SlideShare a Scribd company logo

Сергей Харюк (Украина). Проверка безопасности приложений на платформе iOS

K
KazHackStan

This document outlines a presentation on testing the security of iOS applications. It discusses the iOS security architecture including the kernel, secure enclave, and application sandboxing. It then covers tools for analyzing apps like dumpdecrypted, IDA, Hopper, Frida, and idb. The document lists the OWASP top 10 mobile risks and provides examples of vulnerabilities found in various mobile apps during security research, including issues with insecure communication, data storage, authorization and cryptography. Case studies are presented on vulnerabilities discovered in apps like MyPay, HomeBank, KolesaKz and others.

Technology
1 of 40
Downloaded 10 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
Сергей Ximerus Харюк “Проверка безопасности приложений на платформе iOS”
Agenda • Overview • iOS Security architecture • Application data structure • Preparation testing environment • Tools • dumpdecrypted • IDA and Hopper • Frida and Cycript • needle and idb • OWASP Top 10 Mobile • M1: Improper Platform Usage • M2: Insecure Data Storage • M3: Insecure Communication • M4: Insecure Authentication • M5: Insufficient Cryptography • M6: Insecure Authorization • M7: Client Code Quality • M8: Code Tampering • M9: Reverse Engineering • M10: Extraneous Functionality • Research results • Low security lvl • Medium security lvl • Good security lvl
iOS Security Architecture Kernel
 
 
 
 Secure Enclave Secure Element Crypto Engine Device Key Group Key Apple Root Certificate File System HardwareandFirmware Software OS Partition User Partition (Encrypted) Application sandbox Data protection class
Secure Boot Boot ROM Low Level Bootloader iBoot Kernel
File System protection Hardware Key Passcode Class key File metadata File content File system key File key
TouchID and FaceID is secure?
Environment @qwertyoruiopz
Environment on Device • AppList • Cydia Substrate • DumpDecrypted • Frida • Keychaineditor • NeedleAgent • OpenSSH • SSL KillSwitch 2 • Stashing for iOS
dumpdecrypted put dumpdecrypted.dlyb in to /usr/lib/ set permissions to read and execute DLYB_INSERT_LIBRARIES=/usr/lib/dumpdecrypted.dlyb /path/to/binary
IDA Pro decompiled code
Hopper decompiled code
needle
idb
OWASP 10 Mobile •M1: Improper Platform Usage •M2: Insecure Data Storage •M3: Insecure Communication •M4: Insecure Authentication •M5: Insufficient Cryptography •M6: Insecure Authorization •M7: Client Code Quality •M8: Code Tampering •M9: Reverse Engineering •M10: Extraneous Functionality
OWASP 10 Mobile •M1: Improper Platform Usage •M2: Insecure Data Storage •M3: Insecure Communication •M4: Insecure Authentication •M5: Insufficient Cryptography •M6: Insecure Authorization •M7: Client Code Quality •M8: Code Tampering •M9: Reverse Engineering •M10: Extraneous Functionality
OWASP 10 Mobile •M1: Improper Platform Usage •M2: Insecure Data Storage •M3: Insecure Communication •M4: Insecure Authentication •M5: Insufficient Cryptography •M6: Insecure Authorization •M7: Client Code Quality •M8: Code Tampering •M9: Reverse Engineering •M10: Extraneous Functionality
OWASP 10 Mobile •M1: Improper Platform Usage •M2: Insecure Data Storage •M3: Insecure Communication •M4: Insecure Authentication •M5: Insufficient Cryptography •M6: Insecure Authorization •M7: Client Code Quality •M8: Code Tampering •M9: Reverse Engineering •M10: Extraneous Functionality
OWASP 10 Mobile •M1: Improper Platform Usage •M2: Insecure Data Storage •M3: Insecure Communication •M4: Insecure Authentication •M5: Insufficient Cryptography •M6: Insecure Authorization •M7: Client Code Quality •M8: Code Tampering •M9: Reverse Engineering •M10: Extraneous Functionality
OWASP 10 Mobile •M1: Improper Platform Usage •M2: Insecure Data Storage •M3: Insecure Communication •M4: Insecure Authentication •M5: Insufficient Cryptography •M6: Insecure Authorization •M7: Client Code Quality •M8: Code Tampering •M9: Reverse Engineering •M10: Extraneous Functionality
OWASP 10 Mobile •M1: Improper Platform Usage •M2: Insecure Data Storage •M3: Insecure Communication •M4: Insecure Authentication •M5: Insufficient Cryptography •M6: Insecure Authorization •M7: Client Code Quality •M8: Code Tampering •M9: Reverse Engineering •M10: Extraneous Functionality
OWASP 10 Mobile •M1: Improper Platform Usage •M2: Insecure Data Storage •M3: Insecure Communication •M4: Insecure Authentication •M5: Insufficient Cryptography •M6: Insecure Authorization •M7: Client Code Quality •M8: Code Tampering •M9: Reverse Engineering •M10: Extraneous Functionality
OWASP 10 Mobile •M1: Improper Platform Usage •M2: Insecure Data Storage •M3: Insecure Communication •M4: Insecure Authentication •M5: Insufficient Cryptography •M6: Insecure Authorization •M7: Client Code Quality •M8: Code Tampering •M9: Reverse Engineering •M10: Extraneous Functionality
OWASP 10 Mobile •M1: Improper Platform Usage •M2: Insecure Data Storage •M3: Insecure Communication •M4: Insecure Authentication •M5: Insufficient Cryptography •M6: Insecure Authorization •M7: Client Code Quality •M8: Code Tampering •M9: Reverse Engineering •M10: Extraneous Functionality
OWASP 10 Mobile •M1: Improper Platform Usage •M2: Insecure Data Storage •M3: Insecure Communication •M4: Insecure Authentication •M5: Insufficient Cryptography •M6: Insecure Authorization •M7: Client Code Quality •M8: Code Tampering •M9: Reverse Engineering •M10: Extraneous Functionality
MyPay
MyPay Insecure Communication Plain Text Payment Info
HomeBank
HomeBank Insecure Communication Plain Text Payment Info Caching Screenshot
KolesaKz
KolesaKz
KolesaKz
KolesaKz
KolesaKz Insecure Authorization Insecure Data Storage Broken Cryptography Plain text credentials
Technodom
Technodom Insecure Communication Plain Text Payment Info
ATF24
ATF24
ATF24
Question? Contact info: telegram/twitter/linkedin/fb/vk: @ximerus mail: ximerus@gmail.com
СПАСИБО ЗА ВНИМАНИЕ!

More Related Content

PPTX
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Nikola Milosevic
 
PDF
Mobile Threats and Owasp Top 10 Risks
Santosh Satam
 
PDF
Owasp Mobile Top 10 – 2014
n|u - The Open Security Community
 
PPTX
Owasp mobile top 10
Pawel Rzepa
 
PPTX
OWASP Mobile TOP 10 2014
Islam Azeddine Mennouchi
 
PDF
Owasp Mobile Top 10 - M7 & M8
5h1vang
 
PDF
State of OWASP 2015
tmd800
 
PPTX
News Bytes - December 2015
n|u - The Open Security Community
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Nikola Milosevic
 
Mobile Threats and Owasp Top 10 Risks
Santosh Satam
 
Owasp Mobile Top 10 – 2014
n|u - The Open Security Community
 
Owasp mobile top 10
Pawel Rzepa
 
OWASP Mobile TOP 10 2014
Islam Azeddine Mennouchi
 
Owasp Mobile Top 10 - M7 & M8
5h1vang
 
State of OWASP 2015
tmd800
 
News Bytes - December 2015
n|u - The Open Security Community
 

What's hot (20)

PDF
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
5h1vang
 
PDF
Menofia UN -Mobile Security
Ahmed Samara
 
PDF
(ISC)2 Kamprianis - Mobile Security
Michalis Kamprianis
 
PDF
Protecting microservices using secure design patterns 1.0
Trupti Shiralkar, CISSP
 
PPTX
Layered API Security: What Hackers Don't Want You To Know
AaronLieberman5
 
PPTX
Developing A Cyber Security Incident Response Program
BGA Cyber Security
 
PDF
Bad for Enterprise: Attacking BYOD enterprise mobility security solutions
Priyanka Aash
 
PPTX
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Anant Shrivastava
 
PDF
CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...
NCCOMMS
 
PDF
Client side encryption without knowing its limits is a ticking time bomb!
Priyanka Aash
 
PPTX
ZeroNights2013 testing of password policy
Anton Dedov
 
PDF
Top Azure security fails and how to avoid them
Karl Ots
 
PPTX
Attack chaining for web exploitation
n|u - The Open Security Community
 
PDF
Top 10 web application security risks akash mahajan
Akash Mahajan
 
PPTX
See Web Security Trend from OWASP Top 10 - 2017
Chia-Lung Hsieh
 
PPTX
Newbytes NullHyd
n|u - The Open Security Community
 
PDF
Owasp advanced mobile-application-code-review-techniques-v0.2
drewz lin
 
PDF
SSH - From Zero to Hero
OWASP Khartoum
 
PDF
Web application security
Akash Mahajan
 
PDF
Stopping zero day threats
Zscaler
 
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
5h1vang
 
Menofia UN -Mobile Security
Ahmed Samara
 
(ISC)2 Kamprianis - Mobile Security
Michalis Kamprianis
 
Protecting microservices using secure design patterns 1.0
Trupti Shiralkar, CISSP
 
Layered API Security: What Hackers Don't Want You To Know
AaronLieberman5
 
Developing A Cyber Security Incident Response Program
BGA Cyber Security
 
Bad for Enterprise: Attacking BYOD enterprise mobility security solutions
Priyanka Aash
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Anant Shrivastava
 
CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...
NCCOMMS
 
Client side encryption without knowing its limits is a ticking time bomb!
Priyanka Aash
 
ZeroNights2013 testing of password policy
Anton Dedov
 
Top Azure security fails and how to avoid them
Karl Ots
 
Attack chaining for web exploitation
n|u - The Open Security Community
 
Top 10 web application security risks akash mahajan
Akash Mahajan
 
See Web Security Trend from OWASP Top 10 - 2017
Chia-Lung Hsieh
 
Newbytes NullHyd
n|u - The Open Security Community
 
Owasp advanced mobile-application-code-review-techniques-v0.2
drewz lin
 
SSH - From Zero to Hero
OWASP Khartoum
 
Web application security
Akash Mahajan
 
Stopping zero day threats
Zscaler
 
Ad

Similar to Сергей Харюк (Украина). Проверка безопасности приложений на платформе iOS (20)

PPTX
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Sina Manavi
 
PDF
Creating secure apps using the salesforce mobile sdk
Martin Vigo
 
PDF
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
NowSecure
 
PDF
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Ruby Meditation
 
PDF
1. Mobile Application (In)security
Sam Bowne
 
PPTX
[Wroclaw #2] iOS Security - 101
OWASP
 
PPTX
Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities
jasonhaddix
 
PDF
CactusCon - Practical iOS App Attack and Defense
Seth Law
 
PPTX
Top 10 mobile security risks - Khổng Văn Cường
Security Bootcamp
 
PDF
Smart Bombs: Mobile Vulnerability and Exploitation
SecureState
 
PPTX
Top 10 mobile security risks - Khổng Văn Cường
Võ Thái Lâm
 
PPTX
Hacking Mobile Apps
Sophos Benelux
 
PPTX
Keeping Secrets on the Internet of Things - Mobile Web Application Security
Kelly Robertson
 
PDF
OWASP Day - OWASP Day - Lets secure!
Prathan Phongthiproek
 
PDF
Android Application Security
Chong-Kuan Chen
 
PPTX
Web Application Security Session for Web Developers
Krishna Srikanth Manda
 
PDF
OWASP Top 10 for Mobile
Appvigil - Mobile App Security Scanner
 
PPTX
Indianapolis Splunk User Group Dec 22
WesComer2
 
PPTX
How to create a secure IoT device
Abhijeet Rane
 
PDF
Mobile Application Security Threats through the Eyes of the Attacker
bugcrowd
 
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Sina Manavi
 
Creating secure apps using the salesforce mobile sdk
Martin Vigo
 
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
NowSecure
 
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Ruby Meditation
 
1. Mobile Application (In)security
Sam Bowne
 
[Wroclaw #2] iOS Security - 101
OWASP
 
Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities
jasonhaddix
 
CactusCon - Practical iOS App Attack and Defense
Seth Law
 
Top 10 mobile security risks - Khổng Văn Cường
Security Bootcamp
 
Smart Bombs: Mobile Vulnerability and Exploitation
SecureState
 
Top 10 mobile security risks - Khổng Văn Cường
Võ Thái Lâm
 
Hacking Mobile Apps
Sophos Benelux
 
Keeping Secrets on the Internet of Things - Mobile Web Application Security
Kelly Robertson
 
OWASP Day - OWASP Day - Lets secure!
Prathan Phongthiproek
 
Android Application Security
Chong-Kuan Chen
 
Web Application Security Session for Web Developers
Krishna Srikanth Manda
 
OWASP Top 10 for Mobile
Appvigil - Mobile App Security Scanner
 
Indianapolis Splunk User Group Dec 22
WesComer2
 
How to create a secure IoT device
Abhijeet Rane
 
Mobile Application Security Threats through the Eyes of the Attacker
bugcrowd
 
Ad

More from KazHackStan (20)

PPTX
Андрей Масалович (Россия). Корпоративная защита в РК глазами хакера
KazHackStan
 
PDF
Евгений Гончаров (Россия, Казахстан). Автоматизация рутины AD
KazHackStan
 
PPTX
Иван Чалыкин (Россия), Digital Security. Легальный SOP Bypass. Проблемы внедр...
KazHackStan
 
PPTX
Тимур Юнусов (Россия), Positive Technologies. Уязвимости банкоматов
KazHackStan
 
PPTX
Антон Bo0oM Лопаницын (Россия), OnSec. Трекинг. Как узнать посетителя, если о...
KazHackStan
 
PDF
Омар Ганиев (Россия). Обзор атак на модели машинного обучения
KazHackStan
 
PPTX
Валерий Блонский (Казахстан), PACIFICA. Как угнать Ботнет
KazHackStan
 
PPTX
Татьяна Новикова (Казахстан), ЦАРКА. Как мы мониторим Казнет с помощью WebTotem
KazHackStan
 
PPTX
Шамбулов У. К. (Казахстан), ГТС. Анализ и исследование инцидентов информацион...
KazHackStan
 
PPTX
Ярослав Бабин (Россия), Positive Technologies. Основные аспекты при проведени...
KazHackStan
 
PPTX
Виталий Трахтенберг (Израиль), MER Group. Кейс по кибер-расследованию для одн...
KazHackStan
 
PDF
Валерий Боронин (Россия), Positive Technologies. SSDL для руководителей: как ...
KazHackStan
 
PDF
Батыржан Тютеев (Казахстан), ЦАРКА. Уязвимости Казнета
KazHackStan
 
PDF
Сергей Белов (Россия), Mail.ru. Temple of Bug Bounty: Leveling & Farming
KazHackStan
 
PDF
Максим Ефименко (Казахстан), ЦАРКА. Двойное проникновение
KazHackStan
 
PDF
Андрей Абакумов (Россия). Yandex.ru. Соавтор: Эльдар Заитов. Автоматизация ск...
KazHackStan
 
PDF
Ярослав Бабин (Россия), Positive Technologies. Основные аспекты при проведени...
KazHackStan
 
PDF
Ильяс Аринов (Казахстан), ЦАРКА. Linux for newbie hackers
KazHackStan
 
PPTX
Презентация НИТ
KazHackStan
 
PPTX
Дмитрий Кузнецов. Опыт РФ в обеспечении национальной кибербезопасности
KazHackStan
 
Андрей Масалович (Россия). Корпоративная защита в РК глазами хакера
KazHackStan
 
Евгений Гончаров (Россия, Казахстан). Автоматизация рутины AD
KazHackStan
 
Иван Чалыкин (Россия), Digital Security. Легальный SOP Bypass. Проблемы внедр...
KazHackStan
 
Тимур Юнусов (Россия), Positive Technologies. Уязвимости банкоматов
KazHackStan
 
Антон Bo0oM Лопаницын (Россия), OnSec. Трекинг. Как узнать посетителя, если о...
KazHackStan
 
Омар Ганиев (Россия). Обзор атак на модели машинного обучения
KazHackStan
 
Валерий Блонский (Казахстан), PACIFICA. Как угнать Ботнет
KazHackStan
 
Татьяна Новикова (Казахстан), ЦАРКА. Как мы мониторим Казнет с помощью WebTotem
KazHackStan
 
Шамбулов У. К. (Казахстан), ГТС. Анализ и исследование инцидентов информацион...
KazHackStan
 
Ярослав Бабин (Россия), Positive Technologies. Основные аспекты при проведени...
KazHackStan
 
Виталий Трахтенберг (Израиль), MER Group. Кейс по кибер-расследованию для одн...
KazHackStan
 
Валерий Боронин (Россия), Positive Technologies. SSDL для руководителей: как ...
KazHackStan
 
Батыржан Тютеев (Казахстан), ЦАРКА. Уязвимости Казнета
KazHackStan
 
Сергей Белов (Россия), Mail.ru. Temple of Bug Bounty: Leveling & Farming
KazHackStan
 
Максим Ефименко (Казахстан), ЦАРКА. Двойное проникновение
KazHackStan
 
Андрей Абакумов (Россия). Yandex.ru. Соавтор: Эльдар Заитов. Автоматизация ск...
KazHackStan
 
Ярослав Бабин (Россия), Positive Technologies. Основные аспекты при проведени...
KazHackStan
 
Ильяс Аринов (Казахстан), ЦАРКА. Linux for newbie hackers
KazHackStan
 
Презентация НИТ
KazHackStan
 
Дмитрий Кузнецов. Опыт РФ в обеспечении национальной кибербезопасности
KazHackStan
 

Recently uploaded (20)

PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
A Presentation on Artificial Intelligence
memembruh336
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 

Сергей Харюк (Украина). Проверка безопасности приложений на платформе iOS

  • 1. Сергей Ximerus Харюк “Проверка безопасности приложений на платформе iOS”
  • 2. Agenda • Overview • iOS Security architecture • Application data structure • Preparation testing environment • Tools • dumpdecrypted • IDA and Hopper • Frida and Cycript • needle and idb • OWASP Top 10 Mobile • M1: Improper Platform Usage • M2: Insecure Data Storage • M3: Insecure Communication • M4: Insecure Authentication • M5: Insufficient Cryptography • M6: Insecure Authorization • M7: Client Code Quality • M8: Code Tampering • M9: Reverse Engineering • M10: Extraneous Functionality • Research results • Low security lvl • Medium security lvl • Good security lvl
  • 3. iOS Security Architecture Kernel
 
 
 
 Secure Enclave Secure Element Crypto Engine Device Key Group Key Apple Root Certificate File System HardwareandFirmware Software OS Partition User Partition (Encrypted) Application sandbox Data protection class
  • 4. Secure Boot Boot ROM Low Level Bootloader iBoot Kernel
  • 5. File System protection Hardware Key Passcode Class key File metadata File content File system key File key
  • 6. TouchID and FaceID is secure?
  • 8. Environment on Device • AppList • Cydia Substrate • DumpDecrypted • Frida • Keychaineditor • NeedleAgent • OpenSSH • SSL KillSwitch 2 • Stashing for iOS
  • 9. dumpdecrypted put dumpdecrypted.dlyb in to /usr/lib/ set permissions to read and execute DLYB_INSERT_LIBRARIES=/usr/lib/dumpdecrypted.dlyb /path/to/binary
  • 13. idb
  • 14. OWASP 10 Mobile •M1: Improper Platform Usage •M2: Insecure Data Storage •M3: Insecure Communication •M4: Insecure Authentication •M5: Insufficient Cryptography •M6: Insecure Authorization •M7: Client Code Quality •M8: Code Tampering •M9: Reverse Engineering •M10: Extraneous Functionality
  • 15. OWASP 10 Mobile •M1: Improper Platform Usage •M2: Insecure Data Storage •M3: Insecure Communication •M4: Insecure Authentication •M5: Insufficient Cryptography •M6: Insecure Authorization •M7: Client Code Quality •M8: Code Tampering •M9: Reverse Engineering •M10: Extraneous Functionality
  • 16. OWASP 10 Mobile •M1: Improper Platform Usage •M2: Insecure Data Storage •M3: Insecure Communication •M4: Insecure Authentication •M5: Insufficient Cryptography •M6: Insecure Authorization •M7: Client Code Quality •M8: Code Tampering •M9: Reverse Engineering •M10: Extraneous Functionality
  • 17. OWASP 10 Mobile •M1: Improper Platform Usage •M2: Insecure Data Storage •M3: Insecure Communication •M4: Insecure Authentication •M5: Insufficient Cryptography •M6: Insecure Authorization •M7: Client Code Quality •M8: Code Tampering •M9: Reverse Engineering •M10: Extraneous Functionality
  • 18. OWASP 10 Mobile •M1: Improper Platform Usage •M2: Insecure Data Storage •M3: Insecure Communication •M4: Insecure Authentication •M5: Insufficient Cryptography •M6: Insecure Authorization •M7: Client Code Quality •M8: Code Tampering •M9: Reverse Engineering •M10: Extraneous Functionality
  • 19. OWASP 10 Mobile •M1: Improper Platform Usage •M2: Insecure Data Storage •M3: Insecure Communication •M4: Insecure Authentication •M5: Insufficient Cryptography •M6: Insecure Authorization •M7: Client Code Quality •M8: Code Tampering •M9: Reverse Engineering •M10: Extraneous Functionality
  • 20. OWASP 10 Mobile •M1: Improper Platform Usage •M2: Insecure Data Storage •M3: Insecure Communication •M4: Insecure Authentication •M5: Insufficient Cryptography •M6: Insecure Authorization •M7: Client Code Quality •M8: Code Tampering •M9: Reverse Engineering •M10: Extraneous Functionality
  • 21. OWASP 10 Mobile •M1: Improper Platform Usage •M2: Insecure Data Storage •M3: Insecure Communication •M4: Insecure Authentication •M5: Insufficient Cryptography •M6: Insecure Authorization •M7: Client Code Quality •M8: Code Tampering •M9: Reverse Engineering •M10: Extraneous Functionality
  • 22. OWASP 10 Mobile •M1: Improper Platform Usage •M2: Insecure Data Storage •M3: Insecure Communication •M4: Insecure Authentication •M5: Insufficient Cryptography •M6: Insecure Authorization •M7: Client Code Quality •M8: Code Tampering •M9: Reverse Engineering •M10: Extraneous Functionality
  • 23. OWASP 10 Mobile •M1: Improper Platform Usage •M2: Insecure Data Storage •M3: Insecure Communication •M4: Insecure Authentication •M5: Insufficient Cryptography •M6: Insecure Authorization •M7: Client Code Quality •M8: Code Tampering •M9: Reverse Engineering •M10: Extraneous Functionality
  • 24. OWASP 10 Mobile •M1: Improper Platform Usage •M2: Insecure Data Storage •M3: Insecure Communication •M4: Insecure Authentication •M5: Insufficient Cryptography •M6: Insecure Authorization •M7: Client Code Quality •M8: Code Tampering •M9: Reverse Engineering •M10: Extraneous Functionality
  • 25. MyPay
  • 28. HomeBank Insecure Communication Plain Text Payment Info Caching Screenshot
  • 33. KolesaKz Insecure Authorization Insecure Data Storage Broken Cryptography Plain text credentials
  • 36. ATF24
  • 37. ATF24
  • 38. ATF24