SlideShare a Scribd company logo

Mobile-threat-analysis-short-presentation_owasp.pdf

B
BobDimante

The document outlines a 5-step thought process for discovering threats in mobile applications: 1) Identify assets to protect and why, 2) Determine where attacks could occur, 3) Consider what could go wrong, 4) Evaluate existing protections, and 5) Accept residual risks. It also discusses threat modeling concepts like assets, attackers, attacks surfaces, STRIDE threats, and the DREAD risk assessment method. The OWASP mobile security risks are presented, such as data leakage, weak authentication, and third-party code issues.

Software
1 of 19
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
The OWASP Foundation http://www.owasp.org Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. Mobile Application Threat Analysis Ari Kesäniemi Nixu
2 Threat Modeling Threats Threat agents Assets Architecture
3 Thought Process for Discovering Threats 1. “What do we want to protect and why?” 2. “Where could the attack happen?” 3. “What could go wrong?” 4. “Do we have appropriate protection?” 5. “What is the risk we accept?”
1. “What do we want to protect and why?” • What are the assets worth protecting? • What would be the business impact if compromised? • Data • Money, privacy, credentials • Transactions and processes • IPR, innovations, algorithms • Reputation, customer experience • Resources 4
5 Thought Process for Discovering Threats 1. “What do we want to protect and why?” 2. “Where could the attack happen?” 3. “What could go wrong?” 4. “Do we have appropriate protection?” 5. “What is the risk we accept?”
2. “Where could the attack happen?” • What is the attack surface? • Local storage? (Including logs, caches etc) • Connection to back end server? • Connection to third party services? • Malicious user? • Web browsing and content handlers? • Exposed API or RPC? • Third party components part of the application? 6
7 Thought Process for Discovering Threats 1. “What do we want to protect and why?” 2. “Where could the attack happen?” 3. “What could go wrong?” 4. “Do we have appropriate protection?” 5. “What is the risk we accept?”
3. “What could go wrong?” • What are the most feasible attack scenarios? • How each of the assets (from step 1) could be compromised • Considering confidentiality, integrity, availability and non- repudiation for information assets? • Considering STRIDE* for processes and data flows? • Considering attack surfaces (from step 2)? • Considering the system as a whole? * STRIDE = Spoofing / Tampering / Repudiation / Information disclosure / Denial of service / Elevation of privilege 8
9 Thought Process for Discovering Threats 1. “What do we want to protect and why?” 2. “Where could the attack happen?” 3. “What could go wrong?” 4. “Do we have appropriate protection?” 5. “What is the risk we accept?”
4. “Do we have appropriate protection?” • Consider each scenario individually • Is there a best practice protection mechanism? Is it implemented in the system? • Build an attack tree when necessary 10 Legend Protection Attack Vector Threat disclosure_of_info stolen_id unauthorized_use eavesdropping forged_authz local_storage_access exploiting_internal_interfaces modification_of_info mitm sync_modification_from_client_to_server malicious_health_tips modified_app stealing_auth_cred exploiting_unencrypted_comm phone_call_fraud modified_phone_nr identity_theft stolen_session_token guessing_or_stealing_password physical_access application_pin server_side_attack attack_from_another_app rooting_device secure_session_storage local_data_encryption api_protection rerouting_comms publish_and_refresh_sync faking_app_in_app_store ssl_protection ip_bound_session social_engineering
Attack Tree 11
OWASP Top Ten Mobile Risks (DRAFT) 1. Insecure or unnecessary client-side data storage 2. Lack of data protection in transit 3. Personal data leakage 4. Failure to protect resources with strong authentication 5. Failure to implement least privilege authorization policy 6. Client-side injection 7. Client-side DOS 8. Malicious third-party code 9. Client-side buffer overflow 10.Failure to apply server-side controls 12
… and: • Abuse of client side paid resources • Failure to properly handle inbound SMS messages • Failure to properly handle outbound SMS messages • Malicious / fake applications from app store • Ability of one application to view data or communicate with other applications • Switching networks during a transaction • Failure to protect sensitive data at rest • Failure to disable insecure platform features in application (caching of keystrokes, screen data) 13
14 Thought Process for Discovering Threats 1. “What do we want to protect and why?” 2. “Where could the attack happen?” 3. “What could go wrong?” 4. “Do we have appropriate protection?” 5. “What is the risk we accept?”
5. “What is the risk we accept?” • What are the residual risks that can be accepted? • Not every scenario is worth protecting • For scenarios not having good protection, consider DREAD: • Damage • Reproducibility • Exploitability • Affected users • Discoverability • Is there a known threat agent motivated to perform an attack? 15
Attack Tree 16
Summary & Conclusion
18 1. “What do we want to protect and why?” 2. “Where could the attack happen?” 3. “What could go wrong?” 4. “Do we have appropriate protection?” 5. “What is the risk we accept?” Threats Threat agents Assets Architecture
19 Questions? Resources: • OWASP Mobile Security Project • ENISA: Top Ten Smartphone Risks • Microsoft: STRIDE, DREAD

More Related Content

PPTX
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Nikola Milosevic
 
PDF
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
eightbit
 
PDF
Unicom Conference - Mobile Application Security
Subho Halder
 
PPTX
Appsecurity, win or loose
Bjørn Sloth
 
PPTX
OWASP Mobile TOP 10 2014
Islam Azeddine Mennouchi
 
PPTX
Webdays blida mobile top 10 risks
Islam Azeddine Mennouchi
 
PDF
Developing Secure Mobile Applications
Denim Group
 
PDF
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Denim Group
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Nikola Milosevic
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
eightbit
 
Unicom Conference - Mobile Application Security
Subho Halder
 
Appsecurity, win or loose
Bjørn Sloth
 
OWASP Mobile TOP 10 2014
Islam Azeddine Mennouchi
 
Webdays blida mobile top 10 risks
Islam Azeddine Mennouchi
 
Developing Secure Mobile Applications
Denim Group
 
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
Denim Group
 

Similar to Mobile-threat-analysis-short-presentation_owasp.pdf (20)

PDF
OWASP Mobile Top 10 Deep-Dive
Prathan Phongthiproek
 
PDF
OWASP Day - OWASP Day - Lets secure!
Prathan Phongthiproek
 
ODP
Mobile Apps Security Testing -1
Krisshhna Daasaarii
 
PDF
Mobile security chess board - attacks & defense
Blueinfy Solutions
 
PDF
Mobile Application Security Threats through the Eyes of the Attacker
bugcrowd
 
PDF
Securing Mobile Apps - Appfest Version
Subho Halder
 
PDF
20160831_app_storesecurity_Seminar
Jisoo Park
 
PPTX
Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities
jasonhaddix
 
PPTX
Application Threat Modeling
Rochester Security Summit
 
PDF
Building a Mobile Security Model
tmbainjr131
 
PDF
Securing Your Mobile Applications
Greg Patton
 
PPTX
Mobile Application Security
Lenin Aboagye
 
PPTX
Mobile application securitry risks ISACA Silicon Valley 2012
Symosis Security (Previously C-Level Security)
 
PDF
Owasp Mobile Top 10 – 2014
n|u - The Open Security Community
 
PDF
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
NowSecure
 
PPTX
Owasp top-10-mobile-risks-v-1-3 publish
Ali Kazmi
 
PDF
Menofia UN -Mobile Security
Ahmed Samara
 
PDF
Securing 3-Mode Mobile Banking
Jay McLaughlin
 
PPTX
Building a Mobile Security Program
Denim Group
 
PPT
Mobile app Unit 1 best notes for students .ppt
AnuradhaGupta789099
 
OWASP Mobile Top 10 Deep-Dive
Prathan Phongthiproek
 
OWASP Day - OWASP Day - Lets secure!
Prathan Phongthiproek
 
Mobile Apps Security Testing -1
Krisshhna Daasaarii
 
Mobile security chess board - attacks & defense
Blueinfy Solutions
 
Mobile Application Security Threats through the Eyes of the Attacker
bugcrowd
 
Securing Mobile Apps - Appfest Version
Subho Halder
 
20160831_app_storesecurity_Seminar
Jisoo Park
 
Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities
jasonhaddix
 
Application Threat Modeling
Rochester Security Summit
 
Building a Mobile Security Model
tmbainjr131
 
Securing Your Mobile Applications
Greg Patton
 
Mobile Application Security
Lenin Aboagye
 
Mobile application securitry risks ISACA Silicon Valley 2012
Symosis Security (Previously C-Level Security)
 
Owasp Mobile Top 10 – 2014
n|u - The Open Security Community
 
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
NowSecure
 
Owasp top-10-mobile-risks-v-1-3 publish
Ali Kazmi
 
Menofia UN -Mobile Security
Ahmed Samara
 
Securing 3-Mode Mobile Banking
Jay McLaughlin
 
Building a Mobile Security Program
Denim Group
 
Mobile app Unit 1 best notes for students .ppt
AnuradhaGupta789099
 
Ad

Recently uploaded (20)

PDF
How AI/LLM recommend to you ? GDG meetup 16 Aug by Fariman Guliev
HusseinMalikMammadli
 
PPTX
Advanced SystemCare Ultimate Crack + Portable (2025)
adanataj41
 
PPTX
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
PPTX
Cybersecurity: Protecting the Digital World
SURULIAPPANPREMKMAR
 
PDF
Ableton Live Suite for MacOS Crack Full Download (Latest 2025)
hashmi66g66
 
PPTX
WiFi Honeypot Detecscfddssdffsedfseztor.pptx
singlesrihari
 
PDF
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
PDF
Complete Guide to Website Development in Malaysia for SMEs
Asian Business Services & Technologies
 
PDF
Time Tracking Features That Teams and Organizations Actually Need
Orangescrum
 
PPTX
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
DOCX
Greta — No-Code AI for Building Full-Stack Web & Mobile Apps
niloyislam1187
 
PDF
Autodesk AutoCAD Crack Free Download 2025
hggfcrd hgggref
 
PPTX
assetexplorer- product-overview - presentation
nonameist3434
 
PDF
How Tridens DevSecOps Ensures Compliance, Security, and Agility
Tridens
 
PDF
AI-Powered Threat Modeling: The Future of Cybersecurity by Arun Kumar Elengov...
Arun Kumar Elengovan
 
PPTX
Why Generative AI is the Future of Content, Code & Creativity?
Webuters Technologies Pvt. Ltd
 
PDF
How to Make Money in the Metaverse_ Top Strategies for Beginners.pdf
Herond Labs
 
PDF
Digital Systems & Binary Numbers (comprehensive )
fyfhqfhtv2
 
PDF
Wondershare Recoverit Full Crack New Version (Latest 2025)
hashmi66g66
 
PPTX
Monitoring Stack: Grafana, Loki & Promtail
GhanshyamSwami3
 
How AI/LLM recommend to you ? GDG meetup 16 Aug by Fariman Guliev
HusseinMalikMammadli
 
Advanced SystemCare Ultimate Crack + Portable (2025)
adanataj41
 
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
Cybersecurity: Protecting the Digital World
SURULIAPPANPREMKMAR
 
Ableton Live Suite for MacOS Crack Full Download (Latest 2025)
hashmi66g66
 
WiFi Honeypot Detecscfddssdffsedfseztor.pptx
singlesrihari
 
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
Complete Guide to Website Development in Malaysia for SMEs
Asian Business Services & Technologies
 
Time Tracking Features That Teams and Organizations Actually Need
Orangescrum
 
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
Greta — No-Code AI for Building Full-Stack Web & Mobile Apps
niloyislam1187
 
Autodesk AutoCAD Crack Free Download 2025
hggfcrd hgggref
 
assetexplorer- product-overview - presentation
nonameist3434
 
How Tridens DevSecOps Ensures Compliance, Security, and Agility
Tridens
 
AI-Powered Threat Modeling: The Future of Cybersecurity by Arun Kumar Elengov...
Arun Kumar Elengovan
 
Why Generative AI is the Future of Content, Code & Creativity?
Webuters Technologies Pvt. Ltd
 
How to Make Money in the Metaverse_ Top Strategies for Beginners.pdf
Herond Labs
 
Digital Systems & Binary Numbers (comprehensive )
fyfhqfhtv2
 
Wondershare Recoverit Full Crack New Version (Latest 2025)
hashmi66g66
 
Monitoring Stack: Grafana, Loki & Promtail
GhanshyamSwami3
 
Ad

Mobile-threat-analysis-short-presentation_owasp.pdf

  • 1. The OWASP Foundation http://www.owasp.org Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. Mobile Application Threat Analysis Ari Kesäniemi Nixu
  • 3. 3 Thought Process for Discovering Threats 1. “What do we want to protect and why?” 2. “Where could the attack happen?” 3. “What could go wrong?” 4. “Do we have appropriate protection?” 5. “What is the risk we accept?”
  • 4. 1. “What do we want to protect and why?” • What are the assets worth protecting? • What would be the business impact if compromised? • Data • Money, privacy, credentials • Transactions and processes • IPR, innovations, algorithms • Reputation, customer experience • Resources 4
  • 5. 5 Thought Process for Discovering Threats 1. “What do we want to protect and why?” 2. “Where could the attack happen?” 3. “What could go wrong?” 4. “Do we have appropriate protection?” 5. “What is the risk we accept?”
  • 6. 2. “Where could the attack happen?” • What is the attack surface? • Local storage? (Including logs, caches etc) • Connection to back end server? • Connection to third party services? • Malicious user? • Web browsing and content handlers? • Exposed API or RPC? • Third party components part of the application? 6
  • 7. 7 Thought Process for Discovering Threats 1. “What do we want to protect and why?” 2. “Where could the attack happen?” 3. “What could go wrong?” 4. “Do we have appropriate protection?” 5. “What is the risk we accept?”
  • 8. 3. “What could go wrong?” • What are the most feasible attack scenarios? • How each of the assets (from step 1) could be compromised • Considering confidentiality, integrity, availability and non- repudiation for information assets? • Considering STRIDE* for processes and data flows? • Considering attack surfaces (from step 2)? • Considering the system as a whole? * STRIDE = Spoofing / Tampering / Repudiation / Information disclosure / Denial of service / Elevation of privilege 8
  • 9. 9 Thought Process for Discovering Threats 1. “What do we want to protect and why?” 2. “Where could the attack happen?” 3. “What could go wrong?” 4. “Do we have appropriate protection?” 5. “What is the risk we accept?”
  • 10. 4. “Do we have appropriate protection?” • Consider each scenario individually • Is there a best practice protection mechanism? Is it implemented in the system? • Build an attack tree when necessary 10 Legend Protection Attack Vector Threat disclosure_of_info stolen_id unauthorized_use eavesdropping forged_authz local_storage_access exploiting_internal_interfaces modification_of_info mitm sync_modification_from_client_to_server malicious_health_tips modified_app stealing_auth_cred exploiting_unencrypted_comm phone_call_fraud modified_phone_nr identity_theft stolen_session_token guessing_or_stealing_password physical_access application_pin server_side_attack attack_from_another_app rooting_device secure_session_storage local_data_encryption api_protection rerouting_comms publish_and_refresh_sync faking_app_in_app_store ssl_protection ip_bound_session social_engineering
  • 12. OWASP Top Ten Mobile Risks (DRAFT) 1. Insecure or unnecessary client-side data storage 2. Lack of data protection in transit 3. Personal data leakage 4. Failure to protect resources with strong authentication 5. Failure to implement least privilege authorization policy 6. Client-side injection 7. Client-side DOS 8. Malicious third-party code 9. Client-side buffer overflow 10.Failure to apply server-side controls 12
  • 13. … and: • Abuse of client side paid resources • Failure to properly handle inbound SMS messages • Failure to properly handle outbound SMS messages • Malicious / fake applications from app store • Ability of one application to view data or communicate with other applications • Switching networks during a transaction • Failure to protect sensitive data at rest • Failure to disable insecure platform features in application (caching of keystrokes, screen data) 13
  • 14. 14 Thought Process for Discovering Threats 1. “What do we want to protect and why?” 2. “Where could the attack happen?” 3. “What could go wrong?” 4. “Do we have appropriate protection?” 5. “What is the risk we accept?”
  • 15. 5. “What is the risk we accept?” • What are the residual risks that can be accepted? • Not every scenario is worth protecting • For scenarios not having good protection, consider DREAD: • Damage • Reproducibility • Exploitability • Affected users • Discoverability • Is there a known threat agent motivated to perform an attack? 15
  • 18. 18 1. “What do we want to protect and why?” 2. “Where could the attack happen?” 3. “What could go wrong?” 4. “Do we have appropriate protection?” 5. “What is the risk we accept?” Threats Threat agents Assets Architecture
  • 19. 19 Questions? Resources: • OWASP Mobile Security Project • ENISA: Top Ten Smartphone Risks • Microsoft: STRIDE, DREAD