Dr. Ahmed Alyahya

OWASP Top 10 Mobile Risks

• M1 – Improper Platform Usage – misuse of platform features or security controls (e.g., Touch ID).
• M2 – Insecure Data Storage – improperly stored data and data leakage.
• M3 – Insecure Communication – poor handshaking, incorrect SSL/TLS usage.
• M4 – Insecure Authentication – failures in authenticating the end user, or bad session management.
• M5 – Insufficient Cryptography – code that applies cryptography to an asset but does so insufficiently (does NOT include SSL/TLS).
• M6 – Insecure Authorization – failures in authorization (access rights).
• M7 – Client Code Quality – catchall for code-level implementation problems.
• M8 – Code Tampering – binary patching, resource modification.
• M9 – Reverse Engineering – reversing core binaries to find problems and exploits.
• M10 – Extraneous Functionality – catchall for backdoors that were inadvertently left in the code.

Mobile Attacks

• App Store attacks.
• Phishing attacks.
• Bring Your Own Device (BYOD).

Bluetooth Attacks:

• Bluesmacking – DoS against a device.
• Bluejacking – sending unsolicited messages.
• Bluesniffing – attempting to discover Bluetooth devices.
• Bluebugging – remotely using a device’s features.
• Bluesnarfing – theft of data from a device.
• Blueprinting – collecting device information over Bluetooth.

Questions