1
00:00:06,940 --> 00:00:09,650
- In the first course part of the series,

2
00:00:09,650 --> 00:00:13,250
you learned about an organization called OWASP, right?

3
00:00:13,250 --> 00:00:15,240
Now if you're not familiar with this organization,

4
00:00:15,240 --> 00:00:18,560
I'll definitely invite you to view the first course

5
00:00:18,560 --> 00:00:23,050
or just to go to their website at owasp.org.

6
00:00:23,050 --> 00:00:25,210
Now OWASP has an initiative called

7
00:00:25,210 --> 00:00:27,680
the OWASP Mobile Security Project,

8
00:00:27,680 --> 00:00:30,970
and it basically is a centralized resource

9
00:00:30,970 --> 00:00:34,320
aimed to give developers and security teams

10
00:00:34,320 --> 00:00:36,380
the resources they actually need to build

11
00:00:36,380 --> 00:00:38,930
and maintain secure mobile applications, right?

12
00:00:38,930 --> 00:00:41,610
And of course it extends to more than the mobile application,

13
00:00:41,610 --> 00:00:45,800
but they actually are focusing in this specific initiative

14
00:00:45,800 --> 00:00:49,270
around mobile devices and mobile applications, right?

15
00:00:49,270 --> 00:00:50,960
Now through the project,

16
00:00:50,960 --> 00:00:54,610
their goal is actually to classify mobile security risks

17
00:00:54,610 --> 00:00:56,740
and provide developmental controls

18
00:00:56,740 --> 00:00:58,880
to be able to reduce the impact

19
00:00:58,880 --> 00:01:01,140
or the actual likelihood of, you know,

20
00:01:01,140 --> 00:01:04,110
exploitation of vulnerabilities in mobile devices.

21
00:01:04,110 --> 00:01:08,210
Now their primary focus is at the application layer, right?

22
00:01:08,210 --> 00:01:09,840
They also take into consideration

23
00:01:09,840 --> 00:01:11,520
the underlying mobile platform, right?

24
00:01:11,520 --> 00:01:13,270
So the actual hardware itself,

25
00:01:13,270 --> 00:01:15,800
and also even the service provider risk,

26
00:01:15,800 --> 00:01:16,990
whenever they actually, you know,

27
00:01:16,990 --> 00:01:18,150
are doing the threat modeling

28
00:01:18,150 --> 00:01:19,790
and building controls, right?

29
00:01:19,790 --> 00:01:22,450
Now they also cover not only

30
00:01:22,450 --> 00:01:25,100
the mobile applications deployed in the end user devices

31
00:01:25,100 --> 00:01:29,290
but also the broader server-side infrastructure

32
00:01:29,290 --> 00:01:31,530
with which the mobile applications actually

33
00:01:31,530 --> 00:01:33,030
will communicate, right?

34
00:01:33,030 --> 00:01:34,360
So in a lot of cases

35
00:01:34,360 --> 00:01:35,590
actually these mobile applications

36
00:01:35,590 --> 00:01:37,980
are communicating to the Cloud, right?

37
00:01:37,980 --> 00:01:40,310
So they also look at that communication

38
00:01:40,310 --> 00:01:43,230
between the mobile device and the Cloud environment.

39
00:01:43,230 --> 00:01:46,140
They also cover best practices and vulnerabilities

40
00:01:46,140 --> 00:01:49,200
around the integration between the mobile application,

41
00:01:49,200 --> 00:01:51,010
the remote authentication servers,

42
00:01:51,010 --> 00:01:54,180
and the actual Cloud platform specific features, right?

43
00:01:54,180 --> 00:01:56,460
Now let's take a look at some of the top security

44
00:01:56,460 --> 00:01:58,620
vulnerabilities and threats

45
00:01:58,620 --> 00:02:02,003
that exist for mobile devices in their website.

46
00:02:03,440 --> 00:02:07,180
If you look at the OWASP Mobile Security Project website,

47
00:02:07,180 --> 00:02:10,050
you will find tons of resources

48
00:02:10,050 --> 00:02:11,940
related to mobile security, right?

49
00:02:11,940 --> 00:02:15,620
So the website includes the top 10 mobile risks,

50
00:02:15,620 --> 00:02:17,710
and we will review those in a minute, right?

51
00:02:17,710 --> 00:02:21,490
So now it also includes a mobile security checklist,

52
00:02:21,490 --> 00:02:23,490
a mobile security testing guide,

53
00:02:23,490 --> 00:02:27,560
a set of tools that they actually call M-Tools

54
00:02:27,560 --> 00:02:29,100
that allows you to, of course, you know,

55
00:02:29,100 --> 00:02:31,780
test the security of mobile devices,

56
00:02:31,780 --> 00:02:36,630
guidance for secure mobile device, you know, development.

57
00:02:36,630 --> 00:02:39,210
And also the top 10 mobile controls

58
00:02:39,210 --> 00:02:42,590
and a project that is dedicated to teaching you

59
00:02:42,590 --> 00:02:46,770
how to perform threat models for mobile devices.

60
00:02:46,770 --> 00:02:49,860
Now, if you click on the Top 10 Mobile Risks,

61
00:02:49,860 --> 00:02:52,700
you will see that the current top 10 vulnerability

62
00:02:52,700 --> 00:02:56,470
or risk types for mobile devices are the following.

63
00:02:56,470 --> 00:02:59,670
And number one is actually improper platform usage, right.

64
00:02:59,670 --> 00:03:02,840
Insecure data storage, insecure communication,

65
00:03:02,840 --> 00:03:06,230
insecure authentication, insufficient cryptography,

66
00:03:06,230 --> 00:03:09,000
and this is actually one of the challenges nowadays

67
00:03:09,000 --> 00:03:11,690
because a lot of people are actually trying

68
00:03:11,690 --> 00:03:14,260
to create their own crypto implementation, right?

69
00:03:14,260 --> 00:03:15,580
So whenever you do that

70
00:03:15,580 --> 00:03:18,710
and you don't reuse, you know, some of the, you know,

71
00:03:18,710 --> 00:03:20,890
stronger ones out there, like, you know, OpenSSL

72
00:03:20,890 --> 00:03:24,140
and some other ones that actually a lot more maintainers,

73
00:03:24,140 --> 00:03:27,240
you know, actually, you know, contribute to them,

74
00:03:27,240 --> 00:03:29,930
you will introduce security problems for sure, right?

75
00:03:29,930 --> 00:03:32,400
So the other one is not only as far

76
00:03:32,400 --> 00:03:35,540
as the actual core crypto components

77
00:03:35,540 --> 00:03:37,730
but also the implementations of those, right?

78
00:03:37,730 --> 00:03:41,640
So especially whenever you actually do not have

79
00:03:41,640 --> 00:03:44,770
sufficient cryptography best practices

80
00:03:44,770 --> 00:03:46,440
included into your device, right?

81
00:03:46,440 --> 00:03:48,800
Now, insecure authorization is another one.

82
00:03:48,800 --> 00:03:51,140
Client code quality, code tampering,

83
00:03:51,140 --> 00:03:52,440
reverse engineering,

84
00:03:52,440 --> 00:03:56,210
and extraneous functionality as well, right.

85
00:03:56,210 --> 00:03:58,910
Now these change from time to time, right?

86
00:03:58,910 --> 00:04:02,220
So I definitely recommend for you to do two things.

87
00:04:02,220 --> 00:04:04,150
Keep these resources handy

88
00:04:04,150 --> 00:04:07,340
and also subscribe to the mailing list to get information

89
00:04:07,340 --> 00:04:09,810
about any new threats and perhaps, you know,

90
00:04:09,810 --> 00:04:11,600
you can even contribute to the project.

91
00:04:11,600 --> 00:04:13,050
Personally, actually I belong

92
00:04:13,050 --> 00:04:15,340
to the local OWASP chapter

93
00:04:15,340 --> 00:04:16,660
here where I live,

94
00:04:16,660 --> 00:04:18,310
and I invite you to do the same, right?

95
00:04:18,310 --> 00:04:21,590
So these guys actually not only provide a lot

96
00:04:21,590 --> 00:04:23,380
of references for mobile device security,

97
00:04:23,380 --> 00:04:26,400
but you know a lot of security,

98
00:04:26,400 --> 00:04:28,590
you know, resources and tools

99
00:04:28,590 --> 00:04:30,963
are also shared in their website.