[00:00:01] This is the first lecture of part one. I hope you all know about an organization called OWASP. If you are not familiar with this organization, I'll explain it to you right now. So the Open Web Application Security Project, or OWASP, is an online community that produces freely available articles, methodologies, documentation, tools and technologies in the field of web application security. It is also registered as a non-profit organization in Belgium under the name OWASP Europe VZW. For more details, visit their website, www.owasp.org.

[00:00:36] Now, OWASP has an initiative called the Mobile Security Project, and it is a centralized resource aimed to give developers and security teams the resources they actually need to build and maintain secure mobile applications, and of course it extends beyond mobile applications. But they actually are focusing in this specific initiative around mobile devices and mobile applications right now through the project. Their goal is actually to classify mobile security risks and provide developmental controls to be able to reduce the impact or the actual likelihood of exploitation of vulnerabilities in mobile devices. Now, their primary focus is at the application layer. They also take into consideration the underlying mobile platform, so the actual hardware itself, and also even the service provider risk whenever they are doing that type of modeling and building controls. Right now, they also cover not only the mobile applications deployed in the end user devices, but also the broader server-side infrastructure, which is actually what the mobile applications will communicate to. So in a lot of cases, actually, these mobile applications are communicating to the cloud. Right. So they also look at data communication between the mobile device and the cloud environment. They also cover best practices and vulnerabilities around the integration between the mobile application, the remote authentication servers and the actual cloud platform specific features.

[00:02:00] OK, now let's take a look at some of the top security vulnerabilities and threats that are exposed for mobile devices on their website. If you look at the Mobile Security Project website, you will find tons of resources related to mobile security. So the website includes the top ten mobile risks, and we will review those in a minute. It also includes a mobile security checklist, a mobile security testing guide, a set of tools that allow you to test the security of mobile devices, guidance for mobile device development, and also the top 10 mobile controls and a project that is dedicated to teaching you how to perform threat models for mobile devices.

[00:02:45] Now, if you click on the top 10 mobile risks, you will see that the current top 10 vulnerability or risk types for mobile devices are the following. Number one is improper platform usage, then insecure data storage. Next is insecure communication, then insecure authentication. Next is insufficient cryptography. And this is actually one of the challenges nowadays, because a lot of people are trying to create their own crypto implementation. OK, so whenever you do that and you don't reuse some of the stronger ones out there, like OpenSSL and some other ones that a lot more maintainers actually contribute to, you will introduce security problems for sure. Right. So the other thing is, it's not only the actual core crypto components, but also the implementations of those. Right. So especially whenever you actually do not have sufficient cryptography best practices included in your device. Right.

[00:03:44] Next is insecure authorization. Other ones are client code quality, code tampering, reverse engineering and extraneous functionality as well. Now, this changes from time to time. OK, so I definitely recommend for you to do two things: keep these resources handy and also subscribe to their mailing list to get information about any new types. And maybe you can even contribute to the project personally. These guys actually not only provide a lot of resources for mobile device security, but a lot of resources and tools are also shared on their website.