1
00:00:01,020 --> 00:00:06,090
Now, what happens if the application leaks? The data leaks in the application are another issue

2
00:00:06,090 --> 00:00:12,120
in mobile applications, and in mobile application security it is possible that an app may unintentionally

3
00:00:12,120 --> 00:00:14,220
leak sensitive data to an attacker.

4
00:00:14,760 --> 00:00:20,640
This requires extra attention from the developer, and the code he uses for logging during the development

5
00:00:20,640 --> 00:00:21,020
phase.

6
00:00:21,480 --> 00:00:26,250
It must be removed, and he must make sure that no data is actually prone to leaks.

7
00:00:26,580 --> 00:00:28,610
So again, this includes sensitive data.

8
00:00:28,620 --> 00:00:32,310
It probably logs sensitive data, and it goes beyond the sandboxing.

9
00:00:32,730 --> 00:00:39,210
So the main reason behind focusing on this is that application sandboxing may not be applicable to some

10
00:00:39,210 --> 00:00:40,730
of the attacks in this class.

11
00:00:40,890 --> 00:00:47,460
If a user actually copies some sensitive data, such as your security answer, from an application, or anything

12
00:00:47,460 --> 00:00:53,460
that will be placed on the device clipboard or in the other portions of memory, which is definitely

13
00:00:53,460 --> 00:00:59,010
out of the application sandbox, any other application sitting on the same device can read this

14
00:00:59,010 --> 00:01:02,040
data and copy it without the knowledge of the first application.

15
00:01:02,250 --> 00:01:09,000
OK, now another thing is Web services, and Web services are almost similar to Web applications.

16
00:01:09,330 --> 00:01:14,700
So it is possible that a Web service can be affected with all the common vulnerabilities that a normal

17
00:01:14,700 --> 00:01:16,540
Web application can actually have.

18
00:01:16,800 --> 00:01:22,440
For example, you can leverage many different types of vulnerabilities and threats, like authentication

19
00:01:22,440 --> 00:01:24,450
and authorization vulnerabilities.

20
00:01:24,450 --> 00:01:29,160
Session management in mobile platforms is typically done using an authentication token.

21
00:01:29,440 --> 00:01:35,580
OK, so when the user logs in for the first time, he will be given an authentication token, and this

22
00:01:35,580 --> 00:01:41,040
will be used for the rest of the session. If that token is not properly secured until it's destroyed

23
00:01:41,040 --> 00:01:41,860
or expired,

24
00:01:41,880 --> 00:01:44,190
it definitely may lead to an attack.

25
00:01:44,490 --> 00:01:50,250
OK, now, killing the session at the client side, but not the server side, is another common problem

26
00:01:50,250 --> 00:01:53,230
that is actually seen in mobile applications as well.

27
00:01:53,640 --> 00:02:00,000
So those are the types of things that you actually can manipulate, and reuse tokens, and also input validation.

28
00:02:00,030 --> 00:02:06,060
OK, so input validation is also known as data validation, which we actually have seen in applications

29
00:02:06,060 --> 00:02:06,890
for years.

30
00:02:06,900 --> 00:02:07,260
Right.

31
00:02:07,770 --> 00:02:13,950
So it is possible to have a SQL injection or a cross-site scripting vulnerability if no input validation

32
00:02:13,950 --> 00:02:15,930
controls are actually implemented.

33
00:02:16,410 --> 00:02:23,040
OK, so those are the things that you focus on to evaluate that backend. Now, errors that are attractive

34
00:02:23,040 --> 00:02:28,280
to attackers or pen testers, or another type of threat, and that is error handling.

35
00:02:28,620 --> 00:02:34,320
And if not properly done, then the API is actually throwing database or server errors specific to the

36
00:02:34,320 --> 00:02:35,190
crafted request.

37
00:02:35,490 --> 00:02:39,770
It is actually possible for you to actually craft attacks using those errors.

38
00:02:39,900 --> 00:02:40,340
Right.

39
00:02:40,800 --> 00:02:44,150
And let's see another thing, and that is the cryptography.

40
00:02:44,310 --> 00:02:48,150
It's another area where developers commit mistakes during the development.

41
00:02:48,390 --> 00:02:52,410
I am making sure that they do not employ the cryptographic protocols.

42
00:02:52,440 --> 00:02:52,890
OK.