1 00:00:01,050 --> 00:00:06,260 This is the first lecture of part one. I hope you all know about an organization called OWASP.
2 00:00:06,420 --> 00:00:10,250 If you are not familiar with this organization, I'll explain it to you right now.
3 00:00:10,440 --> 00:00:16,950 So the Open Web Application Security Project, or OWASP, is an online community that produces freely available
4 00:00:16,950 --> 00:00:23,040 articles, methodologies, documentation, tools and technologies in the field of web application security.
5 00:00:23,040 --> 00:00:30,950 OWASP is also registered as a non-profit organization in Belgium under the name OWASP Europe VZW.
6 00:00:31,140 --> 00:00:33,730 And for more details, visit their website,
7 00:00:33,900 --> 00:00:36,790 www.owasp.org. Now,
8 00:00:36,790 --> 00:00:42,630 OWASP has an initiative called the Mobile Security Project, and it is a centralized resource
9 00:00:42,630 --> 00:00:48,540 aimed to give developers and security teams the resources they actually need to build and maintain secure
10 00:00:48,540 --> 00:00:53,280 mobile applications. And of course, it extends to more than the mobile applications,
11 00:00:53,280 --> 00:00:59,520 but they actually are focusing in this specific initiative around mobile devices and mobile applications
12 00:00:59,520 --> 00:01:00,830 right now through the project.
13 00:01:01,140 --> 00:01:06,270 Their goal is actually to classify mobile security risks and provide developmental controls to be
14 00:01:06,270 --> 00:01:12,270 able to reduce the impact or the actual likelihood of exploitation of vulnerabilities in mobile devices.
15 00:01:12,510 --> 00:01:15,490 Now, their primary focus is at the application layer.
16 00:01:15,780 --> 00:01:19,560 They also take into consideration the underlying mobile platform,
17 00:01:19,770 --> 00:01:26,040 so the actual hardware itself, and also even the service provider risk whenever they are doing that threat
18 00:01:26,040 --> 00:01:32,010 modeling and building controls. Right now, they also cover not only the mobile applications deployed
19 00:01:32,010 --> 00:01:38,010 in the end user devices, but also the broader server-side infrastructure, which is actually what the
20 00:01:38,010 --> 00:01:40,210 mobile applications will communicate to.
21 00:01:40,440 --> 00:01:45,030 So in a lot of cases, actually, these mobile applications are communicating to the cloud.
22 00:01:45,030 --> 00:01:45,340 Right.
23 00:01:45,540 --> 00:01:50,420 So they also look at data communication between the mobile device and the cloud environment.
24 00:01:50,550 --> 00:01:55,620 They also cover best practices and vulnerabilities around the integration between the mobile application,
25 00:01:55,950 --> 00:02:00,600 the remote authentication servers and the actual cloud platform-specific features.
26 00:02:00,630 --> 00:02:06,430 OK, now let's take a look at some of the top security vulnerabilities and threats that are assessed
27 00:02:06,450 --> 00:02:08,460 for mobile devices on their website.
28 00:02:09,000 --> 00:02:15,540 If you look at the Mobile Security Project website, you will find tons of resources related to mobile
29 00:02:15,540 --> 00:02:16,170 security.
30 00:02:16,290 --> 00:02:21,580 So the website includes the top ten mobile risks, and we will review those in a minute.
31 00:02:21,780 --> 00:02:28,470 So now, it also includes a mobile security checklist, a mobile security testing guide, a set of tools
32 00:02:28,470 --> 00:02:34,730 (that they actually call tools) that allow you to test the security of mobile devices, guidance for
33 00:02:34,740 --> 00:02:40,980 secure mobile device development, and also the top 10 mobile controls, and a project that is dedicated
34 00:02:41,220 --> 00:02:44,670 to teaching you how to perform threat modeling for mobile devices.
35 00:02:45,090 --> 00:02:50,520 Now, if you click on the top 10 mobile risks, you will see that the current top 10 vulnerability or
36 00:02:50,520 --> 00:02:55,440 risk types for mobile devices are the following. Number one is improper
37 00:02:55,440 --> 00:02:59,280 platform usage, then insecure data storage.
38 00:02:59,490 --> 00:03:04,200 Next is insecure communication, then insecure authentication.
39 00:03:04,410 --> 00:03:06,780 Next is insufficient cryptography.
40 00:03:07,050 --> 00:03:12,750 And this is actually one of the challenges nowadays, because a lot of people are trying to create their
41 00:03:12,780 --> 00:03:14,450 own crypto implementation.
42 00:03:14,490 --> 00:03:21,180 OK, so whenever you do that and you don't reuse some of the stronger ones out there, like OpenSSL and
43 00:03:21,180 --> 00:03:26,490 some other ones that actually a lot more maintainers contribute to, you will introduce
44 00:03:26,490 --> 00:03:28,210 security problems for sure.
45 00:03:28,400 --> 00:03:28,590 Right.
46 00:03:28,800 --> 00:03:35,700 So it's not only as far as the actual core crypto components, but also the implementations of those.
47 00:03:35,850 --> 00:03:36,200 Right.
48 00:03:36,420 --> 00:03:41,760 So especially whenever you actually do not have sufficient cryptography best practices included
49 00:03:41,760 --> 00:03:46,290 in your device. Right. Next is insecure authorization.
50 00:03:46,650 --> 00:03:53,850 Another one is client code quality, tampering, reverse engineering and extraneous functionality as
51 00:03:53,850 --> 00:03:54,180 well.
52 00:03:54,720 --> 00:03:56,590 Now, these change from time to time.
53 00:03:56,610 --> 00:04:00,180 OK, so I definitely recommend for you to do two things.
54 00:04:00,570 --> 00:04:06,390 Keep these resources handy and also subscribe to their mailing list to get information about any new
55 00:04:06,390 --> 00:04:06,840 types.
56 00:04:07,020 --> 00:04:10,370 And maybe you can even contribute to the project personally.
57 00:04:10,500 --> 00:04:16,320 And these guys actually not only provide a lot of resources for mobile device security, but a lot of
58 00:04:16,320 --> 00:04:19,740 resources and tools are also shared on their website.