https://owasp.org/www-project-mobile-top-10/
https://mas.owasp.org/
| Impact | Description | Impact Rating |
|---|---|---|
| Customer | Customers' sensitive information, such as personal details, financial data and login credentials, can be exposed, leading to identity theft and financial fraud. | Minor |
| Legal Consequences | Customers may face legal issues if their data is misused or if they are drawn into fraudulent activity because of security vulnerabilities in the app. | Moderate |
| Reputational | Customers may associate the application and the organisation with poor security practices, damaging the brand's reputation. | Major |
| Financial Loss | Customers may suffer financial losses through fraudulent transactions or unauthorised access to their accounts. | Moderate |
| Operational | Security breaches can lead to service outages or disruptions, affecting customers' ability to use the application and access its features. | Major |

| Risk | Description | Type | Overall Risk |
|---|---|---|---|
| 1 | M1: Improper Credential Usage - improper handling of credentials, such as hardcoding them in the app or using weak authentication methods, can lead to unauthorised access and data breaches. | Threat | Medium |
| 2 | M2: Inadequate Supply Chain Security - vulnerabilities in the supply chain, such as compromised third-party components or services, can introduce security weaknesses into mobile applications. | Threat | Medium |
| 3 | M3: Insecure Authentication/Authorization - weaknesses in authentication and authorisation mechanisms can allow attackers to gain unauthorised access to mobile applications and user data. | Threat | Medium |
| 4 | M4: Insufficient Input/Output Validation - inadequate validation of input and output data can allow attackers to exploit vulnerabilities, leading to injection attacks, data breaches and unauthorised access. | Threat | Medium |
| 5 | M5: Insecure Communication - inadequate protection of data transmitted between the mobile app and external systems can lead to interception and unauthorised access. | Threat | Medium |
| 6 | M6: Inadequate Privacy Controls - insufficient privacy controls can lead to unauthorised access to, and exposure of, sensitive user data. | Threat | Major |
| 7 | M7: Insufficient Binary Protection - inadequate protection of the mobile app's binary can allow attackers to reverse-engineer the app, leading to unauthorised access, data breaches and intellectual property theft. | Threat | Low |
| 8 | M8: Security Misconfiguration - improper configuration of security settings can leave mobile applications vulnerable to attack. | Threat | Low |
| 9 | M9: Insecure Data Storage - improper storage of sensitive data on mobile devices can lead to unauthorised access and data breaches. | Threat | Medium |
| 10 | M10: Insufficient Cryptography - weak or improperly implemented cryptographic mechanisms can lead to unauthorised access and data breaches. | Threat | Low |

Risk matrix (each cell holds the risk numbers from the table above, placed by impact and likelihood):

| Impact / Likelihood | Rare (0 - 5%) | Unlikely (5% - 15%) | Possible (15% - 40%) | Likely (40% - 90%) | Certain (>90%) |
|---|---|---|---|---|---|
| Severe | | | | | |
| Major | 2, 5 | 6 | | | |
| Moderate | 1, 4, 9 | | | | |
| Minor | 7, 8, 10 | 3 | | | |
| Insignificant | | | | | |

| Threat: Mobile | Internal | External | 3rd Party | Technological | Physical |
|---|---|---|---|---|---|
| Impact - The adversary is trying to manipulate, interrupt, or destroy your devices and data. | | | | | |
| Credential Access - The adversary is trying to steal account names, passwords, or other secrets that enable access to resources. | | | | | |
| Exfiltration - The adversary is trying to steal data. | | | | | |
| Initial Access - The adversary is trying to get into your device. | | | | | |

| Control | Description | Effectiveness |
|---|---|---|
| MOB.01 | Secure Baseline - Align to the Secure Mobile Baseline and development standards. | |
| MOB.02 | Secure Testing - Integrate SCA, SAST and DAST into the development pipeline to continuously scan for vulnerabilities. | |
| MOB.03 | Penetration Tests - Perform penetration tests on all new and/or modified public-facing APIs. Ensure the test covers a wide range of threats, including the OWASP Top 10 and other relevant threat models. | |
| MOB.04 | Compromise - Build into the mobile app appropriate measures to detect reverse engineering or tampering with the device (e.g. root/jailbreak) and/or the mobile application code, and block the mobile application from loading if compromised. | |
| MOB.05 | Compromise - Implement checks for minimum device and OS versions, and block access for those deemed insecure or unpatched. | |
| MOB.06 | 3rd Party Libraries - Third-party libraries compiled into the mobile app must be assessed for known vulnerabilities. | |
| MOB.07 | Authentication - Leverage Digi ID (Bluekey) authentication processes, ensuring alignment to the strategic authentication approach. | |
| MOB.08 | App Lock - Implement an 'App Lock' feature that requires at least a 6-digit PIN, with biometric authentication as the preferred option. | |
| MOB.09 | Authorisation - Ensure an authorisation framework is employed in the mobile app to control which components can be accessed based on authenticated state or identity assurance level. | |
| MOB.10 | Certificate Pinning - Use certificate pinning for APIs consumed by the mobile app, including BUPA-developed, Digi ID and 3rd party/SDK APIs where supported. | |
| MOB.11 | Encryption - Ensure communication between the mobile app and server components is over secure channels, i.e. TLS/HTTPS. | |
| MOB.12 | Re-purpose - Re-purpose | |
| MOB.13 | Parameter Sanitisation - Ensure user input, and output received from 3rd parties, is sanitised/validated before being consumed by the mobile app, to prevent attacks (e.g. SQL injection, cross-site scripting, buffer overflow). For example: input fields are checked for malicious statements that may pose a threat to downstream systems. | |
| MOB.14 | Sensitive Data - If sensitive information must be stored, use the platform mechanisms: the iOS Keychain stores small secrets (credentials, tokens, keys) as encrypted items, and the Android Keystore holds cryptographic keys inside a secure container (hardware-backed where the device supports it) without ever exposing the key material to the app. Neither is intended for large amounts of data: encrypt such data on the device with a key that is itself held in the Keychain/Keystore, and store only the ciphertext. | |
| MOB.15 | Cryptography - Cryptographic algorithms used must align to industry standards. | |
| MOB.16 | Secrets - Ensure no secrets, accounts or passwords are embedded in source code. | |
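The following Android example shows the pattern MOB.14 (with an algorithm choice that satisfies MOB.15) describes for data too large for the Keystore itself: a 256-bit AES-GCM key is generated inside the Android Keystore and never leaves it, and only the IV plus ciphertext is written to app-private storage. It is an added illustration, not code from this standard or from BUPA; the key alias and the file name are assumptions.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.io.File
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Added example for MOB.14 / MOB.15 (not part of the original standard).
// The data-encryption key is created in, and used from, the Android Keystore;
// the app only ever handles ciphertext on disk.
object SecureBlobStore {
    private const val KEYSTORE = "AndroidKeyStore"
    private const val KEY_ALIAS = "mob14_blob_key"   // assumed alias name
    private const val GCM_TAG_BITS = 128
    private const val IV_BYTES = 12                   // GCM IV length the Keystore produces

    // Returns the existing key, or generates a hardware-backed one on first use.
    private fun getOrCreateKey(): SecretKey {
        val ks = KeyStore.getInstance(KEYSTORE).apply { load(null) }
        (ks.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }

        val spec = KeyGenParameterSpec.Builder(
            KEY_ALIAS,
            KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
        )
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            // Keystore generates a fresh random IV per encryption; a caller may not
            // supply one, which rules out the catastrophic GCM nonce-reuse mistake.
            .setRandomizedEncryptionRequired(true)
            .build()

        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE)
            .apply { init(spec) }
            .generateKey()
    }

    // Layout on disk: IV (12 bytes) || ciphertext || GCM tag (16 bytes).
    fun encryptToFile(plaintext: ByteArray, target: File) {
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey())
        val ciphertext = cipher.doFinal(plaintext)
        target.writeBytes(cipher.iv + ciphertext)
    }

    fun decryptFromFile(source: File): ByteArray {
        val blob = source.readBytes()
        require(blob.size > IV_BYTES + GCM_TAG_BITS / 8) { "stored blob is too short" }
        val iv = blob.copyOfRange(0, IV_BYTES)
        val ciphertext = blob.copyOfRange(IV_BYTES, blob.size)
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.DECRYPT_MODE, getOrCreateKey(), GCMParameterSpec(GCM_TAG_BITS, iv))
        // Throws javax.crypto.AEADBadTagException if the file was modified on disk.
        return cipher.doFinal(ciphertext)
    }
}

// Usage from an Activity or Service (assumed file name):
// SecureBlobStore.encryptToFile(profileJson.toByteArray(), File(context.filesDir, "profile.bin"))
// val profileJson = String(SecureBlobStore.decryptFromFile(File(context.filesDir, "profile.bin")))
```

Because the key object is a Keystore handle, a debugger or a copy of the app's sandbox yields only ciphertext, which is the property MOB.14 asks for. For files large enough that `doFinal` on a single buffer is impractical, the same key can be used through a `CipherOutputStream`/`CipherInputStream`; the on-disk layout and the tamper check stay the same.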
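As an added example for MOB.10 (not code from this standard), the following shows certificate pinning for an Android app using OkHttp's `CertificatePinner`. Pins are base64 SHA-256 hashes of the certificate's Subject Public Key Info; the host name and both pin values below are placeholders that must be replaced with the real ones for the API being called.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import okhttp3.Request
import java.util.concurrent.TimeUnit

// Added example for MOB.10 (not part of the original standard).
object PinnedHttp {
    private const val API_HOST = "api.example.com"                     // assumed host
    private const val PRIMARY_PIN = "sha256/REPLACE_WITH_CURRENT_SPKI_HASH=" // placeholder
    private const val BACKUP_PIN = "sha256/REPLACE_WITH_BACKUP_SPKI_HASH="   // placeholder

    val client: OkHttpClient = OkHttpClient.Builder()
        .certificatePinner(
            CertificatePinner.Builder()
                // Pin the SPKI, not the whole certificate, so routine re-issuance with the
                // same key does not break the app. Always ship a backup pin whose private
                // key is held offline, so a key rotation cannot lock every installed client out.
                .add(API_HOST, PRIMARY_PIN, BACKUP_PIN)
                .build()
        )
        .connectTimeout(10, TimeUnit.SECONDS)
        .build()

    // Any TLS handshake whose chain contains neither pinned key fails with
    // javax.net.ssl.SSLPeerUnverifiedException before a request is sent.
    fun get(path: String): String {
        val request = Request.Builder().url("https://$API_HOST$path").build()
        client.newCall(request).execute().use { response ->
            check(response.isSuccessful) { "HTTP ${response.code}" }
            return response.body?.string().orEmpty()
        }
    }
}
```

The pin value for a live endpoint can be computed with `openssl s_client -connect host:443 </dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`. Pinning applies only to the app's own HTTP client; for third-party SDKs (the "where supported" clause of MOB.10) the pin has to be set through whatever mechanism that SDK offers, or via the platform network security configuration.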