Guidelines for testing and securing mobile apps
There are multiple organizations providing guidelines for testing and securing mobile apps. The most common ones include OWASP Mobile Top 10 and Veracode Mobile App Top 10. Additionally, there are also guidelines from Google itself on how to secure Android apps by showing examples of what not to do. Having knowledge on these guidelines is important in order to understand what to look for during a penetration test.
Let's have a brief look at OWASP Mobile Top 10 Vulnerabilities.
OWASP Top 10 Mobile Risks (2014)
The following diagram shows the OWASP Top 10 Mobile Risks, which is a list of top 10 mobile app vulnerabilities released in 2014. This is the latest list as of writing this book:
The following are the top 10 vulnerabilities and we will have a deeper look into each of these vulnerabilities in the following sections:
M1: Weak Server-Side Controls
M2: Insecure Data Storage
M3: Insufficient Transport Layer Protection
M4: Unintended Data Leakage
M5...