Module 9a · Mobile Security
Security Champions · Module 9a
Mobile Application Security
Threats and controls for the mobile attack surface. Part 1 of 2 — OWASP Mobile Top 10.
1 / 17
Your journey · Program map
Your journey so far
9 modules. One toolkit. You are at Module 9.
Context
Your toolkit · So far
What you already have
Modules 1–8
M1–8
The full Champion toolkit
Role clarity, sprint workflow, risk vocabulary, threat modeling, supply chain, secrets, config, IR
M4
Find risks → prioritize → file tickets
Systematic threat hunting → actionable output
M5–7
Prevent: supply chain, secrets, config controls
Three layers of defense
M8
Respond when they get through: PICERL
Prepare → Identify → Contain → Eradicate → Recover → Learn
Context
Module 9 · The platform-specific layer
The platform-specific layer
Everything from Modules 1–8 applies to mobile. This module adds the platform-specific layer.
Mobile has a unique trust model: the client device is untrusted — hardware you don't own, network you don't control, apps you can't see.
This module adds three things:
1
Mobile Top 10 + MASVS
The verification framework purpose-built for mobile
2
Four developer pitfalls
The mistakes that cause most mobile security failures
3
Final module → Challenge Bank
After this, the Challenge Bank synthesizes all 9 modules into one toolkit
Context
Act 1 · Why mobile matters
More than just an app
Mobile security today covers an entire system — client code, backend APIs, CI/CD pipelines, cloud infrastructure, third-party SDKs, and platform configurations. Each layer requires its own security controls.
The shift has been dramatic: supply chain attacks targeting mobile SDKs increased more than 600% in three years. The OWASP Mobile Top 10, updated in 2024, reflects a fundamentally different threat landscape.
If your security program treats mobile as "just another frontend," it's missing the attack surfaces that matter most — supply chain, cloud misconfiguration, and credential management.
2 / 17 · Landscape
Act 1 · Pattern in the Top 10
A pattern in the Top 10
The Mobile Top 10 risk names use two recurring words that reveal different categories of failure:
Insecure (communication, data storage, auth) — the absence of controls. Nobody applied any protection. No TLS, no encryption, no auth check.
Insufficient (validation, binary protections, cryptography) — controls exist but aren't strong enough. Encryption is present but uses a weak algorithm. Validation runs but misses injection vectors.
The first category is a planning failure. The second requires understanding where the sufficiency threshold is — which comes from threat modeling.
3 / 17 · Patterns
Map · OWASP Mobile Top 10 (2024)
OWASP Mobile Top 10 (2024)
M1
Improper Credential Usage
M2
Supply Chain
M3
Auth / Authz
M4
Insufficient Validation
M5
Insecure Communication
M6
Inadequate Privacy
M7
Binary Protections
M8
Misconfiguration
M9
Insecure Storage
M10
Insufficient Crypto
Absent controls
Weak controls
Misused controls
Three categories of failure — absent, weak, and misused controls — each requiring a different response. Tap any card for details.
Notice — M2 (Supply Chain) is brand new in the 2024 update. The threat landscape has fundamentally shifted since 2016.
Time to think and reflect
Act 2 · M1 · Credential usage
The #1 mobile risk
Over 50% of analyzed mobile applications in 2024 contained hardcoded secrets — API keys, tokens, or passwords in source code, config files, or build scripts.
A common misconception: obfuscation provides protection. Splitting a key across variables, Base64-encoding it, or hiding it in resource files feels secure. But compilers optimize code, and decompilation tools reassemble the full value regardless of how it was split.
Use platform-level secure storage: Android Keystore and iOS Keychain. These are hardware-backed or TEE-backed and significantly more trustworthy than application-level storage. For remote credentials, establish a trusted session and store received tokens in the platform keychain — never in
SharedPreferences, NSUserDefaults, or plaintext SQLite.5 / 17 · M1
Visual · What attackers see
What Attackers See
jadx — decompiled binary output
; Decompiled iOS binary — credential initialization
ADRP X8, #classRef_INMAWSCredentials@PAGE
LDR X0, [X8, #classRef_INMAWSCredentials@PAGEOFF]
BL _objc_alloc
ADRL X2, cfstr_Ak████████yp ; "AK██████████ZA"
ADRL X3, cfstr_Yb████████2p ; "yb████████C6"
BL _objc_msgSend$initWithAccessKey_secretKey_
Decompiled iOS binary. AWS access key and secret key visible as string constants. Obfuscation didn't help.
This is what an attacker sees after 5 minutes with a decompilation tool. Every hardcoded credential is readable.
Notice — the highlighted lines contain real credential patterns. The structure is identical in production binaries.
Time to think and reflect
Act 2 · M2 · Supply chain
A new entry in the Top 10
Inadequate supply chain security was added to the Mobile Top 10 specifically because of SolarWinds-style attacks reaching mobile SDKs. Modern mobile apps can't be built from scratch — every framework and package is a trust decision.
Misspell a package name by one character, and the misspelled version may already exist with malicious code. Your pipeline doesn't error because the package is real — just not the one you intended. Test this: generate probable typosquatting variants of your dependencies and check which already exist as published packages.
An emerging vector: attackers publish knowledge repositories (Obsidian vaults, Notion pages) with genuine technical content but embedded prompt injections. When a developer's AI agent processes this content, the injection produces compromised code. Supply chain risk now extends beyond code dependencies to the AI tools your team uses.
7 / 17 · M2
Act 2 · M3 · Auth / Authz
Broken flows
Most mobile auth/authz failures come from distributed logic — authorization decisions spread across microservices with inconsistencies between them. IDOR and BOLA are the common results.
A practical mitigation: develop auth as a separate, reusable package that every microservice imports. One codebase for all auth logic, tested centrally, used consistently.
A particularly common misconfiguration: servers accepting JWT tokens with the
none algorithm — effectively accepting tokens with no signature verification. This should be on every backend configuration checklist.Mobile biometric authentication can be bypassed via runtime hooks (Frida) if it relies on client-side logic. Always use platform APIs (
BiometricPrompt, LocalAuthentication) — and treat biometrics as one factor, not the only factor for sensitive operations.8 / 17 · M3
Visual · The mobile trust boundary
The Mobile Trust Boundary
Untrusted
📱
Client code
Local storage
User input
Biometric checks
Local storage
User input
Biometric checks
Everything here can be bypassed, decompiled, or tampered with.
Trust Boundary
Trusted
🖥️
Backend API
Server-side auth
Platform Keychain
Keystore
Server-side auth
Platform Keychain
Keystore
Enforce everything here.
Platform security APIs bridge the gap — hardware-backed storage crosses into the trusted zone.
The client device is untrusted territory. Platform APIs and server-side enforcement are the only reliable controls.
Notice — the red dot gets blocked at the boundary. The green dot passes through. That's the entire story of mobile security architecture.
Time to think and reflect
Act 2 · M4 · Validation
The client lies
Mobile apps are thick clients on untrusted devices. Any validation performed only on the client — input length, format checks, business rule enforcement — can be bypassed by intercepting the request with a proxy like Burp Suite or Charles Proxy.
The rule is absolute: every input check must be duplicated on the backend. Client-side validation is a UX convenience, not a security control. Treat the client as a helpful but untrustworthy middleman.
An e-commerce app calculates the total on the client and sends it to the backend. An attacker intercepts the request, changes the total from $299 to $0.01, and the backend processes the order because it trusted the client's calculation. The fix: recalculate server-side. Never trust a number the client sends if it affects money, permissions, or access.
13 / 23 · M4
Act 2 · M5 · Communication
One flag away from exposure
Some apps still ship with App Transport Security disabled or with
android:usesCleartextTraffic="true" in the manifest. Both allow cleartext HTTP, exposing every request to network-level interception. These are configuration flags checkable with a simple manifest review.Beyond the basics, mobile communication has a second layer of risk: certificate pinning failures. Without pinning, an attacker who installs a custom CA certificate on the device can intercept all HTTPS traffic — the OS trusts the attacker's certificate.
iOS: search
Info.plist for NSAppTransportSecurity — if NSAllowsArbitraryLoads is true, ATS is disabled. Android: check AndroidManifest.xml for usesCleartextTraffic and review network_security_config.xml for custom trust anchors. Both checks belong in your CI/CD pipeline as automated gates.14 / 23 · M5
Act 2 · M6 · Privacy
What you declare vs what you collect
iOS now requires a privacy manifest (
PrivacyInfo.xcprivacy) declaring exactly which data the app collects and why. Android's Data Safety section in the Play Store serves a similar purpose. Both create a contract between the app and its users.The security champion's role: ensure the technical implementation matches the declared privacy posture. If the manifest says "no tracking," but a third-party SDK sends device fingerprints to an ad network, that's a compliance violation — and increasingly, a legal liability under GDPR and state privacy laws.
Most privacy violations aren't intentional — they come from SDKs the team didn't audit. An analytics SDK collects location data. A crash reporter logs user email addresses. A push notification library stores device tokens with personally identifiable metadata. Every SDK is a privacy decision. Apple now requires privacy manifests from SDK authors too, but enforcement is inconsistent — your team still needs to verify.
15 / 23 · M6
Act 2 · M7 · Binary protections
When decompilation takes minutes
Android apps can be decompiled with jadx in minutes, exposing business logic, API endpoints, and hardcoded keys. Standard protections include ProGuard/R8 and runtime integrity checks.
For truly critical code, a more advanced approach exists: embedding a lightweight virtual machine with custom bytecode inside the application. Critical logic is compiled to the VM's instruction set, not standard Java bytecode. Decompilation shows the VM interpreter but not the business logic it executes.
VM protection adds overhead. Use it only for code sections where reverse engineering would cause material business damage (financial algorithms, DRM, proprietary logic) — not for the entire application.
16 / 23 · M7
Act 2 · M8 · Misconfiguration
The defaults will betray you
Debug mode left on in production. Verbose error messages that expose stack traces to the client. Unnecessary permissions requested in the manifest. ADB backup enabled. Every one of these is a single configuration flag, and every one ships to production more often than teams expect.
The fix isn't awareness — it's automation. Each of these checks belongs in a CI/CD gate that blocks the build before it reaches the store. A human reviewer will eventually miss one. A pipeline check won't.
Android:
debuggable=false, allowBackup=false, usesCleartextTraffic=false, minimal permissions, ProGuard/R8 enabled. iOS: ATS enabled (no exceptions), no NSAppTransportSecurity bypasses, no test entitlements in release builds. Both: strip logging statements, disable verbose error responses, remove test endpoints from production API routing.17 / 23 · M8
Act 2 · M9–M10 · Storage & Crypto
Data at rest
M9 — Insecure data storage. Sensitive data written to SD cards, leaked into system logs via
NSLog or Log.d, or stored in unencrypted local databases. The platform provides secure alternatives — Keychain and Keystore — but teams default to the easier path.M10 — Insufficient cryptography. The failure isn't choosing encryption — it's choosing it wrong. Static initialization vectors, deprecated algorithms like MD5 or SHA-1 for hashing passwords, custom crypto implementations nobody audits.
The most common leaks: clipboard (sensitive data copied stays accessible to other apps), screenshots (iOS takes a screenshot when backgrounding — if sensitive data is visible, it's cached), keyboard cache (autocomplete suggestions store typed passwords), and backup files (iCloud/Google backups include app data unless explicitly excluded). Each needs a specific mitigation.
Define your cryptographic standard early — which algorithms, which libraries, which key sizes. Use AES-256-GCM, PBKDF2 or Argon2 for key derivation, and platform APIs for random number generation. A short checklist prevents the majority of crypto failures.
18 / 23 · M9–M10
Knowledge check · Credential obfuscation
Knowledge check
A developer obfuscates an API key by splitting it across three variables and Base64-encoding each part. How effective is this protection against a determined attacker?
Correct: C. Compilers optimize away the splitting, and tools like jadx or IDA Pro reassemble string constants regardless of source-code structure. The correct approach is to avoid storing the key in the binary entirely — use platform keystores or server-side credential management.
19 / 23 · Quiz
Visual · Mobile defense layers
Mobile Defense Layers
🎯
Design
Threat model
Data classification
Data classification
→
🔧
Develop
Platform APIs
Auth package
Auth package
→
🏗️
Build
SAST
Secret detection
Secret detection
→
🚀
Deploy
Cloud scanning
Rules review
Rules review
→
📊
Monitor
Crash reporting
Anomaly detection
Anomaly detection
Security at every layer. A failure at any single layer shouldn't compromise the whole system — the cascade illuminates the handoff between stages.
Notice — the glow travels left to right. That's the order security decisions flow through a mobile release cycle.
Time to think and reflect
Summary · Part 1
What you covered
01: Mobile security is full-stack — client, backend, CI/CD, cloud, and SDKs all require dedicated controls.
02: "Insecure" means absent controls; "insufficient" means weak controls. The distinction determines whether you add security or strengthen what exists.
03: Over 50% of apps have hardcoded secrets. Platform keychain/keystore is the solution — not obfuscation.
04: Supply chain risks now include AI knowledge base poisoning alongside traditional dependency attacks.
05: The client is always untrusted. Platform APIs and server-side enforcement are the only reliable defenses.
21 / 23 · Summary
Module 9a · Your score
Part 1 Results
Calculating...
22 / 23 · Score
Next · Part 2
Next
MASVS, Developer Pitfalls & Action Plan
Part 2: using the MASVS framework as a practical checklist, avoiding common developer mistakes, and building your mobile security action plan.
23 / 23 · Bridge
↻ Retake the module
Reset all progress and start over?
This will clear your XP, quiz answers, and wagers. The module returns to the cover slide.
⏸ Pause to reflect