The OWASP Top 10 Mobile Risks were first created in 2011. However, a lot has changed over the past three years. The mobile platforms themselves have evolved, mobile threats have evolved, and app developers have experimented with crazy new things. As a result, the OWASP Mobile Security Project decided it was time to take another look at the threat landscape. In this presentation, we will present the 2014 version of the OWASP Top 10 Mobile Risks for the first time. We will highlight the differences between the 2011 and 2014 versions and explain why some risks were added to the list, dropped altogether, elevated in criticality, or bumped down a few notches. As we present each risk that made the list, we will provide supporting data and explain the reasoning behind each entry in detail. But what would an OWASP presentation be without also providing solutions to the problems we’re pointing out? For each of the risks identified, recommended fixes will be provided for the most commonly used mobile platforms (which pretty much means iOS, Android, and, if we’re feeling adventurous, Windows Phone).
Jason Haddix

Jason is also the Director of Penetration Testing at Fortify Software. Jason performs (and trains internal candidates for) mobile penetration testing, black box web application auditing, network/infrastructure security assessments, cursory mainframe security analysis, cloud architecture reviews, wireless network assessment, binary reverse engineering, and static analysis. He is also a semi-regular player on the capture the flag team Shellphish, an academic hacking group based out of the University of California, Santa Barbara.

Jack Mannino

Jack Mannino is a Partner at nVisium, a DC area firm specializing in application security. At nVisium, he helps to ensure that large corporations, government agencies, and software startups have the tools they need to build and maintain successful security initiatives. He is an active Android security researcher/tinkerer, and has a keen interest in identifying security issues and trends on a large scale. Jack is a leader and founder of the OWASP Mobile Security Project. He is the lead developer for the OWASP GoatDroid project, and is the chairman of the OWASP Northern Virginia chapter.