Mobile Application Threat Modeling.
Step 1: Describe Your Mobile Application Architecture
In your role as a cyber threat analyst, senior management has entrusted you to identify how a particular mobile application of your choosing conforms to mobile architecture standards. You are asked to:
1. Describe device-specific features used by the application, wireless transmission protocols, data transmission media, interaction with hardware components, and other applications.
2. Identify the needs and requirements for application security, computing security, and device management and security.
3. Describe the operational environment and use cases.
4. Identify the operating system security and enclave/computing environment security concerns, if there are any.
These resources will guide you in completing this task:Architecture Considerations.
Although mobile applications vary in function, they can be described in general as follows:
• wireless interfaces
• transmission type
• hardware interaction
• interaction with on device applications/services
• interaction with off device applications/services
• encryption protocols
• platforms
In Section 1 of your research report, you will focus your discussion on the security threats, vulnerabilities, and mitigations of the above considerations.
Include an overview of these topics in your report.
Use Mobile Application and Architecture Considerations to review the architectural considerations for mobile applications and architecture. Then, include those that are relevant to your mobile application in your report to senior management. Address the following questions:
1. What is the design of the architecture (network infrastructure, web services, trust boundaries, third-party APIs, etc.)?
2. What are the common hardware components?
3. What are the authentication specifics?
4. What should or shouldn’t the app do?
You will include this information in the report.
Step 2: Define the Requirements for Your Mobile Application
In Step 2, you will define what purpose the mobile app serves from a business perspective and what data the app will store, transmit, and receive. Include a data flow diagram to showing exactly how data are handled and managed by the application. You can use fictional information or model it after a real-world application. Here are some questions to consider as you define your requirements:
1. What is the business function of the app?
2. What data does the application store/process? (provide data flow diagram)
a. This diagram should outline network, device file system, and application data flows
b. How are data transmitted between third-party APIs and app(s)?
c. Will there be remote access and connectivity? Read this resource about mobile VPN security, and include any of these security issues in your report.
d. Are there different data-handling requirements between different mobile platforms? (iOS/Android/Windows/J2ME)
Does the app use cloud storage APIs (e.g., Dropbox, Google Drive, iCloud, Lookout) for device data backups?
f. Does personal data intermingle with corporate data?
g. Is there specific business logic built into the app to process data?
3. What does the data give you (or an attacker) access to? Think about data at restand data in motion as they relate to your app.
a. Do stored credentials provide authentication?b.
b. Do stored keys allow attackers to break crypto functions (data integrity)?