OWASP Vilnius - 2023 November Meetup


Author: Kajus

5 minutes read

Autumn

A few weeks back, it was still November, but already not the pretty kind - the autumn leaves and colors faded away so quickly, and all of a sudden it was dark and cold. However, a post popped up which brightened the day - there was a call for presenters for the OWASP Vilnius meetup. It doesn't happen that often, and this was supposed to be the second real-life meetup after Covid, so I did not hesitate and offered my help. Having spent the last 2 years working closely on a product that is a mobile app, I figured it would make sense to talk about mobile stuff. My talk was titled "Mobile Top 10: What's new for 2023 & Experiences from the Field".

The Talks

The meetup itself was held in an outer city area, which I don't get to often. It was dark and cold, with not a lot of street lights, so it was a bit tricky to figure out where the entrance was. However, after a bit of strolling, we managed to find the entrance to the Faculty of Mathematics and Informatics of Vilnius University. It was a typical university auditorium, with bright lights and squeaky chairs.

The first speaker was a lecturer and a Doctor of Law, and the talk was about the current state and perspectives of AI systems regulation. It was an interesting overview of the situation at the moment: different governments are trying to come up with AI regulations to make sure the systems are safe and respect fundamental rights, while the interest of the businesses and organizations involved is that these regulations don't hinder the development, progress and innovation of AI technologies. At the time of writing, I realized that the European Council has actually just come up with what seems to be a draft of these regulations - it's called the "Artificial Intelligence Act".

Next up was me - I dimmed the lights, gave a bit of context / intro on how mobile has changed over the years, and continued to walk through the OWASP Mobile Top 10 items. My idea for the presentation was to explain the Mobile Top 10 in simple terms and, at the same time, provide some real-world examples from my experience in the field.

The Mobile Top 10 is already quite abstract, but I tried to summarize it even more. While the mobile world has its specifics when it comes to security, in the end, similar principles apply as in other security areas. In addition to technical examples of how to exploit and mitigate the top 10 items, I added a few points that come to my mind when I think about mobile app security:

  • The client side should not be trusted blindly by the backend. It's a security boundary. As was well put in (maybe?) the first Mobile Top 10 talk, in the mobile world, developers now not only have to write the server, but the browser too. The client app can be manipulated and reversed, functions can be hooked, and secrets can end up hardcoded. In the end, it's better just not to trust what happens on the client side. Shifting certain actions to the backend, depending on the architecture, might solve a good amount of security issues.
  • Input needs to be validated: it's an obvious truth, and still very much valid for mobile. Imagine a deep link which the app does not validate correctly. Think about what functionality can be reached via a deep link. There is a plethora of things that could result in security problems.
  • Test often: another security axiom, but for mobile apps I find it even more important. Vulnerable dependencies, supply chain issues, and new mobile-specific types of attacks are just a few of the potential problems. In addition, not every pentester necessarily has pentest skills specialized in mobile, so frequent tester rotation is also needed.
  • Corner cutting: it's something that happens in the mobile development world, where things usually need to go fast. It's a rivalry - security at the price of performance; fast product development vs security "brakes". By cutting corners I mean stuff like skipping security reviews, or implementing solutions that have not been properly tested for security but fall within the risk tolerance for now. It's the lack of sound architectural decisions, which will bite back later, i.e. it will be expensive to fix. What's the remedy? I think security automation, scaling, and advocating for an architecture built with a security-first mindset.
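To make the deep-link point concrete, here is an added example (my own illustration, not code from the talk or from any real app) of a strict deep-link validator: allowlisted scheme and host, a fixed route table, every parameter checked against a rule, and anything unexpected rejected. The `exampleapp://` scheme, host, routes and parameter rules are constructed for this example; the same logic applies whether the check runs in the app or, better, again on the backend.

```python
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist for this example: only links we actually own.
ALLOWED_SCHEMES = {"https", "exampleapp"}
ALLOWED_HOSTS = {"app.example.com"}


def is_numeric_id(value: str) -> bool:
    # Plain digits only, and a sane length, so nothing exotic reaches the handler.
    return value.isdigit() and len(value) <= 18


def is_same_origin_url(value: str) -> bool:
    # A "next"/redirect parameter must point back to our own host, never elsewhere.
    u = urlsplit(value)
    return u.scheme == "https" and u.hostname in ALLOWED_HOSTS


# Route table (constructed): path -> required parameters and their validators.
ROUTES: Dict[str, Dict[str, Callable[[str], bool]]] = {
    "/order": {"id": is_numeric_id},
    "/login": {"next": is_same_origin_url},
}


def validate_deep_link(link: str) -> Optional[dict]:
    """Return {'path': ..., 'params': {...}} for a link we are willing to act on,
    or None for anything that does not match the allowlist exactly."""
    u = urlsplit(link)
    if u.scheme not in ALLOWED_SCHEMES or (u.hostname or "") not in ALLOWED_HOSTS:
        return None
    rules = ROUTES.get(u.path)
    if rules is None:
        return None  # unknown route: do not guess, do not fall through to a default
    qs = parse_qs(u.query, keep_blank_values=True)
    if set(qs) != set(rules):
        return None  # missing or extra parameters are rejected, not passed through
    clean = {}
    for name, check in rules.items():
        values = qs[name]
        if len(values) != 1 or not check(values[0]):
            return None  # duplicated or malformed parameter
        clean[name] = values[0]
    return {"path": u.path, "params": clean}
```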

The event finished up with another speaker sharing his experience from the field as well - how do pentesters collaborate and exchange information on who has been tested by whom? To me, the main idea was that the system doesn't matter too much as long as there is a clear, concise and detailed way to share the information that both sides have agreed on, so that the knowledge transfer is smooth.

Till Next Time

Shout-out to the OWASP Vilnius Chapter for organizing the event. Quality events and meetups like this between infosec enthusiasts in Lithuania are a much-needed breath of fresh air. I was pleasantly surprised by the range of ages of the attendees, and by a few curious questions / discussions I had after the talk. There is curiosity and hunger for information security topics and knowledge, which is fantastic.

Quotes

I'm wearing an A Place to Bury Strangers t-shirt, if you're curious