
International Journal of Applied Engineering Research ISSN 0973-4562 Volume 13, Number 18 (2018) pp. 13603-13609
© Research India Publications. http://www.ripublication.com

A Conceptual Exploration for the Safe Development of Mobile Devices Software Based on OWASP

Celio Gil, Luis Baquero and Miguel Hernández
Fundación Universitaria Los Libertadores, Bogotá D.C., Colombia.

Abstract
The main objective of this article is to highlight the importance of the OWASP secure development guidelines (software methodologies) for mobile applications, where security is conceived as a desirable property in the assurance of the quality of a secure mobile software product. Currently, the proliferation of devices has led security to be understood as the protection and mitigation of risks at the level of the system and its architecture, implemented during the development of applications and their operation. Thus, the OWASP secure mobile development guidelines are considered, which are linked to the top 10 security vulnerabilities and their implementation in the most affected functionalities, such as user authentication and password management, code obfuscation, payment control and information storage, among others. According to the trends outlined, we consider ourselves to be facing the emergence of what some researchers call security engineering, as a complement to secure software engineering, whose scope includes, among others, security requirements, the security model and the development of secure software, and whose main objective as a research field is the production of techniques, methods, processes and tools that integrate the principles of security engineering and quality, and that allow software developers to analyze, design, implement, test and deploy secure software systems.

Keywords: Information Security, Methodologies, Mobile Devices, OWASP, Secure Software.

INTRODUCTION
Due to the great boom and growth of mobile applications, security is conceived as a desirable property for assurance and is part of the set of attributes to be considered in order to determine the quality of a software product. Currently, the proliferation of devices has led security to be understood as the protection and mitigation of risks at the level of the system and its architecture, implemented during the development of applications and their operation. Mobile devices are also increasingly used in everyday life, and this increase is consequently reflected in the demand for application development; to illustrate this, Figure 1 shows the increase in mobile data traffic [1].

Figure 1. Growth of mobile global traffic (CISCO, 2017).

In the same way, and contributing to what has been indicated above, new trends that boost the use of mobile devices are also highlighted, based on the study carried out by the IBSG (Internet Business Solutions Group) of CISCO [2], which shows the trend towards increasing use of mobile devices in organizations. This trend, known as BYOD (Bring Your Own Device), shows that companies expect this behavior to increase for work purposes [2], as indicated in Figure 2.

Figure 2. Projection of companies that expect the increase of BYOD in the coming years by country (Corey, 2014).

Taking the above into account and observing the proliferation of these devices, attacks on this type of terminal have also increased; Figure 3 shows the distribution of threat types [16], where the most representative item is RiskTool, malware whose function is to hide files in the system, terminate running processes and hide applications.


Figure 3. Distribution by types of malware on mobile devices (SecureList, 2016).

As previously stated, this malicious software, called malware, takes advantage of weaknesses in both the operating system and the architecture of applications, because in some cases security guidelines are not applied and the vulnerabilities to which the developed application (or the one to be developed) may be exposed are not evaluated [3]. Accordingly, the objective of this article is to provide indications for applying the OWASP (Open Web Application Security Project) secure mobile development guidelines to the most relevant functionalities according to the Top 10, which is periodically updated, since this community specializes in the survey of vulnerabilities and security testing for different technological platforms, and its Top 10 vulnerabilities is one of the most important references in the field of security for this type of equipment and other technologies.

SAFE SOFTWARE DEVELOPMENT METHODOLOGIES
Software is typically an intangible element, and that is why Systems Engineering has evolved by developing publications, techniques and methods oriented to the construction of secure systems. All of this has formed the "Engineering of Secure Systems", a discipline that deals with the construction of systems that must keep functioning as expected in the face of malice, error, or chance [16]. Like any discipline, it focuses on the instruments, processes and methods used to design, implement and test complete systems, and to adapt existing systems to their environment.

The systems engineering activities involved in the construction of secure systems are: (1) the development of system security requirements; (2) the development of secure system designs; (3) the integration of subsystem components; (4) system and subsystem tests [16].

On the other hand, there are several methodologies that establish a series of steps in search of more secure software capable of resisting attacks. These include Correctness by Construction (CbyC), Security Development Lifecycle (SDL), Cigital Touchpoints, Common Criteria, Comprehensive Lightweight Application Security Process (CLASP) and TSP-Secure.

Agile methods allow iterative development, with continuous delivery cycles and permanent contact with the client, allowing the company's risk managers, certifiers and personnel responsible for security policies to be included as stakeholders [17]. Nevertheless, the mentioned methodologies tend to focus on improving software quality, reducing the number of defects and complying with the specified functionality [18]; nowadays it is also necessary to deliver a product that guarantees a high degree of security [19].

MODELING SECURITY THREATS
To carry out threat analysis and assessment, different models can currently be used, such as the SDL (Security Development Lifecycle) threat modeling tool [4], which allows developers to identify and mitigate security flaws. Figure 4 describes the cycle used by this tool.

Figure 4. SDL threat modeling process (Microsoft, 2016).

In the same way, OWASP proposes a threat analysis model which should be applied throughout the application development life cycle, since as this cycle is executed the threats or vulnerabilities found are examined, identified and mitigated [5].

During the modeling of these threats there are three high-level steps that must be carried out to implement this model:

• Decompose the application: a sweep of the application must be done to know it and identify the relationships or interactions it has with the outside and with the environment in which it will run, the information inputs and outputs, which types of data it will manage, and how information is managed and stored. This will identify several threats, which are then categorized and ranked.

• Rank the threats: once the different threats are identified, it is important to assign them a hierarchy, which can be done using different models such as STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) [6], which helps identify threats in the components of a system from the attacker's point of view according to their categories, allowing the creation of attack trees [7], which help identify threats and the causes of each of them. The DREAD model (Damage, Reproducibility, Exploitability, Affected users, Discoverability) can also be used, which helps weigh the identified threats according to their risk [7]. Another model for ranking threats and their risks is OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), which can be an option when assessing threats and their risks, since it validates according to availability, confidentiality and the type of asset affected (asset: any information or element related to it), in this case the mobile application developed or to be developed [8].

• Mitigate the threats: after ranking the threats, a mitigation map is made in which each threat is assigned the action taken to mitigate it.

It is important to highlight that each of these steps must be documented and communicated to the interested parties, indicating how the mitigations are carried out and the follow-up to identify the status of each one of them.

As seen above, these steps help to give the application security not only at the code level but also in each of the stages of the application's life cycle. This same technique has been applied by OWASP to identify the vulnerabilities in mobile devices, which are shown below.

OWASP SECURITY VULNERABILITIES
As indicated above, the OWASP Top 10 is a summary of vulnerabilities found in mobile applications, which are illustrated in Table 1:

Table 1. Top 10 vulnerabilities (OWASP, 2016).

M1 - Improper use of the platform: This category covers the improper use of the platform or the non-use of security controls: platform permissions, undue use of TouchID, password services (iOS Keychain) or some other security control that is part of the mobile operating system.

M2 - Insecure data storage: This new category combines M2 and M4 of the Mobile Top Ten 2014. It covers insecure storage of data and unintended data leaks.

M3 - Insecure communication: This covers poor handshaking, incorrect SSL versions, weak negotiation, unencrypted communication of sensitive data, etc.

M4 - Insecure authentication: This category captures the notions of end-user authentication or incorrect session management. It may include:
  • not identifying the user at all when necessary;
  • failure to maintain the user's identity when required;
  • weakness in session handling.

M5 - Insufficient cryptography: The code applies cryptography to a sensitive information asset; however, the cryptography is insufficient in some way. Keep in mind that anything related to TLS or SSL belongs under M3. Also, if the application does not use cryptography at all when it should, the issue probably belongs under M2.

M6 - Insecure authorization: This category captures any authorization failure (for example, authorization decisions on the client side, forced browsing, etc.). It is different from authentication problems (for example, device registration, user identification, etc.).

M7 - Client code quality: This captures all the implementation problems at the code level in the mobile client. It is different from server-side coding errors. It would capture things like buffer overflows, format string vulnerabilities and various other code-level errors where the solution is to rewrite some code that runs on the mobile device.

M8 - Code tampering: This category covers binary patching, modification of local resources, method hooking, method swizzling and dynamic memory modification. Once the application is delivered to the mobile device, the code and data resources are resident there. An attacker can directly modify the code, dynamically change the contents of memory, change or replace the system APIs used by the application, or modify the application's data and resources.

M9 - Reverse engineering: This category includes the analysis of the final binary to determine its source code, libraries, algorithms and other assets. Software such as IDA Pro, Hopper, otool and other binary inspection tools give the attacker a view of the application's internal operation. This can be used to exploit other nascent vulnerabilities in the application, as well as to reveal information about back-end servers, cryptographic constants and ciphers, and intellectual property.

M10 - Extraneous functionality: Often, developers include hidden backdoor functionality or other internal security controls that are not intended to be put into a production environment. For example, a developer may accidentally include a password as a comment in a hybrid application. Another example is disabling two-factor authentication during testing.
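The following is an added example, not code from the paper or from OWASP, that carries the "rank the threats" and "mitigate the threats" steps of the threat modeling section through in code, using the categories of Table 1 as the labels for each threat. Each threat carries a STRIDE letter, the Top 10 item it falls under and the five DREAD factor scores; the risk is the DREAD average, the list is sorted by it, and a mitigation map flags any threat that still has no action assigned. The Threat class, the sample threats, their scores and the mitigation texts are all constructed for the illustration and are not taken from the paper.

```python
"""Rank modeled threats with DREAD and build a mitigation map.

Added example (not code from the paper or from OWASP). Each threat carries a
STRIDE category and the OWASP Mobile Top 10 item from Table 1 it maps to, is
scored with the five DREAD factors, and the result is a ranked list plus a
threat -> mitigation map. Threats, scores and mitigations are constructed
sample data for a hypothetical mobile banking app.
"""
from dataclasses import dataclass, field

# DREAD factor names, in the order the paper lists them.
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")

# STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure,
# Denial of Service, Elevation of Privilege.
STRIDE = {"S", "T", "R", "I", "D", "E"}


@dataclass
class Threat:
    name: str
    stride: str                                  # one STRIDE letter
    owasp_item: str                              # e.g. "M2" from Table 1
    dread: dict = field(default_factory=dict)    # factor -> score 1..10
    mitigation: str = ""                         # empty until decided

    def __post_init__(self):
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.stride!r}")
        missing = set(DREAD_FACTORS) - set(self.dread)
        if missing:
            raise ValueError(f"{self.name}: missing DREAD factors {sorted(missing)}")
        for factor, score in self.dread.items():
            if not 1 <= score <= 10:
                raise ValueError(f"{self.name}: {factor} must be 1..10")

    def risk(self) -> float:
        """Average of the five DREAD scores (the usual DREAD rating, 1..10)."""
        return sum(self.dread[f] for f in DREAD_FACTORS) / len(DREAD_FACTORS)


def rank_threats(threats):
    """Return the threats sorted highest risk first (the 'rank' step)."""
    return sorted(threats, key=lambda t: t.risk(), reverse=True)


def mitigation_map(threats):
    """Threat name -> mitigation, flagging threats that still lack one."""
    return {t.name: (t.mitigation or "MITIGATION PENDING") for t in threats}


# Constructed sample threats (not from the paper).
SAMPLE_THREATS = [
    Threat("Session token stored in plaintext on the device", "I", "M2",
           dict(damage=8, reproducibility=9, exploitability=7,
                affected_users=9, discoverability=6),
           "Store the token in the platform keystore and wipe it at logout"),
    Threat("Login endpoint accepts a 4-digit PIN with no lockout", "S", "M4",
           dict(damage=7, reproducibility=10, exploitability=8,
                affected_users=8, discoverability=8),
           "Require a password policy or second factor and rate-limit attempts"),
    Threat("Debug backdoor left in the release build", "E", "M10",
           dict(damage=10, reproducibility=5, exploitability=5,
                affected_users=10, discoverability=3),
           ""),   # no mitigation decided yet -> flagged by mitigation_map
    Threat("Crash log includes the account number", "I", "M2",
           dict(damage=4, reproducibility=6, exploitability=3,
                affected_users=2, discoverability=4),
           "Redact identifiers before writing logs"),
]


def report(threats=SAMPLE_THREATS):
    """Ranked (name, owasp_item, risk) tuples, highest risk first."""
    return [(t.name, t.owasp_item, round(t.risk(), 1))
            for t in rank_threats(threats)]


if __name__ == "__main__":
    for name, item, risk in report():
        print(f"{risk:4.1f}  {item:<4} {name}")
    for name, action in mitigation_map(SAMPLE_THREATS).items():
        print(f"- {name}: {action}")
```

Averaging the DREAD factors is the simplest weighting; a team that wants Damage or Affected users to dominate can replace risk() with a weighted sum without touching the ranking or the mitigation map, and the "MITIGATION PENDING" marker is what the follow-up step of the paper (documenting the status of each threat) would report on.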
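As an added example for the M5 row of Table 1 (insufficient cryptography) and the M2/M4 rows it borders on, the following code, which is not from the paper or from OWASP, contrasts two ways a mobile client might verify a locally stored credential: an unsalted fast hash with an ordinary string comparison, beside a per-user salt, a slow key derivation and a constant-time comparison. Only the Python standard library is used; the user names, passwords and the PBKDF2 iteration count are constructed or assumed values, and the weak store exists only to make the defect observable.

```python
"""Insufficient versus adequate cryptography for a stored credential.

Added example (not code from the paper, OWASP or any library). Contrasts a
deliberately weak credential store (Table 1, M5) with a hardened one using
only the standard library. Sample users, passwords and the iteration count
are constructed/assumed values.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 310_000   # assumption: a sensible floor; raise it over time


class WeakCredentialStore:
    """M5 anti-pattern: unsalted fast hash plus a non-constant-time compare."""

    def __init__(self):
        self._records = {}

    def register(self, user, password):
        self._records[user] = hashlib.md5(password.encode()).hexdigest()

    def verify(self, user, password):
        stored = self._records.get(user)
        # plain '==' on the hex digest; identical passwords share a digest
        return stored is not None and stored == hashlib.md5(password.encode()).hexdigest()


class HardenedCredentialStore:
    """Per-user random salt, slow KDF (PBKDF2-HMAC-SHA256), constant-time compare."""

    def __init__(self, iterations=PBKDF2_ITERATIONS):
        self._records = {}
        self._iterations = iterations

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self._iterations)

    def register(self, user, password):
        salt = os.urandom(16)                       # fresh salt per user
        self._records[user] = (salt, self._derive(password, salt))

    def verify(self, user, password):
        record = self._records.get(user)
        if record is None:
            return False
        salt, expected = record
        return hmac.compare_digest(expected, self._derive(password, salt))


def same_password_same_digest(store_cls):
    """True when two users with the same password get identical stored values.

    This is the observable consequence of the missing salt: whoever reads the
    storage (the M2 leak) can see which accounts share a password.
    """
    store = store_cls()
    store.register("alice", "correct horse battery staple")   # constructed sample
    store.register("bob", "correct horse battery staple")
    return store._records["alice"] == store._records["bob"]


if __name__ == "__main__":
    for cls in (WeakCredentialStore, HardenedCredentialStore):
        print(cls.__name__, "shared digest:", same_password_same_digest(cls))
```

The point of the two classes side by side is that the API is identical; the hardened version changes what is stored, not how the application calls it, which is the usual shape of an M5 fix.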

Within the security vulnerabilities shown in Table 1, the most relevant ones have been taken, and the application of the OWASP guidelines to them is described in the following items.

Authentication and password management
Authentication is the user's initial interaction with the application, where the identity of the user (or of other functionality to be authenticated) is verified. At first glance it may seem a part of the software without much complexity, but it gives access to the operation of the application and relates various components for its management, as is the case of the permissions and privileges that the authenticated user has and of the functionalities provided for their use. The most important thing is to protect these characteristics as indicated below [9]:

1. Sometimes the application may require the user to create a password or an unlock pattern. It is advisable not to use the pattern because of its restrictions: its length is not greater than 9 points, which results in a low number of combinations and therefore a weak secret, so it is very easy to test each of them in a very short time. Other limitations are that each point can only be used once, that the pattern cannot skip an intermediate point on a line, and that the finger cannot leave the touch surface; users also usually choose quite predictable combinations for these patterns [10] [11]. It is therefore suggested that a password be created instead that follows a secure password policy, i.e. alphanumeric combinations with special characters and a defined length, which will make this functionality of the application more robust and secure [11].

2. Several mobile devices offer the possibility of using a PIN, which does not provide very strong security, since it is based on the entry of a 4-digit number, resulting in a small number of combinations that could be guessed in a short time [10] [11]. Instead, it is advisable to use or create a password with secure password policies, although the trends in this type of authentication are focused on biometric devices [12].

3. It is also important to provide users with information on the strength of their password during its creation, as this will indicate to the user the degree of security of their password [11].

4. As a good practice, it is important to validate an additional parameter or to implement a two-step authentication policy, since this will provide greater security when creating users and entering applications [11].

5. In order to verify the password-strength validation functionality, the tool indicated in [13] is recommended, because it allows a secure password policy to be implemented and, in addition to validating the strength, it indicates the estimated time needed to break the password entered.

6. Another important point in the security of authentication and password management is to validate at all times the data entered by the user by verifying the entered values, since cases of database script injection, among others, can occur in these fields.

Code obfuscation
Another OWASP guideline is to obfuscate the application code, since this will hinder reverse engineering of the application, preventing the source code from being obtained and modifications from being made after its publication.

Code obfuscation is the process that transforms source code or intermediate code to make it more difficult to analyze [14]. The points that are part of this guideline are indicated below:

1. Try to obfuscate the application code whenever possible, through automated code obfuscation software (commercial or open source), which is available in most development IDEs.

2. Apply anti-debugging techniques. This point is quite simple, since in most cases you should prevent a debugger from attaching to running processes, and with only a few configuration lines in the application's manifest you can mitigate this vulnerability.

3. One of the most used tools to perform code obfuscation is ProGuard [15]; this easy-to-use tool allows our code to be obfuscated and helps to eliminate all unused classes and variables, as well as to rename variables and methods.

4. Mobile device operating systems currently implement ASLR (Address Space Layout Randomization), which randomizes the layout of a process in memory at execution time and fulfills the function of assigning dynamic addresses for the execution of applications. This technique is widely used by mobile device manufacturers such as Apple and Android, and it is advisable during the design stage to identify whether the application uses shared components, since this policy must be specified so that those components can be used by other processes of other applications or the operating system.

Communication security
One of the most important factors of security in mobile devices is the security of communications, since it is the means by which the application interacts with the internet or allows the execution of external content; in the latter case the application has an internal browser to show the content. Taking the above as reference, the security considerations listed for this section are:

1. In case the application sends or requests information to external services, it is advisable to encrypt the information of the packets sent and perform the corresponding decryption on the server side, and vice versa for the reception of server-side responses.

2. In cases where the application has web browsing functionality, it is advisable to validate the security certificates of the pages shown in order to validate their integrity; this can be done by validating the dates of the sites' certificates.

3. Validate that all requests and resources of the pages use SSL, and that their internal elements such as images and styles apply this same security, since if they do not, these elements may contain unsafe information that should not be shown.

Storage and data protection
The information stored on the device is quite important and must comply with certain characteristics, since not all the data handled by the application should be stored on it, because it is very prone to damage or theft. Taking the above into account, the following considerations apply to handling data in mobile applications:

1. Store only the information that is strictly necessary; at no time store passwords or sensitive data such as credit card information and the like.

2. Classify the sensitive information that the application will handle; this classification will help you identify which data you must strictly store locally and which information can be stored remotely.

3. Set the deletion time of data in the application cache, since sometimes some applications use this temporary data to obtain access data and other information. If sensitive information must be stored, it must be encrypted, and if this information is temporary, be sure to delete it as soon as the execution of the application ends.

4. In case of loss or theft of the device, it is important to implement remote erasure of the information, which will prevent the information from falling into the wrong hands.

5. Instead of using sensitive data such as bank accounts, you can use unique identifiers known to both parties (application and server), for applications with external interaction, which can only be interpreted by both parties.

6. Do not use the device identification number as the identifier of temporary files; it is advisable to use a random number or GUID instead.

Payment control
One of the most important roles in mobile applications, repeatedly used as a complement to them, is purchasing through this medium. This type of transaction varies depending on the platform and architecture, since there are several methods to perform this task; for the purposes of this document, the controls that must be taken into account to make this functionality as safe as possible are:

1. Warn the user and obtain consent regarding the financial consequences of using the application.

2. Validate the location of the connection, as this will allow you to identify whether there are drastic changes in it and thus perform additional validations.

Session management
Among the good development practices is session management, which is very important since it allows data to be used globally at any time. The good-practice suggestions for this section are:

1. It is advisable to validate the session in each action of the application; this will validate its state, identifying whether the session has expired or not, and thus prevent the application from remaining active; in some cases the user should be sent to the authentication interface.


2. In the same way as when validating the session in each action of the application, it is advisable to configure its expiration time with a short or adequate time, as indicated in ISO/IEC 27002 [16].

CONCLUSIONS
As a result of the elaboration of this article, the importance of implementing secure development guidelines in mobile applications was identified, since several gaps are identified that are not visible at first sight but were evidenced through the analysis in each of the stages of development. It was also possible to verify how the use of mobile devices is currently behaving and the trends that contribute to and increase the use of this type of hardware every day, where its use is not only personal but is also projected as an instrument with high growth in companies and organizations; although desktop use is still relevant, mobile devices will offer a large number of efficient uses, which will contribute to productivity and agility in the processes of each organization.

According to the trends outlined, we consider ourselves to be facing the emergence of what some researchers call security engineering, as a complement to Secure Software Engineering, whose scope includes, among others, security requirements engineering, the security model and the development of secure software. Its main objective as a research field is the production of techniques, methods, processes and tools that integrate the principles of security engineering and quality, and that allow software developers to analyze, design, implement, test and deploy secure software systems. This new area of engineering offers several advantages, among which are: 1. allowing the development of better security-related techniques and better definitions of methodological work schemes; 2. offering the basis for a complete and recognized security ontology, which allows developers to consider not only the technological challenges related to security, but also the social implications derived from them.

It is important to understand that, just as technology is constantly evolving, so are cybercrime techniques. It should also be noted that the review of vulnerabilities is not a static task over time but a dynamic and evolving one, because with each advance the degree of security must be compared against the existing and new features that will be part of the application.

Similarly, an analysis was made of the different considerations and methods to be used in the development of applications for mobile devices. It is identified that these methodologies and guidelines, used as indicated, can give mobile applications security not only in coding but throughout the whole life cycle, since this type of responsibility does not fall directly on the development area but is rather part of the conception, analysis and design of the software; from this point these considerations must be present when applying the methodologies to identify threats and classify them, to measure the level of risk of each of them, and thus define the development guidelines necessary to make the developed application not only secure but also competitive in the market through the quality of each step of its life cycle.

REFERENCES
[1] Mohamed Ghallali, E. B. (2012). The safety of mobile phones: The methods of preventing the spread of malware.
[2] http://biblioteca.libertadores.edu.co:2087/xpls/icp.jsp?arnumber=6481989#fig_2
[3] Cisco IBSG. (2012). BYOD: a global perspective. Homepage, http://www.cisco.com/c/dam/en_us/about/ac79/docs/re/byod/BYOD_Horizons-Global_LAS.pdf
[4] SEGURINFO. (25 October 2016). Los 10 errores mas comunes de seguridad de aplicaciones móviles. Retrieved from http://www.segurinfo.org/detalle.php?a=los-10-errores-mas-comunes-de-seguridad-de-aplicaciones-moviles&t=2&d=542
[5] Microsoft. (2016). Microsoft Security Development Lifecycle (SDL) – Process Guidance. https://msdn.microsoft.com/es-es/library/windows/desktop/84aed186-1d75-4366-8e61-8d258746bopq.aspx
[6] OWASP. (2016). Modelado de Amenazas. Retrieved from https://www.owasp.org/index.php/Modelado_de_Amenazas
[7] Shostack, A. (2014). Threat Modeling: Designing for Security (pp. 61-86). Wiley.
[8] OWASP. (2016). Threat Risk Modeling. Retrieved from https://www.owasp.org/index.php/Threat_Risk_Modeling#DREAD
[9] MINTIC. (6 November 2016). Guia Seguridad informacion Mypimes. Retrieved from http://www.mintic.gov.co/gestionti/615/articles-5482_Guia_Seguridad_informacion_Mypimes.pdf
[10] José A. Montoya S, Z. R. (2012). GESTIÓN DE IDENTIDADES Y CONTROL DE ACCESO DESDE UNA. Retrieved from http://web.usbmed.edu.co/usbmed/fing/v3n1/v3n1a3.pdf
[11] ESET-LA.COM. (1 November 2016). WELIVESECURITY: ¿Cuán difícil es descubrir el patrón de desbloqueo en Android? Retrieved from http://www.welivesecurity.com/la-es/2015/09/07/descubrir-patron-de-desbloqueo-en-android/
[12] ESST-LA.COM. (13 June 2014). La matemática de las claves: ¿numérica o alfanumérica? Retrieved from http://www.welivesecurity.com/la-es/2014/06/13/matematica-claves-numerica-alfanumerica/
[13] OWASP. (18 July 2016). Proyecto OWASP Mobile Security. Retrieved from https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
[14] Kaspersky. (2016). Password Checker. Retrieved from https://password.kaspersky.com/es/
[15] IEEE, S. A.-S.-P.-M.-T. (29 February 2016). A study & review on code obfuscation. Retrieved from http://biblioteca.libertadores.edu.co:2087/xpls/icp.jsp?arnumber=7583913
[16] www.guardsquare.com. (2016). ProGuard. https://www.guardsquare.com/proguard
[17] Castellaro, M. et al. (2014). Threat Modeling: Designing for Security. In A. Shostack, Threat Modeling: Designing for Security (pp. 61-86). Wiley.
[18] Fowler, M., & Highsmith, J. (2001). The Agile Manifesto. Retrieved 7 July 2013 from http://www.pmp-projects.org/Agile-Manifesto.pdf
[19] Davis, N. (2005). Secure Software Development Life Cycle Processes: A Technology Scouting Report (pp. 14–20).
[20] H. Mouratidis and P. Giorgini. "Integrating Security and Software Engineering". Idea Group Publishing. USA. 2007.
