OWASP Mobile Top 10 Risks

Posted on 18-Dec-2014


description

A PowerPoint version of the slides and notes is available here: http://stratigossecurity.com/2013/07/14/owasp-mobile-security-project-top-10-risks-presentation/

OWASP Top 10 Mobile Risks
M1 Insecure Data Storage
M2 Weak Server Side Controls
M3 Insufficient Transport Layer Protection
M4 Client Side Injection
M5 Poor Authorization and Authentication
M6 Improper Session Handling
M7 Security Decisions Via Untrusted Inputs
M8 Side Channel Data Leakage
M9 Broken Cryptography
M10 Sensitive Information Disclosure

Creative Commons - Attribution licensed - Beau Woods - @beauwoods

transcript

1

2

3

4

Path: Collected and uploaded personal information
Concur: Stored password in plain text

5

Recommendation for future versions
• Expand to specific risks

6

Google Wallet: NFC MITM
PayPal: failure to validate certificates
Apple iOS App Store: MITM led to circumventing purchases

7

Recommendation for future versions
• Improve or eliminate

8

Dropbox: Used only a unique ID to authenticate, no password required; password reset doesn't protect assets
Audible: Used plaintext password to authenticate and used the HTTP GET method
OOB (out-of-band): Remember, mobile devices can potentially intercept phone calls, SMS and email
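The Dropbox note above describes a device credential that outlives a password reset: once an attacker has copied the unique ID from the device, changing the password does not lock them out. The following is an added example, written for this page and not Dropbox's, Concur's or Audible's code; the AuthServer class, the user names and the passphrases are made up. It models a service that lets a device prove the password once and then stores only a random token (so the password itself is never kept on the device, unlike the Concur case), and contrasts a server that keeps such tokens valid across a password reset with one that revokes them.

```python
"""Device-token authentication: a copied token surviving password reset
versus a server that revokes tokens on reset.
Added example, not the code of any app named in the slides."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the server never keeps the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    device_tokens: set = field(default_factory=set)  # long-lived tokens handed to devices


class AuthServer:
    """Hypothetical service; revoke_tokens_on_reset=False reproduces the weak behaviour."""

    def __init__(self, revoke_tokens_on_reset: bool) -> None:
        self.revoke_tokens_on_reset = revoke_tokens_on_reset
        self.accounts = {}

    def register(self, user: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[user] = Account(salt, digest)

    def check_password(self, user: str, password: str) -> bool:
        acct = self.accounts.get(user)
        if acct is None:
            hash_password(password)  # spend the same time so timing does not reveal valid users
            return False
        _, digest = hash_password(password, acct.salt)
        return hmac.compare_digest(digest, acct.digest)

    def issue_device_token(self, user: str, password: str) -> Optional[str]:
        """The device proves the password once, then stores only this random token."""
        if not self.check_password(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self.accounts[user].device_tokens.add(token)
        return token

    def authenticate_token(self, user: str, token: str) -> bool:
        acct = self.accounts.get(user)
        return acct is not None and token in acct.device_tokens

    def reset_password(self, user: str, new_password: str) -> None:
        acct = self.accounts[user]
        acct.salt, acct.digest = hash_password(new_password)
        if self.revoke_tokens_on_reset:
            acct.device_tokens.clear()  # a reset now actually locks out a copied token


def stolen_token_survives_reset(revoke_tokens_on_reset: bool) -> bool:
    """Attacker copies the token off the device; the victim then resets the password."""
    server = AuthServer(revoke_tokens_on_reset)
    server.register("alice", "correct horse battery staple")
    stolen = server.issue_device_token("alice", "correct horse battery staple")
    server.reset_password("alice", "a completely new passphrase")
    return server.authenticate_token("alice", stolen)


if __name__ == "__main__":
    print("weak server, copied token still valid after reset:", stolen_token_survives_reset(False))
    print("hardened server, copied token still valid after reset:", stolen_token_survives_reset(True))
```

The token is what the device persists, so a dump of the device's storage yields a revocable credential rather than the user's password; the reset path is what makes the revocation real.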

9

10

Recommendation for future versions
• Improve or eliminate

11

Android: Information sent to advertisers (http://news.techeye.net/mobile/many-android-apps-send-your-private-information-to-advertisers)
Apple: Collected and stored mobile tower data; called before US Congress to answer questions
Audible: Stored URL with password in logfile, also in GET request stored in web server log

Recommendation for future versions
• Consider combining with M10
• Consider incorporating the idea of collecting unnecessary but potentially sensitive or private information

12

13

Recommendation for future versions
• Consider combining with M8

14

http://www.secureworks.com/cyber-threat-intelligence/advisories/SWRX-2011-002/

15

http://www.secureworks.com/cyber-threat-intelligence/advisories/SWRX-2011-004/

16

http://stratigossecurity.com/2012/10/03/security-advisory-ustream-mobile-application/

17

18

19