Mobile Application Threat Modelling (Research Paper Sample)
You are a cyber threat analyst at a mobile applications company. One morning, your supervisor, Dan, tells you about a mobile application security project that is already underway but needs more guidance. Because of your success in previous projects, he wants your help.
Your expertise and oversight will enable the mobile app team to meet its approaching deadline. "Mobile applications and their security are on the technology roadmap for our organization. Of course, this means we need to be well-informed of mobile application security management," Dan says.
"Without the proper threat modeling, leadership can't be sure of the issues that lie ahead. I want you to oversee the project and manage the team," Dan says. "We'd also like you to contribute to this project by preparing a report for senior management. The report should include threat models to this technology as well as remediation for management to consider. The report should give senior management a greater understanding of mobile application security and its implementation.
Your report should consist of the following sections: mobile application architecture, mobile data, threat agent identification, methods of attack, and possible controls. The goal is to convince senior managers that your proposals will benefit the company. If you succeed, leadership will move forward with its plan for mobile applications.
Threat modeling begins with a clear understanding of the system in question. There are several areas to consider when trying to understand possible threats to an application. The areas of concern include the mobile application structure, the data, identifying threat agents and methods of attack, and controls to prevent attacks. The threat model should be created with an outline or checklist of items that need to be documented, reviewed, and discussed when developing a mobile application.
Mobile Application Threat Modelling
Mobile Application Threat Modelling
WhatsApp has been selected as the mobile application of interest for this paper. Mobile threat modeling is a process that requires keenness to pinpoint possible risks to applications. In order to develop a good threat model, developers should focus on the assets that need security, the technology protocols provide security, the controls needed to implement an application and possible attacks from threat agents. This paper will follow strategic steps to establish a good threat model for the WhatsApp application. The steps include a description of the mobile application architecture, the definition of requirements for the application, identification of threats and threat agents, identification of methods of attack, controls and threat model report.
Step I: Mobile Application Architecture
WhatsApp Messenger is an application connects an individual with a registered number using the internet. The number registered acts as the unique WhatsApp account. This is an app that has millions of users; the application uses various databases. This application has introduced a new era of exploration by use of Mnesia database and the XMPP server. The XMPP server is used to maintain message queue for the users (Paspatis et. al., 2018). This section explores the architecture of the application given that it is one of the fastest media transfer application and reliable.
As one of the most preferred messaging application, WhatsApp can perform such functions as downloading of media. Once an individual installs the application in their smartphone, the app will validate phones numbers and contacts from the database, after a quick scan. Additionally, the app can be used to send data immediately since it integrates the camera and gallery of the smartphone. However, the efficiency and convenience the app provides users with is surprisingly free. This is due to the fact that there is more interest to explore user personal information in today’s world.
Figure 1.0 XMPP Server;
(Paspatis et. al., 2018).
XMPP server is the extensible messaging and presence protocol. WhatsApp is able to connect users via the internet by using an open-source called Ejabberd. This is a Jabber server facility that makes use of the internet essential to enable the instantaneous transfer of messages between two or more users provided there is an internet connection.
Figure 1.1 XMPP Server United Purpose vs. General Purpose
The above architectural description shows that the application creates action tickets to avoid duplication. The tickets are stored in the form of double-linked lists in the Scheduler. The links follow a FIFO order that ensures new requests from the database are detected. The XMPP server and the Mnesia database are connected through the Data Fetcher threads. The connection transfers data to be stored in the mentioned database from the node. Tickets are further subjected to processing for action. The action tickets are consumed by the action threads to obtain the information they carry; this is mostly done to check whether the rules are matching or not. The connection between the database and handling queries is enabled by the Database Handler, which has a special functionality (Wottrich & Smit, 2018).
This application requires quick adaptation to hotfixes and instant updates, which is facilitated with the use of ERLANG programming language. The language can also be used to notifications reach the user when they are offline, usually known as a push notification. Erlang is a special programming language that can be used to develop apps that are free of errors. Therefore, with Erlang, Whats...
- Joint Network Defense Bulletin: The Financial Services ConsortiumDescription: In this step, you will create the Joint Network Defense Bulletin. Compile the information you have gathered, taking care to eliminate any sensitive bank-specific information....1 page/≈275 words | 2 Sources | APA | IT & Computer Science | Research Paper |
- Malicious Network Activity, Overview of the Network StructureDescription: A representative from the Financial Services Information Sharing and Analysis Center, FS-ISAC, met with your boss, the chief net defense liaison to the financial services sector, about recent reports of intrusions into the networks of banks and their consortium...7 pages/≈1925 words | 6 Sources | APA | IT & Computer Science | Research Paper |
- Enterprise Key And Management Policy In Senthara Health CareDescription: The policy governs the processes, procedures, rules of behavior, and training for users and administrators of the enterprise key management system. Research similar policy documents used by other organizations and adopt an appropriate example to create your policy....2 pages/≈550 words | 3 Sources | APA | IT & Computer Science | Research Paper |