OWASP - User contributions [en]

Mobile Top 10 2016-M1-Improper Platform Usage

2017-02-17T23:53:59Z

Jonathan Carter: Created page with "{{Mobile_Top_10_2016:TopTemplate |usenext=Mobile2016NextLink |next=M2-{{Mobile_Top_10_2016:ByTheNumbers |2 |year=2016 |langua..."

{{Mobile_Top_10_2016:TopTemplate
|usenext=Mobile2016NextLink
|next=M2-{{Mobile_Top_10_2016:ByTheNumbers
|2
|year=2016
|language=en}}
|useprev=Nothing
|prev=
|year=2016
|language=en
}}

{{Mobile_Top_10_2016:SummaryTableHeaderBeginTemplate|year=2016|language=en}}
{{Mobile_Top_10:SummaryTableTemplate|exploitability=1|prevalence=2|detectability=2|impact=1|year=2016|language=en}}
{{Mobile_Top_10_2016:SummaryTableHeaderEndTemplate|year=2016}}
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>This category covers misuse of a platform feature or failure to use platform security controls. It might include Android intents, platform permissions, misuse of TouchID, the Keychain, or some other security control that is part of the mobile operating system.
</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>The attack vectors correspond to the same attack vectors available through the traditional OWASP Top Ten.

</td>
<td colspan=2 {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>In order for this vulnerability to be exploited, the organization must expose a web service or API call that is consumed by the mobile app. The exposed service or API call is implemented using insecure coding techniques that produce an OWASP Top Ten vulnerability within the server. Through the mobile interface, an adversary is able to feed malicious inputs or unexpected sequences of events to the vulnerable endpoint. Hence, the adversary realizes the original OWASP Top Ten vulnerability on the server.

</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>The technical impact of this vulnerability corresponds to the technical impact of the associated vulnerability (defined in the OWASP Top Ten) that the adversary is exploiting via the mobile device.

For example, an adversary may exploit a Cross-Site Scripting (XSS) vulnerability via the mobile device. This corresponds to the OWASP Top Ten A3 - XSS Category with a technical impact of moderate.

</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>The business impact of this vulnerability corresponds to the business impact of the associated vulnerability (defined in the OWASP Top Ten) that the adversary is exploiting via the mobile device.

For example, an adversary may exploit a Cross-Site Scripting (XSS) vulnerability via the mobile device. This corresponds to the OWASP Top Ten A3 - XSS Category's business impacts.

</td>

{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}} {{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=1|year=2016|language=en}}
The defining characteristic of risks in this category is that the platform (iOS, Android, Windows Phone, etc.) provides a feature or a capability that is documented and well understood. The app fails to use that capability or uses it incorrectly. This differs from other mobile top ten risks because the design and implementation is not strictly the app developer's issue.

There are several ways that mobile apps can experience this risk.

#'''Violation of published guidelines.''' All platforms have development guidelines for security (c.f., ((Android)), ((iOS)), ((Windows Phone))). If an app contradicts the best practices recommended by the manufacturer, it will be exposed to this risk. For example, there are guidelines on how to use the iOS Keychain or how to secure exported services on Android. Apps that do not follow these guidelines will experience this risk.
#'''Violation of convention or common practice.''' Not all best practices are codified in manufacturer guidance. In some instances, there are de facto best practices that are common in mobile apps.
#'''Unintentional Misuse.''' Some apps intend to do the right thing, but actually get some part of the implementation wrong. This could be a simple bug, like setting the wrong flag on an API call, or it could be a misunderstanding of how the protections work.

Failures in the platform's permission models fall into this category. For example, if the app requests too many permissions or the wrong permissions, that is best categorised here.
{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=howPrevent|position=right|risk=1|year=2016|language=en}}
Secure coding and configuration practices must be used on server-side of the mobile application. For specific vulnerability information, refer to the OWASP Web Top Ten or Cloud Top Ten projects.
{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=example|position=left|risk=1|year=2016|language=en}}
Because there are several platforms, each with hundreds or thousands of APIs, the examples in this section only scratch the surface of what is possible.'''

'''App Local Storage Instead of Keychain'''
The iOS Keychain is a secure storage facility for both app and system data. On iOS, apps should use it to store any small data that has security significance (session keys, passwords, device enrolment data, etc.). A common mistake is to store such items in app local storage. Data stored in app local storage is available in unencrypted iTunes backups (e.g., on the user's computer). For some apps, that exposure is inappropriate.

Below, you can see that there are many risks and vulnerabilities that you must mitigate in order to satisfy M1:

<center>[[File:CloudTT_thum.png|border|400px|link=https://www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80%90_10_Project]] [[File:WebTT_thumb.png|border|400px|link=https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project]]</center>

=== The Worst Offenders ===

Below is a list vulnerability types that OWASP sees most often within mobile applications:

;Poor Web Services Hardening
: Logic flaws
:: [https://www.owasp.org/index.php/Testing_for_business_logic_(OWASP-BL-001) Testing for business logic flaws]
:: [https://www.owasp.org/index.php/Business_Logic_Security_Cheat_Sheet Business Logic Security Cheat Sheet]
: Weak Authentication
:: [https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management OWASP Top Ten Broken Authentication Section]
:: [https://www.owasp.org/index.php/Authentication_Cheat_Sheet Authentication Cheat Sheet]
:: [https://www.owasp.org/index.php/Guide_to_Authentication Developers Guide for Authentication]
:: [https://www.owasp.org/index.php/Testing_for_authentication Testing for Authentication]
: Weak or no session management
: Session fixation
: Sensitive data transmitted using GET method

; Insecure web server configurations
: Default content
: Administrative interfaces
; Injection (SQL, XSS, Command) on both web services and mobile-enabled websites
; Authentication flaws
; Session Management flaws
; Access control vulnerabilities
; Local and Remote File Includes

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=references|position=right|risk=1|year=2016|language=en}}
{{Mobile_Top_10_2016:SubSubsectionOWASPReferencesTemplate}}
* [https://www.owasp.org/index.php/OWASP_Top_Ten OWASP Top Ten]
{{Mobile_Top_10_2016:SubSubsectionExternalReferencesTemplate}}
* [http://cwe.mitre.org/ External References]

Template:Mobile Top 10:RoundedBoxLinkBegin

2017-02-17T23:43:22Z

Jonathan Carter:

[[Mobile_Top_10_2016-M{{{risk}}}-{{Mobile_Top_10_2016:ByTheNumbers
|{{{risk}}}
|year=2016
|language=en}} |
{{Top 10:RoundedBoxBegin|year={{{year}}} }}

Projects/OWASP Mobile Security Project - Top Ten Mobile Risks

2017-02-14T01:13:59Z

Jonathan Carter:

<center> 
{| align="center" style="width:45%; background-color:#FFFFFF; border:1px solid #a7d7f9; -moz-border-radius: 9px;-webkit-border-radius: 9px; border-radius: 9px; padding:1px;" id="social_bookmarks" class="noprint"
|-
|
<div class="plainlinks" align="center">
'''Share this:''' 
[[File:social-email.png|E-mail this story|link=mailto:?subject={{FULLPAGENAMEE}}&body={{FULLPAGENAMEE}}:%0A{{fullurle:{{FULLPAGENAME}}}}]]
[[File:social-facebook.png|Bookmark with Facebook|link=http://www.facebook.com/sharer.php?u={{fullurle:{{FULLPAGENAME}}}}&t={{urlencode:{{FULLPAGENAME}}}}]]
[[File:social-digg.png|Share on Digg.com|link=http://digg.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}} }}]]
[[File:social-delicious.png|16px|Share on delicious|link=http://delicious.com/post?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]
[[File:social-reddit.png|Share on reddit.com|link=http://reddit.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]
[[File:social-stumbleupon.png|16px|Share on stumbleupon.com|link=http://stumbleupon.com/submit?url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]
[[File:social-linkedin.png|16px|Share on LinkedIn.com|link=http://www.linkedin.com/shareArticle?mini=true&url={{fullurle:{{FULLPAGENAME}}}}&title={{urlencode:{{FULLPAGENAME}}}}]]
[[File:social-twitter.png|alt=Share on twitter.com|link=http://twitter.com/?status={{fullurle:{{FULLPAGENAME}}}}|Share on twitter.com]]
[[File:social-newsvine.png|16px|Seed on Newsvine|link=http://www.newsvine.com/_wine/save?popoff=1&u={{fullurle:{{FULLPAGENAME}}}}]]
</div>
|}
</center>
= The Mobile Top Ten 2016 =

Following a 90-day review and publication of the release candidate, we determined that the release candidate was ready for final publication. The 2016 list has now been published and can be found here: [https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10 OWASP Mobile Top Ten 2016]

Feel free to visit [https://groups.google.com/a/owasp.org/forum/#!forum/owasp-mobile-top-10-risks the mailing list] as well!

== 2015 Mobile Top Ten Analysis Results ==
Are you interested in what the data collection for the 2015 list looks like? Check out the final synthesis... [[Media:2015 Data Synthesis Results.pptx]]

We are fleshing out the new Mobile Top Ten at [[Projects/OWASP_Mobile_Security_Project_-2015_Scratchpad]]. Have a look.

Here is the original raw data: [[https://www.dropbox.com/sh/d143o6tbkdx4w4l/AAAQlpmnCpHCgiBqZkgXPSTKa?dl=0 Dropbox Data]]

== Project Leads, Credit, and Contributions ==

* ''' [[Mobile_Top_Contributions|Mobile Top Ten Contributions Page ]] '''

== How Did the List Get Made? ==
# We wanted to know what the community wanted in the next Mobile Top Ten list and what they thought about the last. We published a [http://bit.ly/1sihkkE survey] and shared the [https://docs.google.com/a/owasp.org/forms/d/1WMEbjVgXU4VkjHP5AcW934D9EI0_XQ5vmjb-Y5liMQY/viewanalytics results] with everyone.
# We issued a [https://www.owasp.org/index.php/File:MobileTopTen2015-CallForData.pdf Call for Data] and aggressively pursued many different vendors and consultants for raw data.
# We had a huge response by vendors and consultants. We collected lots of data about the last years vulnerabilities from a number of different vendors and consultant. That raw data can be found [https://www.dropbox.com/sh/d143o6tbkdx4w4l/AAAQlpmnCpHCgiBqZkgXPSTKa?dl=0 here].
# Over the coming months, we then analyzed the data. Lots of different contributors did their own analysis and compared results. [https://www.owasp.org/index.php/Mobile2015Commentary Here] is a sample of the color commentary on the data.
# Ultimately, we agreed on the findings and published [https://www.owasp.org/images/9/96/OWASP_Mobile_Top_Ten_2015_-_Final_Synthesis.pdf key findings] from the data that we all agreed upon.
# Next, we started coming up with a [https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-2015_Scratchpad consensus] of what we wanted in the next revision of the Mobile Top Ten.
# Results were collected and a release candidate got released.
# We examined the results from the release candidate and concluded that we achieved what we set out to do for 2016
# We published the list officially and moved it from release to final stage

== Archive ==
* The list below is the OLD release candidate v1.0 of the OWASP Top 10 Mobile Risks.  This list was initially released on September 23, 2011 at Appsec USA.  
** The original presentation can be found here: [http://www.slideshare.net/JackMannino/owasp-top-10-mobile-risks SLIDES] 
** The corresponding video can be found here: [http://www.youtube.com/watch?v=GRvegLOrgs0 VIDEO]
** [[Mobile_Top_10_2012|2011-12 Mobile Top Ten for archive purposes]]
__NOTOC__

Mobile Top 10 2016-Top 10

2017-02-14T01:13:10Z

Jonathan Carter:

{| cellspacing="1" cellpadding="1" border="0" width="100%;"
| style="width: 173px;" | {{Mobile Top 10:RoundedBoxLinkBegin|year=2016|risk=1|language=en}}M1 - Improper Platform Usage
{{Mobile Top 10:RoundedBoxLinkEnd|year=2016}}
|{{Mobile Top 10:GrayBoxBegin|year=2016}}
This category covers misuse of a platform feature or failure to use platform security controls. It might include Android intents, platform permissions, misuse of TouchID, the Keychain, or some other security control that is part of the mobile operating system.
There are several ways that mobile apps can experience this risk.

{{Mobile Top 10:GrayBoxEnd|year=2016}}
|-
|{{Mobile Top 10:RoundedBoxLinkBegin|year=2016|risk=2|language=en}}M2 - Insecure Data Storage
{{Mobile Top 10:RoundedBoxLinkEnd|year=2016}}
|{{Mobile Top 10:GrayBoxBegin|year=2016}}
This new category is a combination of M2 + M4 from Mobile Top Ten 2014. This covers insecure data storage and unintended data leakage.

{{Mobile Top 10:GrayBoxEnd|year=2016}}
|-
|{{Mobile Top 10:RoundedBoxLinkBegin|year=2016|risk=3|language=en}}M3 - Insecure Communication
{{Mobile Top 10:RoundedBoxLinkEnd|year=2016}}
|{{Mobile Top 10:GrayBoxBegin|year=2016}}
This covers poor handshaking, incorrect SSL versions, weak negotiation, cleartext communication of sensitive assets, etc.

{{Mobile Top 10:GrayBoxEnd|year=2016}}
|-
|{{Mobile Top 10:RoundedBoxLinkBegin|year=2016|risk=4|language=en}}M4 - Insecure Authentication
{{Mobile Top 10:RoundedBoxLinkEnd|year=2016}}
|{{Mobile Top 10:GrayBoxBegin|year=2016}}
This category captures notions of authenticating the end user or bad session management. This can include:

* Failing to identify the user at all when that should be required
* Failure to maintain the user's identity when it is required
* Weaknesses in session management

{{Mobile Top 10:GrayBoxEnd|year=2016}}
|-
|{{Mobile Top 10:RoundedBoxLinkBegin|year=2016|risk=5|language=en}}M5 - Insufficient Cryptography
{{Mobile Top 10:RoundedBoxLinkEnd|year=2016}}
|{{Mobile Top 10:GrayBoxBegin|year=2016}}
The code applies cryptography to a sensitive information asset. However, the cryptography is insufficient in some way. Note that anything and everything related to TLS or SSL goes in M3. Also, if the app fails to use cryptography at all when it should, that probably belongs in M2. This category is for issues where cryptography was attempted, but it wasn't done correctly.

{{Mobile Top 10:GrayBoxEnd|year=2016}}
|-
|{{Mobile Top 10:RoundedBoxLinkBegin|year=2016|risk=6|language=en}}M6 - Insecure Authorization
{{Mobile Top 10:RoundedBoxLinkEnd|year=2016}}
|{{Mobile Top 10:GrayBoxBegin|year=2016}}
This is a category to capture any failures in authorization (e.g., authorization decisions in the client side, forced browsing, etc.). It is distinct from authentication issues (e.g., device enrolment, user identification, etc.).

If the app does not authenticate users at all in a situation where it should (e.g., granting anonymous access to some resource or service when authenticated and authorized access is required), then that is an authentication failure not an authorization failure.

{{Mobile Top 10:GrayBoxEnd|year=2016}}
|-
|{{Mobile Top 10:RoundedBoxLinkBegin|year=2016|risk=7|language=en}}M7 - Client Code Quality
{{Mobile Top 10:RoundedBoxLinkEnd|year=2016}}
|{{Mobile Top 10:GrayBoxBegin|year=2016}}
This was the "Security Decisions Via Untrusted Inputs", one of our lesser-used categories. This would be the catch-all for code-level implementation problems in the mobile client. That's distinct from server-side coding mistakes. This would capture things like buffer overflows, format string vulnerabilities, and various other code-level mistakes where the solution is to rewrite some code that's running on the mobile device.

{{Mobile Top 10:GrayBoxEnd|year=2016}}
|-
|{{Mobile Top 10:RoundedBoxLinkBegin|year=2016|risk=8|language=en}}M8 - Code Tampering
{{Mobile Top 10:RoundedBoxLinkEnd|year=2016}}
|{{Mobile Top 10:GrayBoxBegin|year=2016}}
This category covers binary patching, local resource modification, method hooking, method swizzling, and dynamic memory modification.

Once the application is delivered to the mobile device, the code and data resources are resident there. An attacker can either directly modify the code, change the contents of memory dynamically, change or replace the system APIs that the application uses, or modify the application's data and resources. This can provide the attacker a direct method of subverting the intended use of the software for personal or monetary gain.

{{Mobile Top 10:GrayBoxEnd|year=2016}}
|-
|{{Mobile Top 10:RoundedBoxLinkBegin|year=2016|risk=9|language=en}}M9 - Reverse Engineering
{{Mobile Top 10:RoundedBoxLinkEnd|year=2016}}
|{{Mobile Top 10:GrayBoxBegin|year=2016}}
This category includes analysis of the final core binary to determine its source code, libraries, algorithms, and other assets. Software such as IDA Pro, Hopper, otool, and other binary inspection tools give the attacker insight into the inner workings of the application. This may be used to exploit other nascent vulnerabilities in the application, as well as revealing information about back end servers, cryptographic constants and ciphers, and intellectual property.

{{Mobile Top 10:GrayBoxEnd|year=2016}}
|-
|{{Mobile Top 10:RoundedBoxLinkBegin|year=2016|risk=10|language=en}}M10 - Extraneous Functionality
{{Mobile Top 10:RoundedBoxLinkEnd|year=2016}}
|{{Mobile Top 10:GrayBoxBegin|year=2016}}
Often, developers include hidden backdoor functionality or other internal development security controls that are not intended to be released into a production environment. For example, a developer may accidentally include a password as a comment in a hybrid app. Another example includes disabling of 2-factor authentication during testing.

{{Mobile Top 10:GrayBoxEnd|year=2016}}

Mobile Top 10 2016-Top 10

2017-02-14T01:09:57Z

Jonathan Carter:

=== How Did the List Get Made? ===
# We wanted to know what the community wanted in the next Mobile Top Ten list and what they thought about the last. We published a [http://bit.ly/1sihkkE survey] and shared the [https://docs.google.com/a/owasp.org/forms/d/1WMEbjVgXU4VkjHP5AcW934D9EI0_XQ5vmjb-Y5liMQY/viewanalytics results] with everyone.
# We issued a [https://www.owasp.org/index.php/File:MobileTopTen2015-CallForData.pdf Call for Data] and aggressively pursued many different vendors and consultants for raw data.
# We had a huge response by vendors and consultants. We collected lots of data about the last years vulnerabilities from a number of different vendors and consultant. That raw data can be found [https://www.dropbox.com/sh/d143o6tbkdx4w4l/AAAQlpmnCpHCgiBqZkgXPSTKa?dl=0 here].
# Over the coming months, we then analyzed the data. Lots of different contributors did their own analysis and compared results. [https://www.owasp.org/index.php/Mobile2015Commentary Here] is a sample of the color commentary on the data.
# Ultimately, we agreed on the findings and published [https://www.owasp.org/images/9/96/OWASP_Mobile_Top_Ten_2015_-_Final_Synthesis.pdf key findings] from the data that we all agreed upon.
# Next, we started coming up with a [https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-2015_Scratchpad consensus] of what we wanted in the next revision of the Mobile Top Ten.
# Results were collected and a release candidate got released.
# We examined the results from the release candidate and concluded that we achieved what we set out to do for 2016
# We published the list officially and moved it from release to final stage

{| cellspacing="1" cellpadding="1" border="0" width="100%;"
| style="width: 173px;" | {{Mobile Top 10:RoundedBoxLinkBegin|year=2016|risk=1|language=en}}M1 - Improper Platform Usage
{{Mobile Top 10:RoundedBoxLinkEnd|year=2016}}
|{{Mobile Top 10:GrayBoxBegin|year=2016}}
This category covers misuse of a platform feature or failure to use platform security controls. It might include Android intents, platform permissions, misuse of TouchID, the Keychain, or some other security control that is part of the mobile operating system.
There are several ways that mobile apps can experience this risk.

{{Mobile Top 10:GrayBoxEnd|year=2016}}
|-
|{{Mobile Top 10:RoundedBoxLinkBegin|year=2016|risk=2|language=en}}M2 - Insecure Data Storage
{{Mobile Top 10:RoundedBoxLinkEnd|year=2016}}
|{{Mobile Top 10:GrayBoxBegin|year=2016}}
This new category is a combination of M2 + M4 from Mobile Top Ten 2014. This covers insecure data storage and unintended data leakage.

{{Mobile Top 10:GrayBoxEnd|year=2016}}
|-
|{{Mobile Top 10:RoundedBoxLinkBegin|year=2016|risk=3|language=en}}M3 - Insecure Communication
{{Mobile Top 10:RoundedBoxLinkEnd|year=2016}}
|{{Mobile Top 10:GrayBoxBegin|year=2016}}
This covers poor handshaking, incorrect SSL versions, weak negotiation, cleartext communication of sensitive assets, etc.

{{Mobile Top 10:GrayBoxEnd|year=2016}}
|-
|{{Mobile Top 10:RoundedBoxLinkBegin|year=2016|risk=4|language=en}}M4 - Insecure Authentication
{{Mobile Top 10:RoundedBoxLinkEnd|year=2016}}
|{{Mobile Top 10:GrayBoxBegin|year=2016}}
This category captures notions of authenticating the end user or bad session management. This can include:

* Failing to identify the user at all when that should be required
* Failure to maintain the user's identity when it is required
* Weaknesses in session management

{{Mobile Top 10:GrayBoxEnd|year=2016}}
|-
|{{Mobile Top 10:RoundedBoxLinkBegin|year=2016|risk=5|language=en}}M5 - Insufficient Cryptography
{{Mobile Top 10:RoundedBoxLinkEnd|year=2016}}
|{{Mobile Top 10:GrayBoxBegin|year=2016}}
The code applies cryptography to a sensitive information asset. However, the cryptography is insufficient in some way. Note that anything and everything related to TLS or SSL goes in M3. Also, if the app fails to use cryptography at all when it should, that probably belongs in M2. This category is for issues where cryptography was attempted, but it wasn't done correctly.

{{Mobile Top 10:GrayBoxEnd|year=2016}}
|-
|{{Mobile Top 10:RoundedBoxLinkBegin|year=2016|risk=6|language=en}}M6 - Insecure Authorization
{{Mobile Top 10:RoundedBoxLinkEnd|year=2016}}
|{{Mobile Top 10:GrayBoxBegin|year=2016}}
This is a category to capture any failures in authorization (e.g., authorization decisions in the client side, forced browsing, etc.). It is distinct from authentication issues (e.g., device enrolment, user identification, etc.).

If the app does not authenticate users at all in a situation where it should (e.g., granting anonymous access to some resource or service when authenticated and authorized access is required), then that is an authentication failure not an authorization failure.

{{Mobile Top 10:GrayBoxEnd|year=2016}}
|-
|{{Mobile Top 10:RoundedBoxLinkBegin|year=2016|risk=7|language=en}}M7 - Client Code Quality
{{Mobile Top 10:RoundedBoxLinkEnd|year=2016}}
|{{Mobile Top 10:GrayBoxBegin|year=2016}}
This was the "Security Decisions Via Untrusted Inputs", one of our lesser-used categories. This would be the catch-all for code-level implementation problems in the mobile client. That's distinct from server-side coding mistakes. This would capture things like buffer overflows, format string vulnerabilities, and various other code-level mistakes where the solution is to rewrite some code that's running on the mobile device.

{{Mobile Top 10:GrayBoxEnd|year=2016}}
|-
|{{Mobile Top 10:RoundedBoxLinkBegin|year=2016|risk=8|language=en}}M8 - Code Tampering
{{Mobile Top 10:RoundedBoxLinkEnd|year=2016}}
|{{Mobile Top 10:GrayBoxBegin|year=2016}}
This category covers binary patching, local resource modification, method hooking, method swizzling, and dynamic memory modification.

Once the application is delivered to the mobile device, the code and data resources are resident there. An attacker can either directly modify the code, change the contents of memory dynamically, change or replace the system APIs that the application uses, or modify the application's data and resources. This can provide the attacker a direct method of subverting the intended use of the software for personal or monetary gain.

{{Mobile Top 10:GrayBoxEnd|year=2016}}
|-
|{{Mobile Top 10:RoundedBoxLinkBegin|year=2016|risk=9|language=en}}M9 - Reverse Engineering
{{Mobile Top 10:RoundedBoxLinkEnd|year=2016}}
|{{Mobile Top 10:GrayBoxBegin|year=2016}}
This category includes analysis of the final core binary to determine its source code, libraries, algorithms, and other assets. Software such as IDA Pro, Hopper, otool, and other binary inspection tools give the attacker insight into the inner workings of the application. This may be used to exploit other nascent vulnerabilities in the application, as well as revealing information about back end servers, cryptographic constants and ciphers, and intellectual property.

{{Mobile Top 10:GrayBoxEnd|year=2016}}
|-
|{{Mobile Top 10:RoundedBoxLinkBegin|year=2016|risk=10|language=en}}M10 - Extraneous Functionality
{{Mobile Top 10:RoundedBoxLinkEnd|year=2016}}
|{{Mobile Top 10:GrayBoxBegin|year=2016}}
Often, developers include hidden backdoor functionality or other internal development security controls that are not intended to be released into a production environment. For example, a developer may accidentally include a password as a comment in a hybrid app. Another example includes disabling of 2-factor authentication during testing.

{{Mobile Top 10:GrayBoxEnd|year=2016}}

Mobile Top Ten 2016-M1-Improper Platform Usage

2017-02-14T01:06:09Z

Jonathan Carter: Created page with "{{Mobile_Top_10_2016:TopTemplate |usenext=Mobile2016NextLink |next=M2-{{Mobile_Top_10_2016:ByTheNumbers |2 |year=2016 |langua..."

Mobile Top 10 2016-M2-Insecure Data Storage

2017-02-14T01:06:00Z

Jonathan Carter: Created page with "{{Mobile_Top_10_2016:TopTemplate |usenext=Mobile2016NextLink |next=M3-{{Mobile_Top_10_2016:ByTheNumbers |3 |year=2016 |langua..."

{{Mobile_Top_10_2016:TopTemplate
|usenext=Mobile2016NextLink
|next=M3-{{Mobile_Top_10_2016:ByTheNumbers
|3
|year=2016
|language=en}}
|useprev=Mobile2016PrevLink
|prev=M1-{{Mobile_Top_10_2016:ByTheNumbers
|1
|year=2016
|language=en}}
|year=2016
|language=en
}}

{{Mobile_Top_10_2016:SummaryTableHeaderBeginTemplate|year=2016|language=en}}
{{Mobile_Top_10:SummaryTableTemplate|exploitability=1|prevalence=2|detectability=2|impact=1|year=2016|language=en}}
{{Mobile_Top_10_2016:SummaryTableHeaderEndTemplate|year=2016}}
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>Threats agents include the following: an adversary that has attained a lost/stolen mobile device; malware or another repackaged app acting on the adversary's behalf that executes on the mobile device.

</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>In the event that an adversary physically attains the mobile device, the adversary hooks up the mobile device to a computer with freely available software. These tools allow the adversary to see all third party application directories that often contain stored personally identifiable information (PII) or other sensitive information assets. An adversary may construct malware or modify a legitimate app to steal such information assets.

</td>
<td colspan=2 {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>Insecure data storage vulnerabilities occur when development teams assume that users or malware will not have access to a mobile device's filesystem and subsequent sensitive information in data-stores on the device. Filesystems are easily accessible. Organizations should expect a malicious user or malware to inspect sensitive data stores. Rooting or jailbreaking a mobile device circumvents any encryption protections. When data is not protected properly, specialized tools are all that is needed to view application data.

</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>This can result in data loss, in the best case for one user, and in the worst case for many users. It may also result in the following technical impacts: extraction of the app's sensitive information via mobile malware, modified apps or forensic tools.

The nature of the business impact is highly dependent upon the nature of the information stolen. Insecure data may result in the following business impacts:

* Identity theft;
* Privacy violation;
* Fraud;
* Reputation damage;
* External policy violation (PCI); or
* Material loss.

</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>Insecure data storage vulnerabilities typically lead to the following business risks for the organization that owns the risk app:

* Identity Theft
* Fraud
* Reputation Damage
* External Policy Violation (PCI); or
* Material Loss.

</td>

{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}} {{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=2|year=2016|language=en}}
This category insecure data storage and unintended data leakage. Data stored insecurely includes, but is not limited to, the following:

* SQL databases;
* Log files;
* XML data stores ou manifest files;
* Binary data stores;
* Cookie stores;
* SD card;
* Cloud synced.

Unintended data leakage includes, but is not limited to, vulnerabilities from:

* The OS;
* Frameworks;
* Compiler environment;
* New hardware.

This is obviously without a developer's knowledge. In mobile development specifically, this is most seen in undocumented, or under-documented, internal processes such as:

* The way the OS caches data, images, key-presses, logging, and buffers;
* The way the development framework caches data, images, key-presses, logging, and buffers;
* The way or amount of data ad, analytic, social, or enablement frameworks cache data, images, key-presses, logging, and buffers.

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=howPrevent|position=right|risk=2|year=2016|language=en}}
It is important to threat model your mobile app, OS, platforms and frameworks to understand the information assets the app processes and how the APIs handle those assets. It is crucial to see how they handle the following types of features :

* URL caching (both request and response);
* Keyboard press caching;
* Copy/Paste buffer caching;
* Application backgrounding;
* Logging;
* HTML5 data storage;
* Browser cookie objects;
* Analytics data sent to 3rd parties.

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=example|position=left|risk=2|year=2016|language=en}}
=== A Visual Example ===

iGoat is a purposefully vulnerable mobile app for the security community to explore these types of vulnerabilities first hand. In the exercise below, we enter our credentials and log in to the fake bank app. Then, we navigate to the file system. Within the applications directory, we can see a database called “credentials.sqlite”. Exploring this database reveals that the application is storing our username and credentials (Jason:pleasedontstoremebro!) in plain text.

[[Image:Screen%20Shot%202012-12-19%20at%206.34.23%20AM.png]]
[[Image:Screen%20Shot%202012-12-19%20at%206.44.51%20AM.png]]
[[Image:Screen%20Shot%202012-12-19%20at%2010.11.15%20AM.png]]

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=references|position=right|risk=2|year=2016|language=en}}
{{Mobile_Top_10_2016:SubSubsectionOWASPReferencesTemplate}}
* [https://www.owasp.org/index.php/IOS_Developer_Cheat_Sheet OWASP ][https://www.owasp.org/index.php/IOS_Developer_Cheat_Sheet IOS Developer Cheat Sheet]
{{Mobile_Top_10_2016:SubSubsectionExternalReferencesTemplate}}
* [http://source.android.com/tech/security/ Google Androids Developer Security Topics 1]
* [http://developer.android.com/training/articles/security-tips.html Google Androids Developer Security Topics 2]
* [https://developer.apple.com/library/mac/ Apple's Introduction to Secure Coding]
* [http://h30499.www3.hp.com/t5/Application-Security-Fortify-on/Exploring-The-OWASP-Mobile-Top-10-M1-Insecure-Data-Storage/ba-p/5904609 Fortify On Demand Blog - Exploring The OWASP Mobile Top 10: Insecure Data Storage]

Mobile Top 10 2016-M3-Insecure Communication

2017-02-14T01:05:52Z

Jonathan Carter: Created page with "{{Mobile_Top_10_2016:TopTemplate |usenext=Mobile2016NextLink |next=M4-{{Mobile_Top_10_2016:ByTheNumbers |4 |year=2016 |langua..."

{{Mobile_Top_10_2016:TopTemplate
|usenext=Mobile2016NextLink
|next=M4-{{Mobile_Top_10_2016:ByTheNumbers
|4
|year=2016
|language=en}}
|useprev=Mobile2016PrevLink
|prev=M2-{{Mobile_Top_10_2016:ByTheNumbers
|2
|year=2016
|language=en}}
|year=2016
|language=en
}}

{{Mobile_Top_10_2016:SummaryTableHeaderBeginTemplate|year=2016|language=en}}
{{Mobile_Top_10:SummaryTableTemplate|exploitability=1|prevalence=2|detectability=2|impact=1|year=2016|language=en}}
{{Mobile_Top_10_2016:SummaryTableHeaderEndTemplate|year=2016}}
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>When designing a mobile application, data is commonly exchanged in a client-server fashion. When the solution transmits its data, it must traverse the mobile device's carrier network and the internet. Threat agents might exploit vulnerabilities to intercept sensitive data while it's traveling across the wire. The following threat agents exist:

* An adversary that shares your local network (compromised or monitored Wi-Fi);
* Carrier or network devices (routers, cell towers, proxy's, etc); or
* Malware on your mobile device.
</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>The exploitabilty factor of monitoring a network for insecure communications ranges. Monitoring traffic over a carrier's network is harder than that of monitoring a local coffee shop's traffic. In general, targeted attacks are easier to perform.
</td>
<td colspan=2 {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>Mobile applications frequently do not protect network traffic. They may use SSL/TLS during authentication but not elsewhere. This inconsistency leads to the risk of exposing data and session IDs to interception. The use of transport security does not mean the app has implemented it correctly. To detect basic flaws, observe the phone's network traffic. More subtle flaws require inspecting the design of the application and the applications configuration.
</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>This flaw exposes an individual user's data and can lead to account theft. If the adversary intercepts an admin account, the entire site could be exposed. Poor SSL setup can also facilitate phishing and MITM attacks.

</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>At a minimum, interception of sensitive data through a communication channel will result in a privacy violation.

The violation of a user's confidentiality may result in:

* Identity theft;
* Fraud, or
* Reputational Damage.

</td>

{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}} {{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=3|year=2016|language=en}}
This risk covers all aspects of getting data from point A to point B, but doing it insecurely. It encompasses mobile-to-mobile communications, app-to-server communications, or mobile-to-something-else communications. This risk includes all communications technologies that a mobile device might use: TCP/IP, WiFi, Bluetooth/Bluetooth-LE, NFC, audio, infrared, GSM, 3G, SMS, etc.

All the TLS communications issues go here. All the NFC, Bluetooth, and WiFi issues go here.

The prominent characteristics include packaging up some kind of sensitive data and transmitting it into or out of the device. Some examples of sensitive data include encryption keys, passwords, private user information, account details, session tokens, documents, metadata, and binaries. The sensitive data can be coming to the device from a server, it can be coming from an app out to a server, or it might be going between the device and something else local (e.g., an NFC terminal or NFC card). The defining characteristic of this risk is the existence of two devices and some data passing between them.

If the data is being stored locally in the device itself, that's #Insecure Data. If the session details are communicated securely (e.g., via a strong TLS connection) but the session identifer itself is bad (perhaps it is predictable, low entropy, etc.), then that's an #Insecure Authentication problem, not a communication problem.

The usual risks of insecure communication are around data integrity, data confidentiality, and origin integrity. If the data can be changed while in transit, without the change being detectable (e.g., via a man-in-the-middle attack) then that is a good example of this risk. If confidential data can be exposed, learned, or derived by observing the communications as it happens (i.e., eavesdropping) or by recording the conversation as it happens and attacking it later (offline attack), that's also an insecure communication problem. Failing to properly setup and validate a TLS connection (e.g., certificate checking, weak ciphers, other TLS configuration problems) are all here in insecure communication.

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=howPrevent|position=right|risk=3|year=2016|language=en}}
=== General Best Practices ===

* Assume that the network layer is not secure and is susceptible to eavesdropping.
* Apply SSL/TLS to transport channels that the mobile app will use to transmit sensitive information, session tokens, or other sensitive data to a backend API or web service.
* Account for outside entities like third-party analytics companies, social networks, etc. by using their SSL versions when an application runs a routine via the browser/webkit. Avoid mixed SSL sessions as they may expose the user’s session ID.
* Use strong, industry standard cipher suites with appropriate key lengths.
* Use certificates signed by a trusted CA provider.
* Never allow self-signed certificates, and consider certificate pinning for security conscious applications.
* Always require SSL chain verification.
* Only establish a secure connection after verifying the identity of the endpoint server using trusted certificates in the key chain.
* Alert users through the UI if the mobile app detects an invalid certificate.
* Do not send sensitive data over alternate channels (e.g, SMS, MMS, or notifications).
* If possible, apply a separate layer of encryption to any sensitive data before it is given to the SSL channel. In the event that future vulnerabilities are discovered in the SSL implementation, the encrypted data will provide a secondary defense against confidentiality violation.

Newer threats allow an adversary to eavesdrop on sensitive traffic by intercepting the traffic within the mobile device just before the mobile device's SSL library encrypts and transmits the network traffic to the destination server. See M10 for more information on the nature of this risk.

=== iOS Specific Best Practices ===

Default classes in the latest version of iOS handle SSL cipher strength negotiation very well. Trouble comes when developers temporarily add code to bypass these defaults to accommodate development hurdles. In addition to the above general practices:

* Ensure that certificates are valid and fail closed.
* When using CFNetwork, consider using the Secure Transport API to designate trusted client certificates. In almost all situations, NSStreamSocketSecurityLevelTLSv1 should be used for higher standard cipher strength.
* After development, ensure all NSURL calls (or wrappers of NSURL) do not allow self signed or invalid certificates such as the NSURL class method setAllowsAnyHTTPSCertificate.
* Consider using certificate pinning by doing the following: export your certificate, include it in your app bundle, and anchor it to your trust object. Using the NSURL method connection:willSendRequestForAuthenticationChallenge: will now accept your cert.

=== Android Specific Best Practices ===

* Remove all code after the development cycle that may allow the application to accept all certificates such as org.apache.http.conn.ssl.AllowAllHostnameVerifier or SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER. These are equivalent to trusting all certificates.
* If using a class which extends SSLSocketFactory, make sure checkServerTrusted method is properly implemented so that server certificate is correctly checked.
{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=example|position=left|risk=3|year=2016|language=en}}
There are a few common scenarios that penetration testers frequently discover when inspecting a mobile app's communication security:

'''Lack of certificate inspection'''
The mobile app and an endpoint successfully connect and perform a TLS handshake to establish a secure channel. However, the mobile app fails to inspect the certificate offered by the server and the mobile app unconditionally accepts any certificate offered to it by the server. This destroys any mutual authentication capability between the mobile app and the endpoint. The mobile app is susceptible to man-in-the-middle attacks through a TLS proxy.

'''Weak handshake negotiation'''
The mobile app and an endpoint successfully connect and negotiate a cipher suite as part of the connection handshake. The client successfully negotiates with the server to use a weak cipher suite that results in weak encryption that can be easily decrypted by the adversary. This jeopardizes the confidentiality of the channel between the mobile app and the endpoint.

'''Privacy information leakage'''
The mobile app transmits personally identifiable information to an endpoint via non-secure channels instead of over SSL. This jeopardizes the confidentiality of any privacy-related data between the mobile app and the endpoint.

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=references|position=right|risk=3|year=2016|language=en}}
{{Mobile_Top_10_2016:SubSubsectionOWASPReferencesTemplate}}
* [https://www.owasp.org/ References Go Here]
{{Mobile_Top_10_2016:SubSubsectionExternalReferencesTemplate}}
* [http://cwe.mitre.org/ External References]

Mobile Top 10 2016-M4-Insecure Authentication

2017-02-14T01:05:43Z

Jonathan Carter: Created page with "{{Mobile_Top_10_2016:TopTemplate |usenext=Mobile2016NextLink |next=M5-{{Mobile_Top_10_2016:ByTheNumbers |5 |year=2016 |langua..."

{{Mobile_Top_10_2016:TopTemplate
|usenext=Mobile2016NextLink
|next=M5-{{Mobile_Top_10_2016:ByTheNumbers
|5
|year=2016
|language=en}}
|useprev=Mobile2016PrevLink
|prev=M3-{{Mobile_Top_10_2016:ByTheNumbers
|3
|year=2016
|language=en}}
|year=2016
|language=en
}}

{{Mobile_Top_10_2016:SummaryTableHeaderBeginTemplate|year=2016|language=en}}
{{Mobile_Top_10:SummaryTableTemplate|exploitability=1|prevalence=2|detectability=2|impact=1|year=2016|language=en}}
{{Mobile_Top_10_2016:SummaryTableHeaderEndTemplate|year=2016}}
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>Threat agents that exploit authentication vulnerabilities typically do so through automated attacks that use available or custom-built tools.

</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>Once the adversary understands how the authentication scheme is vulnerable, they fake or bypass authentication by submitting service requests to the mobile app's backend server and bypass any direct interaction with the mobile app. This submission process is typically done via mobile malware within the device or botnets owned by the attacker.

</td>
<td colspan=2 {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>Poor or missing authentication schemes allow an adversary to anonymously execute functionality within the mobile app or backend server used by the mobile app. Weaker authentication for mobile apps is fairly prevalent due to a mobile device's input form factor. The form factor highly encourages short passwords that are often purely based on 4-digit PINs.

Authentication requirements for mobile apps can be quite different from traditional web authentication schemes due to availability requirements.

In traditional web apps, users are expected to be online and authenticate in real-time with a backend server. Throughout their session, there is a reasonable expectation that they will have continuous access to the Internet.

In mobile apps, users are not expected to be online at all times during their session. Mobile internet connections are much less reliable or predictable than traditional web connections. Hence, mobile apps may have uptime requirements that require offline authentication. This offline requirement can have profound ramifications on things that developers must consider when implementing mobile authentication.

To detect poor authentication schemes, testers can perform binary attacks against the mobile app while it is in 'offline' mode. Through the attack, the tester will force the app to bypass offline authentication and then execute functionality that should require offline authentication (for more information on binary attacks, see M10). As well, testers should try to execute any backend server functionality anonymously by removing any session tokens from any POST/GET requests for the mobile app functionality.
</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>The technical impact of poor authentication is that the solution is unable to identify the user performing an action request. Immediately, the solution will be unable to log or audit user activity because the identity of the user cannot be established. This will contribute to an inability to detect the source of an attack, the nature of any underlying exploits, or how to prevent future attacks.

Authentication failures may expose underlying authorization failures as well. When authentication controls fail, the solution is unable to verify the user's identity. This identity is linked to a user's role and associated permissions. If an attacker is able to anonymously execute sensitive functionality, it highlights that the underlying code is not verifying the permissions of the user issuing the request for the action. Hence, anonymous execution of code highlights failures in both authentication and authorization controls.
</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>The business impact of poor authentication will typically result in the following at a minimum:

* Reputational Damage
* Information Theft; or
* Unauthorized Access to Data.
</td>

{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}} {{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=4|year=2016|language=en}}
There are many different ways that a mobile app may suffer from insecure authentication:

* If the mobile app is able to anonymously execute a backend API service request without providing an access token, this application suffers from insecure authentication;
* If the mobile app stores any passwords or shared secrets locally on the device, it most likely suffers from insecure authentication;
* If the mobile app uses a weak password policy to simplify entering a password, it suffers from insecure authentication; or
* If the mobile app uses a feature like TouchID, it suffers from insecure authentication.

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=howPrevent|position=right|risk=4|year=2016|language=en}}

=== Avoid Weak Patterns ===
Avoid the following Insecure Mobile Application Authentication Design Patterns:

* If you are porting a web application to its mobile equivalent, authentication requirements of mobile applications should match that of the web application component. Therefore, it should not be possible to authenticate with less authentication factors than the web browser;

* Authenticating a user locally can lead to client-side bypass vulnerabilities. If the application stores data locally, the authentication routine can be bypassed on jailbroken devices through run-time manipulation or modification of the binary. If there is a compelling business requirement for offline authentication, see M10 for additional guidance on preventing binary attacks against the mobile app;

* Where possible, ensure that all authentication requests are performed server-side. Upon successful authentication, application data will be loaded onto the mobile device. This will ensure that application data will only be available after successful authentication;

* If client-side storage of data is required, the data will need to be encrypted using an encryption key that is securely derived from the user’s login credentials. This will ensure that the stored application data will only be accessible upon successfully entering the correct credentials. There are additional risks that the data will be decrypted via binary attacks. See M9 for additional guidance on preventing binary attacks that lead to local data theft;

* Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user’s password on the device;

* Ideally, mobile applications should utilize a device-specific authentication token that can be revoked within the mobile application by the user. This will ensure that the app can mitigate unauthorized access from a stolen/lost device;

* Do not use any spoof-able values for authenticating a user. This includes device identifiers or geo-location;

* Persistent authentication within mobile applications should be implemented as opt-in and not be enabled by default;

* If possible, do not allow users to provide 4-digit PIN numbers for authentication passwords.

=== Reinforce Authentication ===

* Developers should assume all client-side authorization and authentication controls can be bypassed by malicious users. Authorization and authentication controls must be re-enforced on the server-side whenever possible.

* Due to offline usage requirements, mobile apps may be required to perform local authentication or authorization checks within the mobile app's code. If this is the case, developers should instrument local integrity checks within their code to detect any unauthorized code changes. See M9 for more information about detecting and reacting to binary attacks.

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=example|position=left|risk=4|year=2016|language=en}}
The following scenarios showcase weak authentication or authorization controls in mobile apps:

'''Scenario #1:''' Hidden Service Requests:
Developers assume that only authenticated users will be able to generate a service request that the mobile app submits to its backend for processing. During the processing of the request, the server code does not verify that the incoming request is associated with a known user. Hence, adversaries submit service requests to the back-end service and anonymously execute functionality that affects legitimate users of the solution.

'''Scenario #2:''' Interface Reliance:
Developers assume that only authorized users will be able to see the existence of a particular function on their mobile app. Hence, they expect that only legitimately authorized users will be able to issue the request for the service from their mobile device. Back-end code that processes the request does not bother to verify that the identity associated with the request is entitled to execute the service. Hence, adversaries are able to perform remote administrative functionality using fairly low-privilege user accounts.

'''Scenario #3:''' Usability Requirements:
Due to usability requirements, mobile apps allow for passwords that are 4 digits long. Server code correctly stores a hashed version of the password. However, due to the severely short length of the password, an adversary will be able to quickly deduce the original passwords using rainbow hash tables. If the password file (or data store) on the server is compromised, an adversary will be able to quickly deduce users' passwords.

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=references|position=right|risk=4|year=2016|language=en}}
{{Mobile_Top_10_2016:SubSubsectionOWASPReferencesTemplate}}
* [https://www.owasp.org/ OWASP References Go Here]
{{Mobile_Top_10_2016:SubSubsectionExternalReferencesTemplate}}
* [http://cwe.mitre.org/ External References]

Mobile Top 10 2016-M5-Insufficient Cryptography

2017-02-14T01:05:28Z

Jonathan Carter: Created page with "{{Mobile_Top_10_2016:TopTemplate |usenext=Mobile2016NextLink |next=M6-{{Mobile_Top_10_2016:ByTheNumbers |6 |year=2016 |langua..."

{{Mobile_Top_10_2016:TopTemplate
|usenext=Mobile2016NextLink
|next=M6-{{Mobile_Top_10_2016:ByTheNumbers
|6
|year=2016
|language=en}}
|useprev=Mobile2016PrevLink
|prev=M4-{{Mobile_Top_10_2016:ByTheNumbers
|4
|year=2016
|language=en}}
|year=2016
|language=en
}}

{{Mobile_Top_10_2016:SummaryTableHeaderBeginTemplate|year=2016|language=en}}
{{Mobile_Top_10:SummaryTableTemplate|exploitability=1|prevalence=2|detectability=2|impact=1|year=2016|language=en}}
{{Mobile_Top_10_2016:SummaryTableHeaderEndTemplate|year=2016}}
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>Threat agents include the following: anyone with physical access to data that has been encrypted improperly, or mobile malware acting on an adversary's behalf.

</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>Attack vectors include the following: decryption of data via physical access to the device or network traffic capture, or malicious apps on the device with access to the encrypted data.

</td>
<td colspan=2 {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>In order to exploit this weakness, an adversary must successfully return encrypted code or sensitive data to its original unencrypted form due to weak encryption algorithms or flaws within the encryption process.

</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>This vulnerability will result in the unauthorized retrieval of sensitive information from the mobile device.

</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>This vulnerability can have a number of different business impacts. Typically, broken cryptography will result in the following:

* Privacy Violations;
* Information Theft;
* Code Theft;
* Intellectual Property Theft; or
* Reputational Damage.
</td>

{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}} {{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=5|year=2016|language=en}}
Insecure use of cryptography is common in most mobile apps that leverage encryption. There are two fundamental ways that broken cryptography is manifested within mobile apps. First, the mobile app may use a process behind the encryption / decryption that is fundamentally flawed and can be exploited by the adversary to decrypt sensitive data. Second, the mobile app may implement or leverage an encryption / decryption algorithm that is weak in nature and can be directly decrypted by the adversary. The following subsections explore both of these scenarios in more depth:

== Reliance Upon Built-In Code Encryption Processes ==

By default, iOS applications are protected (in theory) from reverse engineering via code encryption. The iOS security model requires that apps be encrypted and signed by trustworthy sources in order to execute in non-jailbroken environments. Upon start-up, the iOS app loader will decrypt the app in memory and proceed to execute the code after its signature has been verified by iOS. This feature, in theory, prevents an attacker from conducting binary attacks against an iOS mobile app.

Using freely available tools like ClutchMod or GBD, an adversary will download the encrypted app onto their jailbroken device and take a snapshot of the decrypted app once the iOS loader loads it into memory and decrypts it (just before the loader kicks off execution). Once the adversary takes the snapshot and stores it on disk, the adversary can use tools like IDA Pro or Hopper to easily perform static / dynamic analysis of the app and conduct further binary attacks.

Bypassing built-in code encryption algorithms is trivial at best. Always assume that an adversary will be able to bypass any built-in code encryption offered by the underlying mobile OS.
For more information about additional steps you can take to provide additional layers of reverse engineering prevention, see M9.

=== Poor Key Management Processes ===

The best algorithms don't matter if you mishandle your keys. Many make the mistake of using the correct encryption algorithm, but implementing their own protocol for employing it. Some examples of problems here include:

* Including the keys in the same attacker-readable directory as the encrypted content;
* Making the keys otherwise available to the attacker;
* Avoid the use of hardcoded keys within your binary; and
* Keys may be intercepted via binary attacks. See M10 for more information on preventing binary attacks.

=== Creation and Use of Custom Encryption Protocols ===

There is no easier way to mishandle encryption--mobile or otherwise--than to try to create and use your own encryption algorithms or protocols.

Always use modern algorithms that are accepted as strong by the security community, and whenever possible leverage the state of the art encryption APIs within your mobile platform. Binary attacks may result in adversary identifying the common libraries you have used along with any hardcoded keys in the binary. In cases of very high security requirements around encryption, you should strongly consider the use of whitebox cryptography. See M10 for more information on preventing binary attacks that could lead to the exploitation of common libraries.

=== Use of Insecure and/or Deprecated Algorithms ===

Many cryptographic algorithms and protocols should not be used because they have been shown to have significant weaknesses or are otherwise insufficient for modern security requirements. These include:

* RC2
* MD4
* MD5
* SHA1

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=howPrevent|position=right|risk=5|year=2016|language=en}}
It is best to do the following when handling sensitive data:
* Avoid the storage of any sensitive data on a mobile device where possible.
* Apply cryptographic standards that will withstand the test of time for at least 10 years into the future; and
* Follow the NIST guidelines on recommended algorithms (see external references).

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=example|position=left|risk=5|year=2016|language=en}}

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=references|position=right|risk=5|year=2016|language=en}}
{{Mobile_Top_10_2016:SubSubsectionOWASPReferencesTemplate}}
* [https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet OWASP Cryptographic Storage Cheat Sheet]
* [https://www.owasp.org/index.php/Key_Management_Cheat_Sheet OWASP Key Management Cheat Sheet]
{{Mobile_Top_10_2016:SubSubsectionExternalReferencesTemplate}}
* [http://csrc.nist.gov/publications/drafts/800-175/sp800-175b_draft.pdf NIST Encryption Guidelines]

Mobile Top 10 2016-M6-Insecure Authorization

2017-02-14T01:05:19Z

Jonathan Carter: Created page with "{{Mobile_Top_10_2016:TopTemplate |usenext=Mobile2016NextLink |next=M7-{{Mobile_Top_10_2016:ByTheNumbers |7 |year=2016 |langua..."

{{Mobile_Top_10_2016:TopTemplate
|usenext=Mobile2016NextLink
|next=M7-{{Mobile_Top_10_2016:ByTheNumbers
|7
|year=2016
|language=en}}
|useprev=Mobile2016PrevLink
|prev=M5-{{Mobile_Top_10_2016:ByTheNumbers
|5
|year=2016
|language=en}}
|year=2016
|language=en
}}

{{Mobile_Top_10_2016:SummaryTableHeaderBeginTemplate|year=2016|language=en}}
{{Mobile_Top_10:SummaryTableTemplate|exploitability=1|prevalence=2|detectability=2|impact=1|year=2016|language=en}}
{{Mobile_Top_10_2016:SummaryTableHeaderEndTemplate|year=2016}}
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>Threat agents that exploit authorization vulnerabilities typically do so through automated attacks that use available or custom-built tools.

</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>Once the adversary understands how the authorization scheme is vulnerable, they login to the application as a legitimate user. They successfully pass the authentication control. Once past authentication, they typically force-browse to a vulnerable endpoint to execute administrative functionality. This submission process is typically done via mobile malware within the device or botnets owned by the attacker.

</td>
<td colspan=2 {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>To test for poor authorization schemes, testers can perform binary attacks against the mobile app and try to execute privileged functionality that should only be executable with a user of higher privilege while the mobile app is in 'offline' mode (for more information on binary attacks, see M9 and M10). As well, testers should try to execute any privileged functionality using a low-privilege session token within the corresponding POST/GET requests for the sensitive functionality to the backend server.Poor or missing authorization schemes allow an adversary to execute functionality they should not be entitled to using an authenticated but lower-privilege user of the mobile app. Authorization requirements are more vulnerable when making authorization decisions within the mobile device instead of through a remote server. This may be a requirement due to mobile requirements of offline usability.

</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>The technical impact of poor authorization is similar in nature to the technical impact of poor authentication. The technical impact can be wide ranging in nature and dependent upon the nature of the over-privileged functionality that is executed. For example, over-privileged execution of remote or local administration functionality may result in destruction of systems or access to sensitive information.
</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>In the event that a user (anonymous or verified) is able to execute over-privileged functionality, the business may experience the following impacts:

* Reputational Damage;
* Fraud; or
* Information Theft.
</td>

{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}} {{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=6|year=2016|language=en}}
It is important to recognize the difference between authentication and authorization. Authentication is the act of identifying an individual. Authorization is the act of checking that the identified individual has the permissions necessary to perform the act. The two are closely related as authorization checks should always immediately follow authentication of the an incoming request from a mobile device.

If an organization fails to authenticate and individual before executing an API endpoint requested from a mobile device, then the code automatically suffers from insecure authorization as well. It is essentially impossible for authorization checks to occur on an incoming request when the caller's identity is not established.

There are a few easy rules to follow when trying to determine if a mobile endpoint is suffering from insecure authorization:

* '''Presence of Insecure Direct Object Reference (IDOR) vulnerabilities''' - If you are seeing an Insecure Direct Object Reference Vulnerability (IDOR), the code is most likely not performing a valid authorization check; and

* '''Hidden Endpoints''' - Typically, developers do not perform authorization checks on backend hidden functionality as they assume the hidden functionality will only be seen by someone in the right role;

* '''User Role or Permission Transmissions''' - If the mobile app is transmitting the user's roles or permissions to a backend system as part of a request, it is suffering from insecure authorization.

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=howPrevent|position=right|risk=6|year=2016|language=en}}
In order to avoid insecure authorization checks, do the following:

* Verify the roles and permissions of the authenticated user using only information contained in backend systems. Avoid relying on any roles or permission information that comes from the mobile device itself;

* Backend code should independently verify that any incoming identifiers associated with a request (operands of a requested operation) that come along with the identify match up and belong to the incoming identity;

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=example|position=left|risk=6|year=2016|language=en}}
'''Scenario #1:''' Insecure Direct Object Reference:

A user makes an API endpoint request to a backend REST API that includes an actor ID and an oAuth bearer token. The user includes their actor ID as part of the incoming URL and includes the access token as a standard header in the request. The backend verifies the presence of the bearer token but fails to validate the actor ID associated with the bearer token. As a result, the user can tweak the actor ID and attain account information of other users as part of the REST API request.

'''Scenario #2:''' Transmission of LDAP roles:

A user makes an API endpoint request to a backend REST API that includes a standard oAuth bearer token along with a header that includes a list of LDAP groups that the user belongs to. The backend request validates the bearer token and then inspects the incoming LDAP groups for the right group membership before continuing on to the sensitive functionality. However, the backend system does not perform an independent validation of LDAP group membership and instead relies upon the incoming LDAP information coming from the user. The user can tweak the incoming header and report to be a member of any LDAP group arbitrarily and perform administrative functionality.

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=references|position=right|risk=6|year=2016|language=en}}
{{Mobile_Top_10_2016:SubSubsectionOWASPReferencesTemplate}}
* [https://www.owasp.org/ References Go Here]
{{Mobile_Top_10_2016:SubSubsectionExternalReferencesTemplate}}
* [http://cwe.mitre.org/ External References]

Mobile Top 10 2016-M7-Poor Code Quality

2017-02-14T01:05:09Z

Jonathan Carter: Created page with "{{Mobile_Top_10_2016:TopTemplate |usenext=Mobile2016NextLink |next=M8-{{Mobile_Top_10_2016:ByTheNumbers |8 |year=2016 |langua..."

{{Mobile_Top_10_2016:TopTemplate
|usenext=Mobile2016NextLink
|next=M8-{{Mobile_Top_10_2016:ByTheNumbers
|8
|year=2016
|language=en}}
|useprev=Mobile2016PrevLink
|prev=M6-{{Mobile_Top_10_2016:ByTheNumbers
|6
|year=2016
|language=en}}
|year=2016
|language=en
}}

{{Mobile_Top_10_2016:SummaryTableHeaderBeginTemplate|year=2016|language=en}}
{{Mobile_Top_10:SummaryTableTemplate|exploitability=3|prevalence=2|detectability=3|impact=2|year=2016|language=en}}
{{Mobile_Top_10_2016:SummaryTableHeaderEndTemplate|year=2016}}
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>Threat Agents include entities that can pass untrusted inputs to method calls made within mobile code. These types of issues are not necessarily security issues in and of themselves but lead to security vulnerabilities. For example, buffer overflows within older versions of Safari (a poor code quality vulnerability) led to high risk drive-by Jailbreak attacks. Poor code-quality issues are typically exploited via malware or phishing scams.

</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>An attacker will typically exploit vulnerabilities in this category by supplying carefully crafted inputs to the victim. These inputs are passed onto code that resides within the mobile device where exploitation takes place. Typical types of attacks will exploit memory leaks and buffer overflows.

</td>
<td colspan=2 {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>Code quality issues are fairly prevalent within most mobile code. The good news is that most code quality issues are fairly benign and result in bad programming practice. It is typically difficult to detect these types of issues through manual code review. Instead, attackers will use third-party tools that perform static analysis or perform fuzzing. These types of tools will typically identify memory leaks, buffer overflows, and other less severe issues that result in bad programming practice. Hackers with extreme low-level knowledge and expertise are able to effectively exploit these types of issues. The typical primary goal is to execute foreign code within the mobile code's address space.
</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>Most exploitations that fall into this category result in foreign code execution or denial of service on remote server endpoints (and not the mobile device itself). However, in th event that buffer overflows/overruns do exist within the mobile device and the input can be derived from an external party, this could have a severely high technical impact and should be remediated.

</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>The business impact from this category of vulnerabilities varies greatly, depending upon the nature of the exploit. Poor code quality issues that result in remote code execution could lead to the following business impacts:

* Information Theft;
* Reputational Damage;
* Intellectual Property Theft

Other less severe technical issues that fall into this category may lead to degradations in performance, memory usage, or poor front-end architecture.
</td>

{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}} {{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=7|year=2016|language=en}}
This is the catch-all for code-level implementation problems in the mobile client. That's distinct from server-side coding mistakes. This captures the risks that come from vulnerabilities like buffer overflows, format string vulnerabilities, and various other code-level mistakes where the solution is to rewrite some code that's running on the mobile device.

This is distinct from Improper Platform Usage because it usually refers to the programming language itself (e.g., Java, Swift, Objective C, JavaScript). A buffer overflow in C or a DOM-based XSS in a Webview mobile app would be code quality issues.

The key characteristic of this risk is that it's code executing on the mobile device and the code needs to be changed in a fairly localised way. Fixing most risks requires code changes, but in the code quality case the risk comes from using the wrong API, using an API insecurely, using insecure language constructs, or some other code-level issue. Importantly: this is not code running on the server. This is a risk that captures bad code that executes on the mobile device itself.

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=howPrevent|position=right|risk=7|year=2016|language=en}}
In general, code quality issues can be avoided by doing the following:

* Maintain consistent coding patterns that everyone in the organization agrees upon;
* Write code that is easy to read and well-documented;
* When using buffers, always validate that the the lengths of any incoming buffer data will not exceed the length of the target buffer;
* Via automation, identify buffer overflows and memory leaks through the use of third-party static analysis tools; and
* Prioritize solving buffer overflows and memory leaks over other 'code quality' issues.

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=example|position=left|risk=7|year=2016|language=en}}
'''Scenario #1:''' Buffer Overflow example:

{{Mobile_Top_10_2016:ExampleBeginTemplate|year=2016}}
include <stdio.h>
int main(int argc, char **argv)
{
char buf[8]; // buffer for eight characters
gets(buf); // read from stdio (sensitive function!)
printf("%s\n", buf); // print out data stored in buf
return 0; // 0 as return value
}

{{Mobile_Top_10_2016:ExampleEndTemplate}}

In this example, taken from [https://www.owasp.org/index.php/Buffer_overflow_attack this] page, we should avoid the use of the gets function to avoid a buffer overflow. This is an example of what most static analysis tools will report as a code quality issue.

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=references|position=right|risk=7|year=2016|language=en}}
{{Mobile_Top_10_2016:SubSubsectionOWASPReferencesTemplate}}
* [https://www.owasp.org/index.php/Buffer_overflow_attack Buffer Overflow Examples]
{{Mobile_Top_10_2016:SubSubsectionExternalReferencesTemplate}}
* [http://cwe.mitre.org/ External References]

Mobile Top 10 2016-M8-Code Tampering

2017-02-14T01:04:58Z

Jonathan Carter: Created page with "{{Mobile_Top_10_2016:TopTemplate |usenext=Mobile2016NextLink |next=M9-{{Mobile_Top_10_2016:ByTheNumbers |9 |year=2016 |langua..."

{{Mobile_Top_10_2016:TopTemplate
|usenext=Mobile2016NextLink
|next=M9-{{Mobile_Top_10_2016:ByTheNumbers
|9
|year=2016
|language=en}}
|useprev=Mobile2016PrevLink
|prev=M7-{{Mobile_Top_10_2016:ByTheNumbers
|7
|year=2016
|language=en}}
|year=2016
|language=en
}}

{{Mobile_Top_10_2016:SummaryTableHeaderBeginTemplate|year=2016|language=en}}
{{Mobile_Top_10:SummaryTableTemplate|exploitability=1|prevalence=2|detectability=2|impact=1|year=2016|language=en}}
{{Mobile_Top_10_2016:SummaryTableHeaderEndTemplate|year=2016}}
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}> Typically, an attacker will exploit code modification via malicious forms of the apps hosted in third-party app stores. The attacker may also trick the user into installing the app via phishing attacks.
</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>Typically, an attacker will do the following things to exploit this category:

* Make direct binary changes to the application package's core binary
* Make direct binary changes to the resources within the applicaiton's package
* Redirect or replace system APIs to intercept and execute foreign code that is malicious

</td>
<td colspan=2 {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>Modified forms of applications are surprisingly more common than you think. There is an entire security industry built around detecting and removing unauthorized versions of mobile apps within app stores. Depending upon the approach taken to solving the problem of detecting code modification, organizations can have limited to highly successful ways of detecting unauthorized versions of code in the wild.

This category covers binary patching, local resource modification, method hooking, method swizzling, and dynamic memory modification.

Once the application is delivered to the mobile device, the code and data resources are resident there. An attacker can either directly modify the code, change the contents of memory dynamically, change or replace the system APIs that the application uses, or modify the application's data and resources. This can provide the attacker a direct method of subverting the intended use of the software for personal or monetary gain.
</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>The impact from code modification can be wide ranging in nature, depending upon the nature of the modification itself. Typical types of impacts include the following:

* Unauthorized new features;
* Identity theft; or
* Fraud.
</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>The business impact from code modification typically results in the following:

* Revenue loss due to piracy; or
* Reputational damage.
</td>

{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}} {{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=8|year=2016|language=en}}

Technically, all mobile code is vulnerable to code tampering. Mobile code runs within an environment that is not under the control of the organization producing the code. At the same time, there are plenty of different ways of altering the environment in which that code runs. These changes allow an adversary to tinker with the code and modify it at will.

Although mobile code is inherently vulnerable, it is important to ask yourself if it is worth detecting and trying to prevent unauthorized code modification. Apps written for certain business verticals (gaming for example) are much more vulnerable to the impacts of code modification than others (hospitality for example). As such, it is critical to consider the business impact before deciding whether or not to address this risk.

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=howPrevent|position=right|risk=8|year=2016|language=en}}
The mobile app must be able to detect at runtime that code has been added or changed from what it knows about its integrity at compile time. The app must be able to react appropriately at runtime to a code integrity violation.

The remediation strategies for this type of risk is outlined in more technical detail within the [https://www.owasp.org/index.php/OWASP_Reverse_Engineering_and_Code_Modification_Prevention_Project OWASP Reverse Engineering and Code Modification Prevention Project].

=== Android Root Detection ===

Typically, an app that has been modified will execute within a Jailbroken or rooted environment. As such, it is reasonable to try and detect these types of compromised environments at runtime and react accordingly (report to the server or shutdown). There are a few common ways to detect a rooted Android device:
Check for test-keys

* Check to see if build.prop includes the line ro.build.tags=test-keys indicating a developer build or unofficial ROM

Check for OTA certificates

* Check to see if the file /etc/security/otacerts.zip exists

Check for several known rooted apk's

* com.noshufou.android.su
* com.thirdparty.superuser
* eu.chainfire.supersu
* com.koushikdutta.superuser

Check for SU binaries

* /system/bin/su
* /system/xbin/su
* /sbin/su
* /system/su
* /system/bin/.ext/.su

Attempt SU command directly

* Attempt the to run the command su and check the id of the current user, if it returns 0 then the su command has been successful

=== iOS Jailbreak Detection ===

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=example|position=left|risk=8|year=2016|language=en}}
There are a number of counterfeit applications that are available across the app stores. Some of these contain malware payloads. Many of the modified apps contain modified forms of the original core binary and associated resources. The attacker re-packages these as a new application and released them into third-party stores.

'''Scenario #1:''':

Games are a particularly popular target to attack using this method. The attacker will attract people that are not interested in paying for any freemium features of the game. Within the code, the attacker short-circuits conditional jumps that detect whether an in-application purchase is successful. This bypass allows the victim to attain game artifacts or new abilities without paying for them. The attacker has also inserted spyware that will steal the identity of the user.

'''Scenario #2:''':

Banking apps are another popular target to attack. These apps typically process sensitive information that will be useful to an attacker. An attacker could create a counterfeit version of the app that transmits the user's personally identifiable information (PII) along with username/password to a third-party site. This is reminiscent of the desktop equivalent of Zeus malware. This typically results in fraud against the bank.

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=references|position=right|risk=8|year=2016|language=en}}
{{Mobile_Top_10_2016:SubSubsectionOWASPReferencesTemplate}}
* [https://www.owasp.org/index.php/OWASP_Reverse_Engineering_and_Code_Modification_Prevention_Project OWASP Reverse Engineering and Code Modification Prevention Project]
{{Mobile_Top_10_2016:SubSubsectionExternalReferencesTemplate}}

[1] Arxan Research: [https://www.arxan.com/assets/1/7/State_of_Security_in_the_App_Economy_Report_Vol._2.pdf State of Security in the App Economy, Volume 2], November 2013:
:''“Adversaries have hacked 78 percent of the top 100 paid Android and iOS apps in 2013.”''

[2] HP Research: [http://www8.hp.com/us/en/hp-news/press-release.html?id=1528865#.UuwZFPZvDi5 HP Research Reveals Nine out of 10 Mobile Applications Vulnerable to Attack], 18 November 2013:
:''"86 percent of applications tested lacked binary hardening, leaving applications vulnerable to information disclosure, buffer overflows and poor performance. To ensure security throughout the life cycle of the application, it is essential to build in the best security practices from conception."''

[3] North Carolina State University: [http://www.csc.ncsu.edu/faculty/jiang/pubs/OAKLAND12.pdf Dissecting Android Malware: Characterization and Evolution], 7 September 2011:
:''“Our results show that 86.0% of them (Android Malware) repackage legitimate apps to include malicious payloads; 36.7% contain platform-level exploits to escalate privilege; 93.0% exhibit the bot-like capability.”''

[4] Tech Hive: [http://www.techhive.com/article/249310/apple_pulls_ripoff_apps_from_its_walled_garden.html Apple Pulls Ripoff Apps from its Walled Garden]Feb 4th, 2012:
:''“While Apple is known for screening apps before they are allowed to sprout up in its walled garden, clearly fake apps do get in. Once they do, getting them out depends on developers who raise a fuss.”''

[5] Tech Crunch: [http://techcrunch.com/2014/01/02/developer-spams-google-play-with-ripoffs-of-well-known-apps-again/ Developer Spams Google Play With RipOffs of Well-Known Apps… Again], January 2 2014:
:''“It’s not uncommon to search the Google Play app store and find a number of knock-off or “fake” apps aiming to trick unsuspecting searchers into downloading them over the real thing.”''

[6] Extreme Tech: [http://www.extremetech.com/mobile/153849-chinese-app-store-offers-pirated-ios-apps-without-the-need-to-jailbreak Chinese App Store Offers Pirated iOS Apps Without the Need To Jailbreak], April 19 2013:
:''“The site offers apps for free that would otherwise cost money, including big-name titles.”''

[7] OWASP: [https://www.owasp.org/index.php/Architectural_Principles_That_Prevent_Code_Modification_or_Reverse_Engineering Architectural Principles That Prevent Code Modification or Reverse Engineering], January 11th 2014.

[8] Gartner report: Avoiding Mobile App Development Security Pitfalls, 24 May 2013:
:''"For critical applications, such as transactional ones and sensitive enterprise applications, hardening should be used."''

[9] Gartner report: Emerging Technology Analysis: Mobile Application Shielding, March 26th, 2013:
:''"As more regulated and sensitive data applications move to mobile platforms the need to increase data protection increases. Mobile application shielding presents the opportunity to security providers to offer higher data protection standards to mobile platforms that exceed mobile OS security."''

[10] Gartner report: Proliferating Mobile Transaction Attack Vectors and What to Do About Them, March 1st, 2013:
:''"Use mobile application security testing services and self-defending application utilities to help prevent hacking attempts."''
[11] Gartner report: Select a Secure Mobile Wallet for Proximity, March 1st, 2013:
:''"Application hardening can fortify sensitive business code against hacking attempts, such as reverse engineering”''

[12] Forrester paper: Choose The Right Mobile Development Solutions For Your Organization, May 6th 2013:
:''“5 Key Protections: Data Protection, App Compliance, App-Level Threat Defense, Security Policy Enforcement, App Integrity”''

[13] John Wiley and Sons, Inc: [http://www.amazon.com/iOS-Hackers-Handbook-Charlie-Miller/dp/1118204123 iOS Hacker's Handbook], Published May 2012, ISBN 1118204123.

[14] McGraw Hill Education: [http://mobilehackingexposed.com/ Mobile Hacking Exposed], Published July 2013, ISBN 0071817018.

[15] Publisher Unannounced: [http://www.amazon.com/Android-Hackers-Handbook-Joshua-Drake/dp/111860864X Android Hacker's Handbook], To Be Published April 2014.

[16] Software Development Times: [http://sdt.bz/66393#ixzz2sHa7dFMp More than 5,000 apps in the Google Play Store are copied APKs, or 'thief-ware'], November 20 2013:
:''“In most cases, the 2,140 copycat developers that were found reassembled the apps almost identically, adding new advertising SDKs to siphon profits away from the original developers.''

[17] InfoSecurity Magazine: [http://www.infosecurity-magazine.com/view/36376/two-thirds-of-personal-banking-apps-found-full-of-vulnerabilities/ Two Thirds of Personal Banking Apps Found Full of Vulnerabilities], January 3 2014:
:''“But one of his more worrying findings came from disassembling the apps themselves ... what he found was hardcoded development credentials within the code. An attacker could gain access to the development infrastructure of the bank and infest the application with malware causing a massive infection for all of the application’s users.”''

[18] InfoSecurity Magazine: [http://www.infosecurity-magazine.com/view/36686/mobile-malware-infects-millions-lte-spurs-growth/ Mobile Malware Infects Millions; LTE Spurs Growth], January 29 2014:
:''"Number of mobile malware samples is growing at a rapid clip, increasing by 20-fold in 2013... It is trivial for an attacker to hijack a legitimate Android application, inject malware into it and redistribute it for consumption. There are now binder kits available that will allow an attacker to automatically inject malware into an existing application"''

Mobile Top 10 2016-M9-Reverse Engineering

2017-02-14T01:04:49Z

Jonathan Carter: Created page with "{{Mobile_Top_10_2016:TopTemplate |usenext=Mobile2016NextLink |next=M10-{{Mobile_Top_10_2016:ByTheNumbers |10 |year=2016 |lang..."

{{Mobile_Top_10_2016:TopTemplate
|usenext=Mobile2016NextLink
|next=M10-{{Mobile_Top_10_2016:ByTheNumbers
|10
|year=2016
|language=en}}
|useprev=Mobile2016PrevLink
|prev=M8-{{Mobile_Top_10_2016:ByTheNumbers
|8
|year=2016
|language=en}}
|year=2016
|language=en
}}

{{Mobile_Top_10_2016:SummaryTableHeaderBeginTemplate|year=2016|language=en}}
{{Mobile_Top_10:SummaryTableTemplate|exploitability=1|prevalence=2|detectability=1|impact=2|year=2016|language=en}}
{{Mobile_Top_10_2016:SummaryTableHeaderEndTemplate|year=2016}}
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>An attacker will typically download the targeted app from an app store and analyze it within their own local environment using a suite of different tools.

</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>An attacker must perform an analysis of the final core binary to determine its original string table, source code, libraries, algorithms, and resources embedded within the app. Attackers will use relatively affordable and well-understood tools like IDA Pro, Hopper, otool, strings, and other binary inspection tools from within the attacker's environment.

</td>
<td colspan=2 {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>Generally, all mobile code is susceptible to reverse engineering. Some apps are more susceptible than others. Code written in languages / frameworks that allow for dynamic introspection at runtime (Java, .NET, Objective C, Swift) are particularly at risk for reverse engineering. Detecting susceptibility to reverse engineering is fairly straight forward. First, decrypt the app store version of the app (if binary encryption is applied). Then, use the tools outlined in the "Attack Vectors" section of this document against the binary. Code will be susceptible if it is fairly easy to understand the app's controlflow path, string table, and any pseudocode/source-code generated by these tools.

</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>An attacker may exploit reverse engineering to achieve any of the following:

* Reveal information about back end servers;
* Reveal cryptographic constants and ciphers;
* Steal intellectual property;
* Perform attacks against back end systems; or
* Gain intelligence needed to perform subsequent code modification.

</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>The business impacts from reverse engineering are quite varied. They include the following:

* Intellectual Property theft;
* Reputational Damage;
* Identity Theft; or
* Compromise of Backend Systems.
</td>

{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}} {{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=9|year=2016|language=en}}Generally, most applications are susceptible to reverse engineering due to the inherent nature of code. Most languages used to write apps today are rich in metadata that greatly aides a programmer in debugging the app. This same capability also grealy aides an attacker in understanding how the app works.

An app is said to be susceptible to reverse engineering if an attacker can do any of the following things:

* Clearly understand the contents of a binary's string table
* Accurately perform cross-functional analysis
* Derive a reasonably accurate recreation of the source code from the binary

Although most apps are susceptible to reverse engineering, it's important to examine the potential business impact of reverse engineering when considering whether or not to mitigate this risk. See the examples below for a small sampling of what can be done with reverse engineering on its own.

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=howPrevent|position=right|risk=9|year=2016|language=en}}
In order to prevent effective reverse engineering, you must use an obfuscation tool. There are many free and commercial grade obfuscators on the market. Conversely, there are many different deobfuscators on the market. To measure the effectiveness of whatever obfuscation tool you choose, try deobfuscating the code using tools like IDA Pro and Hopper.

A good obfuscator will have the following abilities:

* Narrow down what methods / code segments to obfuscate;
* Tune the degree of obfuscation to balance performance impact;
* Withstand de-obfuscation from tools like IDA Pro and Hopper;
* Obfuscate string tables as well as methods

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=example|position=left|risk=9|year=2016|language=en}}
'''Scenario #1:''' String Table Analysis:

The attacker runs 'strings' against the unencrypted app. As a result of the string table analysis, the attacker discovers a hardcoded connectivity string that contains authentication credentials to a backend database. The attacker uses those credentials to gain access to the database. The attacker steals a vast array of PII data about the app's users.

'''Scenario #2:''' Cross-Functional Analysis:

The attacker uses IDA Pro against an unencrypted app. As a result of the string table analysis combined with functioanl cross-referencing, the attacker discovers Jailbreak detection code. The attacker uses this knowledge in a subequent code-modification attack to disable jailbreak detection within the mobile app. The attacker then deploys a version of the app that exploits method swizzling to steal customer information.

'''Scenario #3:''' Source Code Analysis:

Consider a banking Android application. The APK file can be easily extracted using 7zip/Winrar/WinZip/Gunzip. Once extracted, the attacker has manifest file, assets, resources and most importantly classes.dex file.

Then using Dex to Jar converter, an attacker can easily convert it to jar file. In next step, Java Decompiler (like JDgui) will provide you the code.

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=references|position=right|risk=9|year=2016|language=en}}
{{Mobile_Top_10_2016:SubSubsectionOWASPReferencesTemplate}}
* [https://www.owasp.org/index.php/OWASP_Reverse_Engineering_and_Code_Modification_Prevention_Project OWASP Reverse Engineering and Code Modification Prevention Project]
{{Mobile_Top_10_2016:SubSubsectionExternalReferencesTemplate}}

[1] Arxan Research: [https://www.arxan.com/assets/1/7/State_of_Security_in_the_App_Economy_Report_Vol._2.pdf State of Security in the App Economy, Volume 2], November 2013:
:''“Adversaries have hacked 78 percent of the top 100 paid Android and iOS apps in 2013.”''

[2] HP Research: [http://www8.hp.com/us/en/hp-news/press-release.html?id=1528865#.UuwZFPZvDi5 HP Research Reveals Nine out of 10 Mobile Applications Vulnerable to Attack], 18 November 2013:
:''"86 percent of applications tested lacked binary hardening, leaving applications vulnerable to information disclosure, buffer overflows and poor performance. To ensure security throughout the life cycle of the application, it is essential to build in the best security practices from conception."''

[3] North Carolina State University: [http://www.csc.ncsu.edu/faculty/jiang/pubs/OAKLAND12.pdf Dissecting Android Malware: Characterization and Evolution], 7 September 2011:
:''“Our results show that 86.0% of them (Android Malware) repackage legitimate apps to include malicious payloads; 36.7% contain platform-level exploits to escalate privilege; 93.0% exhibit the bot-like capability.”''

[4] Tech Hive: [http://www.techhive.com/article/249310/apple_pulls_ripoff_apps_from_its_walled_garden.html Apple Pulls Ripoff Apps from its Walled Garden]Feb 4th, 2012:
:''“While Apple is known for screening apps before they are allowed to sprout up in its walled garden, clearly fake apps do get in. Once they do, getting them out depends on developers who raise a fuss.”''

[5] Tech Crunch: [http://techcrunch.com/2014/01/02/developer-spams-google-play-with-ripoffs-of-well-known-apps-again/ Developer Spams Google Play With RipOffs of Well-Known Apps… Again], January 2 2014:
:''“It’s not uncommon to search the Google Play app store and find a number of knock-off or “fake” apps aiming to trick unsuspecting searchers into downloading them over the real thing.”''

[6] Extreme Tech: [http://www.extremetech.com/mobile/153849-chinese-app-store-offers-pirated-ios-apps-without-the-need-to-jailbreak Chinese App Store Offers Pirated iOS Apps Without the Need To Jailbreak], April 19 2013:
:''“The site offers apps for free that would otherwise cost money, including big-name titles.”''

[7] OWASP: [https://www.owasp.org/index.php/Architectural_Principles_That_Prevent_Code_Modification_or_Reverse_Engineering Architectural Principles That Prevent Code Modification or Reverse Engineering], January 11th 2014.

[8] Gartner report: Avoiding Mobile App Development Security Pitfalls, 24 May 2013:
:''"For critical applications, such as transactional ones and sensitive enterprise applications, hardening should be used."''

[9] Gartner report: Emerging Technology Analysis: Mobile Application Shielding, March 26th, 2013:
:''"As more regulated and sensitive data applications move to mobile platforms the need to increase data protection increases. Mobile application shielding presents the opportunity to security providers to offer higher data protection standards to mobile platforms that exceed mobile OS security."''

[10] Gartner report: Proliferating Mobile Transaction Attack Vectors and What to Do About Them, March 1st, 2013:
:''"Use mobile application security testing services and self-defending application utilities to help prevent hacking attempts."''
[11] Gartner report: Select a Secure Mobile Wallet for Proximity, March 1st, 2013:
:''"Application hardening can fortify sensitive business code against hacking attempts, such as reverse engineering”''

[12] Forrester paper: Choose The Right Mobile Development Solutions For Your Organization, May 6th 2013:
:''“5 Key Protections: Data Protection, App Compliance, App-Level Threat Defense, Security Policy Enforcement, App Integrity”''

[13] John Wiley and Sons, Inc: [http://www.amazon.com/iOS-Hackers-Handbook-Charlie-Miller/dp/1118204123 iOS Hacker's Handbook], Published May 2012, ISBN 1118204123.

[14] McGraw Hill Education: [http://mobilehackingexposed.com/ Mobile Hacking Exposed], Published July 2013, ISBN 0071817018.

[15] Publisher Unannounced: [http://www.amazon.com/Android-Hackers-Handbook-Joshua-Drake/dp/111860864X Android Hacker's Handbook], To Be Published April 2014.

[16] Software Development Times: [http://sdt.bz/66393#ixzz2sHa7dFMp More than 5,000 apps in the Google Play Store are copied APKs, or 'thief-ware'], November 20 2013:
:''“In most cases, the 2,140 copycat developers that were found reassembled the apps almost identically, adding new advertising SDKs to siphon profits away from the original developers.''

[17] InfoSecurity Magazine: [http://www.infosecurity-magazine.com/view/36376/two-thirds-of-personal-banking-apps-found-full-of-vulnerabilities/ Two Thirds of Personal Banking Apps Found Full of Vulnerabilities], January 3 2014:
:''“But one of his more worrying findings came from disassembling the apps themselves ... what he found was hardcoded development credentials within the code. An attacker could gain access to the development infrastructure of the bank and infest the application with malware causing a massive infection for all of the application’s users.”''

[18] InfoSecurity Magazine: [http://www.infosecurity-magazine.com/view/36686/mobile-malware-infects-millions-lte-spurs-growth/ Mobile Malware Infects Millions; LTE Spurs Growth], January 29 2014:
:''"Number of mobile malware samples is growing at a rapid clip, increasing by 20-fold in 2013... It is trivial for an attacker to hijack a legitimate Android application, inject malware into it and redistribute it for consumption. There are now binder kits available that will allow an attacker to automatically inject malware into an existing application"''

Mobile Top 10 2016-M10-Extraneous Functionality

2017-02-14T01:04:39Z

Jonathan Carter: Created page with "{{Mobile_Top_10_2016:TopTemplate |usenext=Mobile2016NextLink |next=M1-{{Mobile_Top_10_2016:ByTheNumbers |1 |year=2016 |langua..."

{{Mobile_Top_10_2016:TopTemplate
|usenext=Mobile2016NextLink
|next=M1-{{Mobile_Top_10_2016:ByTheNumbers
|1
|year=2016
|language=en}}
|useprev=Mobile2016PrevLink
|prev=M9-{{Mobile_Top_10_2016:ByTheNumbers
|9
|year=2016
|language=en}}
|year=2016
|language=en
}}

{{Mobile_Top_10_2016:SummaryTableHeaderBeginTemplate|year=2016|language=en}}
{{Mobile_Top_10:SummaryTableTemplate|exploitability=1|prevalence=2|detectability=2|impact=1|year=2016|language=en}}
{{Mobile_Top_10_2016:SummaryTableHeaderEndTemplate|year=2016}}
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>Typically, an attacker seeks to understand extraneous functionality within a mobile app in order to discover hidden functionality in in backend systems. The attacker will typically exploit extraneous functionality directly from their own systems without any involvement by end-users.

</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>An attacker will download and examine the mobile app within their own local environment. They will examine log files, configuration files, and perhaps the binary itself to discover any hidden switches or test code that was left behind by the developers. They will exploit these switches and hidden functionality in the backend system to perform an attack.

</td>
<td colspan=2 {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>There is a high likelihood that any given mobile app contains extraneous functionality that is not directly exposed to the user via the interface. Most of this additional code is benign in nature and will not give an attacker any additional insight into backend capabilities. However, some extraneous functionality can be very useful to an attacker. Functionality that exposes information related to back-end test, demo, staging, or UAT environments should not be included in a production build. Additionally, administrative API endpoints, or unofficial endpoints should not be included in final production builds. Detecting extraneous functionality can be tricky. Automated static and dynamic analysis tools can pick up low hanging fruit (log statements). However, some backdoors are difficult to detect in an automated means. As such, it is always best to prevent these things using a manual code review.

</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>The technical impact from extraneous functionality includes the following:

* Exposure of how backend systems work; or
* Unauthorized high-privileged actions executed.
</td>
<td {{Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate|year=2016}}>The business impact from extraneous functionality includes the following:

* Unauthorized Access to Sensitive Functionality;
* Reputational Damage; or
* Intellectual Property Theft.

</td>

{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}} {{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=10|year=2016|language=en}}
Often, developers include hidden backdoor functionality or other internal development security controls that are not intended to be released into a production environment. For example, a developer may accidentally include a password as a comment in a hybrid app. Another example includes disabling of 2-factor authentication during testing.

The defining characteristic of this risk is leaving functionality enabled in the app that was not intended to be released.

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=howPrevent|position=right|risk=10|year=2016|language=en}}
The best way to prevent this vulnerability is to perform a manual secure code review using security champs or subject matter experts most knowledgable with this code. They should do the following:

# Examine the app's configuration settings to discover any hidden switches;
# Verify that all test code is not included in the final production build of the app;
# Examine all API endpoints accessed by the mobile app to verify that these endpoints are well documented and publicly available;
# Examine all log statements to ensure nothing overly descriptive about the backend is being written to the logs;

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=example|position=left|risk=10|year=2016|language=en}}
'''Scenario #1:''' Administrative Endpoint Exposed:

As part of mobile endpoint testing, developers included a hidden interface within the mobile app that would display an administrative dashboard. This dashboard accessed admin information via the back-end API server. In the production version of the code, the developers did not include code that displayed the dashboard at any time. However, they did include the underlying code that could access the back-end admin API. An attacker performed a string table analysis of the binary and discovered the hardcoded URL to an administrative REST endpoint. The attacker subsequently used 'curl' to execute back-end administrative functionality.

The developers should have removed all extraneous code, including code that is not directly reachable by the native interface.

'''Scenario #2:''' Debug Flag in Configuration File:

An attacker tries manually added "debug=true" to a .properties file in a local app. Upon startup, the application is outputting log files that are overly descriptive and helpful to the attacker in understanding the backend systems. The attacker subsequently discovers vulnerabilities within the backend system as a result of the log.

The developers should have prevented the activation of 'debug mode' within a production build of the mobile app.

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=references|position=right|risk=10|year=2016|language=en}}
{{Mobile_Top_10_2016:SubSubsectionOWASPReferencesTemplate}}
* [https://www.owasp.org OWASP References Go Here]
{{Mobile_Top_10_2016:SubSubsectionExternalReferencesTemplate}}
* [http://cwe.mitre.org External References Go Here]

Template:Mobile Top 10:RoundedBoxLinkBegin

2017-02-02T23:35:52Z

Jonathan Carter:

[[Mobile_Top_Ten_2016-M{{{risk}}}-{{Mobile_Top_10_2016:ByTheNumbers
|{{{risk}}}
|year=2016
|language=en}} |
{{Top 10:RoundedBoxBegin|year={{{year}}} }}

Template:Mobile Top 10 2016:SubSubsectionExternalReferencesTemplate

2017-01-24T22:59:01Z

Jonathan Carter: Created page with "'''{{Mobile_Top_10:LanguageFile|text=external|language={{{language}}} }}'''"

'''{{Mobile_Top_10:LanguageFile|text=external|language={{{language}}} }}'''

Template:Mobile Top 10 2016:SubSubsectionOWASPReferencesTemplate

2017-01-24T22:58:21Z

Jonathan Carter: Created page with "'''OWASP'''"

'''OWASP'''

Template:Mobile Top 10 2016:ExampleEndTemplate

2017-01-24T22:01:18Z

Jonathan Carter: Created page with "</div>"

</div>

Template:Mobile Top 10 2016:ExampleBeginTemplate

2017-01-24T21:59:45Z

Jonathan Carter: Created page with "<div style="border: 2px dashed #444444; background-color: {{#switch: {{{year}}} |2013=#E0E0E0 |#default=#D0D0D0}}; font-family: courier; padding: 4px;margin-left: +20px; margi..."

Template:Mobile Top 10 2016:SummaryTableRowStyleTemplate

2017-01-24T21:38:13Z

Jonathan Carter: Created page with "style="text-align: left; border: 3px solid #444444;""

style="text-align: left; border: 3px solid #444444;"

Template:Mobile Top 10 2016:SummaryTableHeaderEndTemplate

2017-01-24T21:31:43Z

Jonathan Carter:

<td style="font-size: 100%; font-weight: bold; background-color: #D9D9D9; color: #000000; border: 3px solid #444444"> {{Mobile_Top_10:LanguageFile|text=applicationBusinessSpecific|language={{{language}}} }} </td>
</tr>
<tr valign="top">

Template:Mobile Top 10:LanguageFile

2017-01-24T21:16:22Z

Jonathan Carter:

==='''Usage:''' ===
This File contains all the text that is used by OWASP Mobile Top 10 Templates 
Please leave a message to {{Template:Contact | name = Jonathan Carter | email =jonathan.carter@owasp.org | username = Jonathan Carter}}
if you liked to add a new localization 

If you use an undefined language you will get English output (default language). 
 
<nowiki>{{Mobile_Top_10:LanguageFile</nowiki> 
:<nowiki> |text=<parameter> </nowiki> 
:<nowiki> |language=<your language> </nowiki> 
:<nowiki> |year=<year> </nowiki> 
<nowiki>}}</nowiki> 
====Example:====
<nowiki>{{Mobile_Top_10:LanguageFile|text=tableOfContents|language=de}} =></nowiki> {{Mobile_Top_10:LanguageFile|text=tableOfContents|language=de}}
----
==='''Healthcheck'''===
tbd. 
In the meantime, please check:
* [[Mobile_Top_10_2016-Table_of_Contents | English Mobile Top 10 Wiki]]
* [[Germany/Projekte/Mobile_Top_10-2016-Inhaltsverzeichnis | German Mobile Top 10 Wiki]]
----
If you use an unknown parameter you will get the following Error message in your wiki page: 

<onlyinclude>{{#switch: {{{language}}}
| de = 
{{#switch: {{{text}}} <noinclude>
 </noinclude>
| documentRootMobileTop10 = Germany/Projekte/Mobile Top 10-{{{year}}}
| documentRootMobileTop10DeveloperEdition = Germany/Projekte/Mobile Top 10 fuer Entwickler-{{{year}}}<noinclude>

 </noinclude>
| mobileTop10TmpMessage = ==BAUSTELLE! Hier entsteht das deutsche Wiki der OWASP Mobile Top 10-2016==
| mobileTop10TmpMessageDeveloperEdition = ==BAUSTELLE! Hier entsteht das deutsche Wiki der OWASP Mobile Top 10 fuer Entwickler-2016==
| centerLink1 = [[Germany/Projekte/Mobile Top 10-2016-Inhaltsverzeichnis|2013 Inhaltsverzeichnis]]
| centerLink2 = [[Germany/Projekte/Mobile Top 10-2016-Top 10|2016 Die Mobile-Top-10-Risiken]]
| centerLink1DeveloperEdition = [[Germany/Projekte/Mobile Top 10 fuer Entwickler-2016/Inhaltsverzeichnis|Mobile Top 10 fuer Entwickler-2016: Inhaltsverzeichnis]]
| centerLink2DeveloperEdition = [[Germany/Projekte/Mobile Top 10 fuer Entwickler-2016/Mobile Top 10|Die Mobile Top-10-Risiken]]
| projectCategory = [[Category: Germany/Projekte/Mobile Top 10-2016]]
| projectCategoryDeveloperEdition = [[Category:OWASP Mobile Top 10 fuer Entwickler]] [[Category: Germany/Projekte/Mobile Top 10 fuer Entwickler-2016]]<noinclude>

 </noinclude>
| tableOfContents = Inhaltsverzeichnis
| foreword = Vorwort
| forewordTranslation = Vorwort der deutschen Übersetzung
| forward = Vorwort 
| forwardTranslation = Vorwort der deutschen Übersetzung 
| aboutOWASP = Über OWASP
| copyrightAndLicense Copyright und Lizenz
| introduction = Einleitung
| releaseNotes = Neuerungen
| risks = Risiken
| risk = Risiko
| subTitleApplicationRisks = (Sicherheitsrisiken für Anwendungen)
| riskLarge = RISIKO
| applicationSecurityRisks = Was sind Sicherheitsrisiken für Anwendungen?
| theMobileTop10 = Die Mobile Top-10-Risiken
| mobileTop10 = Mobile Top 10
| whatsNextforDevelopers = Nächste Schritte für Software-Entwickler
| whatsNextforVerifiers = Nächste Schritte für Prüfer
| whatsNextforOrganizations = Nächste Schritte für Organisationen
| noteAboutRisks = Anmerkungen zum Risikobegriff
| detailsAboutRiskFactors = Details zu Risiko-Faktoren
| appendix = Anlage
| warnings = Zur Beachtung
| acknowledgements = Danksagung
| attribution = Namensnennung/Danksagung
| whatChangedFrom2014to2016 = Was hat sich von Version 2014 zu 2016 verändert?
| welcome = Herzlich Willkommen
| whatAreApplicationSecurityRisks = Was sind Sicherheitsrisiken für Anwendungen?
| whatsMyRisk = Was sind meine Risiken?
| references = Referenzen
| establishAndUseAFullSetOfCommonSecurityControls = Etablierung und Nutzung umfassender Sicherheitsmaßnahmen
| startYourApplicationSecurityProgramNow = Starten Sie jetzt mit Ihrem Anwendungssicherheits-Programm!
| getOrganized = Organisation und Prozesse
| codeReview = Code-Analyse
| securityAndPenetrationTesting = Sicherheits- und Penetrationstests
| itsAboutRisksNotWeaknesses = Es geht nicht um Schwachstellen, sondern um Risiken
| mobileTop10RiskFactorSummary = Zusammenfassung der Mobile Top 10 Risiko-Faktoren
| additionalRisksToConsider = Weitere zu betrachtende Risiken <noinclude>

 </noinclude>
| improperPlatformUsage = Improper Platform Usage
| insecureDataStorage = Insecure Data Storage
| insecureCommunication = Insecure Communication
| insecureAuthentication = Insecure Authentication
| insufficientCryptography = Insufficient Cryptography
| insecureAuthorization = Insecure Authorization
| clientCodeQuality = Poor Code Quality
| codeTampering = Code Tampering
| reverseEngineering = Reverse Engineering
| extraneousFunctionality = Extraneous Functionality
| injection = Injection
| brokenAuthSessionMgmt = Fehler in Authentifizierung und Session-Management
| authentication = Authentifizierung 
| xss = Cross-Site Scripting (XSS)
| xssShort = XSS
| insecureDirectObjectReference = Unsichere direkte Objektreferenzen
| insecureDOR = Unsichere direkte Objektreferenzen
| securityMisconfig = Sicherheitsrelevante Fehlkonfiguration
| misconfig = Fehlkonfiguration
| sensitiveDataExposure = Verlust der Vertraulichkeit sensibler Daten<noinclude>ex: Sensitive Data Exposure</noinclude>
| sensData = Sens. Data<noinclude>(tbd)</noinclude>
| missingFunctionLevelACL = Fehlerhafte Autorisierung auf Anwendungsebene <noinclude>(tbd = Missing Function Level Access Control)</noinclude>
| functionAcc = Fehlerh. Autorisierung<noinclude>(tbd = Kurzform für Missing Function Level Access Control)</noinclude>
| csrf = Cross-Site Request Forgery (CSRF)
| csrfShort = CSRF
| usingVulnerableComponents = Benutzen von Komponenten mit bekannten Schwachstellen <noinclude>(tbd = Using Components with Known Vulnerabilities)</noinclude>
| vulnComponents = Komponenten mit Schwachstellen <noinclude>(tbd = vuln. Components)</noinclude>
| unvalidatedRedirectsForwards = Ungeprüfte Um- und Weiterleitungen
| unvalRedirects = Ungepr. Weiterltg.
| insecureCryptographicStorage = Kryptografisch unsichere Speicherung
| failureRestrictUrlAccess = Mangelhafter URL-Zugriffsschutz
| insufficientTLProtection = Unzureichende Absicherung der Transportschicht
| inProgress = In Arbeit <noinclude>

 </noinclude>
| applicationSpecific = Anwendungs- spezifisch
| appSpecific = Anw.- spezifisch
| applicationBusinessSpecific = Anwendungs-/ Geschäftsspezifisch
| appBusinessSpecific = Anw.-/ Geschäftsspez.
| exploitability = Ausnutzbarkeit
| easy = EINFACH
| average = DURCHSCHNITTLICH
| difficult = SCHWIERIG
| weakness =  
| prevalence = Verbreitung
| veryWidespread = AUSSERGEWÖHNLICH HÄUFIG
| widespread = SEHR HÄUFIG
| common = HÄUFIG
| uncommon = SELTEN
| detectability = Auffindbarkeit
| impact = Auswirkung
| severe = SCHWERWIEGEND
| moderate = MITTEL
| minor = GERING <noinclude>

 </noinclude>
| threatAgents = Bedrohungsquelle
| attackVectors = Angriffsvektor
| securityWeakness = Schwachstellen
| technicalImpacts = Technische Auswirkung
| businessImpacts = Auswirkung auf das Unternehmen
| threatAgentsImage = Image:Top 10 de threatAgents.png
| attackVectorsImage = Image:Top 10 de attackVectors.png
| securityWeaknessImage= Image:Top 10 de securityWeakness.png
| technicalImpactsImage = Image:Top 10 de technicalImpacts.png
| businessImpactsImage = Image:Top 10 de businessImpacts.png <noinclude>

 </noinclude>
| applicationSecurityRisksImage = Image:Mobile Top 10 de ApplicationSecurityRisks.png <noinclude>

 </noinclude>
| vulnerableTo = Bin ich durch {{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|year={{{year}}}|language={{{language}}} }} verwundbar?
| vulnerableTo1 = Bin ich durch
| vulnerableTo2 =  verwundbar?
| howPrevent = Wie kann ich {{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|year={{{year}}}|language={{{language}}} }} verhindern?
| howPrevent1 = Wie kann ich
| howPrevent2 =  verhindern?
| exampleScenarios = Mögliche Angriffsszenarien
| defendingOption = Verteidigungs-Option
| against = gegen
| userImpact = Auswirkung(en) auf den Benutzer <noinclude>

 </noinclude>
| external = Andere <noinclude>
 </noinclude>
| myUnused = FEHLER im 'Language File' (Aufruf des unbenutzten Objekts)
| #default = FEHLER im 'Language File' (Aufruf des unbekannten Objekts)
}} 
<noinclude>




</noinclude> | #default = 
{{#switch: {{{text}}} <noinclude>
 </noinclude>
| documentRootMobileTop10 = Mobile Top 10 {{{year}}}
| documentRootMobileTop10DeveloperEdition = Mobile Top 10 {{{year}}} Developer Edition<noinclude>

 </noinclude>
| mobileTop10TmpMessage = <noinclude>==The Mobile Top 10-2016 Wiki is under Connstruction. The Content is Not Finished yet==</noinclude>
| mobileTop10TmpMessageDeveloperEdition = ==The Mobile Top 10-2016 Developer Edition Wiki is under Connstruction. The Content is Not Finished yet==
| centerLink1 = [[Mobile Top 10 2016-Table of Contents | 2016 Table of Contents]]
| centerLink2 = [[Mobile_Top_10_2016-Top 10|2016 Mobile Top 10 List]]
| centerLink1DeveloperEdition = [[Mobile Top 10 2016 Developer Edition-Table of Contents|2016 Developer Edition-Table of Contents]]
| centerLink2DeveloperEdition = [[Mobile Top 10 2016 Developer Edition-Mobile Top 10 List|2016 Developer Edition-Mobile Top 10 List]]
| projectCategory = [[Category:OWASP Mobile Top Ten Project]] [[Category:OWASP Mobile Top Ten {{{year}}} Project]]
| projectCategoryDeveloperEdition = [[Category:OWASP Mobile Top Ten {{{year}}} Developer Edition]]<noinclude>
 </noinclude>
| tableOfContents = Table of Contents
| foreword = Foreword
| forewordTranslation = Foreword of the English Wiki
| forward = Forward 
| forwardTranslation = Forward of the English Wiki 
| aboutOWASP = About OWASP
| copyrightAndLicense Copyright and License
| introduction = Introduction
| releaseNotes = Release Notes
| risks = Risks
| risk = Risk
| subTitleApplicationRisks = (Application Security Risks)
| riskLarge = RISIK
| applicationSecurityRisks = Application Security Risks
| theMobileTop10 = The Mobile Top 10
| mobileTop10 = Mobile Top 10
| whatsNextforDevelopers = What's Next for Developers
| whatsNextforVerifiers = What's Next for Verifiers
| whatsNextforOrganizations = What's Next for Organizations
| noteAboutRisks = Note About Risks
| detailsAboutRiskFactors = Details About Risk Factors
| appendix = appendix
| warnings = Warnings
| acknowledgements = Acknowledgements
| attribution = Attribution
| whatChangedFrom2014to2016 = What Changed From 2014 to 2016?
| welcome = Welcome
| whatAreApplicationSecurityRisks = What Are Application Security Risks?
| whatsMyRisk = What's My Risk?
| references = References
| establishAndUseAFullSetOfCommonSecurityControls = Establish & Use Repeatable Security Processes and Standard Security Controls
| startYourApplicationSecurityProgramNow = Start Your Application Security Program Now
| getOrganized = Get Organized
| codeReview = Code Review
| securityAndPenetrationTesting = Security and Penetration Testing
| itsAboutRisksNotWeaknesses = It's About Risks, Not Weaknesses
| mobileTop10RiskFactorSummary = Mobile Top 10 Risk Factor Summary
| additionalRisksToConsider = Additional Risks to Consider <noinclude>

 </noinclude>
| improperPlatformUsage = Improper Platform Usage
| insecureDataStorage = Insecure Data Storage
| insecureCommunication = Insecure Communication
| insecureAuthentication = Insecure Authentication
| insufficientCryptography = Insufficient Cryptography
| insecureAuthorization = Insecure Authorization
| clientCodeQuality = Poor Code Quality
| codeTampering = Code Tampering
| reverseEngineering = Reverse Engineering
| extraneousFunctionality = Extraneous Functionality
| injection = Injection
| brokenAuthSessionMgmt = Broken Authentication and Session Management
| authentication = Authentication 
| xss = Cross-Site Scripting (XSS)
| xssShort = XSS
| insecureDirectObjectReference = Insecure Direct Object References
| insecureDOR = Insecure DOR
| securityMisconfig = Security Misconfiguration
| misconfig = Misconfig
| sensitiveDataExposure = Sensitive Data Exposure
| sensData = Sens. Data
| missingFunctionLevelACL = Missing Function Level Access Control
| functionAcc = Function Acc.
| csrf = Cross-Site Request Forgery (CSRF)
| csrfShort = CSRF
| usingVulnerableComponents = Using Components with Known Vulnerabilities
| vulnComponents = vuln. Components
| unvalidatedRedirectsForwards = Unvalidated Redirects and Forwards
| unvalRedirects = unval. Redirects
| insecureCryptographicStorage = Insecure Cryptographic Storage
| failureRestrictUrlAccess = Failure to Restrict URL Access
| insufficientTLProtection = Insufficient Transport Layer Protection
| inProgress = In Progress <noinclude>

 </noinclude>
| applicationSpecific = Application Specific
| appSpecific = App Specific
| applicationBusinessSpecific = Application / Business Specific
| appBusinessSpecific = App / Business Specific
| exploitability = Exploitability
| easy = EASY
| average = AVERAGE
| difficult = DIFFICULT
| weakness = Weakness 
| prevalence = Prevalence
| veryWidespread = VERY WIDESPREAD
| widespread = WIDESPREAD
| common = COMMON
| uncommon = UNCOMMON
| detectability = Detectability
| impact = Impact
| severe = SEVERE
| moderate = MODERATE
| minor = MINOR <noinclude>

 </noinclude>
| threatAgents = Threat Agents
| attackVectors = Attack Vectors
| securityWeakness = Security Weakness
| technicalImpacts = Technical Impacts
| businessImpacts = Business Impacts
| threatAgentsImage = Image:Top 10 threatAgents.png
| attackVectorsImage = Image:Top 10 attackVectors.png
| securityWeaknessImage= Image:Top 10 securityWeakness.png
| technicalImpactsImage = Image:Top 10 technicalImpacts.png
| businessImpactsImage = Image:Top 10 businessImpacts.png <noinclude>

 </noinclude>
| applicationSecurityRisksImage = Image:Mobile_Top_10_2016-appsec-risks.png <noinclude>

 </noinclude>
| vulnerableTo = Am I Vulnerable To {{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|year={{{year}}}|language={{{language}}} }}?
| vulnerableTo1 = Am I Vulnerable To
| vulnerableTo2 = ?
| howPrevent = How Do I Prevent {{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|year={{{year}}}|language={{{language}}} }}?
| howPrevent1 = How Do I Prevent
| howPrevent2 = ?
| exampleScenarios = Example Attack Scenarios
| defendingOption = Defending Option
| against = against
| userImpact = Impact to the User <noinclude>

 </noinclude>
| external = External <noinclude>
 </noinclude>
| myUnused = ERROR in the 'Language File' (Use of the unused Object) {{{text}}}
| #default = ERROR in the 'Language File' (Use of an unknown Object) {{{text}}}
}} 
}}</onlyinclude>

Template:Mobile Top 10:LanguageFile

2017-01-24T20:04:47Z

Jonathan Carter:

==='''Usage:''' ===
This File contains all the text that is used by OWASP Mobile Top 10 Templates 
Please leave a message to {{Template:Contact | name = Jonathan Carter | email =jonathan.carter@owasp.org | username = Jonathan Carter}}
if you liked to add a new localization 

If you use an undefined language you will get English output (default language). 
 
<nowiki>{{Mobile_Top_10:LanguageFile</nowiki> 
:<nowiki> |text=<parameter> </nowiki> 
:<nowiki> |language=<your language> </nowiki> 
:<nowiki> |year=<year> </nowiki> 
<nowiki>}}</nowiki> 
====Example:====
<nowiki>{{Mobile_Top_10:LanguageFile|text=tableOfContents|language=de}} =></nowiki> {{Mobile_Top_10:LanguageFile|text=tableOfContents|language=de}}
----
==='''Healthcheck'''===
tbd. 
In the meantime, please check:
* [[Mobile_Top_10_2016-Table_of_Contents | English Mobile Top 10 Wiki]]
* [[Germany/Projekte/Mobile_Top_10-2016-Inhaltsverzeichnis | German Mobile Top 10 Wiki]]
----
If you use an unknown parameter you will get the following Error message in your wiki page: 

<onlyinclude>{{#switch: {{{language}}}
| de = 
{{#switch: {{{text}}} <noinclude>
 </noinclude>
| documentRootMobileTop10 = Germany/Projekte/Mobile Top 10-{{{year}}}
| documentRootMobileTop10DeveloperEdition = Germany/Projekte/Mobile Top 10 fuer Entwickler-{{{year}}}<noinclude>

 </noinclude>
| mobileTop10TmpMessage = ==BAUSTELLE! Hier entsteht das deutsche Wiki der OWASP Mobile Top 10-2016==
| mobileTop10TmpMessageDeveloperEdition = ==BAUSTELLE! Hier entsteht das deutsche Wiki der OWASP Mobile Top 10 fuer Entwickler-2016==
| centerLink1 = [[Germany/Projekte/Mobile Top 10-2016-Inhaltsverzeichnis|2013 Inhaltsverzeichnis]]
| centerLink2 = [[Germany/Projekte/Mobile Top 10-2016-Top 10|2016 Die Mobile-Top-10-Risiken]]
| centerLink1DeveloperEdition = [[Germany/Projekte/Mobile Top 10 fuer Entwickler-2016/Inhaltsverzeichnis|Mobile Top 10 fuer Entwickler-2016: Inhaltsverzeichnis]]
| centerLink2DeveloperEdition = [[Germany/Projekte/Mobile Top 10 fuer Entwickler-2016/Mobile Top 10|Die Mobile Top-10-Risiken]]
| projectCategory = [[Category: Germany/Projekte/Mobile Top 10-2016]]
| projectCategoryDeveloperEdition = [[Category:OWASP Mobile Top 10 fuer Entwickler]] [[Category: Germany/Projekte/Mobile Top 10 fuer Entwickler-2016]]<noinclude>

 </noinclude>
| tableOfContents = Inhaltsverzeichnis
| foreword = Vorwort
| forewordTranslation = Vorwort der deutschen Übersetzung
| forward = Vorwort 
| forwardTranslation = Vorwort der deutschen Übersetzung 
| aboutOWASP = Über OWASP
| copyrightAndLicense Copyright und Lizenz
| introduction = Einleitung
| releaseNotes = Neuerungen
| risks = Risiken
| risk = Risiko
| subTitleApplicationRisks = (Sicherheitsrisiken für Anwendungen)
| riskLarge = RISIKO
| applicationSecurityRisks = Was sind Sicherheitsrisiken für Anwendungen?
| theMobileTop10 = Die Mobile Top-10-Risiken
| mobileTop10 = Mobile Top 10
| whatsNextforDevelopers = Nächste Schritte für Software-Entwickler
| whatsNextforVerifiers = Nächste Schritte für Prüfer
| whatsNextforOrganizations = Nächste Schritte für Organisationen
| noteAboutRisks = Anmerkungen zum Risikobegriff
| detailsAboutRiskFactors = Details zu Risiko-Faktoren
| appendix = Anlage
| warnings = Zur Beachtung
| acknowledgements = Danksagung
| attribution = Namensnennung/Danksagung
| whatChangedFrom2014to2016 = Was hat sich von Version 2014 zu 2016 verändert?
| welcome = Herzlich Willkommen
| whatAreApplicationSecurityRisks = Was sind Sicherheitsrisiken für Anwendungen?
| whatsMyRisk = Was sind meine Risiken?
| references = Referenzen
| establishAndUseAFullSetOfCommonSecurityControls = Etablierung und Nutzung umfassender Sicherheitsmaßnahmen
| startYourApplicationSecurityProgramNow = Starten Sie jetzt mit Ihrem Anwendungssicherheits-Programm!
| getOrganized = Organisation und Prozesse
| codeReview = Code-Analyse
| securityAndPenetrationTesting = Sicherheits- und Penetrationstests
| itsAboutRisksNotWeaknesses = Es geht nicht um Schwachstellen, sondern um Risiken
| mobileTop10RiskFactorSummary = Zusammenfassung der Mobile Top 10 Risiko-Faktoren
| additionalRisksToConsider = Weitere zu betrachtende Risiken <noinclude>

 </noinclude>
| improperPlatformUsage = Improper Platform Usage
| insecureDataStorage = Insecure Data Storage
| insecureCommunication = Insecure Communication
| insecureAuthentication = Insecure Authentication
| insufficientCryptography = Insufficient Cryptography
| insecureAuthorization = Insecure Authorization
| clientCodeQuality = Poor Code Quality
| codeTampering = Code Tampering
| reverseEngineering = Reverse Engineering
| extraneousFunctionality = Extraneous Functionality
| injection = Injection
| brokenAuthSessionMgmt = Fehler in Authentifizierung und Session-Management
| authentication = Authentifizierung 
| xss = Cross-Site Scripting (XSS)
| xssShort = XSS
| insecureDirectObjectReference = Unsichere direkte Objektreferenzen
| insecureDOR = Unsichere direkte Objektreferenzen
| securityMisconfig = Sicherheitsrelevante Fehlkonfiguration
| misconfig = Fehlkonfiguration
| sensitiveDataExposure = Verlust der Vertraulichkeit sensibler Daten<noinclude>ex: Sensitive Data Exposure</noinclude>
| sensData = Sens. Data<noinclude>(tbd)</noinclude>
| missingFunctionLevelACL = Fehlerhafte Autorisierung auf Anwendungsebene <noinclude>(tbd = Missing Function Level Access Control)</noinclude>
| functionAcc = Fehlerh. Autorisierung<noinclude>(tbd = Kurzform für Missing Function Level Access Control)</noinclude>
| csrf = Cross-Site Request Forgery (CSRF)
| csrfShort = CSRF
| usingVulnerableComponents = Benutzen von Komponenten mit bekannten Schwachstellen <noinclude>(tbd = Using Components with Known Vulnerabilities)</noinclude>
| vulnComponents = Komponenten mit Schwachstellen <noinclude>(tbd = vuln. Components)</noinclude>
| unvalidatedRedirectsForwards = Ungeprüfte Um- und Weiterleitungen
| unvalRedirects = Ungepr. Weiterltg.
| insecureCryptographicStorage = Kryptografisch unsichere Speicherung
| failureRestrictUrlAccess = Mangelhafter URL-Zugriffsschutz
| insufficientTLProtection = Unzureichende Absicherung der Transportschicht
| inProgress = In Arbeit <noinclude>

 </noinclude>
| applicationSpecific = Anwendungs- spezifisch
| appSpecific = Anw.- spezifisch
| applicationBusinessSpecific = Anwendungs-/ Geschäftsspezifisch
| appBusinessSpecific = Anw.-/ Geschäftsspez.
| exploitability = Ausnutzbarkeit
| easy = EINFACH
| average = DURCHSCHNITTLICH
| difficult = SCHWIERIG
| weakness =  
| prevalence = Verbreitung
| veryWidespread = AUSSERGEWÖHNLICH HÄUFIG
| widespread = SEHR HÄUFIG
| common = HÄUFIG
| uncommon = SELTEN
| detectability = Auffindbarkeit
| impact = Auswirkung
| severe = SCHWERWIEGEND
| moderate = MITTEL
| minor = GERING <noinclude>

 </noinclude>
| threatAgents = Bedrohungsquelle
| attackVectors = Angriffsvektor
| securityWeakness = Schwachstellen
| technicalImpacts = Technische Auswirkung
| businessImpacts = Auswirkung auf das Unternehmen
| threatAgentsImage = Image:Top 10 de threatAgents.png
| attackVectorsImage = Image:Top 10 de attackVectors.png
| securityWeaknessImage= Image:Top 10 de securityWeakness.png
| technicalImpactsImage = Image:Top 10 de technicalImpacts.png
| businessImpactsImage = Image:Top 10 de businessImpacts.png <noinclude>

 </noinclude>
| applicationSecurityRisksImage = Image:Mobile Top 10 de ApplicationSecurityRisks.png <noinclude>

 </noinclude>
| vulnerableTo = Bin ich durch {{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|year={{{year}}}|language={{{language}}} }} verwundbar?
| vulnerableTo1 = Bin ich durch
| vulnerableTo2 =  verwundbar?
| howPrevent = Wie kann ich {{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|year={{{year}}}|language={{{language}}} }} verhindern?
| howPrevent1 = Wie kann ich
| howPrevent2 =  verhindern?
| exampleScenarios = Mögliche Angriffsszenarien
| defendingOption = Verteidigungs-Option
| against = gegen
| userImpact = Auswirkung(en) auf den Benutzer <noinclude>

 </noinclude>
| external = Andere <noinclude>
 </noinclude>
| myUnused = FEHLER im 'Language File' (Aufruf des unbenutzten Objekts)
| #default = FEHLER im 'Language File' (Aufruf des unbekannten Objekts)
}} 
<noinclude>




</noinclude> | #default = 
{{#switch: {{{text}}} <noinclude>
 </noinclude>
| documentRootMobileTop10 = Mobile Top 10 {{{year}}}
| documentRootMobileTop10DeveloperEdition = Mobile Top 10 {{{year}}} Developer Edition<noinclude>

 </noinclude>
| mobileTop10TmpMessage = <noinclude>==The Mobile Top 10-2016 Wiki is under Connstruction. The Content is Not Finished yet==</noinclude>
| mobileTop10TmpMessageDeveloperEdition = ==The Mobile Top 10-2016 Developer Edition Wiki is under Connstruction. The Content is Not Finished yet==
| centerLink1 = [[Mobile Top 10 2016-Table of Contents | 2016 Table of Contents]]
| centerLink2 = [[Mobile_Top_10_2016-Top 10|2016 Mobile Top 10 List]]
| centerLink1DeveloperEdition = [[Mobile Top 10 2016 Developer Edition-Table of Contents|2016 Developer Edition-Table of Contents]]
| centerLink2DeveloperEdition = [[Mobile Top 10 2016 Developer Edition-Mobile Top 10 List|2016 Developer Edition-Mobile Top 10 List]]
| projectCategory = [[Category:OWASP Mobile Top Ten Project]] [[Category:OWASP Mobile Top Ten {{{year}}} Project]]
| projectCategoryDeveloperEdition = [[Category:OWASP Mobile Top Ten {{{year}}} Developer Edition]]<noinclude>
 </noinclude>
| tableOfContents = Table of Contents
| foreword = Foreword
| forewordTranslation = Foreword of the English Wiki
| forward = Forward 
| forwardTranslation = Forward of the English Wiki 
| aboutOWASP = About OWASP
| copyrightAndLicense Copyright and License
| introduction = Introduction
| releaseNotes = Release Notes
| risks = Risks
| risk = Risk
| subTitleApplicationRisks = (Application Security Risks)
| riskLarge = RISIK
| applicationSecurityRisks = Application Security Risks
| theMobileTop10 = The Mobile Top 10
| mobileTop10 = Mobile Top 10
| whatsNextforDevelopers = What's Next for Developers
| whatsNextforVerifiers = What's Next for Verifiers
| whatsNextforOrganizations = What's Next for Organizations
| noteAboutRisks = Note About Risks
| detailsAboutRiskFactors = Details About Risk Factors
| appendix = appendix
| warnings = Warnings
| acknowledgements = Acknowledgements
| attribution = Attribution
| whatChangedFrom2014to2016 = What Changed From 2014 to 2016?
| welcome = Welcome
| whatAreApplicationSecurityRisks = What Are Application Security Risks?
| whatsMyRisk = What's My Risk?
| references = References
| establishAndUseAFullSetOfCommonSecurityControls = Establish & Use Repeatable Security Processes and Standard Security Controls
| startYourApplicationSecurityProgramNow = Start Your Application Security Program Now
| getOrganized = Get Organized
| codeReview = Code Review
| securityAndPenetrationTesting = Security and Penetration Testing
| itsAboutRisksNotWeaknesses = It's About Risks, Not Weaknesses
| mobileTop10RiskFactorSummary = Mobile Top 10 Risk Factor Summary
| additionalRisksToConsider = Additional Risks to Consider <noinclude>

 </noinclude>
| improperPlatformUsage = Improper Platform Usage
| insecureDataStorage = Insecure Data Storage
| insecureCommunication = Insecure Communication
| insecureAuthentication = Insecure Authentication
| insufficientCryptography = Insufficient Cryptography
| insecureAuthorization = Insecure Authorization
| clientCodeQuality = Poor Code Quality
| codeTampering = Code Tampering
| reverseEngineering = Reverse Engineering
| extraneousFunctionality = Extraneous Functionality
| injection = Injection
| brokenAuthSessionMgmt = Broken Authentication and Session Management
| authentication = Authentication 
| xss = Cross-Site Scripting (XSS)
| xssShort = XSS
| insecureDirectObjectReference = Insecure Direct Object References
| insecureDOR = Insecure DOR
| securityMisconfig = Security Misconfiguration
| misconfig = Misconfig
| sensitiveDataExposure = Sensitive Data Exposure
| sensData = Sens. Data
| missingFunctionLevelACL = Missing Function Level Access Control
| functionAcc = Function Acc.
| csrf = Cross-Site Request Forgery (CSRF)
| csrfShort = CSRF
| usingVulnerableComponents = Using Components with Known Vulnerabilities
| vulnComponents = vuln. Components
| unvalidatedRedirectsForwards = Unvalidated Redirects and Forwards
| unvalRedirects = unval. Redirects
| insecureCryptographicStorage = Insecure Cryptographic Storage
| failureRestrictUrlAccess = Failure to Restrict URL Access
| insufficientTLProtection = Insufficient Transport Layer Protection
| inProgress = In Progress <noinclude>

 </noinclude>
| applicationSpecific = Application Specific
| appSpecific = App Specific
| applicationBusinessSpecific = Application / Business Specific
| appBusinessSpecific = App / Business Specific
| exploitability = Exploitability
| easy = EASY
| average = AVERAGE
| difficult = DIFFICULT
| weakness = Weakness 
| prevalence = Prevalence
| veryWidespread = VERY WIDESPREAD
| widespread = WIDESPREAD
| common = COMMON
| uncommon = UNCOMMON
| detectability = Detectability
| impact = Impact
| severe = SEVERE
| moderate = MODERATE
| minor = MINOR <noinclude>

 </noinclude>
| threatAgents = Threat Agents
| attackVectors = Attack Vectors
| securityWeakness = Security Weakness
| technicalImpacts = Technical Impacts
| businessImpacts = Business Impacts
| threatAgentsImage = Image:Top 10 threatAgents.png
| attackVectorsImage = Image:Top 10 attackVectors.png
| securityWeaknessImage= Image:Top 10 securityWeakness.png
| technicalImpactsImage = Image:Top 10 technicalImpacts.png
| businessImpactsImage = Image:Top 10 businessImpacts.png <noinclude>

 </noinclude>
| applicationSecurityRisksImage = Image:Mobile_Top_10_2016-appsec-risks.png <noinclude>

 </noinclude>
| vulnerableTo = Am I Vulnerable To {{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|year={{{year}}}|language={{{language}}} }}?
| vulnerableTo1 = Am I Vulnerable To
| vulnerableTo2 = ?
| howPrevent = How Do I Prevent {{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|year={{{year}}}|language={{{language}}} }}?
| howPrevent1 = How Do I Prevent
| howPrevent2 = ?
| exampleScenarios = Example Attack Scenarios
| defendingOption = Defending Option
| against = against
| userImpact = Impact to the User <noinclude>

 </noinclude>
| external = External <noinclude>
 </noinclude>
| myUnused = ERROR in the 'Language File' (Use of the unused Object)
| #default = ERROR in the 'Language File' (Use of an unknown Object)
}} 
}}</onlyinclude>

Template:Mobile Top 10 2016:ByTheNumbers

2017-01-24T18:58:12Z

Jonathan Carter:

Template:Mobile Top 10:LanguageFile

2017-01-24T18:58:05Z

Jonathan Carter:

==='''Usage:''' ===
This File contains all the text that is used by OWASP Mobile Top 10 Templates 
Please leave a message to {{Template:Contact | name = Jonathan Carter | email =jonathan.carter@owasp.org | username = Jonathan Carter}}
if you liked to add a new localization 

If you use an undefined language you will get English output (default language). 
 
<nowiki>{{Mobile_Top_10:LanguageFile</nowiki> 
:<nowiki> |text=<parameter> </nowiki> 
:<nowiki> |language=<your language> </nowiki> 
:<nowiki> |year=<year> </nowiki> 
<nowiki>}}</nowiki> 
====Example:====
<nowiki>{{Mobile_Top_10:LanguageFile|text=tableOfContents|language=de}} =></nowiki> {{Mobile_Top_10:LanguageFile|text=tableOfContents|language=de}}
----
==='''Healthcheck'''===
tbd. 
In the meantime, please check:
* [[Mobile_Top_10_2016-Table_of_Contents | English Mobile Top 10 Wiki]]
* [[Germany/Projekte/Mobile_Top_10-2016-Inhaltsverzeichnis | German Mobile Top 10 Wiki]]
----
If you use an unknown parameter you will get the following Error message in your wiki page: 

<onlyinclude>{{#switch: {{{language}}}
| de = 
{{#switch: {{{text}}} <noinclude>
 </noinclude>
| documentRootMobileTop10 = Germany/Projekte/Mobile Top 10-{{{year}}}
| documentRootMobileTop10DeveloperEdition = Germany/Projekte/Mobile Top 10 fuer Entwickler-{{{year}}}<noinclude>

 </noinclude>
| mobileTop10TmpMessage = ==BAUSTELLE! Hier entsteht das deutsche Wiki der OWASP Mobile Top 10-2016==
| mobileTop10TmpMessageDeveloperEdition = ==BAUSTELLE! Hier entsteht das deutsche Wiki der OWASP Mobile Top 10 fuer Entwickler-2016==
| centerLink1 = [[Germany/Projekte/Mobile Top 10-2016-Inhaltsverzeichnis|2013 Inhaltsverzeichnis]]
| centerLink2 = [[Germany/Projekte/Mobile Top 10-2016-Top 10|2016 Die Mobile-Top-10-Risiken]]
| centerLink1DeveloperEdition = [[Germany/Projekte/Mobile Top 10 fuer Entwickler-2016/Inhaltsverzeichnis|Mobile Top 10 fuer Entwickler-2016: Inhaltsverzeichnis]]
| centerLink2DeveloperEdition = [[Germany/Projekte/Mobile Top 10 fuer Entwickler-2016/Mobile Top 10|Die Mobile Top-10-Risiken]]
| projectCategory = [[Category: Germany/Projekte/Mobile Top 10-2016]]
| projectCategoryDeveloperEdition = [[Category:OWASP Mobile Top 10 fuer Entwickler]] [[Category: Germany/Projekte/Mobile Top 10 fuer Entwickler-2016]]<noinclude>

 </noinclude>
| tableOfContents = Inhaltsverzeichnis
| foreword = Vorwort
| forewordTranslation = Vorwort der deutschen Übersetzung
| forward = Vorwort 
| forwardTranslation = Vorwort der deutschen Übersetzung 
| aboutOWASP = Über OWASP
| copyrightAndLicense Copyright und Lizenz
| introduction = Einleitung
| releaseNotes = Neuerungen
| risks = Risiken
| risk = Risiko
| subTitleApplicationRisks = (Sicherheitsrisiken für Anwendungen)
| riskLarge = RISIKO
| applicationSecurityRisks = Was sind Sicherheitsrisiken für Anwendungen?
| theMobileTop10 = Die Mobile Top-10-Risiken
| mobileTop10 = Mobile Top 10
| whatsNextforDevelopers = Nächste Schritte für Software-Entwickler
| whatsNextforVerifiers = Nächste Schritte für Prüfer
| whatsNextforOrganizations = Nächste Schritte für Organisationen
| noteAboutRisks = Anmerkungen zum Risikobegriff
| detailsAboutRiskFactors = Details zu Risiko-Faktoren
| appendix = Anlage
| warnings = Zur Beachtung
| acknowledgements = Danksagung
| attribution = Namensnennung/Danksagung
| whatChangedFrom2014to2016 = Was hat sich von Version 2014 zu 2016 verändert?
| welcome = Herzlich Willkommen
| whatAreApplicationSecurityRisks = Was sind Sicherheitsrisiken für Anwendungen?
| whatsMyRisk = Was sind meine Risiken?
| references = Referenzen
| establishAndUseAFullSetOfCommonSecurityControls = Etablierung und Nutzung umfassender Sicherheitsmaßnahmen
| startYourApplicationSecurityProgramNow = Starten Sie jetzt mit Ihrem Anwendungssicherheits-Programm!
| getOrganized = Organisation und Prozesse
| codeReview = Code-Analyse
| securityAndPenetrationTesting = Sicherheits- und Penetrationstests
| itsAboutRisksNotWeaknesses = Es geht nicht um Schwachstellen, sondern um Risiken
| mobileTop10RiskFactorSummary = Zusammenfassung der Mobile Top 10 Risiko-Faktoren
| additionalRisksToConsider = Weitere zu betrachtende Risiken <noinclude>

 </noinclude>
| injection = Injection
| brokenAuthSessionMgmt = Fehler in Authentifizierung und Session-Management
| authentication = Authentifizierung 
| xss = Cross-Site Scripting (XSS)
| xssShort = XSS
| insecureDirectObjectReference = Unsichere direkte Objektreferenzen
| insecureDOR = Unsichere direkte Objektreferenzen
| securityMisconfig = Sicherheitsrelevante Fehlkonfiguration
| misconfig = Fehlkonfiguration
| sensitiveDataExposure = Verlust der Vertraulichkeit sensibler Daten<noinclude>ex: Sensitive Data Exposure</noinclude>
| sensData = Sens. Data<noinclude>(tbd)</noinclude>
| missingFunctionLevelACL = Fehlerhafte Autorisierung auf Anwendungsebene <noinclude>(tbd = Missing Function Level Access Control)</noinclude>
| functionAcc = Fehlerh. Autorisierung<noinclude>(tbd = Kurzform für Missing Function Level Access Control)</noinclude>
| csrf = Cross-Site Request Forgery (CSRF)
| csrfShort = CSRF
| usingVulnerableComponents = Benutzen von Komponenten mit bekannten Schwachstellen <noinclude>(tbd = Using Components with Known Vulnerabilities)</noinclude>
| vulnComponents = Komponenten mit Schwachstellen <noinclude>(tbd = vuln. Components)</noinclude>
| unvalidatedRedirectsForwards = Ungeprüfte Um- und Weiterleitungen
| unvalRedirects = Ungepr. Weiterltg.
| insecureCryptographicStorage = Kryptografisch unsichere Speicherung
| failureRestrictUrlAccess = Mangelhafter URL-Zugriffsschutz
| insufficientTLProtection = Unzureichende Absicherung der Transportschicht
| inProgress = In Arbeit <noinclude>

 </noinclude>
| applicationSpecific = Anwendungs- spezifisch
| appSpecific = Anw.- spezifisch
| applicationBusinessSpecific = Anwendungs-/ Geschäftsspezifisch
| appBusinessSpecific = Anw.-/ Geschäftsspez.
| exploitability = Ausnutzbarkeit
| easy = EINFACH
| average = DURCHSCHNITTLICH
| difficult = SCHWIERIG
| weakness =  
| prevalence = Verbreitung
| veryWidespread = AUSSERGEWÖHNLICH HÄUFIG
| widespread = SEHR HÄUFIG
| common = HÄUFIG
| uncommon = SELTEN
| detectability = Auffindbarkeit
| impact = Auswirkung
| severe = SCHWERWIEGEND
| moderate = MITTEL
| minor = GERING <noinclude>

 </noinclude>
| threatAgents = Bedrohungsquelle
| attackVectors = Angriffsvektor
| securityWeakness = Schwachstellen
| technicalImpacts = Technische Auswirkung
| businessImpacts = Auswirkung auf das Unternehmen
| threatAgentsImage = Image:Top 10 de threatAgents.png
| attackVectorsImage = Image:Top 10 de attackVectors.png
| securityWeaknessImage= Image:Top 10 de securityWeakness.png
| technicalImpactsImage = Image:Top 10 de technicalImpacts.png
| businessImpactsImage = Image:Top 10 de businessImpacts.png <noinclude>

 </noinclude>
| applicationSecurityRisksImage = Image:Mobile Top 10 de ApplicationSecurityRisks.png <noinclude>

 </noinclude>
| vulnerableTo = Bin ich durch {{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|year={{{year}}}|language={{{language}}} }} verwundbar?
| vulnerableTo1 = Bin ich durch
| vulnerableTo2 =  verwundbar?
| howPrevent = Wie kann ich {{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|year={{{year}}}|language={{{language}}} }} verhindern?
| howPrevent1 = Wie kann ich
| howPrevent2 =  verhindern?
| exampleScenarios = Mögliche Angriffsszenarien
| defendingOption = Verteidigungs-Option
| against = gegen
| userImpact = Auswirkung(en) auf den Benutzer <noinclude>

 </noinclude>
| external = Andere <noinclude>
 </noinclude>
| myUnused = FEHLER im 'Language File' (Aufruf des unbenutzten Objekts)
| #default = FEHLER im 'Language File' (Aufruf des unbekannten Objekts)
}} 
<noinclude>




</noinclude> | #default = 
{{#switch: {{{text}}} <noinclude>
 </noinclude>
| documentRootMobileTop10 = Mobile Top 10 {{{year}}}
| documentRootMobileTop10DeveloperEdition = Mobile Top 10 {{{year}}} Developer Edition<noinclude>

 </noinclude>
| mobileTop10TmpMessage = <noinclude>==The Mobile Top 10-2016 Wiki is under Connstruction. The Content is Not Finished yet==</noinclude>
| mobileTop10TmpMessageDeveloperEdition = ==The Mobile Top 10-2016 Developer Edition Wiki is under Connstruction. The Content is Not Finished yet==
| centerLink1 = [[Mobile Top 10 2016-Table of Contents | 2016 Table of Contents]]
| centerLink2 = [[Mobile_Top_10_2016-Top 10|2016 Mobile Top 10 List]]
| centerLink1DeveloperEdition = [[Mobile Top 10 2016 Developer Edition-Table of Contents|2016 Developer Edition-Table of Contents]]
| centerLink2DeveloperEdition = [[Mobile Top 10 2016 Developer Edition-Mobile Top 10 List|2016 Developer Edition-Mobile Top 10 List]]
| projectCategory = [[Category:OWASP Mobile Top Ten Project]] [[Category:OWASP Mobile Top Ten {{{year}}} Project]]
| projectCategoryDeveloperEdition = [[Category:OWASP Mobile Top Ten {{{year}}} Developer Edition]]<noinclude>
 </noinclude>
| tableOfContents = Table of Contents
| foreword = Foreword
| forewordTranslation = Foreword of the English Wiki
| forward = Forward 
| forwardTranslation = Forward of the English Wiki 
| aboutOWASP = About OWASP
| copyrightAndLicense Copyright and License
| introduction = Introduction
| releaseNotes = Release Notes
| risks = Risks
| risk = Risk
| subTitleApplicationRisks = (Application Security Risks)
| riskLarge = RISIK
| applicationSecurityRisks = Application Security Risks
| theMobileTop10 = The Mobile Top 10
| mobileTop10 = Mobile Top 10
| whatsNextforDevelopers = What's Next for Developers
| whatsNextforVerifiers = What's Next for Verifiers
| whatsNextforOrganizations = What's Next for Organizations
| noteAboutRisks = Note About Risks
| detailsAboutRiskFactors = Details About Risk Factors
| appendix = appendix
| warnings = Warnings
| acknowledgements = Acknowledgements
| attribution = Attribution
| whatChangedFrom2014to2016 = What Changed From 2014 to 2016?
| welcome = Welcome
| whatAreApplicationSecurityRisks = What Are Application Security Risks?
| whatsMyRisk = What's My Risk?
| references = References
| establishAndUseAFullSetOfCommonSecurityControls = Establish & Use Repeatable Security Processes and Standard Security Controls
| startYourApplicationSecurityProgramNow = Start Your Application Security Program Now
| getOrganized = Get Organized
| codeReview = Code Review
| securityAndPenetrationTesting = Security and Penetration Testing
| itsAboutRisksNotWeaknesses = It's About Risks, Not Weaknesses
| mobileTop10RiskFactorSummary = Mobile Top 10 Risk Factor Summary
| additionalRisksToConsider = Additional Risks to Consider <noinclude>

 </noinclude>
| improperPlatformUsage =
| insecureDataStorage =
| insecureCommunication =
| insecureAuthentication =
| insufficientCryptography =
| insecureAuthorization =
| clientCodeQuality =
| codeTampering =
| reverseEngineering =
| extraneousFunctionality =
| injection = Injection
| brokenAuthSessionMgmt = Broken Authentication and Session Management
| authentication = Authentication 
| xss = Cross-Site Scripting (XSS)
| xssShort = XSS
| insecureDirectObjectReference = Insecure Direct Object References
| insecureDOR = Insecure DOR
| securityMisconfig = Security Misconfiguration
| misconfig = Misconfig
| sensitiveDataExposure = Sensitive Data Exposure
| sensData = Sens. Data
| missingFunctionLevelACL = Missing Function Level Access Control
| functionAcc = Function Acc.
| csrf = Cross-Site Request Forgery (CSRF)
| csrfShort = CSRF
| usingVulnerableComponents = Using Components with Known Vulnerabilities
| vulnComponents = vuln. Components
| unvalidatedRedirectsForwards = Unvalidated Redirects and Forwards
| unvalRedirects = unval. Redirects
| insecureCryptographicStorage = Insecure Cryptographic Storage
| failureRestrictUrlAccess = Failure to Restrict URL Access
| insufficientTLProtection = Insufficient Transport Layer Protection
| inProgress = In Progress <noinclude>

 </noinclude>
| applicationSpecific = Application Specific
| appSpecific = App Specific
| applicationBusinessSpecific = Application / Business Specific
| appBusinessSpecific = App / Business Specific
| exploitability = Exploitability
| easy = EASY
| average = AVERAGE
| difficult = DIFFICULT
| weakness = Weakness 
| prevalence = Prevalence
| veryWidespread = VERY WIDESPREAD
| widespread = WIDESPREAD
| common = COMMON
| uncommon = UNCOMMON
| detectability = Detectability
| impact = Impact
| severe = SEVERE
| moderate = MODERATE
| minor = MINOR <noinclude>

 </noinclude>
| threatAgents = Threat Agents
| attackVectors = Attack Vectors
| securityWeakness = Security Weakness
| technicalImpacts = Technical Impacts
| businessImpacts = Business Impacts
| threatAgentsImage = Image:Top 10 threatAgents.png
| attackVectorsImage = Image:Top 10 attackVectors.png
| securityWeaknessImage= Image:Top 10 securityWeakness.png
| technicalImpactsImage = Image:Top 10 technicalImpacts.png
| businessImpactsImage = Image:Top 10 businessImpacts.png <noinclude>

 </noinclude>
| applicationSecurityRisksImage = Image:Mobile_Top_10_2016-appsec-risks.png <noinclude>

 </noinclude>
| vulnerableTo = Am I Vulnerable To {{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|year={{{year}}}|language={{{language}}} }}?
| vulnerableTo1 = Am I Vulnerable To
| vulnerableTo2 = ?
| howPrevent = How Do I Prevent {{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|year={{{year}}}|language={{{language}}} }}?
| howPrevent1 = How Do I Prevent
| howPrevent2 = ?
| exampleScenarios = Example Attack Scenarios
| defendingOption = Defending Option
| against = against
| userImpact = Impact to the User <noinclude>

 </noinclude>
| external = External <noinclude>
 </noinclude>
| myUnused = ERROR in the 'Language File' (Use of the unused Object)
| #default = ERROR in the 'Language File' (Use of an unknown Object)
}} 
}}</onlyinclude>

Template:Mobile2016NextLink

2017-01-24T18:42:13Z

Jonathan Carter: Created page with "{{{1}}} →"

[[{{Mobile_Top_10:LanguageFile|text=documentRootMobileTop10|language={{{language}}}|year={{{year}}} }}-{{{1}}}|{{{1}}} →]]

Template:Mobile2016PrevLink

2017-01-24T18:41:27Z

Jonathan Carter: Created page with "← {{{1}}}"

[[{{Mobile_Top_10:LanguageFile|text=documentRootMobileTop10|language={{{language}}}|year={{{year}}} }}-{{{1}}}|← {{{1}}}]]

Template:Mobile Top 10 2016:SummaryTableHeaderEndTemplate

2017-01-23T20:32:50Z

Jonathan Carter: Created page with " <td style="font-size: 100%; font-weight: bold; background-color: #D9D9D9; color: #000000; border: 3px solid #444444"> {{Top_10:LanguageFile|text=applicationBusinessSpecif..."

<td style="font-size: 100%; font-weight: bold; background-color: #D9D9D9; color: #000000; border: 3px solid #444444"> {{Top_10:LanguageFile|text=applicationBusinessSpecific|language={{{language}}} }} </td>
</tr>
<tr valign="top">

Template:Mobile Top 10 2016:SummaryTableValue-3-Template

2017-01-23T20:31:37Z

Jonathan Carter: Created page with "<td style="{{{style}}}; background-color: #FFFF00; color: #000000; border: 3px solid #444444" width="16.5%">{{{1}}} {{{2}}}</td>"

Template:Mobile Top 10 2016:SummaryTableValue-2-Template

2017-01-23T20:31:14Z

Jonathan Carter: Created page with "<td style="{{{style}}}; background-color: #FFB200; color: #000000; border: 3px solid #444444" width="16.5%">{{{1}}} {{{2}}}</td>"

Template:Mobile Top 10 2016:SummaryTableValue-0-Template

2017-01-23T20:30:52Z

Jonathan Carter: Created page with "<td style="background-color: #FF00FF; color: #000000; border: 3px solid #444444" width="16.5%">{{{1}}} {{{2}}}</td>"

Template:Mobile Top 10 2016:SummaryTableValue-1-Template

2017-01-23T20:30:14Z

Jonathan Carter: Created page with "<td style="{{{style}}}; background-color: #FF0000; color: #000000; border: 3px solid #444444" width="16.5%">{{{1}}} {{{2}}}</td>"

Template:Mobile Top 10:SummaryTableTemplate

2017-01-23T20:12:50Z

Jonathan Carter: Created page with "==Usage== <nowiki> {{Mobile_Top_10_2016:SummaryTableHeaderBeginTemplate|year=2016}} {{Mobile_Top_10:SummaryTableTemplate|exploitability=2|prevalence=0|detectability=1|impa..."

==Usage==
<nowiki>
{{Mobile_Top_10_2016:SummaryTableHeaderBeginTemplate|year=2016}}
{{Mobile_Top_10:SummaryTableTemplate|exploitability=2|prevalence=0|detectability=1|impact=2|year=2016}}
{{Mobile_Top_10_2016:SummaryTableHeaderEndTemplate|year=2016}}
{{Mobile_Top_10_2016:SummaryTableEndTemplate|year=2016}}
</nowiki>

{{Mobile_Top_10_2016:SummaryTableHeaderBeginTemplate|year=2016}}
{{Mobile_Top_10:SummaryTableTemplate|exploitability=2|prevalence=0|detectability=1|impact=2|year=2016}}
{{Mobile_Top_10_2016:SummaryTableHeaderEndTemplate|year=2016}}
{{Mobile_Top_10_2016:SummaryTableEndTemplate|year=2016}}
 
 
 
<nowiki>
{{Mobile_Top_10_2016:SummaryTableHeaderBeginTemplate|language=de|year=2016}}
{{Mobile_Top_10:SummaryTableTemplate|exploitability=2|prevalence=0|detectability=1|impact=2|year=2016|language=de}}
{{Mobile_Top_10_2016:SummaryTableHeaderEndTemplate|year=2016}}
{{Mobile_Top_10_2016:SummaryTableEndTemplate|year=2016}}
</nowiki>

{{Mobile_Top_10_2016:SummaryTableHeaderBeginTemplate|language=de|year=2016}}
{{Mobile_Top_10:SummaryTableTemplate|exploitability=2|prevalence=0|detectability=1|impact=2|year=2016|language=de}}
{{Mobile_Top_10_2016:SummaryTableHeaderEndTemplate|year=2016}}
{{Mobile_Top_10_2016:SummaryTableEndTemplate|year=2016}}
 
 
 
<nowiki>
{{Mobile_Top_10_2016:SummaryTableHeaderBeginTemplate|language=de|year=2016}}
{{Mobile_Top_10:SummaryTableTemplate|exploitability=2|prevalence=0|detectability=1|impact=2|year=2016|language=de}}
{{Mobile_Top_10_2016:SummaryTableHeaderEndTemplate|year=2016}}
{{Mobile_Top_10_2016:SummaryTableEndTemplate|year=2016}}
</nowiki>

{{Mobile_Top_10_2016:SummaryTableHeaderBeginTemplate|language=de|year=2016}}
{{Mobile_Top_10:SummaryTableTemplate|type=valueOnly|exploitability=2|prevalence=0|detectability=1|impact=2|year=2016|language=de}}
{{Mobile_Top_10_2016:SummaryTableHeaderEndTemplate|year=2016}}
{{Mobile_Top_10_2016:SummaryTableEndTemplate|year=2016}}
 
 
 
<onlyinclude> {{#switch: {{{type}}}
| valueOnly =
{{#switch: {{{exploitability}}}
|1
|easy=
{{Mobile_Top_10_2016:SummaryTableValue-1-Template||{{Mobile_Top_10:LanguageFile|text=easy|language={{{language}}} }}|year={{{year}}}|style={{{style}}} }}
|2
|average=
{{Mobile_Top_10_2016:SummaryTableValue-2-Template||{{Mobile_Top_10:LanguageFile|text=average|language={{{language}}} }}|year={{{year}}}|style={{{style}}} }}
|3
|difficult=
{{Mobile_Top_10_2016:SummaryTableValue-3-Template||{{Mobile_Top_10:LanguageFile|text=difficult|language={{{language}}} }}|year={{{year}}}|style={{{style}}} }}
}}

{{#switch: {{{prevalence}}}
|0
|veryWidespread=
{{Mobile_Top_10_2016:SummaryTableValue-0-Template||{{Mobile_Top_10:LanguageFile|text=veryWidespread|language={{{language}}} }}|year={{{year}}}|style={{{style}}} }}
|1
|widespread=
{{Mobile_Top_10_2016:SummaryTableValue-1-Template||{{Mobile_Top_10:LanguageFile|text=widespread|language={{{language}}} }}|year={{{year}}}|style={{{style}}} }}
|2
|common=
{{Mobile_Top_10_2016:SummaryTableValue-2-Template||{{Mobile_Top_10:LanguageFile|text=common|language={{{language}}} }}|year={{{year}}}|style={{{style}}} }}
|3
|uncommon=
{{Mobile_Top_10_2016:SummaryTableValue-3-Template||{{Mobile_Top_10:LanguageFile|text=uncommon|language={{{language}}} }}|year={{{year}}}|style={{{style}}} }}
}}

{{#switch: {{{detectability}}}
|1
|easy=
{{Mobile_Top_10_2016:SummaryTableValue-1-Template||{{Mobile_Top_10:LanguageFile|text=easy|language={{{language}}} }}|year={{{year}}}|style={{{style}}} }}
|2
|average=
{{Mobile_Top_10_2016:SummaryTableValue-2-Template||{{Mobile_Top_10:LanguageFile|text=average|language={{{language}}} }}|year={{{year}}}|style={{{style}}} }}
|3
|difficult=
{{Mobile_Top_10_2016:SummaryTableValue-3-Template||{{Mobile_Top_10:LanguageFile|text=difficult|language={{{language}}} }}|year={{{year}}}|style={{{style}}} }}
}}

{{#switch: {{{impact}}}
|1
|severe=
{{Mobile_Top_10_2016:SummaryTableValue-1-Template||{{Mobile_Top_10:LanguageFile|text=severe|language={{{language}}} }}|year={{{year}}}|style={{{style}}} }}
|2
|common=
{{Mobile_Top_10_2016:SummaryTableValue-2-Template||{{Mobile_Top_10:LanguageFile|text=moderate|language={{{language}}} }}|year={{{year}}}|style={{{style}}} }}
|3
|minor=
{{Mobile_Top_10_2016:SummaryTableValue-3-Template||{{Mobile_Top_10:LanguageFile|text=minor|language={{{language}}} }}|year={{{year}}}|style={{{style}}} }}
}}
| #default = {{#switch: {{{exploitability}}}
|1
|easy=
{{Mobile_Top_10_2016:SummaryTableValue-1-Template|{{Mobile_Top_10:LanguageFile|text=exploitability|language={{{language}}} }}|{{Mobile_Top_10:LanguageFile|text=easy|language={{{language}}} }}|year={{{year}}}|style={{{style}}} }}
|2
|average=
{{Mobile_Top_10_2016:SummaryTableValue-2-Template|{{Mobile_Top_10:LanguageFile|text=exploitability|language={{{language}}} }}|{{Mobile_Top_10:LanguageFile|text=average|language={{{language}}} }}|year={{{year}}}|style={{{style}}} }}
|3
|difficult=
{{Mobile_Top_10_2016:SummaryTableValue-3-Template|{{Mobile_Top_10:LanguageFile|text=exploitability|language={{{language}}} }}|{{Mobile_Top_10:LanguageFile|text=difficult|language={{{language}}} }}|year={{{year}}}|style={{{style}}} }}
}}

{{#switch: {{{prevalence}}}
|0
|veryWidespread=
{{Mobile_Top_10_2016:SummaryTableValue-0-Template|{{Mobile_Top_10:LanguageFile|text=prevalence|language={{{language}}} }}|{{Mobile_Top_10:LanguageFile|text=veryWidespread|language={{{language}}} }}|year={{{year}}}|style={{{style}}} }}
|1
|widespread=
{{Mobile_Top_10_2016:SummaryTableValue-1-Template|{{Mobile_Top_10:LanguageFile|text=prevalence|language={{{language}}} }}|{{Mobile_Top_10:LanguageFile|text=widespread|language={{{language}}} }}|year={{{year}}}|style={{{style}}} }}
|2
|common=
{{Mobile_Top_10_2016:SummaryTableValue-2-Template|{{Mobile_Top_10:LanguageFile|text=prevalence|language={{{language}}} }}|{{Mobile_Top_10:LanguageFile|text=common|language={{{language}}} }}|year={{{year}}}|style={{{style}}} }}
|3
|uncommon=
{{Mobile_Top_10_2016:SummaryTableValue-3-Template|{{Mobile_Top_10:LanguageFile|text=prevalence|language={{{language}}} }}|{{Mobile_Top_10:LanguageFile|text=uncommon|language={{{language}}} }}|year={{{year}}}|style={{{style}}} }}
}}

{{#switch: {{{detectability}}}
|1
|easy=
{{Mobile_Top_10_2016:SummaryTableValue-1-Template|{{Mobile_Top_10:LanguageFile|text=detectability|language={{{language}}} }}|{{Mobile_Top_10:LanguageFile|text=easy|language={{{language}}} }}|year={{{year}}}|style={{{style}}} }}
|2
|average=
{{Mobile_Top_10_2016:SummaryTableValue-2-Template|{{Mobile_Top_10:LanguageFile|text=detectability|language={{{language}}} }}|{{Mobile_Top_10:LanguageFile|text=average|language={{{language}}} }}|year={{{year}}}|style={{{style}}} }}
|3
|difficult=
{{Mobile_Top_10_2016:SummaryTableValue-3-Template|{{Mobile_Top_10:LanguageFile|text=detectability|language={{{language}}} }}|{{Mobile_Top_10:LanguageFile|text=difficult|language={{{language}}} }}|year={{{year}}}|style={{{style}}} }}
}}

{{#switch: {{{impact}}}
|1
|severe=
{{Mobile_Top_10_2016:SummaryTableValue-1-Template|{{Mobile_Top_10:LanguageFile|text=impact|language={{{language}}} }}|{{Mobile_Top_10:LanguageFile|text=severe|language={{{language}}} }}|year={{{year}}}|style={{{style}}} }}
|2
|common=
{{Mobile_Top_10_2016:SummaryTableValue-2-Template|{{Mobile_Top_10:LanguageFile|text=impact|language={{{language}}} }}|{{Mobile_Top_10:LanguageFile|text=moderate|language={{{language}}} }}|year={{{year}}}|style={{{style}}} }}
|3
|minor=
{{Mobile_Top_10_2016:SummaryTableValue-3-Template|{{Mobile_Top_10:LanguageFile|text=impact|language={{{language}}} }}|{{Mobile_Top_10:LanguageFile|text=minor|language={{{language}}} }}|year={{{year}}}|style={{{style}}} }}
}}
}}</onlyinclude>

Template:Mobile Top 10:RoundedBoxLinkBegin

2017-01-23T19:38:57Z

Jonathan Carter:

[[MobileTopTen2016-M{{{risk}}} |
{{Top 10:RoundedBoxBegin|year={{{year}}} }}

Template:Mobile Top 10:RoundedBoxLinkBegin

2017-01-23T19:38:25Z

Jonathan Carter:

Test [[MobileTopTen2016-M{{{risk}}} |
{{Top 10:RoundedBoxBegin|year={{{year}}} }}

Template:Mobile Top 10:RoundedBoxLinkBegin

2017-01-23T19:30:43Z

Jonathan Carter:

[[MobileTopTen2016-M{{{risk}}} |
{{Top 10:RoundedBoxBegin|year={{{year}}} }}

Board

2016-11-01T15:35:46Z

Jonathan Carter:

__NOTOC__

= About the OWASP Board =

== Current OWASP Global Board - Effective January 2016 ==

* [[Matt Konda]] Chicago, USA - matt.konda(at)owasp.org
* [[User:Jsokol|Josh Sokol]] Texas, USA - josh.sokol(at)owasp.org
* [[Andrew van der Stock]] Australia - vanderaj(at)owasp.org
* [[User:MichaelCoates|Michael Coates]] - California, USA - michael.coates(at)owasp.org
* [[User:Tgondrom|Tobias Gondrom]] Hong Kong - tobias.gondrom(at)owasp.org
* [[User:brennan|Tom Brennan]] New Jersey, USA - tomb(at)owasp.org
* [[User:Jonathan_Carter|Jonathan Carter]] California, USA - jonathan.carter(at)owasp.org

== OWASP Board Elections ==
=== 2016 Election ===
[https://www.owasp.org/index.php/2016_Global_Board_of_Directors_Election 2016 Board Election]
=== 2015 Election ===
[https://www.owasp.org/index.php/2015_Global_Board_of_Directors_Election 2015 Board Election]
=== 2014 Election ===
[https://www.owasp.org/index.php/2014_Board_Elections 2014 Board Election]
=== 2013 Election ===
[https://www.owasp.org/index.php/2013_Board_Elections 2013 Board Election]
=== 2012 Election ===
[https://www.owasp.org/index.php/Membership/2012_Election 2012 Board Election]
=== 2011 Election ===
[https://www.owasp.org/index.php/Membership/2011Election 2011 Board Election]
=== 2009 Election ===
[https://www.owasp.org/index.php/Board_Election_2009 2009 Board Election]

= Agenda for 2016 Meetings =

* Teleconference Information: **CHECK MEETING INFORMATION**

* [https://www.owasp.org/index.php/International_Toll_Free_Calling_Information International Toll Free Calling Info]

* [https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0ApZ9zE0hx0LNdG5uRzNYZE8ycDFabnBWNkU4SFpwREE Board Meeting Attendance Tracking]
* Meeting Template found [https://www.owasp.org/index.php/Board-Meeting-template here]

== Upcoming 2016 Meetings ==

* [[November 8, 2016]], 15:00-16:30 PST - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=11&day=09&hour=23&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter ]
* [[November 30, 2016]], 15:00-16:30 PST - placeholder only optional if needed - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=11&day=30&hour=23&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter ]
* [[December 14, 2016]], 15:00-16:30 PST - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=12&day=14&hour=23&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter ]

== Past 2016 Meetings ==
* [[October 11, 2016]], at AppSecUSA 18:00 - 21:00 EDT - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=10&day=11&hour=22&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter ]
* [[September 21, 2016]] 07:00-08:30 PDT - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=09&day=21&hour=14&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter ]
* [[August 23, 2016]], 16:00-17:00 PDT - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=08&day=23&hour=23&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter ]
* [[July 1, 2016]], 18:00-21:00 CEST, in Rome at AppSecEU - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=07&day=01&hour=16&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter ]
* [[July 27, 2016]], 07:00-08:00 PDT - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=07&day=27&hour=14&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter ]
* [[May 18, 2016]], 07:00-08:30 PDT - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=05&day=18&hour=14&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter ]
* [[April 20, 2016]], 16:00-17:00 PDT - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=04&day=20&hour=23&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter ]
* [[March 16, 2016]], 16:00-17:00 PST - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=03&day=16&hour=23&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter ]
* [[February 17, 2016]], 15:00-16:30 PST - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=02&day=17&hour=23&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter ]
* [[January 13, 2016]], 16:00-17:30 PST - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=01&day=14&hour=00&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter ]

= Board Communication =

[https://www.owasp.org/index.php/OWASP_Foundation_ByLaws ByLaws] 
[https://www.owasp.org/index.php/Governance/Conflict_of_Interest_Policy Conflict of Interest Policy and Signed Conflict Statements] 
[https://docs.google.com/a/owasp.org/folder/d/0BxI4iTO_QojvNW9jaXFyWGZwR28/edit Weekly Board/Staff Communication Documents] 
[https://www.google.com/calendar/embed?src=owasp.org_d1dcflbc5oul9nji1ftc3pjji8@group.calendar.google.com&ctz=Pacific/Honolulu OWASP Board Calendar]

== Best practices ==

Note: these best practices are merely a collection of procedures deemed good process for a board. '''They are not binding''' and have not been voted on or ratified by the board to this date. Online: [http://www.rulesonline.com/rror--00.htm http://www.rulesonline.com/rror--00.htm]

=== Best Practices for Board conduct:===
We consider it best practices for our board to follow in spirit the "Robert's Rules of Order".
* That means that board votes require a motion brought forth by one board member and to be seconded by an other board member.
** A motion should be specific, unique, and concise. It should include all the relevant details, be unambiguous, and leave as little room for interpretation as possible.
* After the motion has been seconded the board may discuss the issue and / or vote on it.

A board member makes a motion and the board waits for your motion to be seconded. With few exceptions, all motions need to be seconded by another member of the Board. This is to ensure that the Board does spend its time effectively and not evaluating a proposal which only one member favors.
* In a formal setting, they will say something along the lines of "I second the motion," or even just "I second."
* In certain cases, such as when a general consensus is apparent, the presiding officer can choose to skip this step and move on to the next one.

= Archive and Voting History =

[https://www.owasp.org/index.php/OWASP_Board_History Historical Board Members by Year]

[https://www.owasp.org/index.php/OWASP_Board_Votes Historical Board Votes]

=== Past OWASP Boards ===
[[Board-2014]]

[[Board-2013]]

[[Board-2012]]

[[Board-2011]]

== Archive for 2015 Meetings ==
* [[December 9, 2015]], 15:00-17:00 PST
* [[November 18, 2015]], 14:00-15:30 PST
* [[November 4, 2015]], 12:00-13:30 PST
* [[October 14, 2015]], 14:00-15:00 PDT
* [[September 25, 2015]] at AppSecUSA 18:00 - 20:00 PST
* [[August 12, 2015]], 16:00-17:00 PST
* [[July 22, 2015]], 14:00-15:00 PDT
* [[June 24, 2015]], 14:00-15:00 PDT
* [[May 22, 2015]], 18:00-20:00 CEST in Amsterdam @ AppSec-EU , 9:00am-11:00am PST;
* [[April 29, 2015]], 12:00-13:00 PST
* [[March 25, 2015]], 12:00-13:00 PST
* [[February 11, 2015]], 16:00-17:00 PST
* [[January 14, 2015]], 9am-10am PST

== Archive for 2014 Meetings ==
* [[December 10, 2014]], 9am-10am PST
* [[November 12, 2014]], 9am - 10am PST
* [[October 8, 2014]], 9am-10am PST
* [[September 16, 2014]], 6pm - 9pm MST, In person at Appsec USA
* [[August 13, 2014]], 9am-10am PST
* [[July 9, 2014]], 9am-10am PST
* [[June 27, 2014]], 8am - 4 pm BST, In person at AppSec Europe
* [[April 30, 2014]],9am - 12pm PST
* [[March 3, 2014]], 7am - 10am PST
* [[February 24, 2014]], 8am - 10am PST

== Archive for 2013 Meetings ==

*[[December 9, 2013]]

* December 2, 2013 - Special Board Meeting - [https://docs.google.com/spreadsheet/ccc?key=0ApZ9zE0hx0LNdGdJZ1BIaEZkc2V1QV81NmJ4dnI0R1E&usp=sharing 2014 Budget] walk through, Q & A (no meeting notes)

*[[November 22, 2013]] - In person meeting at AppSec USA - New York, NY

* November 11, 2013 - cancelled due to in person meeting on Nov. 22

*[[October 14, 2013]]

*[[September 9, 2013]]

*[[In person meeting at AppSec EU - Hamburg, Germany; August 19-24]]

* August 12, 2013 - canceled due to in person meeting on Aug 19

*[[July 8, 2013]]

*[[June 10, 2013]]

*[[May 31, 2013]]

*[[May 13, 2013]]

*[[April 8, 2013]]

*[[March 11, 2013]]

*[[February 11, 2013]]

*[[January 14, 2013]]

== Archive for 2012 Meetings ==

[https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0ApZ9zE0hx0LNdG5uRzNYZE8ycDFabnBWNkU4SFpwREE Board Meeting Attendance Tracking]

OWASP Foundation [https://www.owasp.org/images/a/ae/2012ByLawsFINAL.pdf ByLaws]

[https://www.owasp.org/index.php/Global_Committee_Pages Global Committees]

*[[January 9, 2012]]

*[[February 6, 2012]]

*[[February 15, 2012]]

*[[March 12, 2012]]

*[[April 5, 2012]]

*[[May 14,2012]]

*[[June 11, 2012]]

*[[July 11, 2012]]

*[[Aug 13, 2012]]

*[[Sept 10, 2012]]

*[[Oct 8, 2012]]

*[[Oct 24, 2012]]

*[[Nov 12, 2012]]

*[[Nov 26, 2012]] - 2013 Budget Focused

*[[Dec 10, 2012]]

*[[Dec 27, 2012]] - 2013 Budget Focused

== Archive for 2011 Meetings ==

*[[January 3, 2011]]

*[[March 7, 2011]]

*[[April_4_2011]]

*[[May_2_2011]]

*[[June 6, 2011]]

*[[July 11, 2011]]

*[[August 8, 2011]]

*[[September 6, 2011]]

*[[September 20, 2011]]

*[[September 22, 2011]]

*[[October 10, 2011]]

*[[November 14, 2011]]

*[[December 5, 2011]]

== Minutes for 2011 Meetings ==

<hr>

* [https://www.owasp.org/index.php/OWASP_Board_Votes Board Votes Historical]

<hr>

*[[Minutes January 3, 2011]]

*[[Minutes March 8, 2011]]

*[[Minutes April 4, 2011]]

*[[Minutes May 2, 2011]]

*[https://docs.google.com/a/owasp.org/document/d/1VD9ZHEwht9tmM8FKEQ6DBrtmL_gTAhSSnQhiFXYkJ7I/edit?hl=en_US&authkey=CIavkP4B June 6 2011]

*[https://docs.google.com/a/owasp.org/document/d/1VMwYrP6owtZ-SchBxUcWTIF-ITvzUX8PjUkLPwr2ipg/edit?hl=en_US&authkey=CIGTx5sD July 11 2011]

*[https://docs.google.com/a/owasp.org/document/d/1CLu9aQpS7LdeX87rJ5N9cuJ-RGGVzDWf34l6gdMml7M/edit?hl=en_US&authkey=CI-U5qEP August 8, 2011]

*[https://docs.google.com/a/owasp.org/document/d/1HM32VcvWb0hizD5_mhWMULLaouzuRgA3ZYjODRZwyAs/edit?hl=en_US September 6, 2011]

*[https://docs.google.com/a/owasp.org/document/d/1Y-8tZisUZM5ZKP8AxJqvkiNtFanVFM0m--bMG2PZ3ww/edit October 10, 2011]

*[https://docs.google.com/a/owasp.org/document/d/13-aHX2pSUXjCP8ivsbls6u1VX1BVSYewyMUH8LI7zpQ/edit November 14, 2011]

== Archive for 2010 Meetings ==
*[[January 5, 2010]]

*[[February 2, 2010]]

*[[March 2, 2010]] Postponed until March 9, 2010

*[[April 6, 2010]]

*[[May 4, 2010]]

*[[June 7, 2010]]

*[[July 12, 2010]]

*[[August 2, 2010]]

*[[September 8, 2010]]

*[[October 11, 2010]]

*[[November 9, 2010]]

*[[December_6_2010]]

== Archive of 2010 Meetings ==

*[[Jan 5, 2010]]

*[[Feb 2, 2010]]

*[[March 2, 2010]]

*[[Minutes April 6, 2010]]

*[[Minutes May 11, 2010]]

*[[Minutes June 7, 2010]]

*[[Minutes July 12, 2010]]

*[[Minutes October 11, 2010]]

*[[Minutes November 9, 2010]]

*[[Minutes_December_6,_2010]]

*[[OWASP Board Meetings January Agenda]]
*[[OWASP Board Meetings February Agenda]]
*[[OWASP Board Meetings March Agenda]]
*[[OWASP Board Meetings April09 Agenda]]
*[[OWASP Board Meetings May09 Agenda]]
*[[OWASP Board Meetings June 09 Agenda]]
*[[OWASP Board Meeting July 7, 2009 Agenda]]
*[[OWASP Board Meeting August 4, 2009 Agenda]]
*[[OWASP Board Meeting September 1, 2009 Agenda]]
*[[OWASP Board Meeting October 6, 2009 Agenda]]
*[[OWASP Board Meeting November 10, 2009 Agenda]]
*[[OWASP Board Meeting December 1, 2009 Agenda]]

== Archive of 2009 Meetings ==
* [[OWASP Board Meetings 01-06-09]]
* [[OWASP Board Meetings 02-03-09]]
* [[OWASP Board Meetings 03-10-09]]
* [[OWASP Board Meetings April 09]]
* [[OWASP Board Meetings May 09]]
* [[OWASP Board Meetings June 09]]
* [[OWASP Board Meeting July 09]]
* [[OWASP Board Meeting August 09]]
* [[OWASP Board Meeting September 09]]
* [[OWASP Board Meeting October 09]]
* [[OWASP Board Meeting December 09]]

== Archive for 2008 Meetings ==
*[[OWASP Board Meetings March Agenda]]
*[[OWASP Board Meetings April Agenda]]
*[[OWASP Board Meetings May Agenda]]
*[[OWASP Board Meetings June Agenda]]
*[[OWASP Board Meetings July Agenda]]
*[[OWASP Board Meetings August Agenda]]
*[[OWASP Board Meetings September Agenda]]
*[[OWASP Board Meetings October Agenda]]
*[[OWASP Board Meetings December Agenda]]

== Archive of 2008 Meetings ==
* [[OWASP Board Meetings 2-7-08]]
* [[OWASP Board Meetings 3-6-08]]
* [[OWASP Board Meetings 5-6-08]]
* [[OWASP Board Meetings 6-3-08]]
* [[OWASP Board Meetings 8-14-08]]
* [[OWASP Board Meetings 9-2-08]]
* [[Owasp Board Meetings 10-07-08]]
* [[Owasp Board Meetings 11-07-08]]
* [[Owasp Board Meetings 12-02-08]]

= Board Focus Ideas =

== First suggested priority of Board from Paul ==
* What are the top 5 "Initiatives" we want or believe the OWASP Community should be focusing on in 2016-2017? (Areas that should receive our time effort & money.)
* Intent here is to stimulate a Board level & Community discussion about strategic goals, and then actionable objectives that.....a) align with mission of OWASP, and b) stimulate enough interest at Community level to cause volunteers to engage & participate, and c) produce output of value and benefit to owasp community on a Global basis.

== Projects Ideas==

* Project Review & Project Platform - good progress, keep it going. We need "more" volunteer engagement to provide more diverse review.
* New Project Ideas. Where is industry going, where will it be in 5 years? OWASP should suggest projects that we need and find team to build them!
* Project Summit support & funding
* International Chapter / Region support & funding for projects
* Hire full or part time technical writer to help with project (from Simon, flagship project lead)
* a platform for funding pull requests / contributions to projects - this could be a way to financially reward folks for contributing. I know ZAP recently experimented with this - not sure how it went, but we have money - might be a good way to spend it (maybe leveraging something like the bithub idea https://whispersystems.org/blog/bithub/). I would want the ability to personally remove myself from the ability of receiving payment. (from John Melton, flagship project lead)
* help with applying for grants - including letting us know of available grants and helping us do the paperwork if necessary
* make inter-project recommendations - since you sit at a level where you see various projects, maybe make recommendations for areas where multiple projects could collaborate for added value (from John Melton, flagship project lead)
* project of the month - this may already happen, but if not, maybe the newsletter could feature a project every month, including information like a project overview, an audio interview with the project leader(s), a list of priority tasks for people to help with, etc. (from John Melton, flagship project lead)
* get access to available free tools - I've actually seen several tools that are available for use within OWASP, though I hear about them haphazardly. It would be good if there were a single resource for leads to know what was available. Thinking of things like: free licenses of paid software (intellij, webex) or access to products/services (surveymonkey, AWS, GCE or Azure credits) that could be useful to the project (from John Melton, flagship project lead)
* conducting surveys - We do surveys periodically, and I fill them out. Joanna has used them to good effect. We might be able to make that more regular and get good data on our projects.
* "help wanted" site - We use github issues on our project. However, one thing I hear repeatedly is project leaders saying they need help, and owasp members asking how to help. It seems like we could put up a "jobs" board of some kind to connect folks within the community for things like this. We could probably connect this to $ in some way if we wanted to. I imagine there's a tool out there that already does this too. (from John Melton, flagship project lead)
* continue and expand "summer of code" programs - I believe these programs add lots of value. Not only do they get practical things done on the projects, but they give us good visibility, get people involved in the projects (many continue to contribute), give us good press in the community, and invigorate the mentors as well. (from John Melton, flagship project lead)

== Training ==
* Training is OK now....but what do we want to do here? Business as usual?
* Update current project level training docs, or
* Begin some form of Curriculum for Academic use?

== Advocacy==
* Liaison with other Orgs
** ID those Developer groups and go to their conferences & meetings
** ...just a few, but caution is to approach 1-2 at a time and get an outcome
* Regulatory policy (lobbying). OK, if its is a hot topic to some....then BoD should encourage it and help first set of people get that WG started and provide small set of guidelines on Advocacy vs. Lobbying.
* Crank out true press releases or blogs say on quarterly basis when we have couple public releases.
* Consider WG and provide small set of guidelines on Advocacy vs. Lobbying.

== Community Portals ==
* Should be our goto destination for owasp community to access for current & relevant info on OWASP activities.
* Focused WG to take action on Wiki Cleanup & ease of use.
* Consider funding larger wiki cleanup and migration effort (Jim)

== Marketing ==
* General PR & Marketing the OWASP Story - Promote ourselves more!
* Crank up a Recruiting program - Both Corporate & Individual.

<headertabs/>

Board

2016-11-01T15:34:53Z

Jonathan Carter:

__NOTOC__

= About the OWASP Board =

== Current OWASP Global Board - Effective January 2016 ==

* [[Matt Konda]] Chicago, USA - matt.konda(at)owasp.org
* [[User:Jsokol|Josh Sokol]] Texas, USA - josh.sokol(at)owasp.org
* [[Andrew van der Stock]] Australia - vanderaj(at)owasp.org
* [[User:MichaelCoates|Michael Coates]] - California, USA - michael.coates(at)owasp.org
* [[User:Tgondrom|Tobias Gondrom]] Hong Kong - tobias.gondrom(at)owasp.org
* [[User:brennan|Tom Brennan]] New Jersey, USA - tomb(at)owasp.org
* [[User:jcarter|Jonathan Carter]] California, USA - jonathan.carter(at)owasp.org

== OWASP Board Elections ==
=== 2016 Election ===
[https://www.owasp.org/index.php/2016_Global_Board_of_Directors_Election 2016 Board Election]
=== 2015 Election ===
[https://www.owasp.org/index.php/2015_Global_Board_of_Directors_Election 2015 Board Election]
=== 2014 Election ===
[https://www.owasp.org/index.php/2014_Board_Elections 2014 Board Election]
=== 2013 Election ===
[https://www.owasp.org/index.php/2013_Board_Elections 2013 Board Election]
=== 2012 Election ===
[https://www.owasp.org/index.php/Membership/2012_Election 2012 Board Election]
=== 2011 Election ===
[https://www.owasp.org/index.php/Membership/2011Election 2011 Board Election]
=== 2009 Election ===
[https://www.owasp.org/index.php/Board_Election_2009 2009 Board Election]

= Agenda for 2016 Meetings =

* Teleconference Information: **CHECK MEETING INFORMATION**

* [https://www.owasp.org/index.php/International_Toll_Free_Calling_Information International Toll Free Calling Info]

* [https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0ApZ9zE0hx0LNdG5uRzNYZE8ycDFabnBWNkU4SFpwREE Board Meeting Attendance Tracking]
* Meeting Template found [https://www.owasp.org/index.php/Board-Meeting-template here]

== Upcoming 2016 Meetings ==

* [[November 8, 2016]], 15:00-16:30 PST - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=11&day=09&hour=23&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter ]
* [[November 30, 2016]], 15:00-16:30 PST - placeholder only optional if needed - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=11&day=30&hour=23&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter ]
* [[December 14, 2016]], 15:00-16:30 PST - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=12&day=14&hour=23&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter ]

== Past 2016 Meetings ==
* [[October 11, 2016]], at AppSecUSA 18:00 - 21:00 EDT - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=10&day=11&hour=22&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter ]
* [[September 21, 2016]] 07:00-08:30 PDT - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=09&day=21&hour=14&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter ]
* [[August 23, 2016]], 16:00-17:00 PDT - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=08&day=23&hour=23&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter ]
* [[July 1, 2016]], 18:00-21:00 CEST, in Rome at AppSecEU - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=07&day=01&hour=16&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter ]
* [[July 27, 2016]], 07:00-08:00 PDT - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=07&day=27&hour=14&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter ]
* [[May 18, 2016]], 07:00-08:30 PDT - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=05&day=18&hour=14&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter ]
* [[April 20, 2016]], 16:00-17:00 PDT - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=04&day=20&hour=23&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter ]
* [[March 16, 2016]], 16:00-17:00 PST - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=03&day=16&hour=23&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter ]
* [[February 17, 2016]], 15:00-16:30 PST - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=02&day=17&hour=23&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter ]
* [[January 13, 2016]], 16:00-17:30 PST - [http://www.timeanddate.com/worldclock/meetingdetails.html?year=2016&month=01&day=14&hour=00&min=0&sec=0&p1=224&p2=24&p3=263&p4=78&p5=37&p6=102&p7=152 TimeZone Converter ]

= Board Communication =

[https://www.owasp.org/index.php/OWASP_Foundation_ByLaws ByLaws] 
[https://www.owasp.org/index.php/Governance/Conflict_of_Interest_Policy Conflict of Interest Policy and Signed Conflict Statements] 
[https://docs.google.com/a/owasp.org/folder/d/0BxI4iTO_QojvNW9jaXFyWGZwR28/edit Weekly Board/Staff Communication Documents] 
[https://www.google.com/calendar/embed?src=owasp.org_d1dcflbc5oul9nji1ftc3pjji8@group.calendar.google.com&ctz=Pacific/Honolulu OWASP Board Calendar]

== Best practices ==

Note: these best practices are merely a collection of procedures deemed good process for a board. '''They are not binding''' and have not been voted on or ratified by the board to this date. Online: [http://www.rulesonline.com/rror--00.htm http://www.rulesonline.com/rror--00.htm]

=== Best Practices for Board conduct:===
We consider it best practices for our board to follow in spirit the "Robert's Rules of Order".
* That means that board votes require a motion brought forth by one board member and to be seconded by an other board member.
** A motion should be specific, unique, and concise. It should include all the relevant details, be unambiguous, and leave as little room for interpretation as possible.
* After the motion has been seconded the board may discuss the issue and / or vote on it.

A board member makes a motion and the board waits for your motion to be seconded. With few exceptions, all motions need to be seconded by another member of the Board. This is to ensure that the Board does spend its time effectively and not evaluating a proposal which only one member favors.
* In a formal setting, they will say something along the lines of "I second the motion," or even just "I second."
* In certain cases, such as when a general consensus is apparent, the presiding officer can choose to skip this step and move on to the next one.

= Archive and Voting History =

[https://www.owasp.org/index.php/OWASP_Board_History Historical Board Members by Year]

[https://www.owasp.org/index.php/OWASP_Board_Votes Historical Board Votes]

=== Past OWASP Boards ===
[[Board-2014]]

[[Board-2013]]

[[Board-2012]]

[[Board-2011]]

== Archive for 2015 Meetings ==
* [[December 9, 2015]], 15:00-17:00 PST
* [[November 18, 2015]], 14:00-15:30 PST
* [[November 4, 2015]], 12:00-13:30 PST
* [[October 14, 2015]], 14:00-15:00 PDT
* [[September 25, 2015]] at AppSecUSA 18:00 - 20:00 PST
* [[August 12, 2015]], 16:00-17:00 PST
* [[July 22, 2015]], 14:00-15:00 PDT
* [[June 24, 2015]], 14:00-15:00 PDT
* [[May 22, 2015]], 18:00-20:00 CEST in Amsterdam @ AppSec-EU , 9:00am-11:00am PST;
* [[April 29, 2015]], 12:00-13:00 PST
* [[March 25, 2015]], 12:00-13:00 PST
* [[February 11, 2015]], 16:00-17:00 PST
* [[January 14, 2015]], 9am-10am PST

== Archive for 2014 Meetings ==
* [[December 10, 2014]], 9am-10am PST
* [[November 12, 2014]], 9am - 10am PST
* [[October 8, 2014]], 9am-10am PST
* [[September 16, 2014]], 6pm - 9pm MST, In person at Appsec USA
* [[August 13, 2014]], 9am-10am PST
* [[July 9, 2014]], 9am-10am PST
* [[June 27, 2014]], 8am - 4 pm BST, In person at AppSec Europe
* [[April 30, 2014]],9am - 12pm PST
* [[March 3, 2014]], 7am - 10am PST
* [[February 24, 2014]], 8am - 10am PST

== Archive for 2013 Meetings ==

*[[December 9, 2013]]

* December 2, 2013 - Special Board Meeting - [https://docs.google.com/spreadsheet/ccc?key=0ApZ9zE0hx0LNdGdJZ1BIaEZkc2V1QV81NmJ4dnI0R1E&usp=sharing 2014 Budget] walk through, Q & A (no meeting notes)

*[[November 22, 2013]] - In person meeting at AppSec USA - New York, NY

* November 11, 2013 - cancelled due to in person meeting on Nov. 22

*[[October 14, 2013]]

*[[September 9, 2013]]

*[[In person meeting at AppSec EU - Hamburg, Germany; August 19-24]]

* August 12, 2013 - canceled due to in person meeting on Aug 19

*[[July 8, 2013]]

*[[June 10, 2013]]

*[[May 31, 2013]]

*[[May 13, 2013]]

*[[April 8, 2013]]

*[[March 11, 2013]]

*[[February 11, 2013]]

*[[January 14, 2013]]

== Archive for 2012 Meetings ==

[https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0ApZ9zE0hx0LNdG5uRzNYZE8ycDFabnBWNkU4SFpwREE Board Meeting Attendance Tracking]

OWASP Foundation [https://www.owasp.org/images/a/ae/2012ByLawsFINAL.pdf ByLaws]

[https://www.owasp.org/index.php/Global_Committee_Pages Global Committees]

*[[January 9, 2012]]

*[[February 6, 2012]]

*[[February 15, 2012]]

*[[March 12, 2012]]

*[[April 5, 2012]]

*[[May 14,2012]]

*[[June 11, 2012]]

*[[July 11, 2012]]

*[[Aug 13, 2012]]

*[[Sept 10, 2012]]

*[[Oct 8, 2012]]

*[[Oct 24, 2012]]

*[[Nov 12, 2012]]

*[[Nov 26, 2012]] - 2013 Budget Focused

*[[Dec 10, 2012]]

*[[Dec 27, 2012]] - 2013 Budget Focused

== Archive for 2011 Meetings ==

*[[January 3, 2011]]

*[[March 7, 2011]]

*[[April_4_2011]]

*[[May_2_2011]]

*[[June 6, 2011]]

*[[July 11, 2011]]

*[[August 8, 2011]]

*[[September 6, 2011]]

*[[September 20, 2011]]

*[[September 22, 2011]]

*[[October 10, 2011]]

*[[November 14, 2011]]

*[[December 5, 2011]]

== Minutes for 2011 Meetings ==

<hr>

* [https://www.owasp.org/index.php/OWASP_Board_Votes Board Votes Historical]

<hr>

*[[Minutes January 3, 2011]]

*[[Minutes March 8, 2011]]

*[[Minutes April 4, 2011]]

*[[Minutes May 2, 2011]]

*[https://docs.google.com/a/owasp.org/document/d/1VD9ZHEwht9tmM8FKEQ6DBrtmL_gTAhSSnQhiFXYkJ7I/edit?hl=en_US&authkey=CIavkP4B June 6 2011]

*[https://docs.google.com/a/owasp.org/document/d/1VMwYrP6owtZ-SchBxUcWTIF-ITvzUX8PjUkLPwr2ipg/edit?hl=en_US&authkey=CIGTx5sD July 11 2011]

*[https://docs.google.com/a/owasp.org/document/d/1CLu9aQpS7LdeX87rJ5N9cuJ-RGGVzDWf34l6gdMml7M/edit?hl=en_US&authkey=CI-U5qEP August 8, 2011]

*[https://docs.google.com/a/owasp.org/document/d/1HM32VcvWb0hizD5_mhWMULLaouzuRgA3ZYjODRZwyAs/edit?hl=en_US September 6, 2011]

*[https://docs.google.com/a/owasp.org/document/d/1Y-8tZisUZM5ZKP8AxJqvkiNtFanVFM0m--bMG2PZ3ww/edit October 10, 2011]

*[https://docs.google.com/a/owasp.org/document/d/13-aHX2pSUXjCP8ivsbls6u1VX1BVSYewyMUH8LI7zpQ/edit November 14, 2011]

== Archive for 2010 Meetings ==
*[[January 5, 2010]]

*[[February 2, 2010]]

*[[March 2, 2010]] Postponed until March 9, 2010

*[[April 6, 2010]]

*[[May 4, 2010]]

*[[June 7, 2010]]

*[[July 12, 2010]]

*[[August 2, 2010]]

*[[September 8, 2010]]

*[[October 11, 2010]]

*[[November 9, 2010]]

*[[December_6_2010]]

== Archive of 2010 Meetings ==

*[[Jan 5, 2010]]

*[[Feb 2, 2010]]

*[[March 2, 2010]]

*[[Minutes April 6, 2010]]

*[[Minutes May 11, 2010]]

*[[Minutes June 7, 2010]]

*[[Minutes July 12, 2010]]

*[[Minutes October 11, 2010]]

*[[Minutes November 9, 2010]]

*[[Minutes_December_6,_2010]]

*[[OWASP Board Meetings January Agenda]]
*[[OWASP Board Meetings February Agenda]]
*[[OWASP Board Meetings March Agenda]]
*[[OWASP Board Meetings April09 Agenda]]
*[[OWASP Board Meetings May09 Agenda]]
*[[OWASP Board Meetings June 09 Agenda]]
*[[OWASP Board Meeting July 7, 2009 Agenda]]
*[[OWASP Board Meeting August 4, 2009 Agenda]]
*[[OWASP Board Meeting September 1, 2009 Agenda]]
*[[OWASP Board Meeting October 6, 2009 Agenda]]
*[[OWASP Board Meeting November 10, 2009 Agenda]]
*[[OWASP Board Meeting December 1, 2009 Agenda]]

== Archive of 2009 Meetings ==
* [[OWASP Board Meetings 01-06-09]]
* [[OWASP Board Meetings 02-03-09]]
* [[OWASP Board Meetings 03-10-09]]
* [[OWASP Board Meetings April 09]]
* [[OWASP Board Meetings May 09]]
* [[OWASP Board Meetings June 09]]
* [[OWASP Board Meeting July 09]]
* [[OWASP Board Meeting August 09]]
* [[OWASP Board Meeting September 09]]
* [[OWASP Board Meeting October 09]]
* [[OWASP Board Meeting December 09]]

== Archive for 2008 Meetings ==
*[[OWASP Board Meetings March Agenda]]
*[[OWASP Board Meetings April Agenda]]
*[[OWASP Board Meetings May Agenda]]
*[[OWASP Board Meetings June Agenda]]
*[[OWASP Board Meetings July Agenda]]
*[[OWASP Board Meetings August Agenda]]
*[[OWASP Board Meetings September Agenda]]
*[[OWASP Board Meetings October Agenda]]
*[[OWASP Board Meetings December Agenda]]

== Archive of 2008 Meetings ==
* [[OWASP Board Meetings 2-7-08]]
* [[OWASP Board Meetings 3-6-08]]
* [[OWASP Board Meetings 5-6-08]]
* [[OWASP Board Meetings 6-3-08]]
* [[OWASP Board Meetings 8-14-08]]
* [[OWASP Board Meetings 9-2-08]]
* [[Owasp Board Meetings 10-07-08]]
* [[Owasp Board Meetings 11-07-08]]
* [[Owasp Board Meetings 12-02-08]]

= Board Focus Ideas =

== First suggested priority of Board from Paul ==
* What are the top 5 "Initiatives" we want or believe the OWASP Community should be focusing on in 2016-2017? (Areas that should receive our time effort & money.)
* Intent here is to stimulate a Board level & Community discussion about strategic goals, and then actionable objectives that.....a) align with mission of OWASP, and b) stimulate enough interest at Community level to cause volunteers to engage & participate, and c) produce output of value and benefit to owasp community on a Global basis.

== Projects Ideas==

* Project Review & Project Platform - good progress, keep it going. We need "more" volunteer engagement to provide more diverse review.
* New Project Ideas. Where is industry going, where will it be in 5 years? OWASP should suggest projects that we need and find team to build them!
* Project Summit support & funding
* International Chapter / Region support & funding for projects
* Hire full or part time technical writer to help with project (from Simon, flagship project lead)
* a platform for funding pull requests / contributions to projects - this could be a way to financially reward folks for contributing. I know ZAP recently experimented with this - not sure how it went, but we have money - might be a good way to spend it (maybe leveraging something like the bithub idea https://whispersystems.org/blog/bithub/). I would want the ability to personally remove myself from the ability of receiving payment. (from John Melton, flagship project lead)
* help with applying for grants - including letting us know of available grants and helping us do the paperwork if necessary
* make inter-project recommendations - since you sit at a level where you see various projects, maybe make recommendations for areas where multiple projects could collaborate for added value (from John Melton, flagship project lead)
* project of the month - this may already happen, but if not, maybe the newsletter could feature a project every month, including information like a project overview, an audio interview with the project leader(s), a list of priority tasks for people to help with, etc. (from John Melton, flagship project lead)
* get access to available free tools - I've actually seen several tools that are available for use within OWASP, though I hear about them haphazardly. It would be good if there were a single resource for leads to know what was available. Thinking of things like: free licenses of paid software (intellij, webex) or access to products/services (surveymonkey, AWS, GCE or Azure credits) that could be useful to the project (from John Melton, flagship project lead)
* conducting surveys - We do surveys periodically, and I fill them out. Joanna has used them to good effect. We might be able to make that more regular and get good data on our projects.
* "help wanted" site - We use github issues on our project. However, one thing I hear repeatedly is project leaders saying they need help, and owasp members asking how to help. It seems like we could put up a "jobs" board of some kind to connect folks within the community for things like this. We could probably connect this to $ in some way if we wanted to. I imagine there's a tool out there that already does this too. (from John Melton, flagship project lead)
* continue and expand "summer of code" programs - I believe these programs add lots of value. Not only do they get practical things done on the projects, but they give us good visibility, get people involved in the projects (many continue to contribute), give us good press in the community, and invigorate the mentors as well. (from John Melton, flagship project lead)

== Training ==
* Training is OK now....but what do we want to do here? Business as usual?
* Update current project level training docs, or
* Begin some form of Curriculum for Academic use?

== Advocacy==
* Liaison with other Orgs
** ID those Developer groups and go to their conferences & meetings
** ...just a few, but caution is to approach 1-2 at a time and get an outcome
* Regulatory policy (lobbying). OK, if its is a hot topic to some....then BoD should encourage it and help first set of people get that WG started and provide small set of guidelines on Advocacy vs. Lobbying.
* Crank out true press releases or blogs say on quarterly basis when we have couple public releases.
* Consider WG and provide small set of guidelines on Advocacy vs. Lobbying.

== Community Portals ==
* Should be our goto destination for owasp community to access for current & relevant info on OWASP activities.
* Focused WG to take action on Wiki Cleanup & ease of use.
* Consider funding larger wiki cleanup and migration effort (Jim)

== Marketing ==
* General PR & Marketing the OWASP Story - Promote ourselves more!
* Crank up a Recruiting program - Both Corporate & Individual.

<headertabs/>

Template:Mobile Top 10 2016:SubsectionAdvancedTemplate

2016-03-10T08:05:55Z

Jonathan Carter:

==='''Usage:''' ===
# Start Table
#* <nowiki>{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}} </nowiki>
#* <nowiki>{{Mobile_Top_10:SubsectionTableBeginTemplate|type=headertab}} </nowiki>
#:
# hint: use 'position=firstLeft', 'firstWhole' or 'firstLongLeft' for the 1st element 
::{|
| <nowiki>{{Mobile_Top_10_2016_Developer_Edition_De:SubsectionAdvancedTemplate</nowiki> ||  
|-
|   <nowiki>|type={{Mobile_Top_10_2016:StyleTemplate}}</nowiki> || <nowiki>  </nowiki>
|-
|   <nowiki>|subsection=<defOp|example|freetext|howPrevent|references|userImpact|vulnerableTo></nowiki> ||  
|-
|   <nowiki>|title=your title</nowiki> || <nowiki>  </nowiki>
|-
|   <nowiki>|position=<firstLeft|firstWhole|firstLongLeft|left|right|whole|longLeft|longRight></nowiki> ||  
|-
|   <nowiki>|risk=<1-10|11> </nowiki> || <nowiki>  </nowiki>
|-
|   <nowiki>|year=<2016|2016> </nowiki> || <nowiki>  </nowiki>
|-
|   <nowiki>|language=de </nowiki> || <nowiki>  </nowiki>
|-
|   || according to [[:Template:Mobile Top 10:LanguageFile]] <nowiki> ---> </nowiki>
|-
| <nowiki>}} </nowiki> ||  
|-
|  outdatet: ||  
|-
|   <nowiki>|number=<1|2|3|4|left|right|whole></nowiki> || <nowiki> </nowiki>
|}
:3. End Table
:* <nowiki>{{Mobile_Top_10:SubsectionTableEndTemplate}} </nowiki>
:* <nowiki>{{Mobile_Top_10_2016:BottomAdvancedTemplate </nowiki>
::: <nowiki> |type={{Mobile_Top_10_2016:StyleTemplate}}</nowiki>
::: <nowiki> |useprev=PrevLink_Germany_Projekte</nowiki>
::: <nowiki> |prev=Top_10_fuer_Entwickler</nowiki>
::: <nowiki> |usenext=NextLink_Germany_Projekte</nowiki>
::: <nowiki> |next=Top_10_fuer_Entwickler/Die Top-10-Risiken</nowiki>
:: <nowiki>}}</nowiki>

=== '''Example:''' ===
:<nowiki>{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}} {{Mobile_Top_10_2016:SubsectionAdvancedTemplate</nowiki>
::<nowiki>|type={{Mobile_Top_10_2016:StyleTemplate}}</nowiki>
::<nowiki>|subsection=vulnerableTo</nowiki>
::<nowiki>|position=firstLeft</nowiki>
::<nowiki>|risk=1</nowiki>
::<nowiki>|year=2016</nowiki>
::<nowiki>|language=de</nowiki>
:<nowiki>}}</nowiki>
:<nowiki>1st box</nowiki>
:<nowiki>{{Mobile_Top_10:SubsectionTableEndTemplate}}</nowiki>

===English New Syntax===
{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}} {{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=1|year=2016}}
1st box

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=howPrevent|position=right|risk=1|year=2016}}
2nd box

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=example|position=left|risk=1|year=2016}}
3rd box

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=references|position=right|risk=1|year=2016}}
4th box

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=defOp|title=1|position=whole|risk=1|year=2016}}
5th box (big box)
{{Mobile_Top_10:SubsectionTableEndTemplate}}
 
===English old Syntax 2016===
{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}} {{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|number=1|risk=1|year=2016}}
1st box

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|number=2|risk=1|year=2016}}
2nd box

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|number=3|risk=1|year=2016}}
3rd box

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|number=4|risk=1|year=2016}}
4th box

{{Mobile_Top_10:SubsectionTableEndTemplate}}
 
===English Old Syntax 2016===
{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}} {{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|number=1|risk=1}}
1st box

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|number=2|risk=1}}
2nd box

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|number=3|risk=1}}
3rd box

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|number=4|risk=1}}
4th box

{{Mobile_Top_10:SubsectionTableEndTemplate}}
 
===German 2016===
{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}} {{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=1|year=2016|language=de}}
1st box

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=howPrevent|position=right|risk=1|year=2016|language=de}}
2nd box

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=example|position=left|risk=1|year=2016|language=de}}
3rd box

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=references|position=right|risk=1|year=2016|language=de}}
4th box

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=defOp|title=1|position=whole|risk=1|year=2016|language=de}}
5th box (big box)

{{Mobile_Top_10:SubsectionTableEndTemplate}}

 
===German 2016===
{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}} {{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=1|language=de}}
1st box

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=howPrevent|position=right|risk=1|language=de}}
2nd box

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=example|position=left|risk=1|language=de}}
3rd box

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=references|position=right|risk=1|language=de}}
4th box

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=defOp|title=1|position=whole|risk=1|language=de}}
5th box (big box)

{{Mobile_Top_10:SubsectionTableEndTemplate}}

 
===Special 2016===
{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}} {{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=2|year=2016}}
1st box

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=howPrevent|position=right|risk=2|year=2016}}
2nd box

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=example|position=left|risk=2|year=2016}}
3rd box

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=userImpact|position=right|risk=2|year=2016}}
4th box

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=defOp|title=1|position=longLeft|risk=2|year=2016}}
5th box (long box)

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=defOp|title=2|position=right|risk=2|year=2016}}
6th box

{{Mobile_Top_10_2016:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=references|position=left|risk=2|year=2016}}
7th box

{{Mobile_Top_10:SubsectionTableEndTemplate}}

<onlyinclude> {{#ifeq: {{{type}}} | box |
{{#switch: {{{position}}}
| firstLeft = 
<tr>
<td
| firstWhole = 
<tr>
<td colspan="2"
| firstLongLeft =
<tr>
<td rowspan="2"
| left = 
</td></tr>
<tr>
<td
| right = 
</td>
<td
| whole =
</td></tr>
<tr>
<td colspan="2"
| longLeft =
</td></tr>
<tr>
<td rowspan="2"
| longRight = 
</td>
<td rowspan="2"
| #default = 
{{#switch: {{{number}}} 
| left = 
{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}}
<tr>
<td
| right = 
</td>
<td
| whole = 
{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}}
<tr>
<td
| 1 = 
{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}}
<tr>
<td
| 2 = 
</td>
<td
| 3 = 
</td></tr>
<tr>
<td
| 4 = 
</td>
<td
}}
}}
style="vertical-align: top; padding:5px; width: 50%;
border: 3px solid {{Mobile_Top_10:BorderColor|year={{{year}}} }};
background-color: {{Mobile_Top_10:BackgroundColor|year={{{year}}} }};">
<div style="font-style: bold;
{{#switch: {{{year}}}
| 2016=color: #000000; border-bottom: #999999 solid 1px; margin-bottom: 3px; padding-bottom: 3px;
| #default=color: #4F81BD;
}};
font-size: 150%;">

{{#switch: {{{subsection}}}
| freetext= {{{title}}}
| example= {{Mobile_Top_10:LanguageFile|text=exampleScenarios|language={{{language}}} }}
| howPrevent= {{Mobile_Top_10:LanguageFile|text=howPrevent1|language={{{language}}} }} '{{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=howPrevent2|language={{{language}}} }}
| defOp= {{Mobile_Top_10:LanguageFile|text=defendingOption|language={{{language}}} }} {{{title}}} {{Mobile_Top_10:LanguageFile|text=against|language={{{language}}} }} '{{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}':
| userImpact= {{Mobile_Top_10:LanguageFile|text=userImpact|language={{{language}}} }}
| references= {{Mobile_Top_10:LanguageFile|text=references|language={{{language}}} }}
| vulnerableTo={{Mobile_Top_10:LanguageFile|text=vulnerableTo1|language={{{language}}} }} '{{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=vulnerableTo2|language={{{language}}} }}
| #default= 
{{#switch: {{{number}}} 
| left
| right
| whole={{{title}}}
| 1={{Mobile_Top_10:LanguageFile|text=vulnerableTo1|language={{{language}}} }} '{{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=vulnerableTo2|language={{{language}}} }}
| 2={{Mobile_Top_10:LanguageFile|text=howPrevent1|language={{{language}}} }} '{{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=howPrevent2|language={{{language}}} }}
| 3={{Mobile_Top_10:LanguageFile|text=exampleScenarios|language={{{language}}} }}
| 4={{Mobile_Top_10:LanguageFile|text=references|language={{{language}}} }}
}}
}}</div>
| {{Mobile_Top_10_2016:SubsectionColoredTemplate|
{{#switch: {{{subsection}}}
| freetext= {{{title}}}
| example= {{Mobile_Top_10:LanguageFile|text=exampleScenarios|language={{{language}}} }}
| howPrevent= {{Mobile_Top_10:LanguageFile|text=howPrevent1|language={{{language}}} }} '{{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=howPrevent2|language={{{language}}} }}
| defOp= {{Mobile_Top_10:LanguageFile|text=defendingOption|language={{{language}}} }} {{{title}}} {{Mobile_Top_10:LanguageFile|text=against|language={{{language}}} }} '{{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}':
| userImpact= {{Mobile_Top_10:LanguageFile|text=userImpact|language={{{language}}} }}
| references= {{Mobile_Top_10:LanguageFile|text=references|language={{{language}}} }}
| vulnerableTo= {{Mobile_Top_10:LanguageFile|text=vulnerableTo1|language={{{language}}} }} '{{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=vulnerableTo2|language={{{language}}} }}
| #default= 
{{#switch: {{{number}}} 
| left
| right
| whole={{{title}}}
| 1={{Mobile_Top_10:LanguageFile|text=vulnerableTo1|language={{{language}}} }} '{{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=vulnerableTo2|language={{{language}}} }}
| 2={{Mobile_Top_10:LanguageFile|text=howPrevent1|language={{{language}}} }} '{{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=howPrevent2|language={{{language}}} }}
| 3={{Mobile_Top_10:LanguageFile|text=exampleScenarios|language={{{language}}} }}
| 4={{Mobile_Top_10:LanguageFile|text=references|language={{{language}}} }}
}}
}}|}}
}} </onlyinclude>

Template:Mobile Top 10 2016:SubsectionColoredTemplate

2016-03-10T08:04:28Z

Jonathan Carter: Created page with "<div style="background-color: {{#switch: {{{year}}} | 2016=#55DF8E | #default=#558EDF}}; color: #FFFFFF; font-size: 180%; padding: 6px; padding-top: 8px; font-weight: bold; bo..."

<div style="background-color: {{#switch: {{{year}}} | 2016=#55DF8E | #default=#558EDF}}; color: #FFFFFF; font-size: 180%; padding: 6px; padding-top: 8px; font-weight: bold; border: 3px solid {{#switch: {{{year}}} | 2016=#207F4A | #default=#204A7F}}; border-right: none; border-left: none; margin: 0;">{{{1}}}</div>
{{{2}}}

Template:Mobile Top 10:SubsectionTableEndTemplate

2016-03-10T08:03:30Z

Jonathan Carter: Created page with "</td></tr></table>"

</td></tr></table>

Template:Mobile Top 10 2016:SubsectionAdvancedTemplate

2016-03-10T07:55:33Z

Jonathan Carter:

==='''Usage:''' ===
# Start Table
#* <nowiki>{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}} </nowiki>
#* <nowiki>{{Mobile_Top_10:SubsectionTableBeginTemplate|type=headertab}} </nowiki>
#:
# hint: use 'position=firstLeft', 'firstWhole' or 'firstLongLeft' for the 1st element 
::{|
| <nowiki>{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate</nowiki> ||  
|-
|   <nowiki>|type={{Mobile_Top_10_2016:StyleTemplate}}</nowiki> || <nowiki>  </nowiki>
|-
|   <nowiki>|subsection=<defOp|example|freetext|howPrevent|references|userImpact|vulnerableTo></nowiki> ||  
|-
|   <nowiki>|title=your title</nowiki> || <nowiki>  </nowiki>
|-
|   <nowiki>|position=<firstLeft|firstWhole|firstLongLeft|left|right|whole|longLeft|longRight></nowiki> ||  
|-
|   <nowiki>|risk=<1-10|11> </nowiki> || <nowiki>  </nowiki>
|-
|   <nowiki>|year=<2010|2013> </nowiki> || <nowiki>  </nowiki>
|-
|   <nowiki>|language=de </nowiki> || <nowiki>  </nowiki>
|-
|   || according to [[:Template:Top 10:LanguageFile]] <nowiki> ---> </nowiki>
|-
| <nowiki>}} </nowiki> ||  
|-
|  outdatet: ||  
|-
|   <nowiki>|number=<1|2|3|4|left|right|whole></nowiki> || <nowiki> </nowiki>
|}
:3. End Table
:* <nowiki>{{Top_10:SubsectionTableEndTemplate}} </nowiki>
:* <nowiki>{{Top_10_2010:BottomAdvancedTemplate </nowiki>
::: <nowiki> |type={{Mobile_Top_10_2016:StyleTemplate}}</nowiki>
::: <nowiki> |useprev=PrevLink_Germany_Projekte</nowiki>
::: <nowiki> |prev=Top_10_fuer_Entwickler</nowiki>
::: <nowiki> |usenext=NextLink_Germany_Projekte</nowiki>
::: <nowiki> |next=Top_10_fuer_Entwickler/Die Top-10-Risiken</nowiki>
:: <nowiki>}}</nowiki>

=== '''Example:''' ===
:<nowiki>{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate</nowiki>
::<nowiki>|type={{Mobile_Top_10_2016:StyleTemplate}}</nowiki>
::<nowiki>|subsection=vulnerableTo</nowiki>
::<nowiki>|position=firstLeft</nowiki>
::<nowiki>|risk=1</nowiki>
::<nowiki>|year=2013</nowiki>
::<nowiki>|language=de</nowiki>
:<nowiki>}}</nowiki>
:<nowiki>1st box</nowiki>
:<nowiki>{{Top_10:SubsectionTableEndTemplate}}</nowiki>

===English New Syntax===
{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=1|year=2013}}
1st box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=howPrevent|position=right|risk=1|year=2013}}
2nd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=example|position=left|risk=1|year=2013}}
3rd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=references|position=right|risk=1|year=2013}}
4th box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=defOp|title=1|position=whole|risk=1|year=2013}}
5th box (big box)
{{Top_10:SubsectionTableEndTemplate}}
 
===English old Syntax 2013===
{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|number=1|risk=1|year=2013}}
1st box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|number=2|risk=1|year=2013}}
2nd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|number=3|risk=1|year=2013}}
3rd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|number=4|risk=1|year=2013}}
4th box

{{Top_10:SubsectionTableEndTemplate}}
 
===English Old Syntax 2010===
{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|number=1|risk=1}}
1st box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|number=2|risk=1}}
2nd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|number=3|risk=1}}
3rd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|number=4|risk=1}}
4th box

{{Top_10:SubsectionTableEndTemplate}}
 
===German 2013===
{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=1|year=2013|language=de}}
1st box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=howPrevent|position=right|risk=1|year=2013|language=de}}
2nd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=example|position=left|risk=1|year=2013|language=de}}
3rd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=references|position=right|risk=1|year=2013|language=de}}
4th box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=defOp|title=1|position=whole|risk=1|year=2013|language=de}}
5th box (big box)

{{Top_10:SubsectionTableEndTemplate}}

 
===German 2010===
{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=1|language=de}}
1st box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=howPrevent|position=right|risk=1|language=de}}
2nd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=example|position=left|risk=1|language=de}}
3rd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=references|position=right|risk=1|language=de}}
4th box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=defOp|title=1|position=whole|risk=1|language=de}}
5th box (big box)

{{Top_10:SubsectionTableEndTemplate}}

 
===Special 2013===
{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=2|year=2013}}
1st box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=howPrevent|position=right|risk=2|year=2013}}
2nd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=example|position=left|risk=2|year=2013}}
3rd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=userImpact|position=right|risk=2|year=2013}}
4th box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=defOp|title=1|position=longLeft|risk=2|year=2013}}
5th box (long box)

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=defOp|title=2|position=right|risk=2|year=2013}}
6th box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=references|position=left|risk=2|year=2013}}
7th box

{{Top_10:SubsectionTableEndTemplate}}

<onlyinclude> {{#ifeq: {{{type}}} | box |
{{#switch: {{{position}}}
| firstLeft = 
<tr>
<td
| firstWhole = 
<tr>
<td colspan="2"
| firstLongLeft =
<tr>
<td rowspan="2"
| left = 
</td></tr>
<tr>
<td
| right = 
</td>
<td
| whole =
</td></tr>
<tr>
<td colspan="2"
| longLeft =
</td></tr>
<tr>
<td rowspan="2"
| longRight = 
</td>
<td rowspan="2"
| #default = 
{{#switch: {{{number}}} 
| left = 
{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}}
<tr>
<td
| right = 
</td>
<td
| whole = 
{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}}
<tr>
<td
| 1 = 
{{Mobile_Top_10:SubsectionTableBeginTemplate|type=main}}
<tr>
<td
| 2 = 
</td>
<td
| 3 = 
</td></tr>
<tr>
<td
| 4 = 
</td>
<td
}}
}}
style="vertical-align: top; padding:5px; width: 50%;
border: 3px solid {{Mobile_Top_10:BorderColor|year={{{year}}} }};
background-color: {{Mobile_Top_10:BackgroundColor|year={{{year}}} }};">
<div style="font-style: bold;
{{#switch: {{{year}}}
| 2013=color: #000000; border-bottom: #999999 solid 1px; margin-bottom: 3px; padding-bottom: 3px;
| #default=color: #4F81BD;
}};
font-size: 150%;">

{{#switch: {{{subsection}}}
| freetext= {{{title}}}
| example= {{Mobile_Top_10:LanguageFile|text=exampleScenarios|language={{{language}}} }}
| howPrevent= {{Mobile_Top_10:LanguageFile|text=howPrevent1|language={{{language}}} }} '{{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=howPrevent2|language={{{language}}} }}
| defOp= {{Mobile_Top_10:LanguageFile|text=defendingOption|language={{{language}}} }} {{{title}}} {{Mobile_Top_10:LanguageFile|text=against|language={{{language}}} }} '{{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}':
| userImpact= {{Mobile_Top_10:LanguageFile|text=userImpact|language={{{language}}} }}
| references= {{Mobile_Top_10:LanguageFile|text=references|language={{{language}}} }}
| vulnerableTo={{Mobile_Top_10:LanguageFile|text=vulnerableTo1|language={{{language}}} }} '{{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=vulnerableTo2|language={{{language}}} }}
| #default= 
{{#switch: {{{number}}} 
| left
| right
| whole={{{title}}}
| 1={{Mobile_Top_10:LanguageFile|text=vulnerableTo1|language={{{language}}} }} '{{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=vulnerableTo2|language={{{language}}} }}
| 2={{Mobile_Top_10:LanguageFile|text=howPrevent1|language={{{language}}} }} '{{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=howPrevent2|language={{{language}}} }}
| 3={{Mobile_Top_10:LanguageFile|text=exampleScenarios|language={{{language}}} }}
| 4={{Mobile_Top_10:LanguageFile|text=references|language={{{language}}} }}
}}
}}</div>
| {{Top_10_2010:SubsectionColoredTemplate|
{{#switch: {{{subsection}}}
| freetext= {{{title}}}
| example= {{Mobile_Top_10:LanguageFile|text=exampleScenarios|language={{{language}}} }}
| howPrevent= {{Mobile_Top_10:LanguageFile|text=howPrevent1|language={{{language}}} }} '{{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=howPrevent2|language={{{language}}} }}
| defOp= {{Mobile_Top_10:LanguageFile|text=defendingOption|language={{{language}}} }} {{{title}}} {{Mobile_Top_10:LanguageFile|text=against|language={{{language}}} }} '{{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}':
| userImpact= {{Mobile_Top_10:LanguageFile|text=userImpact|language={{{language}}} }}
| references= {{Mobile_Top_10:LanguageFile|text=references|language={{{language}}} }}
| vulnerableTo= {{Mobile_Top_10:LanguageFile|text=vulnerableTo1|language={{{language}}} }} '{{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=vulnerableTo2|language={{{language}}} }}
| #default= 
{{#switch: {{{number}}} 
| left
| right
| whole={{{title}}}
| 1={{Mobile_Top_10:LanguageFile|text=vulnerableTo1|language={{{language}}} }} '{{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=vulnerableTo2|language={{{language}}} }}
| 2={{Mobile_Top_10:LanguageFile|text=howPrevent1|language={{{language}}} }} '{{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=howPrevent2|language={{{language}}} }}
| 3={{Mobile_Top_10:LanguageFile|text=exampleScenarios|language={{{language}}} }}
| 4={{Mobile_Top_10:LanguageFile|text=references|language={{{language}}} }}
}}
}}|}}
}} </onlyinclude>

Template:Mobile Top 10 2016:ByTheNumbers

2016-03-10T07:52:27Z

Jonathan Carter:

==='''Usage:''' ===
<nowiki>{{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|year={{{year}}}|language={{{language}}} }}</nowiki>
 
=== '''Example:''' ===
<nowiki>{{Mobile_Top_10_2016:ByTheNumbers|1|language=de|year=2016}}
{{Mobile_Top_10_2016:ByTheNumbers|2|year=2016}} 
{{Mobile_Top_10_2016:ByTheNumbers|2|language=de}} </nowiki>
 
{| class="wikitable" cellspacing="1" cellpadding="1" border="1" width="100%;"
|-
! style="min-width: 4%" |Number
! style="min-width: 48%" |English 2016
! style="min-width: 48%" |German 2016
|-
| 1
| {{Mobile_Top_10_2016:ByTheNumbers|1}}
| {{Mobile_Top_10_2016:ByTheNumbers|1|language=de}}
|-
| 2
| {{Mobile_Top_10_2016:ByTheNumbers|2}}
| {{Mobile_Top_10_2016:ByTheNumbers|2|language=de}}
|-
| 3
| {{Mobile_Top_10_2016:ByTheNumbers|3}}
| {{Mobile_Top_10_2016:ByTheNumbers|3|language=de}}
|-
| 4
| {{Mobile_Top_10_2016:ByTheNumbers|4}}
| {{Mobile_Top_10_2016:ByTheNumbers|4|language=de}}
|-
| 5
| {{Mobile_Top_10_2016:ByTheNumbers|5}}
| {{Mobile_Top_10_2016:ByTheNumbers|5|language=de}}
|-
| 6
| {{Mobile_Top_10_2016:ByTheNumbers|6}}
| {{Mobile_Top_10_2016:ByTheNumbers|6|language=de}}
|-
| 7
| {{Mobile_Top_10_2016:ByTheNumbers|7}}
| {{Mobile_Top_10_2016:ByTheNumbers|7|language=de}}
|-
| 8
| {{Mobile_Top_10_2016:ByTheNumbers|8}}
| {{Mobile_Top_10_2016:ByTheNumbers|8|language=de}}
|-
| 9
| {{Mobile_Top_10_2016:ByTheNumbers|9}}
| {{Mobile_Top_10_2016:ByTheNumbers|9|language=de}}
|-
| 10
| {{Mobile_Top_10_2016:ByTheNumbers|10}}
| {{Mobile_Top_10_2016:ByTheNumbers|10|language=de}}
|-
| 11
| {{Mobile_Top_10_2016:ByTheNumbers|11}}
| {{Mobile_Top_10_2016:ByTheNumbers|11|language=de}}
|}

<onlyinclude>{{#switch: {{{year}}}
| 2013 =
{{#switch: {{{1}}}
| 1={{Mobile_Top_10:LanguageFile|text=injection|language={{{language}}} }}
| 2={{Mobile_Top_10:LanguageFile|text=brokenAuthSessionMgmt|language={{{language}}} }}
| 3={{Mobile_Top_10:LanguageFile|text=xss|language={{{language}}} }}
| 4={{Mobile_Top_10:LanguageFile|text=insecureDirectObjectReference|language={{{language}}} }}
| 5={{Mobile_Top_10:LanguageFile|text=securityMisconfig|language={{{language}}} }}
| 6={{Mobile_Top_10:LanguageFile|text=sensitiveDataExposure|language={{{language}}} }}
| 7={{Mobile_Top_10:LanguageFile|text=missingFunctionLevelACL|language={{{language}}} }}
| 8={{Mobile_Top_10:LanguageFile|text=csrf|language={{{language}}} }}
| 9={{Mobile_Top_10:LanguageFile|text=usingVulnerableComponents|language={{{language}}} }}
| 10={{Mobile_Top_10:LanguageFile|text=unvalidatedRedirectsForwards|language={{{language}}} }}
| 11={{Mobile_Top_10:LanguageFile|text=inProgress|language={{{language}}} }}
}}
| #default =
{{#switch: {{{1}}}
| 1={{Mobile_Top_10:LanguageFile|text=injection|language={{{language}}} }}
| 2={{Mobile_Top_10:LanguageFile|text=xss|language={{{language}}} }}
| 3={{Mobile_Top_10:LanguageFile|text=brokenAuthSessionMgmt|language={{{language}}} }}
| 4={{Mobile_Top_10:LanguageFile|text=insecureDirectObjectReference|language={{{language}}} }}
| 5={{Mobile_Top_10:LanguageFile|text=csrf|language={{{language}}} }}
| 6={{Mobile_Top_10:LanguageFile|text=securityMisconfig|language={{{language}}} }}
| 7={{Mobile_Top_10:LanguageFile|text=insecureCryptographicStorage|language={{{language}}} }}
| 8={{Mobile_Top_10:LanguageFile|text=failureRestrictUrlAccess|language={{{language}}} }}
| 9={{Mobile_Top_10:LanguageFile|text=insufficientTLProtection|language={{{language}}} }}
| 10={{Mobile_Top_10:LanguageFile|text=unvalidatedRedirectsForwards|language={{{language}}} }}
| 11={{Mobile_Top_10:LanguageFile|text=inProgress|language={{{language}}} }}
}}
}}</onlyinclude>

Template:Mobile Top 10 2016:ByTheNumbers

2016-03-10T07:49:22Z

Jonathan Carter: Created page with "  <!--------------------------------------..."

==='''Usage:''' ===
<nowiki>{{Mobile_Top_10_2016:ByTheNumbers|{{{risk}}}|year={{{year}}}|language={{{language}}} }}</nowiki>
 
=== '''Example:''' ===
<nowiki>{{Mobile_Top_10_2016:ByTheNumbers|1|language=de|year=2016}}
{{Mobile_Top_10_2016:ByTheNumbers|2|year=2016}} 
{{Mobile_Top_10_2016:ByTheNumbers|2|language=de}} </nowiki>
 
{| class="wikitable" cellspacing="1" cellpadding="1" border="1" width="100%;"
|-
! style="min-width: 4%" |Number
! style="min-width: 24%" |English 2016
! style="min-width: 24%" |German 2016
! style="min-width: 24%" |English 2016
! style="min-width: 24%" |German 2016
|-
| 1
| {{Mobile_Top_10_2016:ByTheNumbers|1}}
| {{Mobile_Top_10_2016:ByTheNumbers|1|language=de}}
| {{Mobile_Top_10_2016:ByTheNumbers|1|year=2016}}
| {{Mobile_Top_10_2016:ByTheNumbers|1|language=de|year=2016}}
|-
| 2
| {{Mobile_Top_10_2016:ByTheNumbers|2}}
| {{Mobile_Top_10_2016:ByTheNumbers|2|language=de}}
| {{Mobile_Top_10_2016:ByTheNumbers|2|year=2016}}
| {{Mobile_Top_10_2016:ByTheNumbers|2|language=de|year=2016}}
|-
| 3
| {{Mobile_Top_10_2016:ByTheNumbers|3}}
| {{Mobile_Top_10_2016:ByTheNumbers|3|language=de}}
| {{Mobile_Top_10_2016:ByTheNumbers|3|year=2016}}
| {{Mobile_Top_10_2016:ByTheNumbers|3|language=de|year=2016}}
|-
| 4
| {{Mobile_Top_10_2016:ByTheNumbers|4}}
| {{Mobile_Top_10_2016:ByTheNumbers|4|language=de}}
| {{Mobile_Top_10_2016:ByTheNumbers|4|year=2016}}
| {{Mobile_Top_10_2016:ByTheNumbers|4|language=de|year=2016}}
|-
| 5
| {{Mobile_Top_10_2016:ByTheNumbers|5}}
| {{Mobile_Top_10_2016:ByTheNumbers|5|language=de}}
| {{Mobile_Top_10_2016:ByTheNumbers|5|year=2016}}
| {{Mobile_Top_10_2016:ByTheNumbers|5|language=de|year=2016}}
|-
| 6
| {{Mobile_Top_10_2016:ByTheNumbers|6}}
| {{Mobile_Top_10_2016:ByTheNumbers|6|language=de}}
| {{Mobile_Top_10_2016:ByTheNumbers|6|year=2016}}
| {{Mobile_Top_10_2016:ByTheNumbers|6|language=de|year=2016}}
|-
| 7
| {{Mobile_Top_10_2016:ByTheNumbers|7}}
| {{Mobile_Top_10_2016:ByTheNumbers|7|language=de}}
| {{Mobile_Top_10_2016:ByTheNumbers|7|year=2016}}
| {{Mobile_Top_10_2016:ByTheNumbers|7|language=de|year=2016}}
|-
| 8
| {{Mobile_Top_10_2016:ByTheNumbers|8}}
| {{Mobile_Top_10_2016:ByTheNumbers|8|language=de}}
| {{Mobile_Top_10_2016:ByTheNumbers|8|year=2016}}
| {{Mobile_Top_10_2016:ByTheNumbers|8|language=de|year=2016}}
|-
| 9
| {{Mobile_Top_10_2016:ByTheNumbers|9}}
| {{Mobile_Top_10_2016:ByTheNumbers|9|language=de}}
| {{Mobile_Top_10_2016:ByTheNumbers|9|year=2016}}
| {{Mobile_Top_10_2016:ByTheNumbers|9|language=de|year=2016}}
|-
| 10
| {{Mobile_Top_10_2016:ByTheNumbers|10}}
| {{Mobile_Top_10_2016:ByTheNumbers|10|language=de}}
| {{Mobile_Top_10_2016:ByTheNumbers|10|year=2016}}
| {{Mobile_Top_10_2016:ByTheNumbers|10|language=de|year=2016}}
|-
| 11
| {{Mobile_Top_10_2016:ByTheNumbers|11}}
| {{Mobile_Top_10_2016:ByTheNumbers|11|language=de}}
| {{Mobile_Top_10_2016:ByTheNumbers|11|year=2016}}
| {{Mobile_Top_10_2016:ByTheNumbers|11|language=de|year=2016}}
|}

<onlyinclude>{{#switch: {{{year}}}
| 2013 =
{{#switch: {{{1}}}
| 1={{Mobile_Top_10:LanguageFile|text=injection|language={{{language}}} }}
| 2={{Mobile_Top_10:LanguageFile|text=brokenAuthSessionMgmt|language={{{language}}} }}
| 3={{Mobile_Top_10:LanguageFile|text=xss|language={{{language}}} }}
| 4={{Mobile_Top_10:LanguageFile|text=insecureDirectObjectReference|language={{{language}}} }}
| 5={{Mobile_Top_10:LanguageFile|text=securityMisconfig|language={{{language}}} }}
| 6={{Mobile_Top_10:LanguageFile|text=sensitiveDataExposure|language={{{language}}} }}
| 7={{Mobile_Top_10:LanguageFile|text=missingFunctionLevelACL|language={{{language}}} }}
| 8={{Mobile_Top_10:LanguageFile|text=csrf|language={{{language}}} }}
| 9={{Mobile_Top_10:LanguageFile|text=usingVulnerableComponents|language={{{language}}} }}
| 10={{Mobile_Top_10:LanguageFile|text=unvalidatedRedirectsForwards|language={{{language}}} }}
| 11={{Mobile_Top_10:LanguageFile|text=inProgress|language={{{language}}} }}
}}
| #default =
{{#switch: {{{1}}}
| 1={{Mobile_Top_10:LanguageFile|text=injection|language={{{language}}} }}
| 2={{Mobile_Top_10:LanguageFile|text=xss|language={{{language}}} }}
| 3={{Mobile_Top_10:LanguageFile|text=brokenAuthSessionMgmt|language={{{language}}} }}
| 4={{Mobile_Top_10:LanguageFile|text=insecureDirectObjectReference|language={{{language}}} }}
| 5={{Mobile_Top_10:LanguageFile|text=csrf|language={{{language}}} }}
| 6={{Mobile_Top_10:LanguageFile|text=securityMisconfig|language={{{language}}} }}
| 7={{Mobile_Top_10:LanguageFile|text=insecureCryptographicStorage|language={{{language}}} }}
| 8={{Mobile_Top_10:LanguageFile|text=failureRestrictUrlAccess|language={{{language}}} }}
| 9={{Mobile_Top_10:LanguageFile|text=insufficientTLProtection|language={{{language}}} }}
| 10={{Mobile_Top_10:LanguageFile|text=unvalidatedRedirectsForwards|language={{{language}}} }}
| 11={{Mobile_Top_10:LanguageFile|text=inProgress|language={{{language}}} }}
}}
}}</onlyinclude>

Template:Mobile Top 10 2016:SubsectionAdvancedTemplate

2016-03-10T07:40:25Z

Jonathan Carter:

==='''Usage:''' ===
# Start Table
#* <nowiki>{{Top_10:SubsectionTableBeginTemplate|type=main}} </nowiki>
#* <nowiki>{{Top_10:SubsectionTableBeginTemplate|type=headertab}} </nowiki>
#:
# hint: use 'position=firstLeft', 'firstWhole' or 'firstLongLeft' for the 1st element 
::{|
| <nowiki>{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate</nowiki> ||  
|-
|   <nowiki>|type={{Mobile_Top_10_2016:StyleTemplate}}</nowiki> || <nowiki>  </nowiki>
|-
|   <nowiki>|subsection=<defOp|example|freetext|howPrevent|references|userImpact|vulnerableTo></nowiki> ||  
|-
|   <nowiki>|title=your title</nowiki> || <nowiki>  </nowiki>
|-
|   <nowiki>|position=<firstLeft|firstWhole|firstLongLeft|left|right|whole|longLeft|longRight></nowiki> ||  
|-
|   <nowiki>|risk=<1-10|11> </nowiki> || <nowiki>  </nowiki>
|-
|   <nowiki>|year=<2010|2013> </nowiki> || <nowiki>  </nowiki>
|-
|   <nowiki>|language=de </nowiki> || <nowiki>  </nowiki>
|-
|   || according to [[:Template:Top 10:LanguageFile]] <nowiki> ---> </nowiki>
|-
| <nowiki>}} </nowiki> ||  
|-
|  outdatet: ||  
|-
|   <nowiki>|number=<1|2|3|4|left|right|whole></nowiki> || <nowiki> </nowiki>
|}
:3. End Table
:* <nowiki>{{Top_10:SubsectionTableEndTemplate}} </nowiki>
:* <nowiki>{{Top_10_2010:BottomAdvancedTemplate </nowiki>
::: <nowiki> |type={{Mobile_Top_10_2016:StyleTemplate}}</nowiki>
::: <nowiki> |useprev=PrevLink_Germany_Projekte</nowiki>
::: <nowiki> |prev=Top_10_fuer_Entwickler</nowiki>
::: <nowiki> |usenext=NextLink_Germany_Projekte</nowiki>
::: <nowiki> |next=Top_10_fuer_Entwickler/Die Top-10-Risiken</nowiki>
:: <nowiki>}}</nowiki>

=== '''Example:''' ===
:<nowiki>{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate</nowiki>
::<nowiki>|type={{Mobile_Top_10_2016:StyleTemplate}}</nowiki>
::<nowiki>|subsection=vulnerableTo</nowiki>
::<nowiki>|position=firstLeft</nowiki>
::<nowiki>|risk=1</nowiki>
::<nowiki>|year=2013</nowiki>
::<nowiki>|language=de</nowiki>
:<nowiki>}}</nowiki>
:<nowiki>1st box</nowiki>
:<nowiki>{{Top_10:SubsectionTableEndTemplate}}</nowiki>

===English New Syntax===
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=1|year=2013}}
1st box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=howPrevent|position=right|risk=1|year=2013}}
2nd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=example|position=left|risk=1|year=2013}}
3rd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=references|position=right|risk=1|year=2013}}
4th box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=defOp|title=1|position=whole|risk=1|year=2013}}
5th box (big box)
{{Top_10:SubsectionTableEndTemplate}}
 
===English old Syntax 2013===
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|number=1|risk=1|year=2013}}
1st box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|number=2|risk=1|year=2013}}
2nd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|number=3|risk=1|year=2013}}
3rd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|number=4|risk=1|year=2013}}
4th box

{{Top_10:SubsectionTableEndTemplate}}
 
===English Old Syntax 2010===
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|number=1|risk=1}}
1st box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|number=2|risk=1}}
2nd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|number=3|risk=1}}
3rd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|number=4|risk=1}}
4th box

{{Top_10:SubsectionTableEndTemplate}}
 
===German 2013===
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=1|year=2013|language=de}}
1st box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=howPrevent|position=right|risk=1|year=2013|language=de}}
2nd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=example|position=left|risk=1|year=2013|language=de}}
3rd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=references|position=right|risk=1|year=2013|language=de}}
4th box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=defOp|title=1|position=whole|risk=1|year=2013|language=de}}
5th box (big box)

{{Top_10:SubsectionTableEndTemplate}}

 
===German 2010===
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=1|language=de}}
1st box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=howPrevent|position=right|risk=1|language=de}}
2nd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=example|position=left|risk=1|language=de}}
3rd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=references|position=right|risk=1|language=de}}
4th box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=defOp|title=1|position=whole|risk=1|language=de}}
5th box (big box)

{{Top_10:SubsectionTableEndTemplate}}

 
===Special 2013===
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=2|year=2013}}
1st box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=howPrevent|position=right|risk=2|year=2013}}
2nd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=example|position=left|risk=2|year=2013}}
3rd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=userImpact|position=right|risk=2|year=2013}}
4th box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=defOp|title=1|position=longLeft|risk=2|year=2013}}
5th box (long box)

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=defOp|title=2|position=right|risk=2|year=2013}}
6th box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Mobile_Top_10_2016:StyleTemplate}}|subsection=references|position=left|risk=2|year=2013}}
7th box

{{Top_10:SubsectionTableEndTemplate}}

<onlyinclude> {{#ifeq: {{{type}}} | box |
{{#switch: {{{position}}}
| firstLeft = 
<tr>
<td
| firstWhole = 
<tr>
<td colspan="2"
| firstLongLeft =
<tr>
<td rowspan="2"
| left = 
</td></tr>
<tr>
<td
| right = 
</td>
<td
| whole =
</td></tr>
<tr>
<td colspan="2"
| longLeft =
</td></tr>
<tr>
<td rowspan="2"
| longRight = 
</td>
<td rowspan="2"
| #default = 
{{#switch: {{{number}}} 
| left = 
{{Top_10:SubsectionTableBeginTemplate|type=main}}
<tr>
<td
| right = 
</td>
<td
| whole = 
{{Top_10:SubsectionTableBeginTemplate|type=main}}
<tr>
<td
| 1 = 
{{Top_10:SubsectionTableBeginTemplate|type=main}}
<tr>
<td
| 2 = 
</td>
<td
| 3 = 
</td></tr>
<tr>
<td
| 4 = 
</td>
<td
}}
}}
style="vertical-align: top; padding:5px; width: 50%;
border: 3px solid {{Mobile_Top_10:BorderColor|year={{{year}}} }};
background-color: {{Mobile_Top_10:BackgroundColor|year={{{year}}} }};">
<div style="font-style: bold;
{{#switch: {{{year}}}
| 2013=color: #000000; border-bottom: #999999 solid 1px; margin-bottom: 3px; padding-bottom: 3px;
| #default=color: #4F81BD;
}};
font-size: 150%;">

{{#switch: {{{subsection}}}
| freetext= {{{title}}}
| example= {{Mobile_Top_10:LanguageFile|text=exampleScenarios|language={{{language}}} }}
| howPrevent= {{Mobile_Top_10:LanguageFile|text=howPrevent1|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=howPrevent2|language={{{language}}} }}
| defOp= {{Mobile_Top_10:LanguageFile|text=defendingOption|language={{{language}}} }} {{{title}}} {{Mobile_Top_10:LanguageFile|text=against|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}':
| userImpact= {{Mobile_Top_10:LanguageFile|text=userImpact|language={{{language}}} }}
| references= {{Mobile_Top_10:LanguageFile|text=references|language={{{language}}} }}
| vulnerableTo={{Mobile_Top_10:LanguageFile|text=vulnerableTo1|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=vulnerableTo2|language={{{language}}} }}
| #default= 
{{#switch: {{{number}}} 
| left
| right
| whole={{{title}}}
| 1={{Mobile_Top_10:LanguageFile|text=vulnerableTo1|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=vulnerableTo2|language={{{language}}} }}
| 2={{Mobile_Top_10:LanguageFile|text=howPrevent1|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=howPrevent2|language={{{language}}} }}
| 3={{Mobile_Top_10:LanguageFile|text=exampleScenarios|language={{{language}}} }}
| 4={{Mobile_Top_10:LanguageFile|text=references|language={{{language}}} }}
}}
}}</div>
| {{Top_10_2010:SubsectionColoredTemplate|
{{#switch: {{{subsection}}}
| freetext= {{{title}}}
| example= {{Mobile_Top_10:LanguageFile|text=exampleScenarios|language={{{language}}} }}
| howPrevent= {{Mobile_Top_10:LanguageFile|text=howPrevent1|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=howPrevent2|language={{{language}}} }}
| defOp= {{Mobile_Top_10:LanguageFile|text=defendingOption|language={{{language}}} }} {{{title}}} {{Mobile_Top_10:LanguageFile|text=against|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}':
| userImpact= {{Mobile_Top_10:LanguageFile|text=userImpact|language={{{language}}} }}
| references= {{Mobile_Top_10:LanguageFile|text=references|language={{{language}}} }}
| vulnerableTo= {{Mobile_Top_10:LanguageFile|text=vulnerableTo1|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=vulnerableTo2|language={{{language}}} }}
| #default= 
{{#switch: {{{number}}} 
| left
| right
| whole={{{title}}}
| 1={{Mobile_Top_10:LanguageFile|text=vulnerableTo1|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=vulnerableTo2|language={{{language}}} }}
| 2={{Mobile_Top_10:LanguageFile|text=howPrevent1|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=howPrevent2|language={{{language}}} }}
| 3={{Mobile_Top_10:LanguageFile|text=exampleScenarios|language={{{language}}} }}
| 4={{Mobile_Top_10:LanguageFile|text=references|language={{{language}}} }}
}}
}}|}}
}} </onlyinclude>

Template:Mobile Top 10 2016:SubsectionAdvancedTemplate

2016-03-10T07:34:54Z

Jonathan Carter:

==='''Usage:''' ===
# Start Table
#* <nowiki>{{Top_10:SubsectionTableBeginTemplate|type=main}} </nowiki>
#* <nowiki>{{Top_10:SubsectionTableBeginTemplate|type=headertab}} </nowiki>
#:
# hint: use 'position=firstLeft', 'firstWhole' or 'firstLongLeft' for the 1st element 
::{|
| <nowiki>{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate</nowiki> ||  
|-
|   <nowiki>|type={{Top_10_2010:StyleTemplate}}</nowiki> || <nowiki>  </nowiki>
|-
|   <nowiki>|subsection=<defOp|example|freetext|howPrevent|references|userImpact|vulnerableTo></nowiki> ||  
|-
|   <nowiki>|title=your title</nowiki> || <nowiki>  </nowiki>
|-
|   <nowiki>|position=<firstLeft|firstWhole|firstLongLeft|left|right|whole|longLeft|longRight></nowiki> ||  
|-
|   <nowiki>|risk=<1-10|11> </nowiki> || <nowiki>  </nowiki>
|-
|   <nowiki>|year=<2010|2013> </nowiki> || <nowiki>  </nowiki>
|-
|   <nowiki>|language=de </nowiki> || <nowiki>  </nowiki>
|-
|   || according to [[:Template:Top 10:LanguageFile]] <nowiki> ---> </nowiki>
|-
| <nowiki>}} </nowiki> ||  
|-
|  outdatet: ||  
|-
|   <nowiki>|number=<1|2|3|4|left|right|whole></nowiki> || <nowiki> </nowiki>
|}
:3. End Table
:* <nowiki>{{Top_10:SubsectionTableEndTemplate}} </nowiki>
:* <nowiki>{{Top_10_2010:BottomAdvancedTemplate </nowiki>
::: <nowiki> |type={{Top_10_2010:StyleTemplate}}</nowiki>
::: <nowiki> |useprev=PrevLink_Germany_Projekte</nowiki>
::: <nowiki> |prev=Top_10_fuer_Entwickler</nowiki>
::: <nowiki> |usenext=NextLink_Germany_Projekte</nowiki>
::: <nowiki> |next=Top_10_fuer_Entwickler/Die Top-10-Risiken</nowiki>
:: <nowiki>}}</nowiki>

=== '''Example:''' ===
:<nowiki>{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate</nowiki>
::<nowiki>|type={{Top_10_2010:StyleTemplate}}</nowiki>
::<nowiki>|subsection=vulnerableTo</nowiki>
::<nowiki>|position=firstLeft</nowiki>
::<nowiki>|risk=1</nowiki>
::<nowiki>|year=2013</nowiki>
::<nowiki>|language=de</nowiki>
:<nowiki>}}</nowiki>
:<nowiki>1st box</nowiki>
:<nowiki>{{Top_10:SubsectionTableEndTemplate}}</nowiki>

===English New Syntax===
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=1|year=2013}}
1st box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=1|year=2013}}
2nd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=1|year=2013}}
3rd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=1|year=2013}}
4th box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|title=1|position=whole|risk=1|year=2013}}
5th box (big box)
{{Top_10:SubsectionTableEndTemplate}}
 
===English old Syntax 2013===
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=1|risk=1|year=2013}}
1st box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=2|risk=1|year=2013}}
2nd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=3|risk=1|year=2013}}
3rd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=4|risk=1|year=2013}}
4th box

{{Top_10:SubsectionTableEndTemplate}}
 
===English Old Syntax 2010===
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=1|risk=1}}
1st box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=2|risk=1}}
2nd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=3|risk=1}}
3rd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=4|risk=1}}
4th box

{{Top_10:SubsectionTableEndTemplate}}
 
===German 2013===
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=1|year=2013|language=de}}
1st box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=1|year=2013|language=de}}
2nd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=1|year=2013|language=de}}
3rd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=1|year=2013|language=de}}
4th box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|title=1|position=whole|risk=1|year=2013|language=de}}
5th box (big box)

{{Top_10:SubsectionTableEndTemplate}}

 
===German 2010===
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=1|language=de}}
1st box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=1|language=de}}
2nd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=1|language=de}}
3rd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=1|language=de}}
4th box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|title=1|position=whole|risk=1|language=de}}
5th box (big box)

{{Top_10:SubsectionTableEndTemplate}}

 
===Special 2013===
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=2|year=2013}}
1st box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=2|year=2013}}
2nd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=2|year=2013}}
3rd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=userImpact|position=right|risk=2|year=2013}}
4th box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|title=1|position=longLeft|risk=2|year=2013}}
5th box (long box)

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|title=2|position=right|risk=2|year=2013}}
6th box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=left|risk=2|year=2013}}
7th box

{{Top_10:SubsectionTableEndTemplate}}

<onlyinclude> {{#ifeq: {{{type}}} | box |
{{#switch: {{{position}}}
| firstLeft = 
<tr>
<td
| firstWhole = 
<tr>
<td colspan="2"
| firstLongLeft =
<tr>
<td rowspan="2"
| left = 
</td></tr>
<tr>
<td
| right = 
</td>
<td
| whole =
</td></tr>
<tr>
<td colspan="2"
| longLeft =
</td></tr>
<tr>
<td rowspan="2"
| longRight = 
</td>
<td rowspan="2"
| #default = 
{{#switch: {{{number}}} 
| left = 
{{Top_10:SubsectionTableBeginTemplate|type=main}}
<tr>
<td
| right = 
</td>
<td
| whole = 
{{Top_10:SubsectionTableBeginTemplate|type=main}}
<tr>
<td
| 1 = 
{{Top_10:SubsectionTableBeginTemplate|type=main}}
<tr>
<td
| 2 = 
</td>
<td
| 3 = 
</td></tr>
<tr>
<td
| 4 = 
</td>
<td
}}
}}
style="vertical-align: top; padding:5px; width: 50%;
border: 3px solid {{Top_10:BorderColor|year={{{year}}} }};
background-color: {{Top_10:BackgroundColor|year={{{year}}} }};">
<div style="font-style: bold;
{{#switch: {{{year}}}
| 2013=color: #000000; border-bottom: #999999 solid 1px; margin-bottom: 3px; padding-bottom: 3px;
| #default=color: #4F81BD;
}};
font-size: 150%;">

{{#switch: {{{subsection}}}
| freetext= {{{title}}}
| example= {{Mobile_Top_10:LanguageFile|text=exampleScenarios|language={{{language}}} }}
| howPrevent= {{Mobile_Top_10:LanguageFile|text=howPrevent1|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=howPrevent2|language={{{language}}} }}
| defOp= {{Mobile_Top_10:LanguageFile|text=defendingOption|language={{{language}}} }} {{{title}}} {{Mobile_Top_10:LanguageFile|text=against|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}':
| userImpact= {{Mobile_Top_10:LanguageFile|text=userImpact|language={{{language}}} }}
| references= {{Mobile_Top_10:LanguageFile|text=references|language={{{language}}} }}
| vulnerableTo={{Mobile_Top_10:LanguageFile|text=vulnerableTo1|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=vulnerableTo2|language={{{language}}} }}
| #default= 
{{#switch: {{{number}}} 
| left
| right
| whole={{{title}}}
| 1={{Mobile_Top_10:LanguageFile|text=vulnerableTo1|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=vulnerableTo2|language={{{language}}} }}
| 2={{Mobile_Top_10:LanguageFile|text=howPrevent1|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=howPrevent2|language={{{language}}} }}
| 3={{Mobile_Top_10:LanguageFile|text=exampleScenarios|language={{{language}}} }}
| 4={{Mobile_Top_10:LanguageFile|text=references|language={{{language}}} }}
}}
}}</div>
| {{Top_10_2010:SubsectionColoredTemplate|
{{#switch: {{{subsection}}}
| freetext= {{{title}}}
| example= {{Mobile_Top_10:LanguageFile|text=exampleScenarios|language={{{language}}} }}
| howPrevent= {{Mobile_Top_10:LanguageFile|text=howPrevent1|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=howPrevent2|language={{{language}}} }}
| defOp= {{Mobile_Top_10:LanguageFile|text=defendingOption|language={{{language}}} }} {{{title}}} {{Mobile_Top_10:LanguageFile|text=against|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}':
| userImpact= {{Mobile_Top_10:LanguageFile|text=userImpact|language={{{language}}} }}
| references= {{Mobile_Top_10:LanguageFile|text=references|language={{{language}}} }}
| vulnerableTo= {{Mobile_Top_10:LanguageFile|text=vulnerableTo1|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=vulnerableTo2|language={{{language}}} }}
| #default= 
{{#switch: {{{number}}} 
| left
| right
| whole={{{title}}}
| 1={{Mobile_Top_10:LanguageFile|text=vulnerableTo1|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=vulnerableTo2|language={{{language}}} }}
| 2={{Mobile_Top_10:LanguageFile|text=howPrevent1|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Mobile_Top_10:LanguageFile|text=howPrevent2|language={{{language}}} }}
| 3={{Mobile_Top_10:LanguageFile|text=exampleScenarios|language={{{language}}} }}
| 4={{Mobile_Top_10:LanguageFile|text=references|language={{{language}}} }}
}}
}}|}}
}} </onlyinclude>

Template:Mobile Top 10 2016:SubsectionAdvancedTemplate

2016-03-10T07:25:47Z

Jonathan Carter: Created page with "  <!--------------------------------------------------..."

==='''Usage:''' ===
# Start Table
#* <nowiki>{{Top_10:SubsectionTableBeginTemplate|type=main}} </nowiki>
#* <nowiki>{{Top_10:SubsectionTableBeginTemplate|type=headertab}} </nowiki>
#:
# hint: use 'position=firstLeft', 'firstWhole' or 'firstLongLeft' for the 1st element 
::{|
| <nowiki>{{Top_10_2010_Developer_Edition_De:SubsectionAdvancedTemplate</nowiki> ||  
|-
|   <nowiki>|type={{Top_10_2010:StyleTemplate}}</nowiki> || <nowiki>  </nowiki>
|-
|   <nowiki>|subsection=<defOp|example|freetext|howPrevent|references|userImpact|vulnerableTo></nowiki> ||  
|-
|   <nowiki>|title=your title</nowiki> || <nowiki>  </nowiki>
|-
|   <nowiki>|position=<firstLeft|firstWhole|firstLongLeft|left|right|whole|longLeft|longRight></nowiki> ||  
|-
|   <nowiki>|risk=<1-10|11> </nowiki> || <nowiki>  </nowiki>
|-
|   <nowiki>|year=<2010|2013> </nowiki> || <nowiki>  </nowiki>
|-
|   <nowiki>|language=de </nowiki> || <nowiki>  </nowiki>
|-
|   || according to [[:Template:Top 10:LanguageFile]] <nowiki> ---> </nowiki>
|-
| <nowiki>}} </nowiki> ||  
|-
|  outdatet: ||  
|-
|   <nowiki>|number=<1|2|3|4|left|right|whole></nowiki> || <nowiki> </nowiki>
|}
:3. End Table
:* <nowiki>{{Top_10:SubsectionTableEndTemplate}} </nowiki>
:* <nowiki>{{Top_10_2010:BottomAdvancedTemplate </nowiki>
::: <nowiki> |type={{Top_10_2010:StyleTemplate}}</nowiki>
::: <nowiki> |useprev=PrevLink_Germany_Projekte</nowiki>
::: <nowiki> |prev=Top_10_fuer_Entwickler</nowiki>
::: <nowiki> |usenext=NextLink_Germany_Projekte</nowiki>
::: <nowiki> |next=Top_10_fuer_Entwickler/Die Top-10-Risiken</nowiki>
:: <nowiki>}}</nowiki>

=== '''Example:''' ===
:<nowiki>{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate</nowiki>
::<nowiki>|type={{Top_10_2010:StyleTemplate}}</nowiki>
::<nowiki>|subsection=vulnerableTo</nowiki>
::<nowiki>|position=firstLeft</nowiki>
::<nowiki>|risk=1</nowiki>
::<nowiki>|year=2013</nowiki>
::<nowiki>|language=de</nowiki>
:<nowiki>}}</nowiki>
:<nowiki>1st box</nowiki>
:<nowiki>{{Top_10:SubsectionTableEndTemplate}}</nowiki>

===English New Syntax===
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=1|year=2013}}
1st box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=1|year=2013}}
2nd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=1|year=2013}}
3rd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=1|year=2013}}
4th box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|title=1|position=whole|risk=1|year=2013}}
5th box (big box)
{{Top_10:SubsectionTableEndTemplate}}
 
===English old Syntax 2013===
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=1|risk=1|year=2013}}
1st box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=2|risk=1|year=2013}}
2nd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=3|risk=1|year=2013}}
3rd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=4|risk=1|year=2013}}
4th box

{{Top_10:SubsectionTableEndTemplate}}
 
===English Old Syntax 2010===
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=1|risk=1}}
1st box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=2|risk=1}}
2nd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=3|risk=1}}
3rd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|number=4|risk=1}}
4th box

{{Top_10:SubsectionTableEndTemplate}}
 
===German 2013===
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=1|year=2013|language=de}}
1st box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=1|year=2013|language=de}}
2nd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=1|year=2013|language=de}}
3rd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=1|year=2013|language=de}}
4th box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|title=1|position=whole|risk=1|year=2013|language=de}}
5th box (big box)

{{Top_10:SubsectionTableEndTemplate}}

 
===German 2010===
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=1|language=de}}
1st box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=1|language=de}}
2nd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=1|language=de}}
3rd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=1|language=de}}
4th box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|title=1|position=whole|risk=1|language=de}}
5th box (big box)

{{Top_10:SubsectionTableEndTemplate}}

 
===Special 2013===
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=2|year=2013}}
1st box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=2|year=2013}}
2nd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=2|year=2013}}
3rd box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=userImpact|position=right|risk=2|year=2013}}
4th box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|title=1|position=longLeft|risk=2|year=2013}}
5th box (long box)

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=defOp|title=2|position=right|risk=2|year=2013}}
6th box

{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=left|risk=2|year=2013}}
7th box

{{Top_10:SubsectionTableEndTemplate}}

<onlyinclude> {{#ifeq: {{{type}}} | box |
{{#switch: {{{position}}}
| firstLeft = 
<tr>
<td
| firstWhole = 
<tr>
<td colspan="2"
| firstLongLeft =
<tr>
<td rowspan="2"
| left = 
</td></tr>
<tr>
<td
| right = 
</td>
<td
| whole =
</td></tr>
<tr>
<td colspan="2"
| longLeft =
</td></tr>
<tr>
<td rowspan="2"
| longRight = 
</td>
<td rowspan="2"
| #default = 
{{#switch: {{{number}}} 
| left = 
{{Top_10:SubsectionTableBeginTemplate|type=main}}
<tr>
<td
| right = 
</td>
<td
| whole = 
{{Top_10:SubsectionTableBeginTemplate|type=main}}
<tr>
<td
| 1 = 
{{Top_10:SubsectionTableBeginTemplate|type=main}}
<tr>
<td
| 2 = 
</td>
<td
| 3 = 
</td></tr>
<tr>
<td
| 4 = 
</td>
<td
}}
}}
style="vertical-align: top; padding:5px; width: 50%;
border: 3px solid {{Top_10:BorderColor|year={{{year}}} }};
background-color: {{Top_10:BackgroundColor|year={{{year}}} }};">
<div style="font-style: bold;
{{#switch: {{{year}}}
| 2013=color: #000000; border-bottom: #999999 solid 1px; margin-bottom: 3px; padding-bottom: 3px;
| #default=color: #4F81BD;
}};
font-size: 150%;">

{{#switch: {{{subsection}}}
| freetext= {{{title}}}
| example= {{Top_10:LanguageFile|text=exampleScenarios|language={{{language}}} }}
| howPrevent= {{Top_10:LanguageFile|text=howPrevent1|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Top_10:LanguageFile|text=howPrevent2|language={{{language}}} }}
| defOp= {{Top_10:LanguageFile|text=defendingOption|language={{{language}}} }} {{{title}}} {{Top_10:LanguageFile|text=against|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}':
| userImpact= {{Top_10:LanguageFile|text=userImpact|language={{{language}}} }}
| references= {{Top_10:LanguageFile|text=references|language={{{language}}} }}
| vulnerableTo={{Top_10:LanguageFile|text=vulnerableTo1|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Top_10:LanguageFile|text=vulnerableTo2|language={{{language}}} }}
| #default= 
{{#switch: {{{number}}} 
| left
| right
| whole={{{title}}}
| 1={{Top_10:LanguageFile|text=vulnerableTo1|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Top_10:LanguageFile|text=vulnerableTo2|language={{{language}}} }}
| 2={{Top_10:LanguageFile|text=howPrevent1|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Top_10:LanguageFile|text=howPrevent2|language={{{language}}} }}
| 3={{Top_10:LanguageFile|text=exampleScenarios|language={{{language}}} }}
| 4={{Top_10:LanguageFile|text=references|language={{{language}}} }}
}}
}}</div>
| {{Top_10_2010:SubsectionColoredTemplate|
{{#switch: {{{subsection}}}
| freetext= {{{title}}}
| example= {{Top_10:LanguageFile|text=exampleScenarios|language={{{language}}} }}
| howPrevent= {{Top_10:LanguageFile|text=howPrevent1|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Top_10:LanguageFile|text=howPrevent2|language={{{language}}} }}
| defOp= {{Top_10:LanguageFile|text=defendingOption|language={{{language}}} }} {{{title}}} {{Top_10:LanguageFile|text=against|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}':
| userImpact= {{Top_10:LanguageFile|text=userImpact|language={{{language}}} }}
| references= {{Top_10:LanguageFile|text=references|language={{{language}}} }}
| vulnerableTo= {{Top_10:LanguageFile|text=vulnerableTo1|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Top_10:LanguageFile|text=vulnerableTo2|language={{{language}}} }}
| #default= 
{{#switch: {{{number}}} 
| left
| right
| whole={{{title}}}
| 1={{Top_10:LanguageFile|text=vulnerableTo1|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Top_10:LanguageFile|text=vulnerableTo2|language={{{language}}} }}
| 2={{Top_10:LanguageFile|text=howPrevent1|language={{{language}}} }} '{{Top_10_2010:ByTheNumbers|{{{risk}}}|language={{{language}}}|year={{{year}}} }}'{{Top_10:LanguageFile|text=howPrevent2|language={{{language}}} }}
| 3={{Top_10:LanguageFile|text=exampleScenarios|language={{{language}}} }}
| 4={{Top_10:LanguageFile|text=references|language={{{language}}} }}
}}
}}|}}
}} </onlyinclude>

Template:Mobile Top 10 2016:StyleTemplate

2016-03-10T07:13:10Z

Jonathan Carter: Created page with "box"

box

Template:Mobile Top 10 2016:BottomTemplate

2016-03-10T07:10:34Z

Jonathan Carter: Created page with "{{LinkBar |useprev={{{useprev}}} |prev={{{prev}}} |usenext={{{usenext}}} |next={{{next}}} |usemain=Template:Mobile_Top_10_2016-CenterLink | year={{{yea..."

{{LinkBar
|useprev={{{useprev}}}
|prev={{{prev}}}
|usenext={{{usenext}}}
|next={{{next}}}
|usemain=Template:Mobile_Top_10_2016-CenterLink
| year={{{year}}}
|language={{{language}}}
}}
----
<center>''© 2002-2016 OWASP Foundation''
This document is licensed under the Creative Commons [http://creativecommons.org/licenses/by-sa/3.0/ Attribution-ShareAlike 3.0] license. Some rights reserved. [http://creativecommons.org/licenses/by-sa/3.0/ [[File:CC-by-sa-3_0-88x31.png]] ]</center>

{{Mobile_Top_10:LanguageFile|text=projectCategory|language={{{language}}}|year={{{year}}} }}