Improper Platform Usage: -
It covers misuse of a platform failure or feature to use platform security controls. It might include Android intents, platform permissions, misuse of TouchID, the KeyChain, or some other security control that is part of mobile operating system.
Insecure Data Storage: -
It covers insecure data storage and unintended data leakage.
Insecure Communication: -
It covers poor handshaking, incorrect SSL versions, weak negotiation, cleartext communication of sensitive assets, etc
Insecure Authentication: -
This category captures notions of authenticating the end user or bad session management including failure to identify the user at all when should be required, failure to maintain user's identity when required and weakness in session management.
Insufficient Cryptography: -
The code applies to a sensitive information asset. However, the cryptography is insufficient in some way. To note that everything related to SSL/TLS goes to insecure communication and if the app fails to use cryptography at all when it is required that goes under Insecure Data Storage. This category is for issues where cryptography is attempted but it wasn't done correctly.
Insecure Authorization: -
It relates to any failures in authorization (eg authorization decisions in the client side, forced browsing, etc). It is distinct from authentication issues (eg, device enrolment, user identification, etc).
If the app does not authenticate users at all in a situation where it should (eg, granting anonymous access to some resource or service when authenticated and authorized access is required), then that is an authentication failure not an authorization failure.
Client Code Quality: -
This was the "Security Decisions via untrusted inputs", one of our lesser used categories. This would be the catch all for code level implementation problems in the mobile client. That's distinct from server side coding mistakes. This would capture things like buffer overflows, format string vulnerabilities, and various other code level mistakes where the solution is to rewrite some code that's running on the mobile.
Code Tampering: -
This category covers binary patching, local resouirce modification, method hooking, method swizzling, and dynamic memory modification.
Once the application is delivered to the mobile device, the code and data resources are resident there. An attacker can either directly modify the code, change the contents of memory dynamically, change or replace system APIs that the application uses, or modify the application's data and resources. This can provide the attacker a direct way of subverting the intended use of the software for personal or monetary gain.
Reverse Engineering: -
This category includes analysis of the final core binary to determine it's source code, libraries, algorithms, and other assets. Softwares such as IDA Pro, Hopper, otool, and other binary inspection tool gives the attacker insight into the inner workings of the application.
Study Material
Quiz