Mobile Application Threat Modelling
Introduction
WhatsApp has been selected as the mobile application of interest for this paper. Mobile threat modeling is a process that requires keenness to pinpoint possible risks to applications. In order to develop a good threat model, developers should focus on the assets that need security, the technology protocols that provide security, the controls needed to implement an application, and possible attacks from threat agents. This paper will follow strategic steps to establish a good threat model for the WhatsApp application. The steps include a description of the mobile application architecture, the definition of requirements for the application, identification of threats and threat agents, identification of methods of attack, controls, and a threat model report.
Step I: Mobile Application Architecture
WhatsApp Messenger is an application that connects an individual with a registered number using the internet. The registered number acts as the unique WhatsApp account. The app has millions of users and uses various databases. This application has introduced a new era of exploration through its use of the Mnesia database and the XMPP server. The XMPP server is used to maintain the message queue for the users (Paspatis et al., 2018). This section explores the architecture of the application, given that it is one of the fastest and most reliable media transfer applications.
As one of the most preferred messaging applications, WhatsApp can perform such functions as downloading media. Once an individual installs the application on their smartphone, the app will validate phone numbers and contacts from the database after a quick scan. Additionally, the app can be used to send data immediately, since it integrates the camera and gallery of the smartphone. However, the efficiency and convenience the app provides to users is, surprisingly, free. This is because there is more interest in exploring users' personal information in today’s world.
Figure 1.0 XMPP Server (Paspatis et al., 2018).
XMPP is the Extensible Messaging and Presence Protocol. WhatsApp is able to connect users via the internet by using open-source software called Ejabberd. This is a Jabber server that uses the internet to enable the instantaneous transfer of messages between two or more users, provided there is an internet connection.
Figure 1.1 XMPP Server United Purpose vs. General Purpose
The above architectural description shows that the application creates action tickets to avoid duplication. The tickets are stored in the form of doubly linked lists in the Scheduler. The links follow a FIFO order that ensures new requests from the database are detected. The XMPP server and the Mnesia database are connected through the Data Fetcher threads. The connection transfers data from the node to be stored in the mentioned database. Tickets are further subjected to processing for action. The action tickets are consumed by the action threads to obtain the information they carry; this is mostly done to check whether the rules match or not. The connection between the database and query handling is enabled by the Database Handler, which has a special functionality (Wottrich & Smit, 2018).
This application requires quick adaptation to hotfixes and instant updates, which is facilitated by the use of the Erlang programming language. The language can also be used to ensure notifications reach the user when they are offline, usually known as push notifications. Erlang is a special programming language that can be used to develop apps that are free of errors. Therefore, with Erlang, WhatsApp can withstand errors. WhatsApp utilizes Erlang through the Actor Model to ensure concurrency. This helps the actors send messages to each other rather than using the traditional approach of memory sharing. Threads are different from Actors, since the latter are made lightweight by design. Actors function perfectly when they exist within the same machine. However, the message-passing abstractions can still work when the Actors are on different machines. The XMPP protocol is an important part of the architecture; it ensures that messages only reach the receiver node after the queued messages are received. WhatsApp uses the protocol to maintain the message queue. Once the recipient receives the message, the protocol also allows the sender to receive a notification. Messages are removed from the server immediately after delivery (Epsinoza et al., 2017).
Figure 1.3 Erlang
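The queue-then-delete behaviour described above (messages held per recipient while they are offline, a delivery notification back to the sender, and removal of the stored copy after delivery) can be modelled as follows. This is an added Python example, not WhatsApp's or Ejabberd's code; the Relay class, its method names and the sample users are hypothetical.

```python
from collections import deque

class Relay:
    """Hypothetical store-and-forward relay: queue per recipient, delete on ack."""

    def __init__(self):
        self.queues = {}    # recipient -> deque of (msg_id, sender, body) not yet acked
        self.online = {}    # user -> inbox list standing in for a live connection
        self.receipts = {}  # sender -> msg_ids the recipient has confirmed
        self.next_id = 0

    def send(self, sender, recipient, body):
        self.next_id += 1
        self.queues.setdefault(recipient, deque()).append((self.next_id, sender, body))
        self._flush(recipient)
        return self.next_id

    def connect(self, user):
        self.online[user] = []          # new connection, empty inbox
        self._flush(user)               # redeliver anything still unacked
        return self.online[user]

    def _flush(self, user):
        inbox = self.online.get(user)
        if inbox is None:               # offline: messages stay queued
            return
        seen = {m[0] for m in inbox}
        inbox.extend(m for m in self.queues.get(user, ()) if m[0] not in seen)  # FIFO

    def ack(self, user, msg_id):
        # Only the caller's own queue is searched: no deleting others' messages.
        queue = self.queues.get(user, deque())
        for msg in list(queue):
            if msg[0] == msg_id:
                queue.remove(msg)       # stored copy removed after delivery
                self.receipts.setdefault(msg[1], []).append(msg_id)
                return True
        return False                    # unknown or already-acked id: no receipt

    def stored(self, user):
        return len(self.queues.get(user, ()))

def demo():
    relay = Relay()
    mid = relay.send("alice", "bob", "hello")   # constructed sample; bob is offline
    queued = relay.stored("bob")
    inbox = relay.connect("bob")
    acked = relay.ack("bob", inbox[0][0])
    return queued, relay.stored("bob"), acked, relay.receipts.get("alice") == [mid]
```

For a threat model, the two properties worth checking in such a design are that the server retains a message only until the recipient acknowledges it, and that an acknowledgement is accepted only from the recipient the message was queued for.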
Registration of WhatsApp Account
WhatsApp account registration relies on the IMEI number. The user is then directed to input their password and username. In order to reinforce security, the registration process allows the user to select a unique key in the form of a 5-digit PIN.
Step II: Requirements for the Application
Figure 1.4 Data Flow Diagram
WhatsApp application requirements are discussed in terms of use cases, a description of software solution, enhancement requests, and other functional requirements.
Use Cases
The application is able to scan the contact list of the user and add contacts; the user can send a message to another person with an account; the user is able to participate in a group by sending messages; and the app also enables the user to view message history.
Software Solution
The application is free of charge. It allows online transmission of messages and is able to integrate the contacts of the user with the app.
Enhancement Requests
The application has an extra feature known as ‘last seen’, whereby a user is able to see the last time their contact used the application; it shows the exact date and time. Additionally, there is a feature known as ‘user profile’; this feature enables the user to set their preferred profile picture as well as a status of up to 150 characters.
(Rosler & Schwenk, 2018).
Functional Requirements
Registration of User
The application requires one to have a phone number that is valid. After the validity is verified, the user will be compelled to register the number upon application installation. The application is programmed to close if the user skips the registration step. Upon completion of registration, the phone number acts as the unique account on WhatsApp.
Send Message
After installation, the application allows the user to send instant messages to any of the listed contacts on the app. The app has a special delivery report feature that shows the sender that the message is delivered successfully by displaying two ticks within the sent message.
Broadcast Message
The application enables any user to create a group out of the existing contacts on their account. Any message sent is broadcast to the created groups.
Message Status
WhatsApp operates in such a way that the user is able to know whether the message sent has been read or not. When the sent message is read, the sender is then able to see two ticks in that particular message.
(Gupta, 2016).
Software Attributes/Non-Functional Requirements
Scalability
WhatsApp application is able to serve 1 billion users at any given time. The messaging processes occur normally since...