Identify Threats and Threat Agents

Now that you have identified the mobile app's requirements (please see the attached document for steps 1 and 2), you will define its threats.
In Section 3 of the report, you will:
1. Identify possible threats to the mobile application.
   a. Identify the threat agents.
2. Outline the process for defining what threats apply to your mobile application.
After you have identified threats and threat agents, move to the next step, where you will consider the ways an attacker might reach your app’s data.

Identify Methods of Attack

In the previous step, you identified threat agents. In this step and in Section 4 of the report, you will identify different methods an attacker can use to reach the data. This data can be information sensitive to the device or something sensitive to the app itself.
Provide senior management with an understanding of the possible methods of attack on your app.
When you have identified the attack methods, move to the next step, where you will analyze threats to your app.

Consider Controls

You have identified the methods of attack, and now you will discuss the controls to prevent attacks. Consider the following questions:
• What are the controls to detect an attack? Define these controls by platform.
• What are the controls to mitigate or minimize the impact of an attack? Define these controls by platform.
• What are the privacy controls (i.e., controls to protect users' private information)? An example of this would be a security prompt for users to access an address book or geo-location.
• Create a mapping of controls to each specific method of attack (defined in the previous step).
  ◦ Create a level of assurance framework based on the controls implemented. This would be subjective to a certain point, but it would be useful in guiding organizations that want to achieve a certain level of risk management based on the threats and vulnerabilities.

