Projects/OWASP Mobile Security Project/Roadmap

Overview
The OWASP Mobile Security Project should be a one-stop shopping source of information for mobile application security. The ultimate vision for this project is that anyone seeking guidance on creating or assessing mobile applications should be able to find all the answers they need through OWASP resources. Beginning with a broad Threat Model and followed by a generic initial Mobile Top 10, additional sub-projects would be expected to be spun off. After initial guidance is provided to the community to help guide development initiatives, it would be expected that increasingly detailed technical guidance would follow through a series of sub projects.

The development of tools and efficiency-enhancing resources would be highly encouraged at all phases of the project. Standalone tools as well as extensions to existing tools (OWASP and open-source) would be of great use. Possible projects that are naturally related and would be ideal to promote and encourage development for in a mobile context include ESAPI and O2.

The entire roadmap spans a duration of 12-18 months for beta releases of each task. The concurrence of sub projects will help facilitate and increase the rate at which other sub projects mature.

Generic Threat Model
Timeline - 3 months for initial release
 * Should be considered in the context of mobile computing platforms;
 * Individual devices shouldn't be considered, but instead devices intended for mobile use and the mobile style of data consumption (leverage web services and cloud services, minimal processing on client, etc);
 * Threat model will shape the Top 10.

Generic Top 10
Timeline - 3 months for initial release
 * Using threat model as a base;
 * Perform an assessment of the standard top 10 to determine which threats are applicable, not applicable, or applicable in a modified context;
 * Perform gap analysis of both standard and mobile top 10 lists to demonstrate differentiation, and provide this document to the community;
 * Create the Top 10.

Fork Into Each Platform

 * iOS Project
 * Android Project
 * webOS Project
 * Windows Mobile Project
 * Blackberry Project

Alternate Development Environments For Mobile (Besides Java and Objective-C)

 * Flash
 * AIR
 * MonoDroid
 * MonoTouch
 * MacRuby
 * Perl

What each platform project could contain

 * Description of the security model
 * Assessment checklist
 * Wikis on individual vulnerabilities relevant to the platform
 * Defensive coding techniques
 * API security features
 * References to related OWASP projects and resources
 * Attacks and historic vulnerability information for each platform in "lessons learned" format

Mobile Development Guide
Using the threat model, Mobile Top 10, and other major areas identified through each other sub project, create a mobile development guide. The guide could follow the same general format as the regular development guide, or deviate slightly due to the vast differences between platforms.