docs: owasp mobile top ten security #90
base: main
Conversation
🥳 Thank you so much! This is a great overview article.

When we tell readers what to do, we need to also tell them how to do it. Since a full-blown tutorial and explanation for each section is outside the scope of this overview article, we need to link to tutorials and guides that we've vetted and verified are useful and helpful for mobile developers. I'd say we'd need at least a handful more outbound links to useful technical implementation guides. They don't need to be Flutter-specific. There are also common mistakes we need to draw more attention to with admonitions and highlights.

I'm not a security expert by any means, but I do know that humans are the weakest link of the process, and it's probably worth mentioning that and social engineering, even if it's a throw-away reference in a parenthetical. If you don't get the human side of your organization figured out, no amount of technical best practices matter. And social engineering is an extremely common problem.

The other thing I've seen over and over (and seen resistance to improving) is a complete and total abandon for API key security. You covered this in the article, but we need to explain what the alternatives are and link to them. Anything in a front-end website or mobile app just isn't secure because it's available to be inspected/reverse engineered, tampered with, etc. So we need to press that creating microservices that keep the API key to themselves and expose revokable access tokens for front-ends is the best practice (afaik): i.e., we need to highlight the best solution for each class of vulnerabilities (since it's our job to provide opinions). There are other approaches to this problem, too.

Unrelated, but you should be able to run
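The token-broker pattern the reviewer describes above (a backend that keeps the third-party API key to itself and hands the mobile app only short-lived, revocable access tokens), shown as an added illustration that is not part of this pull request or the Flutter docs. The upstream API, the placeholder key value and the `TokenBroker` / `proxy_request` names are constructed for the example; a real deployment would load the key from a secret store and authenticate the user before `issue()` is called.

```python
"""Backend-for-frontend sketch: the third-party API key never leaves the server.

The mobile app only ever holds an opaque, expiring, revocable token and calls
proxy_request(); the server attaches the real key when it talks upstream.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed placeholder. In production this comes from a secret store or
# environment on the server; it is never compiled into the app bundle, where
# anyone with the APK/IPA could extract it.
UPSTREAM_API_KEY = "sk_live_PLACEHOLDER_NOT_A_REAL_KEY"


@dataclass
class TokenRecord:
    user_id: str
    expires_at: float
    revoked: bool = False


@dataclass
class TokenBroker:
    """Issues and validates short-lived tokens for already-authenticated users."""

    ttl_seconds: int = 900  # 15 minutes; short enough that leaks age out quickly
    _tokens: Dict[str, TokenRecord] = field(default_factory=dict)

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Mint a 256-bit random opaque token bound to a user and an expiry."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[token] = TokenRecord(user_id, now + self.ttl_seconds)
        return token

    def revoke(self, token: str) -> bool:
        """Invalidate a token immediately (compromised device, logout, etc.)."""
        rec = self._tokens.get(token)
        if rec is None:
            return False
        rec.revoked = True
        return True

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id for a live token, or None if unknown/expired/revoked."""
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if rec is None or rec.revoked or now >= rec.expires_at:
            return None
        return rec.user_id


def call_upstream(api_key: str, path: str) -> Tuple[int, dict]:
    """Constructed stand-in for the real third-party API."""
    if not secrets.compare_digest(api_key, UPSTREAM_API_KEY):
        return 401, {"error": "bad api key"}
    return 200, {"path": path, "data": "ok"}


def proxy_request(broker: TokenBroker, token: str, path: str,
                  now: Optional[float] = None) -> Tuple[int, dict]:
    """The endpoint the mobile app calls. The key is attached here, server-side."""
    user = broker.validate(token, now)
    if user is None:
        return 401, {"error": "invalid, expired or revoked token"}
    status, body = call_upstream(UPSTREAM_API_KEY, path)
    return status, {"user": user, **body}


if __name__ == "__main__":
    broker = TokenBroker(ttl_seconds=60)
    tok = broker.issue("alice")            # after the user has logged in
    print(proxy_request(broker, tok, "/weather"))      # 200, served via the key
    broker.revoke(tok)                     # e.g. device reported lost
    print(proxy_request(broker, tok, "/weather"))      # 401, token dead
```

Because the token is opaque and random, the client gains nothing by inspecting it, and a leaked token is bounded by both the TTL and the server-side revocation list; a leaked API key, by contrast, is valid until the third party rotates it.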
Thanks for the feedback, @jolexxa ❤️
Add a security section that talks about the most common topics and recommendations from the OWASP organization