INTRODUCTION MOBILE INSECURITY THE END
Mobile Application (In)Security
Fernando Castañeda G.
31 October 2017
#WHOAMI
Penetration Tester or Pentester
Professor
Penetration Testing
Operating Systems
Computer Organization and Architecture
C Programming Language
(Next Semester) Development of Secure Mobile Applications
(Lawless) Developer
Malware Reverse Engineering and CTF aficionado
PRINCIPLES AND STUFF
"Hacker’s Ethics"
Hackers should be judged by their hacking, not bogus
criteria such as degrees, age, race, or position
HISTORY
1908 -> Professor Albert Jahnke (first attempt to build a physical wireless phone)
1907 -> Lewis Baumer, "Forecasts for 1907" (a Punch cartoon anticipating personal wireless devices)
NOWADAYS...
War and (true) hackers changed (almost) everything...
First there were the PDAs, then came the fusion with cellphones that evolved into the devices we carry today
We have incredible processing power in our pockets
With a single touch we can do almost everything we used to do on a PC in the last decade, or on a mainframe in the 90s
SEEMS OK BUT...
We share a lot of personal data through our devices
Pictures
Financial Data
Medical Information
Biometrics
Private or Sensitive Data
And so on...
And it’s far from being safe... :(
SOME EVIDENCE
Perhaps the most important: information leakage...
REMEMBER THE TRIAD (CIA)
Confidentiality
Integrity
Availability
CORE PROBLEMS
Assumptions about user behaviour
Little or no knowledge of the platform
(Mostly) developed under pressure
Lack of interest in InfoSec ("it must work before it must be secure")
OPEN WEB APPLICATION SECURITY PROJECT
Started operating in 2001
Became a foundation in 2004, in order to raise resources for its projects
OWASP depends on donations and on the fees paid by its members, partners and supporting companies
WHAT IS RELEVANT FOR US
OWASP MOBILE TOP 10 (2016)
Code  Vulnerability
M1    Improper Platform Usage
M2    Insecure Data Storage
M3    Insecure Communication
M4    Insecure Authentication
M5    Insufficient Cryptography
M6    Insecure Authorization
M7    Client Code Quality
M8    Code Tampering
M9    Reverse Engineering
M10   Extraneous Functionality
M1. IMPROPER PLATFORM USAGE
Android and iOS are operating systems
Mobile applications are not web applications (at all)
The (web) OWASP Top 10 is a different list:
SQLi
XSS
CSRF (XSRF)
and so on...
M1 is about misusing the platform itself: permissions, intents, the Keychain/Keystore and the other controls the OS already gives you
M2. INSECURE DATA STORAGE
A lot of information can be extracted from a stolen phone
Sensitive data should not be saved in plain text... better still, sensitive data should not be saved on the client side at all
Banking apps ask for re-authentication after a period of inactivity, and that is perfect!
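As an added example (not part of the original slides), this is the triage a pentester runs over the files pulled from a test device with adb pull /data/data/<pkg>/: the SharedPreferences XML and the SQLite table are constructed stand-ins for a hypothetical app, the field-name list and the Luhn check are heuristics, and the only thing the second card row stores is a server-side token, which is the shape the slide asks for.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed stand-in for shared_prefs/<pkg>_preferences.xml pulled from a
# rooted test device. App, user and values are made up.
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">Summer2017!</string>
    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln</string>
    <boolean name="remember_me" value="true" />
    <string name="theme">dark</string>
</map>
"""

# Field names that should never hold a cleartext value on the client (heuristic).
SENSITIVE_NAME = re.compile(r"pass(word|wd)?|secret|token|(^|_)pin($|_)|cvv|ssn", re.I)
# Three base64url segments: the shape of a JWT / bearer token.
JWT_SHAPE = re.compile(r"^[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]*$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum. True means "well-formed card number", not "a real card";
    enough to tell PANs apart from other digit strings (ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(name, value):
    """Return why (name, value) looks like cleartext sensitive data, or None."""
    if value is None:
        return None
    value = str(value)
    if value.isdigit() and 13 <= len(value) <= 19 and luhn_ok(value):
        return "Luhn-valid card number"
    if JWT_SHAPE.match(value):
        return "bearer token (JWT-shaped)"
    if SENSITIVE_NAME.search(name):
        return f"sensitive field {name!r} stored in the clear"
    return None


def scan_prefs(xml_text: str):
    """Walk a SharedPreferences <map>; values live in the text or in value="..."."""
    findings = []
    for el in ET.fromstring(xml_text.encode("utf-8")):
        name = el.get("name", "")
        value = el.text if el.text is not None else el.get("value")
        reason = classify(name, value)
        if reason:
            findings.append(("shared_prefs", name, reason))
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for databases/app.db; every row is made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        CREATE TABLE cards(id INTEGER PRIMARY KEY, holder TEXT, pan TEXT, expiry TEXT);
        INSERT INTO users VALUES (1, 'alice', 'Summer2017!');
        INSERT INTO cards VALUES (1, 'ALICE EXAMPLE', '4111111111111111', '12/19');
        INSERT INTO cards VALUES (2, 'ALICE EXAMPLE', 'tok_4f9c2a', '01/20');
    """)
    return conn


def scan_sqlite(conn: sqlite3.Connection):
    """Read every table and column; flag cleartext secrets by name or by value."""
    findings = set()
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for row in conn.execute(f'SELECT * FROM "{table}"'):
            for col, val in zip(columns, row):
                reason = classify(col, val)
                if reason:
                    findings.add((table, col, reason))
    return sorted(findings)


if __name__ == "__main__":
    for hit in scan_prefs(SAMPLE_PREFS_XML) + scan_sqlite(build_sample_db()):
        print("%-13s %-10s %s" % hit)
```

Every hit is an M2 finding as-is: the password and the token in shared_prefs are readable by anyone with the device or a backup, and the first card row is a full PAN. The second card row is not flagged because it only holds a reference the server can resolve; that, plus re-authentication, is what "do not store it on the client" looks like in data.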
M3, M5 = INSECURE COMMUNICATION, INSUFFICIENT CRYPTOGRAPHY
SSL/TLS is not only for web pages
There is a general misconception of what cryptography is for
Cryptography Is Not the Solution
Cryptography Is Very Difficult
Cryptography Is the Easy Part
-Niels Ferguson, Bruce Schneier, Tadayoshi Kohno (section titles from Cryptography Engineering, chapter 1)
Good implementations and a good understanding are needed: pick a well-known library, use it as designed, and do not write your own primitives or protocols
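An added example (not from the slides) of what "a good implementation and a good understanding" means with nothing but Python's standard library. The first two functions are the mistakes that show up in real apps (an unsalted MD5 "hash", a token compared with ==); the rest use PBKDF2-HMAC-SHA256 with a per-user salt, HMAC-SHA256 for integrity, the OS CSPRNG for session tokens and a constant-time compare. Passwords, keys and messages are made up; the iteration count is the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 600_000   # OWASP Password Storage Cheat Sheet (PBKDF2-HMAC-SHA256)


# ---- What insecure apps do -------------------------------------------------

def weak_password_hash(password: str) -> str:
    """Unsalted MD5: equal passwords give equal hashes, so a leaked table falls
    to precomputed tables and GPU cracking in minutes."""
    return hashlib.md5(password.encode()).hexdigest()


def weak_token_equal(expected: str, supplied: str) -> bool:
    """`==` stops at the first differing byte: a timing side channel on secrets."""
    return expected == supplied


# ---- Well-known primitives, used as designed --------------------------------

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt. The parameters travel
    with the hash, so the verifier is self-describing and iterations can be
    raised later without breaking old records."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def new_session_token() -> str:
    """256 bits from the OS CSPRNG; never random.random(), a counter or a timestamp."""
    return secrets.token_urlsafe(32)


def tag_message(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 gives integrity under a key. A bare SHA-256 of the message
    does not: anyone who changes the message can recompute the hash."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(tag_message(key, message), tag)


if __name__ == "__main__":
    pw = "Summer2017!"                                   # made-up password
    print("md5 linkable:", weak_password_hash(pw) == weak_password_hash(pw))
    h1, h2 = hash_password(pw), hash_password(pw)
    print("pbkdf2 distinct:", h1 != h2, "verifies:", verify_password(pw, h1))
    key = secrets.token_bytes(32)
    tag = tag_message(key, b"amount=10&to=acc-200")
    print("tampered rejected:", not verify_message(key, b"amount=1000&to=acc-200", tag))
```

None of this is exotic; the point of the slide is that the hard part is knowing which of these functions to call and in what order, not implementing them. The same holds on the device: Android Keystore or the iOS Keychain for keys, the platform TLS stack for transport, and no home-made ciphers.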
HOW DOES INSECURE COMMUNICATION AFFECT MY APP?
A man-in-the-middle attack is always possible:
If I am on your network, I can sniff your packets
If I can put a proxy in the path (a rogue Wi-Fi hotspot is enough), I can intercept and modify your requests
With TLS and proper certificate validation, the most the attacker learns is that you talked to the server; without it, or with validation switched off, the attacker reads and rewrites everything
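An added example, not part of the original talk: a small static check that turns "if I use a proxy, I can intercept your requests" into a concrete finding. It greps decompiled Java/Kotlin and manifest text for the idioms that make an app accept any certificate (an empty checkServerTrusted, a HostnameVerifier that returns true, ALLOW_ALL_HOSTNAME_VERIFIER, a WebView that calls proceed() on SSL errors) or send plaintext (usesCleartextTraffic, hard-coded http:// URLs). The SOURCES dictionary is constructed for the example; the package name, endpoint and pin value in it are made up, and the regexes are heuristics, not a parser.

```python
import re

# Each rule: (id, regex, why it matters). Heuristics for the Java/Kotlin and
# manifest idioms named in the description; expect some false positives.
RULES = [
    ("TRUST_ALL_CERTS",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(throws[^{]*)?\{\s*\}"),
     "X509TrustManager.checkServerTrusted with an empty body accepts any chain"),
    ("ACCEPT_ANY_HOSTNAME",
     re.compile(r"boolean\s+verify\s*\(\s*String[^)]*SSLSession[^)]*\)\s*\{\s*return\s+true\s*;"),
     "HostnameVerifier.verify that always returns true"),
    ("ALLOW_ALL_HOSTNAME_VERIFIER",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"),
     "Apache HttpClient SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER"),
    ("WEBVIEW_PROCEED_ON_SSL_ERROR",
     re.compile(r"onReceivedSslError[\s\S]{0,200}?\.proceed\s*\("),
     "WebViewClient.onReceivedSslError calling handler.proceed()"),
    ("CLEARTEXT_PERMITTED",
     re.compile(r'usesCleartextTraffic\s*=\s*"true"|cleartextTrafficPermitted\s*=\s*"true"'),
     "manifest / network_security_config allows plain HTTP"),
    ("HTTP_URL",
     re.compile(r'"http://(?!localhost|127\.0\.0\.1|schemas\.android\.com)[^"]+"'),
     "hard-coded http:// endpoint"),
]

# Constructed sources standing in for the output of apktool/jadx on a
# hypothetical app. Endpoint, package and pin are made up.
SOURCES = {
    "AndroidManifest.xml": '''<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
    <application android:usesCleartextTraffic="true" android:label="Bank"/>
</manifest>''',
    "net/TrustAll.java": '''
TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain, String authType) {}
    public void checkServerTrusted(X509Certificate[] chain, String authType) {}
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}};
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
});
String LEGACY = "http://api.example.bank/v1/login";
''',
    "ui/Web.java": '''
webView.setWebViewClient(new WebViewClient() {
    @Override
    public void onReceivedSslError(WebView v, SslErrorHandler handler, SslError e) {
        handler.proceed();   // "fixes" the staging certificate warning
    }
});
''',
    # The clean counterpart: OkHttp with a pinned SPKI hash (placeholder value).
    "net/Pinned.java": '''
OkHttpClient client = new OkHttpClient.Builder()
    .certificatePinner(new CertificatePinner.Builder()
        .add("api.example.bank", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
        .build())
    .build();
''',
}


def scan_sources(sources: dict):
    """Return sorted (file, line, rule_id) for every rule match; the line is
    where the match starts."""
    hits = []
    for path, text in sources.items():
        for rule_id, pattern, _ in RULES:
            for m in pattern.finditer(text):
                line = text.count("\n", 0, m.start()) + 1
                hits.append((path, line, rule_id))
    return sorted(hits)


if __name__ == "__main__":
    why = {rule_id: reason for rule_id, _, reason in RULES}
    for path, line, rule_id in scan_sources(SOURCES):
        print(f"{path}:{line}: {rule_id}: {why[rule_id]}")
```

Each hit is the reason a proxy with a self-signed certificate (Burp, mitmproxy) sees the traffic in the clear on an unrooted phone. Note that net/Pinned.java produces no hit: pinning on top of normal validation is the configuration that leaves the attacker with only "you talked to the server".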
M4, M6 = INSECURE AUTHENTICATION, INSECURE AUTHORIZATION
Client-side authentication (?): if the app decides whether you are logged in, the attacker decides too
Bad semantics, or "the ID in the request manages it all" (change the id, read someone else's data)
No cookies, no token, nothing at all to identify a user
Remember the AAA
Authentication (who are you?)
Authorization (what may you do?)
Accounting (what did you do?)
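As an added example (this code is not from the talk), the two slides' failures and their fix side by side on a hypothetical banking API: the insecure handler lets the account id in the request select the record and lets a client-sent role unlock extra fields; the secure handler decides authentication from a server-side session table, authorization from the record's owner, and keeps an audit trail for the third A. Users, accounts and balances are made up, and password checking is left out of login() so the focus stays on authorization.

```python
import secrets

# Constructed data for a hypothetical banking API (no real service behind it).
USERS = {"alice": "u-1", "bob": "u-2"}          # login name -> user id
ACCOUNTS = {                                    # account id -> record
    "acc-100": {"owner": "u-1", "balance": 1250},
    "acc-200": {"owner": "u-2", "balance": 80},
}
SESSIONS = {}   # token -> user id, kept on the server: the client is never asked who it is
AUDIT = []      # accounting: (user, account, outcome)


def login(username: str) -> str:
    """Issue an opaque random token and remember on the server who owns it.
    Password verification is omitted here to keep the example on authorization."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = USERS[username]
    return token


# ---- "The ID in the request manages it all" ---------------------------------

def get_account_insecure(request: dict) -> dict:
    """Trusts every field the client sends: the account id alone selects the
    record (IDOR), and a client-supplied role unlocks extra fields."""
    acct = ACCOUNTS[request["account_id"]]
    view = {"balance": acct["balance"]}
    if request.get("role") == "admin":
        view["owner"] = acct["owner"]
    return view


# ---- Authentication and authorization decided on the server ----------------

class Forbidden(Exception):
    pass


def get_account_secure(request: dict) -> dict:
    """Authentication: the token must map to a server-side session.
    Authorization: that session's user must own the requested account.
    No other request field (role, user id, flags) influences either decision."""
    user_id = SESSIONS.get(request.get("token"))
    if user_id is None:
        AUDIT.append(("anonymous", request.get("account_id"), "denied"))
        raise Forbidden("not authenticated")
    acct = ACCOUNTS.get(request.get("account_id"))
    if acct is None or acct["owner"] != user_id:
        # Same refusal for "not yours" and "does not exist": no enumeration oracle.
        AUDIT.append((user_id, request.get("account_id"), "denied"))
        raise Forbidden("not authorized")
    AUDIT.append((user_id, request["account_id"], "ok"))
    return {"balance": acct["balance"]}


def allowed(request: dict) -> bool:
    """True when the secure handler serves the request, False when it refuses."""
    try:
        get_account_secure(request)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    bob = login("bob")
    print(get_account_insecure({"account_id": "acc-100", "role": "admin"}))  # Alice's data
    print(allowed({"token": bob, "account_id": "acc-100"}))                  # False
    print(allowed({"token": bob, "account_id": "acc-200"}))                  # True
    print(AUDIT)
```

The pentest for M4/M6 is exactly the calls in the main block: log in as one user, replay the request with another user's id, add role=admin, drop the token. Anything that still returns data is a finding, and the AUDIT list is what lets the backend notice the attempt afterwards.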
MN. THE REST OF THE TOP VULNERABILITIES
Some frameworks are new, cool and untested
Some functions are deprecated
Sometimes debugging is left enabled when the app ships
Sometimes there are weird reactions to certain actions (extraneous or hidden functionality)
POC
Turn off your camera
Thou shalt not speak about this PoC
This will not be made public, for the good of this fellow... (me)
IMAGES AVAILABLE LIVE ONLY
Sorry :)
A WORD ON MOBILE INSECURITY
Know your framework
Know your platform
Use well-known cryptographic implementations
Secure channels, please! (certbot can help you get free trusted certificates)
Look for deprecated functions
Debug as much as you need, but remember to disable debugging before you ship
A WORD ON MOBILE INSECURITY II
You would not like to see the apps you use broken, exposing your information
If information gets leaked, you may face your clients' anger (and the law...)
Care about information security
Do some penetration testing
Or hire a good pentester
Train!
WHERE CAN I TRAIN?
Never pay for expensive training (unless you really want it); there are a lot of good free resources.
ANDROID -> InsecureBankv2
iOS -> Damn Vulnerable iOS Application (DVIA)
Others -> You should solve both...
Devour the OWASP material (Mobile Top 10, Mobile Security Testing Guide)
QUESTIONS?
FYI:
http://fcastaneda.herokuapp.com/f/c/g/mobileday.pdf
@f99942 || @fcg99942
fernando.castaneda@cert.unam.mx
6665726e616e646f@gmail.com
THANK YOU!

在线购买加拿大英属哥伦比亚大学毕业证本科学位证书原版一模一样
 
SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
 
May Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdfMay Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdf
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
 
Using Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional SafetyUsing Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional Safety
 
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR  SPRING BOOT (SPRING IO)GOING AOT WITH GRAALVM FOR  SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
 
APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)APIs for Browser Automation (MoT Meetup 2024)
APIs for Browser Automation (MoT Meetup 2024)
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
 
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdfAutomated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
 

Mobile Day - App (In)security

  • 1. Mobile Application (In)Security
    Fernando Castañeda G.
    October 31, 2017
  • 2. #WHOAMI
    Penetration Tester or Pentester
    Professor: Penetration Testing, Operating Systems, Computer Organization and Architecture, C Programming Language, (Next Semester) Development of Secure Mobile Applications
    (Lawless) Developer
    Malware Reverse Engineering and CTF aficionado
  • 3. PRINCIPLES AND STUFF
    "Hacker’s Ethics": Hackers should be judged by their hacking, not bogus criteria such as degrees, age, race, or position
  • 4. HISTORY
    1908 -> Professor Albert Jahnke (First attempt to build a physical wireless phone)
    1907 -> Lewis Baumer (Forecasts for 1907)
  • 5. NOWADAYS...
    War and (true) Hackers changed (almost) everything...
    First there were the PDAs, then came the fusion with cellphones that evolved into our useful devices
    We have an incredible processing power in our pockets
    We can do almost everything we used to do on a PC in the last decade, or process through a mainframe in the 90s, with a single touch
  • 6-7. SEEMS OK BUT...
    We share a lot of personal data through our devices: Pictures, Financial Data, Medical Information, Biometrics, Private or Sensitive Data, and so on...
    And it’s far from being safe... :(
  • 8-9. SOME PROOFS
    Perhaps the most important, Information Leakage...
  • 10. REMEMBER THE TRIAD (CIA)
    Confidentiality, Integrity, Availability
  • 11. CORE PROBLEMS
    Assumptions on users’ behaviour
    Low or no knowledge of the platform
    (Mostly) Developed under pressure
    Disinterest in InfoSec (must be functional before secure)
  • 12. OPEN WEB APPLICATION SECURITY PROJECT
    Started operations in 2001
    Became a foundation in 2004, in order to get resources for its projects
    OWASP depends on donations and the fees of its associates, partners and companies
  • 13. WHAT IS RELEVANT FOR US: OWASP MOBILE TOP 10
    Code  Vulnerability
    M1    Improper Platform Usage
    M2    Insecure Data Storage
    M3    Insecure Communication
    M4    Insecure Authentication
    M5    Insufficient Cryptography
    M6    Insecure Authorization
    M7    Client Code Quality
    M8    Code Tampering
    M9    Reverse Engineering
    M10   Extraneous Functionality
  • 14-16. M1. IMPROPER PLATFORM USAGE
    Android and iOS are Operating Systems
    Mobile Applications are not Web Applications (at all)
    OWASP TOP 10 (not mobile): SQLi, XSS, XSRF and so on...
  • 17-19. M2. INSECURE DATA STORAGE
    A lot of information can be extracted from stolen phones
    Sensitive data should not be saved in plain text...
    Sensitive data should not be saved on the client’s side
    Banking Apps ask for re-authentication after some time of no activity, and that is perfect!
  • 20. M3, M5 = INSECURE COMMUNICATION, INSUFFICIENT CRYPTOGRAPHY
    SSL/TLS is not only for web pages
    There is a general misconception of cryptography
  • 21. M3, M5 = INSECURE COMMUNICATION, INSUFFICIENT CRYPTOGRAPHY
    "Cryptography Is Not the Solution", "Cryptography Is Very Difficult", "Cryptography Is the Easy Part" - Niels Ferguson, Bruce Schneier, Tadayoshi Kohno (Cryptography Engineering)
    Good implementations and understanding are needed...
  • 22. HOW DOES INSECURE COMMUNICATION AFFECT MY APP?
    A Man in the Middle attack is always possible
    If I am in your network, I can sniff your packets
    If I used a proxy, I could intercept your requests
  • 23. M4, M6 = INSECURE AUTHENTICATION, INSECURE AUTHORIZATION
    Client Side Authentication (?)
    Bad Semantics, or "the ID in the request manages it all"
    No cookies, token or anything to identify a user
    Remember the AAA: Authentication, Authorization, Accounting
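The two defects slide 23 lists, a request parameter that selects the account with no session to tie it to a user, shown next to the same endpoint rebuilt around the AAA the slide recalls, as an added Python example that is not part of the talk; the account table, the `login` helper and the session tokens are constructed for the demonstration.

```python
import hmac
import secrets

# Constructed sample data: accounts with their owners, and a session table
# that the (assumed) login endpoint fills at sign-in time.
ACCOUNTS = {
    "acct-1001": {"owner": "alice", "balance": 250.0},
    "acct-2002": {"owner": "bob", "balance": 9000.0},
}
SESSIONS = {}    # token -> username
AUDIT_LOG = []   # (user, account_id, outcome): the Accounting in AAA


def login(user: str) -> str:
    """Issue an unguessable session token (stands in for the real login)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def vulnerable_balance(account_id: str) -> float:
    """'The ID in the request manages it all': any caller can read any account,
    because nothing identifies the user and nothing checks ownership."""
    return ACCOUNTS[account_id]["balance"]


def lookup_session(token: str):
    """Map a presented token to its user; compare in constant time."""
    for issued, user in SESSIONS.items():
        if hmac.compare_digest(issued, token):
            return user
    return None


def secure_balance(token: str, account_id: str) -> float:
    """Same endpoint with AAA: authenticate, authorize, account."""
    user = lookup_session(token)                        # Authentication
    if user is None:
        raise PermissionError("missing or invalid session token")
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != user:     # Authorization
        AUDIT_LOG.append((user, account_id, "denied"))
        raise PermissionError("caller does not own this account")
    AUDIT_LOG.append((user, account_id, "read"))        # Accounting
    return account["balance"]
```

The denied attempt lands in AUDIT_LOG, which is what lets a defender notice a client walking through account IDs rather than just failing it silently.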
  • 24. MN. THE REST OF THE TOP VULNERABILITIES
    Some frameworks are new, cool and untested
    Some functions are deprecated
    Sometimes debugging is left activated and forgotten
    Sometimes there are weird reactions to certain actions
  • 25. POC
    Turn off your camera
    Thou shalt not speak about this PoC
    This will not be public, for the good of this fellow... (me)
  • 26. IMAGES AVAILABLE LIVE ONLY
    Sorry :)
  • 27. A WORD ON MOBILE INSECURITY
    Know your framework
    Know your platform
    Use well-known cryptographic implementations
    Secure channels, please! (certbot might help you get free trusted certificates)
    Look for deprecated functions
    Care about debugging, but remember to disable it when you finish debugging
  • 28-30. A WORD ON MOBILE INSECURITY II
    You wouldn’t like to see the apps you use broken, exposing your information
    If information gets leaked, you may face your clients’ anger (and the law...)
    Care about Information Security
    Do some penetration testing, or hire a good pentester
    Train!
  • 31. WHERE CAN I TRAIN?
    Never pay for expensive training (unless you really want it); there are a lot of good free resources. Click these to follow the training...
    ANDROID -> InsecureBankv2
    iOS -> Damn Vulnerable iOS Application
    Others -> You should solve both...
    Devour the OWASP stuff
  • 32-33. QUESTIONS?
    FYI: http://fcastaneda.herokuapp.com/f/c/g/mobileday.pdf
    @f99942 || @fcg99942
    fernando.castaneda@cert.unam.mx
    6665726e616e646f@gmail.com
    THANKS!!!