Developing Secure Mobile Applications
Developing secure mobile applications: developing secure iOS applications and developing secure Android applications.

Published in: Technology
Transcript

  • 1. Developing Secure Mobile Applications
      Clinton Mugge, Symosis Security
  • 2. Introduction
      Clinton Mugge
      • 18 years as a security professional
      • Counterintelligence agent / Big “5” security auditor / Director of Consulting / Symosis Security
      Symosis Security
      • Web application and web services
      • Mobile assessments
      • Compliance-tailored audits
      • Application security training
      • U.S.-based consultants
  • 3. Agenda
      • Rise of “Mobile”
      • What is “Mobile”
      • “Mobile” Fears
      • “Mobile” Mindset
      • “Mobile” Best Practices
      • Security Tools for Testing “Mobile”
      • Questions?
  • 4. The Rise of “MOBILE”
      • Mobile data growth (source: Cisco Global Mobile Data Traffic Forecast)
  • 5. The Rise of “MOBILE”
      • Mobile device growth (source: Gartner Group and JPMorgan Chase)
  • 6. What is “MOBILE”
      • Is it defined by hardware platform?
  • 7. What is “MOBILE”
      • Is it defined by size?
  • 8. What is “MOBILE”
      • Is it defined by a constant idea?
  • 9. What is “MOBILE”
      • Mobile IS perception
      • Mobile tomorrow will not resemble what we perceive today
      • Mobile today is the convergence of data and voice communications and entertainment
      • Mobile will constantly change
  • 10. The Fear
      Understanding what can go wrong
  • 11. “Mobile” Fears
      • Platforms Behaving Badly
  • 12. “Mobile” Fears
      • Developers Behaving Badly
  • 13. “Mobile” Fears
      • Applications Behaving Badly
  • 14. “Mobile” Fears
      • Applications Behaving Badly
  • 15. “Mobile” Fears
      • Many applications have known security issues (source: ViaForensics):
          Category    Application    Platform   Score
          Banking     Chase Mobile   iPhone
          Investing   Wikinvest      iPhone
          Commerce    Amazon Mobile  Android
          Mail        Hushmail       Android
          Social      Facebook       iPhone
          Tax         IRS2Go         iPhone
  • 16. “Mobile” Fears
      • Mobile platforms are targeted by common security threats:
          • Phishing
          • Malware
          • Viruses
          • Worms
      Do not become an easy target!
  • 17. The Mindset
      Think Security
  • 18. Embrace a Secure “Mobile” Mindset
      • This is NOT your father’s Oldsmobile
      • Users do NOT own the file system
      • Users EXPECT you to protect them
      • Others WILL be looking
      • Users ARE more educated (kind of)
      • Educate them to the “WHY” in your experience
  • 19. Avoid “Mobile” Pitfalls
      • HTTP used instead of HTTPS
      • Keychains used improperly
      • User input not sanitized
      • Improper caching of data
      • Sensitive log files
      • URL handler parameters
      • UIPasteboard / UITextAutocorrection (iOS)
      • Backgrounding sensitive screens (iOS)
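The three iOS-specific pitfalls on slide 19 (keyboard autocorrection on secret fields, secrets left on UIPasteboard, and the app snapshot taken when a sensitive screen is backgrounded) each have a small, concrete mitigation. The following is an added example, not code from the slides or from Symosis Security; the type names (SensitiveField, ClipboardPolicy, SnapshotGuard) and the 60-second clipboard lifetime are assumptions.

```swift
import UIKit

// Added example, not from the slides. Mitigations for three iOS pitfalls
// listed on slide 19. All type names here are assumptions.

enum SensitiveField {
    /// Text field for secrets: the keyboard neither caches nor learns from
    /// what is typed, and no autocorrect or spell-check suggestions are
    /// derived from the input (the UITextAutocorrection pitfall).
    static func make() -> UITextField {
        let field = UITextField()
        field.isSecureTextEntry = true
        field.autocorrectionType = .no
        field.spellCheckingType = .no
        field.autocapitalizationType = .none
        return field
    }
}

enum ClipboardPolicy {
    /// Copy a secret so it stays on this device (no Universal Clipboard
    /// sync to other devices) and is cleared by the system after `ttl`
    /// seconds instead of lingering on UIPasteboard indefinitely.
    static func copySecret(_ value: String, ttl: TimeInterval = 60) {
        let item: [String: Any] = ["public.utf8-plain-text": value]
        UIPasteboard.general.setItems([item], options: [
            .localOnly: true,
            .expirationDate: Date().addingTimeInterval(ttl)
        ])
    }
}

/// Covers the key window before the system captures the task-switcher
/// snapshot, so a sensitive screen is not written to the snapshot cache
/// (the "backgrounding sensitive screens" pitfall).
final class SnapshotGuard {
    private weak var window: UIWindow?
    private var cover: UIView?
    private var tokens: [NSObjectProtocol] = []

    init(window: UIWindow) {
        self.window = window
        let center = NotificationCenter.default
        // willResignActive fires before the snapshot is captured, which is
        // why the cover is installed here rather than in didEnterBackground.
        tokens.append(center.addObserver(
            forName: UIApplication.willResignActiveNotification,
            object: nil, queue: .main) { [weak self] _ in self?.show() })
        tokens.append(center.addObserver(
            forName: UIApplication.didBecomeActiveNotification,
            object: nil, queue: .main) { [weak self] _ in self?.hide() })
    }

    deinit {
        tokens.forEach { NotificationCenter.default.removeObserver($0) }
    }

    private func show() {
        guard cover == nil, let window = window else { return }
        // An opaque cover is the conservative choice: a blur still leaks
        // the screen's layout and large text.
        let view = UIView(frame: window.bounds)
        view.backgroundColor = .systemBackground
        view.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        window.addSubview(view)
        cover = view
    }

    private func hide() {
        cover?.removeFromSuperview()
        cover = nil
    }
}

// Typical wiring from the app delegate (assumption: a UIWindow-based app):
//   snapshotGuard = SnapshotGuard(window: window!)
```

The guard is installed once per window and kept alive for the life of the app; it does not need to know which screen is sensitive, which avoids the usual failure mode where one new view controller is forgotten. The clipboard expiry is a backstop, not a substitute for not copying secrets at all where the flow allows it.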
  • 20. Best Practices
      Understanding how to do right
  • 21. “Mobile” Best Practices
      • Break the approach down into core elements:
          • Design
          • Installation
          • Privacy
          • Authentication and Authorization
          • Communications and Session Management
          • Data Validation
          • Data Storage
          • Error Handling
          • Auditing
  • 22. “Mobile” Best Practices
      • Design
          • Define engineering goals
          • Define type of data
          • Define use cases
              • Authenticated / unauthenticated
              • Online / offline use
          • Identify if previously solved
          • Evaluate platform controls
          • HTML5 vs. native
  • 23. “Mobile” Best Practices
      • Installation concerns
          • Privacy concerns
          • Application rights
          • Terms of service / license agreement
          • Installation locations
          • Function follows disclosure
          • File permissions
          • Third-party calls
          • Code signing
          • Masking input
  • 24. “Mobile” Best Practices
      • Authentication
          • Passwords
          • PINs
      • Authorization
          • API keys
          • Cookies
          • Impersonation
      • Communications
          • Encrypted / unencrypted transport
          • Proper SSL certificate validation
          • Handling of the user context
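Slide 24's "proper SSL certificate validation" (and slide 19's HTTP-instead-of-HTTPS pitfall) is where most mobile transport failures happen: the common mistake is a URLSession delegate that accepts whatever certificate the network presents. The following added example, not code from the slides or from Symosis Security, shows that weak pattern beside a hardened delegate that keeps the system's chain and hostname checks and additionally pins the server's public key. The type names and the pin set are assumptions; real pins must be generated offline from the server's actual key.

```swift
import Foundation
import Security
import CryptoKit

// Added example, not from the slides. Weak vs. hardened server-trust
// handling in a URLSession delegate. Type names and pins are assumptions.

/// Weak: every certificate is accepted without evaluation, so any
/// interposed proxy presenting its own certificate reads the traffic.
/// Shown only for contrast with PinnedTrustDelegate below.
final class TrustAnythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            completionHandler(.useCredential, URLCredential(trust: trust))  // no evaluation at all
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

/// Hardened: system validation first (chain, expiry, hostname), then a
/// public-key pin so a CA-issued certificate for the wrong key is refused too.
final class PinnedTrustDelegate: NSObject, URLSessionDelegate {
    /// Base64 SHA-256 digests of the server's public key bytes as returned by
    /// SecKeyCopyExternalRepresentation (note: not the DER SPKI used by
    /// HPKP-style pins). Ship at least one backup pin so key rotation does
    /// not lock every installed client out.
    private let pins: Set<String>

    init(pins: Set<String>) {
        self.pins = pins
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Step 1: never skip the system evaluation. URLSession has already
        // attached an SSL policy for the requested host to this trust object,
        // so this covers chain building, expiry and hostname matching.
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Step 2: at least one certificate in the validated chain must carry
        // a pinned key (SecTrustCopyCertificateChain requires iOS 15+).
        let chain = (SecTrustCopyCertificateChain(trust) as? [SecCertificate]) ?? []
        let pinned = chain.contains { certificate in
            guard let digest = PinnedTrustDelegate.keyDigest(of: certificate) else { return false }
            return pins.contains(digest)
        }
        if pinned {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }

    /// Base64 SHA-256 of a certificate's public key bytes, or nil if the key
    /// cannot be extracted.
    static func keyDigest(of certificate: SecCertificate) -> String? {
        guard let key = SecCertificateCopyKey(certificate),
              let bytes = SecKeyCopyExternalRepresentation(key, nil) as Data? else {
            return nil
        }
        return Data(SHA256.hash(data: bytes)).base64EncodedString()
    }
}

// Usage (assumption: both digests were computed offline from the server's
// current and next public keys):
// let session = URLSession(configuration: .default,
//                          delegate: PinnedTrustDelegate(pins: ["<base64 digest>", "<backup digest>"]),
//                          delegateQueue: nil)
```

The order matters: pinning is a check layered on top of system validation, never a replacement for it, so an expired or hostname-mismatched certificate fails even if its key is pinned. When testing with an HTTP proxy (slide 28), expect the pinned session to refuse the proxy's certificate; that refusal is the behaviour being verified.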
  • 25. “Mobile” Best Practices
      • Data storage and handling
          • Encrypted / unencrypted
          • Validate input
          • URL / URI handlers
      • Error handling and auditing
          • Server errors / information disclosure
          • Logged data (client / server)
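Slide 25's "validate input" and "URL/URI handlers" (the "URL handler parameters" pitfall of slide 19) come together in a custom URL scheme: every parameter arrives from another app or a web page and must be treated as untrusted. The following added example, not code from the slides or from Symosis Security, parses such a deep link against an allow list. The scheme name "exampleapp", the two routes and the Route type are assumptions.

```swift
import Foundation

// Added example, not from the slides: allow-list validation of a custom
// URL scheme's host, path and query parameters. The scheme "exampleapp",
// the routes and the Route type are assumptions.

enum Route: Equatable {
    case showAccount(id: String)
    case openHelp(topic: String)
}

enum DeepLinkParser {
    static let scheme = "exampleapp"
    // Account ids are short alphanumerics; anything else is rejected outright.
    private static let accountID = try! NSRegularExpression(pattern: "^[A-Za-z0-9]{1,32}$")
    // Help topics are a closed set, so the value is matched, not interpolated.
    private static let helpTopics: Set<String> = ["login", "payments", "privacy"]

    /// Returns a Route only when scheme, host and every query parameter are
    /// on the allow list. Unknown hosts, extra or duplicated parameters and
    /// malformed values are rejected rather than partially honoured.
    static func parse(_ url: URL) -> Route? {
        guard url.scheme?.lowercased() == scheme,
              let components = URLComponents(url: url, resolvingAgainstBaseURL: false) else {
            return nil
        }
        let items = components.queryItems ?? []
        // A repeated key (e.g. two "id" values) is treated as malformed:
        // the merged value becomes empty and fails validation below.
        let params = Dictionary(items.map { ($0.name, $0.value ?? "") },
                                uniquingKeysWith: { _, _ in "" })

        switch components.host {
        case "account":
            guard params.count == 1, let id = params["id"],
                  accountID.firstMatch(in: id, range: NSRange(id.startIndex..., in: id)) != nil else {
                return nil
            }
            return .showAccount(id: id)
        case "help":
            guard params.count == 1, let topic = params["topic"],
                  helpTopics.contains(topic) else {
                return nil
            }
            return .openHelp(topic: topic)
        default:
            // No catch-all route such as "open this URL in a web view".
            return nil
        }
    }
}

// Expected behaviour (constructed inputs):
//   DeepLinkParser.parse(URL(string: "exampleapp://account?id=abc123")!)       -> .showAccount(id: "abc123")
//   DeepLinkParser.parse(URL(string: "exampleapp://help?topic=payments")!)     -> .openHelp(topic: "payments")
//   DeepLinkParser.parse(URL(string: "exampleapp://account?id=../etc&x=1")!)   -> nil
//   DeepLinkParser.parse(URL(string: "exampleapp://browse?url=http://x")!)     -> nil
```

The parser only decides where to navigate; a deep link should never by itself trigger a state-changing action such as a payment, a logout or a settings change, because the calling app or page is not authenticated. Such actions still require the user to confirm inside the app after the route is resolved.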
  • 26. Cardinal Rules
      • Do NOT blindly trust the OS (OS behaving badly)
      • Trust Nobody (Developers behaving badly)
      • Do NOT trust the User (Applications behaving badly)
      “If there’s any way they can do it wrong, they will” (Captain Ed Murphy Jr., US Army)
      “If anything can go wrong, it will”
  • 27. Security Testing
      Trust but VERIFY!
  • 28. iOS / Android Testing Tools
      • Platform SDKs
          • Understand the strengths and weaknesses
      • Communication channels
          • HTTP proxy
          • NSURL files
      • Reverse engineering / code analysis / debugging
          • otool, Shark (iOS); dalvik, dexdump, smali (Android)
          • Review memory leaks, uninitialized variables, buffer overflows, type mismatches, dead code
      • Sensitive data in storage
          • Cached data (keyboard, snapshots), plist files, SQLite databases, log files
      • Jailbreaking / rooting
  • 29. Questions?
  • 30. Contact Information
      Clinton Mugge, Symosis Security
      www.symosis.com
      clinton@symosis.com
