SlideShare a Scribd company logo

The fundamentals of Android and iOS app security

NowSecure
NowSecure

Looking for a high-intensity bootcamp covering the basics of secure mobile development? This slideshare was originally presented by mobile security expert and NowSecure CEO Andrew Hoog for a 60-minute workshop at Security by Design covering the following topics: + Introduction to identifying security flaws in mobile apps (and how to avoid them) + Examples of secure and insecure mobile apps and how to secure them + Overview of secure mobile development based on the NowSecure Secure Mobile Development Best Practices

Technology
1 of 53
Download to read offline
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. The fundamentals of Android and iOS app security
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Andrew Hoog CEO | NowSecure @ahoog42 ahoog@nowsecure.com ● Computer scientist, mobile security and forensics researcher ● Author, expert witness, and patent-holder ● Regularly briefs senior government officials and top banking institutions about mobile security
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Contents ● Too many apps are vulnerable ● Security needs to be part of the development workflow ● Secure mobile development best practices ● Automated security testing and continuous integration (CI) in practice
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Too many mobile apps are vulnerable
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Real-world examples of mobile app security failures Starbucks Thieves siphoned money out of users’ accounts using the mobile app via USA Today Ola India’s largest startup with $1.1B in funding was hacked to allow unlimited free rides via The Next Web Hulu and Tinder App vulnerabilities offered access to free premium accounts via CNBC
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Mobile apps with at least one high risk security or privacy flaw 2016 NowSecure Mobile Security Report A quarter of mobile apps are vulnerable 25%
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.© Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. More popular apps are more likely to include a security flaw 1M-5M Downloads 5M-10M Downloads 37% 46% 50% 100K-500K Downloads 2016 NowSecure Mobile Security Report
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.© Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Issues within apps downloaded more than 1 million times Apps exposing sensitive data Apps with security flaws 2016 NowSecure Mobile Security Report
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Developers aren’t trained in developing secure mobile apps Tools that identify mobile security flaws aren’t kept up-to-date Mobile app security is assumed (if it’s considered at all) Time and budget are not committed to mobile app security The roots of the mobile app security problem
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Why make security a part of the mobile app development workflow?
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Almost half of orgs deploy weekly or more often https://blog.newrelic.com/2016/02/04/data-culture-survey-results-faster-deployment/
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Developing with security in mind saves you time Requirements / Architecture Coding Integration / Component Testing System / Acceptance Testing Production / Post-Release Source: National Institute of Standards and Technology The cost (time, money, etc.) of fixing defects is 30xhigher after an app has been deployed
© Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Development / Integration Staging Production Dev Team Version Control Build & Unit Tests Automated Acceptance Tests Release User Acceptance Tests Check-in Check-in Check-in Trigger Trigger Trigger Trigger Trigger Approval Approval Feedback Feedback Feedback Feedback Feedback Feedback Engineer QA DevOps Shift security & performance testing to the left
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Secure mobile development best practices
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. OWASP Top 10 Mobile Risks (draft 2016 update) 42+ tips for building secure mobile apps Source material for mobile app security fundamentals
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 1 Improper Platform Usage OWASP MOBILE TOP 10 2016 DRAFT
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Misuse of a platform feature or lack of platform security controls for the Android or iOS operating systems. Issues may include incorrect use of the keychain on iOS or Android intents.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Android - Implement Intents Carefully Intents are used for inter-component signaling. Improper implementation could result in data leakage, restricted functions being called and program flow being manipulated. https://books.nowsecure.com/secure-mobile-development/en/android /implement-intents-carefully.html iOS - Use the Keychain Carefully iOS provides the keychain for secure data storage. However, in several scenarios, the keychain can be compromised and subsequently decrypted. https://books.nowsecure.com/secure-mobile-development/en/ios/use- the-keychain-carefully.html Best practice(s):
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 2 Insecure Data Storage OWASP MOBILE TOP 10 2016 DRAFT
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Vulnerabilities that leak personal information and provide access to hackers.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. 1 in 10apps leak private, sensitive data like email, username, or password NowSecure: 2016 NowSecure Mobile Security Report Data from testing 400,000 mobile apps
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Implement secure data storage Transmit and display but do not persist to memory. Ensure that an analog leak does not present itself where screenshots of the data are written to disk. Store only in RAM (clear at application close). https://books.nowsecure.com/secure-mobile-development/en/sensitive-data/implement-secure-data-sto rage.html Securely store data in RAM Do not keep sensitive data (e.g., encryption keys) in RAM longer than required. Nullify any variables that hold keys after use. https://books.nowsecure.com/secure-mobile-development/en/ios/use-the-keychain-carefully.html Best practice(s):
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 3Insecure Communication OWASP MOBILE TOP 10 2016 DRAFT
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Insecure communication refers to communications being sent in cleartext as well as other insecure methods.
© Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Example: SwiftKey vulnerabilities (CVE-2015-4640 & CVE-2015-4641) Best practice(s): Fully validate SSL/TLS An application not properly validating its connection to the server is susceptible to a man-in-the-middle attack by a privileged network attacker. https://books.nowsecure.com/secure-mobile-d evelopment/en/sensitive-data/fully-validate-ss l-tls.html
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 4Insecure Authentication OWASP MOBILE TOP 10 2016 DRAFT
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Mobile apps need to securely identify a user and maintain that user’s identity, especially when users are calling and sending sensitive data such as financial information.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Best practice(s): Hide Account Numbers and Use Tokens Given the widespread use of mobile apps in public places, displaying partial numbers (e.g. *9881) can help ensure maximum privacy for this information. Unless there is a need to store the complete number on the device, store the partially hidden numbers. https://books.nowsecure.com/secure-mobile-develo pment/en/sensitive-data/hide-account-numbers-and -use-tokens.html
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 5Insufficient Cryptography OWASP MOBILE TOP 10 2016 DRAFT
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. The process behind encryption and decryption may allow a hacker to decrypt sensitive data. The algorithm behind encryption and decryption may be weak in nature.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Implement secure data storage If storing sensitive data on the device is a requirement, add an additional layer of verified, third-party encryption. By adding another layer of encryption, you have more control over the implementation and mitigate attacks focused on the main OS encryption classes. https://books.nowsecure.com/secure-mobile-developme nt/en/sensitive-data/implement-secure-data-storage.ht ml Best practice(s):
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 6Insecure Authorization OWASP MOBILE TOP 10 2016 DRAFT
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Insecure authorization refers to the failure of a server to properly enforce identity and permissions as stated by the mobile app.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Best practice(s): Implement Proper Web Server Configuration Certain settings on a web server can increase security. One commonly overlooked vulnerability on a web server is information disclosure. Information disclosure can lead to serious problems because every piece of information attackers can gain from a server makes staging an attack easier. https://books.nowsecure.com/secure-mobile-d evelopment/en/servers/web-server-configurat ion.html
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 7 Client Code Quality OWASP MOBILE TOP 10 2016 DRAFT
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Risks that come from vulnerabilities like buffer overflows, format-string vulnerabilities, and various other code-level mistakes where the solution is to rewrite some code that's running on the mobile device.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Vulnerabilities in the Vitamio SDK NowSecure Blog: World Writable Code Is Bad, MMMMKAY Best practice(s): Test third-party libraries Third-party libraries can contain vulnerabilities and weaknesses. Many developers assume third-party libraries are well-developed and tested, however, issues can and do exist in their code. https://books.nowsecure.com/secure-mobile-d evelopment/en/coding-practices/test-third-pa rty-libraries.html
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 8Code Tampering OWASP MOBILE TOP 10 2016 DRAFT
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. When attackers tamper with or install a backdoor on an app, re-sign it and publish the malicious version to third-party app marketplaces.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. ● 50M downloads in 19 days on Android alone ● Within 3 days of initial release, malicious DroidJack software found on third-party app stores ● Remote Access Tool (RAT) can open a silent, backdoor for hackers Source: The Hacker News Example: PokemonGO
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Best practice(s): Implement Anti-Tampering Techniques Employ anti-tamper and tamper-detection techniques to prevent illegitimate applications from executing. Use checksums, digital signatures, and other validation mechanisms to help detect file tampering. https://books.nowsecure.com/secure-mobile-development/en/coding-practices/anti- tamper-techniques.html
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 9Reverse Engineering OWASP MOBILE TOP 10 2016 DRAFT
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Reverse engineering refers to the analysis of a final binary to determine its source code, libraries, algorithms, and more.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Best practice(s): Increase Code Complexity and Use Obfuscation Reverse engineering apps can provide valuable insight into how your app works. Making your app more complex internally makes it more difficult for attackers to see how the app operates, which can reduce the number of attack vectors. https://books.nowsecure.com/secure-mobile-development/en/coding-practices/code -complexity-and-obfuscation.html
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 1 Extraneous Functionality OWASP MOBILE TOP 10 2016 DRAFT0
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Developers frequently include hidden backdoors or security controls they do not plan on releasing into production. This error creates risk when a feature is released to the wild that was never intended to be shared.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. ● Manufacturer of hardware chips and processors for mobile devices ● A debug tool, left open for carriers to test network connections, was left open on shipped devices Source: The Hacker News Example: MediaTek
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Best practice(s): Carefully Manage Debug Logs Debug logs are generally designed to be used to detect and correct flaws in an application. These logs can leak sensitive information that may help an attacker create a more powerful attack. https://books.nowsecure.com/secure-mobile-development/en/caching-logging/carefu lly-manage-debug-logs.html
Review the NowSecure Secure Mobile Development Best Practices in their entirety: Read Now
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. You can view the GitHub repository here: https://github.com/nowsecure/ secure-mobile-development Contribute to the Secure Mobile Development Best Practices
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. In practice: continuous integration and automated mobile app security testing +
Don’t Panic Connect any time: @NowSecureMobile www.nowsecure.com Learn more about developing secure Android and iOS apps with the NowSecure Secure Mobile Development Best Practices: books.nowsecure.com/secure-mobile-development/

Recommended

mobile application security
mobile application securitymobile application security
mobile application security
-jyothish kumar sirigidi
 
OWASP Top 10 for Mobile
OWASP Top 10 for MobileOWASP Top 10 for Mobile
OWASP Top 10 for Mobile
Appvigil - Mobile App Security Scanner
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10
Pawel Rzepa
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10
NowSecure
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
Subho Halder
 
Security testing in mobile applications
Security testing in mobile applicationsSecurity testing in mobile applications
Security testing in mobile applications
Jose Manuel Ortega Candel
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
Sergey Soldatov
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam
 

Recommended

mobile application security
mobile application securitymobile application security
mobile application security
-jyothish kumar sirigidi
 
OWASP Top 10 for Mobile
OWASP Top 10 for MobileOWASP Top 10 for Mobile
OWASP Top 10 for Mobile
Appvigil - Mobile App Security Scanner
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10
Pawel Rzepa
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10
NowSecure
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
Subho Halder
 
Security testing in mobile applications
Security testing in mobile applicationsSecurity testing in mobile applications
Security testing in mobile applications
Jose Manuel Ortega Candel
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
Sergey Soldatov
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration Testing
BGA Cyber Security
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for Beginners
RyanISI
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
Bhushan Gurav
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application Security
Eryk Budi Pratama
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and Guidelines
WSO2
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
n|u - The Open Security Community
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
n|u - The Open Security Community
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
Cláudio André
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
Mykhailo Antonishyn
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
cclark_isec
 
Zero Trust Model Presentation
Zero Trust Model PresentationZero Trust Model Presentation
Zero Trust Model Presentation
Gowdhaman Jothilingam
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android Apps
Abdelhamid Limami
 
Threat Intelligence
Threat IntelligenceThreat Intelligence
Threat Intelligence
Deepak Kumar (D3)
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Sounil Yu
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
Ishan Girdhar
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017
TecsyntSolutions
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
Yogesh Ojha
 
2 Security Architecture+Design
2 Security Architecture+Design2 Security Architecture+Design
2 Security Architecture+Design
Alfred Ouyang
 
Cyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: Reloaded
Sounil Yu
 
Ios seminar
Ios seminarIos seminar
Ios seminar
Kurikkal Ashique
 
InfoSec World 2014 Security Imperatives for IOS and Android
InfoSec World 2014 Security Imperatives for IOS and AndroidInfoSec World 2014 Security Imperatives for IOS and Android
InfoSec World 2014 Security Imperatives for IOS and Android
Symosis Security (Previously C-Level Security)
 

More Related Content

What's hot

API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and Guidelines
WSO2
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 

What's hot (20)

Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration Testing
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for Beginners
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application Security
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and Guidelines
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android Applications
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Zero Trust Model Presentation
Zero Trust Model PresentationZero Trust Model Presentation
Zero Trust Model Presentation
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android Apps
 
Threat Intelligence
Threat IntelligenceThreat Intelligence
Threat Intelligence
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
 
2 Security Architecture+Design
2 Security Architecture+Design2 Security Architecture+Design
2 Security Architecture+Design
 
Cyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: Reloaded
 

Viewers also liked

Android vs i os features
Android vs i os featuresAndroid vs i os features
Android vs i os features
Guang Ying Yuan
 
The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown
Tom Eston
 

Viewers also liked (7)

Ios seminar
Ios seminarIos seminar
Ios seminar
 
InfoSec World 2014 Security Imperatives for IOS and Android
InfoSec World 2014 Security Imperatives for IOS and AndroidInfoSec World 2014 Security Imperatives for IOS and Android
InfoSec World 2014 Security Imperatives for IOS and Android
 
Android vs iOS security
Android vs iOS securityAndroid vs iOS security
Android vs iOS security
 
Android vs i os features
Android vs i os featuresAndroid vs i os features
Android vs i os features
 
Android vs. iPhone for Mobile Security
Android vs. iPhone for Mobile SecurityAndroid vs. iPhone for Mobile Security
Android vs. iPhone for Mobile Security
 
How iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarHow iOS and Android Handle Security Webinar
How iOS and Android Handle Security Webinar
 
The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown The Android vs. Apple iOS Security Showdown
The Android vs. Apple iOS Security Showdown
 

Similar to The fundamentals of Android and iOS app security

How to make Android apps secure: dos and don’ts
How to make Android apps secure: dos and don’tsHow to make Android apps secure: dos and don’ts
How to make Android apps secure: dos and don’ts
NowSecure
 
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesCASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
NowSecure
 
Tips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile Apps
TechWell
 
Tips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile Apps
TechWell
 
Debunking the Top 5 Myths About Mobile AppSec
Debunking the Top 5 Myths About Mobile AppSecDebunking the Top 5 Myths About Mobile AppSec
Debunking the Top 5 Myths About Mobile AppSec
NowSecure
 

Similar to The fundamentals of Android and iOS app security (20)

How to make Android apps secure: dos and don’ts
How to make Android apps secure: dos and don’tsHow to make Android apps secure: dos and don’ts
How to make Android apps secure: dos and don’ts
 
Five mobile security challenges facing the enterprise
Five mobile security challenges facing the enterpriseFive mobile security challenges facing the enterprise
Five mobile security challenges facing the enterprise
 
Cybersecurity Fundamentals for Bar Associations
Cybersecurity Fundamentals for Bar AssociationsCybersecurity Fundamentals for Bar Associations
Cybersecurity Fundamentals for Bar Associations
 
It's not about you: Mobile security in 2016
It's not about you: Mobile security in 2016It's not about you: Mobile security in 2016
It's not about you: Mobile security in 2016
 
Preparing for the inevitable: The mobile incident response playbook
Preparing for the inevitable: The mobile incident response playbookPreparing for the inevitable: The mobile incident response playbook
Preparing for the inevitable: The mobile incident response playbook
 
iOS and Android security: Differences you need to know
iOS and Android security: Differences you need to knowiOS and Android security: Differences you need to know
iOS and Android security: Differences you need to know
 
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesCASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
 
Mobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceMobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic Menace
 
Delivering secure mobile financial services (MFS) - "Frictionless" vs diligence
Delivering secure mobile financial services (MFS) - "Frictionless" vs diligenceDelivering secure mobile financial services (MFS) - "Frictionless" vs diligence
Delivering secure mobile financial services (MFS) - "Frictionless" vs diligence
 
How to scale mobile application security testing
How to scale mobile application security testingHow to scale mobile application security testing
How to scale mobile application security testing
 
5 Mobile App Security MUST-DOs in 2018
5 Mobile App Security MUST-DOs in 20185 Mobile App Security MUST-DOs in 2018
5 Mobile App Security MUST-DOs in 2018
 
Tips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile Apps
 
Mobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeMobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the Code
 
Tips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile Apps
 
Vetting Mobile Apps for Corporate Use: Security Essentials
Vetting Mobile Apps for Corporate Use: Security EssentialsVetting Mobile Apps for Corporate Use: Security Essentials
Vetting Mobile Apps for Corporate Use: Security Essentials
 
Debunking the Top 5 Myths About Mobile AppSec
Debunking the Top 5 Myths About Mobile AppSecDebunking the Top 5 Myths About Mobile AppSec
Debunking the Top 5 Myths About Mobile AppSec
 
Compliance in the mobile enterprise: 5 tips to prepare for your next audit
Compliance in the mobile enterprise: 5 tips to prepare for your next auditCompliance in the mobile enterprise: 5 tips to prepare for your next audit
Compliance in the mobile enterprise: 5 tips to prepare for your next audit
 
How to Build Secure Mobile Apps.pdf
How to Build Secure Mobile Apps.pdfHow to Build Secure Mobile Apps.pdf
How to Build Secure Mobile Apps.pdf
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile Applications
 
Securing mobile apps in a BYOD world
Securing mobile apps in a BYOD worldSecuring mobile apps in a BYOD world
Securing mobile apps in a BYOD world
 

More from NowSecure

OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
OSS Tools: Creating a Reverse Engineering Plug-in for r2fridaOSS Tools: Creating a Reverse Engineering Plug-in for r2frida
OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
NowSecure
 
Mobile App Security Predictions 2019
Mobile App Security Predictions 2019Mobile App Security Predictions 2019
Mobile App Security Predictions 2019
NowSecure
 
Jeff's Journey: Best Practices for Securing Mobile App DevOps
Jeff's Journey: Best Practices for Securing Mobile App DevOpsJeff's Journey: Best Practices for Securing Mobile App DevOps
Jeff's Journey: Best Practices for Securing Mobile App DevOps
NowSecure
 
5 Tips for Agile Mobile App Security Testing
5 Tips for Agile Mobile App Security Testing5 Tips for Agile Mobile App Security Testing
5 Tips for Agile Mobile App Security Testing
NowSecure
 
Solving for Compliance: Mobile app security for banking and financial services
Solving for Compliance: Mobile app security for banking and financial servicesSolving for Compliance: Mobile app security for banking and financial services
Solving for Compliance: Mobile app security for banking and financial services
NowSecure
 
Leaky Mobile Apps: What You Need to Know
Leaky Mobile Apps: What You Need to KnowLeaky Mobile Apps: What You Need to Know
Leaky Mobile Apps: What You Need to Know
NowSecure
 
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
NowSecure
 

More from NowSecure (20)

iOS recon with Radare2
iOS recon with Radare2iOS recon with Radare2
iOS recon with Radare2
 
From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference Architecture
From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference ArchitectureFrom Tangled Mess to Organized Flow: A Mobile DevSecOps Reference Architecture
From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference Architecture
 
Android Q & iOS 13 Privacy Enhancements
Android Q & iOS 13 Privacy EnhancementsAndroid Q & iOS 13 Privacy Enhancements
Android Q & iOS 13 Privacy Enhancements
 
OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
OSS Tools: Creating a Reverse Engineering Plug-in for r2fridaOSS Tools: Creating a Reverse Engineering Plug-in for r2frida
OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
 
Building a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing BlueprintBuilding a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing Blueprint
 
Mobile App Security Predictions 2019
Mobile App Security Predictions 2019Mobile App Security Predictions 2019
Mobile App Security Predictions 2019
 
Jeff's Journey: Best Practices for Securing Mobile App DevOps
Jeff's Journey: Best Practices for Securing Mobile App DevOpsJeff's Journey: Best Practices for Securing Mobile App DevOps
Jeff's Journey: Best Practices for Securing Mobile App DevOps
 
A Risk-Based Mobile App Security Testing Strategy
A Risk-Based Mobile App Security Testing StrategyA Risk-Based Mobile App Security Testing Strategy
A Risk-Based Mobile App Security Testing Strategy
 
Android P Security Updates: What You Need to Know
Android P Security Updates: What You Need to KnowAndroid P Security Updates: What You Need to Know
Android P Security Updates: What You Need to Know
 
iOS 12 Preview - What You Need To Know
iOS 12 Preview - What You Need To KnowiOS 12 Preview - What You Need To Know
iOS 12 Preview - What You Need To Know
 
5 Tips for Agile Mobile App Security Testing
5 Tips for Agile Mobile App Security Testing5 Tips for Agile Mobile App Security Testing
5 Tips for Agile Mobile App Security Testing
 
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDATop OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
 
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
 
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App RiskMobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
 
What attackers know about your mobile apps that you don’t: Banking & FinTech
What attackers know about your mobile apps that you don’t: Banking & FinTechWhat attackers know about your mobile apps that you don’t: Banking & FinTech
What attackers know about your mobile apps that you don’t: Banking & FinTech
 
Solving for Compliance: Mobile app security for banking and financial services
Solving for Compliance: Mobile app security for banking and financial servicesSolving for Compliance: Mobile app security for banking and financial services
Solving for Compliance: Mobile app security for banking and financial services
 
Leaky Mobile Apps: What You Need to Know
Leaky Mobile Apps: What You Need to KnowLeaky Mobile Apps: What You Need to Know
Leaky Mobile Apps: What You Need to Know
 
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
 
Next-level mobile app security: A programmatic approach
Next-level mobile app security: A programmatic approachNext-level mobile app security: A programmatic approach
Next-level mobile app security: A programmatic approach
 
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...
 

Recently uploaded

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Recently uploaded (20)

Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 

The fundamentals of Android and iOS app security

  • 1. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. The fundamentals of Android and iOS app security
  • 2. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Andrew Hoog CEO | NowSecure @ahoog42 ahoog@nowsecure.com ● Computer scientist, mobile security and forensics researcher ● Author, expert witness, and patent-holder ● Regularly briefs senior government officials and top banking institutions about mobile security
  • 3. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Contents ● Too many apps are vulnerable ● Security needs to be part of the development workflow ● Secure mobile development best practices ● Automated security testing and continuous integration (CI) in practice
  • 4. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Too many mobile apps are vulnerable
  • 5. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Real-world examples of mobile app security failures Starbucks Thieves siphoned money out of users’ accounts using the mobile app via USA Today Ola India’s largest startup with $1.1B in funding was hacked to allow unlimited free rides via The Next Web Hulu and Tinder App vulnerabilities offered access to free premium accounts via CNBC
  • 6. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Mobile apps with at least one high risk security or privacy flaw 2016 NowSecure Mobile Security Report A quarter of mobile apps are vulnerable 25%
  • 7. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.© Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. More popular apps are more likely to include a security flaw 1M-5M Downloads 5M-10M Downloads 37% 46% 50% 100K-500K Downloads 2016 NowSecure Mobile Security Report
  • 8. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.© Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Issues within apps downloaded more than 1 million times Apps exposing sensitive data Apps with security flaws 2016 NowSecure Mobile Security Report
  • 9. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Developers aren’t trained in developing secure mobile apps Tools that identify mobile security flaws aren’t kept up-to-date Mobile app security is assumed (if it’s considered at all) Time and budget are not committed to mobile app security The roots of the mobile app security problem
  • 10. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Why make security a part of the mobile app development workflow?
  • 11. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Almost half of orgs deploy weekly or more often https://blog.newrelic.com/2016/02/04/data-culture-survey-results-faster-deployment/
  • 12. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Developing with security in mind saves you time Requirements / Architecture Coding Integration / Component Testing System / Acceptance Testing Production / Post-Release Source: National Institute of Standards and Technology The cost (time, money, etc.) of fixing defects is 30xhigher after an app has been deployed
  • 13. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Development / Integration Staging Production Dev Team Version Control Build & Unit Tests Automated Acceptance Tests Release User Acceptance Tests Check-in Check-in Check-in Trigger Trigger Trigger Trigger Trigger Approval Approval Feedback Feedback Feedback Feedback Feedback Feedback Engineer QA DevOps Shift security & performance testing to the left
  • 14. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Secure mobile development best practices
  • 15. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. OWASP Top 10 Mobile Risks (draft 2016 update) 42+ tips for building secure mobile apps Source material for mobile app security fundamentals
  • 16. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
  • 17. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 1 Improper Platform Usage OWASP MOBILE TOP 10 2016 DRAFT
  • 18. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Misuse of a platform feature or lack of platform security controls for the Android or iOS operating systems. Issues may include incorrect use of the keychain on iOS or Android intents.
  • 19. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Android - Implement Intents Carefully Intents are used for inter-component signaling. Improper implementation could result in data leakage, restricted functions being called and program flow being manipulated. https://books.nowsecure.com/secure-mobile-development/en/android /implement-intents-carefully.html iOS - Use the Keychain Carefully iOS provides the keychain for secure data storage. However, in several scenarios, the keychain can be compromised and subsequently decrypted. https://books.nowsecure.com/secure-mobile-development/en/ios/use- the-keychain-carefully.html Best practice(s):
  • 20. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 2 Insecure Data Storage OWASP MOBILE TOP 10 2016 DRAFT
  • 21. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Vulnerabilities that leak personal information and provide access to hackers.
  • 22. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. 1 in 10apps leak private, sensitive data like email, username, or password NowSecure: 2016 NowSecure Mobile Security Report Data from testing 400,000 mobile apps
  • 23. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Implement secure data storage Transmit and display but do not persist to memory. Ensure that an analog leak does not present itself where screenshots of the data are written to disk. Store only in RAM (clear at application close). https://books.nowsecure.com/secure-mobile-development/en/sensitive-data/implement-secure-data-sto rage.html Securely store data in RAM Do not keep sensitive data (e.g., encryption keys) in RAM longer than required. Nullify any variables that hold keys after use. https://books.nowsecure.com/secure-mobile-development/en/ios/use-the-keychain-carefully.html Best practice(s):
  • 24. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 3Insecure Communication OWASP MOBILE TOP 10 2016 DRAFT
  • 25. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Insecure communication refers to communications being sent in cleartext as well as other insecure methods.
  • 26. © Copyright 2015 NowSecure, Inc. All Rights Reserved. Proprietary information. Example: SwiftKey vulnerabilities (CVE-2015-4640 & CVE-2015-4641) Best practice(s): Fully validate SSL/TLS An application not properly validating its connection to the server is susceptible to a man-in-the-middle attack by a privileged network attacker. https://books.nowsecure.com/secure-mobile-d evelopment/en/sensitive-data/fully-validate-ss l-tls.html
  • 27. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 4Insecure Authentication OWASP MOBILE TOP 10 2016 DRAFT
  • 28. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Mobile apps need to securely identify a user and maintain that user’s identity, especially when users are calling and sending sensitive data such as financial information.
  • 29. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Best practice(s): Hide Account Numbers and Use Tokens Given the widespread use of mobile apps in public places, displaying partial numbers (e.g. *9881) can help ensure maximum privacy for this information. Unless there is a need to store the complete number on the device, store the partially hidden numbers. https://books.nowsecure.com/secure-mobile-develo pment/en/sensitive-data/hide-account-numbers-and -use-tokens.html
  • 30. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 5Insufficient Cryptography OWASP MOBILE TOP 10 2016 DRAFT
  • 31. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. The process behind encryption and decryption may allow a hacker to decrypt sensitive data. The algorithm behind encryption and decryption may be weak in nature.
  • 32. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Implement secure data storage If storing sensitive data on the device is a requirement, add an additional layer of verified, third-party encryption. By adding another layer of encryption, you have more control over the implementation and mitigate attacks focused on the main OS encryption classes. https://books.nowsecure.com/secure-mobile-developme nt/en/sensitive-data/implement-secure-data-storage.ht ml Best practice(s):
  • 33. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 6Insecure Authorization OWASP MOBILE TOP 10 2016 DRAFT
  • 34. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Insecure authorization refers to the failure of a server to properly enforce identity and permissions as stated by the mobile app.
  • 35. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Best practice(s): Implement Proper Web Server Configuration Certain settings on a web server can increase security. One commonly overlooked vulnerability on a web server is information disclosure. Information disclosure can lead to serious problems because every piece of information attackers can gain from a server makes staging an attack easier. https://books.nowsecure.com/secure-mobile-d evelopment/en/servers/web-server-configurat ion.html
  • 36. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 7 Client Code Quality OWASP MOBILE TOP 10 2016 DRAFT
  • 37. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Risks that come from vulnerabilities like buffer overflows, format-string vulnerabilities, and various other code-level mistakes where the solution is to rewrite some code that's running on the mobile device.
  • 38. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Vulnerabilities in the Vitamio SDK NowSecure Blog: World Writable Code Is Bad, MMMMKAY Best practice(s): Test third-party libraries Third-party libraries can contain vulnerabilities and weaknesses. Many developers assume third-party libraries are well-developed and tested, however, issues can and do exist in their code. https://books.nowsecure.com/secure-mobile-d evelopment/en/coding-practices/test-third-pa rty-libraries.html
  • 39. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 8Code Tampering OWASP MOBILE TOP 10 2016 DRAFT
  • 40. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. When attackers tamper with or install a backdoor on an app, re-sign it and publish the malicious version to third-party app marketplaces.
  • 41. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. ● 50M downloads in 19 days on Android alone ● Within 3 days of initial release, malicious DroidJack software found on third-party app stores ● Remote Access Tool (RAT) can open a silent, backdoor for hackers Source: The Hacker News Example: PokemonGO
  • 42. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Best practice(s): Implement Anti-Tampering Techniques Employ anti-tamper and tamper-detection techniques to prevent illegitimate applications from executing. Use checksums, digital signatures, and other validation mechanisms to help detect file tampering. https://books.nowsecure.com/secure-mobile-development/en/coding-practices/anti- tamper-techniques.html
  • 43. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 9Reverse Engineering OWASP MOBILE TOP 10 2016 DRAFT
  • 44. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Reverse engineering refers to the analysis of a final binary to determine its source code, libraries, algorithms, and more.
  • 45. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Best practice(s): Increase Code Complexity and Use Obfuscation Reverse engineering apps can provide valuable insight into how your app works. Making your app more complex internally makes it more difficult for attackers to see how the app operates, which can reduce the number of attack vectors. https://books.nowsecure.com/secure-mobile-development/en/coding-practices/code -complexity-and-obfuscation.html
  • 46. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 1 Extraneous Functionality OWASP MOBILE TOP 10 2016 DRAFT0
  • 47. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Developers frequently include hidden backdoors or security controls they do not plan on releasing into production. This error creates risk when a feature is released to the wild that was never intended to be shared.
  • 48. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. ● Manufacturer of hardware chips and processors for mobile devices ● A debug tool, left open for carriers to test network connections, was left open on shipped devices Source: The Hacker News Example: MediaTek
  • 49. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Best practice(s): Carefully Manage Debug Logs Debug logs are generally designed to be used to detect and correct flaws in an application. These logs can leak sensitive information that may help an attacker create a more powerful attack. https://books.nowsecure.com/secure-mobile-development/en/caching-logging/carefu lly-manage-debug-logs.html
  • 50. Review the NowSecure Secure Mobile Development Best Practices in their entirety: Read Now
  • 51. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. You can view the GitHub repository here: https://github.com/nowsecure/ secure-mobile-development Contribute to the Secure Mobile Development Best Practices
  • 52. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. In practice: continuous integration and automated mobile app security testing +
  • 53. Don’t Panic Connect any time: @NowSecureMobile www.nowsecure.com Learn more about developing secure Android and iOS apps with the NowSecure Secure Mobile Development Best Practices: books.nowsecure.com/secure-mobile-development/