Mobile Application (In)security
Explaining common mobile application security weaknesses and
how to mitigate them.
Adrian Hayter & Andy Swift
CNS Hut 3 Team
adrian.hayter@hut3.net / andy.swift@hut3.net

Attack Vectors
When penetration testing a mobile application, CNS Hut3 focuses
on four distinct areas:
• The Mobile Application
• The Mobile Device – iPhone, Android, Windows Mobile, etc.
• The Network – everything between the device and the server!
• The Server – most mobile applications interface with one.

Adrian Hayter & Andy Swift

Page: 2/25

Apps World
CNS Hut3 went to Apps World...

...and met some random American guy (Steve Wozniak).

How much do developers know about security?

Which of these counts as confidential data?
(a) Usernames & Passwords.
(b) Documents obtained after successful authentication.
(c) Session tokens.
(d) All of the above.

How much do developers know about security?

Which of these counts as confidential data?
(a) Usernames & Passwords. (8%)
(b) Documents obtained after successful authentication. (4%)
(c) Session tokens. (0%)
(d) All of the above. (88%)

How much do developers know about security?
Which of the following is best practice for data sent to web servers?
(a) Send login credentials over HTTPS. Use regular HTTP for
everything else.
(b) Force everything to be sent over HTTPS.
(c) Provide both HTTP and HTTPS and let the user choose.
(d) Allow HTTP but redirect immediately to HTTPS.

How much do developers know about security?
Which of the following is best practice for data sent to web servers?
(a) Send login credentials over HTTPS. Use regular HTTP for
everything else. (8%)
(b) Force everything to be sent over HTTPS. (76%)
(c) Provide both HTTP and HTTPS and let the user choose. (4%)
(d) Allow HTTP but redirect immediately to HTTPS. (12%)

How much do developers know about security?

How should passwords be stored?
(a) In plaintext.
(b) Encoded using Base64.
(c) Salted and then hashed.
(d) Hashed and then salted.

How much do developers know about security?

How should passwords be stored?
(a) In plaintext. (0%)
(b) Encoded using Base64. (20%)
(c) Salted and then hashed. (56%)
(d) Hashed and then salted. (24%)

How much do developers know about security?

Which of these is the best choice for encrypting sensitive files?
(a) SHA-3
(b) Develop our own (secret) in-house encryption mechanism.
(c) AES-256
(d) 3DES

How much do developers know about security?
Which of these is the best choice for encrypting sensitive files?
(a) SHA-3 (16%)
(b) Develop our own (secret) in-house encryption mechanism. (4%)
(c) AES-256 (76%)
(d) 3DES (4%)

How much do developers know about security?
Which is the correct attitude to have towards server-side security?
(a) We should put more focus on server-side security.
(b) We should put equal focus on both server-side and app-side
security.
(c) We don’t need to focus on server-side security because the app
is secure.
(d) We should put more focus on app-side security but be aware of
server-side security issues.

How much do developers know about security?
Which is the correct attitude to have towards server-side security?
(a) We should put more focus on server-side security. (20%)
(b) We should put equal focus on both server-side and
app-side security. (68%)
(c) We don’t need to focus on server-side security because the app
is secure. (0%)
(d) We should put more focus on app-side security but be aware of
server-side security issues. (12%)

Sensitive Data Storage
As an application developer, you have (almost) no control over the
user’s device. Presume the device is already compromised.
If at all possible, don’t store sensitive data on the device.
Sensitive Data includes:
• Credentials (e.g. passwords, keys, etc.)
• Session tokens (e.g. cookies)
• Files containing user information.

Mitigation: If you handle sensitive data, encrypt it before saving it
to the device. Use a strong encryption algorithm like AES-256.
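The mitigation above, worked through in Go as an added example (not code from the slides): records are sealed with AES-256-GCM before they are written to the device, and the key is assumed to come from the platform keystore, for which the keyFromKeystore stub stands in.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// SecureStore seals records with AES-256-GCM before they touch the
// filesystem. The key is never stored next to the ciphertext: on a real
// device it comes from the platform keystore (iOS Keychain / Android
// Keystore), for which keyFromKeystore below is a stand-in.
type SecureStore struct {
	dir  string
	aead cipher.AEAD
}

// keyFromKeystore is an assumption for this example: it returns a fresh
// 32-byte (AES-256) key instead of one the OS keystore generated and protects.
func keyFromKeystore() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func NewSecureStore(dir string, key []byte) (*SecureStore, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SecureStore{dir: dir, aead: aead}, nil
}

// Seal encrypts plaintext under a fresh random nonce and binds it to the
// record name via GCM additional data, so a blob copied from one record
// to another fails to open. Layout: nonce || ciphertext || tag.
func (s *SecureStore) Seal(name string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return s.aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open reverses Seal; tampering with nonce, ciphertext, tag or record
// name yields an error rather than garbage plaintext.
func (s *SecureStore) Open(name string, blob []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(blob) < n+s.aead.Overhead() {
		return nil, errors.New("blob too short")
	}
	return s.aead.Open(nil, blob[:n], blob[n:], []byte(name))
}

// Save writes the sealed record to dir/name with owner-only permissions;
// Load reads it back and opens it.
func (s *SecureStore) Save(name string, plaintext []byte) error {
	blob, err := s.Seal(name, plaintext)
	if err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(s.dir, name), blob, 0o600)
}

func (s *SecureStore) Load(name string) ([]byte, error) {
	blob, err := os.ReadFile(filepath.Join(s.dir, name))
	if err != nil {
		return nil, err
	}
	return s.Open(name, blob)
}

func main() {
	key, _ := keyFromKeystore()
	dir, _ := os.MkdirTemp("", "securestore")
	defer os.RemoveAll(dir)
	store, _ := NewSecureStore(dir, key)
	// Constructed sample: a session token the app must keep between launches.
	_ = store.Save("session", []byte("sess-0123456789abcdef"))
	got, err := store.Load("session")
	fmt.Printf("recovered %q (err=%v)\n", got, err)
}
```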

Device Caches

Many devices keep caches of user input and other data relating to
the application.
• Temporary Files – Downloads, Documents, etc.
• User Dictionary – Depending on input type.
• Application Snapshots (iOS)

Mitigation: Remove files once they are no longer needed. Specify
correct input types. Disable caches if possible.

Device Caches: iOS Dictionary

Accessible via jailbreaking:
• /private/var/mobile/Library/Keyboard/dynamic-text.dat
• /private/var/mobile/Library/Keyboard/en_GB-dynamic-text.dat

The iOS “DynamicDictionary” keeps a record of everything typed
into text boxes (Google searches, Facebook messages, SMS, email,
etc.)

Insecure Data Transmission

If data is sent over an unencrypted channel, it can be intercepted
and modified.
You can’t control which networks a user connects to. How many
people can resist free WiFi networks at coffee shops?
Even trusted networks can’t be relied on due to Evil-twin attacks.
Mitigation: Transmit data over an SSL / TLS connection at all
times.

SSL / TLS
SSL / TLS misconfigurations are some of the most common
security weaknesses.
Application side:
• Weak cipher selection.
• Accepting invalid certificates.

Server side:
• Supporting old protocols, weak ciphers.
• Renegotiation Denial of Service, BEAST, CRIME, BREACH

Mitigation: Mostly configuration file changes!
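An added example in Go (not from the slides) covering the application-side weaknesses listed above and the "transmit over SSL / TLS at all times" mitigation of the previous slide: a small audit of a crypto/tls configuration that flags disabled certificate verification, protocol versions below TLS 1.2 and weak cipher suites, next to a hardened client configuration that passes it. The server name api.example.com is a placeholder.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// weakSuites are TLS cipher suites that crypto/tls still knows about
// (for compatibility) but that a current deployment should not offer:
// RC4, 3DES, and static-RSA key exchange (no forward secrecy).
var weakSuites = map[uint16]bool{
	tls.TLS_RSA_WITH_RC4_128_SHA:            true,
	tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA:       true,
	tls.TLS_RSA_WITH_AES_128_CBC_SHA:        true,
	tls.TLS_RSA_WITH_AES_256_CBC_SHA:        true,
	tls.TLS_RSA_WITH_AES_128_CBC_SHA256:     true,
	tls.TLS_RSA_WITH_AES_128_GCM_SHA256:     true,
	tls.TLS_RSA_WITH_AES_256_GCM_SHA384:     true,
	tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA:      true,
	tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:    true,
	tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: true,
}

// AuditTLSConfig returns one finding per weakness from the slide: invalid
// certificates accepted, old protocol versions allowed, weak ciphers
// offered. An empty slice means the config passed this audit.
func AuditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify: accepts any certificate (MITM possible)")
	}
	// MinVersion 0 means "library default"; pin it explicitly to TLS 1.2+.
	if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "MinVersion below TLS 1.2: old protocols negotiable")
	}
	for _, id := range cfg.CipherSuites {
		if weakSuites[id] {
			findings = append(findings, "weak cipher suite offered: "+tls.CipherSuiteName(id))
		}
	}
	return findings
}

// HardenedClientConfig is the "configuration change" fix: verify the
// server certificate (the default), require TLS 1.2 or later, and offer
// only AEAD suites with ephemeral key exchange. TLS 1.3 suites are not
// configurable in crypto/tls and are always strong.
func HardenedClientConfig(serverName string) *tls.Config {
	return &tls.Config{
		ServerName: serverName,
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// WeakClientConfig is the kind of config a pentester finds in an app
// whose developer "fixed" a certificate error by turning verification off.
func WeakClientConfig() *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true,
		MinVersion:         tls.VersionTLS10,
		CipherSuites:       []uint16{tls.TLS_RSA_WITH_RC4_128_SHA},
	}
}

func main() {
	for name, cfg := range map[string]*tls.Config{
		"weak":     WeakClientConfig(),
		"hardened": HardenedClientConfig("api.example.com"),
	} {
		findings := AuditTLSConfig(cfg)
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```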

Jailbreaking / Rooting
People are always going to jailbreak / root their phones. They will
be able to access your application files, and possibly decompile the
application.
There is no point trying to perform “jailbreak detection”
techniques. Your application runs with low privileges. A jailbroken
/ rooted device will always be able to evade this detection.
Mitigation: Focus more on the security of your application than on
trying to prevent people reading your code. If you have code in your
application that you don’t want people to see, you shouldn’t be
letting people put it on their devices in the first place!

Android “Master Key” Exploits

A vulnerability found in early 2013 effectively allowed an attacker
to embed malicious code within a trusted and signed application
without invalidating the signature.
Despite the name, the “Master Key” exploits don’t actually expose
any Android keys. Instead, a vulnerability in the handling of the
ZIP-based APK files allows code modification.
Mitigation: Upgrade to Android 4.4. All previous versions are
vulnerable (approximately 99% of all Android devices).
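As an added example (not from the slides), a check that can run on an APK before it is shipped or installed: the best-known of the Master Key bugs was triggered by two ZIP entries sharing one file name, with the signature verifier and the installer reading different copies, so the function below lists duplicate entry names in the ZIP directory. The sample APKs are constructed in memory and are not real apps.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"sort"
)

// DuplicateEntries lists every file name that appears more than once in
// the ZIP central directory of an APK. A well-formed APK has none; two
// entries with the same name is the condition the best-known "Master Key"
// bug exploited, because the signature check and the installer could end
// up reading different copies.
func DuplicateEntries(apk []byte) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(apk), int64(len(apk)))
	if err != nil {
		return nil, err
	}
	seen := make(map[string]int)
	for _, f := range r.File {
		seen[f.Name]++
	}
	var dups []string
	for name, n := range seen {
		if n > 1 {
			dups = append(dups, name)
		}
	}
	sort.Strings(dups)
	return dups, nil
}

// buildAPK constructs a minimal ZIP in memory from (name, content) pairs;
// repeated names are written as repeated entries. It exists only to give
// the check something to run on offline.
func buildAPK(entries [][2]string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		fw, err := w.Create(e[0])
		if err != nil {
			panic(err)
		}
		fw.Write([]byte(e[1]))
	}
	w.Close()
	return buf.Bytes()
}

// Constructed samples (not real apps): a clean APK and one carrying a
// second classes.dex.
var (
	cleanAPK = buildAPK([][2]string{
		{"AndroidManifest.xml", "<manifest/>"},
		{"classes.dex", "dex\n035"},
		{"META-INF/CERT.SF", "Signature-Version: 1.0"},
	})
	dupAPK = buildAPK([][2]string{
		{"AndroidManifest.xml", "<manifest/>"},
		{"classes.dex", "dex\n035 original"},
		{"META-INF/CERT.SF", "Signature-Version: 1.0"},
		{"classes.dex", "dex\n035 replacement"},
	})
)

func main() {
	for name, apk := range map[string][]byte{"clean": cleanAPK, "dup": dupAPK} {
		dups, err := DuplicateEntries(apk)
		fmt.Printf("%s: duplicates=%v err=%v\n", name, dups, err)
	}
}
```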

User Stupidity

Mitigation: None Known.

Vulnerabilities vs. Malware

Chart: number of vulnerabilities per mobile OS.

iOS vulnerabilities are by far the most common: jailbreak exploits,
lock screen bypasses, and numerous bugs in native applications.
Android, on the other hand, has fewer vulnerabilities overall (open
source code).

Vulnerabilities vs. Malware

Chart: number of malware families per mobile OS.

The number of vulnerabilities is not necessarily an indication of the
amount of malware a system suffers from. iOS vulnerabilities are often
more complex and require a lot of user interaction. Apple have a
rigorous vetting process for apps; Android’s app store has almost no
protection whatsoever.

Demos

Questions?

Ask away, or email:
adrian.hayter@hut3.net / andy.swift@hut3.net

More Related Content

What's hot

NDIA 2021 - solar winds overview and takeaways
NDIA 2021 - solar winds overview and takeawaysNDIA 2021 - solar winds overview and takeaways
NDIA 2021 - solar winds overview and takeawaysBryson Bort
 
Threat Check for Struts Released, Equifax Breach Dominates News
Threat Check for Struts Released, Equifax Breach Dominates NewsThreat Check for Struts Released, Equifax Breach Dominates News
Threat Check for Struts Released, Equifax Breach Dominates NewsBlack Duck by Synopsys
 
Cyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyCyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyb coatesworth
 
Securing Mobile Apps - Appfest Version
Securing Mobile Apps - Appfest VersionSecuring Mobile Apps - Appfest Version
Securing Mobile Apps - Appfest VersionSubho Halder
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrichdrewz lin
 
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016Subho Halder
 
ISSA Austin Speaker of the Year Award for Clare Nelson, CISSP, CIPP/E
ISSA Austin Speaker of the Year Award for Clare Nelson, CISSP, CIPP/EISSA Austin Speaker of the Year Award for Clare Nelson, CISSP, CIPP/E
ISSA Austin Speaker of the Year Award for Clare Nelson, CISSP, CIPP/EClare Nelson, CISSP, CIPP-E
 
Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Prathan Phongthiproek
 
Android Security Development
Android Security DevelopmentAndroid Security Development
Android Security Developmenthackstuff
 
Mobile security
Mobile securityMobile security
Mobile securityStefaan
 
We cant hack ourselves secure
We cant hack ourselves secureWe cant hack ourselves secure
We cant hack ourselves secureEoin Keary
 
Android Security
Android SecurityAndroid Security
Android SecurityLars Jacobs
 
2015.04.24 Updated > Android Security Development - Part 1: App Development
2015.04.24 Updated > Android Security Development - Part 1: App Development 2015.04.24 Updated > Android Security Development - Part 1: App Development
2015.04.24 Updated > Android Security Development - Part 1: App Development Cheng-Yi Yu
 
Guy Podjarmy - Secure Node Code
Guy Podjarmy - Secure Node CodeGuy Podjarmy - Secure Node Code
Guy Podjarmy - Secure Node CodeDevSecCon
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOpsBlack Duck by Synopsys
 
iOS and Android security: Differences you need to know
iOS and Android security: Differences you need to knowiOS and Android security: Differences you need to know
iOS and Android security: Differences you need to knowNowSecure
 
Android Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsAndroid Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsBlrDroid
 
Penetration and hacking training brief
Penetration and hacking training briefPenetration and hacking training brief
Penetration and hacking training briefBill Nelson
 
Biometrics and Multi-Factor Authentication, The Unleashed Dragon
Biometrics and Multi-Factor Authentication, The Unleashed DragonBiometrics and Multi-Factor Authentication, The Unleashed Dragon
Biometrics and Multi-Factor Authentication, The Unleashed DragonClare Nelson, CISSP, CIPP-E
 

What's hot (20)

NDIA 2021 - solar winds overview and takeaways
NDIA 2021 - solar winds overview and takeawaysNDIA 2021 - solar winds overview and takeaways
NDIA 2021 - solar winds overview and takeaways
 
Threat Check for Struts Released, Equifax Breach Dominates News
Threat Check for Struts Released, Equifax Breach Dominates NewsThreat Check for Struts Released, Equifax Breach Dominates News
Threat Check for Struts Released, Equifax Breach Dominates News
 
Cyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyCyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spy
 
Securing Mobile Apps - Appfest Version
Securing Mobile Apps - Appfest VersionSecuring Mobile Apps - Appfest Version
Securing Mobile Apps - Appfest Version
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrich
 
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
 
ISSA Austin Speaker of the Year Award for Clare Nelson, CISSP, CIPP/E
ISSA Austin Speaker of the Year Award for Clare Nelson, CISSP, CIPP/EISSA Austin Speaker of the Year Award for Clare Nelson, CISSP, CIPP/E
ISSA Austin Speaker of the Year Award for Clare Nelson, CISSP, CIPP/E
 
Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]Mobile Application Pentest [Fast-Track]
Mobile Application Pentest [Fast-Track]
 
Android Security Development
Android Security DevelopmentAndroid Security Development
Android Security Development
 
Mobile security
Mobile securityMobile security
Mobile security
 
We cant hack ourselves secure
We cant hack ourselves secureWe cant hack ourselves secure
We cant hack ourselves secure
 
Android Security
Android SecurityAndroid Security
Android Security
 
2015.04.24 Updated > Android Security Development - Part 1: App Development
2015.04.24 Updated > Android Security Development - Part 1: App Development 2015.04.24 Updated > Android Security Development - Part 1: App Development
2015.04.24 Updated > Android Security Development - Part 1: App Development
 
Guy Podjarmy - Secure Node Code
Guy Podjarmy - Secure Node CodeGuy Podjarmy - Secure Node Code
Guy Podjarmy - Secure Node Code
 
Attack Vectors in Biometric Recognition Systems
Attack Vectors in Biometric Recognition SystemsAttack Vectors in Biometric Recognition Systems
Attack Vectors in Biometric Recognition Systems
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
 
iOS and Android security: Differences you need to know
iOS and Android security: Differences you need to knowiOS and Android security: Differences you need to know
iOS and Android security: Differences you need to know
 
Android Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsAndroid Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android Applications
 
Penetration and hacking training brief
Penetration and hacking training briefPenetration and hacking training brief
Penetration and hacking training brief
 
Biometrics and Multi-Factor Authentication, The Unleashed Dragon
Biometrics and Multi-Factor Authentication, The Unleashed DragonBiometrics and Multi-Factor Authentication, The Unleashed Dragon
Biometrics and Multi-Factor Authentication, The Unleashed Dragon
 

Similar to CNS - Hut3 - Mobile Application (In)Security

Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecurityUnicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecuritySubho Halder
 
Secure Android Apps- nVisium Security
Secure Android Apps- nVisium SecuritySecure Android Apps- nVisium Security
Secure Android Apps- nVisium SecurityJack Mannino
 
Android– forensics and security testing
Android– forensics and security testingAndroid– forensics and security testing
Android– forensics and security testingSanthosh Kumar
 
18-mobile-malware.pptx
18-mobile-malware.pptx18-mobile-malware.pptx
18-mobile-malware.pptxsundar110567
 
Mobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attackerbugcrowd
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationTom Eston
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Securitysudip pudasaini
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on androidRavishankar Kumar
 
DataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSDataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSTobias Koprowski
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearydrewz lin
 
Mobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistMobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistJignesh Solanki
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetuppbink
 
Mobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksMobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksIBM Security
 
Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012Andris Soroka
 
SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013Petr Dvorak
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primeramiable_indian
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsAlan Kan
 
Security in the cloud protecting your cloud apps
Security in the cloud   protecting your cloud appsSecurity in the cloud   protecting your cloud apps
Security in the cloud protecting your cloud appsCenzic
 

Similar to CNS - Hut3 - Mobile Application (In)Security (20)

Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecurityUnicom Conference - Mobile Application Security
Unicom Conference - Mobile Application Security
 
Secure Android Apps- nVisium Security
Secure Android Apps- nVisium SecuritySecure Android Apps- nVisium Security
Secure Android Apps- nVisium Security
 
Android– forensics and security testing
Android– forensics and security testingAndroid– forensics and security testing
Android– forensics and security testing
 
18-mobile-malware.pptx
18-mobile-malware.pptx18-mobile-malware.pptx
18-mobile-malware.pptx
 
Android security
Android securityAndroid security
Android security
 
Mobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attacker
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on android
 
DataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSDataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPS
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
 
Mobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistMobile App Security: Enterprise Checklist
Mobile App Security: Enterprise Checklist
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetup
 
Mobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksMobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging Risks
 
Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012
 
SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A PrimerThe Top 10/20 Internet Security Vulnerabilities – A Primer
The Top 10/20 Internet Security Vulnerabilities – A Primer
 
Top Application Security Threats
Top Application Security Threats Top Application Security Threats
Top Application Security Threats
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging Threats
 
Security in the cloud protecting your cloud apps
Security in the cloud   protecting your cloud appsSecurity in the cloud   protecting your cloud apps
Security in the cloud protecting your cloud apps
 

Recently uploaded

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
CNS - Hut3 - Mobile Application (In)Security

How much do developers know about security?

How should passwords be stored?
(a) In plaintext.
(b) Encoded using Base64.
(c) Salted and then hashed.
(d) Hashed and then salted.

Page: 8/25

How much do developers know about security?

How should passwords be stored?
(a) In plaintext. (0%)
(b) Encoded using Base64. (20%)
(c) Salted and then hashed. (56%)
(d) Hashed and then salted. (24%)

Page: 9/25

How much do developers know about security?

Which of these is the best choice for encrypting sensitive files?
(a) SHA-3
(b) Develop our own (secret) in-house encryption mechanism.
(c) AES-256
(d) 3DES

Page: 10/25

How much do developers know about security?

Which of these is the best choice for encrypting sensitive files?
(a) SHA-3 (16%)
(b) Develop our own (secret) in-house encryption mechanism. (4%)
(c) AES-256 (76%)
(d) 3DES (4%)

Page: 11/25

How much do developers know about security?

Which is the correct attitude to have towards server-side security?
(a) We should put more focus on server-side security.
(b) We should put equal focus on both server-side and app-side security.
(c) We don’t need to focus on server-side security because the app is secure.
(d) We should put more focus on app-side security but be aware of server-side security issues.

Page: 12/25

How much do developers know about security?

Which is the correct attitude to have towards server-side security?
(a) We should put more focus on server-side security. (20%)
(b) We should put equal focus on both server-side and app-side security. (68%)
(c) We don’t need to focus on server-side security because the app is secure. (0%)
(d) We should put more focus on app-side security but be aware of server-side security issues. (12%)

Page: 13/25

Sensitive Data Storage

As an application developer, you have (almost) no control over the user’s device. Presume the device is already compromised. If at all possible, don’t store sensitive data on the device.

Sensitive data includes:
• Credentials (e.g. passwords, keys, etc.)
• Session tokens (e.g. cookies)
• Files containing user information.

Mitigation: If you handle sensitive data, encrypt it before saving it to the device. Use a strong encryption algorithm like AES-256.

Page: 14/25

Device Caches

Many devices keep caches of user input and other data relating to the application.
• Temporary Files – Downloads, Documents, etc.
• User Dictionary – Depending on input type.
• Application Snapshots (iOS)

Mitigation: Remove files once they are no longer needed. Specify correct input types. Disable caches if possible.

Page: 15/25

Device Caches: iOS Dictionary

Accessible via jailbreaking:
• /private/var/mobile/Library/Keyboard/dynamic-text.dat
• /private/var/mobile/Library/Keyboard/en_GB-dynamic-text.dat

The iOS “DynamicDictionary” keeps a record of everything typed into text boxes (Google searches, Facebook messages, SMS, email, etc.)

Page: 16/25

Insecure Data Transmission

If data is sent over an unencrypted channel, it can be intercepted and modified. You can’t control which networks a user connects to. How many people can resist free WiFi networks at coffee shops? Even trusted networks can’t be relied on due to Evil-twin attacks.

Mitigation: Transmit data over an SSL / TLS connection at all times.

Page: 17/25

SSL / TLS

SSL / TLS misconfigurations are some of the most common security weaknesses.

Application side:
• Weak cipher selection.
• Accepting invalid certificates.

Server side:
• Supporting old protocols, weak ciphers.
• Renegotiation Denial of Service, BEAST, CRIME, BREACH

Mitigation: Mostly configuration file changes!

Page: 18/25

Jailbreaking / Rooting

People are always going to jailbreak / root their phones. They will be able to access your application files, and possibly decompile the application. There is no point trying to perform “jailbreak detection” techniques. Your application runs with low privileges. A jailbroken / rooted device will always be able to evade this detection.

Mitigation: Focus more on the security of your application than on trying to prevent people from reading your code. If you have code in your application that you don’t want people to see, you shouldn’t be letting people put it on their devices in the first place!

Page: 19/25

Android “Master Key” Exploits

A vulnerability found in early 2013 effectively allowed an attacker to embed malicious code within a trusted and signed application without invalidating the signature. Despite the name, the “Master Key” exploits don’t actually expose any Android keys. Instead, a vulnerability in the handling of the ZIP-based APK files allows code modification.

Mitigation: Upgrade to Android 4.4. All previous versions are vulnerable (approximately 99% of all Android devices).

Page: 20/25

User Stupidity

Page: 21/25

User Stupidity

Mitigation: None Known.

Page: 21/25

Vulnerabilities vs. Malware

[Chart: Number of vulnerabilities per mobile OS]

iOS vulnerabilities are by far the most common: jailbreak exploits, lock screen bypasses, numerous native application related bugs. Android, on the other hand, has fewer vulnerabilities overall (open source code).

Page: 22/25

Vulnerabilities vs. Malware

[Chart: Number of malware families per mobile OS]

The number of vulnerabilities is not necessarily an indication of the amount of malware a system suffers from. iOS vulnerabilities are often more complex and require a lot of user interaction. Apple have a rigorous vetting process for apps. Android’s app store has almost no protection whatsoever.

Page: 23/25

Demos

Page: 24/25

Questions?

Ask away, or email: adrian.hayter@hut3.net / andy.swift@hut3.net

Page: 25/25
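The answer to the password-storage question (slide 9: salt first, then hash), worked through as an added example that is not code from the presentation. `hash_password` and `verify_password` use PBKDF2-HMAC-SHA256 with a random per-user salt, while `hash_then_salt` reproduces the wrong ordering from option (d) to show that its digest part stays identical for every user who chose the same password. Function names, the salt length and the iteration count are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 16
PBKDF2_ITERATIONS = 200_000  # this example's choice; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Option (c): salt first, then hash. The random salt is part of the hash
    input, so two users with the same password get unrelated records and no
    precomputed table applies. Returns salt || digest so the salt is stored
    alongside the hash."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, record: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hash_password(password, salt)[SALT_LEN:]
    return hmac.compare_digest(candidate, expected)


def hash_then_salt(password: str, salt: bytes) -> bytes:
    """Option (d), kept only to show why it is wrong: the salt is appended
    after hashing, so the first 32 bytes are still a plain unsalted SHA-256
    of the password."""
    return hashlib.sha256(password.encode("utf-8")).digest() + salt


def unsalted_part_matches(record_a: bytes, record_b: bytes) -> bool:
    """True when two hash-then-salt records reveal the same password: the
    digest part is identical no matter which salt each user was given."""
    return hmac.compare_digest(record_a[:32], record_b[:32])
```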
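The Android "Master Key" bug from slide 20, as an added detection example that is not code from the presentation. The widely reported variant (Android bug 8219321, disclosed by Bluebox in 2013) relied on an APK containing two ZIP entries with the same name, where the signature verifier read one copy and the installer extracted the other; a server or device-management system that distributes packages can refuse any archive whose central directory repeats a name. The two archives below are constructed in-memory test data, not real APKs, and the function names are this example's own.

```python
import io
import warnings
import zipfile
from collections import Counter
from typing import Iterable, List, Tuple


def duplicate_entries(apk_bytes: bytes) -> List[str]:
    """Return entry names that occur more than once in the archive's central
    directory. A well-formed APK never repeats a name, so any hit means the
    package was altered after signing and must not be installed."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(zf.namelist())  # namelist() keeps every entry, repeats included
    return sorted(name for name, n in counts.items() if n > 1)


def build_archive(entries: Iterable[Tuple[str, bytes]]) -> bytes:
    """Constructed test data: pack (name, content) pairs into an in-memory ZIP.
    Passing the same name twice yields the duplicate-entry layout the
    detector looks for (zipfile warns about it, which is silenced here)."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w") as zf:
            for name, content in entries:
                zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample packages (placeholder contents, not real Android files).
CLEAN_APK = build_archive([
    ("AndroidManifest.xml", b"<manifest/>"),
    ("classes.dex", b"dex\n035 original"),
    ("META-INF/CERT.SF", b"signature file"),
])

TAMPERED_APK = build_archive([
    ("AndroidManifest.xml", b"<manifest/>"),
    ("classes.dex", b"dex\n035 original"),
    ("classes.dex", b"dex\n035 second copy"),  # same name appears twice
    ("META-INF/CERT.SF", b"signature file"),
])
```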