1. Mobile Application (In)security

Sam Bowne
Sam BowneInstructor at CCSF
CNIT 128 Hacking Mobile Devices 1. Mobile Application (In)security
Mobile OS Market Share • Link Ch 1a Android iOS
Attack Surface • Network communications • Often public Wi-Fi • Device theft • Locally stored data • Malicious apps on the phone • Often from Google Play • Other input sources • NFC, Bluetooth, camera, microphonw, SMS, USB, QR codes
1. Mobile Application (In)security
Key Problem Factors • Underdeveloped security awareness • By developers • Ever-changing attack surface • Custom development • In-house code mixed with libraries from many sources
OWASP Top Ten
• M1: Weak Server-Side Controls • The most critical issue • Not a flaw on the phone • Server errors and misconfigurations • A whole class covers this: CNIT 129S: Securing Web Applications OWASP Top Ten
• M2: Insecure Data Storage • Plaintext or obfuscated • M3: Insufficient Transport Layer Protection • Failure to validate TLS certificates • M4: Unintended Data Leakage • In logs, cache, snapshots, etc OWASP Top Ten
• M5: Poor Authorization and Authentication • Causes failures in access control • M6: Broken Cryptography • Hard-coded key, or key stored on device • M7: Client-Side Injection • App takes input from another app, server, etc. OWASP Top Ten
• M8: Security Decision Via Untrusted Inputs • Often Inter-Process Communication (IPC) • M9: Improper Session Handling • Exposing session tokens to adversary • M10: Lack of Binary Protections • Allows reverse-engineering and modification of app OWASP Top Ten
• iMAS • Framework to develop secure iOS apps • GoatDroid, iGoat, DV iOS • Deliberately insecure apps for practice • MobiSec • Mobile pentesting distribution, like Kali • Androick • For Android forensics OWASP Mobile Security Tools
• Link Ch 1b
1. Mobile Application (In)security
1. Mobile Application (In)security
1. Mobile Application (In)security
1. Mobile Application (In)security
1. Mobile Application (In)security
1 of 17

1. Mobile Application (In)security

Download to read offline
Education

For a college class: Hacking Mobile Devices at CCSF Instructor: Sam Bowne More info: https://samsclass.info/128/128_S19.shtml

Sam Bowne
Sam BowneInstructor at CCSF

Recommended

Practical Malware Analysis: Ch 11: Malware Behavior by
Practical Malware Analysis: Ch 11: Malware BehaviorPractical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorSam Bowne
3.3K views59 slides
CNIT 128 6. Analyzing Android Applications (Part 1) by
CNIT 128 6. Analyzing Android Applications (Part 1)CNIT 128 6. Analyzing Android Applications (Part 1)
CNIT 128 6. Analyzing Android Applications (Part 1)Sam Bowne
915 views44 slides
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T... by
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Sam Bowne
6.7K views72 slides
Introduction to Malware Detection and Reverse Engineering by
Introduction to Malware Detection and Reverse EngineeringIntroduction to Malware Detection and Reverse Engineering
Introduction to Malware Detection and Reverse Engineeringintertelinvestigations
933 views97 slides
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures by
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesPractical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesSam Bowne
2.1K views48 slides
CNIT 127 Ch 6: The Wild World of Windows by
CNIT 127 Ch 6: The Wild World of WindowsCNIT 127 Ch 6: The Wild World of Windows
CNIT 127 Ch 6: The Wild World of WindowsSam Bowne
1.5K views52 slides

More Related Content

What's hot

01 Metasploit kung fu introduction by
01 Metasploit kung fu introduction01 Metasploit kung fu introduction
01 Metasploit kung fu introductionMostafa Abdel-sallam
593 views22 slides
Practical Malware Analysis: Ch 8: Debugging by
Practical Malware Analysis: Ch 8: Debugging Practical Malware Analysis: Ch 8: Debugging
Practical Malware Analysis: Ch 8: Debugging Sam Bowne
2.9K views42 slides
How an Attacker "Audits" Your Software Systems by
How an Attacker "Audits" Your Software SystemsHow an Attacker "Audits" Your Software Systems
How an Attacker "Audits" Your Software SystemsSecurity Innovation
471 views30 slides
CNIT 127: 8: Windows overflows (Part 2) by
CNIT 127: 8: Windows overflows (Part 2)CNIT 127: 8: Windows overflows (Part 2)
CNIT 127: 8: Windows overflows (Part 2)Sam Bowne
628 views51 slides
Practical Malware Analysis: Ch 15: Anti-Disassembly by
Practical Malware Analysis: Ch 15: Anti-DisassemblyPractical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-DisassemblySam Bowne
6K views45 slides
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba... by
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...Sam Bowne
2.1K views45 slides

What's hot(20)

01 Metasploit kung fu introduction by Mostafa Abdel-sallam
01 Metasploit kung fu introduction01 Metasploit kung fu introduction
01 Metasploit kung fu introduction
Mostafa Abdel-sallam593 views
Practical Malware Analysis: Ch 8: Debugging by Sam Bowne
Practical Malware Analysis: Ch 8: Debugging Practical Malware Analysis: Ch 8: Debugging
Practical Malware Analysis: Ch 8: Debugging
Sam Bowne2.9K views
How an Attacker "Audits" Your Software Systems by Security Innovation
How an Attacker "Audits" Your Software SystemsHow an Attacker "Audits" Your Software Systems
How an Attacker "Audits" Your Software Systems
Security Innovation471 views
CNIT 127: 8: Windows overflows (Part 2) by Sam Bowne
CNIT 127: 8: Windows overflows (Part 2)CNIT 127: 8: Windows overflows (Part 2)
CNIT 127: 8: Windows overflows (Part 2)
Sam Bowne628 views
Practical Malware Analysis: Ch 15: Anti-Disassembly by Sam Bowne
Practical Malware Analysis: Ch 15: Anti-DisassemblyPractical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-Disassembly
Sam Bowne6K views
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba... by Sam Bowne
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Sam Bowne2.1K views
CNIT 126: Ch 2 & 3 by Sam Bowne
CNIT 126: Ch 2 & 3CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3
Sam Bowne484 views
Memory forensics by Sunil Kumar
Memory forensicsMemory forensics
Memory forensics
Sunil Kumar2.8K views
4 Mapping the Application by Sam Bowne
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
Sam Bowne62 views
Pen-Testing with Metasploit by Mohammed Danish Amber
Pen-Testing with MetasploitPen-Testing with Metasploit
Pen-Testing with Metasploit
Mohammed Danish Amber2.3K views
DNS hijacking using cloud providers – No verification needed by Frans Rosén
DNS hijacking using cloud providers – No verification neededDNS hijacking using cloud providers – No verification needed
DNS hijacking using cloud providers – No verification needed
Frans Rosén13.4K views
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis by Sam Bowne
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisCNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
Sam Bowne2.6K views
Ethical hacking Chapter 7 - Enumeration - Eric Vanderburg by Eric Vanderburg
Ethical hacking Chapter 7 - Enumeration - Eric VanderburgEthical hacking Chapter 7 - Enumeration - Eric Vanderburg
Ethical hacking Chapter 7 - Enumeration - Eric Vanderburg
Eric Vanderburg1.7K views
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg by Sam Bowne
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Sam Bowne3.5K views
Cissp d5-cryptography v2012-mini coursev2 by infosecedu
Cissp d5-cryptography v2012-mini coursev2Cissp d5-cryptography v2012-mini coursev2
Cissp d5-cryptography v2012-mini coursev2
infosecedu63.3K views
CNIT 126: 10: Kernel Debugging with WinDbg by Sam Bowne
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
Sam Bowne814 views
Android Hacking + Pentesting by Sina Manavi
Android Hacking + Pentesting Android Hacking + Pentesting
Android Hacking + Pentesting
Sina Manavi7.7K views
CISSP Prep: Ch 5. Communication and Network Security (Part 1) by Sam Bowne
CISSP Prep: Ch 5. Communication and Network Security (Part 1)CISSP Prep: Ch 5. Communication and Network Security (Part 1)
CISSP Prep: Ch 5. Communication and Network Security (Part 1)
Sam Bowne2.4K views
Windows Security by Pooja Talreja
Windows Security Windows Security
Windows Security
Pooja Talreja3.3K views
Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs by Sam Bowne
Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs
Practical Malware Analysis: Ch 7: Analyzing Malicious Windows Programs
Sam Bowne2K views

Similar to 1. Mobile Application (In)security

Mobilination Ntymoshyk Personal Mobile Security Final Public by
Mobilination Ntymoshyk Personal Mobile Security Final PublicMobilination Ntymoshyk Personal Mobile Security Final Public
Mobilination Ntymoshyk Personal Mobile Security Final PublicTjylen Veselyj
265 views34 slides
Session810 ken huang by
Session810 ken huangSession810 ken huang
Session810 ken huangKen Huang
639 views41 slides
CNIT 128 Ch 1: The mobile risk ecosystem by
CNIT 128 Ch 1: The mobile risk ecosystemCNIT 128 Ch 1: The mobile risk ecosystem
CNIT 128 Ch 1: The mobile risk ecosystemSam Bowne
4K views52 slides
Security and Privacy in Mobile Cloud Computing by
Security and Privacy in Mobile Cloud ComputingSecurity and Privacy in Mobile Cloud Computing
Security and Privacy in Mobile Cloud ComputingRam Kumar K R
1.2K views16 slides
Can You Steal From Me Now? Mobile and BYOD Security Risks by
Can You Steal From Me Now? Mobile and BYOD Security RisksCan You Steal From Me Now? Mobile and BYOD Security Risks
Can You Steal From Me Now? Mobile and BYOD Security RisksMichael Davis
987 views23 slides
OWASP Mobile TOP 10 2014 by
OWASP Mobile TOP 10 2014OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014Islam Azeddine Mennouchi
7K views43 slides

Similar to 1. Mobile Application (In)security(20)

Mobilination Ntymoshyk Personal Mobile Security Final Public by Tjylen Veselyj
Mobilination Ntymoshyk Personal Mobile Security Final PublicMobilination Ntymoshyk Personal Mobile Security Final Public
Mobilination Ntymoshyk Personal Mobile Security Final Public
Tjylen Veselyj265 views
Session810 ken huang by Ken Huang
Session810 ken huangSession810 ken huang
Session810 ken huang
Ken Huang639 views
CNIT 128 Ch 1: The mobile risk ecosystem by Sam Bowne
CNIT 128 Ch 1: The mobile risk ecosystemCNIT 128 Ch 1: The mobile risk ecosystem
CNIT 128 Ch 1: The mobile risk ecosystem
Sam Bowne4K views
Security and Privacy in Mobile Cloud Computing by Ram Kumar K R
Security and Privacy in Mobile Cloud ComputingSecurity and Privacy in Mobile Cloud Computing
Security and Privacy in Mobile Cloud Computing
Ram Kumar K R1.2K views
Can You Steal From Me Now? Mobile and BYOD Security Risks by Michael Davis
Can You Steal From Me Now? Mobile and BYOD Security RisksCan You Steal From Me Now? Mobile and BYOD Security Risks
Can You Steal From Me Now? Mobile and BYOD Security Risks
Michael Davis987 views
OWASP Mobile TOP 10 2014 by Islam Azeddine Mennouchi
OWASP Mobile TOP 10 2014OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014
Islam Azeddine Mennouchi7K views
Mobile Security by Xavier Mertens
Mobile SecurityMobile Security
Mobile Security
Xavier Mertens6.2K views
Сергей Харюк (Украина). Проверка безопасности приложений на платформе iOS by KazHackStan
Сергей Харюк (Украина). Проверка безопасности приложений на платформе iOSСергей Харюк (Украина). Проверка безопасности приложений на платформе iOS
Сергей Харюк (Украина). Проверка безопасности приложений на платформе iOS
KazHackStan375 views
Unit-3.pptx by Ramya Nellutla
Unit-3.pptxUnit-3.pptx
Unit-3.pptx
Ramya Nellutla624 views
Owasp Mobile Top 10 – 2014 by n|u - The Open Security Community
Owasp Mobile Top 10 – 2014Owasp Mobile Top 10 – 2014
Owasp Mobile Top 10 – 2014
n|u - The Open Security Community7.8K views
Personal Data Security in a Digital World by alxdvs
Personal Data Security in a Digital WorldPersonal Data Security in a Digital World
Personal Data Security in a Digital World
alxdvs548 views
ANDROID SECURITY by yogeshraut090
ANDROID SECURITYANDROID SECURITY
ANDROID SECURITY
yogeshraut090165 views
Securing the Enterprise Mobile Perimeter by Brian Gleeson
Securing the Enterprise Mobile PerimeterSecuring the Enterprise Mobile Perimeter
Securing the Enterprise Mobile Perimeter
Brian Gleeson1.3K views
Android vulnerability study by Sri Harsha Pamu
Android vulnerability studyAndroid vulnerability study
Android vulnerability study
Sri Harsha Pamu670 views
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015 by Sina Manavi
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Sina Manavi4.1K views
Securing Your Mobile Applications by Greg Patton
Securing Your Mobile ApplicationsSecuring Your Mobile Applications
Securing Your Mobile Applications
Greg Patton262 views
2012 12-04 --ncc_group_-_mobile_threat_war_room by NCC Group
2012 12-04 --ncc_group_-_mobile_threat_war_room2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room
NCC Group538 views
C0c0n 2011 mobile security presentation v1.2 by Santosh Satam
C0c0n 2011 mobile security presentation v1.2C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2
Santosh Satam2.9K views
ISACA CACS 2012 - Mobile Device Security and Privacy by Michael Davis
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and Privacy
Michael Davis964 views
Mobile application securitry risks ISACA Silicon Valley 2012 by Symosis Security (Previously C-Level Security)
Mobile application securitry risks ISACA Silicon Valley 2012Mobile application securitry risks ISACA Silicon Valley 2012
Mobile application securitry risks ISACA Silicon Valley 2012
Symosis Security (Previously C-Level Security)646 views

More from Sam Bowne

Cyberwar by
CyberwarCyberwar
CyberwarSam Bowne
15 views22 slides
3: DNS vulnerabilities by
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities Sam Bowne
40 views40 slides
8. Software Development Security by
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
24 views85 slides
3. Attacking iOS Applications (Part 2) by
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)Sam Bowne
33 views45 slides
12 Elliptic Curves by
12 Elliptic Curves12 Elliptic Curves
12 Elliptic CurvesSam Bowne
54 views50 slides
11. Diffie-Hellman by
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-HellmanSam Bowne
58 views49 slides

More from Sam Bowne(20)

Cyberwar by Sam Bowne
CyberwarCyberwar
Cyberwar
Sam Bowne15 views
3: DNS vulnerabilities by Sam Bowne
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
Sam Bowne40 views
8. Software Development Security by Sam Bowne
8. Software Development Security8. Software Development Security
8. Software Development Security
Sam Bowne24 views
3. Attacking iOS Applications (Part 2) by Sam Bowne
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
Sam Bowne33 views
12 Elliptic Curves by Sam Bowne
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
Sam Bowne54 views
11. Diffie-Hellman by Sam Bowne
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
Sam Bowne58 views
2a Analyzing iOS Apps Part 1 by Sam Bowne
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
Sam Bowne42 views
9 Writing Secure Android Applications by Sam Bowne
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
Sam Bowne31 views
12 Investigating Windows Systems (Part 2 of 3) by Sam Bowne
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
Sam Bowne30 views
10 RSA by Sam Bowne
10 RSA10 RSA
10 RSA
Sam Bowne33 views
12 Investigating Windows Systems (Part 1 of 3 by Sam Bowne
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
Sam Bowne59 views
9. Hard Problems by Sam Bowne
9. Hard Problems9. Hard Problems
9. Hard Problems
Sam Bowne43 views
8 Android Implementation Issues (Part 1) by Sam Bowne
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
Sam Bowne23 views
11 Analysis Methodology by Sam Bowne
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
Sam Bowne12 views
8. Authenticated Encryption by Sam Bowne
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
Sam Bowne71 views
7. Attacking Android Applications (Part 2) by Sam Bowne
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
Sam Bowne35 views
7. Attacking Android Applications (Part 1) by Sam Bowne
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
Sam Bowne29 views
5. Stream Ciphers by Sam Bowne
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
Sam Bowne108 views
6 Scope & 7 Live Data Collection by Sam Bowne
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
Sam Bowne124 views
4. Block Ciphers by Sam Bowne
4. Block Ciphers 4. Block Ciphers
4. Block Ciphers
Sam Bowne86 views

Recently uploaded

Six Sigma Concept by Sahil Srivastava.pptx by
Six Sigma Concept by Sahil Srivastava.pptxSix Sigma Concept by Sahil Srivastava.pptx
Six Sigma Concept by Sahil Srivastava.pptxSahil Srivastava
44 views11 slides
MIXING OF PHARMACEUTICALS.pptx by
MIXING OF PHARMACEUTICALS.pptxMIXING OF PHARMACEUTICALS.pptx
MIXING OF PHARMACEUTICALS.pptxAnupkumar Sharma
121 views35 slides
The Accursed House by Émile Gaboriau by
The Accursed House by Émile GaboriauThe Accursed House by Émile Gaboriau
The Accursed House by Émile GaboriauDivyaSheta
251 views15 slides
ANGULARJS.pdf by
ANGULARJS.pdfANGULARJS.pdf
ANGULARJS.pdfArthyR3
51 views10 slides
A Guide to Applying for the Wells Mountain Initiative Scholarship 2023 by
A Guide to Applying for the Wells Mountain Initiative Scholarship 2023A Guide to Applying for the Wells Mountain Initiative Scholarship 2023
A Guide to Applying for the Wells Mountain Initiative Scholarship 2023Excellence Foundation for South Sudan
82 views26 slides
Papal.pdf by
Papal.pdfPapal.pdf
Papal.pdfMariaKenney3
68 views24 slides

Recently uploaded(20)

Six Sigma Concept by Sahil Srivastava.pptx by Sahil Srivastava
Six Sigma Concept by Sahil Srivastava.pptxSix Sigma Concept by Sahil Srivastava.pptx
Six Sigma Concept by Sahil Srivastava.pptx
Sahil Srivastava44 views
MIXING OF PHARMACEUTICALS.pptx by Anupkumar Sharma
MIXING OF PHARMACEUTICALS.pptxMIXING OF PHARMACEUTICALS.pptx
MIXING OF PHARMACEUTICALS.pptx
Anupkumar Sharma121 views
The Accursed House by Émile Gaboriau by DivyaSheta
The Accursed House by Émile GaboriauThe Accursed House by Émile Gaboriau
The Accursed House by Émile Gaboriau
DivyaSheta251 views
ANGULARJS.pdf by ArthyR3
ANGULARJS.pdfANGULARJS.pdf
ANGULARJS.pdf
ArthyR351 views
A Guide to Applying for the Wells Mountain Initiative Scholarship 2023 by Excellence Foundation for South Sudan
A Guide to Applying for the Wells Mountain Initiative Scholarship 2023A Guide to Applying for the Wells Mountain Initiative Scholarship 2023
A Guide to Applying for the Wells Mountain Initiative Scholarship 2023
Excellence Foundation for South Sudan82 views
Papal.pdf by MariaKenney3
Papal.pdfPapal.pdf
Papal.pdf
MariaKenney368 views
Mineral nutrition and Fertilizer use of Cashew by Aruna Srikantha Jayawardana
Mineral nutrition and Fertilizer use of Cashew Mineral nutrition and Fertilizer use of Cashew
Mineral nutrition and Fertilizer use of Cashew
Aruna Srikantha Jayawardana56 views
STRATEGIC MANAGEMENT MODULE 1_UNIT1 _UNIT2.pdf by Dr Vijay Vishwakarma
STRATEGIC MANAGEMENT MODULE 1_UNIT1 _UNIT2.pdfSTRATEGIC MANAGEMENT MODULE 1_UNIT1 _UNIT2.pdf
STRATEGIC MANAGEMENT MODULE 1_UNIT1 _UNIT2.pdf
Dr Vijay Vishwakarma130 views
CUNY IT Picciano.pptx by apicciano
CUNY IT Picciano.pptxCUNY IT Picciano.pptx
CUNY IT Picciano.pptx
apicciano64 views
Collective Bargaining and Understanding a Teacher Contract(16793704.1).pptx by Center for Integrated Training & Education
Collective Bargaining and Understanding a Teacher Contract(16793704.1).pptxCollective Bargaining and Understanding a Teacher Contract(16793704.1).pptx
Collective Bargaining and Understanding a Teacher Contract(16793704.1).pptx
Center for Integrated Training & Education106 views
Narration lesson plan by TARIQ KHAN
Narration lesson planNarration lesson plan
Narration lesson plan
TARIQ KHAN75 views
Jibachha publishing Textbook.docx by DrJibachhaSahVetphys
Jibachha publishing Textbook.docxJibachha publishing Textbook.docx
Jibachha publishing Textbook.docx
DrJibachhaSahVetphys54 views
JQUERY.pdf by ArthyR3
JQUERY.pdfJQUERY.pdf
JQUERY.pdf
ArthyR3105 views
Monthly Information Session for MV Asterix (November) by Esquimalt MFRC
Monthly Information Session for MV Asterix (November)Monthly Information Session for MV Asterix (November)
Monthly Information Session for MV Asterix (November)
Esquimalt MFRC107 views
BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (FRIE... by Nguyen Thanh Tu Collection
BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (FRIE...BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (FRIE...
BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (FRIE...
Nguyen Thanh Tu Collection89 views
ICS3211_lecture 09_2023.pdf by Vanessa Camilleri
ICS3211_lecture 09_2023.pdfICS3211_lecture 09_2023.pdf
ICS3211_lecture 09_2023.pdf
Vanessa Camilleri141 views
Berry country.pdf by MariaKenney3
Berry country.pdfBerry country.pdf
Berry country.pdf
MariaKenney375 views
Nelson_RecordStore.pdf by BrynNelson5
Nelson_RecordStore.pdfNelson_RecordStore.pdf
Nelson_RecordStore.pdf
BrynNelson546 views
Pharmaceutical Analysis PPT (BP 102T) by yakshpharmacy009
Pharmaceutical Analysis PPT (BP 102T) Pharmaceutical Analysis PPT (BP 102T)
Pharmaceutical Analysis PPT (BP 102T)
yakshpharmacy009108 views
Creative Restart 2023: Atila Martins - Craft: A Necessity, Not a Choice by Taste
Creative Restart 2023: Atila Martins - Craft: A Necessity, Not a ChoiceCreative Restart 2023: Atila Martins - Craft: A Necessity, Not a Choice
Creative Restart 2023: Atila Martins - Craft: A Necessity, Not a Choice
Taste45 views

1. Mobile Application (In)security

  • 1. CNIT 128 Hacking Mobile Devices 1. Mobile Application (In)security
  • 2. Mobile OS Market Share • Link Ch 1a Android iOS
  • 3. Attack Surface • Network communications • Often public Wi-Fi • Device theft • Locally stored data • Malicious apps on the phone • Often from Google Play • Other input sources • NFC, Bluetooth, camera, microphonw, SMS, USB, QR codes
  • 5. Key Problem Factors • Underdeveloped security awareness • By developers • Ever-changing attack surface • Custom development • In-house code mixed with libraries from many sources
  • 7. • M1: Weak Server-Side Controls • The most critical issue • Not a flaw on the phone • Server errors and misconfigurations • A whole class covers this: CNIT 129S: Securing Web Applications OWASP Top Ten
  • 8. • M2: Insecure Data Storage • Plaintext or obfuscated • M3: Insufficient Transport Layer Protection • Failure to validate TLS certificates • M4: Unintended Data Leakage • In logs, cache, snapshots, etc OWASP Top Ten
  • 9. • M5: Poor Authorization and Authentication • Causes failures in access control • M6: Broken Cryptography • Hard-coded key, or key stored on device • M7: Client-Side Injection • App takes input from another app, server, etc. OWASP Top Ten
  • 10. • M8: Security Decision Via Untrusted Inputs • Often Inter-Process Communication (IPC) • M9: Improper Session Handling • Exposing session tokens to adversary • M10: Lack of Binary Protections • Allows reverse-engineering and modification of app OWASP Top Ten
  • 11. • iMAS • Framework to develop secure iOS apps • GoatDroid, iGoat, DV iOS • Deliberately insecure apps for practice • MobiSec • Mobile pentesting distribution, like Kali • Androick • For Android forensics OWASP Mobile Security Tools