F6
Session - Mobile Testing
4/28/17 11:00 AM

Building and Testing Secure Mobile Apps

Presented by:

Alan Crouch
Coveros, Inc.

Brought to you by:

350 Corporate Way, Suite 400, Orange Park, FL 32073
888-268-8770 · 904-278-0524 - info@techwell.com - https://www.techwell.com/
Alan Crouch
Coveros, Inc.

Alan Crouch is a director of mobile testing with Coveros, Inc., which helps companies build better applications using agile, DevOps, and security best practices. Alan works with C-level and senior management at private companies and federal agencies to transform and adopt a more "mobile-first" approach to information technology. Alan has worked with Departments of Homeland Security, Defense, and Health and Human Services; Symantec; and mobile start-ups to build and test Android, iOS, and responsive web applications. His passion is the intersection of mobile testing and information security. Spare time finds Alan traveling the globe and creating adventures for his son and daughter. Follow Alan on Twitter @RealAlanCrouch or on LinkedIn.
4/6/17
© COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED.
Agility. Security. Delivered.

Building and Testing
Secure Mobile Apps
Alan R. Crouch
@RealAlanCrouch

Mobile Dev + Test 2017
San Diego, CA

Everyone Stand Up!
Time for a little game.
About Me
•  Alan Crouch is the Director of Mobile Testing with Coveros, Inc., which helps companies build better applications using agile, DevOps, and security best practices. Alan works with C-level and senior management at private companies and federal agencies to transform and adopt a more "mobile-first" approach to information technology. Alan has worked with Departments of Homeland Security, Defense, and Health and Human Services; Symantec; and mobile start-ups to build and test Android, iOS, and responsive web applications. His passion is the intersection of mobile testing and information security. Spare time finds Alan traveling the globe and creating adventures for his son and daughter. Follow Alan on Twitter @RealAlanCrouch
About Coveros
•  Coveros builds security-critical applications using agile methods.
•  Coveros Services
  •  Agile transformations
  •  Agile development and testing
  •  DevOps and continuous integration
  •  Application security analysis
  •  Agile, Mobile, DevOps & Security training
Areas of Expertise
Why Are You Here?
•  How is your app going to be attacked?
•  How do you build an app that will stand up to attackers?
•  How do you test to make sure your app is secure?
How Is Your App Going to Be Attacked?
•  Attackers always look to gain something (Assets)
  •  Mobile Device
  •  Servers
  •  User Data
  •  Our Back-end Data
  •  Our Intellectual Property
•  Attackers (Threats) can be just about anyone
  •  Foreign Intelligence
  •  Cyber Mobs
  •  Marketing Firms
  •  The Crazy Ex
How Is Your App Going to Be Attacked?
•  Common Attack Vectors
  •  Weak Server Side Controls
  •  Insecure Data Storage
  •  Insufficient Transport Layer Protection
  •  Unintended Data Leakage
  •  Poor Authorization and Authentication
  •  Broken Cryptography
  •  Client Side Injection
  •  Code Quality
  •  Improper Session Handling
  •  Lack of Binary Protections
  •  Improper Platform Usage
  •  Code Tampering
  •  Reverse Engineering

Source: OWASP Mobile Top 10 (the 2014 and 2016 lists, merged)
How Do You Build a SECURE Mobile App?

Session Management
Perform a check at each screen for state. Revoke session tokens periodically. Session timeouts should clear all memory associated with user data and any master decryption keys.

Encryption of Data
Device- and server-side encryption of sensitive data with a strong, standard algorithm (AES-256 at a minimum). Avoid using the same key for all apps. No homegrown encryption, please.

Communication Security
Properly implement TLS and send all your traffic to and from your back-end servers or external interfaces over it.

User Authentication
Ensure separate salts for separate users. Use app-specific unique identifiers over device-provided ones. Use authorization tokens instead of passwords. Clear passwords from memory immediately after hashing.

Robust Security Testing
Implement robust security testing as part of your mobile SDLC (ideally in an automated DevOps pipeline). No app gets released without testing and remediation.

Enforcing Server-Side Controls
Harden back-end systems and ensure adequate logs are retained for detection of and response to incidents. Rate limit IPs and ensure servers reject all unencrypted requests.
How Do You Build a SECURE Mobile App?
•  Session Management
  •  Perform a check at the start of each activity/screen to see if the user is in a "logged in" state and, if not, ask them to log in.
  •  When an application's session has timed out, the application should discard and clear all memory associated with the user data, and any master keys used to decrypt the data.
  •  Session tokens should be revocable (particularly on the server side).
  •  Use lower timeout values to invalidate expired sessions (in contrast to the typical timeout values on traditional, non-mobile applications).

Source: OWASP
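The four bullets above describe one mechanism; the following is an added example, written for this page and not code from the deck or from Coveros, that models it end to end in Python (the same logic goes into the app's activity/view-controller lifecycle and the back end's token store). The 5-minute idle window, the token format and the 32-byte "master key" are assumptions chosen for the example; the injectable clock exists only so the timeout can be exercised without sleeping.

```python
import secrets
import time
from dataclasses import dataclass, field

# Assumption: a 5-minute idle window, far shorter than the 30+ minutes common on desktop web apps.
IDLE_TIMEOUT_SECONDS = 300


@dataclass
class Session:
    user: str
    expires_at: float
    # Master key that unlocks locally cached data; it lives only as long as the session does.
    master_key: bytearray = field(default_factory=lambda: bytearray(secrets.token_bytes(32)))


class SessionManager:
    """Session store with a sliding idle timeout and explicit (server-side) revocation."""

    def __init__(self, clock=time.monotonic, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self._clock = clock            # injectable so the timeout can be tested without sleeping
        self._idle_timeout = idle_timeout
        self._sessions: dict[str, Session] = {}

    def login(self, user: str) -> str:
        # 256 bits from the CSPRNG: unguessable and unrelated to the user or device.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user=user, expires_at=self._clock() + self._idle_timeout)
        return token

    def check(self, token: str) -> bool:
        """Call at the start of every activity/screen. False means: send the user back to login."""
        session = self._sessions.get(token)
        if session is None:
            return False
        if self._clock() >= session.expires_at:
            self._destroy(token, session)   # timeout: wipe key material, not just flip a flag
            return False
        session.expires_at = self._clock() + self._idle_timeout   # activity extends the idle window
        return True

    def revoke(self, token: str) -> None:
        """Server-side revocation (logout, password change, stolen-device report)."""
        session = self._sessions.get(token)
        if session is not None:
            self._destroy(token, session)

    def session_for(self, token: str):
        """Read-only access to a session's state; does not touch the idle timer."""
        return self._sessions.get(token)

    def _destroy(self, token: str, session: Session) -> None:
        # Overwrite the key bytes in place before dropping the reference, so the plaintext
        # key does not linger in memory until the garbage collector gets to it.
        for i in range(len(session.master_key)):
            session.master_key[i] = 0
        del self._sessions[token]
```

In the real app the `check` call belongs in the screen's entry point (Android `onResume`, iOS `viewWillAppear`) and the `revoke` path on the server, so a token reported stolen stops working even on a device that never comes back online.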
How Do You Build a SECURE Mobile App?
•  Encryption of Data
  •  Data Storage
    •  Store sensitive data on the server instead of the client-end device, whenever possible.
    •  Don't store sensitive information on the device (e.g. GPS/tracking data).
    •  Assume shared storage is untrusted. Do not store temp data in a world-readable directory.
    •  Do not store sensitive data in the keychain of iOS devices due to vulnerabilities in their cryptographic mechanisms. (This bullet repeats the wording of the older OWASP mobile controls; OWASP's current mobile guidance takes the opposite position and treats the Keychain, with a restrictive accessibility class such as kSecAttrAccessibleWhenUnlockedThisDeviceOnly, as the place to keep small secrets on iOS, with the Android Keystore as its counterpart.)
    •  Do not store sensitive information in the form of typical (immutable) strings. Instead use character arrays or NSMutableString (iOS specific) and clear their contents after they are no longer needed.

Source: OWASP
How Do You Build a SECURE Mobile App?
•  Encryption of Data
  •  Keys and Standards
    •  Encrypt sensitive data when storing it to non-volatile memory, using a NIST-approved algorithm such as AES-256. (The older OWASP text also lists 3DES and Skipjack; NIST has since retired both, Skipjack being withdrawn and 3DES disallowed for new applications, so neither belongs in new code.)
    •  Use the PBKDF2 function to derive strong keys for encryption algorithms, with a high-entropy salt and as high an iteration count as the device can afford.
    •  Encryption keys should be generated in real time for encryption/decryption as needed and discarded each time, not kept in RAM for the lifetime of the application instance.
  •  Remote Wipe
    •  Make use of remote wipe and kill-switch APIs to remove sensitive information from the device in the event of theft or loss.
    •  Use a time-based expiration which wipes sensitive data from the mobile device once the application has not communicated with its servers for a given period of time.

Source: OWASP
How Do You Build a SECURE Mobile App?
•  Communication Security
  •  Always assume the provider network layer is insecure.
  •  Ensure the application validates the server's TLS certificate properly (chain to a trusted CA, validity period, and hostname against the subject/SAN) rather than merely checking that some certificate is present, or only comparing the certificate's hash.
  •  The application should only communicate with and accept data from authorized domain names/systems.
  •  To protect against attacks which utilize software such as SSLStrip, implement controls to detect if the connection is not HTTPS with every request.
  •  The UI should make it as easy as possible for the user to find out if a certificate is valid (so the user is not totally reliant upon the application properly validating any certificates).
  •  Use certificates signed by trusted Certificate Authority (CA) providers.

Source: OWASP
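What "validate the certificate", "authorized domains only" and the SSLStrip check look like when written down, as an added example for this page (not code from the deck or from Coveros), using Python's standard `ssl` module as a stand-in for the platform TLS stack (NSURLSession / OkHttp behave the same way once configured). The host allowlist and the pin set are assumptions for the example; the hardened context sits next to the loosened one that "fixes" a failing test and silently disables all verification.

```python
import hashlib
import ssl
from urllib.parse import urlsplit

# Assumption: the only hosts this app is allowed to talk to (its own back end and one CDN).
AUTHORIZED_HOSTS = frozenset({"api.example.com", "cdn.example.com"})


def strict_tls_context() -> ssl.SSLContext:
    """What 'properly validate the certificate' means in code: chain to a trusted CA,
    validity period, and hostname against subject/SAN, checked on every connection."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + platform CA store + hostname check
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def broken_tls_context() -> ssl.SSLContext:
    """The anti-pattern the slide warns about: any certificate (or none) is accepted,
    so an on-path attacker with a self-signed certificate reads and rewrites everything."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Pipeline check: fail the build if someone loosened the context to make a test pass."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def is_allowed_url(url: str) -> bool:
    """Run before every request. Refusing http:// here is the SSLStrip defence: a downgraded
    URL never leaves the app, and only authorised hosts are ever contacted."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    return (parts.hostname or "").lower() in AUTHORIZED_HOSTS


def certificate_pin_matches(cert_der: bytes, pinned_sha256_hex: frozenset) -> bool:
    """Optional extra layer on top of (never instead of) chain validation: compare the
    SHA-256 of the presented leaf certificate with the set of pins shipped in the app."""
    return hashlib.sha256(cert_der).hexdigest() in pinned_sha256_hex
```

After a handshake the leaf certificate for the pin check comes from `sock.getpeercert(binary_form=True)`; pins rotate with the certificate, so ship at least one backup pin or the next renewal bricks the app.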
How Do You Build a SECURE Mobile App?
•  User Authentication (and Password Management)
  •  Using Authorization Tokens (OAuth model)
    •  Instead of passwords, use industry-standard authorization tokens (which expire as frequently as practicable) which can be securely stored on the device.
    •  Ensure tokens are time-bounded to the specific service, as well as revocable (if possible server side).
  •  Device Authentication
    •  Avoid solely using any device-provided identifier (like UID or MAC address) to identify the device; rather, leverage identifiers specific to the application as well as the device (which ideally would not be reversible).
  •  Offline Access
    •  Add an intentional 2-second delay to the password entry process after each unsuccessful entry attempt.
    •  Perform an account/application lockout and/or application data wipe after 10 invalid password attempts.
Source: OWASP
How Do You Build a SECURE Mobile App?
•  User Authentication (and Password Management)
  •  Salting
    •  Ensure that separate users utilize different salts.
    •  Store salted password hashes on the server side, whenever possible.
    •  Salts must come from a cryptographically secure random source. Use the platform CSPRNG (SecRandomCopyBytes on iOS, java.security.SecureRandom on Android); the older OWASP text suggests seeding from magnetometer or temperature readings, but sensor values are neither unpredictable enough nor necessary when an OS-provided CSPRNG is available.
  •  2-Factor Authentication
    •  Based on a risk assessment of the mobile application, consider utilizing two-factor authentication.
  •  Hashing
    •  Wipe/clear memory locations holding passwords directly after their hashes are calculated.
    •  Use only NIST-approved primitives such as SHA-2, through a vetted library, and for password storage wrap them in a salted, deliberately slow KDF such as PBKDF2 rather than a single fast hash.
Source: OWASP
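The "Offline Access" bullets on the previous slide and the "Salting" and "Hashing" bullets above share one implementation, shown here as an added example for this page (not code from the deck or from Coveros). Python's `hashlib.pbkdf2_hmac` and `secrets` stand in for the platform crypto APIs. The 2-second delay and the 10-attempt lockout are the figures the slide gives; the 16-byte salt and the 600,000-iteration PBKDF2-HMAC-SHA256 count are assumptions in line with current OWASP password-storage guidance.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 16                 # assumption
PBKDF2_ITERATIONS = 600_000     # assumption; lower it only after measuring on your slowest target device
FAILURE_DELAY_SECONDS = 2.0     # from the slide
MAX_FAILED_ATTEMPTS = 10        # from the slide


def new_salt() -> bytes:
    """Per-user salt from the OS CSPRNG (os.urandom underneath), never from sensor readings."""
    return secrets.token_bytes(SALT_BYTES)


def hash_password(password: bytearray, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted, deliberately slow hash. The caller's password buffer is zeroed as soon as the
    hash exists. (The bytes() copy handed to OpenSSL cannot be wiped from pure Python; in the
    app itself, Java char[] / Swift [UInt8] buffers let you wipe every copy.)"""
    try:
        return hashlib.pbkdf2_hmac("sha256", bytes(password), salt, iterations)
    finally:
        for i in range(len(password)):
            password[i] = 0


class OfflinePasswordGate:
    """Local verifier for offline access: constant-time compare, a delay after every failure,
    and lockout plus data wipe once MAX_FAILED_ATTEMPTS failures accumulate."""

    def __init__(self, salt: bytes, stored_hash: bytes, iterations: int = PBKDF2_ITERATIONS):
        self._salt = salt
        self._stored_hash = stored_hash
        self._iterations = iterations
        self.failures = 0
        self.locked = False

    def verify(self, password: bytearray) -> tuple[bool, float]:
        """Returns (accepted, seconds the UI must wait before taking the next attempt)."""
        if self.locked:
            return False, 0.0
        candidate = hash_password(password, self._salt, self._iterations)
        if hmac.compare_digest(candidate, self._stored_hash):   # no early-exit byte comparison
            self.failures = 0
            return True, 0.0
        self.failures += 1
        if self.failures >= MAX_FAILED_ATTEMPTS:
            self.locked = True
            self._wipe()
        return False, FAILURE_DELAY_SECONDS

    def _wipe(self) -> None:
        # Application-data wipe: with the verifier gone there is nothing left to brute-force
        # offline. A real app also deletes the encrypted local data and its master key.
        self._stored_hash = b""
        self._salt = b""
```

The delay is returned rather than slept so the UI thread decides how to enforce it; the failure counter itself must be stored somewhere the user cannot reset by clearing app data, or the lockout is only a speed bump.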
How Do You Build a SECURE Mobile App?
•  Robust Security Testing
  •  Third Party Library Vulnerability Analysis
  •  Application Scan of Web Services/REST services
  •  Internal Code Reviews
  •  Static Code Analysis
  •  Dynamic Analysis
  •  Traffic Analysis
  •  Fuzzing
  •  Reverse Engineering

Source: OWASP
How Do You Build a SECURE Mobile App?
•  Enforce Server-Side Controls
  •  Ensure that the backend system(s) are running with a hardened configuration with the latest security patches.
  •  Ensure adequate logs are retained on the backend in order to detect and respond to incidents and perform forensics (within the limits of data protection law).
  •  Employ rate limiting and throttling on a per-user/IP basis.
  •  Ensure the server rejects all unencrypted requests (which it knows should always arrive encrypted).

Source: OWASP
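The last three bullets (logging, per-user/IP rate limiting, rejecting cleartext) as one request gate, added here as an example for this page rather than code from the deck or from Coveros. It is framework-agnostic Python; the 20-requests-per-60-seconds policy, the `X-Forwarded-Proto` header and the assumption that a reverse proxy terminates TLS and owns that header are all choices made for the example.

```python
import json
import time
from collections import deque

# Assumed policy (not from the slide): 20 requests per 60-second sliding window, per user and per IP.
RATE_LIMIT = 20
WINDOW_SECONDS = 60.0


class SlidingWindowLimiter:
    """Per-key sliding-window counter; keys look like 'user:<id>' and 'ip:<addr>'."""

    def __init__(self, limit: int = RATE_LIMIT, window: float = WINDOW_SECONDS, clock=time.monotonic):
        self._limit, self._window, self._clock = limit, window, clock
        self._hits: dict[str, deque] = {}

    def allow(self, key: str) -> bool:
        now = self._clock()
        hits = self._hits.setdefault(key, deque())
        while hits and now - hits[0] >= self._window:   # drop timestamps that left the window
            hits.popleft()
        if len(hits) >= self._limit:
            return False
        hits.append(now)
        return True


def audit_line(event: str, client_ip: str, user, path: str, **extra) -> str:
    """One JSON line per security event: enough to detect and reconstruct an incident,
    without request bodies or credentials (keep data-protection limits in mind)."""
    record = {"ts": time.time(), "event": event, "ip": client_ip, "user": user, "path": path}
    record.update(extra)
    return json.dumps(record, sort_keys=True)


def handle_request(method: str, path: str, headers: dict, client_ip: str, user,
                   limiter: SlidingWindowLimiter, audit_log: list) -> tuple[int, dict]:
    """Front-door checks for an API endpoint that must only ever be reached over TLS."""
    # Assumption: TLS terminates at a reverse proxy that sets X-Forwarded-Proto itself and
    # strips any copy the client sent, so the header can be trusted here.
    if headers.get("X-Forwarded-Proto", "").lower() != "https":
        audit_log.append(audit_line("cleartext_rejected", client_ip, user, path))
        return 426, {"error": "TLS required"}       # 426 Upgrade Required: reject, do not redirect
    keys = [f"ip:{client_ip}"] + ([f"user:{user}"] if user else [])
    for key in keys:
        if not limiter.allow(key):
            audit_log.append(audit_line("rate_limited", client_ip, user, path, key=key))
            return 429, {"error": "too many requests"}
    return 200, {"method": method, "path": path, "user": user}
```

Rejecting with 426 instead of redirecting to https:// matters: a redirect hands an SSLStrip-style attacker exactly the cleartext round trip it needs, whereas a refusal surfaces the misconfiguration in the logs.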
How Do You Test App Security?

Security Tools Chart (Source: OWASP)

3rd Party Library Vulnerability Analysis (iOS and Android): Sonatype IQ Server
Web Services/REST API Testing (iOS and Android): Fiddler, Metasploit Framework, SOAPUI, OWASP ZAP
Static Code Analysis: iOS: Veracode, OWASP Xsecurity, Cxsuite, Clang; Android: QARK, lint, AndroBugs, Veracode
Traffic Analysis (iOS and Android): Burp, OWASP ZAP, Wireshark, Mallory
Fuzz Testing (iOS and Android): JBroFuzz, WebScarab, WSFuzzer
Reverse Engineering: iOS: Jailbreak and DumpDecrypted; Android: APKTool, Androguard, ADB, DexDump, dex2jar, IDA Pro, JEB, VxStripper

iOS App Security Testing Cheat Sheet:
https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet
Android App Security Testing Cheat Sheet:
https://www.owasp.org/index.php/Android_Testing_Cheat_Sheet
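The "Static Code Analysis" row above and the "Robust Security Testing" slide before it both call for checks that run in the pipeline with no human in the loop. One such check, added here as an example for this page (not code from the deck, from Coveros or from any of the listed tools), audits the manifest that `apktool` decodes from an Android build for the settings behind several of the attack vectors listed earlier: debuggable builds and cleartext traffic (binary protection, transport security), backup-able data (data storage), and exported components any other app on the device can invoke. The manifest below is constructed for the example and is not from a real app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample, as `apktool d app.apk` would decode AndroidManifest.xml; not from any real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bank" android:debuggable="true" android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <provider android:name=".DataProvider" android:authorities="com.example.bank.data"
              android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.bank.permission.SYNC"/>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def android_attr(element, name: str):
    """Read an attribute from the android: namespace (ElementTree stores it as {uri}name)."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def audit_manifest(manifest_xml: str) -> list:
    """Return one finding per risky manifest setting. An empty list means the gate passes."""
    findings = []
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return ["manifest has no <application> element"]

    # Application-wide flags that weaken binary protection, data storage or transport security.
    for flag in ("debuggable", "allowBackup", "usesCleartextTraffic"):
        if android_attr(app, flag) == "true":
            findings.append(f'application android:{flag}="true"')

    # Components reachable by any other app on the device without holding a permission.
    for component in app.iter():
        if component.tag not in COMPONENT_TAGS:
            continue
        if android_attr(component, "exported") != "true" or android_attr(component, "permission"):
            continue
        is_launcher = any(android_attr(action, "name") == "android.intent.action.MAIN"
                          for action in component.iter("action"))
        if is_launcher:
            continue  # the launcher activity has to be exported; everything else needs a reason
        findings.append(f'{component.tag} {android_attr(component, "name")} exported without a permission')
    return findings


def gate_passes(manifest_xml: str) -> bool:
    """Pipeline gate: no release build ships while audit_manifest reports anything."""
    return not audit_manifest(manifest_xml)
```

Wire it in after `apktool d` on the release APK and fail the build on any finding; the same idea applies to an iOS build by checking the decoded Info.plist for an `NSAppTransportSecurity` dictionary that sets `NSAllowsArbitraryLoads` to true.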
Questions?
Alan Crouch
@RealAlanCrouch
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 

Building and Testing Secure Mobile Apps

  • 3. 4/6/17 1 © COPYRIGHT 2016 COVEROS, INC. ALL RIGHTS RESERVED.
    Agility. Security. Delivered.
    Building and Testing Secure Mobile Apps
    Alan R. Crouch, @RealAlanCrouch
    Mobile Dev + Test 2017, San Diego, CA

    Everyone Stand Up!
    Time for a little game.

  • 4. About Me
    •  Alan Crouch is the Director of Mobile Testing with Coveros, Inc., which helps companies build better applications using agile, DevOps, and security best practices. Alan works with C-level and senior management at private companies and federal agencies to transform and adopt a more "mobile-first" approach to information technology. Alan has worked with Departments of Homeland Security, Defense, and Health and Human Services; Symantec; and mobile start-ups to build and test Android, iOS, and responsive web applications. His passion is the intersection of mobile testing and information security. Spare time finds Alan traveling the globe and creating adventures for his son and daughter. Follow Alan on Twitter @RealAlanCrouch
    About Coveros
    •  Coveros builds security-critical applications using agile methods.
    •  Coveros Services (Areas of Expertise)
       •  Agile transformations
       •  Agile development and testing
       •  DevOps and continuous integration
       •  Application security analysis
       •  Agile, Mobile, DevOps & Security training

  • 5. Why Are You Here?
    •  How is your app going to be attacked?
    •  How do you build an app that will stand up to attackers?
    •  How do I test to make sure my app is secure?
    How Is Your App Going to Be Attacked?
    •  Attackers always look to gain something (Assets)
       •  Mobile Device
       •  Servers
       •  User Data
       •  Our Back-end Data
       •  Our Intellectual Property
    •  Attackers (Threats) can be just about anyone
       •  Foreign Intelligence
       •  Cyber Mobs
       •  Marketing Firms
       •  The Crazy Ex

  • 6. How Is Your App Going to Be Attacked?
    •  Common Attack Vectors (Source: OWASP)
       •  Weak Server Side Controls
       •  Insecure Data Storage
       •  Insufficient Transport Layer Protection
       •  Unintended Data Leakage
       •  Poor Authorization and Authentication
       •  Broken Cryptography
       •  Client Side Injection
       •  Code Quality
       •  Improper Session Handling
       •  Lack of Binary Protections
       •  Improper Platform Usage
       •  Code Tampering
       •  Reverse Engineering
    How Do You Build a SECURE Mobile App?
    •  Session Management: Perform a check at each screen for state. Revoke session tokens periodically. Session time outs should clear all memory associated with user data and any master decryption keys.
    •  Encryption of Data: Device and server-side encryption of sensitive data with a strong encryption algorithm (AES-256 at a minimum). Avoid using the same key for all apps. No homegrown encryption, please.
    •  Communication Security: Properly implement SSL and send all your traffic to and from your back-end servers or external interfaces over it.
    •  User Authentication: Ensure separate salts for separate users. Use app specific unique identifiers over device-provided ones. Use authorization tokens instead of passwords. Remove hashes immediately after use.
    •  Robust Security Testing: Implement robust security testing as part of your mobile SDLC (ideally in an automated DevOps pipeline). No app gets released without testing and remediation.
    •  Enforcing Server-Side Controls: Harden back-end systems and ensure adequate logs are retained for detection and response of incidents. Rate limit IPs and ensure servers reject all unencrypted requests.

  • 7. How Do You Build a SECURE Mobile App? (Source: OWASP)
    •  Session Management
       •  Perform a check at the start of each activity/screen to see if the user is in a "logged in" state and if not, ask them to login.
       •  When an application's session is timed out, the application should discard and clear all memory associated with the user data, and any master keys used to decrypt the data.
       •  Session tokens should be revocable (particularly on the server side).
       •  Use lower timeout values to invalidate expired sessions (in contrast to the typical timeout values on traditional, non-mobile applications).
    •  Encryption of Data
       •  Data Storage
          •  Store sensitive data on the server instead of the client-end device, whenever possible.
          •  Don't store sensitive information on the device (e.g. GPS/tracking).
          •  Assume shared storage is untrusted. Do not store temp data in a world readable directory.
          •  Do not store sensitive data in the keychain of iOS devices due to vulnerabilities in their cryptographic mechanisms.
          •  Do not store sensitive information in the form of typical strings. Instead use character arrays or NSMutableString (iOS specific) and clear their contents after they are no longer needed.

  • 8. How Do You Build a SECURE Mobile App? (Source: OWASP)
    •  Encryption of Data
       •  Keys and Standards
          •  Encrypt sensitive data when storing it to non-volatile memory (using a NIST approved encryption standard such as AES-256, 3DES, or Skipjack).
          •  Use the PBKDF2 function to generate strong keys for encryption algorithms while ensuring high entropy as much as possible.
          •  Encryption keys should be generated real time for encryption/decryption as needed and discarded each time, and not stored in RAM during the application instance lifecycle.
       •  Remote Wipe
          •  Make use of remote wipe and kill switch APIs to remove sensitive information from the device in the event of theft or loss.
          •  Use a time based expiration which will wipe sensitive data from the mobile device once the application has not communicated with its servers for a given period of time.
    •  Communication Security
       •  Always assume the provider network layer is insecure.
       •  Ensure the application validates the server's SSL certificate (by checking the expiration date, issuer, subject, etc.) instead of checking to see if a certificate is simply present and/or just checking if the hash of the certificate matches.
       •  The application should only communicate with and accept data from authorized domain names/systems.
       •  To protect against attacks which utilize software such as SSLStrip, implement controls to detect if the connection is not HTTPS with every.
       •  The UI should make it as easy as possible for the user to find out if a certificate is valid (so the user is not totally reliant upon the application properly validating any certificates).
       •  Use certificates signed by trusted Certificate Authority (CA) providers.

  • 9. How Do You Build a SECURE Mobile App? (Source: OWASP)
    •  User Authentication (and Password Management)
       •  Using Authorization Tokens (OAuth model)
          •  Instead of passwords, use industry standard authorization tokens (which expire as frequently as practicable) which can be securely stored on the device.
          •  Ensure tokens are time bounded to the specific service, as well as revocable (if possible server side).
       •  Device Authentication
          •  Avoid solely using any device-provided identifier (like UID or MAC address) to identify the device, but rather leverage identifiers specific to the application as well as the device (which ideally would not be reversible).
       •  Offline Access
          •  Add an intentional 2 second delay to the password entry process after each unsuccessful entry attempt.
          •  Perform an account/application lockout and/or application data wipe after 10 invalid password attempts.
       •  Salting
          •  Ensure that separate users utilize different salts.
          •  Store salted passwords on the server-side, whenever possible.
          •  Salts should be sufficiently random or may be generated by pulling constant and unique values off of the system. Seed generation on mobile devices should use fairly unpredictable values (for example, by using the x,y,z magnetometer and/or temperature values).
       •  2-Factor Authentication
          •  Based on risk assessment of the mobile application, consider utilizing two-factor authentication.
       •  Hashing
          •  Wipe/clear memory locations holding passwords directly after their hashes are calculated.
          •  Use only a NIST approved standard such as SHA-2 or an algorithm/library.

  • 10. How Do You Build a SECURE Mobile App? (Source: OWASP)
    •  Robust Security Testing
       •  Third Party Library Vulnerability Analysis
       •  Application Scan of Web Services/REST services
       •  Internal Code Reviews
       •  Static Code Analysis
       •  Dynamic Analysis
       •  Traffic Analysis
       •  Fuzzing
       •  Reverse Engineering
    •  Enforce Server-Side Controls
       •  Ensure that the backend system(s) are running with a hardened configuration with the latest security patches.
       •  Ensure adequate logs are retained on the backend in order to detect and respond to incidents and perform forensics (within the limits of data protection law).
       •  Employ rate limiting and throttling on a per-user/IP basis.
       •  Ensure the server rejects all unencrypted requests (which it knows should always arrive encrypted).

  • 11. How Do You Test App Security? Security Tools Chart (Source: OWASP)
    •  3rd Party Library Vulnerability Analysis: Sonatype IQ Server
    •  Web Services/REST API Testing: Fiddler, Metasploit Framework, SOAPUI, OWASP ZAP
    •  Static Code Analysis: iOS: Veracode, OWASP Xsecurity, Cxsuite, Clang; Android: QARK, lint, AndroBugs, Veracode
    •  Traffic Analysis: Burp, OWASP ZAP, Wireshark, Mallory
    •  Fuzz Testing: JBroFuzz, WebScarab, WSFuzzer
    •  Reverse Engineering: iOS: Jailbreak and DumpDecrypted; Android: APKTool, Androguard, ADB, DexDump, dex2jar, IDA Pro, JEB, VxStripper
    iOS App Security Testing Cheat Sheet: https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet
    Android App Security Testing Cheat Sheet: https://www.owasp.org/index.php/Android_Testing_Cheat_Sheet
    Questions?
    Alan Crouch, @RealAlanCrouch
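The Offline Access, Salting and Hashing guidance from the slides, carried into working code as an added example (not code from the talk or from OWASP): a separate random salt per user, PBKDF2 over SHA-2, the password buffer zeroed right after its hash is calculated, a 2 second delay after each failed entry, and lockout with a data wipe after 10 failures. It is written in Python for illustration rather than in Swift or Kotlin; the iteration count is an assumed value and the injectable `sleep` parameter is a hypothetical test seam.

```python
import hashlib
import hmac
import os
import time

# Constructed example; not code from the talk or from OWASP.
PBKDF2_ITERATIONS = 100_000   # assumed value; the slides give no iteration count
MAX_ATTEMPTS = 10             # lockout / data-wipe threshold from the slides
FAIL_DELAY_SECONDS = 2        # delay after each unsuccessful entry, from the slides


def derive_hash(password: bytearray, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over a mutable password buffer, then zero the buffer.

    A bytearray (not str) is used so the memory holding the password can be
    cleared directly after its hash is calculated, as the Hashing item asks."""
    try:
        return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)
    finally:
        for i in range(len(password)):
            password[i] = 0


class OfflineCredential:
    """Per-user salted PBKDF2 hash with the slides' offline-access policy."""

    def __init__(self, password: bytearray) -> None:
        self.salt = os.urandom(16)            # a separate random salt per user
        self.digest = derive_hash(password, self.salt)
        self.failures = 0
        self.locked = False

    def verify(self, attempt: bytearray, sleep=time.sleep) -> bool:
        """True on a match. Each failure delays the caller and counts toward
        lockout; `sleep` is injectable (hypothetical) so tests need not wait."""
        if self.locked:
            return False
        candidate = derive_hash(attempt, self.salt)
        if hmac.compare_digest(candidate, self.digest):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked = True
            self.wipe()                        # application data wipe on lockout
        sleep(FAIL_DELAY_SECONDS)              # intentional 2 s delay per failure
        return False

    def wipe(self) -> None:
        """Drop the stored hash so nothing usable remains on the device."""
        self.digest = b""
```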