Android P Security Updates
What You Need to Know
© Copyright 2018 NowSecure, Inc. All Rights Reserved. Proprietary information.
AGENDA + SPEAKERS
BRIAN REED
CHIEF MOBILITY OFFICER
TONY RAMIREZ
MOBILE SECURITY ANALYST
● Mobile Security Landscape
● The State of Android 8
● Android Pie
● How Security Analysts Can Prepare
● Predictions & Recommendations
NowSecure #MobSec5
Weekly mobile security news update
SUBSCRIBE NOW:
www.nowsecure.com/go/subscribe
DEEP MOBILE SECURITY EXPERTISE
Open source
Books & Speaking
Mobile threat research is in our DNA
● Dream team of security researchers
● Every waking moment spent:
○ Discovering critical vulns
○ Identifying novel attack vectors
○ Creating/maintaining renowned
open-source mobile security tools/projects
The NowSecure Mission
● Save the world from unsafe mobile apps
● Educate enterprises on the latest mobile threats
● Maximize the security of apps enterprises
develop, purchase and use
MOBILE VULNS CONTINUE TO GROW
842
Disclosed vulnerabilities
(CVEs) in 2017
1533 Lifetime (2006-2017)
GOOGLE ANDROID
 
387
Disclosed vulnerabilities
(CVEs) in 2017
1371 Lifetime (2006-2017)
APPLE iOS
http://www.cvedetails.com/product/19997/Google-Android.html?vendor_id=1224 https://www.cvedetails.com/product/15556/Apple-Iphone-Os.html?vendor_id=49
INSIDE THE MOBILE ATTACK SURFACE
CODE FUNCTIONALITY
▪GPS spoofing
▪Buffer overflow
▪allowBackup flag
▪allowDebug flag
▪Code obfuscation
▪Configuration manipulation
▪Escalated privileges
▪URL schemes
▪Integrity/tampering/repacking
▪Side channel attacks
▪App signing key unprotected
▪JSON-RPC
▪Automatic Reference Counting
▪Android rooting/iOS jailbreak
▪User-initiated code
▪Confused deputy attack
▪Multimedia/file format parsers
▪Insecure 3rd party libraries
▪World writable files
▪World writable executables
▪World readable files
▪Dynamic runtime injection
▪Unintended permissions
▪UI overlay/pin stealing
▪Intent hijacking
▪Zip directory traversal
▪Clipboard data
DATA AT REST
▪Data caching
▪Data stored in application directory
▪Decryption of keychain
▪Data stored in log files
▪Data cached in memory/RAM
▪Data stored on SD card
▪OS data caching
▪Passwords & data accessible
▪No/weak encryption
▪TEE/Secure Enclave Processor
▪Side channel leak
▪SQLite database
▪Emulator variance
DATA IN TRANSIT
▪Wi-Fi (no/weak encryption)
▪Rogue access point
▪Packet sniffing
▪Man-in-the-middle
▪Session hijacking
▪DNS poisoning
▪TLS downgrade
▪Fake TLS certificate
▪Improper TLS validation
▪HTTP proxies
▪VPNs
▪Weak/no local authentication
▪App Transport Security
▪Transmitted to insecure server
▪Zip files in transit
▪Cookie "httpOnly" flag
▪Cookie "secure" flag
API BACKEND
▪Platform vulnerabilities
▪Server misconfiguration
▪Cross-site scripting
▪Cross-site request forgery
▪Cross origin resource sharing
▪Brute force attacks
▪Side channel attacks
▪SQL injection
▪Privilege escalation
▪Data dumping
▪OS command execution
▪Weak input validation
▪Hypervisor attack
▪VPN
NOWSECURE INDUSTRY BENCHMARKS
Score bands: 0-59, 60-69, 70-79, 80-89, 90-100, labelled from High Risk (lowest band) through Caution to Low Risk (highest band)
*Scoring algorithm based on industry-standard CVSS-scored findings
Typical failures: local auth, cookies, iOS ATS, key size
Worst failures: RCE, man-in-the-middle attack, invalid certificate, known vulnerable 3rd party libraries, unencrypted credentials/PII in local files or over HTTP
THE STATE OF Oreo
[A YEAR IN REVIEW]
MAJOR FEATURES ADDED IN Oreo [2017]
● WebView Changes (multi process)
● Safe Browsing API for Webviews
● UI Overlay detection
● SSLv3 support dropped
MAJOR FEATURES ADDED IN Oreo [2017]
● App Install permissions
● OS downgrade protection
● Dev Options requires priv
● SECCOMP filtering
● Play Protect
Pie
NON-SDK RESTRICTIONS
● Using non-SDK interfaces may affect the behavior of your app
● Non-SDK interfaces are Java methods or fields that are not part of the official Android SDK
● Non-SDK interfaces are restricted whether they are referenced directly, via reflection, or via JNI
● Greylisted APIs log a warning when used (and may show a toast in debuggable builds)
● Blacklisted APIs (and dark-greylisted ones, for apps targeting API 28) fail with NoSuchMethodError / NoSuchFieldError when used
● Testing requires a device or emulator running Android P: install the build manually and watch logcat for hidden-API warnings
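As an added example (not code from the NowSecure deck), a small Python triage script for the warnings ART writes to logcat when an app touches a non-SDK interface. The warning format and the list names (whitelist, light greylist, dark greylist, blacklist) are assumptions based on Android 9 logcat output; the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed Android 9 warning format (from observed logcat output):
#   Accessing hidden method Lpkg/Cls;->name(Args)Ret (light greylist, reflection)
HIDDEN_API_RE = re.compile(
    r"Accessing hidden (?P<kind>method|field) "
    r"(?P<member>L[^ ]+) "
    r"\((?P<list>whitelist|light greylist|dark greylist|blacklist), "
    r"(?P<access>reflection|JNI|linking)\)"
)

# Constructed sample logcat lines (not captured from a real device).
SAMPLE_LOGCAT = """\
07-30 10:12:01.123  4321  4321 W com.example.app: Accessing hidden method Landroid/app/ActivityThread;->currentActivityThread()Landroid/app/ActivityThread; (light greylist, reflection)
07-30 10:12:01.130  4321  4321 W com.example.app: Accessing hidden field Landroid/os/Message;->flags:I (light greylist, JNI)
07-30 10:12:02.004  4321  4321 W com.example.app: Accessing hidden method Ldalvik/system/VMRuntime;->setHiddenApiExemptions([Ljava/lang/String;)V (dark greylist, reflection)
07-30 10:12:02.010  4321  4321 W com.example.app: Accessing hidden method Landroid/app/ActivityThread;->getPackageManager()Landroid/content/pm/IPackageManager; (blacklist, linking)
07-30 10:12:02.011  4321  4321 I ActivityManager: Start proc 4321:com.example.app/u0a123 for activity
"""

# Android 9 enforcement per list: light greylist only warns; dark greylist (for
# apps targeting API 28) and blacklist make the access fail with
# NoSuchMethodError / NoSuchFieldError.
SEVERITY = {
    "whitelist": "ok",
    "light greylist": "warn",
    "dark greylist": "blocked",
    "blacklist": "blocked",
}


def parse_hidden_api_warnings(logcat_text):
    """Return one dict (kind, member, list, access, severity) per warning found."""
    findings = []
    for line in logcat_text.splitlines():
        m = HIDDEN_API_RE.search(line)
        if m:
            d = m.groupdict()
            d["severity"] = SEVERITY[d["list"]]
            findings.append(d)
    return findings


def summarize(findings):
    """Group member descriptors by enforcement outcome, deduplicated and sorted."""
    by_severity = defaultdict(set)
    for f in findings:
        by_severity[f["severity"]].add(f["member"])
    return {sev: sorted(members) for sev, members in by_severity.items()}


if __name__ == "__main__":
    # Pipe in real output with: adb logcat | grep "Accessing hidden"
    report = summarize(parse_hidden_api_warnings(SAMPLE_LOGCAT))
    for sev in ("blocked", "warn", "ok"):
        for member in report.get(sev, []):
            print(f"{sev:8} {member}")
```

The "blocked" bucket is the list to hand back to developers before the targetSdkVersion is raised to 28. On an Android 9 test device the documented global settings hidden_api_policy_pre_p_apps and hidden_api_policy_p_apps control enforcement during testing (value 1 logs every access without blocking it), which is the easiest way to collect the full set of warnings in one run.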
PRIVACY IMPROVEMENTS
● Limited access to sensors in the background
○ Camera and microphone can no longer be opened by an app that is in the background
○ Continuous-reporting sensors such as the accelerometer stop delivering events to background apps; an app that genuinely needs them must use a foreground service
PRIVACY IMPROVEMENTS
● New permission group
○ CALL_LOG group: READ_CALL_LOG, WRITE_CALL_LOG and PROCESS_OUTGOING_CALLS are split out of the PHONE group, giving users separate control over access to call history and phone numbers
■ Build.getSerial() now requires the READ_PHONE_STATE permission; the device serial is no longer readable without it
TLS BY DEFAULT
● cleartextTrafficPermitted defaults to false for apps targeting API level 28
● Domains that still require plaintext HTTP must be listed explicitly in the Network Security Config with cleartextTrafficPermitted="true"; scope the exception per domain rather than flipping it in base-config
Related NowSecure blog post: A Security Analyst's Guide to Network Security Configuration in Android P
    <network-security-config>
        <domain-config cleartextTrafficPermitted="false">
            <domain includeSubdomains="true">example.com</domain>
        </domain-config>
        <base-config cleartextTrafficPermitted="false">
            <trust-anchors>
                <certificates src="system" />
            </trust-anchors>
        </base-config>
    </network-security-config>
ANDROID PROTECTED CONFIRMATION
● For user confirmation of protected actions (for example, approving a payment)
● Meant to be used as an integrity check
○ The signed confirmation proves that the user has seen the statement and agreed to the request
● It signs the statement; it does not encrypt anything, so you still need TLS for your network communications
ANDROID BACKUP ENCRYPTION
● Android 9 and later allow app backups to be encrypted with a client-side secret derived from the device PIN, password or pattern
● Requires:
○ android:allowBackup="true"
○ A device PIN, password or pattern
○ requireFlags="clientSideEncryption" on the <include> rules in the android:fullBackupContent XML, so that those files are only backed up when client-side encryption is available
OTHER ANDROID 9 SECURITY QUICK HITS
StrongBox Keymaster
● Hardware security implementation of the Keymaster HAL
● True random-number generator
● Anti-tamper mechanisms
● Secure storage
● Separate CPU
Hostname Verification Changes
● Android P follows RFC 2818 strictly: the Common Name is no longer used as a fallback
● Hostnames are matched only against Subject Alternative Name (dNSName) entries; a certificate without a SAN now fails verification
targetSdkVersion
● Google Play now requires a target API level of at least 26
● The required level increases with each release
● Expect the mandatory target API level to be 28 next year
APK Signature Scheme v3
● Allows for rotation of signatures
Expanded SECCOMP Filter
● Secure Computing (SECCOMP) filter
applied to all apps
● System calls can expose the kernel
to attack
Per-App SELinux Domains
● Apps targeting API 28 run in their own SELinux sandbox; world-accessible files in the app's data directory are no longer reachable by other apps
● Files must be shared via a content provider
DNS over TLS
● Support for DNS query encryption
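An added Python model of the hostname verification change, written for this page rather than taken from the platform (the real check runs in Conscrypt on the parsed certificate). The two certificates are constructed dicts holding only the fields that matter: a Common Name and the subjectAltName dNSName entries.

```python
# Constructed leaf certificates, reduced to the fields hostname verification uses.
CERT_SAN_ONLY = {"cn": "Example Inc", "sans": ["api.example.com", "*.cdn.example.com"]}
CERT_CN_ONLY = {"cn": "api.example.com", "sans": []}


def _dns_name_matches(pattern, hostname):
    """RFC 2818 / RFC 6125 style comparison: case-insensitive; a wildcard is only
    allowed as the entire left-most label, needs at least two more labels, and
    never matches across a dot."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False
    host_labels = hostname.split(".")
    return (len(host_labels) == len(labels)
            and host_labels[0] != ""
            and host_labels[1:] == labels[1:])


def hostname_verified(cert, hostname, cn_fallback):
    """Android 9 behaves like cn_fallback=False: only SAN dNSName entries count.
    Earlier releases fell back to the Common Name when no SAN was present."""
    if cert["sans"]:
        return any(_dns_name_matches(san, hostname) for san in cert["sans"])
    if cn_fallback:
        return _dns_name_matches(cert["cn"], hostname)
    return False


if __name__ == "__main__":
    for label, cert in (("SAN-only cert", CERT_SAN_ONLY), ("CN-only cert", CERT_CN_ONLY)):
        print(label, "pre-P:", hostname_verified(cert, "api.example.com", cn_fallback=True),
              "Android 9:", hostname_verified(cert, "api.example.com", cn_fallback=False))
```

The CN-only certificate is the case to retest: it verified on older releases and is rejected on Android 9, which typically shows up as an SSLPeerUnverifiedException against an internal or staging endpoint whose certificate was issued without a SAN.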
RECOMMENDATIONS,
PREDICTIONS,
& NEXT STEPS
NETWORK SECURITY CONFIGURATION DEFAULTS
These defaults are keyed on the app's targetSdkVersion, not only on the OS it runs on: an app targeting API 23 keeps the old behavior even on an Android 9 device.
Android 6 and below (NSC did not exist yet; equivalent effective policy):
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
Android 7 and 8 (user-installed CAs no longer trusted by default):
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
Android 9 (cleartext denied by default):
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
NSC BEST PRACTICES
● Make sure every network stack in the app honors NSC: the platform's HttpsURLConnection and WebView do, but a third-party or native TLS stack that installs its own TrustManager bypasses it
● Explicitly set system as the only certificate source; trust user-installed CAs only inside debug-overrides for testing
● NSC does not perform hostname verification; that remains the job of the TLS client's HostnameVerifier
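An added Python audit script for a Network Security Config (not from the deck or the blog post it references). It applies the targetSdkVersion-dependent platform defaults from the table above, then reports cleartext exceptions, user-CA trust and expiring pin sets per scope. The XML it parses is a constructed sample; the inheritance rules it encodes (base-config falls back to the platform default, domain-config falls back to base-config) are as documented for NSC.

```python
import xml.etree.ElementTree as ET

# Constructed res/xml/network_security_config.xml (illustration only): one domain
# still allows cleartext, one trusts user-installed CAs, one has an expiring pin set.
SAMPLE_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">legacy.example.com</domain>
    </domain-config>
    <domain-config>
        <domain includeSubdomains="false">api.example.com</domain>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
        <pin-set expiration="2019-12-31">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
        </pin-set>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""


def platform_defaults(target_sdk):
    """What Android applies when the config says nothing: cleartext is denied from
    targetSdk 28 (Android 9); user-installed CAs are untrusted from targetSdk 24 (Android 7)."""
    return {
        "cleartext": target_sdk < 28,
        "trust": {"system", "user"} if target_sdk < 24 else {"system"},
    }


def _bool_attr(elem, name, inherited):
    if elem is None or name not in elem.attrib:
        return inherited
    return elem.attrib[name].lower() == "true"


def _trust_sources(elem, inherited):
    anchors = elem.find("trust-anchors") if elem is not None else None
    if anchors is None:
        return set(inherited)
    return {c.attrib.get("src", "") for c in anchors.findall("certificates")}


def audit_nsc(xml_text, target_sdk):
    """Return (scope, issue) findings for a Network Security Config."""
    root = ET.fromstring(xml_text)
    defaults = platform_defaults(target_sdk)
    base = root.find("base-config")
    base_cleartext = _bool_attr(base, "cleartextTrafficPermitted", defaults["cleartext"])
    base_trust = _trust_sources(base, defaults["trust"])
    findings = []
    if base_cleartext:
        findings.append(("base-config", "cleartext traffic permitted for every domain"))
    if "user" in base_trust:
        findings.append(("base-config", "user-installed CAs trusted: an added root CA can intercept TLS"))

    for dc in root.findall("domain-config"):
        scope = ",".join(d.text.strip() for d in dc.findall("domain"))
        # Unset values in a domain-config inherit from base-config, not from the platform.
        if _bool_attr(dc, "cleartextTrafficPermitted", base_cleartext):
            findings.append((scope, "cleartext traffic permitted"))
        if "user" in _trust_sources(dc, base_trust):
            findings.append((scope, "user-installed CAs trusted"))
        pin_set = dc.find("pin-set")
        if pin_set is not None and "expiration" in pin_set.attrib:
            # After the expiration date Android silently stops enforcing the pins.
            findings.append((scope, f"pins stop being enforced after {pin_set.attrib['expiration']}"))

    dbg = root.find("debug-overrides")
    if dbg is not None and "user" in _trust_sources(dbg, set()):
        findings.append(("debug-overrides", "user CAs trusted only while android:debuggable is true"))
    return findings


if __name__ == "__main__":
    for scope, issue in audit_nsc(SAMPLE_NSC, target_sdk=28):
        print(f"[{scope}] {issue}")
```

Run it against the config pulled from the APK together with the manifest's targetSdkVersion; a missing or empty config is a finding in itself for anything targeting below 28, and the script reports it as such.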
ANDROID BACKUP BEST PRACTICES
● If android:allowBackup="true" (the default when the attribute is absent), confirm whether sensitive data is in the app and where it is stored
● Confirm whether those locations are covered by the android:fullBackupContent config file
● Confirm the config file uses requireFlags="clientSideEncryption" for them
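An added Python walkthrough of that checklist (example code, not from the deck): it reads allowBackup from a manifest fragment, evaluates the full-backup-content rules for a list of artifacts an analyst found on the device, and reports which of them leave the device in plaintext backups. The manifest, rules file and artifact list are all constructed; the rule semantics (once any <include> exists only included paths are backed up, <exclude> always wins) follow the Android documentation.

```python
import xml.etree.ElementTree as ET

# Constructed AndroidManifest.xml fragment (illustration only).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <application android:allowBackup="true" android:fullBackupContent="@xml/backup_rules" />
</manifest>
"""

# Constructed res/xml/backup_rules.xml. Only the sharedpref rule carries
# requireFlags="clientSideEncryption" (honored on Android 9+).
SAMPLE_BACKUP_RULES = """<?xml version="1.0" encoding="utf-8"?>
<full-backup-content>
    <include domain="sharedpref" path="session.xml" requireFlags="clientSideEncryption" />
    <include domain="database" path="app.db" />
    <exclude domain="database" path="app.db-journal" />
    <include domain="file" path="cache_index" />
</full-backup-content>
"""

# Constructed list of sensitive artifacts located during testing: (domain, path).
SENSITIVE_PATHS = [
    ("sharedpref", "session.xml"),   # holds an auth token
    ("database", "app.db"),          # holds PII
    ("file", "cache_index"),
]

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def allow_backup(manifest_xml):
    """android:allowBackup defaults to true when the attribute is absent."""
    app = ET.fromstring(manifest_xml).find("application")
    return app.attrib.get(ANDROID_NS + "allowBackup", "true").lower() == "true"


def _matches(rule_path, path):
    # A rule path names a file or a directory prefix; "." covers the whole domain.
    return rule_path == "." or path == rule_path or path.startswith(rule_path.rstrip("/") + "/")


def classify(rules_xml, domain, path):
    """Return 'excluded', 'plaintext-ok' or 'encrypted-only' for one artifact."""
    root = ET.fromstring(rules_xml)
    excludes = [r for r in root.findall("exclude") if r.attrib["domain"] == domain]
    if any(_matches(r.attrib["path"], path) for r in excludes):
        return "excluded"
    includes = root.findall("include")
    if includes:
        hit = [r for r in includes
               if r.attrib["domain"] == domain and _matches(r.attrib["path"], path)]
        if not hit:
            return "excluded"
        if any(r.attrib.get("requireFlags") == "clientSideEncryption" for r in hit):
            return "encrypted-only"
    return "plaintext-ok"


def audit_backup(manifest_xml, rules_xml, sensitive):
    """Map 'domain:path' to its backup outcome; empty when backups are disabled."""
    if not allow_backup(manifest_xml):
        return {}
    return {f"{d}:{p}": classify(rules_xml, d, p) for d, p in sensitive}


if __name__ == "__main__":
    for artifact, outcome in audit_backup(SAMPLE_MANIFEST, SAMPLE_BACKUP_RULES, SENSITIVE_PATHS).items():
        print(f"{outcome:14} {artifact}")
```

Anything reported as plaintext-ok that holds a secret is a finding. Keep in mind that requireFlags only means something on Android 9 and later; on older devices the attribute is ignored and the file is backed up as before, so the device-independent fix is to exclude the secret or not store it in a backed-up location at all.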
WHAT ABOUT SECURITY TESTING IMPLICATIONS?
● All apps should target API level 26 at least
● NSC defaults depend on targetSdkVersion and may change the results of your testing: a proxy CA that worked against an older target will be rejected, and cleartext endpoints will fail
● Re-test hostname verification (CN-only certificates now fail)
● Review the backup configuration
ANDROID Q PREDICTIONS
● Android Quiche or Quesadilla?
● Likely continue closing more security edge cases & privacy
items
● Certificate Transparency part of NSC
● Additional permission groups
● App Store requirements
LEVERAGE NOWSECURE
MOBILE APPSEC TESTING
FOR Android P
NOWSECURE AUTOMATION PLATFORM
● NowSecure AUTO (Continuous Integration): automated security testing in the SDLC for Dev, QA & Security teams
● NowSecure WORKSTATION: deep pen testing analysis of complex, high-risk mobile apps for security analysts
● NowSecure INTEL (Continuous Monitoring): public app store risk data for EMM, threat & security teams
● NowSecure SERVICES: expert pen testing, training & mobile app security programs for app owners, Dev & security teams
Platform components: Data Repository, Dashboards & Reports, Advanced Configuration, Device Farm, Compliance Mapping, Analysis Engine
LEVERAGE NOWSECURE TO PREP FOR ANDROID P
● NowSecure AUTO (Continuous Integration): automated security testing in the SDLC for Dev, QA & Security teams. Automatically test all your apps in the Dev pipeline before and after the Android P release.
● NowSecure INTEL (Continuous Monitoring): public app store risk data for EMM, threat & security teams. Analyze the risk of all 3rd-party apps currently in use or being considered for deployment on Android P.
NOWSECURE APPSEC TESTING COVERAGE CHECKLIST
Automated mobile app security testing platform; coverage spans the Android device stack (apps, frameworks, native libraries, memory, kernel, hardware), network & cloud services, and the data center & app backend.
DATA IN MOTION
✓ Man in the Middle: Cert Validation
✓ Man in the Middle: Cert Pinning
✓ Man in the Middle: HTTP Connections
✓ SSL Downgrade
✓ Unprotected TLS traffic
✓ Cookie integrity
✓ Certificate Validity
✓ App Transport Security
✓ …
DATA AT REST
✓ App files & log files
✓ Keychain
✓ SD Card
✓ World Writable Files
✓ World Readable Files
✓ RAM
✓ Unencrypted credential storage
✓ SQLite Databases
✓ Secure Enclave Processor
✓ …
CODE FUNCTIONALITY
✓ Development flags
✓ Automatic Reference Counting
✓ Stack Smashing
✓ Bad Authentication/Authorization
✓ Root access
✓ Path Traversal
✓ SQL Injection
✓ Vulnerable 3rd party libraries
✓ Heartbleed
✓ Bad cryptography
✓ Obfuscation
✓ …
INSIDE NOWSECURE MOBILE APP RISK SCORING
NOWSECURE COMING ATTRACTIONS
ATARC Federal Mobile Summit
Aug 30, 2018 | Washington D.C.
DevSecCon Boston 2018
Sep 10-11, 2018 | Boston, MA
Chicago Cybersecurity Meetup
Aug 23, 2018 | Chicago, IL
CIOarena Chicago
Sep 5, 2018 | Chicago, IL
DevOps World / Jenkins World 2018
Sep 17-19, 2018 | San Jose, CA
ISSA Austin
Sep 18, 2018 | Austin, TX
ISSA New England
Sep 25, 2018 | San Jose, CA
AppSec USA
Oct 10-11, 2018 | San Jose, CA
OPEN Q&A
BRIAN REED
CHIEF MOBILITY OFFICER
TONY RAMIREZ
MOBILE SECURITY ANALYST
Use the “Ask a Question” tab below the slides
Let’s talk
NowSecure
+1 312.878.1100
@NowSecureMobile
www.nowsecure.com
Subscribe to #MobSec5
A digest of the week’s mobile security news that matters
https://www.nowsecure.com/go/subscribe
NowSecure
 
Cybersecurity Fundamentals for Bar Associations
Cybersecurity Fundamentals for Bar AssociationsCybersecurity Fundamentals for Bar Associations
Cybersecurity Fundamentals for Bar Associations
NowSecure
 
Mobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeMobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the Code
NowSecure
 

More from NowSecure (13)

Jeff's Journey: Best Practices for Securing Mobile App DevOps
Jeff's Journey: Best Practices for Securing Mobile App DevOpsJeff's Journey: Best Practices for Securing Mobile App DevOps
Jeff's Journey: Best Practices for Securing Mobile App DevOps
 
iOS 12 Preview - What You Need To Know
iOS 12 Preview - What You Need To KnowiOS 12 Preview - What You Need To Know
iOS 12 Preview - What You Need To Know
 
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App RiskMobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
 
What attackers know about your mobile apps that you don’t: Banking & FinTech
What attackers know about your mobile apps that you don’t: Banking & FinTechWhat attackers know about your mobile apps that you don’t: Banking & FinTech
What attackers know about your mobile apps that you don’t: Banking & FinTech
 
Solving for Compliance: Mobile app security for banking and financial services
Solving for Compliance: Mobile app security for banking and financial servicesSolving for Compliance: Mobile app security for banking and financial services
Solving for Compliance: Mobile app security for banking and financial services
 
Leaky Mobile Apps: What You Need to Know
Leaky Mobile Apps: What You Need to KnowLeaky Mobile Apps: What You Need to Know
Leaky Mobile Apps: What You Need to Know
 
Vetting Mobile Apps for Corporate Use: Security Essentials
Vetting Mobile Apps for Corporate Use: Security EssentialsVetting Mobile Apps for Corporate Use: Security Essentials
Vetting Mobile Apps for Corporate Use: Security Essentials
 
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
 
Delivering secure mobile financial services (MFS) - "Frictionless" vs diligence
Delivering secure mobile financial services (MFS) - "Frictionless" vs diligenceDelivering secure mobile financial services (MFS) - "Frictionless" vs diligence
Delivering secure mobile financial services (MFS) - "Frictionless" vs diligence
 
Next-level mobile app security: A programmatic approach
Next-level mobile app security: A programmatic approachNext-level mobile app security: A programmatic approach
Next-level mobile app security: A programmatic approach
 
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...
 
Cybersecurity Fundamentals for Bar Associations
Cybersecurity Fundamentals for Bar AssociationsCybersecurity Fundamentals for Bar Associations
Cybersecurity Fundamentals for Bar Associations
 
Mobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeMobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the Code
 

Android P Security Updates: What You Need to Know

  • 1. Android P Security Updates: What You Need to Know
© Copyright 2018 NowSecure, Inc. All Rights Reserved. Proprietary information.

  • 2. AGENDA + SPEAKERS
BRIAN REED, CHIEF MOBILITY OFFICER
TONY RAMIREZ, MOBILE SECURITY ANALYST
● Mobile Security Landscape
● The State of Android 8
● Android Pie
● How Security Analysts Can Prepare
● Predictions & Recommendations

  • 3. NowSecure #MobSec5
Weekly mobile security news update
SUBSCRIBE NOW: www.nowsecure.com/go/subscribe

  • 4. DEEP MOBILE SECURITY EXPERTISE
Open source | Books & Speaking
Mobile threat research is in our DNA
● Dream team of security researchers
● Every waking moment spent:
○ Discovering critical vulns
○ Identifying novel attack vectors
○ Creating/maintaining renowned open-source mobile security tools/projects
The NowSecure Mission
● Save the world from unsafe mobile apps
● Educate enterprises on the latest mobile threats
● Maximize the security of apps enterprises develop, purchase and use

  • 5. MOBILE VULNS CONTINUE TO GROW
GOOGLE ANDROID: 842 disclosed vulnerabilities (CVEs) in 2017; 1533 lifetime (2006-2017)
APPLE iOS: 387 disclosed vulnerabilities (CVEs) in 2017; 1371 lifetime (2006-2017)
Sources: http://www.cvedetails.com/product/19997/Google-Android.html?vendor_id=1224 and https://www.cvedetails.com/product/15556/Apple-Iphone-Os.html?vendor_id=49

  • 6. INSIDE THE MOBILE ATTACK SURFACE
Categories: DATA AT REST | CODE FUNCTIONALITY | DATA IN TRANSIT | API BACKEND
▪ GPS spoofing
▪ Buffer overflow
▪ allowBackup flag
▪ allowDebug flag
▪ Code obfuscation
▪ Configuration manipulation
▪ Escalated privileges
▪ URL schemes
▪ Integrity/tampering/repacking
▪ Side channel attacks
▪ App signing key unprotected
▪ JSON-RPC
▪ Automatic Reference Counting
▪ Data caching
▪ Data stored in application directory
▪ Decryption of keychain
▪ Data stored in log files
▪ Data cached in memory/RAM
▪ Data stored in SD card
▪ Platform vulnerabilities
▪ Server misconfiguration
▪ Cross-site scripting
▪ Cross-site request forgery
▪ Cross origin resource sharing
▪ Brute force attacks
▪ SQL injection
▪ Privilege escalation
▪ Data dumping
▪ OS command execution
▪ Weak input validation
▪ Hypervisor attack
▪ VPN
▪ OS data caching
▪ Passwords & data accessible
▪ No/weak encryption
▪ TEE/Secure Enclave Processor
▪ Side channel leak
▪ SQLite database
▪ Emulator variance
▪ Wi-Fi (no/weak encryption)
▪ Rogue access point
▪ Packet sniffing
▪ Man-in-the-middle
▪ Session hijacking
▪ DNS poisoning
▪ TLS downgrade
▪ Fake TLS certificate
▪ Improper TLS validation
▪ HTTP proxies
▪ VPNs
▪ Weak/no local authentication
▪ App Transport Security
▪ Transmitted to insecure server
▪ Zip files in transit
▪ Cookie "httpOnly" flag
▪ Cookie "secure" flag
▪ Android rooting/iOS jailbreak
▪ User-initiated code
▪ Confused deputy attack
▪ Multimedia/file format parsers
▪ Insecure 3rd party libraries
▪ World writable files
▪ World writable executables
▪ Dynamic runtime injection
▪ Unintended permissions
▪ UI overlay/PIN stealing
▪ Intent hijacking
▪ Zip directory traversal
▪ Clipboard data
▪ World readable files

  • 7. NOWSECURE INDUSTRY BENCHMARKS
Score bands: 0-59 | 60-69 | 70-79 | 80-89 | 90-100, labeled from High Risk through Caution to Low Risk
*Scoring algorithm based on industry-standard CVSS-scored findings
Typical failures: Local Auth, Cookies, iOS ATS, Key size
Worst failures: RCE, Man-in-the-Middle attack, Invalid certificate, Known vulnerable 3rd party libraries, Unencrypted credentials/PII in local files or over HTTP
  • 8. THE STATE OF Oreo [A YEAR IN REVIEW]

  • 9. MAJOR FEATURES ADDED IN Oreo [2017]
● WebView changes (multi process)
● Safe Browsing API for WebViews
● UI overlay detection
● SSLv3 support dropped

  • 10. MAJOR FEATURES ADDED IN Oreo [2017]
● App install permissions
● OS downgrade protection
● Dev Options requires priv
● SECCOMP filtering
● Play Protect

  • 11. Pie
  • 12. NON-SDK RESTRICTIONS
● Using non-SDK interfaces may affect the behavior of your app
● Non-SDK interfaces are Java methods or fields that are not part of the official Android SDK
● Non-SDK interfaces are restricted whether referenced directly, via reflection, or via JNI
● Greylisted APIs will print logs and may display a toast if used in the app
● Blacklisted APIs will throw an error if used in the app
● Manual install on an Android P device is required to test

  • 13. PRIVACY IMPROVEMENTS
● Limited access to sensors in background
○ Camera and microphone access are restricted for apps in the background
○ Accelerometer and other sensors won't report

  • 14. PRIVACY IMPROVEMENTS
● New permission group
○ CALL_LOG group - better control over access to phone call information, numbers, and device serial number
■ READ_PHONE_STATE permission
  • 15. TLS BY DEFAULT
● cleartextTrafficPermitted is set to false by default
● Must explicitly set cleartextTrafficPermitted to true for domains that require HTTP in the Network Security Config
Read the Blog: A Security Analyst's Guide to Network Security Configuration in Android P

<network-security-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">example.com</domain>
    </domain-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>
  • 16. ANDROID PROTECTED CONFIRMATION
● For user confirmation of protected actions
● Meant to be used as an integrity check
○ The user has seen the statement and agrees with the request
● You still need to encrypt your network communications

  • 17. ANDROID BACKUP ENCRYPTION
● Android 9 and above allow app backups to be encrypted using a client-side secret
○ PIN, password, or pattern
● Requires:
○ android:allowBackup="true"
○ Device PIN/password/pattern
○ requireFlags="clientSideEncryption"
■ Part of your android:fullBackupContent
  • 18. OTHER ANDROID 9 SECURITY QUICK HITS
StrongBox Keymaster
● Hardware security implementation of the Keymaster HAL
● True random-number generator
● Anti-tamper mechanisms
● Secure storage
● Separate CPU
Hostname Verification Changes
● Android P implements RFC 2818
● The Subject Alt Name field will be used for hostname verification instead of the Common Name field
targetSdkVersion
● Target API level must be level 26
● Number will increase with each release
● Expect mandatory target API level to be 28 next year
APK Signature Scheme v3
● Allows for rotation of signatures
Expanded SECCOMP Filter
● Secure Computing (SECCOMP) filter applied to all apps
● System calls can expose the kernel to attack
Per-App SELinux Domains
● Files must be shared via content provider
DNS over TLS
● Support for DNS query encryption
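To make the hostname verification change concrete, here is a simplified RFC 2818 matcher that an analyst can use to predict which server certificates stop validating once the Common Name is no longer consulted. This is an added example, not Android's own verifier (which is stricter about wildcards and IP addresses); the certificate dicts and the `cn_fallback` switch are constructed for illustration.

```python
"""Simplified RFC 2818 hostname matching illustrating the Android 9 change:
subjectAltName dNSNames are consulted and the Common Name is not.
Added example; not Android's own verifier code."""


def _label_match(pattern, hostname):
    """Match one dNSName pattern against a hostname, case-insensitively.
    A leading '*.' matches exactly one leftmost label (a.example.com but
    not a.b.example.com); any other pattern must match exactly."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        p_rest = pattern[2:]
        h_first, sep, h_rest = hostname.partition(".")
        return bool(h_first) and bool(sep) and h_rest == p_rest
    return pattern == hostname


def verify_hostname(hostname, cert, cn_fallback=False):
    """cert is a dict with 'cn' (Common Name) and 'san' (dNSName list).

    cn_fallback=False models Android 9: only SAN dNSNames count, so a
    CN-only certificate never matches. cn_fallback=True models the older
    behaviour, where CN is tried only when no SAN dNSName is present
    (the CN is ignored whenever a SAN is present in both models)."""
    sans = cert.get("san") or []
    if sans:
        return any(_label_match(p, hostname) for p in sans)
    if cn_fallback and cert.get("cn"):
        return _label_match(cert["cn"], hostname)
    return False


# Constructed certificates: field values only, no real key material.
CN_ONLY_CERT = {"cn": "api.example.com", "san": []}
SAN_CERT = {"cn": "ignored.example.net",
            "san": ["api.example.com", "*.cdn.example.com"]}


def android9_regression_report(hostname, cert):
    """Flag a host whose certificate validated via CN before Android 9
    but fails under SAN-only verification, i.e. needs a SAN reissued."""
    old = verify_hostname(hostname, cert, cn_fallback=True)
    new = verify_hostname(hostname, cert, cn_fallback=False)
    return {"hostname": hostname, "pre_android9": old, "android9": new,
            "needs_san": old and not new}
```

Run `android9_regression_report` over the hostnames an app connects to, feeding it the CN and SAN entries pulled from each server's certificate, to find endpoints that will break before testing on a Pie device.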
  • 19. RECOMMENDATIONS, PREDICTIONS, & NEXT STEPS

  • 20. NETWORK SECURITY CONFIGURATION DEFAULTS
Android 6 and below:
<base-config cleartextTrafficPermitted="true">
    <trust-anchors>
        <certificates src="system" />
        <certificates src="user" />
    </trust-anchors>
</base-config>

Android 7 and 8:
<base-config cleartextTrafficPermitted="true">
    <trust-anchors>
        <certificates src="system" />
    </trust-anchors>
</base-config>

Android 9:
<base-config cleartextTrafficPermitted="false">
    <trust-anchors>
        <certificates src="system" />
    </trust-anchors>
</base-config>

  • 21. NSC BEST PRACTICES
● Make sure your APIs honor NSC
● Explicitly set user as the only certificate source when possible.
● NSC does not perform hostname verification

  • 22. ANDROID BACKUP BEST PRACTICES
● If android:allowBackup="true", confirm whether sensitive data exists in the app and in which locations.
● Confirm whether those locations are covered in the android:fullBackupContent config file
● Confirm the config file uses requireFlags="clientSideEncryption"

  • 23. WHAT ABOUT SECURITY TESTING IMPLICATIONS?
● All apps should be targeting API level 26 at least
● NSC defaults may affect the results of your testing
● Hostname verification testing
● Backup config
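The NSC and backup checks on slides 20 through 23 can be scripted against the XML resources pulled out of an APK. The following is an added example (not NowSecure tooling): it flags an explicit cleartext opt-in, user-installed CAs in the trust anchors, and `<include>` entries that lack `requireFlags="clientSideEncryption"`; the sample config files are constructed for the example.

```python
"""Audit an app's Network Security Config and fullBackupContent rules against
the Android 9 defaults covered in the deck. Added example, not NowSecure code."""
import xml.etree.ElementTree as ET

# Android 9 default from slide 20: no cleartext, system CAs only.
ANDROID9_DEFAULT = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system" /></trust-anchors>
  </base-config>
</network-security-config>"""

# Constructed sample: an app that re-enables HTTP for one legacy host and
# keeps user-installed CAs as a trust anchor.
SAMPLE_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">legacy.example.com</domain>
  </domain-config>
</network-security-config>"""

# Constructed sample: backup rules that never require client-side encryption.
SAMPLE_BACKUP_RULES = """<full-backup-content>
  <include domain="sharedpref" path="." />
  <exclude domain="database" path="sessions.db" />
</full-backup-content>"""


def audit_nsc(xml_text):
    """Return findings for a network_security_config.xml, in document order."""
    root = ET.fromstring(xml_text)
    findings = []
    base = root.find("base-config")
    # Android 9 defaults base-config to cleartextTrafficPermitted="false";
    # an explicit "true" here re-opens HTTP for every domain.
    if base is not None and base.get("cleartextTrafficPermitted") == "true":
        findings.append("base-config permits cleartext for all domains")
    for anchors in root.iter("trust-anchors"):
        if any(c.get("src") == "user" for c in anchors.findall("certificates")):
            findings.append("trust-anchors include user-installed CAs")
    for dc in root.findall("domain-config"):
        if dc.get("cleartextTrafficPermitted") == "true":
            for d in dc.findall("domain"):
                findings.append("cleartext permitted for " + d.text.strip())
    return findings


def audit_backup_rules(xml_text, allow_backup=True):
    """Findings for the android:fullBackupContent file when allowBackup is true.

    requireFlags="clientSideEncryption" on an <include> means that entry is
    only backed up when the backup is encrypted with the user's PIN, password
    or pattern; entries without the flag are backed up regardless."""
    if not allow_backup:
        return []  # nothing is backed up, so there is nothing to check
    findings = []
    for inc in ET.fromstring(xml_text).findall("include"):
        if inc.get("requireFlags") != "clientSideEncryption":
            findings.append("include %s/%s lacks clientSideEncryption"
                            % (inc.get("domain"), inc.get("path")))
    return findings
```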
  • 24. ANDROID Q PREDICTIONS
● Android Quiche or Quesadilla?
● Likely continue closing more security edge cases & privacy items
● Certificate Transparency part of NSC
● Additional permission groups
● App Store requirements
  • 25. LEVERAGE NOWSECURE MOBILE APPSEC TESTING FOR Android P

  • 26. NOWSECURE AUTOMATION PLATFORM
NowSecure AUTO - Continuous Integration: Automated Security Testing in SDLC for Dev, QA & Security Teams
NowSecure WORKSTATION: Deep Pen Testing Analysis of Complex, High Risk Mobile Apps for Security Analysts
NowSecure INTEL - Continuous Monitoring: Public App Store Risk Data for EMM, Threat & Security Teams
NowSecure SERVICES: Expert Pen Testing, Training & Mobile App Security Programs for App Owners, Dev & Security Teams
Platform components: Data Repository | Dashboards & Reports | Advanced Configuration | Device Farm | Compliance Mapping | Analysis Engine

  • 27. LEVERAGE NOWSECURE TO PREP FOR ANDROID P
NowSecure AUTO - Continuous Integration: Automated Security Testing in SDLC for Dev, QA & Security Teams. Automatically test all your apps in the Dev pipeline before and after iOS 12 release
NowSecure INTEL - Continuous Monitoring: Public App Store Risk Data for EMM, Threat & Security Teams. Analyze the risk of all your 3rd party apps currently in use or considering to deploy on iOS12
Platform components: Data Repository | Dashboards & Reports | Advanced Configuration | Device Farm | Compliance Mapping | Analysis Engine

  • 28. NOWSECURE APPSEC TESTING COVERAGE CHECKLIST
DATA IN MOTION
✓ Man in the Middle: Cert Validation
✓ Man in the Middle: Cert Pinning
✓ Man in the Middle: HTTP Connections
✓ SSL Downgrade
✓ Unprotected TLS traffic
✓ Cookie integrity
✓ Certificate Validity
✓ App Transport Security
✓ …
DATA AT REST
✓ App files & Log Files
✓ Keychain
✓ SD Card
✓ World Writable Files
✓ World Readable Files
✓ RAM
✓ Unencrypted credential storage
✓ SQLite Databases
✓ Secure Enclave Processor
✓ …
CODE FUNCTIONALITY
✓ Development flags
✓ Automatic Reference Counting
✓ Stack Smashing
✓ Bad Authentication/Authorization
✓ Root access
✓ Path Traversal
✓ SQL Injection
✓ Vulnerable 3rd party libraries
✓ Heartbleed
✓ Bad cryptography
✓ Obfuscation
✓ …
[Diagram: AUTOMATED MOBILE APP SECURITY TESTING PLATFORM - TEST APP; Android stack: APPS, FRAMEWORKS, NATIVE LIBRARIES, MEMORY, KERNEL, HARDWARE; Network & Cloud Services; Data Center & App Backend]

  • 29. INSIDE NOWSECURE MOBILE APP RISK SCORING

  • 30. NOWSECURE COMING ATTRACTIONS
Chicago Cybersecurity Meetup - Aug 23, 2018 | Chicago, IL
ATARC Federal Mobile Summit - Aug 30, 2018 | Washington D.C.
CIOarena Chicago - Sep 5, 2018 | Chicago, IL
DevSecCon Boston 2018 - Sep 10-11, 2018 | Boston, MA
DevOps World / Jenkins World 2018 - Sep 17-19, 2018 | San Jose, CA
ISSA Austin - Sep 18, 2018 | Austin, TX
ISSA New England - Sep 25, 2018 | San Jose, CA
AppSec USA - Oct 10-11, 2018 | San Jose, CA

  • 31. OPEN Q&A
BRIAN REED, CHIEF MOBILITY OFFICER
TONY RAMIREZ, MOBILE SECURITY ANALYST
Use the "Ask a Question" tab below the slides

  • 32. Let's talk
NowSecure
+1 312.878.1100
@NowSecureMobile
www.nowsecure.com
Subscribe to #MobSec5: A digest of the week's mobile security news that matters
https://www.nowsecure.com/go/subscribe