© Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
COMING SOON:
ANDROID Q & iOS 13
PRIVACY ENHANCEMENTS
ALL THINGS MOBILE DEVSECOPS
Subscribe Here
https://www.nowsecure.com/go/subscribe/
Semi-monthly Newsletter
Delivered 1st & 3rd Wednesday of the month
Resources for the Mobile DevSecOps journey
AGENDA
▪ INTRODUCTIONS
▪ MOBILE TRENDS
▪ ANDROID P & IOS 12
▪ ANDROID Q & IOS 13
▪ SECURITY TESTING
▪ PREDICTIONS
▪ Q&A
SPEAKER: TONY RAMIREZ, MOBILE SECURITY ANALYST, NOWSECURE
MODERATOR: BRIAN REED, CHIEF MOBILITY OFFICER, NOWSECURE
THE WORLD’S MOBILE APP ECONOMY
42.6 3MILLION
Mobile Apps
US App Stores
BILLION
Mobile Device
Users
MILLION
Shortage in Cyber
Security Professionals
12MILLION
Mobile App
Developers
Sources: Statista, (ISC)2, BusinessOfApps (2018/2019)
MOBILE APP RISKS ARE REAL AND GROWING
ANDROID P SECURITY HIGHLIGHTS
▪ TLS by default
  ▪ NetworkSecurityConfig will need to be modified if an app uses HTTP or other plaintext protocols
▪ Client Side Encryption for backups
▪ Limited access to sensor data when in background
▪ Target SDK requirements
iOS 12 SECURITY HIGHLIGHTS
▪ Certificate Transparency
▪ Symantec Distrust
▪ WebKit Enhancements
  ▪ SameSite Cookie
  ▪ Cross-Origin-Resource-Policy
  ▪ Cross-Origin-Window-Policy
▪ Password Manager
ANDROID Q
ANDROID NETSEC & DATA IDENTIFIER ENHANCEMENTS
▪ SHA-2 CBC cipher suites removed
  ▪ Opt for GCM
▪ TLS 1.3 support added
  ▪ No 0-RTT allowed
▪ Restrictions on the /proc/net filesystem
  ▪ NetworkStatsManager / ConnectivityManager for VPNs
▪ Randomized MAC
▪ Non-resettable ID use requires permission
  ▪ Android ID and IMEI
ANDROID MALWARE PROTECTIONS
▪ Clipboard data access
  ▪ App in focus OR Default IME (input method editor)
▪ Background activity launch restrictions
▪ Restrictions on Untrusted apps
  ▪ Can’t execute code from their /data/data
▪ Use JIT instead of AOT compiler for anti-tamper
  ▪ “Malware that modifies on-device compiled code” defense
  ▪ Performance cost
ANDROID PERMISSIONS
▪ Location
  ▪ Foreground, background, deny.
▪ CAMERA permission required for Lens and Sensor related device-specific metadata
▪ ACCESS_FINE_LOCATION permission
  ▪ Telephony, Wi-Fi, and Bluetooth APIs
  ▪ Impacts ability to do Network Scans
ANDROID SCOPED STORAGE
▪ Will likely affect a majority of apps planning to update in Fall 2020
▪ Filtered view
  ▪ Your app sees its own directories and cannot access files
  ▪ MediaStore should be used to retrieve files
▪ It’s possible to opt out
  ▪ android:requestLegacyExternalStorage="true"
▪ Storage Access Framework
  ▪ Be wary of apps with ACTION_OPEN_DOCUMENT_TREE permission
ANDROID OTHER ENHANCEMENTS
▪ Restrictions on SAW permission (only on Go devices)
▪ Google Maps Incognito Mode
▪ Warning system for older version apps
▪ FLAG_WINDOW_IS_PARTIALLY_OBSCURED
▪ Contact affinity not tracked
iOS 13
IOS PERMISSION CHANGES
▪ Location
  ▪ Allow Once, While in use, Always, Deny
  ▪ If you want “Always” you’ll need the user to accept “While in use” or “Just once” first
▪ Bluetooth
  ▪ Purpose strings for requesting access are required.
IOS NETWORK SECURITY ENHANCEMENTS
▪ TLS 1.3 is on by default
▪ Stricter requirements for trusted certs in iOS 13
  ▪ Larger RSA key (2048 or greater)
  ▪ SHA-1 signed certs are no longer trusted
  ▪ CommonName is no longer trusted
    ▪ Use Subject Alternative Name
IOS CRYPTOKIT
▪ Easier-to-use cryptography framework
  ▪ What used to be 100 lines of code can be done in 10 lines
▪ Curated list of “Good Crypto”
▪ Weak Algorithms are optional via Insecure module
  ▪ md5 and sha1
▪ Generate Public keys and store the private key in the Secure Enclave
IOS CRYPTOKIT
▪ Not a replacement for use of NSFileProtection classes, Network Framework, or NSAppTransportSecurity
  ▪ NSFileProtection classes manage data on device
  ▪ Network Framework is for TLS session creation
  ▪ NSAppTransportSecurity is for enforcing network security policy
▪ Use Examples:
  ▪ Apps with peer to peer payments
  ▪ Apps with paid features
  ▪ Apps with signing
  ▪ Apps with “Secure Container” need
SIGN IN WITH APPLE
▪ Apple SSO
  ▪ Tied in with Apple ID
  ▪ Required for third-party apps that feature SSO
▪ Fake Email Address
  ▪ Relays messages to legitimate email
  ▪ Messages aren’t retained by Apple
▪ Methods for verifying if user is real
  ▪ Limit use of CAPTCHA
IOS OTHER ENHANCEMENTS
▪ iPadOS
  ▪ Expect support for storage peripherals
  ▪ More info to come…
▪ Stricter Guidelines for review
  ▪ How health data is shared - Guideline 5.1.3(i)
    ▪ Insurance Apps
  ▪ Sources of data used within the app - Guideline 5.1.1(vii)
  ▪ Apps must receive consent for data collection - Guideline 5.1.1(i)
▪ Better support for websockets
  ▪ URLSessionWebSocketTask
SECURITY TESTING
IOS SECURITY TESTING CONSIDERATIONS
▪ Look into common SSO pitfalls
▪ Be wary of websockets
▪ Insecure module should be considered a big NO NO
▪ Make sure devs are using CryptoKit for the correct use cases
▪ Don’t rebuild the wheel
▪ Make sure your apps can support the network enhancements to iOS 13
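
The permission and network-policy points from this deck (purpose strings, the location prompt flow, NSAppTransportSecurity) as a static Info.plist check. This is an added example, not NowSecure tooling or code from the slides; the plist is constructed, the function names are hypothetical, and treating a `bluetooth-*` background mode as a sign of Bluetooth use is an assumption of this sketch.

```python
import plistlib

# Constructed sample Info.plist (XML form), for illustration only.
SAMPLE_PLIST = b"""<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key><dict>
      <key>legacy.example.com</key><dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
      <key>cdn.example.com</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
  <key>NSLocationAlwaysAndWhenInUseUsageDescription</key>
  <string>Records runs in the background</string>
  <key>UIBackgroundModes</key><array><string>bluetooth-central</string></array>
</dict></plist>"""

WEAK_TLS = {"TLSv1.0", "TLSv1.1"}


def audit_ats(info):
    """Flag App Transport Security exceptions that weaken network policy."""
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append("ats: NSAllowsArbitraryLoads turns ATS off by default")
    for domain, rules in sorted(ats.get("NSExceptionDomains", {}).items()):
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"ats: {domain} allows plaintext HTTP")
        if rules.get("NSExceptionMinimumTLSVersion") in WEAK_TLS:
            findings.append(f"ats: {domain} accepts "
                            f"{rules['NSExceptionMinimumTLSVersion']}")
    return findings


def audit_purpose_strings(info):
    """Flag missing purpose strings for Bluetooth and location prompts."""
    findings = []
    # Assumption: a bluetooth-* background mode means the app uses Bluetooth.
    modes = info.get("UIBackgroundModes", [])
    uses_bluetooth = any(m.startswith("bluetooth-") for m in modes)
    if uses_bluetooth and not info.get("NSBluetoothAlwaysUsageDescription"):
        findings.append("bluetooth: NSBluetoothAlwaysUsageDescription missing")
    # "Always" is only reachable after a While-in-use grant, so both
    # purpose strings have to be present.
    if ("NSLocationAlwaysAndWhenInUseUsageDescription" in info
            and not info.get("NSLocationWhenInUseUsageDescription")):
        findings.append("location: When In Use purpose string missing")
    return findings


def audit_info_plist(data):
    """Run every check over the raw bytes of an Info.plist."""
    info = plistlib.loads(data)
    return audit_ats(info) + audit_purpose_strings(info)


if __name__ == "__main__":
    for finding in audit_info_plist(SAMPLE_PLIST):
        print(finding)
```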
ANDROID SECURITY TESTING CONSIDERATIONS
▪ Scoped Storage - Beware of the following:
  ▪ android:requestLegacyExternalStorage="true"
  ▪ ACTION_OPEN_DOCUMENT_TREE
▪ Confirm you are leveraging Android 9 features
  ▪ NSC - ClearText Policy
  ▪ Encrypted Backups
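
A static check a tester could script for the items on this slide. This is an added example, not NowSecure tooling or code from the deck; it assumes decoded text XML (for example from apktool), the sample manifest, Network Security Config and Kotlin lines are constructed, and the function names are hypothetical. ACTION_OPEN_DOCUMENT_TREE is an intent action, so it is searched for in source text rather than in the manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
TREE_MARKERS = ("ACTION_OPEN_DOCUMENT_TREE",
                "android.intent.action.OPEN_DOCUMENT_TREE")

# Constructed samples: decoded text XML and two lines of app source.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <application android:allowBackup="true"
      android:requestLegacyExternalStorage="true"
      android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""

SAMPLE_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">legacy.example.com</domain>
  </domain-config>
</network-security-config>"""

SAMPLE_SOURCE = """val pick = Intent(Intent.ACTION_OPEN_DOCUMENT)
val tree = Intent(Intent.ACTION_OPEN_DOCUMENT_TREE)"""


def audit_manifest(manifest_xml):
    """Flag scoped-storage opt-out, cleartext and backup settings."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return []
    findings = []
    if app.get(ANDROID_NS + "requestLegacyExternalStorage") == "true":
        findings.append("storage: opts out of scoped storage")
    if app.get(ANDROID_NS + "usesCleartextTraffic") == "true":
        findings.append("cleartext: usesCleartextTraffic is enabled")
    # allowBackup defaults to true when the attribute is absent.
    if app.get(ANDROID_NS + "allowBackup", "true") == "true":
        findings.append("backup: enabled, review what leaves the device")
    return findings


def audit_nsc(nsc_xml):
    """List every scope of a Network Security Config that allows cleartext."""
    root = ET.fromstring(nsc_xml)
    findings = []
    base = root.find("base-config")
    if base is not None and base.get("cleartextTrafficPermitted") == "true":
        findings.append("cleartext: permitted for all domains")
    for cfg in root.iter("domain-config"):
        if cfg.get("cleartextTrafficPermitted") == "true":
            names = [d.text.strip() for d in cfg.findall("domain") if d.text]
            findings.append("cleartext: permitted for " + ", ".join(names))
    return findings


def audit_source(name, text):
    """Report lines that request directory-wide document access."""
    return [f"doc-tree: {name}:{n} requests directory-wide access"
            for n, line in enumerate(text.splitlines(), 1)
            if any(marker in line for marker in TREE_MARKERS)]


if __name__ == "__main__":
    for finding in (audit_manifest(SAMPLE_MANIFEST) + audit_nsc(SAMPLE_NSC)
                    + audit_source("Picker.kt", SAMPLE_SOURCE)):
        print(finding)
```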
NOWSECURE PREDICTIONS
▪ Crackdowns on CBC
▪ Android - more changes to enforce use of scoped storage
▪ Android - Incognito mode in 3rd party apps
▪ Android - Certificate Transparency through NSC
▪ Apple - Storage peripheral integration
▪ Apple - Hardware Wallets
▪ SSO mistakes everywhere
MOBILE APPSEC RESOURCES
LEVERAGE OWASP IN YOUR MOBILE APPSEC PROGRAM
Coverage: OWASP Mobile Top 10
https://bit.ly/2qQlFwh
Requirements: OWASP MASVS
https://bit.ly/32yA3gi
Testing: OWASP MSTG
https://bit.ly/2HOYLl0
NOWSECURE MOBILE APPSEC RESOURCES
How to Set Up a Mobile AppSec Program
http://bit.ly/2Z07zsF
Phased Approach to Mobile DevSecOps
http://bit.ly/2XQ1ZiA
Secure Mobile Development Best Practices
http://bit.ly/2Y9ic07
NOWSECURE BLOG ON SECURITY WITH KOTLIN
Blog by NowSecure Security Researcher Ioannis Gasparis
1. Relying solely on obfuscation can be dangerous (test first, obfuscate second)
2. The implications of new languages such as Kotlin on static analysis techniques
3. The constant evolution of the mobile space
READ HERE >>> http://bit.ly/3oCBeJZ
Automated Mobile AppSec Testing Software
Expert Pen Testing & Security Services
Powers Security in Agile & DevOps Teams
World-Class Security Research Team (builders of FRIDA & RADARE)
Founding Sponsor of OWASP MSTG & Mobile Top 10
TRUSTED BY THE WORLD’S HIGHEST SECURITY ORGANIZATIONS
[Timeline, 2009 to 2019: Mobile Forensics, OSS Tools, Analyst Workstation, DevSecOps Platform, Pen Testing Services]
NOWSECURE SOLUTION
Data Repository
Dashboards & Reports
Advanced Configuration
Device Farm
Compliance Mapping
Analysis Engine
NowSecure SOFTWARE NowSecure SERVICES
For Dev, QA & Security Teams
Automated Security Testing
Dynamic Testing Across Full Lifecycle
Scales to Continuous Testing & Monitoring
For App Owners, Dev & Security Teams
Expert Pen Testing Programs
Training & App Security Programs
Enterprise Mobile App Risk Assessments
Internal/Outsourced Development
On-Demand, API or CI/CD Integrated
on-prem or cloud
INSIDE NOWSECURE MOBILE APP RISK SCORING
NOWSECURE COMING ATTRACTIONS
▪ ATARC Federal Mobile Summit: Aug 6, 2019 | Washington, DC
▪ Black Hat USA (Training + Conference): Aug 2-8, 2019 | Las Vegas, NV
▪ DevOps World/Jenkins World: Aug 12-15, 2019 | San Francisco, CA
▪ droidconNYC: Aug 26-27, 2019 | New York City, NY
▪ r2con: Sep 4-7, 2019 | Barcelona
▪ OWASP Global AppSec - DC: Sep 9-13, 2019 | Washington, DC
▪ DevOps Enterprise Summit: Oct 28-30, 2019 | Las Vegas, NV
▪ All Day DevOps: Nov 6, 2019 | Online
OPEN Q&A
BRIAN REED, CMO, NOWSECURE
TONY RAMIREZ, MOBILE SECURITY ANALYST, NOWSECURE
