This presentation is aimed at Android app developers looking to deal with the insecurity that surrounds Android apps these days and how to create a secure app.
This document provides tips and techniques for analyzing Android applications (APKs), including decompiling APKs to view source code, investigating APK and SQLite databases, and securing sensitive data and authentication on mobile devices. It lists tools for extracting and decompiling APKs, and provides references and contact information.
The document discusses various security issues related to mobile applications including weak server-side controls, insecure data storage, insufficient transport layer protection, unintended data leakage, poor authorization and authentication, broken cryptography, client-side injection, security decisions via untrusted input, improper session handling, and lack of binary protections. It provides examples of issues like hardcoded passwords, insecure data storage on devices, and cross-site scripting vulnerabilities. The document also outlines fixes like encryption, access control, SSL pinning, parameterized queries, and disabling JavaScript to address these issues.
The document covers topics related to Android penetration testing including the Android security model, software stack, content providers, and secure coding practices. The Android security model uses app isolation and each app runs in its own Dalvik Virtual Machine. Content providers manage access to structured app data and enable inter-process communication. Reverse engineering the APK file by extracting and decompiling it is demonstrated as part of the app security testing process. Common insecure practices like hardcoding sensitive data and lack of encryption are also discussed.
This document discusses pentesting Android apps. It provides an overview of Android architecture and common attack surfaces, including the client software, communications channels, and server-side infrastructure. It describes setting up an environment for app analysis, exploiting vulnerabilities like insecure storage and logical flaws. The document demonstrates capturing network requests, reverse engineering apps, and provides developer tips to improve security like encrypting sensitive data and input sanitization.
This document discusses how to make Android applications more secure by summarizing techniques used by hackers and how to avoid their attacks. It provides an overview of the Android framework and security features like permissions. It then discusses how to secure the Android manifest file and avoid exposing unnecessary components. It demonstrates how to prevent attacks like reverse engineering APK files, SQL injections, and hacking in-app purchases through the billing services. The conclusion emphasizes that while Android is secure, users and unknown application sources can bypass protections, so developers must implement additional security measures within their applications.
Abusing Google Apps and Data API: Google is My Command and Control Center - Ajin Abraham
This presentation is about abusing Google Apps to implement various attacks that range from hostless phishing to setting up a botnet's command and control center.
This document outlines various mobile application security vulnerabilities and methods for assessing mobile application security. It discusses insecure network protocols, cryptographic weaknesses, privacy issues related to data storage, authentication and session management vulnerabilities, environmental interaction risks, and challenges of securing mobile applications against reverse engineering. It provides examples of specific vulnerabilities discovered in mobile applications and frameworks. The document promotes applying a defense-in-depth approach to mobile application security based on the OWASP Mobile Application Security Verification Standard (MASVS).
Mobile Application Security – Effective methodology, efficient testing! - espheresecurity
The document discusses security issues related to mobile applications. It notes that mobile applications now store and process data both on the client and server sides, exposing them to vulnerabilities on both ends. Common vulnerabilities include insecure storage of sensitive data like credentials on the device, and insecure network communication that allows man-in-the-middle attacks when mobile devices use untrusted networks. The document advocates for effective security testing of mobile applications to identify and address such risks.
FIWARE Academy Courses
Identity Management - Keyrock GE
Lesson 3. Applications. How to create OAuth2 tokens.
https://edu.fiware.org/course/view.php?id=79
Álvaro Alonso
UPM-DIT. Security Chapter
FIWARE Academy
https://edu.fiware.org
http://fiware.org
This document discusses using Frida, an open source dynamic instrumentation toolkit, to bypass security checks in applications. It describes how Frida works by injecting JavaScript instrumentation scripts to inspect and modify running processes. Examples are given of using Frida to bypass encryption, PIN checks, root checking, and SSL pinning by hooking functions to log plaintext, force checks to return true, or ignore certificate validation. Alternative dynamic binary instrumentation tools like PIN and DynamoRIO are also mentioned.
Abusing, Exploiting and Pwning with Firefox Add-ons - Ajin Abraham
The paper is about abusing and exploiting the Firefox add-on security model and explains how JavaScript functions, XPCOM and XPConnect interfaces, technologies like CORS and WebSocket, session storing and full-privilege execution can be abused by a hacker for malicious purposes. The widely popular browser add-ons can be targeted by hackers to implement new malicious attack vectors resulting in confidential data theft and full system compromise. This paper is supported by proof-of-concept add-ons which abuse and exploit the add-on coding in Firefox 17, the release which Mozilla boasts to have a more secure architecture against malicious plugins and add-ons. The proof of concept includes the implementation of a local keylogger, a remote keylogger, stealing Linux password files, spawning a reverse shell, stealing the authenticated Firefox session data, and a remote DDoS attack. All of these attack vectors are fully undetectable against anti-virus solutions and can bypass protection mechanisms.
Seminar on November 4, 2017
Currently many things have their own app on Android. Are they secure enough? What if they are not engineered with security in mind? But most importantly, can we do something to them?
This document outlines an agenda for testing Android security. It discusses various stages of the development cycle and security testing approaches, including static and dynamic analysis, component security, and best practices. Automatic and hybrid tools are presented for analyzing apps through decompilation, emulation, and network traffic inspection. Specific tools are explained like Android Lint, QARK, Drozer, and SQLCipher. The document concludes with recommendations around permissions, encryption, input validation, and references.
Beyond the MCSE: Red Teaming Active Directory - Priyanka Aash
This document summarizes Sean Metcalf's presentation on red teaming Active Directory. It discusses leveraging PowerShell for offensive security, techniques for effective AD reconnaissance, and bypassing AD security defenses. The presentation provides an overview of key AD components, demonstrates offensive PowerShell commands, and outlines methods for discovering sensitive user and group information within the AD environment. It also reviews AD security controls and common techniques attackers use to circumvent defenses like LAPS and network segmentation.
This document summarizes common security issues in Android applications. It discusses how application components like activities, services, and broadcasts can be exploited if exposed via intents. It also covers how sensitive data stored in files, SQLite databases, log files, and network traffic can leak if not properly secured. The document provides recommendations to address these issues, such as encrypting sensitive data, validating intent parameters, and restricting component and permission access. Overall, it analyzes the main avenues of attack for Android apps and best practices for application hardening.
This document discusses credentials theft trends and security research from CyberArk Labs. It outlines several major credentials theft incidents like the Anthem and SWIFT attacks. It also describes common attack vectors like abusing third party credentials, contaminated networks, and targeting security personnel. The document recommends removing local admins, improving credentials hygiene through access segregation, and implementing credentials management. It promotes security tools from CyberArk Labs like ACLight and Shimit to help address these issues. Finally, it mentions new research areas like credentials theft precognition and eliminating credentials theft hotspots.
This document discusses the history and future of credential theft attacks. It outlines several past credential theft incidents like the OPM breach and SWIFT bank attacks. It then discusses future trends like the risk of third-party credentials and contaminated networks. The document argues that cloud, DevOps, automation and new credential types increase risks and challenges for visibility and control. It demonstrates how attacks could compromise cloud environments and DevOps tooling. It recommends security measures like red teaming, credential hygiene and management to mitigate risks.
The document summarizes an OWASP and Rails Security meetup. It discusses common web application vulnerabilities like injection, cross-site scripting, insecure direct object references, missing authorization, cross-site request forgery, and unvalidated redirects. It provides examples of vulnerable code and solutions to prevent these issues. The document also introduces OWASP's Top 10 list of most critical web app vulnerabilities and tools like Brakeman and Code Climate that can detect vulnerabilities in Rails applications.
Android Application Penetration Testing - Mohammed Adam
Android penetration testing is a process of testing and finding security issues in an Android application. It involves decompiling, analyzing in real time and testing an Android application from a security point of view. These slides cover real-time testing of Android applications and some security issues like insecure logging, leaking content providers, insecure data storage and access control issues.
Discusses how to perform malware analysis on Android devices. Initially presented at BSidesDE 2011 (in a much more fun format), the version here is as-presented at Rochester Security Summit 2011.
This document discusses API abuse and how to prevent it. It defines API abuse as misusing API functions for malicious activities like server raids or sending excessive requests. There are two main types: remote client impersonation and API flaw exploitation. It provides examples of API abuse at companies like Uber and Voi. To prevent API abuse, the document recommends authenticating that requests come from legitimate apps, checking the app and runtime environment, and using a cloud service to verify authentication rather than checking in the app. App authentication can serve as an additional security factor to prevent API abuse.
This document provides instructions for setting up and integrating the FIWARE components Orion Context Broker, Keyrock Identity Manager, and Wilma PEP Proxy on a single machine. It describes how to install and test each component individually using Docker containers or VirtualBox images. It then explains how to configure the components to work together by setting up authentication in Keyrock and passing tokens through Wilma to authorize requests to Orion.
Web Application Penetration Testing Introduction - gbud7
This document provides an overview of web application penetration testing. It discusses the goals of testing to evaluate security by simulating attacks. The testing process involves gathering information, understanding normal application behavior, and then applying targeted techniques to find weaknesses. The document outlines the reconnaissance, mapping, and active testing phases. It also demonstrates various tools like Burp Suite, W3AF, and SQL injection and cross-site scripting attacks.
Kadhambari Anbalagan, a software architect at RedBlackTree Terrace, will give a talk on Monday, April 8th at 5:00pm about security best practices for mobile apps. Research shows that the majority of top free and paid apps have been subjected to hacking. Common mobile app security issues include improper platform usage, insecure data storage, insecure communication, insecure authentication, insufficient cryptography, insecure authorization, code quality issues, code tampering, reverse engineering, and including extraneous functionality. The talk will provide best practices to address each of these issues.
OSCON 2018 Getting Started with Hyperledger Indy - Tracy Kuhrt
Presented at OSCON 2018. Hyperledger Indy is a distributed ledger built for decentralized identity and is one of the open source frameworks hosted by Hyperledger. It provides tools, libraries, and reusable components for creating and using independent digital identities rooted on blockchains or other distributed ledgers. In this presentation, I introduce The Linux Foundation and Hyperledger. We look at Decentralized Identity Concepts -- identity models, decentralized identity, zero-knowledge proofs, and verifiable credentials. We look at a demo that utilizes Hyperledger Indy and these concepts. We then look at Hyperledger Indy's software stack and roadmap and touch on how you can get involved.
This document provides an overview of secure coding best practices. It discusses common types of security vulnerabilities like buffer overflows caused by invalidated input, race conditions, access control problems, and weaknesses in authentication. The document then goes on to provide detailed guidance on how to avoid specific vulnerability types like buffer overflows, validating all input, avoiding race conditions, using secure file operations, elevating privileges safely, designing secure user interfaces, and writing secure helper applications and daemons. Checklists are also included to help developers implement secure coding practices.
This document summarizes information from a presentation on pen testing Android apps. It discusses the Android application development cycle, the OWASP Mobile Top 10 security risks, additional focus areas beyond the top 10 like secure data storage and preventing reverse engineering. It also outlines some Android Pie security enhancements like the hardware security module and defaulting to HTTPS. The presentation concludes by thanking the audience.
The document discusses securing Android applications. It covers the Android architecture, permissions model, data storage, content providers, networking, SQLite encryption, static analysis, and obfuscation. The key topics are the Dalvik VM, sandbox model, permissions, signing applications, minimizing permissions, HTTPS for networking, SQLite encryption, Lint for static analysis, and Proguard for obfuscation.
The document provides an overview of securing Android applications according to the OWASP (Open Web Application Security Project) approach. It discusses the OWASP Mobile Security Project, performs a crash course on Android architecture and essentials, demonstrates threat modeling for Android apps, reviews the top 10 mobile risks and associated controls from OWASP, and provides resources for further information.
Introduction to Android Application Security Testing - 2nd Sep 2017 - Satheesh Kumar V
This document provides an introduction to mobile application security with a focus on Android. It discusses Android architecture, application fundamentals, security model, and tools for reverse engineering Android apps. It also summarizes the top 10 mobile risks from the OWASP Mobile Top 10 including issues like insecure data storage, authentication, authorization, and code quality. Hands-on examples are provided for reverse engineering apps and analyzing the application permissions.
The document provides an overview of security testing techniques for mobile applications on different platforms like Android, BlackBerry and iOS. It discusses topics like application threat models, traffic analysis and manipulation, insecure data storage, reverse engineering application binaries, analyzing application components and runtime behavior. The document also mentions tools used for tasks like decompilation, debugging, monitoring network/file activity. Specific platform security features for Android, BlackBerry and iOS are outlined.
This document provides guidance on secure coding practices. It discusses common types of security vulnerabilities like buffer overflows caused by invalidated input, race conditions, access control problems, and weaknesses in authentication. Specific chapters provide details on how to avoid buffer overflows, validate all input, prevent race conditions, operate files securely, design privileged processes carefully, create secure user interfaces, and develop helpers and daemons securely. Checklists are included to help developers incorporate security.
This document provides guidance on secure coding practices. It discusses common types of security vulnerabilities like buffer overflows caused by invalidated input, race conditions, access control problems, and weaknesses in authentication. Specific chapters cover how to avoid buffer overflows, validate all input, prevent race conditions and secure file operations, elevate privileges safely, design secure user interfaces and helpers, and follow security checklists. The document is intended to help developers write more secure code for Mac OS X and iOS applications.
The document provides an overview of security testing techniques for mobile applications on various platforms including Android, BlackBerry, and iOS. It discusses topics such as application threat models, traffic analysis and manipulation, insecure data storage, reverse engineering application binaries, analyzing application components and runtime behavior. The goal is to identify vulnerabilities that could impact the confidentiality, integrity or availability of the mobile application or user data.
Mobile code mining for discovery and exploits – nullcongoa2013 / Blueinfy Solutions
This document discusses mobile code mining for discovery and exploits. It introduces the speaker, Hemil Shah, and provides an overview of mobile infrastructure, apps, and changes in the mobile environment compared to web. It then discusses several mobile attacks including insecure storage, insecure network communication, UI impersonation, activity monitoring, and system modification. It also covers decompiling Android apps and analyzing app code for security issues.
Standards and methodology for application security assessment – Mykhailo Antonishyn
Based on the research results, it can be concluded that the ISO/IEC 27034 standard requires that vulnerability testing be carried out, but it does not specify how or what should be tested. NIST and NIAP both refer to OWASP MASVS and contain controls by which the mobile application is tested, mainly focusing on vulnerabilities in data storage and authorization. This is confirmed by statistics provided by Digital Security. The most widely recognized standard is MASVS; one of its parts describes what to test and how.
It should be noted that all of these standards assess vulnerabilities related to interaction with the API rather weakly. As can be seen from the tests described in Section 2.2, the most critical vulnerabilities are those associated with interaction with the application server.
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity – CA API Management
Understanding how emerging standards like OAuth and OpenID Connect impact federation
Federation is a critical technology for reconciling user identity across Web applications. Now that users consume the same data through cloud and mobile, federation infrastructure must adapt to enable these new channels while maintaining security and providing a consistent user experience.
This webinar will examine the differences between identity federation across Web, cloud and mobile, look at API specific use cases and explore the impact of emerging federation standards.
You Will Learn
Best practices for federating identity across mobile and cloud
How emerging identity federation standards will impact your infrastructure
How to implement an identity-centric API security and management infrastructure
Presenters
Ehud Amiri
Director, Product Management, CA Technologies
Francois Lascelles
Chief Architect, Layer 7
Making application threat intelligence practical - DEM06 - AWS reInforce 2019 – Amazon Web Services
The daily volume of cyberattacks that target applications and the frequency of associated breaches are overwhelming to even the most experienced security professionals. We cover important lessons learned from F5 Labs’ analysis of global attack data and of breach root causes attributed to application threats. This helps you understand attackers’ top targets and motives, and the changing landscape of the systems used to launch application attacks. Addressing these threats requires practical controls that organizations can succeed with. We offer tips and tricks that you can act on immediately to address common application threats and appropriately prioritize your application security controls.
Mobile Enterprise Application Platform – Nugroho Gito
mobile enterprise application, mobile application development, mobile enterprise, hybrid mobile, mobile security, reverse engineer, obfuscation, ibm, mobilefirst platform, bluemix, api management, mobile backend as a service
LF_APIStrat17_OWASP’s Latest Category: API Underprotection – LF_APIStrat
OWASP’s 2017 top ten adds a new category called 'underprotected APIs', reflecting the growth of RESTful Web APIs and richer front-end clients which stress current security and access authorization approaches. You’ll learn about potential threats resulting from undersecured Web APIs and techniques to strengthen your API security posture. You'll gain a clear understanding of user authorization via OAuth2, software authorization via static API keys and the critical interplay between them. Of particular concern are mobile API consumers whose code is statically published with secrets which are often poorly concealed. Practical advice with code examples will show how to improve mobile API security. TLS is necessary but insufficient to fully secure client-server communications. Certificate pinning is explained with code examples to show how to strengthen channel communications. Some advanced techniques will be discussed such as app hardening, white box cryptography and mobile app attestation. You should gain a good understanding of the underprotected API problem, with some immediately practical tips to improve your API security posture and a sense of emerging tools and technologies that enable a significant step change in API security.
This document discusses MITRE ATT&CK, which is a knowledge base of adversary behavior techniques based on real-world observations. It is free, open, and globally accessible. The document explains how ATT&CK can be used for threat intelligence, detection, adversary emulation, and assessment/engineering. It provides examples of techniques like spearphishing attachments and profiles of adversary groups like APT29. It also describes how ATT&CK can help find gaps in an organization's defenses through red team testing.
Getting started with Android pentesting – Minali Arora
Minali Arora is a cyber security professional with 6 years of experience in application and network pentesting, bash scripting, and red teaming. She is also a part-time bug bounty hunter and blogger. The document discusses Android security architecture, testing methodologies, common vulnerabilities, and security tips for developers. It covers topics such as Android security model, application components, static and dynamic testing tools, and the OWASP top 10.
Aug '22 Drone Software Meetup shows how to label, train, deploy and test a machine learning model to count cars. Links to Jupyter Notebook and Drone source code for download.
Walkthrough of the DJI Mobile SDK tutorials that we converted from Java to Kotlin. See https://youtu.be/f5fWvFD5rwc for a recording of the Drone Software SDK meetup.
This session walks you through how our interns took some video from a drone and turned it into an Android App to count cars in a parking lot. This is a practical introduction to drone SDKs, Tensorflow and how to combine the two to do object detection on your Android phone from a drone.
Getting started with tensor flow datasets – Godfrey Nolan
TensorFlow Datasets provides a variety of datasets that can be used for tasks like image classification, object detection, and question answering. It offers datasets for images, audio, text, and video. The library aims for simplicity, performance, determinism, customizability. Example code is provided to load datasets and split them into training, validation, and test sets. Popular image classification datasets included are CIFAR-10, MNIST, and ImageNet while COCO, KITTI, and OpenImages support object detection.
Using ML to make your UI tests more robust – Godfrey Nolan
Common practice is to write lots of unit tests and API tests and only a few user interface tests. Why? Because UI tests are brittle: change one thing and all the other tests unravel. But what if we could use ML to help us out? Many of our apps have the same functionality, such as login, checkout, share, pay, etc. In this session we'll look at how we can use object detection and labeling techniques to make our UI tests more robust with a fraction of the code.
The document discusses Java best practices for writing high quality code. It recommends following principles like FIRST for unit testing - making tests fast, isolated, repeatable, self-verifying, and timely. It also recommends techniques like test-driven development, where you write a failing test first before producing the minimum amount of code to pass that test. Continuous integration, code coverage metrics, and refactoring existing code gradually with more tests are presented as ways to improve code quality over time. Finally, several books on software design patterns, refactoring, and effective Java practices are referenced for further guidance.
The document discusses using drones and AI to count sheep by taking images of sheep with a drone, training a neural network model to identify sheep in images, and deploying the model on the drone to count sheep in real time and validate the counts. Key components include the DJI Mobile SDK, Google Tensorflow, collecting training data, training and evaluating models in Google Cloud, and deploying the model on the drone to test and validate sheep counts.
The document discusses securing mobile apps for drones. It covers how drones can be hacked, such as connecting via WiFi or RF hijacking. Famous drone hacks are mentioned but not described. Mobile apps, manufacturers' SDKs, and the OWASP top 10 mobile risks are reviewed. Best practices discussed include not storing sensitive data locally and using SSL pinning. Resources for drone development and mobile security are provided. The presentation aims to help developers write more secure mobile apps for controlling drones.
The document discusses Agile testing techniques for Swift including unit testing with XCTest and GUI testing with XCUI. It provides details on mocking with Cuckoo, API testing with Postman, integrating tests with Jenkins, and measuring quality with SonarQube. Sample code is shown for unit tests, API tests, and GUI tests of a sample ETAMock app. Continuous integration with Jenkins and SonarQube is demonstrated along with links for further information.
The document discusses refactoring code to improve its structure and readability without changing its external behavior. It defines refactoring as restructuring software to make it easier to understand and modify. The goals of refactoring are to reduce technical debt by improving code quality. Examples show refactoring an Android app by extracting methods, renaming variables for clarity, and converting the architecture to MVP pattern to separate concerns. Lessons recommend writing unit tests first and using metrics as a guide rather than mandate when refactoring.
This document provides an agenda and overview for a mobile agile testing workshop covering both Android and iOS testing. The Android section covers unit, UI, and API testing tools like JUnit, Espresso, and Postman. It also discusses test-driven development. The iOS section similarly covers unit testing with XCTest, UI testing with XCUI, mocking with Cuckoo, and tools like Postman and Jenkins. The document emphasizes why testing is important for catching bugs, making changes confidently, and extending the lifespan of codebases.
From Maps to Apps the Future of Drone Technology – Godfrey Nolan
A look at the current state of the drone market for mobile developers, some examples of what you legally can and cannot do, and a discussion of the potential opportunities available in this new app market.
This presentation discusses integrating Quickbooks data with Tableau visualization software. It covers new features in Tableau 10 like cluster analysis and cross database joins. It also explains how to export a Quickbooks company file to Quickbooks online, connect Tableau 10 to the online Quickbooks data, and use sample data to learn how to visualize Quickbooks financial information in Tableau dashboards and charts.
8. Opening files as WORLD_READABLE, WORLD_WRITABLE
Opening databases as WORLD_READABLE, WORLD_WRITABLE
Unencrypted SQLite database
Storing data on SD-CARD via WRITE_EXTERNAL_STORAGE
Check app permissions
Check app is not looking for root permissions
Search for hardcoded usernames and passwords
Search for API calls
Detect Unencrypted communications
Check for basic obfuscation
Check location requests
9. Check app permissions
ACCESS_COARSE_LOCATION
ACCESS_FINE_LOCATION
CALL_PHONE
CAMERA
INTERNET
READ_CALENDAR
READ_CONTACTS
READ_INPUT_STATE
READ_SMS
RECORD_AUDIO
SEND_SMS
WRITE_CALENDAR
WRITE_CONTACTS
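As an added example that is not part of the original slides, the following Python script runs the slide 8 storage and communication checks and the slide 9 permission review over an unpacked APK (for instance the output of apktool): AndroidManifest.xml for requested permissions and the decompiled source for world-readable file and database modes, external storage writes, cleartext http:// endpoints, hardcoded credentials, root (su) lookups and location requests. The regular expressions, the sample manifest and the sample source lines are constructed for this illustration; the patterns are heuristics that point a reviewer at lines to inspect, not proof of a vulnerability. WRITE_EXTERNAL_STORAGE is included in the permission list as the real name of the permission behind slide 8's SD card item.

```python
"""Static checklist audit for a decoded Android app.

Added example, not from the original slides. Assumes the APK has already
been unpacked (e.g. with apktool) so that AndroidManifest.xml and the
decompiled source are plain text. All patterns are heuristics; every hit
needs a human look before it is called a finding.
"""
import re

# Slide 9's permissions to review, plus WRITE_EXTERNAL_STORAGE for slide 8's
# SD card item (that is the real permission name).
REVIEW_PERMISSIONS = {
    "ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION", "CALL_PHONE", "CAMERA",
    "INTERNET", "READ_CALENDAR", "READ_CONTACTS", "READ_INPUT_STATE",
    "READ_SMS", "RECORD_AUDIO", "SEND_SMS", "WRITE_CALENDAR", "WRITE_CONTACTS",
    "WRITE_EXTERNAL_STORAGE",
}

PERMISSION_RE = re.compile(
    r'<uses-permission\s+android:name="android\.permission\.([A-Z_]+)"')

# (checklist item, pattern) pairs, one per slide 8 bullet visible in source.
SOURCE_CHECKS = [
    ("world-readable/writeable file or database",
     re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)")),
    ("data written to external storage (SD card)",
     re.compile(r"getExternalStorage(Public)?Directory")),
    ("cleartext http:// endpoint",
     re.compile(r"[\"']http://[^\"']+[\"']")),
    ("possible hardcoded credential",
     re.compile(r"(?i)(password|passwd|pwd|secret|api_?key)\s*=\s*[\"'][^\"']+[\"']")),
    ("app looks for root (su)",
     re.compile(r"[\"'](?:/system/(?:x)?bin/su|su)[\"']")),
    ("location request",
     re.compile(r"requestLocationUpdates|getLastKnownLocation")),
]


def audit_manifest(manifest_xml):
    """Return the requested permissions that are on the review list, sorted."""
    requested = set(PERMISSION_RE.findall(manifest_xml))
    return sorted(requested & REVIEW_PERMISSIONS)


def audit_source(source):
    """Return (line_no, checklist_item, line) for every pattern hit."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        for item, pattern in SOURCE_CHECKS:
            if pattern.search(line):
                findings.append((no, item, line.strip()))
    return findings


def audit_app(manifest_xml, source):
    """Combine both checks into one report dictionary."""
    return {
        "permissions": audit_manifest(manifest_xml),
        "findings": audit_source(source),
    }


# Constructed sample inputs standing in for a decoded APK (not a real app).
SAMPLE_MANIFEST = "\n".join([
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android"',
    '          package="com.example.audit">',
    '    <uses-permission android:name="android.permission.INTERNET"/>',
    '    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>',
    '    <uses-permission android:name="android.permission.READ_SMS"/>',
    '    <uses-permission android:name="android.permission.VIBRATE"/>',
    '    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>',
    '</manifest>',
])

SAMPLE_SOURCE = "\n".join([
    'FileOutputStream out = openFileOutput("session.txt", MODE_WORLD_READABLE);',
    'SQLiteDatabase db = openOrCreateDatabase("users.db", MODE_WORLD_WRITEABLE, null);',
    'File dir = Environment.getExternalStorageDirectory();',
    'String BASE_URL = "http://api.example.invalid/v1/";',
    'String password = "hunter2";',
    'Process p = Runtime.getRuntime().exec("su");',
    'lm.requestLocationUpdates(LocationManager.GPS_PROVIDER, 0, 0, listener);',
    'FileOutputStream safe = openFileOutput("session.txt", MODE_PRIVATE);',  # clean line
])

if __name__ == "__main__":
    report = audit_app(SAMPLE_MANIFEST, SAMPLE_SOURCE)
    print("Permissions to review:", ", ".join(report["permissions"]))
    for no, item, line in report["findings"]:
        print(f"line {no}: {item}: {line}")
```

On the sample input the script lists INTERNET, ACCESS_FINE_LOCATION, READ_SMS and WRITE_EXTERNAL_STORAGE for review (VIBRATE is ignored) and flags the first seven source lines, one checklist item each; the last line, which uses MODE_PRIVATE, produces no finding. In practice point it at the decompiled tree with a loop over files and treat each hit as a place to read the surrounding code, not as a verdict.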
12. Version 1
Run SPE
Version 2
Run SPE
Version 3
Run SPE
13. Secure Policy Enforcer (SPE)
Aspect Security’s Contrast
Checkmarx
Veracode Mobile
Using a CA cert to sign your APK
Mobile Device Management tools – MobiControl