Lostar, profile picture
Uploaded byLostar
PPTX, PDF802 views

Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS

This document discusses using automated security testing tools to test mobile app updates on a "best effort" basis due to short release cycles. It finds that automated tools can detect around 54% of issues but may miss high risk issues. A proposed process classifies apps as high, medium, or low risk and applies different security testing techniques like penetration testing and code reviews based on the risk level and type of release. Automated testing is suggested for low risk app updates to catch basic issues based on the 80/20 rule.

Embed presentation

Download to read offline
B.E.S.T.-Mobile Best Effort Security Testing for Mobile Apps Murat Lostar
About Murat Lostar @muratlostar • IT since 1986 • Full time security since 1998 • Based in Istanbul & Turkey • ISC2 - CISSP, ISSMP, CSSLP, CCSP
Extracted Data from Apple AppStore • 3 Industries: Finance, eCommerce, Social Media • 50 Applications: • Finance: Akbank, Bloomberg, Chase, ING, PayPal… • eCommerce: AliBaba, Amazon, eBay, Kliksa, n11… • Social Media: Ask.fm, BIP, Facebook, Instagram, Tango… • 1051 Revisions
Revision Age of Mobile Apps 0.00% 5.00% 10.00% 15.00% 20.00% 25.00% 30.00% 35.00% 0-3 4-7 8-15 16-31 32-63 64-127 128-255 256-511 512- eCommerce Finance Social Media Source: Apple n=1051
Average App Revision Count = 21.02 - 5.00 10.00 15.00 20.00 25.00 30.00 2009 2010 2011 2012 2013 2014 2015 Avg.TotalNumberofVersions First version relase year Source: Apple n=50 (1051)
App update period (days) 2 4 8 16 32 64 128 256 512 1024 2010 2011 2012 2013 2014 2015 2016 Source: Apple n=1051
The Situation • Mobile app development • Agile is ad-hoc standard • New app release is under pressure • Competition • OS updates & new devices • New version every … 16-31 days (& decreasing)
The Requirement • Detailed manual penetration testing for each version (before release) • If possible, source code review
The Situation for Mobile App Security • Testing (mobile) applications are • Expensive • Takes time & resources • Mostly perfomed periodically • Once a year • 4 times a year
Problem • Detailed penetration NOT POSSIBLE (each time) • Not enough time • Not enough resources • Not needed! • Most of the app is the same • Is it? • Each new version is subject to • Developer mistakes, • Security vulnerabilities (including re-appear) • Time pressure • Less user acceptance testing • Less developer & unit testing • Less code review
BEST-Mobile • Best Effort Security Testing for Mobile Applications • Continue periodical, detailed pen-testing... • For each new version: Perform mobile application security tests with best effort and best efficiency • Use: Automated tools & Security Testing as a Service
Question • Can we trust automated testing? • Is there enough investment on automated mobile vulnerability
Tool / Research Staff Counts 3 4 5 6 7 8 9 10 11 12 13 5 15 25 35 45 55 65 75 85 95 105 2010 2011 2012 2013 2014 2015 Staff Counts Tool Counts Data gathered from projects’ offical websites and GitHub accounts.
Data From Mobile App Testers • Source • OWASP – WhiteHat, Pure Hacking, Lostar, BugCrowd, SecureNetwork, Metaintelli • 2014 – Detected and reported issues, n=1065 • Overall 54% found by automated tools • How about risk level?
Top 10 Mobile Risks Exploitability Prevalence Detectability Impact BEST Capability* 1 Weak Server Side Controls Easy Common Average Severe 61% 2 Insecure Data Storage Easy Common Average Severe 64% 3 Insufficient Transport Layer Protection Difficult Common Easy Moderate 91% 4 Unintended Data Leakage Easy Common Easy Severe 24% 5 Poor Authorization and Authentication Easy Common Easy Severe %14
Top 10 Mobile Risks Exploitability Prevalence Detectability Impact BEST Capability* 6 Broken Cryptography Easy Common Easy Severe 90% 7 Client Side Injection Easy Common Easy Moderate No data 8 Security Decisions Via Untrusted Inputs Easy Common Easy Severe No data 9 Improper Session Handling Easy Common Easy Severe 16% 10 Lack of Binary Protections Medium Common Easy Severe 82%
Verdict • Automated testing can NOT replace manual mobile penetration testing and code review. • It can however, can be used to see the basics (i.e.Usefull in the sence of pareto rule)
Proposed Testing Process 1. Classify Mobile Applications • High, Medium, Low
Proposed Testing Process 2. Use Classification for Pre-Relase Security TestingClass Major Release Minor Release Regular Reviews High Pre: PenTest + Code Review Pre: PenTest (Opt/Post: Code Review) External (PenTest+Code Review) Medium Pre: PenTest (Opt/Post: Code Review) Pre: BEST (Opt/Post: PenTest) PenTest + Code Review Low Pre: BEST (Post PenTest) Pre/Post: BEST PenTest
Proposed Testing Process 3. Decision Matrix App Class Major Issue Minor Issue High Postpone to fix Postpone for Risk Advisory Board Medium Postpone for Risk Advisory Board Postpone to verify and decide Low Issue verification Deploy, then fix
Thank You @muratlostar
Next Step • Put BEST into mobile SDLC • Strategies • Send the beta product to BEST tool • Integrate BEST tool with Bug Tracking System • Create automated bug/issue entries for each finding • When • Ath the end of each sprint • Part of testing process

More Related Content

PDF
Application Security - Making It Work
byIANS
 
PDF
Positive Technologies Application Inspector
byqqlan
 
PDF
Just4Meeting 2012 - How to protect your web applications
byMagno Logan
 
PDF
Continuous Quality For a 5 Star Mobile Apps Delivery
byPerfecto Mobile
 
DOC
Mobile App Testing Checklist
byManoj Lonar
 
PDF
Mobile App Testing by Mark Wilson
byphpwgtn
 
PPTX
Supply Chain Solutions for Modern Software Development
bySonatype
 
PDF
Penetration testing services
byAlisha Henderson
 
Application Security - Making It Work
byIANS
 
Positive Technologies Application Inspector
byqqlan
 
Just4Meeting 2012 - How to protect your web applications
byMagno Logan
 
Continuous Quality For a 5 Star Mobile Apps Delivery
byPerfecto Mobile
 
Mobile App Testing Checklist
byManoj Lonar
 
Mobile App Testing by Mark Wilson
byphpwgtn
 
Supply Chain Solutions for Modern Software Development
bySonatype
 
Penetration testing services
byAlisha Henderson
 

What's hot

PPTX
Agile and Secure Development
byNazar Tymoshyk, CEH, Ph.D.
 
PPTX
The State of Open Source Vulnerabilities - A WhiteSource Webinar
byWhiteSource
 
PDF
Roland van leusden mobile performance testing rtc 2014 v0.6
byRomania Testing
 
PDF
Stephen janaway mobile testing - that's just a smaller screen, right
byRomania Testing
 
PPTX
Accelerating Innovation with Software Supply Chain Management
bySonatype
 
PPTX
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
byKevin Fealey
 
PPTX
Continuous Acceleration with a Software Supply Chain Approach
bySonatype
 
PPTX
Application Hackers Have A Handbook. Why Shouldn't You?
byLondon School of Cyber Security
 
PPTX
A "Firewall" for Bad Binaries
bySonatype
 
PPTX
User Sentiment to Determine App Quality
byApigee | Google Cloud
 
POT
Mobile Test Coverage- Israel 4th meetup
byPerfecto Mobile
 
PDF
Anomaly detection and root cause analysis in distributed application transact...
byYuchen Zhao
 
PDF
Webinar - Developers Are Your Greatest AppSec Resource
bySynopsys Software Integrity Group
 
PDF
SAST vs. DAST: What’s the Best Method For Application Security Testing?
byCigital
 
PPT
Good Security Starts with Software Assurance - Software Assurance Market Plac...
byPhil Agcaoili
 
PPTX
Cyber security - It starts with the embedded system
byRogue Wave Software
 
PPTX
OWASP Knoxville Inaugural Chapter Meeting
byPhil Agcaoili
 
PDF
Applicaiton Security - Building The Audit Program
byMichael Davis
 
PPTX
Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Securit...
byChamila Wijayarathna
 
PPTX
Juc oct 2014 final
byPerfecto Mobile
 
Agile and Secure Development
byNazar Tymoshyk, CEH, Ph.D.
 
The State of Open Source Vulnerabilities - A WhiteSource Webinar
byWhiteSource
 
Roland van leusden mobile performance testing rtc 2014 v0.6
byRomania Testing
 
Stephen janaway mobile testing - that's just a smaller screen, right
byRomania Testing
 
Accelerating Innovation with Software Supply Chain Management
bySonatype
 
What Good is this Tool? A Guide to Choosing the Right Application Security Te...
byKevin Fealey
 
Continuous Acceleration with a Software Supply Chain Approach
bySonatype
 
Application Hackers Have A Handbook. Why Shouldn't You?
byLondon School of Cyber Security
 
A "Firewall" for Bad Binaries
bySonatype
 
User Sentiment to Determine App Quality
byApigee | Google Cloud
 
Mobile Test Coverage- Israel 4th meetup
byPerfecto Mobile
 
Anomaly detection and root cause analysis in distributed application transact...
byYuchen Zhao
 
Webinar - Developers Are Your Greatest AppSec Resource
bySynopsys Software Integrity Group
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
byCigital
 
Good Security Starts with Software Assurance - Software Assurance Market Plac...
byPhil Agcaoili
 
Cyber security - It starts with the embedded system
byRogue Wave Software
 
OWASP Knoxville Inaugural Chapter Meeting
byPhil Agcaoili
 
Applicaiton Security - Building The Audit Program
byMichael Davis
 
Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Securit...
byChamila Wijayarathna
 
Juc oct 2014 final
byPerfecto Mobile
 

Viewers also liked

PDF
Mobile Penetration Testing: Episode 1 - The Forensic Menace
byNowSecure
 
PDF
Mobile Penetration Testing: Episode II - Attack of the Code
byNowSecure
 
PDF
Mobile Penetration Testing: Episode III - Attack of the Code
byNowSecure
 
PDF
Security testing in mobile applications
byJose Manuel Ortega Candel
 
PDF
Security Testing Mobile Applications
byDenim Group
 
PDF
Mobile Application Penetration Testing
byBGA Cyber Security
 
PPTX
Security testing of mobile applications
byGTestClub
 
Mobile Penetration Testing: Episode 1 - The Forensic Menace
byNowSecure
 
Mobile Penetration Testing: Episode II - Attack of the Code
byNowSecure
 
Mobile Penetration Testing: Episode III - Attack of the Code
byNowSecure
 
Security testing in mobile applications
byJose Manuel Ortega Candel
 
Security Testing Mobile Applications
byDenim Group
 
Mobile Application Penetration Testing
byBGA Cyber Security
 
Security testing of mobile applications
byGTestClub
 

Similar to Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS

PDF
Mobile App Security Testing: Tools, Techniques & Insights
bydigitaljignect
 
ODP
Mobile Apps Security Testing -1
byKrisshhna Daasaarii
 
PDF
Challenges in Testing Mobile App Security
byCygnet Infotech
 
PPTX
A 5 minute guide to delivering Flawless Mobile Apps
byCygnet Infotech
 
PDF
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
byDenim Group
 
PDF
Mobile Application Penetration Testing: Ensuring the Security of Your Apps
byMobile Security
 
PDF
Importance Of Testing Mobile Apps For Security Vulnerabilities.pdf
bypcloudy2
 
PDF
App Testing SEO Expert Bangladesh LTD
byTasnim Jahan
 
PPTX
Mobile App Testing Strategy
bySoftware Assurance LLC
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
byflufftailshop
 
PDF
Understanding Mobile App Security Testing_ What It Is and How to Perform It.pdf
bykalichargn70th171
 
PPTX
Testing Mobile Applications
byJohan Hoberg
 
PDF
Understanding Mobile App Security Testing_ What It Is and How to Perform It.pdf
byflufftailshop
 
PDF
Top 12 challenges in Mobile Testing
byAspire Systems
 
PDF
App Testing Tools and Frameworks A Comparative Analysis.pdf
bylubnayasminsebl
 
PDF
How to Find Vulnerabilities and Bugs in Mobile Applications
byJosiah Renaudin
 
PDF
Mobile Testing An Introduction to the Different Types and Approaches
bykalichargn70th171
 
PDF
Why Mobile App Penetration Testing Matters.pdf
byCyberPro Magazine
 
PDF
Mobile Testing_ An Introduction to the Different Types and Approaches.pdf
byflufftailshop
 
PDF
The Essentials of Mobile App Testing and Monitoring
byMobilePundits
 
Mobile App Security Testing: Tools, Techniques & Insights
bydigitaljignect
 
Mobile Apps Security Testing -1
byKrisshhna Daasaarii
 
Challenges in Testing Mobile App Security
byCygnet Infotech
 
A 5 minute guide to delivering Flawless Mobile Apps
byCygnet Infotech
 
Application Security Assessments by the Numbers - A Whole-istic View - OWASP ...
byDenim Group
 
Mobile Application Penetration Testing: Ensuring the Security of Your Apps
byMobile Security
 
Importance Of Testing Mobile Apps For Security Vulnerabilities.pdf
bypcloudy2
 
App Testing SEO Expert Bangladesh LTD
byTasnim Jahan
 
Mobile App Testing Strategy
bySoftware Assurance LLC
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
byflufftailshop
 
Understanding Mobile App Security Testing_ What It Is and How to Perform It.pdf
bykalichargn70th171
 
Testing Mobile Applications
byJohan Hoberg
 
Understanding Mobile App Security Testing_ What It Is and How to Perform It.pdf
byflufftailshop
 
Top 12 challenges in Mobile Testing
byAspire Systems
 
App Testing Tools and Frameworks A Comparative Analysis.pdf
bylubnayasminsebl
 
How to Find Vulnerabilities and Bugs in Mobile Applications
byJosiah Renaudin
 
Mobile Testing An Introduction to the Different Types and Approaches
bykalichargn70th171
 
Why Mobile App Penetration Testing Matters.pdf
byCyberPro Magazine
 
Mobile Testing_ An Introduction to the Different Types and Approaches.pdf
byflufftailshop
 
The Essentials of Mobile App Testing and Monitoring
byMobilePundits
 

More from Lostar

PPTX
VERBİS'e kayıt nasıl yapılacak? KVKK - Lostar
byLostar
 
PPTX
KVKK ve GDPR'a BT Uyumu
byLostar
 
PPTX
DDoS - Dağıtık Hizmet Engelleme Saldırıları
byLostar
 
PPTX
Bulut & Güvenlik - Güvence Nasıl Sağlanır?
byLostar
 
PPTX
Endüstri 4.0 Güvenliği
byLostar
 
PPTX
IoT ve Güvenlik Ekim2017
byLostar
 
PPTX
Endüstri 4.0 / Güvenlik 4.0
byLostar
 
PPTX
Wannacry.Lostar
byLostar
 
PDF
BLOCKCHAIN
byLostar
 
PPTX
Dijitalleşme çağında bilgi güvenliği'nin önemli ve alınabilecek önlemler
byLostar
 
PPTX
Kişisel Verileri Koruma Kanunu (KVKK) - BT Uyumu
byLostar
 
PPTX
Herşeyin Güvenliği - Murat Lostar - 2.Bilişim Hukuku Zirvesi
byLostar
 
PPTX
Bulut Bilişim Güvenliği Nasıl Ölçülür? Cloud Controls Matrix - Lostar
byLostar
 
PPTX
Lostar Microsoft Zirve 2007 Guvenlik
byLostar
 
PPTX
Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013
byLostar
 
PPTX
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
byLostar
 
PPTX
Tedarikçi Güvenliği için Yol Haritası
byLostar
 
PPTX
Tedarikçi Kullanımı ve Riskler
byLostar
 
PPTX
Yeni TTK Guvenlik
byLostar
 
PPTX
Risk IT
byLostar
 
VERBİS'e kayıt nasıl yapılacak? KVKK - Lostar
byLostar
 
KVKK ve GDPR'a BT Uyumu
byLostar
 
DDoS - Dağıtık Hizmet Engelleme Saldırıları
byLostar
 
Bulut & Güvenlik - Güvence Nasıl Sağlanır?
byLostar
 
Endüstri 4.0 Güvenliği
byLostar
 
IoT ve Güvenlik Ekim2017
byLostar
 
Endüstri 4.0 / Güvenlik 4.0
byLostar
 
Wannacry.Lostar
byLostar
 
BLOCKCHAIN
byLostar
 
Dijitalleşme çağında bilgi güvenliği'nin önemli ve alınabilecek önlemler
byLostar
 
Kişisel Verileri Koruma Kanunu (KVKK) - BT Uyumu
byLostar
 
Herşeyin Güvenliği - Murat Lostar - 2.Bilişim Hukuku Zirvesi
byLostar
 
Bulut Bilişim Güvenliği Nasıl Ölçülür? Cloud Controls Matrix - Lostar
byLostar
 
Lostar Microsoft Zirve 2007 Guvenlik
byLostar
 
Cloud Based Business Continuity - Murat Lostar @ ISACA EUROCACS 2013
byLostar
 
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
byLostar
 
Tedarikçi Güvenliği için Yol Haritası
byLostar
 
Tedarikçi Kullanımı ve Riskler
byLostar
 
Yeni TTK Guvenlik
byLostar
 
Risk IT
byLostar
 

Recently uploaded

PDF
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PPT
software-security-intro in information security.ppt
byismaeelsahib032
 
PPTX
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
PPTX
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
PDF
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PPTX
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PPTX
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
software-security-intro in information security.ppt
byismaeelsahib032
 
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
The year in review - MarvelClient in 2025
bypanagenda
 
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 

Best Effort Security Testing for Mobile Applications - 2015 #ISC2CONGRESS

  • 1.
    B.E.S.T.-Mobile Best Effort SecurityTesting for Mobile Apps Murat Lostar
  • 2.
    About Murat Lostar @muratlostar • ITsince 1986 • Full time security since 1998 • Based in Istanbul & Turkey • ISC2 - CISSP, ISSMP, CSSLP, CCSP
  • 4.
    Extracted Data fromApple AppStore • 3 Industries: Finance, eCommerce, Social Media • 50 Applications: • Finance: Akbank, Bloomberg, Chase, ING, PayPal… • eCommerce: AliBaba, Amazon, eBay, Kliksa, n11… • Social Media: Ask.fm, BIP, Facebook, Instagram, Tango… • 1051 Revisions
  • 5.
    Revision Age ofMobile Apps 0.00% 5.00% 10.00% 15.00% 20.00% 25.00% 30.00% 35.00% 0-3 4-7 8-15 16-31 32-63 64-127 128-255 256-511 512- eCommerce Finance Social Media Source: Apple n=1051
  • 6.
    Average App RevisionCount = 21.02 - 5.00 10.00 15.00 20.00 25.00 30.00 2009 2010 2011 2012 2013 2014 2015 Avg.TotalNumberofVersions First version relase year Source: Apple n=50 (1051)
  • 7.
    App update period(days) 2 4 8 16 32 64 128 256 512 1024 2010 2011 2012 2013 2014 2015 2016 Source: Apple n=1051
  • 8.
    The Situation • Mobileapp development • Agile is ad-hoc standard • New app release is under pressure • Competition • OS updates & new devices • New version every … 16-31 days (& decreasing)
  • 9.
    The Requirement • Detailedmanual penetration testing for each version (before release) • If possible, source code review
  • 10.
    The Situation forMobile App Security • Testing (mobile) applications are • Expensive • Takes time & resources • Mostly perfomed periodically • Once a year • 4 times a year
  • 11.
    Problem • Detailed penetration NOTPOSSIBLE (each time) • Not enough time • Not enough resources • Not needed! • Most of the app is the same • Is it? • Each new version is subject to • Developer mistakes, • Security vulnerabilities (including re-appear) • Time pressure • Less user acceptance testing • Less developer & unit testing • Less code review
  • 12.
    BEST-Mobile • Best EffortSecurity Testing for Mobile Applications • Continue periodical, detailed pen-testing... • For each new version: Perform mobile application security tests with best effort and best efficiency • Use: Automated tools & Security Testing as a Service
  • 13.
    Question • Can wetrust automated testing? • Is there enough investment on automated mobile vulnerability
  • 14.
    Tool / ResearchStaff Counts 3 4 5 6 7 8 9 10 11 12 13 5 15 25 35 45 55 65 75 85 95 105 2010 2011 2012 2013 2014 2015 Staff Counts Tool Counts Data gathered from projects’ offical websites and GitHub accounts.
  • 15.
    Data From MobileApp Testers • Source • OWASP – WhiteHat, Pure Hacking, Lostar, BugCrowd, SecureNetwork, Metaintelli • 2014 – Detected and reported issues, n=1065 • Overall 54% found by automated tools • How about risk level?
  • 16.
    Top 10 MobileRisks Exploitability Prevalence Detectability Impact BEST Capability* 1 Weak Server Side Controls Easy Common Average Severe 61% 2 Insecure Data Storage Easy Common Average Severe 64% 3 Insufficient Transport Layer Protection Difficult Common Easy Moderate 91% 4 Unintended Data Leakage Easy Common Easy Severe 24% 5 Poor Authorization and Authentication Easy Common Easy Severe %14
  • 17.
    Top 10 MobileRisks Exploitability Prevalence Detectability Impact BEST Capability* 6 Broken Cryptography Easy Common Easy Severe 90% 7 Client Side Injection Easy Common Easy Moderate No data 8 Security Decisions Via Untrusted Inputs Easy Common Easy Severe No data 9 Improper Session Handling Easy Common Easy Severe 16% 10 Lack of Binary Protections Medium Common Easy Severe 82%
  • 18.
    Verdict • Automated testingcan NOT replace manual mobile penetration testing and code review. • It can however, can be used to see the basics (i.e.Usefull in the sence of pareto rule)
  • 19.
    Proposed Testing Process 1.Classify Mobile Applications • High, Medium, Low
  • 20.
    Proposed Testing Process 2.Use Classification for Pre-Relase Security TestingClass Major Release Minor Release Regular Reviews High Pre: PenTest + Code Review Pre: PenTest (Opt/Post: Code Review) External (PenTest+Code Review) Medium Pre: PenTest (Opt/Post: Code Review) Pre: BEST (Opt/Post: PenTest) PenTest + Code Review Low Pre: BEST (Post PenTest) Pre/Post: BEST PenTest
  • 21.
    Proposed Testing Process 3.Decision Matrix App Class Major Issue Minor Issue High Postpone to fix Postpone for Risk Advisory Board Medium Postpone for Risk Advisory Board Postpone to verify and decide Low Issue verification Deploy, then fix
  • 22.
  • 23.
    Next Step • PutBEST into mobile SDLC • Strategies • Send the beta product to BEST tool • Integrate BEST tool with Bug Tracking System • Create automated bug/issue entries for each finding • When • Ath the end of each sprint • Part of testing process

Editor's Notes

  • #15 AppUse: https://appsec-labs.com/appuse/ iAnalyzer: https://appsec-labs.com/iNalyzer/ Anubis: https://anubis.iseclab.org/ Akana: http://akana.mobiseclab.org/index.jsp Drozer: https://www.mwrinfosecurity.com/products/drozer/ Droidbox: https://github.com/pjlantz/droidbox Androguard: https://github.com/androguard/androguard Android Hooker: https://github.com/AndroidHooker/hooker Androwarn: https://github.com/maaaaz/androwarn/ YSO-Mobile-Security-Framework: https://github.com/ajinabraham/YSO-Mobile-Security-Framework IDB: http://www.idbtool.com/ Selenium for Android: https://github.com/selendroid/selendroid Vezir-Project: https://github.com/oguzhantopgul/Vezir-Project