iOS 12 Preview - What You Need To Know
•
0 likes•659 views
Originally presented on June 12, 2018 Much of the improvements for iOS 12 focused on privacy and reliability. What prompted these changes and how will it affect the path forward? In this discussion, Tony Ramirez, Mobile Security Analyst, shares about the following: + Learnings & remediations from iOS 11 + Predictions coming out of WWDC + How we see the newest software update, iOS 12, affecting mobile app security testing
Report
Share
Report
Share
Download to read offline
Recommended
Entwicklungen in Spielen als Innovationstreiber für Usability
Die Geschichte der Spieleentwicklung zeigt sehr kurze Innovationszyklen im Bereich von Usability und HMI, sowohl im Hard- als auch im Softwarebereich. Von diesen Entwicklungen können auch industrielle HMI-Konzepte profitieren: „Game inspired HMI Design“ steigert unter anderem die Individualisierbarkeit und die Lernförderlichkeit von HMIs und damit die Motivation und Arbeitsqualität der Nutzer.
Entwicklung in Spielen als Innovationstreiber für Usability
Betrachtung der Entwicklung von Computerspielen mit Blick auf Innovation, Motivation, Lernförderlichkeit
Gemeinsam kreativ für bessere Software - Vortragsreihe Dortmund
Wie gehören Software und Kreativität zusammen? Was ist Kreativität? Der Softwareentwicklungsprozess: Iteration und Exploration. Methodenüberblick anhand von zwei Beispielen: Affinity Diagramming und Paper Prototyping.
Online reputation management services
To better understand Online Reputation Management and Search Engine Optimization (SEO), you need to learn the underlying concepts behind these activities. Then, you will be on the path of owning your own (and your company's) reputation.
Psychology of Online Reputation Management and Search Engine Optimization (SEO)
To better understand Online Reputation Management and Search Engine Optimization (SEO), you need to learn the underlying concepts behind these activities. Then, you will be on the path of owning your own (and your company's) reputation.
Recommended
Entwicklungen in Spielen als Innovationstreiber für Usability
Die Geschichte der Spieleentwicklung zeigt sehr kurze Innovationszyklen im Bereich von Usability und HMI, sowohl im Hard- als auch im Softwarebereich. Von diesen Entwicklungen können auch industrielle HMI-Konzepte profitieren: „Game inspired HMI Design“ steigert unter anderem die Individualisierbarkeit und die Lernförderlichkeit von HMIs und damit die Motivation und Arbeitsqualität der Nutzer.
Entwicklung in Spielen als Innovationstreiber für Usability
Betrachtung der Entwicklung von Computerspielen mit Blick auf Innovation, Motivation, Lernförderlichkeit
Gemeinsam kreativ für bessere Software - Vortragsreihe Dortmund
Wie gehören Software und Kreativität zusammen? Was ist Kreativität? Der Softwareentwicklungsprozess: Iteration und Exploration. Methodenüberblick anhand von zwei Beispielen: Affinity Diagramming und Paper Prototyping.
Online reputation management services
To better understand Online Reputation Management and Search Engine Optimization (SEO), you need to learn the underlying concepts behind these activities. Then, you will be on the path of owning your own (and your company's) reputation.
Psychology of Online Reputation Management and Search Engine Optimization (SEO)
To better understand Online Reputation Management and Search Engine Optimization (SEO), you need to learn the underlying concepts behind these activities. Then, you will be on the path of owning your own (and your company's) reputation.
Wordcamp 2012 riaan knoetze - how to hijack a themeshop
Starting a WordPress theme shop is tough these days. The sheer number of competitors in the market are immense. This talk explores skills and practical considerations required to successfully distribute commercial themes and other ways to profit from child theme development.
Introduction to Lean UX
Introduction to Lean User Experience, Core principles, and Process of implementing Lean UX within your organization
Supercharge Your Wordpress Website With Inbound Marketing: A Complete Guide
SEO, Social Media, Email Marketing, CRO. Just a few of the many pieces needed to make successful digital marketing campaigns. But how do the pieces fit together so you can skyrocket your success?
Gabe Wahhab will outline how Inbound Marketing can supercharge your website!
Make It Rain With Web Scraping
Tutorial on scraping weather data using Python and BeautifulSoup. Show various techniques and thought processes behind scraping the information
Personas als Methode des Usability Engineerings
Wobei hilft mir eine Persona? Wie sollte eine Persona aussehen? Wann und wo kommt sie zum Einsatz?
YouTube Mobile Webapp: On the edge of Html5
Dan Delima of Google's presentation at the HTML5 DevDay Davao hackathon at the University of Eastern Philippines, Davao City, July 21, 2012. Cutting edge mobile HTML5 using YouTube mobile as an example.
Product Backlog Refinement with Structured Conversations
One of the most challenging and trouble-prone aspects of Agile product development is discovering the right product requirements to deliver at the right time, for the right customer, and refining them for delivery. This session will share a commonsense, tested approach for defining and refining backlog items so they are “ready” to get to “done.” Explore how refinement is crucial to smooth Scrum flow, shared understanding, and healthy product development team.
(Ellen's slides presented at April 2018 Global Scrum Gathering).
Acquisition, Loyalty and Retention: How a CDP Creates Customers for Life
As more and more companies join the e-commerce scene, brand loyalty continues to be tested. Consumers eager to try new brands, meaning marketers have a unique opportunity to engage with consumers they might not have in the past. But what is the key to actually capturing and retaining these consumers?
In the second webinar in our Definitive Guide to CDPs series our Product Marketing Manager, Jacob Spencer, shared inspiring CDP use cases for creating customers for life.
Discover how a CDP can help you take advantage of this digital spike with the ability to:
- Find new customers without relying on third-party cookie tracking
- Uphold and adjust privacy preferences with access to consent data in real time
- Increase return on ad spend and click-through rates like the Utah Jazz!
A Large-Scale Study of Test Coverage Evolution
While it is common for projects to measure what percentage of their statements are executed by tests, this single number is woefully inadequate at providing a detailed understanding of the extent to which a project’s code is tested, if there are gaps in the tests, and if these tests are useful in any meaningful way. For instance, seemingly simple changes in one part of the codebase may reduce the efficacy of existing tests that seem otherwise unrelated.
Code coverage can be useful to track long-term trends in how tested a project is, but on a day-to-day basis, can’t serve as an indicator for the change in test suite quality. In particular, moving the coverage needle even 0.01% can be extremely difficult in a project with millions of lines of code. At such a large scale, focus often drifts from which lines of code are covered to simply the number of lines covered. However, a change in the coverage of several hundred critical lines of code might be important for developers to take notice of. Over time, these small changes to which lines are covered add up to form a coverage debt, and can lead to a dangerous reduction in test suite effectiveness.
We are building tools and techniques to help every developer track and manage their coverage debt, easily answering questions like: Which lines are no longer covered, even though I didn’t change them? Which lines are non-deterministically covered, perhaps indicative of flaky tests? By answering these questions with hard data, we can provide developers with a rich understanding of the impact of their actions on test suite effectiveness.
From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference Architecture
Originally Recorded March 18, 2020
DevSecOps enthusiast D.J. Schleen unveils the latest updates to the DevSecOps Reference Architecture, an extensive chart of open-source tools and third-party applications that now includes mobile app pipelines. Join us to score your own copy and learn:
+ The most popular tools and integrations to automate and scale your pipeline
+ How and where mobile DevSecOps differs from web
+ Where to apply dynamic and interactive application security testing to speed app delivery
Android Q & iOS 13 Privacy Enhancements
Originally Recorded July 19, 2019
Apple and Google’s forthcoming mobile operating systems boast a bevy of privacy features that enable users to seize more control of their personal data.
NowSecure Mobile Security Analyst Tony Ramirez will dives into Android and iOS application security and privacy enhancements and what they mean for mobile DevSecOps teams. Join us to learn about:
+ Increased transparency and granularity over location tracking
+ New protections for sensitive information
+ Safer data exchanges in Android Q through TLS 1.3 encryption
Debunking the Top 5 Myths About Mobile AppSec
Originally presented June 24, 2019
https://www.nowsecure.com/resource/debunking-the-top-5-myths-about-mobile-appsec/
It’s hard to believe that mobile app stores are more than a decade old yet some crazy misconceptions about mobile application security still linger.
Have you heard these before?
- Testing mobile apps is the same as web apps
- SAST is good enough for mobile, you don’t need DAST
- Mobile apps are secure because Apple and Google security test them
- Outsourcing a penetration test once per year is sufficient to mitigate risk
Sort fact from fiction and learn how to ensure your mobile appsec program is on the right track. You may discover some surprising things about modern mobile application security.
OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
Hear Radare creator Sergi (Pancake) Alvarez conduct a deep dive of r2frida, a framework that combines the best of Frida and Radare. Frida and Radare are leading open-source reverse engineering tools sponsored by NowSecure. Targeting intermediate to advanced users and security analysts, this overview will highlight the r2frida plug-in architecture.
Watch the webinar: http://bit.ly/2DBHt7M
Watch this webinar to learn:
+ What dynamic and static techniques the individual tools provide to assist security analysts with reverse engineering;
+ Why r2frida’s plugin architecture eases the task of performing reverse engineering workflows;
+ How to create your own new plug-in.
Building a Mobile App Pen Testing Blueprint
Mobile penetration testing helps uncover app exploits and vulnerabilities and is a crucial component of risk assessment. However, many people fear the complexity and don’t know where to get started.
It all begins with a solid plan of attack. NowSecure veterans of hundreds of mobile app pen tests will walk you through the process of assembling a pen testing playbook to hack your app.
This webinar covers:
+Tips and tricks for targeting common issues
+The best tools for the job
+How to document findings to close the loop on vulnerabilities.
Mobile App Security Predictions 2019
Originally presented January 23, 2019 -https://www.brighttalk.com/webcast/15139/344870?utm_source=Slideshare&utm_medium=referral&utm_campaign=344870
2019 is already shaping up to be a standout year for mobile appsec and secure DevOps. If we can say anything with certainty, it’s that cybersecurity is unpredictable and the wave of DevSecOps is unstoppable. But we foresee intensifying concerns about digital privacy amidst high-profile breaches.
This deck lists our predictions about what’s in store for our customers and the community in the year ahead. Our veteran industry leaders will prognosticate about developments in these areas:
+ Mobile ecosystem: OSes, devices, apps and app stores
+ Evolving mobile security threats
+ The rise of DevSecOps and the automation of everything
+ The disruptive economics of automating manual pen testing
Jeff's Journey: Best Practices for Securing Mobile App DevOps
Originally Presented December 6, 2018
As DevOps teams seek to accelerate the mobile app dev pipeline, they rely on tools and best practices to gain speed. Because our engineering leader Jeff Fairman previously ran software development for a top online brokerage, he understands the challenges of scaling security testing to meet current demands.
After discovering the NowSecure automated testing platform, Jeff Fairman was so impressed with the tech that he joined the company to help DevOps and security teams build and release safe mobile apps. Listen this webinar to learn:
+ Why you need dynamic application security (DAST) testing to flag vulnerabilities in the post-build phase
+ The unique requirements, toolchain options and best practices for secure mobile DevOps
+ How to combine continuous daily testing with outsourced pen testing.
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
Originally Presenter October 18, 2018
Enterprise-grade ephemeral messaging provider Vaporstream knows firsthand that security needs to be built into the software development lifecycle rather than bolted on. Serving highly regulated industries such as federal government, energy, financial services and healthcare, Vaporstream’s leakproof communication platform provides the highest level of assurance that compliance professionals require. Vaporstream partners with NowSecure to test and certify its Android and iOS mobile messaging apps.
This case study webinar covers how Vaporstream adheres to a rigorous secure app lifecycle in order to meet customer expectations for secure communications:
+ Designing a secure app architecture & development process
+ Incorporating security testing into the release cycle
+ Comprehensive penetration testing
A Risk-Based Mobile App Security Testing Strategy
Originally presented on September 19, 2018
Given the volume and velocity of mobile apps, there simply aren’t enough resources to test them all in the same manner. There has to be a better way. NowSecure introduces a new framework to help organizations craft a Risk-Based Mobile App Security Testing strategy.
Watch the presentation here: https://www.nowsecure.com/webinars/a-risk-based-mobile-app-security-testing-strategy/
Android P Security Updates: What You Need to Know
Originally presented August 23, 2018
2018 seems to be the year of privacy updates for both iOS and Android. In this webinar, Mobile Security Analyst Tony Ramirez takes a deeper look at security updates for Android including learnings from Android 8, what to expect for Android 9, and the implications for mobile app security.
More Related Content
Similar to iOS 12 Preview - What You Need To Know
Wordcamp 2012 riaan knoetze - how to hijack a themeshop
Starting a WordPress theme shop is tough these days. The sheer number of competitors in the market are immense. This talk explores skills and practical considerations required to successfully distribute commercial themes and other ways to profit from child theme development.
Introduction to Lean UX
Introduction to Lean User Experience, Core principles, and Process of implementing Lean UX within your organization
Supercharge Your Wordpress Website With Inbound Marketing: A Complete Guide
SEO, Social Media, Email Marketing, CRO. Just a few of the many pieces needed to make successful digital marketing campaigns. But how do the pieces fit together so you can skyrocket your success?
Gabe Wahhab will outline how Inbound Marketing can supercharge your website!
Make It Rain With Web Scraping
Tutorial on scraping weather data using Python and BeautifulSoup. Show various techniques and thought processes behind scraping the information
Personas als Methode des Usability Engineerings
Wobei hilft mir eine Persona? Wie sollte eine Persona aussehen? Wann und wo kommt sie zum Einsatz?
YouTube Mobile Webapp: On the edge of Html5
Dan Delima of Google's presentation at the HTML5 DevDay Davao hackathon at the University of Eastern Philippines, Davao City, July 21, 2012. Cutting edge mobile HTML5 using YouTube mobile as an example.
Product Backlog Refinement with Structured Conversations
One of the most challenging and trouble-prone aspects of Agile product development is discovering the right product requirements to deliver at the right time, for the right customer, and refining them for delivery. This session will share a commonsense, tested approach for defining and refining backlog items so they are “ready” to get to “done.” Explore how refinement is crucial to smooth Scrum flow, shared understanding, and healthy product development team.
(Ellen's slides presented at April 2018 Global Scrum Gathering).
Acquisition, Loyalty and Retention: How a CDP Creates Customers for Life
As more and more companies join the e-commerce scene, brand loyalty continues to be tested. Consumers eager to try new brands, meaning marketers have a unique opportunity to engage with consumers they might not have in the past. But what is the key to actually capturing and retaining these consumers?
In the second webinar in our Definitive Guide to CDPs series our Product Marketing Manager, Jacob Spencer, shared inspiring CDP use cases for creating customers for life.
Discover how a CDP can help you take advantage of this digital spike with the ability to:
- Find new customers without relying on third-party cookie tracking
- Uphold and adjust privacy preferences with access to consent data in real time
- Increase return on ad spend and click-through rates like the Utah Jazz!
A Large-Scale Study of Test Coverage Evolution
While it is common for projects to measure what percentage of their statements are executed by tests, this single number is woefully inadequate at providing a detailed understanding of the extent to which a project’s code is tested, if there are gaps in the tests, and if these tests are useful in any meaningful way. For instance, seemingly simple changes in one part of the codebase may reduce the efficacy of existing tests that seem otherwise unrelated.
Code coverage can be useful to track long-term trends in how tested a project is, but on a day-to-day basis, can’t serve as an indicator for the change in test suite quality. In particular, moving the coverage needle even 0.01% can be extremely difficult in a project with millions of lines of code. At such a large scale, focus often drifts from which lines of code are covered to simply the number of lines covered. However, a change in the coverage of several hundred critical lines of code might be important for developers to take notice of. Over time, these small changes to which lines are covered add up to form a coverage debt, and can lead to a dangerous reduction in test suite effectiveness.
We are building tools and techniques to help every developer track and manage their coverage debt, easily answering questions like: Which lines are no longer covered, even though I didn’t change them? Which lines are non-deterministically covered, perhaps indicative of flaky tests? By answering these questions with hard data, we can provide developers with a rich understanding of the impact of their actions on test suite effectiveness.
Similar to iOS 12 Preview - What You Need To Know (11)
Wordcamp 2012 riaan knoetze - how to hijack a themeshop
Wordcamp 2012 riaan knoetze - how to hijack a themeshop
Supercharge Your Wordpress Website With Inbound Marketing: A Complete Guide
Supercharge Your Wordpress Website With Inbound Marketing: A Complete Guide
Product Backlog Refinement with Structured Conversations
Product Backlog Refinement with Structured Conversations
Acquisition, Loyalty and Retention: How a CDP Creates Customers for Life
Acquisition, Loyalty and Retention: How a CDP Creates Customers for Life
More from NowSecure
From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference Architecture
Originally Recorded March 18, 2020
DevSecOps enthusiast D.J. Schleen unveils the latest updates to the DevSecOps Reference Architecture, an extensive chart of open-source tools and third-party applications that now includes mobile app pipelines. Join us to score your own copy and learn:
+ The most popular tools and integrations to automate and scale your pipeline
+ How and where mobile DevSecOps differs from web
+ Where to apply dynamic and interactive application security testing to speed app delivery
Android Q & iOS 13 Privacy Enhancements
Originally Recorded July 19, 2019
Apple and Google’s forthcoming mobile operating systems boast a bevy of privacy features that enable users to seize more control of their personal data.
NowSecure Mobile Security Analyst Tony Ramirez will dives into Android and iOS application security and privacy enhancements and what they mean for mobile DevSecOps teams. Join us to learn about:
+ Increased transparency and granularity over location tracking
+ New protections for sensitive information
+ Safer data exchanges in Android Q through TLS 1.3 encryption
Debunking the Top 5 Myths About Mobile AppSec
Originally presented June 24, 2019
https://www.nowsecure.com/resource/debunking-the-top-5-myths-about-mobile-appsec/
It’s hard to believe that mobile app stores are more than a decade old yet some crazy misconceptions about mobile application security still linger.
Have you heard these before?
- Testing mobile apps is the same as web apps
- SAST is good enough for mobile, you don’t need DAST
- Mobile apps are secure because Apple and Google security test them
- Outsourcing a penetration test once per year is sufficient to mitigate risk
Sort fact from fiction and learn how to ensure your mobile appsec program is on the right track. You may discover some surprising things about modern mobile application security.
OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
Hear Radare creator Sergi (Pancake) Alvarez conduct a deep dive of r2frida, a framework that combines the best of Frida and Radare. Frida and Radare are leading open-source reverse engineering tools sponsored by NowSecure. Targeting intermediate to advanced users and security analysts, this overview will highlight the r2frida plug-in architecture.
Watch the webinar: http://bit.ly/2DBHt7M
Watch this webinar to learn:
+ What dynamic and static techniques the individual tools provide to assist security analysts with reverse engineering;
+ Why r2frida’s plugin architecture eases the task of performing reverse engineering workflows;
+ How to create your own new plug-in.
Building a Mobile App Pen Testing Blueprint
Mobile penetration testing helps uncover app exploits and vulnerabilities and is a crucial component of risk assessment. However, many people fear the complexity and don’t know where to get started.
It all begins with a solid plan of attack. NowSecure veterans of hundreds of mobile app pen tests will walk you through the process of assembling a pen testing playbook to hack your app.
This webinar covers:
+Tips and tricks for targeting common issues
+The best tools for the job
+How to document findings to close the loop on vulnerabilities.
Mobile App Security Predictions 2019
Originally presented January 23, 2019 -https://www.brighttalk.com/webcast/15139/344870?utm_source=Slideshare&utm_medium=referral&utm_campaign=344870
2019 is already shaping up to be a standout year for mobile appsec and secure DevOps. If we can say anything with certainty, it’s that cybersecurity is unpredictable and the wave of DevSecOps is unstoppable. But we foresee intensifying concerns about digital privacy amidst high-profile breaches.
This deck lists our predictions about what’s in store for our customers and the community in the year ahead. Our veteran industry leaders will prognosticate about developments in these areas:
+ Mobile ecosystem: OSes, devices, apps and app stores
+ Evolving mobile security threats
+ The rise of DevSecOps and the automation of everything
+ The disruptive economics of automating manual pen testing
Jeff's Journey: Best Practices for Securing Mobile App DevOps
Originally Presented December 6, 2018
As DevOps teams seek to accelerate the mobile app dev pipeline, they rely on tools and best practices to gain speed. Because our engineering leader Jeff Fairman previously ran software development for a top online brokerage, he understands the challenges of scaling security testing to meet current demands.
After discovering the NowSecure automated testing platform, Jeff Fairman was so impressed with the tech that he joined the company to help DevOps and security teams build and release safe mobile apps. Listen this webinar to learn:
+ Why you need dynamic application security (DAST) testing to flag vulnerabilities in the post-build phase
+ The unique requirements, toolchain options and best practices for secure mobile DevOps
+ How to combine continuous daily testing with outsourced pen testing.
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
Originally Presenter October 18, 2018
Enterprise-grade ephemeral messaging provider Vaporstream knows firsthand that security needs to be built into the software development lifecycle rather than bolted on. Serving highly regulated industries such as federal government, energy, financial services and healthcare, Vaporstream’s leakproof communication platform provides the highest level of assurance that compliance professionals require. Vaporstream partners with NowSecure to test and certify its Android and iOS mobile messaging apps.
This case study webinar covers how Vaporstream adheres to a rigorous secure app lifecycle in order to meet customer expectations for secure communications:
+ Designing a secure app architecture & development process
+ Incorporating security testing into the release cycle
+ Comprehensive penetration testing
A Risk-Based Mobile App Security Testing Strategy
Originally presented on September 19, 2018
Given the volume and velocity of mobile apps, there simply aren’t enough resources to test them all in the same manner. There has to be a better way. NowSecure introduces a new framework to help organizations craft a Risk-Based Mobile App Security Testing strategy.
Watch the presentation here: https://www.nowsecure.com/webinars/a-risk-based-mobile-app-security-testing-strategy/
Android P Security Updates: What You Need to Know
Originally presented August 23, 2018
2018 seems to be the year of privacy updates for both iOS and Android. In this webinar, Mobile Security Analyst Tony Ramirez takes a deeper look at security updates for Android including learnings from Android 8, what to expect for Android 9, and the implications for mobile app security.
5 Tips for Agile Mobile App Security Testing
Originally Presented March 21, 2018
Most mobile app penetration tests or vulnerability assessments take anywhere from a couple of days to two weeks to deliver because of the manual approaches, brittle open source stacks in homegrown testing rigs and legacy application security testing (AST) tools. The shift to agile development common in mobile app development teams has left appsec testing behind. New mobile app builds are pushed daily, weekly or monthly, and appsec testing teams struggle to keep up. Each new build brings new code, including 3rd-party libraries, and with that code comes new potential vulnerabilities.
Application security & testing teams - this one’s for you. If you’re looking for ways to join the agile approach and keep pace with the speed of your development team’s CI/CD pipeline, take stock of these 5 tips for mobile appsec testing and integrate them into your company’s workflow.
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
From the creators behind top mobile tools R2 and FRIDA, get the inside scoop on the R2 and FRIDA OSS projects. Led by NowSecure Research Team including David Weinstein, Ole André and Pancake (Sergi Àlvarez), this webinar speaks to our favorite mobile AST OSS projects. Peek behind the curtain on these tools, check out on their latest updates, and learn about potential future enhancements.
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
Originally presented on January 23, 2018
A comprehensive analysis of iOS and Android apps found that a staggering 85% of those apps fail one or more of the OWASP Mobile Top 10 criteria. Given that the average mobile device has over 89 mobile apps on it, what are the odds your employees have one or more of the apps and what’s the real risk to your business?
Mobile apps power productivity in the modern business; don’t let a few bad apps bring it down.
5 Mobile App Security MUST-DOs in 2018
Originally presented on 12/5/2017
To close out the 2017 webinar season, our mobile security expert panel will review the top mobile threats of 2017 (e.g., Cloudbleed, Bootstomp, Broadpwn, and more) and then debate what’s next in mobile app security and mobile app security testing for 2018. See the slides from this spirited discussion of the security ramifications of the new iPhone X, iOS 11, Android 8, the latest innovations in the mobile app security testing, and more. Compare your mobile app security and mobile app security testing initiatives with what our experts say should be your top priorities in 2018.
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
Originally presented on 11/30/2017 at the 2017 NH-ISAC Third Party Risk Governance Summit
What attackers know about your mobile apps that you don’t: Banking & FinTech
Our threat research team spends every waking moment reverse-engineering and cracking mobile apps and devices to help organizations reduce mobile risk. Originally presented on October 24, 2017, mobile security expert and NowSecure founder Andrew Hoog explains the attacker’s point-of-view, what attackers are looking for in mobile banking or financial services apps, and what makes your mobile app an appetizing target. He then provides tips for deploying a mobile app security testing program to ensure you proactively plug security holes, squash privacy leaks, and fill compliance gaps in your mobile apps.
Solving for Compliance: Mobile app security for banking and financial services
Mobile apps fall in scope for a number of regulatory requirements that govern the banking and financial services industries, such as: guidelines from the Federal Financial Institutions Examination Council (FFIEC), the Gramm–Leach–Bliley Act (GLBA), New York State cybersecurity requirements for financial services companies, the Payment Card Industry Data Security Standard (PCI DSS), the Sarbanes-Oxley Act, and more. Luckily, a repeatable mobile app security assessment program and standardized reporting go a long way in both achieving compliance objectives and securing mobile apps and data.
Originally presented on August 22, 2017, NowSecure Security Solutions Engineer Brian Lawrence explains:
-- How and where exactly mobile apps fall in scope for various compliance regimes
-- Mobile app security issues financial institutions must identify and fix for compliance purposes
-- How assessment reports can be used to demonstrate due diligence
Leaky Mobile Apps: What You Need to Know
The amount of data collected by mobile devices and apps is shocking, and vulnerable mobile apps expose that data to compromise. In our static and dynamic analysis of hundreds-of-thousands of mobile apps, we found that 25 percent of them harbor at least one high-risk vulnerability such as collecting/transmitting location data, credentials, and more in cleartext. Mobile data may only be as secure as the weakest app on someone’s device. Mobile app developers need to protect the users of their apps by building high quality, secure apps. This presentation covers the most common mobile app vulnerabilities (including a real-world demonstration), how to identify those vulnerabilities, and what to do to remediate them.
Slides from NowSecure Senior Solutions Engineer Jon Porter's talk at the OWASP Denver Chapter's July 2017 meeting.
Vetting Mobile Apps for Corporate Use: Security Essentials
What does a sensible approach to approving and denying Android and iOS apps for use by staff look like? It starts with accurate, up-to-date security assessment data. NowSecure VP of Customer Success and Services Katie Strzempka covers how to take a data-driven approach to evaluating mobile apps for use at your organization.
More from NowSecure (20)
From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference Architecture
From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference Architecture
OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
Jeff's Journey: Best Practices for Securing Mobile App DevOps
Jeff's Journey: Best Practices for Securing Mobile App DevOps
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
What attackers know about your mobile apps that you don’t: Banking & FinTech
What attackers know about your mobile apps that you don’t: Banking & FinTech
Solving for Compliance: Mobile app security for banking and financial services
Solving for Compliance: Mobile app security for banking and financial services
Vetting Mobile Apps for Corporate Use: Security Essentials
Vetting Mobile Apps for Corporate Use: Security Essentials
iOS 12 Preview - What You Need To Know
- 1. © Copyright 2018 NowSecure, Inc. All Rights Reserved. Proprietary information.
- 2. ● ● ● ● ●
- 6. ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ 6 ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪Cross origin resource sharing ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪
- 8. ● ○
- 9. ● ● ● ●
- 10. ● ● ● ● ●
- 11. ● ● ● ● ● ●
- 14. ● ● ● ○ ●
- 15. ● ● ○ ○ ● ●
- 16. ● ● ○ ● ○ ● ●
- 17. ● ○ ● ○ ● ○ ●
- 18. ● ○ ○ ○ ● ● ○
- 20. ● ● ○ ● ● ●
- 21. ● ● ●
- 22. © Copyright 2018 NowSecure, Inc. All Rights Reserved. Proprietary information.
- 23. ● ○ ● ● ●
- 24. ● ○ ○ ○ ● ● Content Security Policy HttpOnly Cookies Subresource Integrity SameSite Cookies Cross-Origin- Resource-Policy Cross-Origin- Window-Policy Cross-Site Scripting ✓ ✓ Comprised CDN ✓ Cross-Site Request Forgeries ✓ Speculative Execution Attacks ✓ ✓ ✓ ✓ Window Control Attacks ✓
- 25. ● ● ● ● ○ ○ ○ HTTP response: :status: 200 Set-Cookie: auth=abc…123; HttpOnly; SameSite=strict Content-Security-Policy: default-src 'self'; script-scr cdn.example; frame-src social.example; frame-ancestors news.example; Cross-Origin-Resource-Policy: Same Cross-Origin-Window-Policy: Deny <script src="https://cdn.example/framework.js" integrity="sha256-8WqyJLuWKRB…oZkCnxQbWwJVw="> </script> Subresource integrity Cross-Origin Lockdown
- 26. ● ○ ● ● ○ ○ ○
- 27. ● ● ○ ● ● ●
- 28. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
- 29. 29
- 30. 30