iOS and Android security: Differences you need to know

•

2 likes•1,003 views

NowSecure Director of Research David Weistein recently spoke at the Security by Design Meetup in Washington, DC. This presentation offers information about risks impacting mobile and the differences between iOS and Android security. Recap here: https://www.nowsecure.com/blog/2016/08/24/android-buckles-down-and-ios-opens-up-trends-in-platform-security-affecting-developers/

Technology

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
iOS and Android Security:
Differences You Need to Know
August 22, 2016 | Security By Design Meetup

David Weinstein
Director of Research
@insitusec
● 10+ years of cybersecurity experience
● Former senior engineer at MITRE
Email: dweinstein@nowsecure.com
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
NowSecure: Forged in mobile from day one
Top engineers and researchers
OSS authors of Radare, Frida,
Santoku Linux, and Android VTS
Disclosed Samsung keyboard vulnerability
Impacting 650M+ devices
worldwide
Regular speaking appearances
Black Hat USA, RSA Conference,
OWASP AppSec USA & more
100+ customers
From banking, healthcare, tech,
government & more
Founded in Oak Park, IL
With a strong background in
forensics & enterprise security
2009

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information..
Risk extends deeper than what’s on the surface
What everyone is focused
on: malware
The real security problem
extends much deeper:
Mobile apps leaking
sensitive data

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Mobile app security testing
● Fully automated static and dynamic
analysis with results in minutes
● Analysis for iOS and Android
performed on real devices
● Scalability and consistency via
Cloud-based solution

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Problems we address:
So you can succeed in testing mobile apps
1 Teams are overwhelmed with mobile app testing
2 Static testing returns too many false positives
3 Organizations lack a process for mobile

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Platform Security - Year In Review
Differential Privacy
Lock Screen Widgets
`
image3/image4 no longer enc.
Personal ID Codesigning
App Transport Security
Keychain ACLs, TouchID
canOpenUrl changes
Hardened Webkit
usesCleartextTraffic
SE Android Enforcing, Breaking
Apps
Instant Apps
Verified Boot
networkSecurityConfig
“Project Svelte”
Runtime Permissions
FS Permissions
Apple Android

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Quick Stats
Top 50 free iOS apps:
- 80% using NSAllowsArbitraryLoads
- 34% using NSExceptionDomains
- 0 using MinimumTLSVersion exception
Top 50 free Android apps:
- Only Chrome using networkSecurityPolicy,
services with isolatedProcess
- None leaving debuggable flag enabled
- 66% set allowBackup true

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information..

Looking for a high-intensity bootcamp covering the basics of secure mobile development? This slideshare was originally presented by mobile security expert and NowSecure CEO Andrew Hoog for a 60-minute workshop at Security by Design covering the following topics: + Introduction to identifying security flaws in mobile apps (and how to avoid them) + Examples of secure and insecure mobile apps and how to secure them + Overview of secure mobile development based on the NowSecure Secure Mobile Development Best Practices

How to make Android apps secure: dos and don’ts

NowSecure

Learn from the mobile app security fails of others and understand how to get Android app security right the first time around. A quarter of mobile apps include flaws that expose sensitive personal or corporate data that can be used for illicit purposes. And the security of a mobile app has a lot to do with a user’s impression of its quality. Fixing vulnerabilities in the late stages of your build-and-deploy cycle is a hassle, and more expensive. You’ve got to switch contexts, dig through code you haven’t thought about in weeks (or didn’t develop in the first place), and delay progress on your latest sprint. So, what can you, the savvy Android developer, do to get security right the first time around and save yourself work later? Or, if you’re a security practitioner, how can you give security guidance up front to help your colleagues on the development team work more efficiently?

Five mobile security challenges facing the enterprise

NowSecure

Shifting left: Continuous testing for better app quality and security

NowSecure

Mobile Penetration Testing: Episode II - Attack of the Code

NowSecure

In this, the second, episode of our mobile penetration testing trilogy, NowSecure Solutions Engineer Michael Krueger takes you beyond the device. Michael will explain how to perform network and web services/API testing to capture data exposed in transit between apps and backend services -- some of the highest risk security flaws around. This high intensity 30-minute crash course covers: + Man-in-the-middle (MITM) attacks + Taking advantage of improper certificate validation + Demonstration of a privilege escalation exploit of a web back-end vulnerability Watch it here: https://youtu.be/bT1-7ZkSdNY

Mobile Penetration Testing: Episode 1 - The Forensic Menace

NowSecure

OWASP Mobile Top 10

NowSecure

5 Ways to Protect your Mobile Security

Lookout

Originally presented June 24, 2019 https://www.nowsecure.com/resource/debunking-the-top-5-myths-about-mobile-appsec/ It’s hard to believe that mobile app stores are more than a decade old yet some crazy misconceptions about mobile application security still linger. Have you heard these before? - Testing mobile apps is the same as web apps - SAST is good enough for mobile, you don’t need DAST - Mobile apps are secure because Apple and Google security test them - Outsourcing a penetration test once per year is sufficient to mitigate risk Sort fact from fiction and learn how to ensure your mobile appsec program is on the right track. You may discover some surprising things about modern mobile application security.

How Healthcare CISOs Can Secure Mobile Devices

Skycure

Original webinar: http://get.skycure.com/mobile-security-in-healthcare-webinar In this webinar, Jim Routh, CSO at Aetna, and Adi Sharabani, CEO and co-founder at Skycure, discuss: - The state of mobile security in Healthcare organizations - How to improve incident response and resilience of mHealth IT operations - How to leverage risk-based mobility to predict, detect and protect against threats

Accessibility Clickjacking, Devastating Android Vulnerability

Skycure

View recorded webinar - http://get.skycure.com/accessibility-clickjacking-webinar Accessibility Clickjacking, a vulnerability discovered by Skycure’s Mobile Threat Defense Research Team, is a method hackers may use to gain complete control over an Android device, including acquiring elevated privileges and exposing the content of all apps on the device. It can compromise container solutions and is extremely difficult to detect.

How to Add Advanced Threat Defense to Your EMM

Skycure

View recorded webinar here: http://hubs.ly/y0SRV90 In this webinar presentation we discuss how to: - Stop mobile attacks before they make it to the enterprise by leveraging crowd wisdom - Dynamically enforce BYOD, security and compliance policies based on actively detected threats - Leverage risk-based enterprise mobility management to detect and protect against corporate espionage via infiltrated mobile devices

Case Closed with IBM Application Security on Cloud infographic

IBM Security

This infographic demonstrates how to leverage IBM Application Security Analyzer (formerly IBM AppScan Mobile Analyzer and IBM AppScan Dynamic Analyzer) to improve mobile and Web application security, by performing periodic application security testing, identifying high-priority vulnerabilities and improving the effectiveness of your application security program. You’ll also have the peace of mind that’s derived by eliminating security vulnerabilities from Web and mobile applications before they’re placed into production and deployed. For additional information, please visit: www.ibm.com/applicationsecurity.

Xamarin security talk slideshare

Marcus de Wilde

Mobile hacking, pentest, and malware

Ammar WK

Nowadays, like the technology itself, hacking activities against mobile phone is growing very rapidly, both for mobile devices (operating system) or mobile applications, some applications providers even dedicate a penetration testing activity for applications that they created right before it gets released to the public, while others open a bug bounty programs, and sadly the rest just watch and do nothing. On the other side, malware developer arround the world also already move their main target and has been developing malware to take over the mobile devices which surely keep all our personal/private and our work, some of it even make us to pay for getting it back. This talks will be focusing more on the trend of mobile device security lately, mobile security penetration testing activity, also in practice, showing several types of common weaknesses/vulnerabiliies within the mobile applications and how the exploitation is done by the attacker, malware is created and planted, until it is successfully to take over the target mobile device.

The New NotCompatible

Lookout

Mobile App Hacking In A Nutshell

Prathan Phongthiproek

Android Security Development

hackstuff

Patches Arrren't Just for Pirates

webnowires

OSS Tools: Creating a Reverse Engineering Plug-in for r2frida

NowSecure

Hear Radare creator Sergi (Pancake) Alvarez conduct a deep dive of r2frida, a framework that combines the best of Frida and Radare. Frida and Radare are leading open-source reverse engineering tools sponsored by NowSecure. Targeting intermediate to advanced users and security analysts, this overview will highlight the r2frida plug-in architecture. Watch the webinar: http://bit.ly/2DBHt7M Watch this webinar to learn: + What dynamic and static techniques the individual tools provide to assist security analysts with reverse engineering; + Why r2frida’s plugin architecture eases the task of performing reverse engineering workflows; + How to create your own new plug-in.

Cybersecurity Fundamentals for Bar Associations

NowSecure

Three Secrets to Becoming a Mobile Security Superhero

Skycure

Jump-Start The MASVS

Prathan Phongthiproek

Mobile Hacking

Novizul Evendi

Web Application Securitysudip pudasaini

How To [relatively] Secure your Web Applications

Ammar WK

Malware on Smartphones and Tablets - The Inconvenient Truth

AGILLY

De nombreux entreprises, à travers leurs responsables informatiques et DSI ne reconnaissent toujours pas les logiciels malveillants mobiles comme une menace imminente. Selon une étude de Duo Security, un tiers des utilisateurs mobiles Android n'utilisent ne verrouillent pas l'écran de leurs appareils à l'aide d'un Mot de Passe, et la plupart ne prennent aucunes mesures de sécurité. En outre, les responsables informatiques et DSI déploient de nouvelles applications vers leurs clients et employés sans y intégrer de mesure de sécurité favorisant l'authentification et la mitigation des menaces. Cependant, les logiciels malveillants mobiles ont évolué au fil des dernières années et constituent aujourd'hui des menaces réelle. Business Insider a noté que ces menaces sont désormais équivalentes à celles des PC en terme de distribution et de niveau de risque.

Sholove cyren web security - technical datasheet2

SHOLOVE INTERNATIONAL LLC

Безопасность данных мобильных приложений. Мифы и реальность.

Advanced monitoring

What's hot

2015 Cybersecurity PredictionsLookout

Debunking the Top 5 Myths About Mobile AppSec

NowSecure

How Healthcare CISOs Can Secure Mobile Devices

Skycure

Accessibility Clickjacking, Devastating Android Vulnerability

Skycure

How to Add Advanced Threat Defense to Your EMM

Skycure

Case Closed with IBM Application Security on Cloud infographic

IBM Security

Xamarin security talk slideshare

Marcus de Wilde

Mobile hacking, pentest, and malware

Ammar WK

The New NotCompatible

Lookout

Mobile App Hacking In A Nutshell

Prathan Phongthiproek

Android Security Development

hackstuff

Patches Arrren't Just for Pirates

webnowires

OSS Tools: Creating a Reverse Engineering Plug-in for r2frida

NowSecure

Cybersecurity Fundamentals for Bar Associations

NowSecure

Three Secrets to Becoming a Mobile Security Superhero

Skycure

Jump-Start The MASVS

Prathan Phongthiproek

Mobile Hacking

Novizul Evendi

Web Application Securitysudip pudasaini

How To [relatively] Secure your Web Applications

Ammar WK

Malware on Smartphones and Tablets - The Inconvenient Truth

AGILLY

What's hot (20)

2015 Cybersecurity Predictions

Debunking the Top 5 Myths About Mobile AppSec

How Healthcare CISOs Can Secure Mobile Devices

Accessibility Clickjacking, Devastating Android Vulnerability

How to Add Advanced Threat Defense to Your EMM

Case Closed with IBM Application Security on Cloud infographic

Xamarin security talk slideshare

Mobile hacking, pentest, and malware

The New NotCompatible

Mobile App Hacking In A Nutshell

Android Security Development

Patches Arrren't Just for Pirates

OSS Tools: Creating a Reverse Engineering Plug-in for r2frida

Cybersecurity Fundamentals for Bar Associations

Three Secrets to Becoming a Mobile Security Superhero

Jump-Start The MASVS

Mobile Hacking

Web Application Security

How To [relatively] Secure your Web Applications

Malware on Smartphones and Tablets - The Inconvenient Truth

Similar to iOS and Android security: Differences you need to know

Sholove cyren web security - technical datasheet2

SHOLOVE INTERNATIONAL LLC

Безопасность данных мобильных приложений. Мифы и реальность.

Advanced monitoring

Unicom Conference - Mobile Application Security

Subho Halder

Mobile adoption is strategic in every industry today. Although it can be a great catalyst for growth, the security risks that come with it cannot be overlooked. Even though this fact is established, many companies are still not following some of the mobile application security best practices. The goal of this is to raise awareness about application security by identifying some of the most critical risks facing organizations during development. We will be covering from basic OWASP top 10 security issues to live demos on different use-case scenarios on how a hacker can hack your application, and how to prevent them.

Trojan horseofbyod2

Stephanie Vanroelen

Secure Android Apps- nVisium Security

Jack Mannino

Challenges in Testing Mobile App SecurityCygnet Infotech

5 Mobile App Security MUST-DOs in 2018

NowSecure

Originally presented on 12/5/2017 To close out the 2017 webinar season, our mobile security expert panel will review the top mobile threats of 2017 (e.g., Cloudbleed, Bootstomp, Broadpwn, and more) and then debate what’s next in mobile app security and mobile app security testing for 2018. See the slides from this spirited discussion of the security ramifications of the new iPhone X, iOS 11, Android 8, the latest innovations in the mobile app security testing, and more. Compare your mobile app security and mobile app security testing initiatives with what our experts say should be your top priorities in 2018.

Looking Forward and Looking Back: Lookout's Cybersecurity Predictions

Lookout

Securing Mobile Apps - Appfest Version

Subho Halder

Appaloosa & AppDome: deploy & protect mobile applications

Julien Ott

It's not about you: Mobile security in 2016

NowSecure

Legacy network security approaches define and defend a perimeter. Mobile technology explodes boundaries with apps you’re not always aware of on public networks you don't control. Dual-use devices complicate managing access to sensitive corporate resources and protecting endpoints. Traditional approaches to network, cloud, and application security don't solve the mobile security challenge. Sam Bakken, Content Marketing Manager at NowSecure, discusses the state of mobile security in 2016 and shares strategies for managing the boundless mobile periphery.

Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...

NowSecure

Mobile Penetration Testing: Episode III - Attack of the Code

NowSecure

No IoT Without Identity

ForgeRock

Delivering secure mobile financial services (MFS) - "Frictionless" vs diligence

NowSecure

Mobile Application Security Threats through the Eyes of the Attacker

bugcrowd

"IoT Security - Make vs Buy?" - IoT Data Analytics & Visualization Summit 2016

Verimatrix

Verimatrix SVP of Marketing Steve Christian examines the security vulnerabilities that device and systems vendors become susceptible to as they aggregate and analyze sensitive customer data. His presentation underscores the importance of determining whether or not the expertise, data capture capabilities and computing infrastructures they have available in-house are agile and scalable enough to not only uncover and use detailed customer behavior, but also keep abreast of regulatory and legal data privacy regulations, which vary county-by-country.

Unified application security analyser

Tim Youm

Enable best-of-breed security testing for enterprise, web and mobile applications • Facilitate application security testing for your customers at the appropriate stage of their development lifecycle • Identify security vulnerabilities such as SQL injection and cross-site scripting (XSS) • Automate correlation of static, dynamic and interactive application security testing results • Deliver detailed reporting to your customers that summarise security vulnerabilities, assesses potential risk and offers remediation tactics

Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...

Skycure

How Aetna Mitigated 701 Malware Infections on Mobile Devices

Skycure

Similar to iOS and Android security: Differences you need to know (20)

Sholove cyren web security - technical datasheet2

Безопасность данных мобильных приложений. Мифы и реальность.

Unicom Conference - Mobile Application Security

Trojan horseofbyod2

Secure Android Apps- nVisium Security

Challenges in Testing Mobile App Security

5 Mobile App Security MUST-DOs in 2018

Looking Forward and Looking Back: Lookout's Cybersecurity Predictions

Securing Mobile Apps - Appfest Version

Appaloosa & AppDome: deploy & protect mobile applications

It's not about you: Mobile security in 2016

Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...

Mobile Penetration Testing: Episode III - Attack of the Code

No IoT Without Identity

Delivering secure mobile financial services (MFS) - "Frictionless" vs diligence

Mobile Application Security Threats through the Eyes of the Attacker

"IoT Security - Make vs Buy?" - IoT Data Analytics & Visualization Summit 2016

Unified application security analyser

Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Dev...

How Aetna Mitigated 701 Malware Infections on Mobile Devices

More from NowSecure

iOS recon with Radare2

NowSecure

From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference Architecture

NowSecure

Originally Recorded March 18, 2020 DevSecOps enthusiast D.J. Schleen unveils the latest updates to the DevSecOps Reference Architecture, an extensive chart of open-source tools and third-party applications that now includes mobile app pipelines. Join us to score your own copy and learn: + The most popular tools and integrations to automate and scale your pipeline + How and where mobile DevSecOps differs from web + Where to apply dynamic and interactive application security testing to speed app delivery

Android Q & iOS 13 Privacy Enhancements

NowSecure

Originally Recorded July 19, 2019 Apple and Google’s forthcoming mobile operating systems boast a bevy of privacy features that enable users to seize more control of their personal data. NowSecure Mobile Security Analyst Tony Ramirez will dives into Android and iOS application security and privacy enhancements and what they mean for mobile DevSecOps teams. Join us to learn about: + Increased transparency and granularity over location tracking + New protections for sensitive information + Safer data exchanges in Android Q through TLS 1.3 encryption

Building a Mobile App Pen Testing Blueprint

NowSecure

Mobile penetration testing helps uncover app exploits and vulnerabilities and is a crucial component of risk assessment. However, many people fear the complexity and don’t know where to get started. It all begins with a solid plan of attack. NowSecure veterans of hundreds of mobile app pen tests will walk you through the process of assembling a pen testing playbook to hack your app. This webinar covers: +Tips and tricks for targeting common issues +The best tools for the job +How to document findings to close the loop on vulnerabilities.

Mobile App Security Predictions 2019

NowSecure

Originally presented January 23, 2019 -https://www.brighttalk.com/webcast/15139/344870?utm_source=Slideshare&utm_medium=referral&utm_campaign=344870 2019 is already shaping up to be a standout year for mobile appsec and secure DevOps. If we can say anything with certainty, it’s that cybersecurity is unpredictable and the wave of DevSecOps is unstoppable. But we foresee intensifying concerns about digital privacy amidst high-profile breaches. This deck lists our predictions about what’s in store for our customers and the community in the year ahead. Our veteran industry leaders will prognosticate about developments in these areas: + Mobile ecosystem: OSes, devices, apps and app stores + Evolving mobile security threats + The rise of DevSecOps and the automation of everything + The disruptive economics of automating manual pen testing

Jeff's Journey: Best Practices for Securing Mobile App DevOps

NowSecure

Originally Presented December 6, 2018 As DevOps teams seek to accelerate the mobile app dev pipeline, they rely on tools and best practices to gain speed. Because our engineering leader Jeff Fairman previously ran software development for a top online brokerage, he understands the challenges of scaling security testing to meet current demands. After discovering the NowSecure automated testing platform, Jeff Fairman was so impressed with the tech that he joined the company to help DevOps and security teams build and release safe mobile apps. Listen this webinar to learn: + Why you need dynamic application security (DAST) testing to flag vulnerabilities in the post-build phase + The unique requirements, toolchain options and best practices for secure mobile DevOps + How to combine continuous daily testing with outsourced pen testing.

CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries

NowSecure

Originally Presenter October 18, 2018 Enterprise-grade ephemeral messaging provider Vaporstream knows firsthand that security needs to be built into the software development lifecycle rather than bolted on. Serving highly regulated industries such as federal government, energy, financial services and healthcare, Vaporstream’s leakproof communication platform provides the highest level of assurance that compliance professionals require. Vaporstream partners with NowSecure to test and certify its Android and iOS mobile messaging apps. This case study webinar covers how Vaporstream adheres to a rigorous secure app lifecycle in order to meet customer expectations for secure communications: + Designing a secure app architecture & development process + Incorporating security testing into the release cycle + Comprehensive penetration testing

A Risk-Based Mobile App Security Testing Strategy

NowSecure

Originally presented on September 19, 2018 Given the volume and velocity of mobile apps, there simply aren’t enough resources to test them all in the same manner. There has to be a better way. NowSecure introduces a new framework to help organizations craft a Risk-Based Mobile App Security Testing strategy. Watch the presentation here: https://www.nowsecure.com/webinars/a-risk-based-mobile-app-security-testing-strategy/

Android P Security Updates: What You Need to Know

NowSecure

iOS 12 Preview - What You Need To Know

NowSecure

Originally presented on June 12, 2018 Much of the improvements for iOS 12 focused on privacy and reliability. What prompted these changes and how will it affect the path forward? In this discussion, Tony Ramirez, Mobile Security Analyst, shares about the following: + Learnings & remediations from iOS 11 + Predictions coming out of WWDC + How we see the newest software update, iOS 12, affecting mobile app security testing

5 Tips for Agile Mobile App Security Testing

NowSecure

Originally Presented March 21, 2018 Most mobile app penetration tests or vulnerability assessments take anywhere from a couple of days to two weeks to deliver because of the manual approaches, brittle open source stacks in homegrown testing rigs and legacy application security testing (AST) tools. The shift to agile development common in mobile app development teams has left appsec testing behind. New mobile app builds are pushed daily, weekly or monthly, and appsec testing teams struggle to keep up. Each new build brings new code, including 3rd-party libraries, and with that code comes new potential vulnerabilities. Application security & testing teams - this one’s for you. If you’re looking for ways to join the agile approach and keep pace with the speed of your development team’s CI/CD pipeline, take stock of these 5 tips for mobile appsec testing and integrate them into your company’s workflow.

Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA

NowSecure

85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?

NowSecure

Originally presented on January 23, 2018 A comprehensive analysis of iOS and Android apps found that a staggering 85% of those apps fail one or more of the OWASP Mobile Top 10 criteria. Given that the average mobile device has over 89 mobile apps on it, what are the odds your employees have one or more of the apps and what’s the real risk to your business? Mobile apps power productivity in the modern business; don’t let a few bad apps bring it down.

Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

NowSecure

What attackers know about your mobile apps that you don’t: Banking & FinTech

NowSecure

Our threat research team spends every waking moment reverse-engineering and cracking mobile apps and devices to help organizations reduce mobile risk. Originally presented on October 24, 2017, mobile security expert and NowSecure founder Andrew Hoog explains the attacker’s point-of-view, what attackers are looking for in mobile banking or financial services apps, and what makes your mobile app an appetizing target. He then provides tips for deploying a mobile app security testing program to ensure you proactively plug security holes, squash privacy leaks, and fill compliance gaps in your mobile apps.

Solving for Compliance: Mobile app security for banking and financial services

NowSecure

Mobile apps fall in scope for a number of regulatory requirements that govern the banking and financial services industries, such as: guidelines from the Federal Financial Institutions Examination Council (FFIEC), the Gramm–Leach–Bliley Act (GLBA), New York State cybersecurity requirements for financial services companies, the Payment Card Industry Data Security Standard (PCI DSS), the Sarbanes-Oxley Act, and more. Luckily, a repeatable mobile app security assessment program and standardized reporting go a long way in both achieving compliance objectives and securing mobile apps and data. Originally presented on August 22, 2017, NowSecure Security Solutions Engineer Brian Lawrence explains: -- How and where exactly mobile apps fall in scope for various compliance regimes -- Mobile app security issues financial institutions must identify and fix for compliance purposes -- How assessment reports can be used to demonstrate due diligence

Leaky Mobile Apps: What You Need to Know

NowSecure

The amount of data collected by mobile devices and apps is shocking, and vulnerable mobile apps expose that data to compromise. In our static and dynamic analysis of hundreds-of-thousands of mobile apps, we found that 25 percent of them harbor at least one high-risk vulnerability such as collecting/transmitting location data, credentials, and more in cleartext. Mobile data may only be as secure as the weakest app on someone’s device. Mobile app developers need to protect the users of their apps by building high quality, secure apps. This presentation covers the most common mobile app vulnerabilities (including a real-world demonstration), how to identify those vulnerabilities, and what to do to remediate them. Slides from NowSecure Senior Solutions Engineer Jon Porter's talk at the OWASP Denver Chapter's July 2017 meeting.

Vetting Mobile Apps for Corporate Use: Security Essentials

NowSecure

Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...

NowSecure

A mobile app that’s vulnerable to man-in-the-middle (MITM) attacks can allow an attacker to capture, view, and modify sensitive traffic sent and received between the app and backend servers. At NowSecure, Michael Krueger and Tony Ramirez spend their days performing penetration tests on Android and iOS apps, which include exploiting MITM vulnerabilities and helping developers fix them. These slides are from a 30-minute webinar with Michael & Tony about MITM attacks on mobile apps and how to prevent them that will cover: -- Identifying man-in-the-middle vulnerabilities in mobile apps -- How to execute a mobile man-in-the-middle attack -- Right and wrong ways to implement certificate validation and certificate pinning

Next-level mobile app security: A programmatic approach

NowSecure

Katie Stzempka, VP of Customer Success & Services, shares some helpful guidance on how to launch and improve an internal mobile app security program. You'll learn: -- How to unite a disarray of tasks into a mobile app security testing process -- How to choose the right mobile app security testing tools for your maturity -- How to establish buy-in and collaborate with developers and your DevOps team

More from NowSecure (20)

iOS recon with Radare2

From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference Architecture

Android Q & iOS 13 Privacy Enhancements

Building a Mobile App Pen Testing Blueprint

Mobile App Security Predictions 2019

Jeff's Journey: Best Practices for Securing Mobile App DevOps

CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries

A Risk-Based Mobile App Security Testing Strategy

Android P Security Updates: What You Need to Know

iOS 12 Preview - What You Need To Know

5 Tips for Agile Mobile App Security Testing

Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA

85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?

Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

What attackers know about your mobile apps that you don’t: Banking & FinTech

Solving for Compliance: Mobile app security for banking and financial services

Leaky Mobile Apps: What You Need to Know

Vetting Mobile Apps for Corporate Use: Security Essentials

Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...

Next-level mobile app security: A programmatic approach

Recently uploaded

Large Language Model (LLM) and it’s Geospatial Applications

Rohit Gautam

20240607 QFM018 Elixir Reading List May 2024

Matthew Sinclair

Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!

SOFTTECHHUB

As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.

RESUME BUILDER APPLICATION Project for students

KAMESHS29

Mind map of terminologies used in context of Generative AI

Kumud Singh

National Security Agency - NSA mobile device best practices

Quotidiano Piemontese

Securing your Kubernetes cluster_ a step-by-step guide to success !

KatiaHIMEUR1

Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster. However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks. In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.

Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI

Vladimir Iglovikov, Ph.D.

Presented by Vladimir Iglovikov: - https://www.linkedin.com/in/iglovikov/ - https://x.com/viglovikov - https://www.instagram.com/ternaus/ This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation. Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners. This case study covers various aspects, including: People: The contributors and community that have supported Albumentations. Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions. Challenges: The hurdles in monetizing open-source projects and measuring user engagement. Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration. Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community. Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations. Mental Health: Maintaining balance and not feeling pressured by user demands. Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth. Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects. Explore more about Albumentations and join the community at: GitHub: https://github.com/albumentations-team/albumentations Website: https://albumentations.ai/ LinkedIn: https://www.linkedin.com/company/100504475 Twitter: https://x.com/albumentations

Full-RAG: A modern architecture for hyper-personalization

Zilliz

Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs

Alex Pruden

This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second). Paper: https://eprint.iacr.org/2023/1886

Building RAG with self-deployed Milvus vector database and Snowpark Container...

Zilliz

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

A tale of scale & speed: How the US Navy is enabling software delivery from l...

sonjaschweigert1

Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved: - Reduction in onboarding time from 5 weeks to 1 day - Improved developer experience and productivity through actionable findings and reduction of false positives - Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO) Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production. We will cover: - How to remove silos in DevSecOps - How to build efficient development pipeline roles and component templates - How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence) - How to streamline operations with automated policy checks on container images

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

Albert Hoitingh

GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...

Neo4j

Dr. Sean Tan, Head of Data Science, Changi Airport Group Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024

Neo4j

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

DanBrown980551

Do you want to learn how to model and simulate an electrical network from scratch in under an hour? Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)! During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook. PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides: - A fully editable and extendable library for grid component modelling; - Visualization tools to display your network; - Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses; The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well. What you will learn during the webinar: - For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills; - For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

FIDO Alliance

DevOps and Testing slides at DASA Connect

Kari Kakkonen

Recently uploaded (20)

Large Language Model (LLM) and it’s Geospatial Applications

20240607 QFM018 Elixir Reading List May 2024

Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!

RESUME BUILDER APPLICATION Project for students

Mind map of terminologies used in context of Generative AI

National Security Agency - NSA mobile device best practices

Securing your Kubernetes cluster_ a step-by-step guide to success !

Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI

Full-RAG: A modern architecture for hyper-personalization

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs

Building RAG with self-deployed Milvus vector database and Snowpark Container...

Epistemic Interaction - tuning interfaces to provide information for AI support

A tale of scale & speed: How the US Navy is enabling software delivery from l...

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

DevOps and Testing slides at DASA Connect

iOS and Android security: Differences you need to know

2. David Weinstein Director of Research @insitusec ● 10+ years of cybersecurity experience ● Former senior engineer at MITRE Email: dweinstein@nowsecure.com © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.

3. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. NowSecure: Forged in mobile from day one Top engineers and researchers OSS authors of Radare, Frida, Santoku Linux, and Android VTS Disclosed Samsung keyboard vulnerability Impacting 650M+ devices worldwide Regular speaking appearances Black Hat USA, RSA Conference, OWASP AppSec USA & more 100+ customers From banking, healthcare, tech, government & more Founded in Oak Park, IL With a strong background in forensics & enterprise security 2009

4. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.. Risk extends deeper than what’s on the surface What everyone is focused on: malware The real security problem extends much deeper: Mobile apps leaking sensitive data

5. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Mobile app security testing ● Fully automated static and dynamic analysis with results in minutes ● Analysis for iOS and Android performed on real devices ● Scalability and consistency via Cloud-based solution

6. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Problems we address: So you can succeed in testing mobile apps 1 Teams are overwhelmed with mobile app testing 2 Static testing returns too many false positives 3 Organizations lack a process for mobile

7. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Platform Security - Year In Review Differential Privacy Lock Screen Widgets ` image3/image4 no longer enc. Personal ID Codesigning App Transport Security Keychain ACLs, TouchID canOpenUrl changes Hardened Webkit usesCleartextTraffic SE Android Enforcing, Breaking Apps Instant Apps Verified Boot networkSecurityConfig “Project Svelte” Runtime Permissions FS Permissions Apple Android

8. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Quick Stats Top 50 free iOS apps: - 80% using NSAllowsArbitraryLoads - 34% using NSExceptionDomains - 0 using MinimumTLSVersion exception Top 50 free Android apps: - Only Chrome using networkSecurityPolicy, services with isolatedProcess - None leaving debuggable flag enabled - 66% set allowBackup true

iOS and Android security: Differences you need to know

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to iOS and Android security: Differences you need to know

Similar to iOS and Android security: Differences you need to know (20)

More from NowSecure

More from NowSecure (20)

Recently uploaded

Recently uploaded (20)

iOS and Android security: Differences you need to know