© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
Mobile App Crashworthiness
Securing Vehicle-to-Device (V2D) Interfaces and Communications
Andrew Hoog
CEO | NowSecure
Twitter - @ahoog42
E-mail - ahoog@nowsecure.com
• Computer scientist, mobile security & forensics researcher
• Author, expert witness & patent-holder
• Regularly briefs senior government officials & top banking institutions on mobile security
Contents
• Automakers are software companies
• The vehicle-to-device & mobile app security problem
• How to deliver more secure mobile apps
• Questions
Automakers = Software Companies
>100 million lines of code make up the modern automobile
http://www.informationisbeautiful.net/visualizations/million-lines-of-code/
Automakers are making progress in security, but there’s more to be done
Some key findings:
● Automakers believe they’re less knowledgeable than other industries about secure software development
● Impediments to secure software development include pressure to meet release dates and a lack of skills, training, and policies
● Legacy technology makes it harder to make vehicles more secure
Source: survey of developers, programmers, engineers, and executives from automakers and their electronics suppliers, conducted in August 2016
https://www.slideshare.net/SecurityInnovation/car-cybersecurity-the-gap-still-exists
The V2D & mobile app security problem
Wide-angle overview of connected car entry points
Wired
● OBD-II port
● Network harness connectors
● Diagnostic port
● On-board vehicle networks (e.g., CAN, FlexRay, Ethernet, MOST)
● CD/DVD player
● Vehicle charging port
Wireless
● Short range
○ Radio frequency (e.g., TPMS, KES)
○ Near-field communications
○ Wi-Fi
○ Bluetooth
○ Dedicated short range communications
● Long range
○ GPS receiver
○ GSM / CDMA
○ LTE
Source: McCarthy, C., Harnett, K., & Carter, A. (2014, October). Characterization of potential security threats in modern automobiles: A composite modeling approach (Report No. DOT HS 812 074). Washington, DC: National Highway Traffic Safety Administration.
Mobile platforms are vulnerable
Google Android: 523 disclosed vulnerabilities (CVEs) in 2016; 691 CVEs over lifetime (2009-2016)
http://www.cvedetails.com/product/19997/Google-Android.html?vendor_id=1224
Apple iOS: 161 disclosed vulnerabilities (CVEs) in 2016; 984 CVEs over lifetime (2007-2016)
http://www.cvedetails.com/product/15556/Apple-Iphone-Os.html?vendor_id=49
And OS security updates are a problem
[Charts: share of active devices by OS version, Android vs. iOS; the version shares shown in the deck (31.3%, 32.5%, 20.8%, 10.6%, 2.8%, 1.0%, 1.0%) have no version labels in the extracted text]
Android data a/o March 6, 2017: https://developer.android.com/about/dashboards/index.html
iOS data a/o February 20, 2017: https://developer.apple.com/support/app-store/
And mobile apps are vulnerable
Android: 21% of Android apps had ≥1 high-risk security finding; 2.36 high-risk findings per app with ≥1 high-risk finding
iOS: 19% of iOS apps had ≥1 high-risk security finding; 4.22 high-risk findings per app with ≥1 high-risk finding
Example: Potential vulnerability in automaker apps
● Performed dynamic/static analysis of 10 popular automotive apps for Android
○ Apps published on Google Play by automakers
○ Remote start, media center, and other typical connected-car functionality
● Three apps included a vulnerable version of a third-party library
○ OkHttp – an open-source library for sending and receiving HTTP requests
○ Vulnerable versions are those prior to 2.7.2 and 3.x prior to 3.1.2
● The problem
○ A man-in-the-middle attack can bypass certificate pinning via CVE-2016-2402
○ https://koz.io/pinning-cve-2016-2402/
● Next step = confirming whether the app relies on that version for certificate pinning
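The version check the slide describes can be automated as a build-time software-composition check. The script below is an added example, not NowSecure's tooling or any automaker's code: it scans Gradle-style dependency coordinates for OkHttp and flags the ranges the slide names for CVE-2016-2402 (all releases prior to 2.7.2, and 3.x prior to 3.1.2). The dependency lines are constructed sample input; a match is a trigger for the manual confirmation step above, not proof that the app's pinning is bypassable.

```python
"""Flag OkHttp versions in the CVE-2016-2402 ranges in a dependency listing.

Added example for this deck (not the presenter's or NowSecure's code). Vulnerable
ranges are taken from the slide: every release before 2.7.2, and 3.x before 3.1.2.
"""
import re
from typing import List, Tuple

# OkHttp 2.x ships under com.squareup.okhttp, 3.x under com.squareup.okhttp3.
OKHTTP_RE = re.compile(
    r"(?P<group>com\.squareup\.okhttp3?):(?P<artifact>okhttp):(?P<version>[\w.\-+]+)"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.1.2' into (3, 1, 2).

    A pre-release suffix such as '-rc1' or '-SNAPSHOT' is dropped, so a pre-release
    compares as its base version; for this check that is the conservative choice.
    """
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable_okhttp(version: str) -> bool:
    """Apply the two ranges from the slide: < 2.7.2, and 3.x < 3.1.2."""
    parsed = parse_version(version)
    if parsed[0] == 3:
        return parsed < (3, 1, 2)
    # 1.x and 2.x releases before 2.7.2 are affected; 4.x and later are not.
    return parsed < (2, 7, 2)


def scan_dependencies(lines: List[str]) -> List[Tuple[str, str, bool]]:
    """Return (group:artifact, version, vulnerable) for each OkHttp dependency found."""
    findings = []
    for line in lines:
        match = OKHTTP_RE.search(line)
        if match:
            coordinate = f"{match['group']}:{match['artifact']}"
            findings.append(
                (coordinate, match["version"], is_vulnerable_okhttp(match["version"]))
            )
    return findings


# Constructed sample dependency lines; they do not describe any real automaker app.
SAMPLE_DEPENDENCIES = [
    "implementation 'com.squareup.okhttp:okhttp:2.7.0'",
    "implementation 'com.squareup.okhttp3:okhttp:3.0.1'",
    "implementation 'com.squareup.okhttp3:okhttp:3.1.2'",
    "implementation 'com.squareup.okhttp:okhttp:2.7.5'",
    "implementation 'com.squareup.retrofit2:retrofit:2.1.0'",
]

if __name__ == "__main__":
    for coordinate, version, vulnerable in scan_dependencies(SAMPLE_DEPENDENCIES):
        status = "VULNERABLE range (CVE-2016-2402), confirm pinning use" if vulnerable else "ok"
        print(f"{coordinate}:{version} -> {status}")
```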
The roots of the mobile security problem
● Developers aren’t trained in developing secure mobile apps
● Mobile app security is assumed (if it’s considered at all)
● Time and budget are not committed to mobile app security
● Tools that identify mobile security flaws aren’t kept up-to-date
Making software secure prior to launch
Developing with security in mind saves you money & time
SDLC phases: Requirements/Architecture → Coding → Integration/Component Testing → System/Acceptance Testing → Production/Post-Release
Fixing software defects is 30x more expensive post-deployment
NHTSA crash tests
● Side barrier crash test
● Side pole crash test
● Frontal crash test
● Rollover resistance test
Mobile app security tests
● Forensics / data-storage tests
● Network / communications tests
● Back-end services tests
● Reverse-engineering tests
Shift security testing to the left
Crucial aspects of building security into the SDLC
● Document app security policies
● Code using secure development best practices
● Perform automated security assessments on each build
● Perform penetration testing on each release candidate
● Deploy more secure apps to production
Document app security policies
● Establish cross-departmental buy-in
● Agree to adhere to a set of app security standards (and issues that block release)
● Explain how apps will be audited against those policies
Code using secure development best practices
● Provide documentation of secure development best practices to developers
● Educate developers on secure coding practices and how flaws put the business at risk
● Provide feedback to developers when they need it (i.e., when their “heads are in the code”)
Perform automated security assessments continually
● Work with your DevOps team to integrate it into developers’ existing workflow
● Plug into build servers and the continuous integration/continuous delivery (CI/CD) toolchain
● Populate issue trackers with security findings
Perform penetration testing on release candidates
● Test an application from the perspective of an attacker
● Give a human free rein to apply their creativity and ingenuity in trying to compromise an app
● Create a checklist and use tools that support consistent reporting
Also consider third-party apps that hook into connected cars
Contact information:
Jeff Nolan // VP Marketing
(650) 549-4062
jnolan@nowsecure.com
Let’s Talk
NowSecure
+1 312.878.1100
@NowSecureMobile
www.nowsecure.com
Subscribe to #MobSec5
- a collection of the week’s mobile news that matters -
https://www.nowsecure.com/go/subscribe
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
 
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App RiskMobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
 
What attackers know about your mobile apps that you don’t: Banking & FinTech
What attackers know about your mobile apps that you don’t: Banking & FinTechWhat attackers know about your mobile apps that you don’t: Banking & FinTech
What attackers know about your mobile apps that you don’t: Banking & FinTech
 
Leaky Mobile Apps: What You Need to Know
Leaky Mobile Apps: What You Need to KnowLeaky Mobile Apps: What You Need to Know
Leaky Mobile Apps: What You Need to Know
 
How Android and iOS Security Enhancements Complicate Threat Detection
How Android and iOS Security Enhancements Complicate Threat DetectionHow Android and iOS Security Enhancements Complicate Threat Detection
How Android and iOS Security Enhancements Complicate Threat Detection
 
Mobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeMobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the Code
 

Recently uploaded

Things to remember while upgrading the brakes of your car
Things to remember while upgrading the brakes of your carThings to remember while upgrading the brakes of your car
Things to remember while upgrading the brakes of your car
jennifermiller8137
 
TRAINEES-RECORD-BOOK- electronics and electrical
TRAINEES-RECORD-BOOK- electronics and electricalTRAINEES-RECORD-BOOK- electronics and electrical
TRAINEES-RECORD-BOOK- electronics and electrical
JohnCarloPajarilloKa
 
What Could Cause The Headlights On Your Porsche 911 To Stop Working
What Could Cause The Headlights On Your Porsche 911 To Stop WorkingWhat Could Cause The Headlights On Your Porsche 911 To Stop Working
What Could Cause The Headlights On Your Porsche 911 To Stop Working
Lancer Service
 
5 Red Flags Your VW Camshaft Position Sensor Might Be Failing
5 Red Flags Your VW Camshaft Position Sensor Might Be Failing5 Red Flags Your VW Camshaft Position Sensor Might Be Failing
5 Red Flags Your VW Camshaft Position Sensor Might Be Failing
Fifth Gear Automotive Cross Roads
 
一比一原版(Columbia文凭证书)哥伦比亚大学毕业证如何办理
一比一原版(Columbia文凭证书)哥伦比亚大学毕业证如何办理一比一原版(Columbia文凭证书)哥伦比亚大学毕业证如何办理
一比一原版(Columbia文凭证书)哥伦比亚大学毕业证如何办理
afkxen
 
What do the symbols on vehicle dashboard mean?
What do the symbols on vehicle dashboard mean?What do the symbols on vehicle dashboard mean?
What do the symbols on vehicle dashboard mean?
Hyundai Motor Group
 
Empowering Limpopo Entrepreneurs Consulting SMEs.pptx
Empowering Limpopo Entrepreneurs  Consulting SMEs.pptxEmpowering Limpopo Entrepreneurs  Consulting SMEs.pptx
Empowering Limpopo Entrepreneurs Consulting SMEs.pptx
Precious Mvulane CA (SA),RA
 
一比一原版(WashU文凭证书)圣路易斯华盛顿大学毕业证如何办理
一比一原版(WashU文凭证书)圣路易斯华盛顿大学毕业证如何办理一比一原版(WashU文凭证书)圣路易斯华盛顿大学毕业证如何办理
一比一原版(WashU文凭证书)圣路易斯华盛顿大学毕业证如何办理
afkxen
 
What Is Recruitment Processing Outsourcing (RPO) Services?
What Is Recruitment Processing Outsourcing (RPO) Services?What Is Recruitment Processing Outsourcing (RPO) Services?
What Is Recruitment Processing Outsourcing (RPO) Services?
Impeccable HR
 
一比一原版(UNITEC毕业证)UNITEC理工学院毕业证成绩单如何办理
一比一原版(UNITEC毕业证)UNITEC理工学院毕业证成绩单如何办理一比一原版(UNITEC毕业证)UNITEC理工学院毕业证成绩单如何办理
一比一原版(UNITEC毕业证)UNITEC理工学院毕业证成绩单如何办理
bouvoy
 
What Are The Immediate Steps To Take When The VW Temperature Light Starts Fla...
What Are The Immediate Steps To Take When The VW Temperature Light Starts Fla...What Are The Immediate Steps To Take When The VW Temperature Light Starts Fla...
What Are The Immediate Steps To Take When The VW Temperature Light Starts Fla...
Import Motorworks
 
Skoda Octavia Rs for Sale Perth | Skoda Perth
Skoda Octavia Rs for Sale Perth | Skoda PerthSkoda Octavia Rs for Sale Perth | Skoda Perth
Skoda Octavia Rs for Sale Perth | Skoda Perth
Perth City Skoda
 
Statistics5,c.xz,c.;c.;d.c;d;ssssss.pptx
Statistics5,c.xz,c.;c.;d.c;d;ssssss.pptxStatistics5,c.xz,c.;c.;d.c;d;ssssss.pptx
Statistics5,c.xz,c.;c.;d.c;d;ssssss.pptx
coc7987515756
 
一比一原版(AIS毕业证)奥克兰商学院毕业证成绩单如何办理
一比一原版(AIS毕业证)奥克兰商学院毕业证成绩单如何办理一比一原版(AIS毕业证)奥克兰商学院毕业证成绩单如何办理
一比一原版(AIS毕业证)奥克兰商学院毕业证成绩单如何办理
eygkup
 
Kaizen SMT_MI_PCBA for Quality Engineerspptx
Kaizen SMT_MI_PCBA for Quality EngineerspptxKaizen SMT_MI_PCBA for Quality Engineerspptx
Kaizen SMT_MI_PCBA for Quality Engineerspptx
vaibhavsrivastava482521
 
AadiShakti Projects ( Asp Cranes ) Raipur
AadiShakti Projects ( Asp Cranes ) RaipurAadiShakti Projects ( Asp Cranes ) Raipur
AadiShakti Projects ( Asp Cranes ) Raipur
AadiShakti Projects
 
一比一原版(AUT毕业证)奥克兰理工大学毕业证成绩单如何办理
一比一原版(AUT毕业证)奥克兰理工大学毕业证成绩单如何办理一比一原版(AUT毕业证)奥克兰理工大学毕业证成绩单如何办理
一比一原版(AUT毕业证)奥克兰理工大学毕业证成绩单如何办理
mymwpc
 
Digital Fleet Management - Why Your Business Need It?
Digital Fleet Management - Why Your Business Need It?Digital Fleet Management - Why Your Business Need It?
Digital Fleet Management - Why Your Business Need It?
jennifermiller8137
 
5 Warning Signs Your Mercedes Exhaust Back Pressure Sensor Is Failing
5 Warning Signs Your Mercedes Exhaust Back Pressure Sensor Is Failing5 Warning Signs Your Mercedes Exhaust Back Pressure Sensor Is Failing
5 Warning Signs Your Mercedes Exhaust Back Pressure Sensor Is Failing
Fifth Gear Automotive Argyle
 
Hero Glamour Xtec Brochure | Hero MotoCorp
Hero Glamour Xtec Brochure | Hero MotoCorpHero Glamour Xtec Brochure | Hero MotoCorp
Hero Glamour Xtec Brochure | Hero MotoCorp
Hero MotoCorp
 

Recently uploaded (20)

Things to remember while upgrading the brakes of your car
Things to remember while upgrading the brakes of your carThings to remember while upgrading the brakes of your car
Things to remember while upgrading the brakes of your car
 
TRAINEES-RECORD-BOOK- electronics and electrical
TRAINEES-RECORD-BOOK- electronics and electricalTRAINEES-RECORD-BOOK- electronics and electrical
TRAINEES-RECORD-BOOK- electronics and electrical
 
What Could Cause The Headlights On Your Porsche 911 To Stop Working
What Could Cause The Headlights On Your Porsche 911 To Stop WorkingWhat Could Cause The Headlights On Your Porsche 911 To Stop Working
What Could Cause The Headlights On Your Porsche 911 To Stop Working
 
5 Red Flags Your VW Camshaft Position Sensor Might Be Failing
5 Red Flags Your VW Camshaft Position Sensor Might Be Failing5 Red Flags Your VW Camshaft Position Sensor Might Be Failing
5 Red Flags Your VW Camshaft Position Sensor Might Be Failing
 
一比一原版(Columbia文凭证书)哥伦比亚大学毕业证如何办理
一比一原版(Columbia文凭证书)哥伦比亚大学毕业证如何办理一比一原版(Columbia文凭证书)哥伦比亚大学毕业证如何办理
一比一原版(Columbia文凭证书)哥伦比亚大学毕业证如何办理
 
What do the symbols on vehicle dashboard mean?
What do the symbols on vehicle dashboard mean?What do the symbols on vehicle dashboard mean?
What do the symbols on vehicle dashboard mean?
 
Empowering Limpopo Entrepreneurs Consulting SMEs.pptx
Empowering Limpopo Entrepreneurs  Consulting SMEs.pptxEmpowering Limpopo Entrepreneurs  Consulting SMEs.pptx
Empowering Limpopo Entrepreneurs Consulting SMEs.pptx
 
一比一原版(WashU文凭证书)圣路易斯华盛顿大学毕业证如何办理
一比一原版(WashU文凭证书)圣路易斯华盛顿大学毕业证如何办理一比一原版(WashU文凭证书)圣路易斯华盛顿大学毕业证如何办理
一比一原版(WashU文凭证书)圣路易斯华盛顿大学毕业证如何办理
 
What Is Recruitment Processing Outsourcing (RPO) Services?
What Is Recruitment Processing Outsourcing (RPO) Services?What Is Recruitment Processing Outsourcing (RPO) Services?
What Is Recruitment Processing Outsourcing (RPO) Services?
 
一比一原版(UNITEC毕业证)UNITEC理工学院毕业证成绩单如何办理
一比一原版(UNITEC毕业证)UNITEC理工学院毕业证成绩单如何办理一比一原版(UNITEC毕业证)UNITEC理工学院毕业证成绩单如何办理
一比一原版(UNITEC毕业证)UNITEC理工学院毕业证成绩单如何办理
 
What Are The Immediate Steps To Take When The VW Temperature Light Starts Fla...
What Are The Immediate Steps To Take When The VW Temperature Light Starts Fla...What Are The Immediate Steps To Take When The VW Temperature Light Starts Fla...
What Are The Immediate Steps To Take When The VW Temperature Light Starts Fla...
 
Skoda Octavia Rs for Sale Perth | Skoda Perth
Skoda Octavia Rs for Sale Perth | Skoda PerthSkoda Octavia Rs for Sale Perth | Skoda Perth
Skoda Octavia Rs for Sale Perth | Skoda Perth
 
Statistics5,c.xz,c.;c.;d.c;d;ssssss.pptx
Statistics5,c.xz,c.;c.;d.c;d;ssssss.pptxStatistics5,c.xz,c.;c.;d.c;d;ssssss.pptx
Statistics5,c.xz,c.;c.;d.c;d;ssssss.pptx
 
一比一原版(AIS毕业证)奥克兰商学院毕业证成绩单如何办理
一比一原版(AIS毕业证)奥克兰商学院毕业证成绩单如何办理一比一原版(AIS毕业证)奥克兰商学院毕业证成绩单如何办理
一比一原版(AIS毕业证)奥克兰商学院毕业证成绩单如何办理
 
Kaizen SMT_MI_PCBA for Quality Engineerspptx
Kaizen SMT_MI_PCBA for Quality EngineerspptxKaizen SMT_MI_PCBA for Quality Engineerspptx
Kaizen SMT_MI_PCBA for Quality Engineerspptx
 
AadiShakti Projects ( Asp Cranes ) Raipur
AadiShakti Projects ( Asp Cranes ) RaipurAadiShakti Projects ( Asp Cranes ) Raipur
AadiShakti Projects ( Asp Cranes ) Raipur
 
一比一原版(AUT毕业证)奥克兰理工大学毕业证成绩单如何办理
一比一原版(AUT毕业证)奥克兰理工大学毕业证成绩单如何办理一比一原版(AUT毕业证)奥克兰理工大学毕业证成绩单如何办理
一比一原版(AUT毕业证)奥克兰理工大学毕业证成绩单如何办理
 
Digital Fleet Management - Why Your Business Need It?
Digital Fleet Management - Why Your Business Need It?Digital Fleet Management - Why Your Business Need It?
Digital Fleet Management - Why Your Business Need It?
 
5 Warning Signs Your Mercedes Exhaust Back Pressure Sensor Is Failing
5 Warning Signs Your Mercedes Exhaust Back Pressure Sensor Is Failing5 Warning Signs Your Mercedes Exhaust Back Pressure Sensor Is Failing
5 Warning Signs Your Mercedes Exhaust Back Pressure Sensor Is Failing
 
Hero Glamour Xtec Brochure | Hero MotoCorp
Hero Glamour Xtec Brochure | Hero MotoCorpHero Glamour Xtec Brochure | Hero MotoCorp
Hero Glamour Xtec Brochure | Hero MotoCorp
 

Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and Communications

  • 8. Wide-angle overview of connected car entry points
  Wired
  ● OBD-II Port
  ● Network harness connectors
  ● Diagnostic Port
  ● On-board vehicle networks (e.g., CAN, FlexRay, Ethernet, MOST)
  ● CD/DVD player
  ● Vehicle Charging Port
  Wireless
  ● Short range
  ○ Radio Frequency (e.g., TPMS, KES)
  ○ Near-field communications
  ○ Wi-Fi
  ○ Bluetooth
  ○ Dedicated short range communications
  ● Long range
  ○ GPS receiver
  ○ GSM / CDMA
  ○ LTE
  Source: McCarthy, C., Harnett, K., & Carter, A. (2014, October). Characterization of potential security threats in modern automobiles: A composite modeling approach (Report No. DOT HS 812 074). Washington, DC: National Highway Traffic Safety Administration.
  • 10. Mobile platforms are vulnerable
  ● Google Android: 523 disclosed vulnerabilities (CVEs) in 2016; 691 CVEs over its lifetime (2009-2016)
  http://www.cvedetails.com/product/19997/Google-Android.html?vendor_id=1224
  ● Apple iOS: 161 disclosed vulnerabilities (CVEs) in 2016; 984 CVEs over its lifetime (2007-2016)
  http://www.cvedetails.com/product/15556/Apple-Iphone-Os.html?vendor_id=49
  • 11. And OS security updates are a problem
  [Chart: Android OS version distribution a/o March 6, 2017, https://developer.android.com/about/dashboards/index.html. Shares shown: 31.3%, 32.5%, 20.8%, 10.6%, 2.8%, 1.0%, 1.0% (version labels not preserved in this transcript)]
  [Chart: iOS version distribution a/o February 20, 2017, https://developer.apple.com/support/app-store/ (values not preserved in this transcript)]
  • 12. And mobile apps are vulnerable
  ● Android: 21% of apps had ≥1 high-risk security finding; 2.36 high-risk findings per app among apps with ≥1 high-risk finding
  ● iOS: 19% of apps had ≥1 high-risk security finding; 4.22 high-risk findings per app among apps with ≥1 high-risk finding
  • 13. Example: Potential vulnerability in automaker apps
  ● Performed dynamic/static analysis of 10 popular automotive apps for Android
  ○ Apps published on Google Play by automakers
  ○ Remote start, media center, and other typical connected-car functionality
  ● Three apps included a vulnerable version of a third-party library
  ○ OkHttp – an open-source library for sending and receiving HTTP requests
  ○ Vulnerable versions are those prior to 2.7.2 and 3.x prior to 3.1.2
  ● The problem
  ○ A man-in-the-middle attacker can bypass certificate pinning via CVE-2016-2402: the affected CertificatePinner checked the configured pins against the certificate chain as presented by the server rather than the chain the platform trust manager actually validated, so an attacker holding a certificate from any CA the device trusts could append the pinned certificate to the chain and pass the pin check
  ○ https://koz.io/pinning-cve-2016-2402/
  ● Next step = confirming whether the app relies on that version for certificate pinning (a bundled vulnerable library is only a finding once the app's pinning actually goes through it)
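The library-version check that slide 13 describes, as an added example that is not code from the original deck or from NowSecure. It opens an APK as a zip, scans each classes*.dex for OkHttp's default User-Agent constant ("okhttp/<major>.<minor>.<patch>") and for the CertificatePinner class descriptor, and compares the version it finds against the CVE-2016-2402 range given on the slide (before 2.7.2, and 3.x before 3.1.2). Using the User-Agent string as the version indicator and the class descriptor as a usage indicator is a heuristic assumed here, not something the slide states; the sample APK is constructed in memory and contains no real app code.

```python
"""Static triage of a bundled OkHttp version against CVE-2016-2402.

Added example (not from the original slides or from NowSecure).
Assumptions, labelled: OkHttp embeds its version in the default
User-Agent string "okhttp/x.y.z", and the CertificatePinner type
descriptor appears in the dex string table when the class is used.
Both are heuristics; obfuscation can rename the class, so a miss on
the descriptor is not proof that pinning is absent.
"""
import re
import zipfile
from io import BytesIO
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Default User-Agent constant used by OkHttp 2.x and 3.x.
USER_AGENT_RE = re.compile(rb"okhttp/(\d+)\.(\d+)\.(\d+)")

# Dex descriptors for the pinning class in the 2.x and 3.x packages.
PINNER_DESCRIPTORS = (
    b"Lcom/squareup/okhttp/CertificatePinner;",
    b"Lokhttp3/CertificatePinner;",
)


def is_vulnerable(v: Version) -> bool:
    """Affected range from the slide: before 2.7.2, and 3.x before 3.1.2."""
    return v < (2, 7, 2) or (3, 0, 0) <= v < (3, 1, 2)


def scan_dex(dex: bytes) -> Tuple[List[Version], bool]:
    """Return OkHttp versions named in one dex file and whether it references CertificatePinner."""
    versions = {tuple(int(x) for x in m.groups()) for m in USER_AGENT_RE.finditer(dex)}
    uses_pinner = any(d in dex for d in PINNER_DESCRIPTORS)
    return sorted(versions), uses_pinner


def assess_apk(apk: bytes) -> Dict[str, object]:
    """Triage an APK (zip bytes) and return versions, affected versions and a status."""
    versions: set = set()
    uses_pinner = False
    with zipfile.ZipFile(BytesIO(apk)) as zf:
        for name in zf.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                found, pins = scan_dex(zf.read(name))
                versions.update(found)
                uses_pinner = uses_pinner or pins
    vulnerable = sorted(v for v in versions if is_vulnerable(v))
    if not versions:
        status = "no-okhttp"
    elif vulnerable and uses_pinner:
        # Old library and the pinner class is present: likely exposed,
        # but only a MITM test against the running app confirms it.
        status = "confirm-dynamically"
    elif vulnerable:
        # Old library, no sign of pinning: CVE-2016-2402 may not apply.
        status = "vulnerable-version"
    else:
        status = "fixed"
    return {
        "versions": sorted(versions),
        "vulnerable": vulnerable,
        "uses_pinner": uses_pinner,
        "status": status,
    }


def build_sample_apk(dex_payload: bytes) -> bytes:
    """Constructed stand-in for an APK: a zip holding one fake classes.dex."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", dex_payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: an app shipping OkHttp 2.7.1 and referencing the pinner.
    sample = build_sample_apk(
        b"\x00okhttp/2.7.1\x00Lcom/squareup/okhttp/CertificatePinner;\x00"
    )
    result = assess_apk(sample)
    print(result)
    # Non-zero exit lets a build server use this as a release gate.
    raise SystemExit(1 if result["status"] != "fixed" else 0)
```

The three-way status mirrors the slide's caveat: "vulnerable-version" is the automated finding, "confirm-dynamically" is the next step (intercept the app's TLS traffic with a certificate from a CA the test device trusts, with the pinned certificate appended to the chain, and see whether the app still connects). Because the script exits non-zero on anything other than "fixed", it can run on each build in the CI/CD toolchain and feed the issue tracker, which is the kind of per-build check the later slides call for.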
  • 14. The roots of the mobile security problem
  ● Developers aren't trained in developing secure mobile apps
  ● Mobile app security is assumed (if it's considered at all)
  ● Time and budget are not committed to mobile app security
  ● Tools that identify mobile security flaws aren't kept up-to-date
  • 15. Making software secure prior to launch
  • 16. Developing with security in mind saves you money & time
  [Chart: cost of fixing a defect across the phases Requirements/Architecture, Coding, Integration/Component Testing, System/Acceptance Testing, Production/Post-Release]
  Fixing software defects is 30x more expensive post-deployment
  • 17. NHTSA crash tests vs. mobile app security tests
  NHTSA crash tests
  ● Side barrier crash test
  ● Side pole crash test
  ● Frontal crash test
  ● Rollover resistance test
  Mobile app security tests
  ● Forensics / data-storage tests
  ● Network / communications tests
  ● Back-end services tests
  ● Reverse-engineering tests
  • 18. Shift security testing to the left
  • 19. Crucial aspects of building security into the SDLC
  ● Document app security policies
  ● Code using secure development best practices
  ● Perform automated security assessments on each build
  ● Perform penetration testing on each release candidate
  ● Deploy more secure apps to production
  • 20. Document app security policies
  ● Establish cross-departmental buy-in
  ● Agree to adhere to a set of app security standards (and issues that block release)
  ● Explain how apps will be audited against those policies
  Code using secure development best practices
  ● Provide documentation of secure development best practices to developers
  ● Educate developers on secure coding practices and how flaws put the business at risk
  ● Provide feedback to developers when they need it (i.e., when their "heads are in the code")
  • 21. Perform automated security assessments continually
  ● Work with your DevOps team to integrate it into developers' existing workflow
  ● Plug into build servers and the continuous integration/continuous delivery (CI/CD) toolchain
  ● Populate issue trackers with security findings
  Perform penetration testing on release candidates
  ● Test an application from the perspective of an attacker
  ● Give a human free rein to apply their creativity and ingenuity in trying to compromise an app
  ● Create a checklist and use tools that support consistent reporting
  • 22. Also consider third-party apps that hook into connected cars
  • 23. Let's Talk
  Contact information: Jeff Nolan // VP Marketing, (650) 549-4062, jnolan@nowsecure.com
  NowSecure, +1 312.878.1100, @NowSecureMobile, www.nowsecure.com
  Subscribe to #MobSec5, a collection of the week's mobile news that matters: https://www.nowsecure.com/go/subscribe