Security Best Practices
MOBILE APPS
<CodeRed> Talks
Kadhambari Anbalagan, Software Architect
5:00pm Monday, 8 April, 2017
RedBlackTree Terrace
What do the statistics say?
Popular Free App Findings
Among the top 20 free apps, 80% of Android and 75% of iOS apps have been subjected to hacking.
Top Paid Apps Findings
Research reveals that among the top 100 paid apps, 97% of Android and 87% of iOS apps have been
subjected to hacking.
Reason?
Apps that we build are insecure
Mobile App Security Issues
• Improper platform usage
• Insecure data
• Insecure communication
• Insecure authentication
• Insufficient cryptography
• Insecure authorization
• Code quality issues
• Code tampering
• Reverse engineering
• Extraneous functionality
Improper Platform Usage
Misuse of a platform feature, or failure to use the platform's security controls, on the Android or iOS
operating system
What can happen?
1. Improper implementation of Android Intents - data leakage, restricted functions being called and
program flow being manipulated
2. Relying on the Keychain for secure data storage - in several scenarios the keychain can be compromised
and its contents decrypted
Best Practices
• Know your platform well
• Use intents carefully
• Use the keychain carefully
Insecure Data
Vulnerabilities that leak personal information and provide access to hackers
Report By NowSecure:
1 in 10 mobile apps leaks private, sensitive data such as email, username or password.
Best Practices
• When possible, do not store/cache data
• Implement secure data storage
• Securely store data only in RAM
• Encrypt using verified third-party libraries
Insecure Communication
Communication sent in clear text, as well as other insecure transmission methods.
Real World Example:
Best Practices
• Implement secure transmission of sensitive data
• Use SSL/TLS, or for increased security implement certificate pinning
• Leverage app layer encryption to protect user data
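As an added example (not code from the deck), the weak and the corrected client TLS configuration side by side, plus a pin check layered on top of normal certificate validation. It uses Python's standard `ssl` module; the pin format (base64 of the SHA-256 of the leaf certificate's DER bytes) and the function names are assumptions for this example, not a platform API. The pinning helpers are exercised on constructed bytes so the example runs offline; `connect_pinned` performs real network I/O and is shown for completeness.

```python
import base64
import hashlib
import hmac
import socket
import ssl
from typing import Iterable, List


def insecure_context() -> ssl.SSLContext:
    """The weak configuration, shown only as the 'before': no certificate
    validation and no hostname check, so any interposed server is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The corrected configuration: system trust store, certificate required,
    hostname checked, and nothing older than TLS 1.2 negotiated."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings a reviewer cares about, as plain values."""
    return {
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
        "minimum_version": ctx.minimum_version.name,
    }


def certificate_pin(der_certificate: bytes) -> str:
    """Pin value: base64(SHA-256(DER)). Assumed format for this example. It pins
    the whole leaf certificate, so the pin set must be updated on every renewal."""
    return base64.b64encode(hashlib.sha256(der_certificate).digest()).decode("ascii")


def pin_matches(der_certificate: bytes, pinned: Iterable[str]) -> bool:
    """True if the presented certificate matches any pin in the set (a backup pin
    for the next certificate is normally kept alongside the current one)."""
    presented = certificate_pin(der_certificate)
    return any(hmac.compare_digest(presented, p) for p in pinned)


def connect_pinned(host: str, port: int, pinned: List[str]) -> str:
    """Open a TLS connection, then enforce the pin on top of CA validation.
    Does real network I/O, so it is not part of the offline checks."""
    ctx = hardened_context()
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            if not pin_matches(tls.getpeercert(binary_form=True), pinned):
                raise ssl.SSLError(f"certificate pin mismatch for {host}")
            return tls.version()
```

Pinning the whole leaf certificate is the simplest form; production apps usually pin the public key (SPKI) and ship a backup pin, which on Android can be declared in the Network Security Config rather than in code. Either way the pin check only adds value if normal certificate and hostname validation stays on, which is why the hardened context is built first.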
Insecure Authentication
Inability to securely identify a user and maintain that user's identity
Real World Example:
Best Practices
• Use token-based authentication
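An added example of what "token-based authentication" looks like on the backend (this is illustrative code, not the deck's): the server issues a short-lived token whose claims are protected by an HMAC, and verifies it on each request without keeping session state. The token layout (`base64url(claims).base64url(HMAC-SHA256)`), the claim names `sub` and `exp`, the lifetime and the constructed secret are all assumptions for this example; the signing key must live only on the server, never in the app.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for this example. In a real deployment the signing key lives
# only on the backend (e.g. in a secrets manager), never inside the app binary.
SERVER_SECRET = b"constructed-example-signing-key"
TOKEN_LIFETIME_SECONDS = 15 * 60


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, now: Optional[float] = None) -> str:
    """Issue `base64url(claims).base64url(HMAC-SHA256(claims))` with a short expiry.
    The server stores nothing; it re-derives the MAC on every request."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "exp": int(now) + TOKEN_LIFETIME_SECONDS}
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    tag = hmac.new(SERVER_SECRET, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + b64url_encode(tag)


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id from a token that is authentic and unexpired, else None.
    The MAC is checked (in constant time) before the claims are parsed, so
    attacker-controlled JSON is never interpreted."""
    now = time.time() if now is None else now
    try:
        body, tag_text = token.split(".", 1)
        presented = b64url_decode(tag_text)
        expected = hmac.new(SERVER_SECRET, body.encode("ascii"), hashlib.sha256).digest()
    except ValueError:          # wrong shape, non-ASCII, or invalid base64
        return None
    if not hmac.compare_digest(presented, expected):
        return None             # forged or modified token
    try:
        claims = json.loads(b64url_decode(body).decode("utf-8"))
    except ValueError:          # includes UnicodeDecodeError and JSONDecodeError
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] <= now:
        return None             # expired: the client must authenticate again
    return claims.get("sub")
```

The client keeps the opaque token and sends it with each request; it never sends the password again, and because the expiry is inside the authenticated part of the token, a client cannot extend its own session by editing it.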
Insufficient Cryptography
• The process behind encryption and decryption may allow a hacker to decrypt sensitive data.
• The algorithm behind encryption and decryption may itself be weak.
Vulnerable?
• Poor key management processes
• Use of custom encryption protocols
• Use of insecure algorithms
Best Practices
• Implement secure data storage
• Avoid custom encryption methods; use proven encryption algorithms and methods
• Avoid storage of sensitive information on mobile
• Follow NIST guidelines on recommended algorithms
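One concrete instance of "insecure algorithm" versus "proven algorithm", added here as an illustration rather than taken from the deck: storing user credentials. The weak form is a fast unsalted hash (MD5); the corrected form is PBKDF2-HMAC-SHA256, the password-based key derivation function specified in NIST SP 800-132, with a random per-password salt and a self-describing record so the iteration count can be raised later. The record format and the iteration count are assumptions for this example (OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations); everything else is Python's standard library.

```python
import hashlib
import hmac
import os
from typing import Optional


def weak_hash_password(password: str) -> str:
    """The pattern the slide warns against: fast, unsalted, general-purpose hash.
    Identical passwords give identical digests and MD5 is cheap to brute-force."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Assumed policy for this example; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record `scheme$iterations$salt$digest`, so the
    parameters can change without invalidating records already stored."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)           # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored parameters and compare in constant time."""
    try:
        scheme, iterations_text, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations_text)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:                          # malformed record: deny
        return False
    if scheme != SCHEME or iterations < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, minimum_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a stored record is below current policy and should be re-hashed
    at the user's next successful login (the only time the plaintext is available)."""
    try:
        scheme, iterations_text, _salt, _digest = record.split("$")
        return scheme != SCHEME or int(iterations_text) < minimum_iterations
    except ValueError:
        return True
```

The same "proven algorithm, sound key management" rule applies to data at rest on the device: an AES key derived or stored properly (platform keystore, or a key derived with a KDF from a user secret) rather than a fixed key compiled into the app.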
Insecure Authorization
Failure of a server to properly enforce identity and permissions as stated by the mobile app
Best Practices
• Verify the roles and permissions of the authenticated user using only information contained in
backend systems. Avoid relying on any roles or permission information that comes from the
mobile device itself
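The best practice above, as an added backend example (illustrative code, not the deck's): the vulnerable handler trusts a `role` field the mobile client put in the request, while the hardened handler ignores the request body entirely and looks the role up in backend state under the authenticated identity. The role store, permission matrix, field names and user names are constructed for this example.

```python
from typing import Dict, Optional, Set, Tuple

# Constructed backend data: the authoritative role of each authenticated user and
# the permissions each role grants. Both live server-side only.
BACKEND_ROLES: Dict[str, str] = {"alice": "admin", "bob": "user"}
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "admin": {"read", "write", "delete"},
    "user": {"read"},
}


def authorize_insecure(request: dict, action: str) -> bool:
    """Vulnerable pattern: the role is read from the request body the app sent,
    so a modified client or an intercepting proxy can simply claim 'admin'."""
    role = request.get("role", "user")
    return action in ROLE_PERMISSIONS.get(role, set())


def authorize_secure(authenticated_user: Optional[str], action: str) -> bool:
    """Hardened pattern: the role is looked up in backend state under the identity
    established at authentication. Nothing in the request body is consulted."""
    if authenticated_user is None:
        return False                                   # unauthenticated: nothing allowed
    role = BACKEND_ROLES.get(authenticated_user)
    if role is None:
        return False                                   # unknown user: deny by default
    return action in ROLE_PERMISSIONS.get(role, set())


def handle_request(authenticated_user: Optional[str], request: dict) -> Tuple[int, str]:
    """Request handler applying the hardened check. `action` and `resource` are
    assumed field names for this example; a `role` field is ignored if present."""
    action = request.get("action", "")
    if not authorize_secure(authenticated_user, action):
        return 403, f"forbidden: {authenticated_user!r} may not {action!r}"
    return 200, f"{action} on {request.get('resource', '?')} by {authenticated_user}"
```

The difference is where the decision's inputs come from, not how elaborate the check is: anything the device sends (role flags, "isPremium" booleans, hidden form fields) is under the user's control, and authorization that reads them is really self-authorization.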
Client Code Quality
Risks that come from vulnerabilities like buffer overflows, format string vulnerabilities and various code level mistakes
Real World Example:
Vitamio SDK: used in thousands of mobile apps, with millions of app downloads.
In another instance, a high-risk man-in-the-middle vulnerability was identified in one of the third-party libraries used in an app.
What to do?
• Avoid third-party libraries with high-risk flaws
• Maintain consistent coding patterns
• Write well-documented and easily readable code
• Identify buffer overflows and memory leaks automatically, using third-party static analysis tools
Code Tampering
Attackers modify an app or install a backdoor in it, re-sign it, and publish the malicious version to
third-party app marketplaces.
Popular Example:
What to Do?
• Implement anti-tampering techniques such as checksums, digital signatures and other validation
mechanisms to help detect file tampering
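The checksum approach from the bullet above, as an added example (not the deck's code): a release-time manifest of SHA-256 digests for every packaged entry, and a check that reports what was modified, removed or added in an installed copy. The package contents, entry names and manifest format are constructed for this example.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed stand-in for a packaged app: entry name -> file bytes.
RELEASE_PACKAGE: Dict[str, bytes] = {
    "classes.dex": b"dex\n035\x00constructed-bytecode",
    "assets/config.json": b'{"api":"https://api.example.invalid"}',
    "lib/arm64-v8a/libnative.so": b"\x7fELFconstructed-native-library",
}


def build_manifest(package: Dict[str, bytes]) -> Dict[str, str]:
    """Record a SHA-256 digest for every entry at release time. The manifest itself
    must be protected (covered by the platform's app signature, or fetched from the
    backend over TLS), otherwise an attacker simply regenerates it after patching."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(package.items())}


def find_tampering(package: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Compare an installed package against the release manifest and report entries
    that were modified, removed, or added. An empty list means it matches."""
    findings: List[str] = []
    for name, expected in manifest.items():
        data = package.get(name)
        if data is None:
            findings.append(f"missing:{name}")
            continue
        actual = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(actual, expected):
            findings.append(f"modified:{name}")
    for name in package:
        if name not in manifest:
            findings.append(f"unexpected:{name}")   # injected library or resource
    return sorted(findings)


def package_is_intact(package: Dict[str, bytes], manifest: Dict[str, str]) -> bool:
    return not find_tampering(package, manifest)
```

A check that runs inside the app is one layer only: whoever re-signs the package can also patch the check out, so on platforms that offer it the stronger control is server-side, with the backend verifying the app's signing identity or a platform attestation before serving sensitive functionality.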
Reverse Engineering
Analysis of a final binary to determine its source code, libraries, algorithms and more.
Real World Example:
Hackers decompiled a mobile app and recompiled it so they did not have to pay for premium content.
What to Do?
• Increase code complexity and use obfuscation
Extraneous Functionality
• Developers frequently include hidden backdoors or security controls they do not plan on releasing
into production
• This error creates risk when a feature is released to the wild that was never intended to be shared
Real World example:
What to do?
• Carefully manage debug logs
• Clean coding practices
Thank You
