OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
Mobile Application Security – Effective Methodology, Effective Testing!
Who Am I?
•  Hemil Shah – hemil@blueinfy.net
•  Co-CEO & Director, Blueinfy Solutions
•  Past experience
–  eSphere Security, HBO, KPMG, IL&FS, Net Square
•  Interest
–  Web and mobile security research
•  Published research
–  Articles / Papers – Packstroem, etc.
–  Web Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.
–  Mobile Tools – FSDroid, iAppliScan, DumpDroid
hemil@blueinfy.com
http://www.blueinfy.com
Blog – http://blog.blueinfy.com/
About
• Global experience – worked with clients based in USA, UAE, Europe and Asia-Pac.
• Clients/Partners include Fortune 100 companies.
• Delivery model and support
• Blackbox and Whitebox – Scanners and Code Analyzers
• Scanning tools and technology (15 years)
• Strong and tested with Fortune clients
• Integrated in SDLC
• Help clients in mitigating or lowering the risk by improving process
• In-house R&D team for the last 7 years
• Papers and presentations at conferences like RSA, Blackhat, HITB, OWASP etc.
• Books written and used as security guides
(Diagram labels: Know-How, Methods & Approach, Global Delivery & Team, Technology, Application Security)
Ø BBC
Ø Dark Reading
Ø Bank Technology
Ø SecurityWeek
Ø MIT Technology Review
Enterprise Technology Trend
•  2007. Web services would rocket from $1.6
billion in 2004 to $34 billion. [IDC]
•  2008. Web Services or Service-Oriented
Architecture (SOA) would surge ahead.
[Gartner]
•  2009. Enterprise 2.0 in action and
penetrating deeper into the corporate
environment
•  2010. Flex/HTML5/Cloud/API
•  2012. HTML5/Mobile era.
Past, Present and Future
(Timeline figure; only the labels "Cloud", "2010" and "Focus" survive extraction.)
Mobile Infrastructure
(Network diagram; labels visible: Internet, firewall, router, DMZ, www, mail, VPN, RAS, Dial-up, intranet, Exchange, Database, Other Offices.)
Mobile App Environment
(Architecture diagram: Mobile client – SOAP/JSON etc. – Web Services; zones Internet / DMZ / Trusted / Internal-Corporate.)
Tiers shown:
– Web Server – static pages only (HTML, HTM, etc.)
– Scripted Web Engine – dynamic pages (ASP, DHTML, PHP, CGI, etc.)
– Application Servers and Integrated Framework – ASP.NET on .Net Framework, J2EE App Server, Web Services, etc.
– DB
Mobile Apps
Gartner Statistics
Mobile Changes
•  Application Infrastructure
Changing dimension | Web | Mobile
(AI1) Protocols | HTTP & HTTPS | JSON, SOAP, REST etc. over HTTP & HTTPS
(AI2) Information structures | HTML transfer | JSON, JS objects, XML, etc.
(AI3) Technology | Java, DotNet, PHP, Python and so on | Cocoa, Java with platform SDKs, HTML5
(AI4) Information store/process | Mainly on server side | Client and server side
Mobile Changes
•  Security Threats
Changing dimension | Web | Mobile
(T1) Entry points | Structured | Scattered and multiple
(T2) Dependencies | Limited | Multiple technologies; information sources; protocols
(T3) Vulnerabilities | Server side [typical injections] | Web services [payloads]; client side [local storage]
(T4) Exploitation | Server side exploitation | Both server and client side exploitation
Black Review flow
•  Architecture Review
•  Scoping
•  Server Side Application Footprinting
•  Mobile Application Footprinting
•  Application Threat Modeling
•  Application Deployment Assessment
•  Application Enumeration and Profiling
•  Application Discovery
•  Vulnerability Assessment
•  Mitigation Strategies
Application Security checks – Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage, Error handling, Session management, Protocol abuse, Input validation, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto, Denial of Service, Malicious Code Injection, SQL injection, XPATH and LDAP injection, OS command injection, Parameter manipulation, Brute force, Buffer Overflow, Format string, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing.
Mobile and Device Security checks
• Insecure storage
• Insecure network communication – carrier network security and WiFi network attacks
• Unauthorized dialing and SMS
• UI impersonation/spoofing
• Activity monitoring and data retrieval
• Sensitive data leakage
• Hardcoded passwords/keys
• Language issues
• Timely application updates
• Jailbreaking/physical device theft
• Keyboard cache/clipboard issues
• Reading information from SQLite databases
• Insecure protocol handler implementation
• And a few other loopholes
•  Reporting
Insecure Storage
Insecure Storage
•  Why applications need to store data
– Ease of use for the user
– Popularity
– Competition
– Activity with a single click
– Decreased transaction time
– Posting/getting information to/from social sites
•  9 out of 10 applications have this vulnerability
Insecure Storage
•  How an attacker can gain access
– WiFi
– Default root password after jailbreaking (alpine)
– Physical theft
– Temporary access to the device
Insecure Storage
•  What information we usually find
– Authentication credentials
– Authorization tokens
– Financial statements
– Credit card numbers
– Owner's information – physical address, name, phone number
– Social networking site profiles/habits
– SQL queries
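The slide lists what turns up in a sandbox; the scanner below is an added example (not code from the talk or from Blueinfy) that looks for exactly those items in the two places they usually live on iOS: NSUserDefaults-style plists under Library/Preferences and SQLite files under Documents. It assumes the sandbox has already been copied off the device into a local directory (for instance over SSH from a jailbroken phone); the key-name list is a hypothetical starting point, and build_sample_sandbox() fabricates the test data.

```python
"""Added example (not from the talk): scan a pulled-off app sandbox for the
credential, token and card-number data the slide lists, left behind in
plists and SQLite stores. Key-name list and sample data are constructed."""
import os
import plistlib
import re
import sqlite3
import tempfile

# Key/column names that usually hold secrets (hypothetical starting list).
SENSITIVE_KEYS = re.compile(
    r"pass(word|wd)?|pwd|secret|token|session|auth|api[_-]?key|card|\bpan\b|cvv",
    re.IGNORECASE,
)
# Runs of 13-19 digits are Luhn-checked so card numbers are caught whatever
# the field is called.
CARD_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_sensitive(key, value):
    """Flag on the key name, or on a Luhn-valid card number in the value."""
    if SENSITIVE_KEYS.search(str(key)):
        return True
    return any(luhn_ok(m) for m in CARD_RE.findall(str(value)))


def scan_plist(path):
    """Walk a plist (NSUserDefaults is Library/Preferences/<bundle>.plist)."""
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    hits = []

    def walk(node, keypath):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, keypath + "/" + str(k))
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, "%s[%d]" % (keypath, i))
        elif is_sensitive(keypath.rsplit("/", 1)[-1], node):
            hits.append((path, keypath, str(node)))

    walk(data, "")
    return hits


def scan_sqlite(path):
    """Read every column of every table and apply the same test."""
    hits = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in con.execute('PRAGMA table_info("%s")' % table)]
            for row in con.execute('SELECT * FROM "%s"' % table):
                for col, val in zip(cols, row):
                    if val is not None and is_sensitive(col, val):
                        hits.append((path, "%s.%s" % (table, col), str(val)))
    finally:
        con.close()
    return hits


def scan_sandbox(root):
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(".plist"):
                hits.extend(scan_plist(full))
            elif name.endswith((".sqlite", ".sqlite3", ".db")):
                hits.extend(scan_sqlite(full))
    return hits


def build_sample_sandbox():
    """Constructed sample data (not a real app): a preferences plist with
    cached credentials and a SQLite cache holding a card number."""
    root = tempfile.mkdtemp(prefix="sandbox_")
    prefs = os.path.join(root, "Library", "Preferences")
    docs = os.path.join(root, "Documents")
    os.makedirs(prefs)
    os.makedirs(docs)
    with open(os.path.join(prefs, "com.example.bank.plist"), "wb") as fh:
        plistlib.dump({"username": "alice", "password": "hunter2",
                       "auth_token": "tok_1234abcd", "theme": "dark"}, fh)
    con = sqlite3.connect(os.path.join(docs, "cache.sqlite"))
    con.execute("CREATE TABLE payments(id INTEGER, holder TEXT, number TEXT, memo TEXT)")
    con.execute("INSERT INTO payments VALUES (1, 'alice', '4111111111111111', 'rent')")
    con.execute("INSERT INTO payments VALUES (2, 'alice', 'n/a', 'groceries')")
    con.commit()
    con.close()
    return root


if __name__ == "__main__":
    for path, where, value in scan_sandbox(build_sample_sandbox()):
        print("%s  %s = %s" % (path, where, value))
```

The Luhn check matters in practice: card numbers are routinely cached under innocent column names ("number", "ref"), so a key-name match alone misses them. Binary plists are handled by plistlib transparently; Core Data stores are ordinary SQLite files and are covered by the same walker.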
Local file access
Insecure Network Communication
Insecure Network Channel
•  Easy to perform MitM attacks, as mobile devices use untrusted networks, i.e. open/public WiFi, hotspots, the carrier's network
•  Applications deal with sensitive data, i.e.
– Authentication credentials
– Authorization tokens
– PII (privacy violation) – owner name, phone number, UDID
Insecure Network Channel
•  An attacker can sniff the traffic to get access to sensitive data
•  SSL is the best way to secure the communication channel
•  Common issues
– Does not deprecate HTTP requests (plain HTTP is still accepted alongside HTTPS)
– Allowing invalid certificates
– Sensitive information in GET requests
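The three issues above are what a tester reads off a proxy capture. The script below is an added example, not from the talk, that triages such a capture: it flags cleartext HTTP, credential headers sent over cleartext, and sensitive parameters in GET query strings, and lists the hosts that were ever seen over plain HTTP (the candidates for a "does the server still answer on port 80?" check). It assumes the proxy export has been reduced to (method, url, headers) tuples; SAMPLE_CAPTURE and the parameter-name list are constructed for this example.

```python
"""Added example (not from the talk): triage an intercepting-proxy capture for
cleartext HTTP, credentials in GET query strings and auth headers over
cleartext. Capture format, sample requests and parameter names are assumed."""
from urllib.parse import parse_qsl, urlsplit

SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pin", "token", "session",
                    "sessionid", "auth", "udid", "cardnumber", "cvv"}

# Constructed sample capture: (method, url, headers) as exported from a proxy.
SAMPLE_CAPTURE = [
    ("GET", "http://api.example.com/login?user=alice&password=hunter2", {}),
    ("GET", "https://api.example.com/account?sessionid=9f3b2c1d", {}),
    ("POST", "https://api.example.com/login", {"Content-Type": "application/json"}),
    ("GET", "https://api.example.com/balance", {"Authorization": "Bearer tok_1"}),
    ("GET", "http://cdn.example.com/logo.png", {}),
    ("GET", "http://api.example.com/profile", {"Authorization": "Bearer tok_2"}),
]


def check_request(method, url, headers):
    """Return the findings for one captured request (empty list if clean)."""
    findings = []
    parts = urlsplit(url)
    cleartext = parts.scheme.lower() == "http"
    if cleartext:
        findings.append("cleartext HTTP")
    if cleartext and any(k.lower() in ("authorization", "cookie") for k in headers):
        findings.append("credential header over cleartext")
    leaked = sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
                    if k.lower() in SENSITIVE_PARAMS)
    if method.upper() == "GET" and leaked:
        # Query strings end up in server and proxy logs, history and Referer headers.
        findings.append("sensitive data in GET: " + ",".join(leaked))
    return findings


def triage(capture):
    """Map 'METHOD url' -> findings for every request that has any."""
    report = {}
    for method, url, headers in capture:
        findings = check_request(method, url, headers)
        if findings:
            report["%s %s" % (method, url)] = findings
    return report


def hosts_with_cleartext(capture):
    """Hosts seen over plain HTTP at least once."""
    return {urlsplit(url).hostname for _, url, _ in capture
            if urlsplit(url).scheme.lower() == "http"}


if __name__ == "__main__":
    for req, findings in triage(SAMPLE_CAPTURE).items():
        print(req, "->", "; ".join(findings))
    print("cleartext hosts:", sorted(hosts_with_cleartext(SAMPLE_CAPTURE)))
```

Certificate validation cannot be judged from a capture alone: if the proxy's own CA was trusted on the device for the test, the "allows invalid certificates" check has to be done separately by presenting a self-signed or wrong-host certificate and confirming the app refuses to connect.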
Session token
Unauthorized Dialing/SMS
Unauthorized Dialing/SMS
•  Social engineering using mobile devices
•  Attacker plays with the user's mind
•  User installs the application
•  Application sends a premium-rate SMS or makes a premium-rate phone call to an unknown number
•  Used by malware/trojans
AndroidOS.FakePlayer
•  August 2010
•  Sends costly international SMS
•  One SMS costs – 25 USD (INR 1250)
•  Application sends SMS to –
– numbers 3353 & 3354 in Russia
GGTracker
•  June 2010
•  Another application which sends international SMS
•  One SMS costs – 40 USD (INR 2000)
•  Application sends premium SMS to US numbers
UI Impersonation
UI Impersonation
•  The attack has been around for a long time
•  On the mobile stack it is known as UI impersonation
•  Other names are phishing attack, clickjacking
•  Attacker plays with the user's mind and tries to impersonate another user or another application
UI Impersonation
•  Victim loses credit card information, authentication credentials or secrets
•  An application can create a local push notification that looks as though it came from the App Store
•  Flaw in the App Store review process – anyone can give their application any name
NetFlix
•  Oct 2011
•  Steals users' Netflix account information
•  Application shows the error message "Compatibility issues with the user's hardware" when the user enters username and password
•  After the error message, the application uninstalls itself
Activity Monitoring
Activity Monitoring
•  Sending a blind carbon copy of each email to the attacker
•  Listening to all phone calls
•  Emailing the contact list and pictures to the attacker
•  Reading all emails stored on the device
•  The usual intention of spyware/trojans
Activity Monitoring
•  Attacker can monitor –
– Audio Files
– Video
– Pictures
– Location
– Contact List
– Call/Browser/SMS History
– Data files
Android.Pjapps
•  Early 2010
•  Steals/changes user information
•  The application can –
– Send and monitor incoming SMS messages
– Read/write the user's browsing history and bookmarks
– Install packages and open sockets
– Write to external storage
– Read the phone's state
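Every capability in the Pjapps list, and the premium-SMS behaviour of the FakePlayer and GGTracker samples on the earlier slides, shows up as a permission or a receiver in the APK's manifest. The audit below is an added example (not code from the talk or the referenced malware write-ups) that reads a decoded AndroidManifest.xml, maps the requested permissions to the abuse they enable, and spots the SMS-trojan hallmark: SEND_SMS combined with a high-priority SMS_RECEIVED receiver, which lets the app swallow the carrier's billing replies before the messaging app sees them. It assumes the manifest has been decoded from binary XML (e.g. with apktool); SAMPLE_MANIFEST is constructed and the RISKY table is illustrative, not an official classification.

```python
"""Added example (not from the talk): audit a decoded AndroidManifest.xml for
the permission combinations behind SMS trojans and spyware. The sample
manifest is constructed and the RISKY mapping is illustrative."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

RISKY = {
    "android.permission.SEND_SMS": "premium SMS fraud",
    "android.permission.CALL_PHONE": "premium-rate dialing",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_SMS": "SMS interception",
    "android.permission.READ_CONTACTS": "activity monitoring",
    "android.permission.RECORD_AUDIO": "activity monitoring",
    "android.permission.ACCESS_FINE_LOCATION": "activity monitoring",
    "android.permission.READ_PHONE_STATE": "device fingerprinting",
    "android.permission.INSTALL_PACKAGES": "system modification",
    "android.permission.WRITE_EXTERNAL_STORAGE": "world-readable data staging",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "activity monitoring",
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS": "system modification",
}

# Constructed manifest modelled on the media-player lure described above.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Movie Player">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def audit_manifest(xml_text):
    root = ET.fromstring(xml_text)
    perms = [e.get(ANDROID + "name") for e in root.iter("uses-permission")]
    risky = {p: RISKY[p] for p in perms if p in RISKY}
    # A high-priority SMS_RECEIVED receiver runs before the stock messaging app
    # and can abortBroadcast() to hide carrier billing replies from the user.
    sms_receivers = []
    for recv in root.iter("receiver"):
        for flt in recv.findall("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in flt.findall("action")}
            if SMS_RECEIVED in actions:
                prio = int(flt.get(ANDROID + "priority", "0"))
                sms_receivers.append((recv.get(ANDROID + "name"), prio))
    return {"package": root.get("package"), "permissions": perms,
            "risky": risky, "sms_receivers": sms_receivers}


def sms_trojan_pattern(report):
    """Heuristic: can send SMS and also intercepts incoming SMS at high priority."""
    return ("android.permission.SEND_SMS" in report["risky"]
            and any(prio > 0 for _, prio in report["sms_receivers"]))


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    for perm, why in report["risky"].items():
        print("%-60s %s" % (perm, why))
    print("SMS receivers:", report["sms_receivers"])
    print("SMS trojan pattern:", sms_trojan_pattern(report))
```

A "movie player" that needs SEND_SMS is the finding in itself; the receiver priority is what turns a suspicious permission into the fraud pattern the slides describe.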
System Modification
System Modification
•  Application attempts to modify system configuration to hide itself (historically known as a rootkit)
•  Configuration changes make certain attacks possible, i.e. –
– Modifying the device proxy to monitor the user's activity
– Configuring BCC of email to the attacker
iKee – iPhone Worm
•  "ikee" iPhone worm (spread over SSH to jailbroken iPhones still using the default root password)
–  Changes the root password
–  Changes the wallpaper to Rick Astley
After being infected by "ikee" the iPhone looks like this (screenshot)
PII Information Leakage
PII Information Leakage
•  Applications usually have access to the user's private information, i.e. owner name, location, physical address, AppID, phone number
•  This information needs to be handled very carefully, as required by law in some countries
•  Storing this information in plain text is not allowed in some countries
PII Information
Hardcoded Secrets
Hardcoded Secrets
•  Easiest way for a developer to solve complex issues/functionality
•  An attacker can get this information either by reverse engineering the application or by checking local storage
Keychain Dumper
Language Specific Issues
Language Specific Issues
•  Applications on iOS are developed in Objective-C, which is derived from classic C
•  Along with this derivation, they inherit the security issues of C, i.e. overflow attacks
•  Using dex2jar (followed by a Java decompiler), the source code of an Android application can be recovered
dexdump
Dump the contents of .dex files (screenshot):
SQL Injection in Local database
SQL Injection in Local database
•  Most mobile platforms use SQLite as the database to store information on the device
•  Using any SQLite database browser it is possible to access the database, including logs that hold queries and other sensitive database information
•  If the application does not validate input (or use parameterised queries), SQL injection on the local database is possible
Injection…
Information in Common Services
Common Services
•  The keyboard and the clipboard are shared amongst all applications
•  Information stored in the clipboard can be accessed by any application
•  Sensitive information should not be allowed to be copied/pasted in the application
Server Side Issues
Server Side Issues
•  Most applications make server side calls to web services or some other component. Security of the server side component is equally important as the client side.
•  Controls to be tested on the server side – security control categories for the server side application: Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage, Error handling, Session management, Protocol abuse, Input validation, XSS, CSRF, Logic bypass, Insecure crypto, DoS, Malicious Code Injection, SQL injection, XPATH and LDAP injection, OS command injection, Parameter manipulation, Brute force, Buffer Overflow, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing.
Binary auditing
Using GDB
Mobile Top 10 - OWASP
•  Insecure Data Storage
•  Weak Server Side Controls
•  Insufficient Transport Layer Protection
•  Client Side Injection
•  Poor Authorization and Authentication
•  Improper Session Handling
•  Security Decisions Via Untrusted Inputs
•  Side Channel Data Leakage
•  Broken Cryptography
•  Sensitive Information Disclosure
Pen testing Check list (iOS Applications)
Pen testing Check list
•  Fuzz all possible inputs to the application and validate the output (query string, POST data, external HTML, RSS feed or database feed)
•  Audit traditional memory-unsafe functions (strcpy, memcpy)
•  Watch out for format string vulnerabilities
•  Look for hard-coded credentials/secrets
•  Check network connections (grep for NSURL, CFStream, NSStream)
•  Check database connections and queries (grep for SQL strings and SQLite queries)
•  Check that only trusted certificates are accepted (look for setAllowsAnyHTTPSCertificate and didReceiveAuthenticationChallenge)
•  Check what is logged (grep for NSLog)
•  Check the implementation of URL schemes in handleOpenURL
•  Check what is stored in the keychain (the kSecAttrAccessibleWhenUnlocked or kSecAttrAccessibleAfterFirstUnlock attributes when calling SecItemAdd or SecItemUpdate) and on the file system (NSDataWritingFileProtectionComplete)
•  Check how critical data is stored (NSUserDefaults should not be used to store critical data)
•  Check server side controls
•  Decrypt the binary and run strings to find sensitive information
•  Check whether the application uses UIWebView (how does the application load HTML and where is it rendered from? Is the URL visible?)
•  Check whether copy-paste is enabled in sensitive fields (PII fields)
•  Install your favorite proxy to monitor and fuzz web traffic
•  Run the app under a debugger/disassembler to monitor calls
•  Check whether critical data fields are hidden in applicationWillTerminate and applicationDidEnterBackground to prevent screenshot caching
•  Check how the application handles PII
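Most of the checklist is grep work, and it is worth scripting so it runs the same way over every build and over the output of strings on a decrypted binary as well as over source. The scanner below is an added example (not code from the talk or from Blueinfy) that applies one regex per checklist item: the TLS-bypass and challenge-handler APIs, NSLog calls, NSUserDefaults writes, weak keychain accessibility, memory-unsafe C functions, URL-scheme handlers, UIWebView, and two patterns the checklist describes in prose rather than by API name: a format string taken from a variable rather than an @"literal", and a secret assigned from a string literal. SAMPLE_SOURCE is a constructed Objective-C snippet written to trip each rule; the rules are a starting point and every hit needs a human to confirm it.

```python
"""Added example (not from the talk): a grep-style pass over Objective-C
source or `strings` output for the APIs in the checklist, plus format-string
and hard-coded-secret patterns. Sample source and rules are constructed."""
import re

RULES = [
    ("hardcoded-secret", r'(?i)(key|secret|password|token)\w*\s*=\s*@"[^"]+"'),
    ("tls-validation-disabled", r"setAllowsAnyHTTPSCertificate|kCFStreamSSLValidatesCertificateChain"),
    ("custom-trust-handler", r"didReceiveAuthenticationChallenge"),
    ("sensitive-logging", r"NSLog\("),
    # Format string supplied from a variable rather than an @"literal".
    ("format-string", r'(NSLog\(|stringWithFormat:|initWithFormat:)\s*(?!@")[A-Za-z_]'),
    ("nsuserdefaults-write", r"NSUserDefaults.*setObject:"),
    ("weak-keychain-protection", r"kSecAttrAccessibleAlways"),
    ("unsafe-c-api", r"\b(strcpy|strcat|sprintf|gets|memcpy)\s*\("),
    ("url-scheme-handler", r"handleOpenURL|openURL:sourceApplication"),
    ("webview", r"UIWebView"),
]
COMPILED = [(name, re.compile(pat)) for name, pat in RULES]

# Constructed snippet: one deliberate problem per line, not real app code.
SAMPLE_SOURCE = """\
#import <Foundation/Foundation.h>
static NSString *const kAPIKey = @"example-static-secret";
- (void)login:(NSString *)user password:(NSString *)pass {
    NSLog(@"login user=%@ pass=%@", user, pass);
    [[NSUserDefaults standardUserDefaults] setObject:pass forKey:@"password"];
    [NSURLRequest setAllowsAnyHTTPSCertificate:YES forHost:host];
    char buf[32];
    strcpy(buf, [user UTF8String]);
    NSString *msg = [NSString stringWithFormat:userSuppliedFormat];
    NSLog(userSuppliedFormat);
    SecItemAdd((__bridge CFDictionaryRef)@{(__bridge id)kSecAttrAccessible : (__bridge id)kSecAttrAccessibleAlways}, NULL);
    UIWebView *wv = [[UIWebView alloc] initWithFrame:CGRectZero];
}
"""


def scan_lines(lines):
    """Return (line_number, rule, stripped_line) for every rule hit."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for name, rx in COMPILED:
            if rx.search(line):
                hits.append((lineno, name, line.strip()))
    return hits


def scan_file(path):
    """Works on .m/.h files and on `strings` output of a decrypted binary."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh.read().splitlines())


if __name__ == "__main__":
    for lineno, rule, text in scan_lines(SAMPLE_SOURCE.splitlines()):
        print("%3d  %-26s %s" % (lineno, rule, text))
```

Two of the sample lines deserve a note. NSLog(userSuppliedFormat) is flagged twice, as logging and as a format-string bug, because both are true: whatever the variable holds is written to the device log, and if it contains %n or %@ directives it is interpreted. The kSecAttrAccessibleAlways hit is the keychain counterpart of writing a file without NSDataWritingFileProtectionComplete: the item is readable even while the device is locked, so a keychain dump after theft recovers it.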
Conclusion/Questions
Hemil Shah
hemil@blueinfy.net
+91 99790 55100

The Case For Next Generation IAM
 
Con8817 api management - enable your infrastructure for secure mobile and c...
Con8817   api management - enable your infrastructure for secure mobile and c...Con8817   api management - enable your infrastructure for secure mobile and c...
Con8817 api management - enable your infrastructure for secure mobile and c...
 
Exploring Oracle Enterprise Mobility using Oracle Mobile Solutions
Exploring Oracle Enterprise Mobility using Oracle Mobile SolutionsExploring Oracle Enterprise Mobility using Oracle Mobile Solutions
Exploring Oracle Enterprise Mobility using Oracle Mobile Solutions
 
Enterprise Mobility @ Neev
Enterprise Mobility @ NeevEnterprise Mobility @ Neev
Enterprise Mobility @ Neev
 
SSO Agility Made Possible - November 2014
SSO Agility Made Possible  -  November 2014SSO Agility Made Possible  -  November 2014
SSO Agility Made Possible - November 2014
 
Multi-Factor Authentication - "Moving Towards the Enterprise"
Multi-Factor Authentication - "Moving Towards the Enterprise" Multi-Factor Authentication - "Moving Towards the Enterprise"
Multi-Factor Authentication - "Moving Towards the Enterprise"
 
CODETRU IT Consulting & IT Services Capabilities
CODETRU IT Consulting & IT Services CapabilitiesCODETRU IT Consulting & IT Services Capabilities
CODETRU IT Consulting & IT Services Capabilities
 
Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?
 
Mobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseMobile security chess board - attacks & defense
Mobile security chess board - attacks & defense
 
Neev mobile offerings
Neev mobile offeringsNeev mobile offerings
Neev mobile offerings
 
Wise Men Oracle Mobility Webinar- 11-December-2014
Wise Men Oracle Mobility Webinar- 11-December-2014Wise Men Oracle Mobility Webinar- 11-December-2014
Wise Men Oracle Mobility Webinar- 11-December-2014
 
How Oracle Digital Assistants / ChatBots can revolutionize your Oracle Legacy...
How Oracle Digital Assistants / ChatBots can revolutionize your Oracle Legacy...How Oracle Digital Assistants / ChatBots can revolutionize your Oracle Legacy...
How Oracle Digital Assistants / ChatBots can revolutionize your Oracle Legacy...
 
CV-NeerajSaxena
CV-NeerajSaxenaCV-NeerajSaxena
CV-NeerajSaxena
 
kicking your enterprise security up a notch with adaptive authentication sa...
kicking your enterprise security up a notch with adaptive authentication   sa...kicking your enterprise security up a notch with adaptive authentication   sa...
kicking your enterprise security up a notch with adaptive authentication sa...
 
Single Sign On 101
Single Sign On 101Single Sign On 101
Single Sign On 101
 

More from Blueinfy Solutions

Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
Blueinfy Solutions
 
HTML5 hacking
HTML5 hackingHTML5 hacking
HTML5 hacking
Blueinfy Solutions
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open Redirect
Blueinfy Solutions
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
Blueinfy Solutions
 
Defending against Injections
Defending against InjectionsDefending against Injections
Defending against Injections
Blueinfy Solutions
 
XPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal InjectionXPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal Injection
Blueinfy Solutions
 
Blind SQL Injection
Blind SQL InjectionBlind SQL Injection
Blind SQL Injection
Blueinfy Solutions
 
Application fuzzing
Application fuzzingApplication fuzzing
Application fuzzing
Blueinfy Solutions
 
SQL injection basics
SQL injection basicsSQL injection basics
SQL injection basics
Blueinfy Solutions
 
Assessment methodology and approach
Assessment methodology and approachAssessment methodology and approach
Assessment methodology and approach
Blueinfy Solutions
 
HTTP protocol and Streams Security
HTTP protocol and Streams SecurityHTTP protocol and Streams Security
HTTP protocol and Streams Security
Blueinfy Solutions
 
Advanced applications-architecture-threats
Advanced applications-architecture-threatsAdvanced applications-architecture-threats
Advanced applications-architecture-threats
Blueinfy Solutions
 

More from Blueinfy Solutions (12)

Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
 
HTML5 hacking
HTML5 hackingHTML5 hacking
HTML5 hacking
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open Redirect
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
 
Defending against Injections
Defending against InjectionsDefending against Injections
Defending against Injections
 
XPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal InjectionXPATH, LDAP and Path Traversal Injection
XPATH, LDAP and Path Traversal Injection
 
Blind SQL Injection
Blind SQL InjectionBlind SQL Injection
Blind SQL Injection
 
Application fuzzing
Application fuzzingApplication fuzzing
Application fuzzing
 
SQL injection basics
SQL injection basicsSQL injection basics
SQL injection basics
 
Assessment methodology and approach
Assessment methodology and approachAssessment methodology and approach
Assessment methodology and approach
 
HTTP protocol and Streams Security
HTTP protocol and Streams SecurityHTTP protocol and Streams Security
HTTP protocol and Streams Security
 
Advanced applications-architecture-threats
Advanced applications-architecture-threatsAdvanced applications-architecture-threats
Advanced applications-architecture-threats
 

Recently uploaded

Building API data products on top of your real-time data infrastructure
Building API data products on top of your real-time data infrastructureBuilding API data products on top of your real-time data infrastructure
Building API data products on top of your real-time data infrastructure
confluent
 
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdfBaha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
Baha Majid
 
Stork Product Overview: An AI-Powered Autonomous Delivery Fleet
Stork Product Overview: An AI-Powered Autonomous Delivery FleetStork Product Overview: An AI-Powered Autonomous Delivery Fleet
Stork Product Overview: An AI-Powered Autonomous Delivery Fleet
Vince Scalabrino
 
Cost-Effective Strategies For iOS App Development
Cost-Effective Strategies For iOS App DevelopmentCost-Effective Strategies For iOS App Development
Cost-Effective Strategies For iOS App Development
Softradix Technologies
 
Boost Your Savings with These Money Management Apps
Boost Your Savings with These Money Management AppsBoost Your Savings with These Money Management Apps
Boost Your Savings with These Money Management Apps
Jhone kinadey
 
Going AOT: Everything you need to know about GraalVM for Java applications
Going AOT: Everything you need to know about GraalVM for Java applicationsGoing AOT: Everything you need to know about GraalVM for Java applications
Going AOT: Everything you need to know about GraalVM for Java applications
Alina Yurenko
 
🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻
🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻
🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻
campbellclarkson
 
Hyperledger Besu 빨리 따라하기 (Private Networks)
Hyperledger Besu 빨리 따라하기 (Private Networks)Hyperledger Besu 빨리 따라하기 (Private Networks)
Hyperledger Besu 빨리 따라하기 (Private Networks)
wonyong hwang
 
Strengthening Web Development with CommandBox 6: Seamless Transition and Scal...
Strengthening Web Development with CommandBox 6: Seamless Transition and Scal...Strengthening Web Development with CommandBox 6: Seamless Transition and Scal...
Strengthening Web Development with CommandBox 6: Seamless Transition and Scal...
Ortus Solutions, Corp
 
What’s new in VictoriaMetrics - Q2 2024 Update
What’s new in VictoriaMetrics - Q2 2024 UpdateWhat’s new in VictoriaMetrics - Q2 2024 Update
What’s new in VictoriaMetrics - Q2 2024 Update
VictoriaMetrics
 
Folding Cheat Sheet #5 - fifth in a series
Folding Cheat Sheet #5 - fifth in a seriesFolding Cheat Sheet #5 - fifth in a series
Folding Cheat Sheet #5 - fifth in a series
Philip Schwarz
 
Streamlining End-to-End Testing Automation
Streamlining End-to-End Testing AutomationStreamlining End-to-End Testing Automation
Streamlining End-to-End Testing Automation
Anand Bagmar
 
What is Continuous Testing in DevOps - A Definitive Guide.pdf
What is Continuous Testing in DevOps - A Definitive Guide.pdfWhat is Continuous Testing in DevOps - A Definitive Guide.pdf
What is Continuous Testing in DevOps - A Definitive Guide.pdf
kalichargn70th171
 
Refactoring legacy systems using events commands and bubble contexts
Refactoring legacy systems using events commands and bubble contextsRefactoring legacy systems using events commands and bubble contexts
Refactoring legacy systems using events commands and bubble contexts
Michał Kurzeja
 
Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...
Paul Brebner
 
Orca: Nocode Graphical Editor for Container Orchestration
Orca: Nocode Graphical Editor for Container OrchestrationOrca: Nocode Graphical Editor for Container Orchestration
Orca: Nocode Graphical Editor for Container Orchestration
Pedro J. Molina
 
The Role of DevOps in Digital Transformation.pdf
The Role of DevOps in Digital Transformation.pdfThe Role of DevOps in Digital Transformation.pdf
The Role of DevOps in Digital Transformation.pdf
mohitd6
 
How GenAI Can Improve Supplier Performance Management.pdf
How GenAI Can Improve Supplier Performance Management.pdfHow GenAI Can Improve Supplier Performance Management.pdf
How GenAI Can Improve Supplier Performance Management.pdf
Zycus
 
Photoshop Tutorial for Beginners (2024 Edition)
Photoshop Tutorial for Beginners (2024 Edition)Photoshop Tutorial for Beginners (2024 Edition)
Photoshop Tutorial for Beginners (2024 Edition)
alowpalsadig
 
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSISDECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
Tier1 app
 

Recently uploaded (20)

Building API data products on top of your real-time data infrastructure
Building API data products on top of your real-time data infrastructureBuilding API data products on top of your real-time data infrastructure
Building API data products on top of your real-time data infrastructure
 
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdfBaha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
 
Stork Product Overview: An AI-Powered Autonomous Delivery Fleet
Stork Product Overview: An AI-Powered Autonomous Delivery FleetStork Product Overview: An AI-Powered Autonomous Delivery Fleet
Stork Product Overview: An AI-Powered Autonomous Delivery Fleet
 
Cost-Effective Strategies For iOS App Development
Cost-Effective Strategies For iOS App DevelopmentCost-Effective Strategies For iOS App Development
Cost-Effective Strategies For iOS App Development
 
Boost Your Savings with These Money Management Apps
Boost Your Savings with These Money Management AppsBoost Your Savings with These Money Management Apps
Boost Your Savings with These Money Management Apps
 
Going AOT: Everything you need to know about GraalVM for Java applications
Going AOT: Everything you need to know about GraalVM for Java applicationsGoing AOT: Everything you need to know about GraalVM for Java applications
Going AOT: Everything you need to know about GraalVM for Java applications
 
🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻
🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻
🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻
 
Hyperledger Besu 빨리 따라하기 (Private Networks)
Hyperledger Besu 빨리 따라하기 (Private Networks)Hyperledger Besu 빨리 따라하기 (Private Networks)
Hyperledger Besu 빨리 따라하기 (Private Networks)
 
Strengthening Web Development with CommandBox 6: Seamless Transition and Scal...
Strengthening Web Development with CommandBox 6: Seamless Transition and Scal...Strengthening Web Development with CommandBox 6: Seamless Transition and Scal...
Strengthening Web Development with CommandBox 6: Seamless Transition and Scal...
 
What’s new in VictoriaMetrics - Q2 2024 Update
What’s new in VictoriaMetrics - Q2 2024 UpdateWhat’s new in VictoriaMetrics - Q2 2024 Update
What’s new in VictoriaMetrics - Q2 2024 Update
 
Folding Cheat Sheet #5 - fifth in a series
Folding Cheat Sheet #5 - fifth in a seriesFolding Cheat Sheet #5 - fifth in a series
Folding Cheat Sheet #5 - fifth in a series
 
Streamlining End-to-End Testing Automation
Streamlining End-to-End Testing AutomationStreamlining End-to-End Testing Automation
Streamlining End-to-End Testing Automation
 
What is Continuous Testing in DevOps - A Definitive Guide.pdf
What is Continuous Testing in DevOps - A Definitive Guide.pdfWhat is Continuous Testing in DevOps - A Definitive Guide.pdf
What is Continuous Testing in DevOps - A Definitive Guide.pdf
 
Refactoring legacy systems using events commands and bubble contexts
Refactoring legacy systems using events commands and bubble contextsRefactoring legacy systems using events commands and bubble contexts
Refactoring legacy systems using events commands and bubble contexts
 
Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...
 
Orca: Nocode Graphical Editor for Container Orchestration
Orca: Nocode Graphical Editor for Container OrchestrationOrca: Nocode Graphical Editor for Container Orchestration
Orca: Nocode Graphical Editor for Container Orchestration
 
The Role of DevOps in Digital Transformation.pdf
The Role of DevOps in Digital Transformation.pdfThe Role of DevOps in Digital Transformation.pdf
The Role of DevOps in Digital Transformation.pdf
 
How GenAI Can Improve Supplier Performance Management.pdf
How GenAI Can Improve Supplier Performance Management.pdfHow GenAI Can Improve Supplier Performance Management.pdf
How GenAI Can Improve Supplier Performance Management.pdf
 
Photoshop Tutorial for Beginners (2024 Edition)
Photoshop Tutorial for Beginners (2024 Edition)Photoshop Tutorial for Beginners (2024 Edition)
Photoshop Tutorial for Beginners (2024 Edition)
 
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSISDECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
 

Mobile Application Scan and Testing

  • 1. OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
    Mobile Application Security – Effective Methodology, Effective Testing!
  • 2. Who Am I?
    – Hemil Shah – hemil@blueinfy.net
    – Co-CEO & Director, Blueinfy Solutions
    – Past experience – eSphere Security, HBO, KPMG, IL&FS, Net Square
    – Interest – Web and mobile security research
    – Published research
      – Articles / Papers – Packstroem, etc.
      – Web Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.
      – Mobile Tools – FSDroid, iAppliScan, DumpDroid
    – hemil@blueinfy.com – http://www.blueinfy.com – Blog: http://blog.blueinfy.com/
  • 3. About
    – Global experience; worked with clients based in USA, UAE, Europe and Asia-Pac.
    – Clients/Partners include Fortune 100 companies.
    – Delivery model and support
    – Blackbox and Whitebox – Scanners and Code Analyzers
    – Scanning tools and technology (15 years)
    – Strong and tested with Fortune clients
    – Integrated in SDLC
    – Help clients in mitigating or lowering the risk by improving process
    – In-house R&D team for the last 7 years
    – Papers and presentations at conferences like RSA, Blackhat, HITB, OWASP etc.
    – Books written and used as security guides
    – Slide quadrants: Know-How; Methods & Approach; Global Delivery & Team; Technology
    – Application Security: BBC, Dark Readings, Bank Technology, SecurityWeek, MIT Technology Review
  • 4. Enterprise Technology Trend
    – 2007. Web services would rocket from $1.6 billion in 2004 to $34 billion. [IDC]
    – 2008. Web Services or Service-Oriented Architecture (SOA) would surge ahead. [Gartner]
    – 2009. Enterprise 2.0 in action and penetrating deeper into the corporate environment
    – 2010. Flex/HTML5/Cloud/API
    – 2012. HTML5/Mobile era.
  • 5. Past, Present and Future (diagram; labels: Cloud, 2010, Focus)
  • 6. Mobile Infrastructure (network diagram; labels: www, mail, intranet, router, DMZ, Internet, VPN, Dial-up, Other Offices, Exchange, firewall, Database, RAS)
  • 7. Mobile App Environment (architecture diagram; labels: Mobile, SOAP/JSON etc., Internet, DMZ, Trusted, Internal/Corporate, Web Client, Web Server – static pages only (HTML, HTM, etc.), Scripted Web Engine – dynamic pages (ASP, DHTML, PHP, CGI, etc.), Application Servers and Integrated Framework – ASP.NET on .Net Framework, J2EE App Server, Web Services, etc., WEB SERVICES, DB, X)
  • 8. Mobile Apps (image)
  • 9. Gartner Statistics (chart)
  • 10. Gartner Statistics (chart)
  • 11. Mobile Changes – Application Infrastructure
    Changing dimension              | Web                                 | Mobile
    (AI1) Protocols                 | HTTP & HTTPS                        | JSON, SOAP, REST etc. over HTTP & HTTPS
    (AI2) Information structures    | HTML transfer                       | JSON, JS Objects, XML, etc.
    (AI3) Technology                | Java, DotNet, PHP, Python and so on | Cocoa, Java with Platform SDKs, HTML5
    (AI4) Information Store/Process | Mainly on Server Side               | Client and Server Side
  • 12. Mobile Changes – Security Threats
    Changing dimension   | Web                              | Mobile
    (T1) Entry points    | Structured                       | Scattered and multiple
    (T2) Dependencies    | Limited                          | Multiple technologies; Information sources; Protocols
    (T3) Vulnerabilities | Server side [Typical injections] | Web services [Payloads]; Client side [Local Storage]
    (T4) Exploitation    | Server side exploitation         | Both server and client side exploitation
  • 13. Black Review flow
    – Phases: Architecture Review; Scoping; Server Side Application Footprinting; Mobile Application Footprinting; Application Threat Modeling; Application Deployment Assessment; Application Enumeration and Profiling; Application Discovery; Vulnerability Assessment; Mitigation Strategies; Reporting
    – Application Security – Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage, Error handling, Session management, Protocol abuse, Input validations, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Logic bypass, Insecure crypto, Denial of Service, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, Bruteforce, Buffer Overflow, Format string, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing.
    – Mobile and Device Security
      – Insecure storage
      – Insecure network communication – carrier network security & WiFi network attacks
      – Unauthorized dialing & SMS
      – UI impersonation/spoofing
      – Activity monitoring and data retrieval
      – Sensitive data leakage
      – Hardcoded passwords/keys
      – Language issues
      – Timely application update
      – Jailbreaking/physical device theft
      – Keyboard cache/clipboard issue
      – Reading information from SQLite database
      – Insecure protocol handler implementation
      – And a few other loopholes
  • 14. Insecure Storage
  • 15. Insecure Storage
    – Why an application needs to store data
      – Ease of use for the user
      – Popularity
      – Competition
      – Activity with a single click
      – Decreased transaction time
      – Post/Get information to/from social sites
    – 9 out of 10 applications have this vulnerability
  • 16. Insecure Storage
    – How an attacker can gain access
      – WiFi
      – Default password after jailbreaking (alpine)
      – Physical theft
      – Temporary access to the device
  • 17. Insecure Storage
    – What information we usually find
      – Authentication credentials
      – Authorization tokens
      – Financial statements
      – Credit card numbers
      – Owner's information – physical address, name, phone number
      – Social engineering sites profile/habits
      – SQL queries
  • 18. Local file access (screenshot)
  • 19. Insecure Network Communication
  • 20. Insecure Network Channel
    – Easy to perform MitM attacks, as mobile devices use untrusted networks, i.e. open/public WiFi, hotspots, carrier's network
    – Application deals with sensitive data, i.e.
      – Authentication credentials
      – Authorization token
      – PII information (privacy violation) – owner name, phone number, UDID
  • 21. Insecure Network Channel
    – Can sniff the traffic to get access to sensitive data
    – SSL is the best way to secure the communication channel
    – Common issues
      – Does not deprecate HTTP requests
      – Allowing invalid certificates
      – Sensitive information in GET requests
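The three "common issues" on slide 21 are all visible in a proxy capture of the app's traffic or in its TLS client configuration. The script below is an added example, not code from the talk or from Blueinfy: it flags plain-HTTP requests and sensitive values in GET query strings over constructed capture lines, and shows the Python-side equivalent of "allowing invalid certificates" (an `ssl` context with verification disabled) next to the default, verifying context. The parameter-name list and the `api.example.test` host are assumptions.

```python
"""Audit captured mobile-app requests for the weaknesses listed on slide 21:
plain HTTP still in use, sensitive values in GET query strings, and a TLS
client that accepts any certificate.  Added example, not from the talk."""
import ssl
from urllib.parse import urlsplit, parse_qsl

# Parameter names that usually carry credentials or identifiers in mobile API
# calls.  Assumption: a starting list; extend it per application.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pin", "token", "auth_token",
                    "session", "sessionid", "udid", "cardnumber", "cvv"}


def audit_request(method, url):
    """Return the findings for one captured request (empty list when clean)."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme.lower() == "http":
        findings.append("plain HTTP: body and headers are readable on open WiFi")
    if method.upper() == "GET":
        # GET query strings end up in proxy, server and CDN logs.
        leaked = sorted({k for k, _ in parse_qsl(parts.query)
                         if k.lower() in SENSITIVE_PARAMS})
        if leaked:
            findings.append("sensitive data in GET query: " + ", ".join(leaked))
    return findings


def audit_capture(lines):
    """Map each offending URL in 'METHOD URL' capture lines to its findings."""
    report = {}
    for line in lines:
        method, url = line.split(None, 1)
        findings = audit_request(method, url.strip())
        if findings:
            report[url.strip()] = findings
    return report


def tls_context_accepts_any_cert(ctx):
    """True when the context behaves like setAllowsAnyHTTPSCertificate:YES,
    i.e. chain validation or hostname checking has been switched off."""
    return ctx.verify_mode == ssl.CERT_NONE or not ctx.check_hostname


def default_tls_context():
    """What a client should use: full chain and hostname validation."""
    return ssl.create_default_context()


def weak_tls_context():
    """The 'accept invalid certificates' misconfiguration, for comparison."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation at all
    return ctx


# Constructed proxy capture, not real traffic.
SAMPLE_CAPTURE = [
    "GET http://api.example.test/login?user=alice&password=s3cret",
    "GET https://api.example.test/profile?udid=ABC123",
    "POST https://api.example.test/login",
]

if __name__ == "__main__":
    for url, findings in audit_capture(SAMPLE_CAPTURE).items():
        print(url)
        for f in findings:
            print("  -", f)
    print("weak context accepts any cert:",
          tls_context_accepts_any_cert(weak_tls_context()))
    print("default context accepts any cert:",
          tls_context_accepts_any_cert(default_tls_context()))
```

Only the first two capture lines produce findings; the HTTPS POST is clean. The TLS check is the thing to look for in a code review of any networking wrapper: once `verify_mode` is `CERT_NONE`, the channel is SSL in name only.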
  • 22. Session token (screenshot)
  • 23. Unauthorized Dialing/SMS
  • 24. Unauthorized Dialing/SMS
    – Social engineering using mobile devices
    – Attacker plays with the user's mind
    – User installs the application
    – Application sends a premium rate SMS or makes a premium rate phone call to an unknown number
    – Used by malware/Trojans
  • 25. AndroidOS.FakePlayer
    – August 2010
    – Sends costly international SMS
    – One SMS costs 25 USD (INR 1250)
    – Application sends SMS to 3353 & 3354 numbers in Russia
  • 26. GGTracker
    – June 2010
    – Another application which sends international SMS
    – One SMS costs 40 USD (INR 2000)
    – Application sends premium SMS to US numbers
  • 27. UI Impersonation
  • 28. UI Impersonation
    – The attack has been around for a long time
    – On the mobile stack it is known as UI impersonation
    – Other names are phishing attack, clickjacking
    – Attacker plays with the user's mind and tries to impersonate another user or another application
  • 29. UI Impersonation
    – Victim loses credit card information, authentication credentials or secrets
    – One application can create a local PUSH notification as if it came from the Apple store
    – Flaw in the review process of the AppStore – anyone can give their application any name
  • 30. NetFlix
    – Oct 2011
    – Steals users' "netflix" account information
    – Application shows the error message "Compatibility issues with the user's hardware" when the user enters username and password
    – After the error message, the application uninstalls itself
  • 31. Activity Monitoring
  • 32. Activity Monitoring
    – Sending a blind carbon copy of each email to the attacker
    – Listening to all phone calls
    – Sending the email contact list and pictures to the attacker
    – Reading all emails stored on the device
    – Usual intention of spyware/Trojans
  • 33. Activity Monitoring
    – Attacker can monitor –
      – Audio files
      – Video
      – Pictures
      – Location
      – Contact list
      – Call/Browser/SMS history
      – Data files
  • 34. Android.Pjapps
    – Early 2010
    – Steals/changes the user's information
    – Application –
      – Sends and monitors incoming SMS messages
      – Reads/writes the user's browsing history and bookmarks
      – Installs packages and opens sockets
      – Writes to external storage
      – Reads the phone's state
  • 35. System Modification
  • 36. System Modification
    – Application will attempt to modify the system configuration to hide itself (historically known as a ROOTKIT)
    – Configuration changes make certain attacks possible, i.e. –
      – Modifying the device proxy to monitor the user's activity
      – Configuring BCC email sending to the attacker
  • 37. iKee – iPhone Worm
    – "ikee" iPhone worm
      – Changes the root password
      – Changes the wallpaper to Ricky Martin. After infection by "ikee" the iPhone looks like this (screenshot)
  • 38. PII Information Leakage
  • 39. PII Information Leakage
    – Applications usually have access to the user's private information, i.e. owner name, location, physical address, AppID, phone number
    – This information needs to be handled very carefully, as per the law in some countries
    – Storing this information in plain text is not allowed in some countries
  • 40. PII Information (screenshot)
  • 41. Hardcoded Secrets
  • 42. Hardcoded Secrets
    – Easiest way for a developer to solve complex issues/functionality
    – Attacker can get this information either by reverse engineering the application or by checking local storage
  • 43. Keychain Dumper (screenshot)
  • 44. Language Specific Issues
  • 45. Language Specific Issues
    – Applications on iOS are developed in Objective-C, which is derived from classic C
    – Along with this derivation, it also inherits the security issues of C, i.e. overflow attacks
    – Using Dex2jar, the source code of an Android application can be accessed
  • 46. dexdump – convert/dump .dex files (screenshot)
  • 47. SQL Injection in Local database
  • 48. SQL Injection in Local database
    – Most mobile platforms use SQLite as the database to store information on the device
    – Using any SQLite Database Browser, it is possible to access database logs which contain queries and other sensitive database information
    – If the application is not filtering input, SQL injection on the local database is possible
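Slide 48 says the local SQLite injection exists "in case application is not filtering input"; the durable fix is not filtering but binding. The block below is an added example, not code from the talk: it builds an in-memory SQLite table standing in for an on-device database (constructed data), runs the same lookup once with string-built SQL and once with a bound parameter, and shows that a quoted input widens the first query to every row while the second treats it as plain data. Table and column names are assumptions.

```python
"""Local SQLite lookup as a mobile app would do it, in a vulnerable and a
parameterised form.  Added example; not code from the talk."""
import sqlite3


def build_db():
    """In-memory stand-in for the app's on-device SQLite file (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, card_last4 TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("alice", "4242", 120.50),
        ("bob", "1111", 9.99),
    ])
    return conn


def lookup_vulnerable(conn, owner):
    # Query text built by concatenation: the owner value becomes part of the
    # SQL grammar, so a quote inside it rewrites the WHERE clause (slide 48's
    # "not filtering input" case).
    sql = ("SELECT owner, card_last4, balance FROM accounts WHERE owner = '"
           + owner + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, owner):
    # Bound parameter: SQLite receives the value separately from the statement
    # text, so it can only ever be compared as data, never parsed as SQL.
    return conn.execute(
        "SELECT owner, card_last4, balance FROM accounts WHERE owner = ?",
        (owner,),
    ).fetchall()


# The classic tautology input; with concatenation it yields
# ... WHERE owner = 'x' OR '1'='1'
INJECTION = "x' OR '1'='1"


def demo():
    """Run both lookups against the same database and return the row sets."""
    conn = build_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_injected": lookup_vulnerable(conn, INJECTION),
        "safe_injected": lookup_safe(conn, INJECTION),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

During a review, the string-concatenation form is what to grep for in the app's database layer (slide 60's "grep SQL strings"): every `+` or format operation that builds query text from an input is a candidate, whatever input filtering sits in front of it.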
  • 49. OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon Injection…
  • 50. OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon Information in Common Services
  • 51. OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon Common Services •  KeyBoard, Clipboard are shared amongst all the applications. •  Information stored in clipboard can be accessed by all the application •  Sensitive information should not be allowed to copy/paste in the application
  • 52. OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon Server Side Issues
  • 53. OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon Server Side Issues •  Most Application makes server side calls to either web services or some other component. Security of server side component is equally important as client side •  Controls to be tested on the server side – Security Control Categories for Server Side Application– Authentication, Access Controls/Authorization, API misuse, Path traversal, Sensitive information leakage,
  • 54. OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon Server Side Issues Error handling, Session management, Protocol abuse, Input validations, XSS, CSRF, Logic bypass, Insecure crypto, DoS, Malicious Code Injection, SQL injection, XPATH and LDAP injections, OS command injection, Parameter manipulations, BruteForce, Buffer Overflow, HTTP response splitting, HTTP replay, XML injection, Canonicalization, Logging and auditing.
  • 55. Binary auditing
  • 56. Using GDB
  • 57. Mobile Top 10 - OWASP
    •  Insecure Data Storage
    •  Weak Server Side Controls
    •  Insufficient Transport Layer Protection
    •  Client Side Injection
    •  Poor Authorization and Authentication
    •  Improper Session Handling
    •  Security Decisions Via Untrusted Inputs
    •  Side Channel Data Leakage
    •  Broken Cryptography
    •  Sensitive Information Disclosure
  • 58. Pen testing Check list (iOS Applications)
  • 59. Pen testing Check list
    •  Fuzz all possible inputs to the application and validate the output (query string, POST data, external HTML, RSS feed or database feed).
    •  Audit traditional memory-unsafe methods (strcpy, memcpy).
    •  Watch out for format string vulnerabilities.
    •  Look for hard-coded credentials / secrets.
  • 60. Pen testing Check list
    •  Check network connections (grep for NSURL, CFStream, NSStream).
    •  Check database connections and queries (grep for SQL strings and SQLite queries).
    •  Check that only trusted certificates are allowed (look for setAllowsAnyHTTPSCertificate and didReceiveAuthenticationChallenge).
    •  Check what is logged (grep for NSLog).
  • 61. Pen testing Check list
    •  Check the implementation of URL schemes in handleOpenURL.
    •  Check what is stored in the keychain (the kSecAttrAccessibleWhenUnlocked or kSecAttrAccessibleAfterFirstUnlock attribute when calling SecItemAdd or SecItemUpdate) and on the file system (NSDataWritingFileProtectionComplete).
  • 62. Pen testing Check list
    •  Check how critical data is stored (NSUserDefaults should not be used to store critical data).
    •  Check server-side controls.
    •  Decrypt the binary and run strings on it to find sensitive information.
  • 63. Pen testing Check list
    •  Check whether the application uses UIWebView (how does the application load HTML, and where is it rendered from? Is the URL visible?).
    •  Check whether copy-paste functionality is enabled in sensitive fields (PII fields).
    •  Install your favorite proxy to monitor and fuzz web traffic.
    •  Run the app under a disassembler to monitor calls.
  • 64. Pen testing Check list
    •  Check whether critical data fields are hidden in applicationWillTerminate and applicationWillEnterBackground to prevent screenshot caching.
    •  Check how the application handles PII information.
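The grep-style source checks from slides 59 to 64, gathered into one static audit pass as an added example (not tooling from the slides). The rule set and the Objective-C fragment it scans are constructed here; the rule ids and notes are my own naming.

```python
import re

# Rules constructed from the checklist above: (id, regex over one source line, reviewer note).
RULES = [
    ("memory-unsafe", r"\b(strcpy|strcat|sprintf|memcpy)\s*\(",
     "traditional memory-unsafe call: verify bounds"),
    ("format-string", r"NSLog\s*\(\s*[A-Za-z_]\w*\s*[,)]",
     "NSLog whose format argument is a variable, not a literal"),
    ("logging", r"\bNSLog\s*\(", "review what is logged"),
    ("tls-bypass", r"setAllowsAnyHTTPSCertificate|didReceiveAuthenticationChallenge",
     "certificate checks may be relaxed: confirm only trusted certificates are accepted"),
    ("url-scheme", r"handleOpenURL", "URL scheme handler: validate the incoming URL"),
    ("keychain", r"SecItemAdd|SecItemUpdate",
     "keychain write: check which kSecAttrAccessible* attribute is used"),
    ("userdefaults", r"NSUserDefaults", "NSUserDefaults must not hold critical data"),
    ("webview", r"UIWebView", "check where the HTML is loaded from and whether the URL is visible"),
    ("network", r"\b(NSURLConnection|CFStream|NSStream)\b", "network call: inspect transport security"),
    ("sql-format", r'stringWithFormat:\s*@"[^"]*\b(SELECT|INSERT|UPDATE|DELETE)\b',
     "SQL built by string formatting: use bound parameters"),
    ("hardcoded-secret", r'(?i)(password|secret|apikey|token)\w*\s*=\s*@"[^"]+"',
     "possible hard-coded credential"),
]
COMPILED = [(rid, re.compile(pat), note) for rid, pat, note in RULES]


def audit_source(text):
    """Return (line_number, rule_id, note) for every checklist hit in the given source text."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        for rid, rx, note in COMPILED:
            if rx.search(line):
                findings.append((number, rid, note))
    return findings


# Constructed Objective-C fragment that trips several rules; the key value is a placeholder.
SAMPLE = '''\
NSString *apiKey = @"PLACEHOLDER-KEY";
NSLog(@"user=%@", user);
NSLog(userInput);
[[NSUserDefaults standardUserDefaults] setObject:pin forKey:@"pin"];
NSString *q = [NSString stringWithFormat:@"SELECT * FROM acct WHERE id='%@'", accountId];
[req setAllowsAnyHTTPSCertificate:YES forHost:host];
strcpy(buf, [name UTF8String]);
'''

if __name__ == "__main__":
    for number, rid, note in audit_source(SAMPLE):
        print(f"line {number}: [{rid}] {note}")
```

Hits are triage leads, not verdicts: the second NSLog line is flagged as a format-string candidate only because its format argument is a variable, while the literal-format NSLog on the line before is reported under logging alone.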
  • 65. Conclusion/Questions   Hemil Shah hemil@blueinfy.net +91 99790 55100