This document summarizes a presentation about mobile application security. The presentation covered several key topics: (1) trends driving increased mobile usage and threats, (2) the OWASP Mobile Top 10 risks, (3) examples of real vulnerabilities found in enterprise mobile apps, (4) methods for assessing mobile app security like threat modeling, and (5) resources for development and QA teams to improve mobile app security. The goal is to help organizations understand mobile security challenges and integrate security practices into the mobile software development lifecycle.
The document discusses web application penetration testing services provided by Axoss. Axoss tests web applications to identify vulnerabilities using the same tools and techniques as hackers. The testing follows the OWASP methodology and aims to find security issues before they can be exploited. Axoss then provides a detailed report on vulnerabilities found along with recommendations to help clients eliminate security risks and better protect their web applications.
The document discusses cybersecurity threats like browser attacks and software vulnerabilities, noting that in 2011 there were over 946 million browser attacks reported and an average of 79 serious vulnerabilities found per website annually. It also examines common exploit types, countries with the most attacks, and best practices for vulnerability testing and mitigation using tools like Burp Suite.
This document provides a confidential product roadmap for Ixia's existing and prospective customers. The information is subject to change at Ixia's sole discretion and does not commit Ixia to any development or release timelines. Ixia is only obligated to provide deliverables specified in written agreements between Ixia and its customers.
This document provides information about the speaker, including their name, contact information, work experience, projects, and interests. They are a security researcher who previously worked as a VA and now works for HP Application Security Center. They enjoy talking about hacking and drinking beer and gin and tonics. The document also outlines an upcoming workshop they will be conducting on web hacking tools and techniques.
Cesar Lorenzana & Javier Rodríguez – Por qué lo llaman APT´s, cuando lo que q... (RootedCON)
The document describes an investigation carried out by the Grupo de Delitos Telemáticos following a cyberattack on a telecommunications company in Spain. The attack involved malware downloaded by clicking on a malicious attachment in an email. The investigation included analysis of RAM, network packets, hard drives and other devices to identify the malware and its command-and-control connections. Finally, the investigation linked the attack to call shops (locutorios) that fraudulently sold tele
Jorge Ramió - RSA cumple 36 años y se le ha caducado el carné joven [Rooted C... (RootedCON)
The document presents an introduction to the RSA algorithm, which turns 36 years old. It briefly explains how RSA works and the most common attacks against it, such as integer factorization and cycling attacks (cifrado cíclico). It then shows practical demonstrations of several attacks, such as the birthday paradox and side-channel attacks, which are a major threat despite not being aimed specifically at RSA.
Alberto Cita - Skype Sin Levita. Un análisis de seguridad y privacidad [Roote... (RootedCON)
This document summarizes a presentation on the security and privacy of Skype. It explains that Skype no longer uses its own proprietary encryption but SSL, which makes it vulnerable to man-in-the-middle attacks. Moreover, because it uses the operating system's certificate store, an attacker could intercept the traffic by injecting a malicious certificate. Finally, it concludes that Skype has lost much of its original privacy and that all of its traffic can now be intercepted and decrypted.
Pactera Technologies North America (NA) Cybersecurity Consulting Services specializes in Cybersecurity Program Development, Application Vulnerability Assessment, Application Security Governance, Secure SDLC, Secure Coding Practice Training, and Third-party supplier security risk management and assessment. We only hire top security consultants that are most qualified for this job. We love to prove ourselves to you!
NCC Group 44Con Workshop: How to assess and secure iOS apps (NCC Group)
This document provides an overview of assessing and securing iOS apps. It discusses setting up a testing environment by jailbreaking an iOS device to gain root access. Various tools are installed to analyze apps, including intercepting network traffic both passively and by acting as an HTTP proxy gateway. The document also covers monitoring local app data, binaries, and runtime analysis for black-box security testing of iOS apps.
Lorenzo Martínez - Cooking an APT in the paranoid way [RootedSatellite Valen... (RootedCON)
This document describes the steps for building an APT (an advanced persistent malicious program) legally and for educational purposes. It explains how to create a fake social-network profile and a website to collect information from vulnerable users. It then details techniques such as phishing and the use of browser exploits to compromise systems. The goal is to demonstrate an attacker's capabilities in order to raise cybersecurity awareness.
Pablo San Emeterio - How to protect your hot pics with WHF [RootedSatellite V... (RootedCON)
This document describes the hooking technique and the WHF project. Hooking makes it possible to intercept events, messages and function calls in order to modify the behaviour of applications and operating systems. WHF provides working examples of system-level and process-level hooks. Different hooking methods are detailed, such as event, message and function hooking in both user space and kernel space.
David Pérez y José Pico - I wanna jam it wid you [RootedSatellite Valencia] (RootedCON)
This document describes different techniques for performing denial of service against mobile telephony signals. It explains how specially crafted signals can jam 2G, 3G and 4G signals more effectively than white noise. For 2G, it suggests hiding the cells' synchronization information. For 3G, it proposes attacking the common pilot channel. For 4G, it recommends attacking the pilot carriers.
Pablo San Emeterio López & Jaime Sánchez – WhatsApp, mentiras y cintas de vid... (RootedCON)
This document presents a talk on security in instant messaging applications such as WhatsApp and Snapchat. The speakers discuss several security problems identified in these platforms, including the lack of encryption, the possibility of stealing identities and insecure data storage. They also show how they exploited technical vulnerabilities in the past to send unauthorized messages or steal users' conversations.
Aladdin Gurbanov – Magnetic Road [Rooted CON 2014] (RootedCON)
The document describes different types of cards, such as smart cards, RFID cards and magnetic stripe cards, explaining how they store and protect data. It also summarizes the possible attack vectors against cards and the defenses for them, as well as the services and costs associated with their use.
Leonardo Nve - Explotando cambios en servidores DNS [RootedSatellite Valencia] (RootedCON)
This document summarizes the techniques and tools used to intercept communications through DNS spoofing attacks and traffic redirection, such as SSLstrip. It describes how these techniques have been improved to capture more information and bypass obstacles such as HSTS, through the use of tools such as DNS2proxy and SSLstrip2. Finally, it concludes that although these techniques can be improved further, there are limitations, such as the potential loss of information and the need to study each target.
iOS Application Penetration Testing for Beginners (RyanISI)
This document provides an overview of iOS application penetration testing for beginners. It covers setting up a pen testing environment, understanding the iOS filesystem and Objective-C runtime, techniques for runtime analysis and manipulation, insecure data storage, side channel data leakage, analyzing URL schemes and network traffic, and secure coding guidelines. The agenda includes jailbreaking a device, installing useful tools like Cycript and class-dump, understanding the application sandbox and filesystem structure, runtime concepts in Objective-C, manipulating running applications using Cycript, insecure storage techniques like plist and NSUserDefaults, side channels like logs, snapshots and pasteboard, URL schemes, and analyzing network traffic using a proxy like Burp.
Jose M Mejia - Usando computación paralela GPU en malware y herramientas de h... (RootedCON)
The talk focuses on how, nowadays, anyone has within reach a GPU with significant parallel-processing capability, and on how both malware and the hacking tools that can make use of it (bruteforcers, fuzzers, password crackers....) may evolve. This is not about launching traditional threads via the CPU...
Manu Quintans & Frank Ruiz – 50 shades of crimeware [Rooted CON 2014] (RootedCON)
Manu Quintans and Frank Ruiz will be giving a presentation on cybercrime trends observed between 2013 and 2014. They will discuss the evolution of cybercrime activities and infrastructure, including the rise of point of sale malware targeting payment card data, new mobile malware using TOR anonymity networks, and the growing use of cryptocurrencies. They will provide a detailed example of the 2013 Target breach that resulted in over 70 million customer records being stolen. The presentation will include a demonstration of malware samples.
Pau Oliva – Bypassing wifi pay-walls with Android [Rooted CON 2014] (RootedCON)
The document discusses bypassing WiFi paywalls and typical solutions used for WiFi paywalls. It describes weaknesses in typical implementations, including spoofing MAC and IP addresses. It then presents a shell script to exploit these weaknesses by searching for authenticated hosts and testing internet access. Finally, it discusses porting this approach to Android and provides recommendations for mitigating these attacks, such as using proper layer 2 isolation and restricting MAC addresses.
The document provides an overview of Fortify on Demand (FoD) security assessments. It summarizes that FoD offers automated static and dynamic application security testing through their analysis tools and security experts. It provides concise summaries of their baseline, standard, and premium assessment levels that vary in coverage, user accounts tested, and inclusion of manual security testing. The document highlights some customer success stories and commonalities that organizations achieving success have in developing a secure software development lifecycle.
Jose Selvi - Adaptando exploits para evitar la frustración [RootedSatellite V... (RootedCON)
The document describes how to adapt an exploit for a vulnerability (CVE-2012-6096) in a program (history.cgi) so that it works on a different target system. It explains how to debug the CGI program, identify the return address and the addresses of functions such as system() and exit(), and build a ROP chain to execute commands with system privileges despite protections such as ASLR and NX.
Raul Siles - iOS: Regreso al futuro [Rooted CON 2014] (RootedCON)
This document discusses manipulating the iOS update process without a BootROM exploit. It notes that iOS 5 introduced over-the-air software updates and backup via WiFi. The iOS OTA update process uses HTTP to download update files from Apple servers, including a plist file listing URLs for the iOS version files. The document explores if this update process could be manipulated without a new BootROM exploit.
This document summarizes the first edition of Rooted Satellite in Valencia. Rooted Satellite aims to bring the Rooted security conferences to other cities so that more people can attend. The document explains why Valencia was chosen and the next steps for evaluating the event's success and deciding on future editions.
Jorge Bermúdez - Botnets y troyanos: los artículos 197 y 264 CP llevados a la... (RootedCON)
This document contains several articles on Articles 197 and 264 of the Spanish Criminal Code (Código Penal), which relate to computer crimes such as botnets, trojans and damage to computer systems. Practical problems and contentious scenarios in the application of these articles are discussed, and illustrative images and cartoons are included.
Javier Saez - Una panorámica sobre la seguridad en entornos web [rootedvlc2] (RootedCON)
This document presents a guide to security in web environments. It explains common vulnerabilities such as XSS, SQL injection and insecure references. It details good practices such as properly filtering user-supplied data and using up-to-date software versions. It also recommends tools for vulnerability testing and sites for practicing. The goal is to raise security awareness among web developers.
I Want More Ninja – iOS Security Testing (Jason Haddix)
The document provides instructions for setting up an iOS application testing lab, including recommended hardware, software, and tools for both MacBooks and PCs. It discusses jailbreaking iOS devices to gain root access, installing useful packages and utilities, and exploring application directories and data stores to find vulnerabilities like insecure data storage or client-side injection issues.
Cesar Lorenzana - Picoletos en Rootedland [RootedSatellite Valencia] (RootedCON)
This document presents an introduction to the Grupo de Delitos Telemáticos (GDT) of the police in Valencia, Spain. The GDT investigates cybercrime and provides technical support to other police units. The document briefly describes the GDT's functions, which include digital evidence analysis and both technological and classic investigation, and identifies several of the GDT's communication channels.
Chema Alonso - Dorking, Pentesting & Hacking con Android Apps [rootedvlc2] (RootedCON)
If you had a Big Data store of 4.3 million Android apps with all their information broken down, indexed, catalogued and available for analysis… what could you do?
In this session we will see how a Big Data store with these capabilities can be used to build something similar to Shodan or to Hacking with Search Engines (Hacking con Buscadores).
Examples and demos of how to create dorks for pentesting companies, and which hacking tricks can be exploited with this information.
The document discusses the OWASP Mobile Top 10 security risks for 2014. It begins by introducing the OWASP Mobile Security Project and its goal of maintaining a list of the most critical risks for mobile applications. The document then lists the top 10 risks for both 2012 and 2014, providing more details on each of the 2014 risks, including weak server-side controls, insecure data storage, insufficient transport layer protection, unintended data leakage, poor authorization and authentication, broken cryptography, client-side injection, security decisions via untrusted inputs, improper session handling, and lack of binary protections. It also recommends some vulnerable mobile apps that can be used for hands-on practice.
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed? (NowSecure)
Originally presented on January 23, 2018
A comprehensive analysis of iOS and Android apps found that a staggering 85% of those apps fail one or more of the OWASP Mobile Top 10 criteria. Given that the average mobile device has over 89 mobile apps on it, what are the odds your employees have one or more of the apps and what’s the real risk to your business?
Mobile apps power productivity in the modern business; don’t let a few bad apps bring it down.
Сергей Харюк (Ukraine). Security testing of applications on the iOS platform (KazHackStan)
This document outlines a presentation on testing the security of iOS applications. It discusses the iOS security architecture including the kernel, secure enclave, and application sandboxing. It then covers tools for analyzing apps like dumpdecrypted, IDA, Hopper, Frida, and idb. The document lists the OWASP top 10 mobile risks and provides examples of vulnerabilities found in various mobile apps during security research, including issues with insecure communication, data storage, authorization and cryptography. Case studies are presented on vulnerabilities discovered in apps like MyPay, HomeBank, KolesaKz and others.
MBFuzzer : MITM Fuzzing for Mobile ApplicationsFatih Ozavci
MBFuzzer is a mobile application fuzzer that aims to find security vulnerabilities by simulating man-in-the-middle attacks and injecting corrupt responses. It works by setting up as a proxy to intercept traffic between mobile apps and servers, parsing responses, and fuzzing responses in real-time by manipulating variables, data types, and file formats. The goal is to uncover memory corruptions, SQL injections, cross-site scripting flaws, and other issues. An initial proof of concept released on June 1, 2013 with plans to expand functionality by adding fake service emulation, flow manipulation tests, and fuzzing for additional issues.
this is a short awareness talk in one of OWASP MEETUP sessions in University Kuala Lumpur, Malaysia, discussing about Android application penetration testing and how to discover potential vulnerabilities
The document summarizes the key findings of a report analyzing 126 popular mobile health and finance apps. It found that while consumers and executives believe their apps are secure, 90% of apps tested had at least two of the top 10 mobile security risks as defined by OWASP. Specifically, 98% lacked binary protections and 83% had insufficient transport layer protection. The document then outlines the 10 most critical mobile security risks according to OWASP, including improper platform usage, insecure data storage, insecure communication, and extraneous functionality.
Mobilination Ntymoshyk Personal Mobile Security Final PublicTjylen Veselyj
Your mobile device contains a vast amount of personal information and is vulnerable to many security threats. Major mobile threats include resource abuse attacks, social engineering attacks, and mobile malware that can spy on phone calls, read messages and emails, track location, and more. Weaknesses in application permissions, hardware design with poor screens and controls, SMS security, and mobile browsers also pose risks. Staying safe requires controlling your wireless environment, password protecting your device and changing passwords regularly, using antivirus and anti-malware software, and regularly updating your device and applications. It is important to be aware of security risks and take personal responsibility for protecting corporate information.
The OWASP Top 10 for Mobile Apps is highly focused on security checks for your mobile apps.
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications.
This document summarizes the top 10 mobile security risks according to the OWASP Mobile Security Project. It introduces the mobile threat model and discusses each of the top 10 risks, including weak server-side controls, insecure data storage, insufficient transport layer protection, unintentional data leakage, poor authentication and authorization, broken cryptography, client-side injection, security decisions via untrusted inputs, improper session handling, and lack of binary protections. Best practices for addressing these risks are also provided.
Top 10 mobile security risks - Khổng Văn CườngVõ Thái Lâm
The document summarizes the top 10 mobile security risks according to the OWASP Mobile Security Project. It introduces the mobile threat model and discusses each of the top 10 risks, including weak server-side controls, insecure data storage, insufficient transport layer protection, unintentional data leakage, poor authorization and authentication, broken cryptography, client-side injection, security decisions via untrusted inputs, improper session handling, and lack of binary protections. Best practices for addressing these risks are also provided.
The document discusses security risks in SAP systems and how cryptographic solutions can address them. It describes how technologies like secure single sign-on (SSO), encryption of data communications through Secure Network Communication (SNC), and digital signatures of documents through SAP's Secure Signature Framework (SSF) can authenticate users, encrypt data transmissions, and digitally sign files. The presentation provides examples of how these cryptographic methods have been implemented for SAP systems to facilitate secure access, communications, and document signing.
Symosis mobile application security risks presentation at ISACA SV. The presentation top 3 covers mobile application security risks and helps you prioritize your risk remediation efforts
This document discusses security risks associated with mobile apps. It begins with an introduction to the presenters and an overview of the growth of mobile apps and associated security concerns. It then identifies the top 3 risks as side channel data leakage, insecure transport and server controls, and insecure data storage. Examples are provided for each. The document recommends countermeasures like secure programming practices, encryption of data, and secure design principles. It also discusses strategies for mobile security including mobile information management, mobile application management, and mobile device management and the challenges associated with each.
Hwee Ming Ng, Red Hat, Abhilash Vijayakumary, Red Hat
Telco over Cloud is rapidly changing the telecommunications industry landscape by introducing cloud computing, virtualization paradigms and software approaches already in use and mature in traditional IT environments. While designing the cloud solutions for telco infrastructure understanding its information security risks and mitigation strategies are critical. Legacy approaches are inadequate, this session intends to help the operators to build and approach a telco cloud solution with the right cloud security knowledge.
In this session we intend to explain the principle technologies of telco cloud based systems and strategies for safeguarding/classifying data, ensuring privacy and ensuring compliance with regulatory agencies for telco operators. We will also describe the role of encryption in protecting data and specific strategies for key management as well as how to select an appropriate solution to specific business requirements which are in well alignment with cloud based business continuity / disaster recovery strategies. We will also compare baseline and industry standard best practices by doing risk assessments of existing and proposed cloud-based environments.
Additionally, presentation will focus on specific technologies like virtual firewalls, security zones, virtual tenant networks and their mapping to various use cases/challenges which an operator faces while designing the telco cloud.
Mobile Application Security Threats through the Eyes of the Attackerbugcrowd
As an active security researcher with immense professional expertise in application security, Jason Haddix joins us to explain the common attack vectors that face today’s mobile applications -- from a hacker’s perspective.
Nowadays, like the technology itself, hacking activities against mobile phone is growing very rapidly, both for mobile devices (operating system) or mobile applications, some applications providers even dedicate a penetration testing activity for applications that they created right before it gets released to the public, while others open a bug bounty programs, and sadly the rest just watch and do nothing.
On the other side, malware developer arround the world also already move their main target and has been developing malware to take over the mobile devices which surely keep all our personal/private and our work, some of it even make us to pay for getting it back.
This talks will be focusing more on the trend of mobile device security lately, mobile security penetration testing activity, also in practice, showing several types of common weaknesses/vulnerabiliies within the mobile applications and how the exploitation is done by the attacker, malware is created and planted, until it is successfully to take over the target mobile device.
This document summarizes a presentation on mobile application security risks given by Mennouchi Islam Azeddine. The presentation covered the OWASP Mobile Security Project, a mobile threat model, and the top 10 mobile risks. It discussed each risk in the top 10 list, including insecure data storage, weak server-side controls, insufficient transport layer protection, client-side injection, poor authorization and authentication, improper session handling, security decisions via untrusted inputs, side channel data leakage, broken cryptography, and sensitive information disclosure. For each risk, examples were provided and prevention tips were outlined.
This document discusses mobile security and provides an overview of attacks and defenses. It begins with an introduction to common mobile security issues like weak storage of sensitive data. Examples are given covering threats to mobile e-commerce, banking, and social applications. The document also outlines the mobile threat landscape, including attacks that don't require jailbreaking, and privacy risks. It concludes with a discussion of technology trends in mobile architectures and the complexity of securing the mobile environment.
Similar to Mobile Malfeasance - Exploring Dangerous Mobile Vulnerabilities (20)
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Building RAG with self-deployed Milvus vector database and Snowpark Container...Zilliz
This talk will give hands-on advice on building RAG applications with an open-source Milvus database deployed as a docker container. We will also introduce the integration of Milvus with Snowpark Container Services.
2. About the Presenter
• Jason Haddix (@jhaddix)
• Director of Penetration Testing at HP/Fortify on their ShadowLabs team.
• Previously worked in HP’s Professional Services as a security consultant, and as an engineer & pen tester for Redspin.
• Frequent attendee, presenter, & CTF participant at security cons such as Defcon, BlackHat, Brucon, DerbyCon, etc.
• Contributor/columnist to PentesterScripting.com, Ethicalhacker.net, and Hakin9 magazine.
3. Overview
• Trends and the need for mobile appsec
• Overview of threat landscape
• Classifying vulnerabilities and exploring metrics
• Threat modeling and risk profiling mobile apps
• Exploring a few high risk areas
• The mobile app SDLC
• Fortify on Demand’s Testing Methods for QA and Security Groups
• Resources for development and QA teams facing mobile security
4. Trends and Threats | Adoption
• Global mobile data traffic will increase 26-fold between 2010 and 2015
• Two-thirds of the world’s mobile data traffic will be video by 2015
• There will be nearly one mobile device per capita by 2015 (~6 billion)
Data from Smart Insights, 2011
6. Why do we care?
• Your critical business applications face the Internet
• Regulations and Standards (PCI, HIPAA, SOX, etc.)
• More than 60% of applications have serious flaws
9. Same Old Server
Information
Operations Software
Security Services
10. Mobile Application Security Challenges
• Difficult to train and retain staff - very difficult to keep skills up-to-date
• Constantly changing environment
• New attacks constantly emerge
• Compliance Requirements
• Too many tools for various results
• Apps are getting launched on a daily basis with Security not being involved.
• Junior Developers are typically the ones creating the apps.
11. How you see your world
Get Sales Data
Get the username
Get the password
Edit my account
Remember the User
Generate Reports
12. How an attacker sees your world
Insufficient Data Storage
SQL Injection
Data Leakage
Cross Site Scripting
Sensitive Information Disclosure
Improper Session Handling
Weak Server Side Controls
Client Side Injection
14. OWASP Mobile Top 10 Risks
M1 – Insecure Data Storage
M2 – Weak Server Side Controls
M3 – Insufficient Transport Layer Protection
M4 – Client Side Injection
M5 – Poor Authorization and Authentication
M6 – Improper Session Handling
M7 – Security Decisions via Untrusted Inputs
M8 – Side Channel Data Leakage
M9 – Broken Cryptography
M10 – Sensitive Information Disclosure
15. OWASP Mobile Top 10 Risks
M1 – Insecure Data Storage:
• SQLite
• Logging
• Plist Files
• Manifest Files
• Binary data stores
• SD Card Storage
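An assessor's check for the M1 storage locations above, as an added example (not the presenter's or HP's code): it builds a constructed Android app sandbox with a SQLite database, a SharedPreferences XML file and a log, then reports every credential-like field stored in cleartext. All paths, table names, keys and values are constructed for the example.

```python
"""Scan an extracted Android app data directory for cleartext secrets (M1).

Constructed sample of three storage locations the slide names (SQLite,
SharedPreferences XML, log file); every value below is fake.
"""
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Column / preference names that usually hold secrets (case-insensitive).
SENSITIVE_KEYS = re.compile(r"pass(word|wd)?|pin|token|secret|session|api_?key|auth", re.I)
# Log lines that carry a credential in cleartext, e.g. "password=...".
LOG_PATTERN = re.compile(r"(password|token|pin)\s*[=:]\s*\S+", re.I)

def build_sample_app_dir(root):
    """Create a constructed app sandbox under `root` (databases/, shared_prefs/, a log)."""
    os.makedirs(os.path.join(root, "databases"))
    os.makedirs(os.path.join(root, "shared_prefs"))
    db = sqlite3.connect(os.path.join(root, "databases", "app.db"))
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice', 'Summer2012!')")
    db.commit()
    db.close()
    with open(os.path.join(root, "shared_prefs", "login.xml"), "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
                '  <string name="username">alice</string>\n'
                '  <string name="session_token">tok-constructed-0001</string>\n'
                '  <boolean name="remember_me" value="true" />\n</map>\n')
    with open(os.path.join(root, "app.log"), "w") as f:
        f.write("I/LoginActivity: user=alice password=Summer2012!\n"
                "D/Net: GET /api/v1/me 200\n")

def scan_sqlite(path):
    """Report values of sensitive-looking columns in every table of the database."""
    findings = []
    conn = sqlite3.connect(path)
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        # PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk).
        for col in [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]:
            if SENSITIVE_KEYS.search(col):
                # Identifiers come from sqlite_master of the file under review, so
                # double-quoting them is sufficient here.
                for (value,) in conn.execute(f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL'):
                    findings.append(("sqlite", f"{table}.{col}", str(value)))
    conn.close()
    return findings

def scan_shared_prefs(path):
    """Report sensitive-looking keys in a SharedPreferences XML file."""
    findings = []
    for elem in ET.parse(path).getroot():
        name = elem.get("name", "")
        if SENSITIVE_KEYS.search(name):
            # <string> keeps the value as text; <boolean>/<int> keep it in a value attribute.
            value = elem.text if elem.text is not None else elem.get("value", "")
            findings.append(("shared_prefs", name, value))
    return findings

def scan_log(path):
    """Report log lines that contain a credential."""
    findings = []
    with open(path) as f:
        for lineno, line in enumerate(f, 1):
            if LOG_PATTERN.search(line):
                findings.append(("log", f"line {lineno}", line.strip()))
    return findings

def scan_app_dir(root):
    """Walk an app data directory and dispatch each file to the matching scanner."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".db"):
                findings.extend(scan_sqlite(path))
            elif os.path.basename(dirpath) == "shared_prefs" and name.endswith(".xml"):
                findings.extend(scan_shared_prefs(path))
            elif name.endswith(".log"):
                findings.extend(scan_log(path))
    return findings

def demo():
    """Build the sample sandbox in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_app_dir(root)
        return scan_app_dir(root)

if __name__ == "__main__":
    for source, location, value in demo():
        print(f"[M1] {source}: {location} -> {value}")
```

Point `scan_app_dir()` at a real extracted `/data/data/<package>/` copy to review an app you own; the username field is deliberately not reported so the key list shows its false-negative boundary.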
16. OWASP Mobile Top 10 Risks
M2 – Weak Server Side Controls:
• EVERYTHING in the OWASP Top 10
17. OWASP Mobile Top 10 Risks
M3 – Insufficient Transport Layer Protection:
• Insecure SSL encryption
• Unsigned and unforced certificate validation
18. OWASP Mobile Top 10 Risks
M4 – Client Side Injection:
• SQLite Injection
• XSS via Webview
• LFI
• Etc.
19. OWASP Mobile Top 10 Risks
M5 – Poor Authorization and Authentication:
• Poor password complexity
• Account disclosure via Login or Forgot Password
20. OWASP Mobile Top 10 Risks
M6 – Improper Session Handling:
• Indefinite sessions
• Weak cookie “hashing”
• Home-rolled session management
• Using phone ID as part of session
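The M6 items above, side by side, as an added example (not the presenter's or HP's code): `weak_session_token()` is the weak pattern the slide describes (a cookie "hashed" from the phone ID, deterministic and never expiring), and `SessionStore` is a hardened server-side store with random tokens, hashed storage, and idle and absolute lifetimes. Class and function names, timeouts and device identifiers are constructed for the example.

```python
"""Session-handling anti-patterns from the slide beside a hardened store (M6)."""
import hashlib
import secrets
import time

def weak_session_token(username, device_id):
    """Weak pattern: the same user on the same device always gets the same token,
    so anyone who learns the device ID can reproduce it, and there is nothing
    to expire or revoke."""
    return hashlib.md5(f"{username}:{device_id}".encode()).hexdigest()

class SessionStore:
    """Server-side sessions with random opaque tokens and bounded lifetimes."""

    def __init__(self, idle_timeout=15 * 60, absolute_timeout=8 * 3600, clock=time.time):
        self.idle_timeout = idle_timeout          # seconds of inactivity allowed
        self.absolute_timeout = absolute_timeout  # seconds since login allowed
        self.clock = clock                        # injectable for testing
        self._sessions = {}                       # sha256(token) -> session record

    @staticmethod
    def _key(token):
        # Store only a hash: a leaked session table does not yield live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, username):
        """Issue a fresh 256-bit token from the OS CSPRNG; no device data involved."""
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[self._key(token)] = {"user": username, "created": now, "last_seen": now}
        return token

    def validate(self, token):
        """Return the username for a live token, or None if unknown or expired."""
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        now = self.clock()
        if (now - session["created"] > self.absolute_timeout
                or now - session["last_seen"] > self.idle_timeout):
            del self._sessions[key]  # expire instead of keeping indefinite sessions
            return None
        session["last_seen"] = now
        return session["user"]

    def revoke(self, token):
        """Server-side logout: the token stops working immediately."""
        self._sessions.pop(self._key(token), None)

def demo():
    """Exercise both patterns against a fake clock; returns a dict of named checks."""
    fake_now = [1_700_000_000.0]
    store = SessionStore(idle_timeout=900, absolute_timeout=3600, clock=lambda: fake_now[0])
    results = {}
    # Weak pattern: identical inputs give an identical "session".
    results["weak_is_predictable"] = (weak_session_token("alice", "IMEI-CONSTRUCTED-001")
                                      == weak_session_token("alice", "IMEI-CONSTRUCTED-001"))
    # Hardened: two logins by the same user get unrelated tokens.
    t1, t2 = store.create("alice"), store.create("alice")
    results["tokens_differ"] = t1 != t2
    results["valid_when_fresh"] = store.validate(t1) == "alice"
    # Changing one character of a token yields an unknown hash.
    bad = t2[:-1] + ("A" if t2[-1] != "A" else "B")
    results["tampered_rejected"] = store.validate(bad) is None
    store.revoke(t2)
    results["revoked_rejected"] = store.validate(t2) is None
    fake_now[0] += 600   # 10 min of inactivity: still inside the idle timeout
    results["valid_when_active"] = store.validate(t1) == "alice"
    fake_now[0] += 1000  # 16+ min of inactivity: idle timeout exceeded
    results["expired_after_idle"] = store.validate(t1) is None
    # Keeping a session active every 10 min does not defeat the absolute limit.
    t3 = store.create("bob")
    for _ in range(7):
        fake_now[0] += 600
        store.validate(t3)
    results["expired_after_absolute"] = store.validate(t3) is None
    return results

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```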
21. OWASP Mobile Top 10 Risks
M7 – Security Decisions via Untrusted Inputs:
• Inter-process communication
• Android intents
• iOS URL schemes
22. OWASP Mobile Top 10 Risks
M8 – Side Channel Data Leakage:
• Keystroke logging
• Screenshot caching
• Logs
• Temp files
23. OWASP Mobile Top 10 Risks
M9 – Broken Cryptography:
• Rolling your own crypto
• Antiquated crypto libraries
• Encoding != encryption
• Obfuscation != encryption
• Serialization != encryption
24. OWASP Mobile Top 10 Risks
M10 – Sensitive Information Disclosure:
• Hardcoded secrets! API keys, server-side database passwords, etc.
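A static check covering the M10 hardcoded secrets above and the "encoding != encryption" item from M9, as an added example (not the presenter's or HP's code): it scans a constructed snippet of decompiled app source for credential assignments and for string literals that are merely Base64 of a `user:password` pair, and reports each with its decoded value. The class, field names and every value are constructed for the example.

```python
"""Flag hardcoded secrets and Base64-"encrypted" credentials in app source (M9/M10)."""
import base64
import binascii
import re

# Assignments to identifiers that usually hold secrets.
ASSIGNMENT = re.compile(
    r'(?P<name>\w*(?:api_?key|secret|password|passwd|db_?pass|private_?key)\w*)'
    r'\s*=\s*"(?P<value>[^"]+)"', re.I)
# Quoted literals made only of Base64 alphabet characters (with optional padding).
B64_LITERAL = re.compile(r'"(?P<b64>[A-Za-z0-9+/]{16,}={0,2})"')
# Shape of a decoded blob that is really a credential: <user>:<secret>.
CREDENTIAL_SHAPE = re.compile(r"^[\w.@-]{1,64}:\S{4,128}$")

# Constructed sample of decompiled source; nothing here is from a real app.
SAMPLE_SOURCE = """\
// Constructed sample of decompiled app source (fake project, fake values)
package com.example.app;
public final class Config {
    static final String API_KEY = "CONSTRUCTED-EXAMPLE-API-KEY-0001";
    static final String API_HOST = "https://api.example.invalid";
    // "Encrypted" DB credentials -- really just Base64 of user:password
    static final String DB_CREDS = "YXBwdXNlcjpTdW1tZXIyMDEyIQ==";
    static final int TIMEOUT_MS = 3000;
}
"""

def decode_if_text(literal):
    """Return the decoded string if `literal` is valid Base64 of printable text, else None."""
    try:
        text = base64.b64decode(literal, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def scan_source(text, filename):
    """Return one finding dict per hardcoded secret or Base64-wrapped credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ASSIGNMENT.finditer(line):
            findings.append({"file": filename, "line": lineno, "kind": "hardcoded_secret",
                             "name": m.group("name"), "value": m.group("value")})
        for m in B64_LITERAL.finditer(line):
            # Encoding is reversible by anyone holding the binary; surface the plaintext.
            decoded = decode_if_text(m.group("b64"))
            if decoded and CREDENTIAL_SHAPE.match(decoded):
                findings.append({"file": filename, "line": lineno, "kind": "base64_credential",
                                 "name": m.group("b64"), "value": decoded})
    return findings

def demo():
    """Scan the constructed sample and return its findings."""
    return scan_source(SAMPLE_SOURCE, "Config.java")

if __name__ == "__main__":
    for f in demo():
        print(f"[{f['kind']}] {f['file']}:{f['line']} {f['name']} -> {f['value']}")
```

The `CREDENTIAL_SHAPE` filter keeps long camel-case identifiers that happen to be valid Base64 from being reported; widen it if the app under review wraps other kinds of secrets.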
26. Vulnerabilities by Risk
• Case study of 120 Mobile applications for 1 Enterprise client
• 234 vulnerabilities
• 66% of applications contained a critical or high vulnerability that:
  • Disclosed 1 or more users’ personal data
  • Exposed multiple users’ personal data
  • Compromised the application’s server
(Bar chart: vulnerability count by severity – Critical, High, Medium, Low, Informational; y-axis 0–90)
27. Vulnerabilities by OWASP Top 10 Category
(Bar chart: vulnerability count per category, x-axis M1–M10 and Other, y-axis 0–80. Legend: M1: Insecure Data Storage; M2: Weak Server Side Controls; M3: Insufficient Transport Layer Protection; M4: Client Side Injection; M5: Poor Authorization and Authentication; M6: Improper Session Handling; M7: Security Decisions Via Untrusted Inputs; M8: Side Channel Data Leakage; M9: Broken Cryptography; M10: Sensitive Information Disclosure)
28. Other?
• Poor Code Quality and Application Hardening
  • Unreleased Resources
  • No ASLR or Memory Management frameworks enabled.
• Privacy Leaks
  • UUID, Wifi, device names, geolocations, etc., leaked to Ad Agencies
30. Mobile SDLC
Security Foundations – Mobile Applications
Phases: Plan | Requirements | Architecture & Design | Build | Test | Production
• Plan: Mobile Security Development Standards; Mobile Application Security Process Design; Mobile Risk Dictionary; Mobile Security Policies
• Requirements: Application Specific Threat Modeling and Analysis
• Architecture & Design: Threat Modeling CBT for Developers
• Build: Mobile Secure Coding Training; Mobile Secure Coding Standards Wiki; Static Analysis
• Test: Mobile Application Security Assessment (Static, Dynamic, Server, Network, Client)
• Production: Mobile Firewall; MDM
31. How do we get started?
1. Find your published apps
2. Threat model them based on the information they handle
3. Assess and fix published apps
4. Give resources to developers to write secure code
32. Threat Modeling a Mobile App
Identify business objectives:
• Identify the data the application will use
• PII vs Non-PII
• Credentials & access
• Where is it stored?
• Payment information?
Types of data at risk with a mobile app:
• Usernames & Passwords
• UDID
• Geolocation/address/zip
• DoB
• Device Name
• Network Connection Name
• Credit Card Data or Account Data
• Updates to Social media
• Chat logs
• Cookies
• Etc…
41. Other Resources for QA, Security Managers, and Devs
• Fortify’s 7 Ways to Hang Yourself with Android Presentation
• Fortify on Demand’s iOS Penetration Testing Presentation
• Fortify’s VulnCAT
43. Other Resources
• OWASP Top 10 Mobile Risks Page
• OWASP IOS Developer Cheat Sheet
• Google Android Developer Security Topics 1
• Google Android Developer Security Topics 2
• Apple's Introduction to Secure Coding
45. Parting Thoughts
• Remember that mobile sites face the Internet as well; obscurity != security
• Web teams and mobile teams are often not the same; mobile development teams are often behind in security training
• Track the data flow; threat modeling / risk assessment
• Start with Risk Profiling and exposure (deployed apps)
• It all starts with the code; coding standards are pivotal
46. Parting Thoughts II
• Give developers prescriptive guidance, show with examples
• Don’t store it (PII) at all if you don’t need to
• If you have a 3rd party dev team, deploy a contract that enforces coding based on secure mobile dev standards
• Mobile Device Management (MDM) is not a substitute for secure code
• Finally, don’t be intimidated by “mobile”; the same fundamentals are still in play