Tyler Shields, profile picture
Uploaded byTyler Shields
234 views

More Apps More Problems

The document discusses risk and defines it as the possibility of loss or injury. It then discusses crowd sourcing security testing and outlines some of the current inadequate solutions such as expensive security consultants, tools that don't scale, and developers who prioritize functionality over security. The document then summarizes the results of analyzing over 53,000 Android applications, finding most request GPS and contact permissions and lists the top third party libraries used. It concludes by proposing a whitelisting approach to security testing using static analysis and an unbiased third party.

Embed presentation

Risk - noun `risk The possibility of loss or injury
• • • • • • • • • • • • • • • • • • • • •
• • • • • • • • • • • • • • • • •
• • • • •
• • • • • •
• • • • •
• • • • • • •
• • • • • •
• • • •
• ‣ ‣ • ‣ ‣
• ‣ • ‣ ‣
• ‣ ‣ •
Crowd Sourced Current Solutions Inadequate Internal Teams Developers Dev Site A Dev Site B Security Consultants • Very expensive • In short supply iPhone • Time to results too long Dev Site C Apps Crowd Internal Sourcing Tools • Do not scale across sites Open 3rd Party • Very high noise ratio Source Open Software Software Vendors • Can not test 3rd party code Source SYMC MSFT • Separation of duties issue Outsourced Developers Offshore • Do not know how to write Oracle secure code Provider • Prioritize time-to-ship, functionality over security Processes • Difficult to implement Eastern China • Years to fine tune Europe India • Low adoption (< 1% of US Contractors companies CMMI Level 5 certified) Unknown Skills
53,000 Applications Analyzed  Android Market: ~48,000  3rd Party Markets: ~5,000 Permissions Requested  Average: 3  Most Requested: 117 Top “Interesting” Permissions  GPS information: 24% (11,929)  Read Contacts: 8% (3,626)  Send SMS: 4% (1,693)  Receive SMS: 3% (1262)  Record Audio: 2% (1100)  Read SMS: 2% (832)  Process Out Calls: 1% (323)  Use Credentials : 0.5% (248)
52,000 Applications Analyzed • Android Market: • 3rd Party Markets: Third Party Libraries • Total Third Party Libraries: • Top Shared Libraries - - - - - - - -
• • ‣ • •
• • •
Whitelisting • Conduct static analysis of candidate applications • Create a whitelist • Use an unbiased 3rd party • Enforcement via mobile policy
More Apps More Problems
More Apps More Problems

More Related Content

PDF
IT Hot Topics - Mobile Security Threats at Every Layer
byTyler Shields
 
PPT
Security Best Practices for Mobile Development @ Dreamforce 2013
byTom Gersic
 
PDF
CarolinaCon 2005 Web Application Hacking 101
byTyler Shields
 
PPTX
2011 celebration
bymhmayer
 
PPTX
Defending Behind the Mobile Device
byTyler Shields
 
PDF
Owasp Ireland - The State of Software Security
byTyler Shields
 
PDF
Shmoocon 2010 - The Monkey Steals the Berries
byTyler Shields
 
PDF
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
byTyler Shields
 
IT Hot Topics - Mobile Security Threats at Every Layer
byTyler Shields
 
Security Best Practices for Mobile Development @ Dreamforce 2013
byTom Gersic
 
CarolinaCon 2005 Web Application Hacking 101
byTyler Shields
 
2011 celebration
bymhmayer
 
Defending Behind the Mobile Device
byTyler Shields
 
Owasp Ireland - The State of Software Security
byTyler Shields
 
Shmoocon 2010 - The Monkey Steals the Berries
byTyler Shields
 
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
byTyler Shields
 

Similar to More Apps More Problems

PDF
Dirty Little Secret - Mobile Applications Invading Your Privacy
byTyler Shields
 
PPT
Challenges in adopting_mobility_v2
byBalaji Singh
 
PPT
Challenges in adopting_mobility_v2
byBalaji Singh
 
PDF
1st day 3 - agility vs risk
byLilian Schaffer
 
PPTX
Modern Apps and App Lifecycle
byMarc Hoppers
 
PPTX
OSSCube - Zend Webinar
byOSSCube
 
PPTX
Collaborative lifecycle development for Mobile Software
byIBM WebSphereIndia
 
PPTX
Collaborative lifecycle development for Mobile Software
byIBM Software India
 
PDF
Introduction to IBM Worklight: Building and connecting cross-platform mobile ...
byJeremy Siewert
 
PDF
Collaborative Lifecycle Managmenent - an Introduction
byStrongback Consulting
 
PDF
How to Introduce Continuous Delivery
byDr. Alexander Schwartz
 
PDF
Enterprise mobility solutions & systems
byInfosys
 
PPTX
Bug deBug Chennai 2012 Talk - Future of testing impact of mobile devices by S...
byRIA RUI Society
 
PPSX
Modern BPM for Process Innovation
byAppian
 
PDF
IBM Presentation for Mobile Developer Summit India
byLeigh Williamson
 
PDF
How to scale enterprise mobility and improve roi
byApperian
 
PDF
Pulse 2013: DevOps Review and Roadmap
byDaniel Berg
 
PPT
PCTY 2012, Developing for Mobile Enterprise Application Platform v. Peter Eibak
byIBM Danmark
 
PDF
Agile EE2011 holistic devployment
byPiotr Zolnierek
 
PPTX
Codestrong 2012 breakout session mobile platform and infrastructure
byAxway Appcelerator
 
Dirty Little Secret - Mobile Applications Invading Your Privacy
byTyler Shields
 
Challenges in adopting_mobility_v2
byBalaji Singh
 
Challenges in adopting_mobility_v2
byBalaji Singh
 
1st day 3 - agility vs risk
byLilian Schaffer
 
Modern Apps and App Lifecycle
byMarc Hoppers
 
OSSCube - Zend Webinar
byOSSCube
 
Collaborative lifecycle development for Mobile Software
byIBM WebSphereIndia
 
Collaborative lifecycle development for Mobile Software
byIBM Software India
 
Introduction to IBM Worklight: Building and connecting cross-platform mobile ...
byJeremy Siewert
 
Collaborative Lifecycle Managmenent - an Introduction
byStrongback Consulting
 
How to Introduce Continuous Delivery
byDr. Alexander Schwartz
 
Enterprise mobility solutions & systems
byInfosys
 
Bug deBug Chennai 2012 Talk - Future of testing impact of mobile devices by S...
byRIA RUI Society
 
Modern BPM for Process Innovation
byAppian
 
IBM Presentation for Mobile Developer Summit India
byLeigh Williamson
 
How to scale enterprise mobility and improve roi
byApperian
 
Pulse 2013: DevOps Review and Roadmap
byDaniel Berg
 
PCTY 2012, Developing for Mobile Enterprise Application Platform v. Peter Eibak
byIBM Danmark
 
Agile EE2011 holistic devployment
byPiotr Zolnierek
 
Codestrong 2012 breakout session mobile platform and infrastructure
byAxway Appcelerator
 

More from Tyler Shields

PDF
The New Mobile Landscape - OWASP Ireland
byTyler Shields
 
PDF
Avoiding the Pandora Pitfall
byTyler Shields
 
PPTX
Social and Mobile and Cloud - OH MY!
byTyler Shields
 
PPTX
Social Media Basics: Security Loopholes with Twitter & Other Social Media
byTyler Shields
 
PDF
Survey of Rootkit Technologies and Their Impact on Digital Forensics
byTyler Shields
 
PDF
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
byTyler Shields
 
PDF
Source Boston 2010 - The Monkey Steals the Berries Part Deux
byTyler Shields
 
PDF
Software Developers Forum 2010 - The Monkey Steals the Berries
byTyler Shields
 
PDF
Raleigh ISSA 2010 - The Monkey Steals the Berries
byTyler Shields
 
PDF
Static Detection of Application Backdoors
byTyler Shields
 
PDF
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
byTyler Shields
 
PDF
Anti-Debugging - A Developers View
byTyler Shields
 
PDF
Praetorian Veracode Webinar - Mobile Privacy
byTyler Shields
 
PDF
IT Hot Topics 2010 - The Coming Wave of Smartphone Attacks
byTyler Shields
 
PDF
iSec Forum NYC - Smartphone Backdoors an Analysis of Mobile Spyware
byTyler Shields
 
PPTX
IQT 2010 - The App Does That!?
byTyler Shields
 
PDF
Triangle InfoSecCon - Detecting Certified Pre-Owned Software and Devices
byTyler Shields
 
PDF
GovCert.NL - The Monkey Steals The Berries
byTyler Shields
 
PPTX
Intelligence on the Intractable Problem of Software Security
byTyler Shields
 
PDF
The Coming Wave of Smartphone Attacks - Texas DIR
byTyler Shields
 
The New Mobile Landscape - OWASP Ireland
byTyler Shields
 
Avoiding the Pandora Pitfall
byTyler Shields
 
Social and Mobile and Cloud - OH MY!
byTyler Shields
 
Social Media Basics: Security Loopholes with Twitter & Other Social Media
byTyler Shields
 
Survey of Rootkit Technologies and Their Impact on Digital Forensics
byTyler Shields
 
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
byTyler Shields
 
Source Boston 2010 - The Monkey Steals the Berries Part Deux
byTyler Shields
 
Software Developers Forum 2010 - The Monkey Steals the Berries
byTyler Shields
 
Raleigh ISSA 2010 - The Monkey Steals the Berries
byTyler Shields
 
Static Detection of Application Backdoors
byTyler Shields
 
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
byTyler Shields
 
Anti-Debugging - A Developers View
byTyler Shields
 
Praetorian Veracode Webinar - Mobile Privacy
byTyler Shields
 
IT Hot Topics 2010 - The Coming Wave of Smartphone Attacks
byTyler Shields
 
iSec Forum NYC - Smartphone Backdoors an Analysis of Mobile Spyware
byTyler Shields
 
IQT 2010 - The App Does That!?
byTyler Shields
 
Triangle InfoSecCon - Detecting Certified Pre-Owned Software and Devices
byTyler Shields
 
GovCert.NL - The Monkey Steals The Berries
byTyler Shields
 
Intelligence on the Intractable Problem of Software Security
byTyler Shields
 
The Coming Wave of Smartphone Attacks - Texas DIR
byTyler Shields
 

Recently uploaded

PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
PDF
apidays Paris 2025 | Zero Trust By Design
byapidays
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
final.pdf
byomarbishtawi04
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
apidays Paris 2025 | Zero Trust By Design
byapidays
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
final.pdf
byomarbishtawi04
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
apidays New York 2025 | AI in Application Security
byapidays
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 

More Apps More Problems

  • 4.
    Risk - noun`risk The possibility of loss or injury
  • 5.
    • • • • • • • • • • • • • • • • • • • •
  • 6.
    • • • • • • • • • • • • • • • •
  • 10.
  • 11.
  • 12.
  • 13.
  • 17.
    • • • • •
  • 18.
  • 19.
    ‣ ‣ • ‣ ‣
  • 20.
    ‣ • ‣ ‣
  • 26.
    ‣ ‣ •
  • 30.
    Crowd Sourced Current Solutions Inadequate Internal Teams Developers Dev Site A Dev Site B Security Consultants • Very expensive • In short supply iPhone • Time to results too long Dev Site C Apps Crowd Internal Sourcing Tools • Do not scale across sites Open 3rd Party • Very high noise ratio Source Open Software Software Vendors • Can not test 3rd party code Source SYMC MSFT • Separation of duties issue Outsourced Developers Offshore • Do not know how to write Oracle secure code Provider • Prioritize time-to-ship, functionality over security Processes • Difficult to implement Eastern China • Years to fine tune Europe India • Low adoption (< 1% of US Contractors companies CMMI Level 5 certified) Unknown Skills
  • 31.
    53,000 Applications Analyzed Android Market: ~48,000  3rd Party Markets: ~5,000 Permissions Requested  Average: 3  Most Requested: 117 Top “Interesting” Permissions  GPS information: 24% (11,929)  Read Contacts: 8% (3,626)  Send SMS: 4% (1,693)  Receive SMS: 3% (1262)  Record Audio: 2% (1100)  Read SMS: 2% (832)  Process Out Calls: 1% (323)  Use Credentials : 0.5% (248)
  • 33.
    52,000 Applications Analyzed •Android Market: • 3rd Party Markets: Third Party Libraries • Total Third Party Libraries: • Top Shared Libraries - - - - - - - -
  • 35.
    • • ‣ • •
  • 36.
  • 37.
    Whitelisting • Conduct static analysis of candidate applications • Create a whitelist • Use an unbiased 3rd party • Enforcement via mobile policy