Mobile Security Essentials
Null Singapore
31.07.2018
Sven Schleier, Ryan Teoh
Agenda
• OWASP Mobile Security Project
• Mobile AppSec Verification Standard (MASVS)
• Automation of the MASVS
• Mobile Security Testing Guide (MSTG)
• Reverse Engineering of Mobile Apps
# /usr/bin/whoami
• Hi everyone, my name is Sven
• Managing Principal Consultant at Vantage Point Security
• Professional Penetration tester since 2010
• Security Architect for Web and Mobile Apps during SDLC
• One of the project leaders for:
• OWASP Mobile Security Testing Guide (MSTG) and
• Mobile AppSec Verification Standard (MASVS)
Why Mobile Application Security?
Attack Surface (layers): Physical, Network, HTTP(s), Application
• It all started with Network & Physical Security
• Protecting the perimeter
• Ensuring endpoints are secure
• Application Security plays an important part
• But, different skills are required to support Mobile Application Security
Why Mobile Application Security?
Mobile Applications are different compared to Web Apps:
Different Attack Surface (examples)
Interaction with the OS through APIs or other apps through IPC
Local Storage
Local Authentication (scanning fingerprint/face/iris)
Reverse Engineering
Why Mobile Application Security?
Mobile Applications are different compared to Web Apps:
Different Vulnerabilities (examples)
Disclosure of sensitive data on the mobile device, through
• Storing data in cleartext
• Logging
• Exposing in memory
Build settings and code quality
What about CSRF?
What about XSS?
Don't blindly trust your scanning tool's output!
Why Mobile Application Security?
Mobile Applications are different compared to Web Apps:
https://twitter.com/natashenka/status/941737682803159040
OWASP Mobile Security Project – Our “Products”
• Mobile Security Testing Guide: around 550+ pages, free ebook (https://leanpub.com/mobile-security-testing-guide), hardcopy printed book (soon)!
• Mobile AppSec Verification Standard: PDF download (https://github.com/OWASP/owasp-masvs/releases)
• Mobile AppSec Checklist: Excel ☹ (https://github.com/OWASP/owasp-mstg/tree/master/Checklists)
OWASP Mobile Application Security Verification Standard (MASVS)
• Started as a fork of the OWASP ASVS
• Formalizes best practices
• Mobile-specific, high-level, OS-agnostic
OWASP Mobile Application Security Verification Standard (MASVS)
V2: Data Storage and Privacy Requirements
OWASP Mobile Application Security Verification Standard (MASVS)
Opinions, opinions, opinions…
OWASP Mobile Application Security Verification Standard (MASVS)
https://github.com/OWASP/owasp-masvs/issues/117
Opinions, opinions, opinions…
OWASP Mobile Application Security Verification Standard (MASVS)
Our Philosophy
44 Security Requirements (Level 1)
18 Defense-in-Depth Measures (Level 2)
12 Anti-Reversing Controls
Covered in 8 domains
OWASP Mobile Application Security Verification Standard (MASVS)
Keeping Things Flexible: Requirement “Levels”
OWASP Mobile Application Security Verification Standard (MASVS)
MASVS-Level 1 (L1): Security best practices applicable to all mobile apps. Example:
OWASP Mobile Application Security Verification Standard (MASVS)
MASVS-Level 2 (L2): Defense-in-depth controls for sensitive apps (e.g. financial transactions). Example:
OWASP Mobile Application Security Verification Standard (MASVS)
MASVS-Resiliency Against Reverse Engineering and Tampering (R):
The app has state-of-the-art security, and is also resilient against specific, clearly defined client-side
attacks such as tampering, modding, or reverse engineering to extract sensitive code or data.
OWASP Mobile Application Security Verification Standard (MASVS)
Ok, so why are security requirements so important?
To avoid this: Pentesters after turning a report in...
OWASP Mobile Application Security Verification Standard (MASVS)
How to use the MASVS (or how to shift left and build security in)
During early stages of development:
• Basis for (future) design decisions and enhancements
• Helps building internal baselines for Mobile Security and Coding Guidelines
• To determine security requirements early on. For example:
While Implementing:
• Track the security requirements during development
• Redefine security requirements when business requirements are changing
During Penetration Test:
• Share the status of your security requirements with the tester
OWASP MASVS – Automation with BDD
• MASVS is becoming the de facto standard for mobile security testing
• All the checks are currently performed manually by pentesters, security engineers, developers etc.
• The test cases are well described and detailed in a simple descriptive language
• We can automate some of them
• Testing needs to adapt to the Agile way of working (WoW)
• Having these tests integrated in the CI/CD would benefit development
Disclaimer: Research by Davide Cioccia
https://www.owasp.org/images/f/fb/V2_-_OWASP_Buscharest_Davide_Cioccia.pdf
OWASP MASVS – Automation with BDD
Pipeline phases: Requirements → Design → Code → Build → Test → Release
Activities along the pipeline (in order):
• Security Requirements
• Threat modeling (abuse case generation)
• Threat based security controls & test specification
• Implement BDD standardized security tests
• Implement BDD application specific security tests
• Test against acceptance environment
• MSTG Test cases
• MASVS Checklist
• Manual PT
• Identify the flaw
• Patch the flaw
OWASP MASVS – Automation
Setup: Test scripts (.features, steps.rb) → APK → Emulator / Device
OWASP MASVS – Automation with BDD
.features
• A feature file is an entry point to the Cucumber tests. This is a file where you will describe your tests in descriptive language (like English).
• It’s described in Gherkin Syntax*
• Contains:
– Feature: describes the feature we are going to test
– Scenario(s): describe the behavior of the test
* https://github.com/cucumber/cucumber/wiki/Gherkin
OWASP MASVS – Automation
Steps
• Implementation of the Gherkin syntax
• Ruby function with parameters in input
• We are going to use the android tools to perform analysis on the device
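As an added example (not code from the slides or from the framework they link), here is what the .features file and the steps.rb step definitions described above look like end to end for one MASVS V2 data storage check, with a toy Gherkin dispatcher standing in for Cucumber so it runs without the gem. The package name, the preference file contents and the adb responses are constructed.

```ruby
# Toy stand-in for the Cucumber/Calabash setup on the slides: a Gherkin scenario,
# step definitions in the steps.rb style, and a device adapter wrapping adb.
# The dispatcher below is a constructed minimal runner, not Cucumber itself.

STEP_DEFINITIONS = []

# Register a step definition, like Cucumber's Given/When/Then in steps.rb.
def step(regex, &block)
  STEP_DEFINITIONS << [regex, block]
end

# Given: the package must be present on the device (adb shell pm list packages).
step(/^the app "([^"]+)" is installed on the device$/) do |ctx, pkg|
  ctx[:pkg] = pkg
  listing = ctx[:adb].call('shell pm list packages')
  raise "package #{pkg} not installed" unless listing.include?("package:#{pkg}")
end

# When: dump the app's default shared preferences via run-as (debuggable build assumed).
step(/^I read its shared preferences$/) do |ctx|
  pkg = ctx[:pkg]
  ctx[:prefs] = ctx[:adb].call("shell run-as #{pkg} cat shared_prefs/#{pkg}_preferences.xml")
end

# Then: flag credential-looking keys that hold a non-empty cleartext value
# (MASVS V2: credentials belong in system credential storage, not in prefs).
CREDENTIAL_KEY = /pass|pwd|secret|token|pin/i

step(/^no preference value looks like a credential$/) do |ctx|
  hits = ctx[:prefs].scan(%r{<string name="([^"]+)">([^<]*)</string>})
                    .select { |name, value| name =~ CREDENTIAL_KEY && !value.strip.empty? }
                    .map(&:first)
  raise "cleartext credential-like preferences: #{hits.join(', ')}" unless hits.empty?
end

# Minimal Gherkin runner: walks the Given/When/Then/And lines of a scenario and
# dispatches each to the first matching step definition, sharing a context hash.
def run_scenario(feature_text, adb)
  ctx = { adb: adb }
  feature_text.each_line.map(&:strip).each do |line|
    m = line.match(/^(Given|When|Then|And|But) (.+)$/) or next
    regex, block = STEP_DEFINITIONS.find { |re, _| re.match?(m[2]) }
    raise "undefined step: #{m[2]}" unless block
    block.call(ctx, *regex.match(m[2]).captures)
  end
  { passed: true }
rescue StandardError => e
  { passed: false, reason: e.message }
end

# Constructed .features content (package name is made up for this example).
FEATURE = <<~GHERKIN
  Feature: MASVS V2 - Data Storage and Privacy
    Scenario: Credentials are not stored in cleartext in shared preferences
      Given the app "com.example.vulnapp" is installed on the device
      When I read its shared preferences
      Then no preference value looks like a credential
GHERKIN

# Constructed device responses standing in for a real adb call.
# Against a real device you would pass: adb = ->(args) { `adb #{args}` }
def fake_adb(prefs_xml)
  lambda do |args|
    case args
    when 'shell pm list packages' then "package:com.android.settings\npackage:com.example.vulnapp\n"
    when /run-as com\.example\.vulnapp cat/ then prefs_xml
    else ''
    end
  end
end

LEAKY_PREFS = <<~XML
  <?xml version='1.0' encoding='utf-8' standalone='yes' ?>
  <map>
      <string name="username">alice</string>
      <string name="password">Winter2018!</string>
  </map>
XML

CLEAN_PREFS = <<~XML
  <?xml version='1.0' encoding='utf-8' standalone='yes' ?>
  <map>
      <string name="username">alice</string>
      <string name="theme">dark</string>
  </map>
XML

if __FILE__ == $PROGRAM_NAME
  puts run_scenario(FEATURE, fake_adb(LEAKY_PREFS)).inspect
  puts run_scenario(FEATURE, fake_adb(CLEAN_PREFS)).inspect
end
```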
OWASP MASVS – Automation
Demo
OWASP MASVS – Automation
BDD Mobile security testing with OWASP MASVS, OWASP MSTG and Calabash
by Davide Cioccia
https://www.owasp.org/images/f/fb/V2_-_OWASP_Buscharest_Davide_Cioccia.pdf
Github Repo:
https://github.com/ing-bank/bdd-mobile-security-automation-framework/
We are getting Mainstream ☺
https://t.co/a6XztoKHz8
OWASP Mobile Application Security Verification Standard (MASVS)
Version 1.1 was released last week!
✓ Download it
✓ Read it
✓ Use it
✓ Give Feedback! Create an issue:
https://github.com/OWASP/owasp-masvs/issues
MASVS
Github - https://goo.gl/YMCC8B
Gitbook - https://goo.gl/cLqTQE
ePub - https://goo.gl/P7b9Lm
Export as Doc - https://goo.gl/ySSbLJ
We also have translations into Spanish and Russian!
Interested in doing a Chinese version? Ping me ☺
OWASP Mobile Security Testing Guide Standard (MSTG)
What is the Mobile Security Testing Guide (MSTG)?
• Manual for testing security maturity of mobile Apps
• Maps directly to the MASVS requirements
• Focusing on iOS and Android native applications
• Goal is to ensure completeness of mobile app security testing through a consistent testing methodology
• For security checks of the endpoint the OWASP Web Application Testing Guide should be used
OWASP Mobile Security Testing Guide Standard (MSTG)
Structure
• General Testing Guide
• Android Testing Guide
• iOS Testing Guide
Gitbook: https://mobile-security.gitbook.io/mobile-security-testing-guide/
ePub Download: https://leanpub.com/mobile-security-testing-guide
OWASP Mobile Security Testing Guide Standard (MSTG)
How does a penetration tester usually test iOS Apps?
• Jailbroken device: Cydia, full root access
• Dynamic instrumentation on non-jailbroken device: repackage the app with a dynamic library called Frida
See also: https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/tampering-and-reverse-engineering-on-ios#dynamic-analysis-on-non-jailbroken-devices
OWASP Mobile Security Testing Guide Standard (MSTG)
What is SSL Pinning again?
Truststore chain: CA (Certificate Authority) or Root CA → Intermediate Certificate → TLS (Leaf) Certificate presented by the Server
X.509 v3 Digital Certificate:
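An added example, not from the slides or the MSTG, showing in Ruby what the truststore chain above and an SPKI pin check actually verify: a constructed Root CA → Intermediate → leaf chain passes both, while a leaf for the same hostname issued by a different CA that the device also trusts passes chain validation but fails the pin. All names, keys and certificates are constructed here.

```ruby
require 'openssl'
require 'base64'

# Helper for the constructed test PKI: mint an X.509 v3 certificate, self-signed
# when no issuer is given, otherwise signed by the issuer's private key.
def issue_cert(subject, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # value 2 encodes X.509 v3
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The pin an app ships: base64(SHA-256(SubjectPublicKeyInfo DER)). Pinning the key
# rather than the whole certificate survives renewals that keep the same key pair.
def spki_pin(cert)
  Base64.strict_encode64(OpenSSL::Digest::SHA256.digest(cert.public_key.to_der))
end

# Plain chain validation: does a trusted root sign (via intermediates) this leaf?
def chain_trusted?(leaf, intermediates, roots)
  store = OpenSSL::X509::Store.new
  roots.each { |r| store.add_cert(r) }
  store.verify(leaf, intermediates)
end

# Pinning on top of chain validation: the presented chain must also contain a
# certificate whose SPKI hash is in the app's pin set.
def pinned_chain_ok?(leaf, intermediates, roots, pins)
  return false unless chain_trusted?(leaf, intermediates, roots)
  ([leaf] + intermediates).any? { |c| pins.include?(spki_pin(c)) }
end

# Constructed PKI: genuine Root CA -> Intermediate -> server leaf, plus an unrelated
# CA (e.g. an interception proxy's CA a user installed into the device truststore)
# that issues its own leaf for the same hostname.
ROOT_KEY       = OpenSSL::PKey::RSA.new(2048)
INT_KEY        = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY       = OpenSSL::PKey::RSA.new(2048)
OTHER_ROOT_KEY = OpenSSL::PKey::RSA.new(2048)
OTHER_LEAF_KEY = OpenSSL::PKey::RSA.new(2048)

ROOT         = issue_cert('/CN=Example Root CA', ROOT_KEY, ca: true)
INTERMEDIATE = issue_cert('/CN=Example Intermediate CA', INT_KEY, issuer: ROOT, issuer_key: ROOT_KEY, ca: true)
LEAF         = issue_cert('/CN=api.example.com', LEAF_KEY, issuer: INTERMEDIATE, issuer_key: INT_KEY)
OTHER_ROOT   = issue_cert('/CN=Some Other CA', OTHER_ROOT_KEY, ca: true)
OTHER_LEAF   = issue_cert('/CN=api.example.com', OTHER_LEAF_KEY, issuer: OTHER_ROOT, issuer_key: OTHER_ROOT_KEY)

# The app pins the intermediate's key, a common choice that tolerates leaf rotation.
PINS = [spki_pin(INTERMEDIATE)].freeze

if __FILE__ == $PROGRAM_NAME
  device_store = [ROOT, OTHER_ROOT]                  # both CAs trusted by the OS truststore
  puts "genuine chain, truststore only:  #{chain_trusted?(LEAF, [INTERMEDIATE], device_store)}"
  puts "genuine chain, with pinning:     #{pinned_chain_ok?(LEAF, [INTERMEDIATE], device_store, PINS)}"
  puts "other CA chain, truststore only: #{chain_trusted?(OTHER_LEAF, [], device_store)}"
  puts "other CA chain, with pinning:    #{pinned_chain_ok?(OTHER_LEAF, [], device_store, PINS)}"
end
```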
OWASP Mobile Security Testing Guide Standard (MSTG)
Dynamic Instrumentation - Bypassing SSL Pinning
Snapchat
DEMO
OWASP Mobile Security Testing Guide Standard (MSTG)
Where can I get it?
MSTG
Github - https://goo.gl/k5z9Fs
Gitbook - https://goo.gl/SH6bK3
ePub - https://goo.gl/oNCFCJ
Export as Doc - https://goo.gl/FvTftn
✓ Download it
✓ Read it
✓ Use it
✓ Give Feedback! Create an issue
https://github.com/OWASP/owasp-mstg/issues
OWASP Mobile Security Testing Guide Standard (MSTG)
What’s next?
• Q3/2018 publish the book as hard copy
• Training at OWASP AppSec USA 2018 (https://goo.gl/yf61nG)
So then it’s done, right? No…
• Updates for iOS 11/12
• Updates for Android O/P
• Mobile Application Frameworks are missing (Apache Cordova, PhoneGap..)
• Code samples for Kotlin, Swift
• Check our project page - https://github.com/OWASP/owasp-mstg/projects/2
82 Contributors to the MSTG according to GitHub!
Thanks for all the hard and great work to make this project a success!
Authors Co-Authors Top Contributors Reviewers Editors
Bernhard Mueller
Sven Schleier
Romuald Szkudlarek
Jeroen Willemsen
Pawel Rzepa
Francesco Stillavato
Andreas Happe
Alexander Anthuk
Henry Hoggard
Wen Bin Kong
Abdessamad Temmar
Bolot Kerimbaev
Slawomir Kosowski
Sjoerd Langkemper
Anant Shrivastava
Heaven Hodges
Caitlin Andrews
Nick Epson
Anita Diamond
Anna Szkudlarek
Be part of an awesome journey and contribute to the MSTG!
We are searching for additional authors, reviewers and editors.
https://github.com/OWASP/owasp-mstg#contributions-feature-requests-and-feedback
The full list of contributors is available on GitHub:
https://github.com/OWASP/owasp-mstg/graphs/contributors
Reverse Engineering in the MSTG
# /usr/bin/whoami
• Ryan Teoh
• Security Engineer @ Grab
• Anything mobile security
OWASP Mobile Security Testing Guide Standard (MSTG)
Reverse Engineering in the MSTG
Security Testers have no good way of dealing with mobile software protections
OWASP Mobile Security Testing Guide Standard (MSTG)
Pentesters and Developers are confused
Report with security issue: « Lack of Obfuscation »
What are the developers supposed to do?
• MinifyEnabled = true?
• Maybe encrypt strings?
• Apply complex control flow obfuscation?
• Maybe use some whitebox crypto?
The MSTG offers a proper assessment methodology.
OWASP Mobile Security Testing Guide Standard (MSTG)
Skills Needed For Assessing Anti-Reversing Schemes
Determine whether software protections are used appropriately
• Every software protection scheme can be defeated
• Never to be used as a replacement for security controls
• Viable uses: IP protection, DRM, preventing modding / cheating,
hardening against code injection / instrumentation
OWASP Mobile Security Testing Guide Standard (MSTG)
Testing Anti-Reversing Defenses
• Root Detection
• Anti-Debugging
• Detecting Reverse Engineering Tools
• Emulator Detection / Anti-Emulation
• File and Memory Integrity Checks
• Device Binding
• Obfuscation
OWASP Mobile Security Testing Guide Standard (MSTG)
Reverse Engineering Content
• Building a reverse engineering environment for free
• Static and dynamic analysis
OWASP Mobile Security Testing Guide Standard (MSTG)
Reverse Engineering Content
• Tampering, patching and runtime instrumentation
Demo
Target: MSTG Hacking Playground - Android
Case #1: SSL Pinning
Objective: Demonstrate SSL Pinning using Frida
Case #2: Android keys extraction
Objective: Key extraction using Frida
SSL Pinning
• Understand the decompiled code
• Identify Class
• Identify Methods
• Identify argument and retval
• Instrument the methods
SSL Pinning
• Understand the decompiled code
• bytecode-viewer
• Identify Class
• “OMTG_NETW_004_SSL_Pinning_Certificate.class”
• Identify Methods
• HTTPSssLPinning()
• Identify argument and retval
• “java.io.InputStream”
• Instrument the methods
• Replacing multiple methods
Android Keys
• “Key material never enters the application process. If the app's process is compromised, the attacker may be able to use the app's keys but will not be able to extract their key material.”
• Depending on the device, key material may be bound to secure hardware (e.g. Trusted Execution Environment (TEE) or Secure Element (SE))
• Let's check if we are able to extract the key material using Frida.
Key Extraction
• Hook decryptString() function
• Hook Cipher.init() function
• Print Different message based on opcode
• Print Public key
• Print Private key
• Bypass isEngineBased checks
• Cast it to OpenSSLPrivateKe
Conclusion
• The private key can be extracted when we cast it into OpenSSLRSAPrivateKey
• After inspection, we still cannot find a method to get the privateExponent. As there is no method we can hook, we cannot even try to get it :(
Frida Scripts used in Demos:
https://github.com/ryantzj/null-frida-script/tree/master
OWASP Mobile Security Testing Guide Standard (MSTG)
Practical Challenges!
« UnCrackable Mobile Apps »
https://github.com/OWASP/owasp-mstg/tree/master/Crackmes
Kudos to Bernhard Mueller (@bernhardm) who mainly did the Reverse Engineering Chapters and Crackmes
sven.schleier@owasp.org
@bsd_daemon
Download Slides here: https://goo.gl/BCWJed
me@ryantzj.com
@ryantzj

W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 

Recently uploaded (20)

SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 

Null Singapore - Mobile Security Essentials

  • 1. Mobile Security Essentials Null Singapore 31.07.2018 Sven Schleier, Ryan Teoh
  • 2. Agenda • OWASP Mobile Security Project • Mobile AppSec Verification Standard (MASVS) • Automation of the MASVS • Mobile Security Testing Guide (MSTG) • Reverse Engineering of Mobile Apps
  • 3. # /usr/bin/whoami • Hi everyone, my name is Sven • Managing Principal Consultant at Vantage Point Security • Professional Penetration tester since 2010 • Security Architect for Web and Mobile Apps during SDLC • One of the project leaders for: • OWASP Mobile Security Testing Guide (MSTG) and • Mobile AppSec Verification Standard (MASVS)
  • 4. Why Mobile Application Security? Application Physical Network HTTP(s) Attack Surface • It all started with Network & Physical Security • Protecting the perimeter • Ensuring endpoints are secure • Application Security plays an important part • But, different skills are required to support Mobile Applications Security
  • 5. Why Mobile Application Security? Mobile Applications are different compared to Web Apps: Different Attack Surface (examples) Interaction with the OS through APIs or other apps through IPC Local Storage Local Authentication (scanning fingerprint/face/iris) Reverse Engineering
  • 6. Why Mobile Application Security? Mobile Applications are different compared to Web Apps:
  • 7. Why Mobile Application Security? Mobile Applications are different compared to Web Apps: Different Vulnerabilities (examples) Disclosure of sensitive data on the mobile device, through • Storing data in cleartext • Logging • Exposing in memory Build settings and code quality What about CSRF? What about XSS? Don't blindly trust your scanning tool's output!
  • 8. Why Mobile Application Security? Mobile Applications are different compared to Web Apps: https://twitter.com/natashenka/status/941737682803159040
  • 9. OWASP Mobile Security Project – Our “Products” Mobile Security Testing Guide Around 550+ pages Free Ebook https://leanpub.com/mobile-security-testing-guide Hardcopy, Printed Book (soon)! Mobile AppSec Verification Standard PDF Download Mobile AppSec Checklist Excel https://github.com/OWASP/owasp-mstg/tree/master/Checklists https://github.com/OWASP/owasp-masvs/releases
  • 10. OWASP Mobile Application Security Verification Standard (MASVS)
  • 11. OWASP Mobile Application Security Verification Standard (MASVS) • Started as a fork of the OWASP ASVS • Formalizes best practices • Mobile-specific, high-level, OS-agnostic
  • 12. OWASP Mobile Application Security Verification Standard (MASVS) V2: Data Storage and Privacy Requirements
  • 13. OWASP Mobile Application Security Verification Standard (MASVS) Opinions, opinions, opinions…
  • 14. Why Mobile Application Security? Mobile Applications are different compared to Web Apps:
  • 15. OWASP Mobile Application Security Verification Standard (MASVS) https://github.com/OWASP/owasp-masvs/issues/117 Opinions, opinions, opinions…
  • 16. OWASP Mobile Application Security Verification Standard (MASVS) Our Philosophy 44 Security Requirements (Level 1) 18 Defense-in-Depth Measures (Level 2) 12 Anti-Reversing Controls Covered in 8 domains
  • 17. OWASP Mobile Application Security Verification Standard (MASVS) Keeping Things Flexible: Requirement “Levels”
  • 18. OWASP Mobile Application Security Verification Standard (MASVS) MASVS-Level 1 (L1): Security best practices applicable to all mobile apps. Example:
  • 19. OWASP Mobile Application Security Verification Standard (MASVS) MASVS-Level 2 (L2): Defense-in-depth controls for sensitive apps (e.g. financial transactions). Example:
  • 20. OWASP Mobile Application Security Verification Standard (MASVS) MASVS- Resiliency Against Reverse Engineering and Tampering (R): The app has state-of-the-art security, and is also resilient against specific, clearly defined client-side attacks such as tampering, modding, or reverse engineering to extract sensitive code or data.
  • 21. OWASP Mobile Application Security Verification Standard (MASVS) Ok, so why are security requirements so important? To avoid this: Pentesters after turning a report in...
  • 22. OWASP Mobile Application Security Verification Standard (MASVS) How to use the MASVS (or how to shift left and build security in) During early stages of development: • Basis for (future) design decisions and enhancements • Helps building internal baselines for Mobile Security and Coding Guidelines • To determine security requirements early on. For example: While Implementing: • Track the security requirements during development • Redefine security requirements when business requirements are changing During Penetration Test: • Share the status of your security requirements with the tester
  • 23. OWASP MASVS – Automation with BDD • MASVS is becoming the de facto standard for mobile security testing • All the checks are currently performed manually by pentesters, security engineers, developers etc. • Test cases are well described and detailed in a simple descriptive language • We can automate some of them • Testing needs to adapt to the Agile WOW (way of working) • Having these tests integrated in the CI/CD pipeline would benefit development Disclaimer: Research by Davide Cioccia https://www.owasp.org/images/f/fb/V2_-_OWASP_Buscharest_Davide_Cioccia.pdf
  • 24. OWASP MASVS – Automation with BDD Requirements Design Code Build Test Release Security Requirements Threat modeling (abuse case generation) Threat based security controls & test specification Implement BDD standardized security tests Implement BDD application specific security tests Test against acceptance environment MSTG Test cases MASVS Checklist Manual PT Identify the flaw Patch the flaw
  • 26. OWASP MASVS – Automation Test scripts APK .features steps.rb Emulator / Device
  • 27. OWASP MASVS – Automation with BDD .features • A feature file is the entry point to the Cucumber tests. This is the file where you describe your tests in a descriptive language (like English). • It’s written in Gherkin syntax* • Contains: – Feature: describes the feature we are going to test – Scenario(s): describe the behavior of the test * https://github.com/cucumber/cucumber/wiki/Gherkin
  • 28. OWASP MASVS – Automation Steps • Implementation of the Gherkin steps • Ruby functions that take the step's parameters as input • We are going to use the Android tools to perform the analysis on the device
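Added example for slides 27 and 28, not from the slides or from the ing-bank framework linked later: a Gherkin scenario for one MASVS build-settings requirement together with the Ruby logic its steps.rb step definitions would call. The two manifests are constructed sample data standing in for apktool output, and the step wording and function names are my own.

```ruby
require 'rexml/document'

# .feature side: the Gherkin scenario for one MASVS V7 (build settings) check.
FEATURE_FILE = <<~GHERKIN
  Feature: MASVS V7 - Code Quality and Build Setting Requirements
    Scenario: Release build is not debuggable and does not allow backups
      Given the decoded AndroidManifest.xml of the app under test
      When I read the <application> attributes
      Then android:debuggable is not "true"
      And android:allowBackup is explicitly "false"
GHERKIN

# Constructed manifests standing in for apktool output (not from a real app).
DEBUG_MANIFEST = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <application android:label="Example" android:debuggable="true" android:allowBackup="true">
      <activity android:name=".MainActivity"/>
    </application>
  </manifest>
XML

RELEASE_MANIFEST = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <application android:label="Example" android:allowBackup="false">
      <activity android:name=".MainActivity"/>
    </application>
  </manifest>
XML

# steps.rb side: the logic a step definition such as
#   Then(/^android:debuggable is not "true"$/) { ... }
# would call. On a real run the manifest comes from the APK on the device or
# emulator (adb pull, then apktool d); here it is passed in as a string.
def application_attributes(manifest_xml)
  doc = REXML::Document.new(manifest_xml)
  app = doc.elements['manifest/application']
  raise 'manifest has no <application> element' if app.nil?
  attrs = {}
  app.attributes.each_attribute { |a| attrs[a.expanded_name] = a.value }
  attrs
end

# Runs the Then/And steps and returns [[step text, passed?], ...].
# debuggable defaults to false when absent, so only an explicit "true" fails.
# allowBackup defaults to true when absent, so the step demands an explicit "false".
def run_scenario(manifest_xml)
  attrs = application_attributes(manifest_xml)
  [
    ['android:debuggable is not "true"',          attrs['android:debuggable'] != 'true'],
    ['android:allowBackup is explicitly "false"', attrs['android:allowBackup'] == 'false'],
  ]
end

def scenario_passed?(manifest_xml)
  run_scenario(manifest_xml).all? { |_step, ok| ok }
end

if __FILE__ == $PROGRAM_NAME
  puts FEATURE_FILE
  { 'debug build' => DEBUG_MANIFEST, 'release build' => RELEASE_MANIFEST }.each do |name, xml|
    puts "== #{name}"
    run_scenario(xml).each { |step, ok| puts "  #{ok ? 'PASS' : 'FAIL'}  #{step}" }
  end
end
```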
  • 29. OWASP MASVS – Automation Demo
  • 30. OWASP MASVS – Automation BDD Mobile security testing with OWASP MASVS, OWASP MSTG and Calabash by Davide Cioccia https://www.owasp.org/images/f/fb/V2_-_OWASP_Buscharest_Davide_Cioccia.pdf Github Repo: https://github.com/ing-bank/bdd-mobile-security-automation-framework/
  • 31. We are getting mainstream! https://t.co/a6XztoKHz8 OWASP Mobile Application Security Verification Standard (MASVS)
  • 32. OWASP Mobile Application Security Verification Standard (MASVS) Version 1.1 was released last week! ✓ Download it ✓ Read it ✓ Use it ✓ Give Feedback! Create an issue: https://github.com/OWASP/owasp-masvs/issues MASVS Github - https://goo.gl/YMCC8B Gitbook - https://goo.gl/cLqTQE ePub - https://goo.gl/P7b9Lm Export as Doc - https://goo.gl/ySSbLJ We also have translations into Spanish and Russian! Interested in doing a Chinese version? Ping me!
  • 33. OWASP Mobile Security Testing Guide Standard (MSTG)
  • 34. OWASP Mobile Security Testing Guide Standard (MSTG) • Manual for testing the security maturity of mobile apps • Maps directly to the MASVS requirements • Focusing on iOS and Android native applications • Goal is to ensure completeness of mobile app security testing through a consistent testing methodology • For security checks of the endpoint the OWASP Web Application Testing Guide should be used What is the Mobile Security Testing Guide (MSTG)?
  • 35. OWASP Mobile Security Testing Guide Standard (MSTG) Structure • General Testing Guide • Android Testing Guide • iOS Testing Guide Gitbook: https://mobile-security.gitbook.io/mobile-security-testing-guide/ ePub Download: https://leanpub.com/mobile-security-testing-guide
  • 36. OWASP Mobile Security Testing Guide Standard (MSTG) How does a penetration tester usually test iOS Apps? Jailbroken device: Cydia, full root access. Dynamic instrumentation on a non-jailbroken device: repackage the app with a dynamic library called Frida. See also: https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/tampering-and-reverse-engineering-on-ios#dynamic-analysis-on-non-jailbroken-devices
  • 37. OWASP Mobile Security Testing Guide Standard (MSTG) What is SSL Pinning again? Diagram: Truststore, CA (Certificate Authority) or Root CA, Intermediate Certificate, TLS (Leaf) Certificate, Server. X.509 v3 Digital Certificate:
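Added example (not from the slides or the MSTG): a Ruby model of the chain on slide 37, with an in-memory root CA, intermediate and leaf, a truststore check, and an SPKI pin check, showing why pinning rejects a chain that the device truststore alone would accept. All certificates are constructed here and the function names are mine.

```ruby
require 'openssl'
require 'base64'

# Issue an X.509 v3 certificate. `issuer` is [cert, key] of the signer, or nil
# for a self-signed root. Constructed in memory for the demo; not a real CA.
def issue_cert(cn, issuer: nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                                  # X.509 v3
  cert.serial     = rand(1..(2**62))
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer[0].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer ? issuer[0] : cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer ? issuer[1] : key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Truststore check: does the presented chain lead to a root the device trusts?
def chain_trusted?(trusted_roots, leaf, intermediates = [])
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |r| store.add_cert(r) }
  store.verify(leaf, intermediates)
end

# SPKI pin in the form used by Android Network Security Config / HPKP:
# base64(SHA-256(SubjectPublicKeyInfo DER)).
def spki_pin(cert)
  Base64.strict_encode64(OpenSSL::Digest::SHA256.digest(cert.public_key.to_der))
end

# Pinning check: at least one certificate in the chain must match a shipped pin.
def pin_matches?(presented_chain, pins)
  presented_chain.any? { |c| pins.include?(spki_pin(c)) }
end

def demo
  root,  root_key  = issue_cert('Demo Root CA', ca: true)
  inter, inter_key = issue_cert('Demo Intermediate CA', issuer: [root, root_key], ca: true)
  leaf,  _leaf_key = issue_cert('api.example.test', issuer: [inter, inter_key])
  pins = [spki_pin(leaf)]                               # the app ships the leaf's pin

  # A second CA the device also trusts (e.g. a user-installed proxy CA) issuing
  # a certificate for the same hostname: valid for the truststore, not for the pin.
  proxy_root, proxy_key = issue_cert('Interception Proxy CA', ca: true)
  proxy_leaf, _pl_key   = issue_cert('api.example.test', issuer: [proxy_root, proxy_key])

  device_trust = [root, proxy_root]
  {
    genuine_trusted: chain_trusted?(device_trust, leaf, [inter]),
    genuine_pinned:  pin_matches?([leaf, inter, root], pins),
    proxy_trusted:   chain_trusted?(device_trust, proxy_leaf),
    proxy_pinned:    pin_matches?([proxy_leaf, proxy_root], pins),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |check, ok| puts "#{check}: #{ok}" }
end
```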
  • 38. OWASP Mobile Security Testing Guide Standard (MSTG) Dynamic Instrumentation - Bypassing SSL Pinning Snapchat DEMO
  • 39. OWASP Mobile Security Testing Guide Standard (MSTG) Where can I get it? MSTG Github - https://goo.gl/k5z9Fs Gitbook - https://goo.gl/SH6bK3 ePub - https://goo.gl/oNCFCJ Export as Doc - https://goo.gl/FvTftn ✓ Download it ✓ Read it ✓ Use it ✓ Give Feedback! Create an issue https://github.com/OWASP/owasp-mstg/issues
  • 40. OWASP Mobile Security Testing Guide Standard (MSTG) What’s next? • Q3/2018 publish the book as hard copy • Training at OWASP AppSec USA 2018 (https://goo.gl/yf61nG) So then it’s done, right? No… • Updates for iOS 11/12 • Updates for Android O/P • Mobile Application Frameworks are missing (Apache Cordova, PhoneGap..) • Code samples for Kotlin, Swift • Check our project page - https://github.com/OWASP/owasp-mstg/projects/2
  • 41. 82 Contributors to the MSTG according to GitHub! Thanks for all the hard and great work to make this project a success! Authors Co-Authors Top Contributors Reviewers Editors Bernhard Mueller Sven Schleier Romuald Szkudlarek Jeroen Willemsen Pawel Rzepa Francesco Stillavato Andreas Happe Alexander Anthuk Henry Hoggard Wen Bin Kong Abdessamad Temmar Bolot Kerimbaev Slawomir Kosowski Sjoerd Langkemper Anant Shrivastava Heaven Hodges Caitlin Andrews Nick Epson Anita Diamond Anna Szkudlarek Be part of an awesome journey and contribute to the MSTG! We are searching for additional authors, reviewers and editors. https://github.com/OWASP/owasp-mstg#contributions-feature-requests-and-feedback The full list of contributors is available on GitHub: https://github.com/OWASP/owasp-mstg/graphs/contributors
  • 43. # /usr/bin/whoami • Ryan Teoh • Security Engineer @ Grab • Anything mobile security
  • 44. OWASP Mobile Security Testing Guide Standard (MSTG) Reverse Engineering in the MSTG Security Testers have no good way of dealing with mobile software protections
  • 45. OWASP Mobile Security Testing Guide Standard (MSTG) Pentesters and Developers are confused Report with security issue: « Lack of Obfuscation » What are the developers supposed to do? • MinifyEnabled = true? • Maybe encrypt strings? • Apply complex control flow obfuscation? • Maybe use some whitebox crypto? The MSTG offers a proper assessment methodology.
  • 46. OWASP Mobile Security Testing Guide Standard (MSTG) Skills Needed For Assessing Anti-Reversing Schemes Determine whether software protections are used appropriately • Every software protection scheme can be defeated • Never to be used as a replacement for security controls • Viable uses: IP protection, DRM, preventing modding / cheating, hardening against code injection / instrumentation
  • 47. OWASP Mobile Security Testing Guide Standard (MSTG) Testing Anti-Reversing Defenses • Root Detection • Anti-Debugging • Detecting Reverse Engineering Tools • Emulator Detection / Anti-Emulation • File and Memory Integrity Checks • Device Binding • Obfuscation
  • 48. OWASP Mobile Security Testing Guide Standard (MSTG) Reverse Engineering Content • Building a reverse engineering environment for free • Static and dynamic analysis
  • 49. OWASP Mobile Security Testing Guide Standard (MSTG) Reverse Engineering Content • Tampering, patching and runtime instrumentation
  • 50. Demo Target: MSTG Hacking Playground - Android Case #1: SSL Pinning Objective: Demonstrate SSL Pinning using Frida Case #2: Android keys extraction Objective: Key extraction using Frida
  • 51. SSL Pinning • Understand the decompiled code • Identify the class • Identify the methods • Identify arguments and return value • Instrument the methods
  • 52. SSL Pinning • Understand the decompiled code • bytecode-viewer • Identify the class • “OMTG_NETW_004_SSL_Pinning_Certificate.class” • Identify the methods • HTTPSssLPinning() • Identify arguments and return value • “java.io.InputStream” • Instrument the methods • Replacing multiple methods
  • 53. Android Keys • “Key material never enters the application process. If the app's process is compromised, the attacker may be able to use the app's keys but will not be able to extract their key material.” • Depending on the device, key material may be bound to secure hardware (e.g. Trusted Execution Environment (TEE) or Secure Element (SE)) • Let's check whether we are able to extract the key material using Frida.
  • 54. Key Extraction • Hook decryptString() function • Hook Cipher.init() function • Print Different message based on opcode • Print Public key • Print Private key • Bypass isEngineBased checks • Cast it to OpenSSLPrivateKe
  • 55. Conclusion • The private key can be extracted when we cast it to OpenSSLRSAPrivateKey • After inspection, we still could not find a method to get the privateExponent, as there is no method we can hook to even try to get it :( Frida Scripts used in Demos: https://github.com/ryantzj/null-frida-script/tree/master
  • 56. OWASP Mobile Security Testing Guide Standard (MSTG) Practical Challenges! « UnCrackable Mobile Apps » https://github.com/OWASP/owasp-mstg/tree/master/Crackmes Kudos to Bernhard Mueller (@bernhardm) who mainly did the Reverse Engineering Chapters and Crackmes
  • 57. sven.schleier@owasp.org @bsd_daemon Download Slides here: https://goo.gl/BCWJed me@ryantzj.com @ryantzj