This document discusses securing mobile applications. It begins with an overview of threats to mobile platforms and how they have created opportunities for hackers. It then discusses understanding the risks with a mobile threat model showing different attack vectors. The key threats identified are insecure data storage, insufficient transport layer security, and client side injection. It provides examples of these threats and how they are commonly exploited. Finally, it discusses defending mobile applications with design principles and approaches like assuming the client is compromised, connecting to untrusted networks, and an untrusted operating system. It emphasizes the basics of secure development, testing, and ongoing monitoring and review.
2. Introduction
About Me
• Michael Gianarakis
• Senior Security Consultant
• Working in application security for seven years
• Focus on mobile application security
5. Overview
Mobile platforms have presented many opportunities for businesses and online retailers…
BUT
It’s also created a lucrative target for hackers.
15.–24. Understanding the Risks – Mobile Threat Model
[Diagram built up across slides 15 to 24; only the node labels survive: Mobile Device, Mobile Application, 3rd Party Applications, User, Back End Web Service, 3rd Party Web Service]
27. Identify the Threats
• Focus on the most prevalent risks and how they can be exploited
  • Insecure data storage
  • Insufficient transport layer protection (communication security)
  • Client side injection
28. Identify the Threats – Insecure Data Storage
• Improperly secured data stored on the device is very common
• I have come across all kinds of sensitive information stored in clear text including:
  • Usernames and passwords
  • Encryption keys
  • Personal information
  • Location data
29. Identify the Threats – Insecure Data Storage
• Two main types of insecure data storage:
  1. Sensitive data stored on the device by the application that was not secured appropriately by the developer
  2. Data stored by the operating system automatically
30. Identify the Threats – Insecure Data Storage
• Sensitive data not appropriately secured by the developer includes:
  • Unencrypted databases
  • Storing sensitive information in preference files
  • Encrypting data but storing the encryption key in a clear text file
  • Logging sensitive information to the device logs
35. Identify the Threats – Insecure Data Storage
• Sensitive data stored by the operating system
  • Backgrounding screenshots (iOS)
  • Caches (browser caching, autocorrect etc.)
  • Pasteboard
• Oftentimes developers do not realise that the OS is storing this information
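As an added example (not from the presentation), a Python check that a tester or a build pipeline can run over an app's sandbox directory for the developer-side storage anti-patterns on slides 28 to 30: secrets in preference plists, sensitive columns in unencrypted SQLite databases, an encryption key sitting in a clear-text file, and secrets written to logs. The directory layout, file names and secret values are constructed for the example.

```python
import os
import plistlib
import re
import sqlite3
import tempfile

# Key, column and file names that usually mean the value beside them is a secret.
SENSITIVE = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|encryption[_-]?key", re.I)

def scan_plist(path):
    """Preference files are plain plists: flag any sensitive-looking key."""
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    return [("preferences", os.path.basename(path), f"{k}={v}")
            for k, v in data.items() if SENSITIVE.search(str(k))]

def scan_sqlite(path):
    """Walk every table of an unencrypted SQLite database for sensitive column names."""
    findings, conn = [], sqlite3.connect(path)
    try:
        for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
            cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
            hits = [c for c in cols if SENSITIVE.search(c)]
            if hits:
                rows = conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
                findings.append(("database", os.path.basename(path), f"{table}({', '.join(hits)}) rows={rows}"))
    finally:
        conn.close()
    return findings

def scan_text(path, kind):
    """Device logs: flag lines carrying a secret. Key files: every line is a finding."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [(kind, os.path.basename(path), f"line {n}: {line.strip()}")
                for n, line in enumerate(fh, 1) if kind == "key file" or SENSITIVE.search(line)]

def scan_sandbox(root):
    """Return (kind, file, detail) findings for an app sandbox directory tree."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path, ext = os.path.join(dirpath, name), os.path.splitext(name)[1].lower()
            if ext == ".plist":
                findings += scan_plist(path)
            elif ext in (".db", ".sqlite", ".sqlite3"):
                findings += scan_sqlite(path)
            elif ext == ".log":
                findings += scan_text(path, "device log")
            elif ext in (".key", ".pem") or SENSITIVE.search(name):
                findings += scan_text(path, "key file")  # key material in a clear-text file
    return findings

def build_sample_sandbox():
    """Constructed sample sandbox reproducing each anti-pattern named on the slide."""
    root = tempfile.mkdtemp(prefix="sandbox-")
    os.makedirs(os.path.join(root, "Library", "Preferences"))
    os.makedirs(os.path.join(root, "Documents"))
    with open(os.path.join(root, "Library", "Preferences", "com.example.shop.plist"), "wb") as fh:
        plistlib.dump({"username": "alice", "password": "hunter2", "theme": "dark"}, fh)
    conn = sqlite3.connect(os.path.join(root, "Documents", "orders.db"))
    conn.execute("CREATE TABLE cards (id INTEGER, pan TEXT, api_key TEXT)")
    conn.execute("INSERT INTO cards VALUES (1, '4111111111111111', 'sk_live_constructed')")
    conn.commit()
    conn.close()
    with open(os.path.join(root, "Library", "aes.key"), "w") as fh:
        fh.write("00112233445566778899aabbccddeeff\n")  # the key stored beside the data it protects
    with open(os.path.join(root, "Documents", "app.log"), "w") as fh:
        fh.write("login ok user=alice\nrefresh token=eyJ.constructed\n")
    return root
```

Running `scan_sandbox(build_sample_sandbox())` yields one finding per anti-pattern; the same scan pointed at a real sandbox pulled from a test device is the check to run before release.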
38. Identify the Threats – Insufficient Transport Layer Security
• Most users will connect their devices to untrusted networks
• It is common to find insecurely implemented communication security:
  • Lack of SSL validation
  • Unencrypted communications
40. Identify the Threats – Client Side Injection
• In web applications injection issues such as XSS and SQL Injection are a big problem
• Still found in mobile applications
• Can be worse in mobile applications – runtime manipulation can lead to significant security issues
44. Defending Mobile Applications
• Challenges
  • Devices are easily lost, stolen or compromised
  • Multiple attack vectors outside of your control
  • Once the security of the device is compromised ‘all bets are off’
  • Platform is constantly evolving
  • Customer expectation of rapid iteration
  • Developer inexperience with platforms (although this is improving)
45. Defending Mobile Applications
• First of all focus on the basics
  • Define the risk profile of the application
  • Secure development practices
  • Thorough security testing
  • Monitoring and review
• Effective information security is a process for managing business risk, not a product. Beware of “silver bullet” solutions.
• The security of your application is your responsibility - not Apple’s, Google’s or Microsoft’s
46. Defending Mobile Applications
• Mobile application security design principles
  • Assume the client is compromised
  • Assume the application will connect to untrusted networks
  • Assume that the underlying operating system is compromised
47. Defending Mobile Applications
• Assume the client is compromised
  • Do not store sensitive information on the device
  • Do not implement sensitive functionality in the client – always implement it on the server
  • Do not trust user input
48. Defending Mobile Applications
• Assume the application will connect to untrusted networks
  • Do not transmit sensitive information unencrypted
  • Do not use weak encryption
  • Establish and validate the certificate chain
49. Defending Mobile Applications
• Assume the underlying operating system is compromised
  • Genuine users will jailbreak their devices
  • Attackers will jailbreak target devices
  • Do not assume that physical access to the device is necessary for an attacker to compromise the device
51. Defending Mobile Applications
• Data Security
  • Preference is to not store sensitive data
  • Be realistic about requirements to actually store data (remember these devices are always connected)
  • Be conscious of inadvertent data leakage by the operating system
  • If storing sensitive data – encrypt, but be aware of key management difficulties
52. Defending Mobile Applications
• Communication Security
  • Encrypt all traffic
  • ALWAYS validate certificates
  • Certificate pinning
  • Be aware of lax controls in development environments filtering through to production
  • Do not use weak protocols or protocol configurations exposed to known attacks (SSLv2, BEAST, CRIME etc.)
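As an added example (not the presenter's code), the Python `ssl` equivalents of the communication-security points on slides 38, 48 and 52: the lax context developers switch on during testing, the hardened one that validates the chain and hostname and refuses old protocol versions, a release-build check that catches the lax settings filtering into production, and certificate pinning layered on top of chain validation. The pin value and the host are constructed; the pin hashes the whole leaf certificate, which is simpler than SPKI pinning but means re-pinning at every certificate renewal.

```python
import base64
import hashlib
import socket
import ssl

def cert_pin(der_cert):
    """Pin format used here: base64 SHA-256 over the leaf certificate's DER bytes."""
    return "sha256/" + base64.b64encode(hashlib.sha256(der_cert).digest()).decode()

# Constructed pin for a stand-in certificate; a real app ships the pins of its own server certs.
EXPECTED_PINS = {cert_pin(b"constructed leaf certificate DER")}

def lax_context():
    """The development shortcut that must not reach production: no chain or hostname check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # has to be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_context():
    """Validate the chain against the trust store, check the hostname, refuse old protocols."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rules out SSLv2/SSLv3/TLS 1.0/1.1
    return ctx

def is_production_safe(ctx):
    """Gate for a release build: catch lax settings filtering through from development."""
    return (ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)

def pin_matches(der_cert, pins=EXPECTED_PINS):
    """Second layer after chain validation: the leaf must be one the app expects."""
    return cert_pin(der_cert) in pins

def connect_pinned(host, port=443, pins=EXPECTED_PINS):
    """Handshake with full validation, then refuse the connection unless the leaf is pinned."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if not pin_matches(leaf, pins):
                raise ssl.SSLCertVerificationError(f"pin mismatch for {host}: {cert_pin(leaf)}")
            return tls.version()
```

`connect_pinned` needs a live server and is not exercised offline; the context and pin checks run stand-alone.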
53. Defending Mobile Applications
• Injection and Runtime Security
  • Don’t trust user input
  • Although hard to implement, consider runtime security mechanisms
    • Anti-debugging
    • Jailbreak detection
    • Tamper response
54. Defending Mobile Applications
• Unfortunately it is impossible to completely secure mobile applications
  • Anybody with a copy of the application and a debugger can compromise the security of the application
• The aim is to make it significantly harder for the attacker such that the economic benefits of attacking the application are outweighed by the difficulty of the attack.