Mobile app security is an issue that isn't given much priority while an app is in development, which is why attackers are able to target iOS apps.
This talk features the most common security mistakes developers make and how to fix them easily. It also covers the security and privacy enhancements Apple introduced in iOS 10, such as the SecKey API, Differential Privacy and the cryptographic libraries, which enable developers to ship secure applications to the App Store.
Presentation I gave at ISSA DC on June 21, 2011. It introduces the OWASP Mobile Security Project, and covers at a high level: Overview of the Android platform, Mobile Top 10 Risks, Threat Modeling for Android.
Malware on Smartphones and Tablets - The Inconvenient Truth (AGILLY)
Many companies, through their IT managers and CIOs, still do not recognize mobile malware as an imminent threat. According to a Duo Security study, a third of Android mobile users do not lock their device screens with a password, and most take no security measures at all. Moreover, IT managers and CIOs deploy new applications to their customers and employees without building in security measures that support authentication and threat mitigation.
However, mobile malware has evolved over recent years and now constitutes a real threat. Business Insider has noted that these threats are now equivalent to those on PCs in terms of distribution and level of risk.
An intensive overview of most mobile-security-related issues.
From the Clust Education talk at the Security Summit in Milan (Italy):
https://www.securitysummit.it/eventi/view/82
Kaspersky Internet Security Multi-Device 2015 (Dejan Pogačnik)
Kaspersky Internet Security Multi-Device 2015 is an antivirus program for home users and small businesses. It protects your PC/Mac computer and your Android tablet or smartphone.
Debunking the Top 5 Myths About Mobile AppSec (NowSecure)
Originally presented June 24, 2019
https://www.nowsecure.com/resource/debunking-the-top-5-myths-about-mobile-appsec/
It’s hard to believe that mobile app stores are more than a decade old yet some crazy misconceptions about mobile application security still linger.
Have you heard these before?
- Testing mobile apps is the same as web apps
- SAST is good enough for mobile, you don’t need DAST
- Mobile apps are secure because Apple and Google security test them
- Outsourcing a penetration test once per year is sufficient to mitigate risk
Sort fact from fiction and learn how to ensure your mobile appsec program is on the right track. You may discover some surprising things about modern mobile application security.
Don’t be a dummy. Provide enhanced mobile security for your business with Samsung KNOX. Learn how you can bring defense-grade mobile security to your workplace. http://www.samsung.com/us/business/security/knox/
The session presents the risks of insecure mobile application development across three areas, with demonstrations: client side, communication channel and server side. It includes case studies of insecure development practices that let an attacker abuse the vulnerable application (e.g. coin/gem cheating in a gaming app, bypassing security controls on the client side and server side).
This presentation is based on the security and encryption measures adopted by Apple for its iPhones.
It was submitted to RTU, Kota during final year seminars.
Complete enterprise-grade endpoint security solutions from K7. Please feel free to contact us for further details.
Email us at : info@primeinfoserv.com
Web : www.primeinfoserv.com
Phone : +91 33 6526-0279 / 4008-5677
How Android and iOS Security Enhancements Complicate Threat Detection (NowSecure)
This is an encore presentation of NowSecure CEO Andrew Hoog’s talk “How Android and iOS Security Enhancements Complicate Threat Detection” from RSA Conference 2017. You'll learn about:
+ Five security enhancements in the Android and iOS platforms that present obstacles to defenders and incident responders
+ Tips on overcoming those challenges
+ The open-source Mobile Triage toolset that facilitates the collection of mobile threat and vulnerability data
Building a Mobile App Pen Testing Blueprint (NowSecure)
Mobile penetration testing helps uncover app exploits and vulnerabilities and is a crucial component of risk assessment. However, many people fear the complexity and don’t know where to get started.
It all begins with a solid plan of attack. NowSecure veterans of hundreds of mobile app pen tests will walk you through the process of assembling a pen testing playbook to hack your app.
This webinar covers:
+ Tips and tricks for targeting common issues
+ The best tools for the job
+ How to document findings to close the loop on vulnerabilities.
The Seven Most Dangerous New Attack Techniques, and What's Coming Next (Priyanka Aash)
Which are the most dangerous new attack techniques for 2016/2017? How do they work? How can you stop them? What's coming next and how can you prepare? This fast-paced session provides answers from the three people best positioned to know: the head of the Internet Storm Center, the top hacker exploits expert/teacher in the U.S., and the top expert on cyberattacks on industrial control systems.
(Source: RSA USA 2016-San Francisco)
Smart Bombs: Mobile Vulnerability and Exploitation (Tom Eston)
Kevin Johnson, John Sawyer and Tom Eston have spent quite a bit of time evaluating mobile applications in their respective jobs. In this presentation they will provide the audience an understanding of how to evaluate mobile applications, examples of how things have been done wrong and an understanding of how you can perform this testing within your organization.
This talk works with applications from the three main platforms: iOS, Android and BlackBerry. Kevin, Tom and John have used a variety of the top 25 applications for each of these platforms to provide real-world examples of the problems applications face.
The Ultimate Security Checklist While Launching Your Android App (Appknox)
As you build your app and work on your mobile strategy, it is essential to test your application across various parameters – Performance, Usability, Functionality, Compatibility, Load, Security, etc. Since time to market is essential, most businesses often neglect the security testing part. Here’s the ultimate security checklist of different tests to take care of before you launch your Android app.
Are you aware of your app's vulnerabilities?
Find out where you stand using Appknox’s free Appgrader - https://www.appknox.com/app-grader/
An immersive workshop at General Assembly, SF. I typically teach this workshop at General Assembly, San Francisco. To see a list of my upcoming classes, visit https://generalassemb.ly/instructors/seth-familian/4813
I also teach this workshop as a private lunch-and-learn or half-day immersive session for corporate clients. To learn more about pricing and availability, please contact me at http://familian1.com
Mobile Penetration Testing: Episode III - Attack of the Code (NowSecure)
In the final installment of our mobile penetration testing trilogy, we dive deep to find security flaws in mobile apps by dissecting the code with reverse-engineering and code analysis.
Unicom Conference - Mobile Application Security (Subho Halder)
Mobile adoption is strategic in every industry today. Although it can be a great catalyst for growth, the security risks that come with it cannot be overlooked. Even though this fact is established, many companies are still not following some of the mobile application security best practices. The goal of this talk is to raise awareness about application security by identifying some of the most critical risks facing organizations during development. We will cover everything from the basic OWASP Top 10 security issues to live demos of different use-case scenarios showing how an attacker can compromise your application, and how to prevent it.
Presentation on conducting mobile device forensics without the use of expensive commercial tools, instead utilising FOSS alternatives. Conducting manual analysis makes you a better forensic analyst and helps to discover more potential evidence. From acquisition, to analysis, to malware disassembly, this presentation provides a primer on all facets of mobile forensics.
Presentation by Saurabh Harit at the Mobile Security Summit in Johannesburg, 2011.
This presentation is about security on the iPhone and Android platforms. The presentation begins with a discussion on decrypting iPhone apps and its implications. The Android security model is discussed. The presentation ends with a series of discussions on practical Android attacks.
To some extent comparing Android and Apple in this regard is misleading. Android OS is software, designed to run on a multitude of compliant, but separate, hardware. iOS is both the software and the hardware of the iPhone. The two are inseparable. This difference cannot be overstated and its ramifications are what truly separates Apple from other computer corporations, for better and worse.
When it comes to raw numbers, iOS appears to be more secure than Android. This is partly because Apple completely controls iOS, including its App Store. For Android, the story is a little different: anyone can download the whole operating system, look for loopholes and attack apps more easily. However, Android has drastically improved its security in recent years with the release of Android O, which has stringent security guidelines and offers better security controls than past Android releases.
NETC 2012_Mobile Security for Smartphones and Tablets (pptx) (Vince Verbeke)
Are security concerns for mobile devices, like smartphones and tablets, real? Or, are claims of exponential growth in malware simply FUD? We will explore the major mobile operating systems and security concerns with each. This session will provide tips that can be shared to help your users protect their personal info and data when viewed from a mobile device. Information on mobile security programs will be shared, as well, including a look at whether free or commercial offerings provide better protection.
Mobile Security for Smartphones and Tablets (Vince Verbeke)
Are security concerns for mobile devices, like smartphones and tablets, real? Or, are claims of exponential growth in malware simply FUD? We will explore the major mobile operating systems and security concerns with each. This session will provide tips that can be shared to help your users protect their personal info and data when viewed from a mobile device. Information on mobile security programs will be shared, as well, including a look at whether free or commercial offerings provide better protection.
The fundamentals of Android and iOS app security (NowSecure)
Looking for a high-intensity bootcamp covering the basics of secure mobile development? This slideshare was originally presented by mobile security expert and NowSecure CEO Andrew Hoog for a 60-minute workshop at Security by Design covering the following topics:
+ Introduction to identifying security flaws in mobile apps (and how to avoid them)
+ Examples of secure and insecure mobile apps and how to secure them
+ Overview of secure mobile development based on the NowSecure Secure Mobile Development Best Practices
2. Securing iOS Mobile Apps
Mobile Security Talk
Introduction
Android vs iOS
Securing Your Mobile Apps
Secured Pasteboard
Application Snapshots
iOS Dataprotection API
Juice Jacking - Slurrp
Top 10 Mobile Security List
4 Myths About Mobile Security
Questions? Contact Me :)
About Me
Co-Founder and CTO at , a mobile security company that helps developers and companies build secure mobile applications. I have presented many talks and conducted workshops at conferences like BlackHat, Defcon, ToorCon, SysCan, ClubHack, NullCon, OWASP AppSec and RSA Conference.
Subho Halder / CoFounder & CTO
3. Securing iOS Mobile Applications - Subho Halder, iOS Conf SG Edition
Introduction
The Great Mobile Security Debate
01 Fragmented Applications: multiple applications for multiple platforms and multiple architectures make it difficult for app developers to keep up with security concerns.
02 Fragmented Platforms: with multiple platforms and multiple versions of the mobile operating system, the OEM faces challenges keeping security up to date.
03 Personal & Social Information: mobile devices hold your personal and social information, and applications have access to this information.
04 Businesses & Enterprise Data: with mobile being adopted at workplaces, sensitive information is now accessible to applications.
4. Android vs iOS
With the dominance of iOS and the rising popularity of Android devices in the mobile marketplace, the security of these devices is a growing concern and focus for smartphone users.
[Chart: iOS device vs Android device, bars for Vulnerable Apps, Malwares, Device Vulnerabilities and Fragmentation, scale 0-100]
The iOS Device
Despite iOS being traditionally regarded as the safest platform, there are a number of reasons why that assumption may be becoming outdated. Firstly, occurrences of ransomware, malware, rotten apps on the iTunes store, and social engineering have been coming into the news far more often in recent times.
The Android Device
Google's Android platform has become a larger target for mobile malware writers than Apple iOS. This could be a result of Android's popularity: with more than 1 million activations per day, Android smartphones command a 59% market share worldwide.
5. Securing Your Mobile Apps
The goal of this talk is to raise awareness about application security by identifying some of the most critical risks facing organizations.
6. Secured Pasteboard
Do you think the Pasteboard can be used to steal information?
7. Secured Pasteboard Vulnerabilities
Universal Clipboard changes for iOS 10 and macOS Sierra
The changes to the UIPasteboard API in iOS 10 that introduce Universal Clipboard also open a slight security vulnerability: an end user could copy a sensitive piece of data and inadvertently make it available across all their devices.
Understanding the Clipboard Contents
As a developer, you can either:
1. Flag a piece of data as "local only", in which case it will not appear in the Universal Clipboard across devices, and
2. Set an expiration date on a piece of data such that it isn't available after that date.
8. Secured Pasteboard Vulnerabilities
Flag a piece of data as "local only", in which case it will not appear in the Universal Clipboard across devices.
In one line, you set the item in the UIPasteboard with the option localOnly set to true.
9. Securing iOS Mobile Applications - Subho HalderiOS Conf SG Edition 9
Secured Pasteboard Vulnerabilities
Set an expiration date on a piece of data such that it isn’t available after that date
a Again, in one line you get to pass an expiration date for when the
UIPasteboard item should expire. You can also use these together
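The two options from slides 8 and 9 combined in one call, as an added example that is not code from the talk. The helper name, the 60-second default lifetime and the use of the plain-text UTI are assumptions; the option keys localOnly and expirationDate are the iOS 10 UIPasteboard API the slides refer to.

```swift
import UIKit

/// Added example: put a sensitive string on the general pasteboard so that it
/// stays on this device and is cleared after `ttlSeconds`.
/// (Helper name, default TTL and the plain-text UTI are our own choices.)
func copySensitiveValue(_ value: String, ttlSeconds: TimeInterval = 60) {
    let item: [String: Any] = ["public.utf8-plain-text": value]
    UIPasteboard.general.setItems([item], options: [
        .localOnly: true,                                       // never sent to Universal Clipboard
        .expirationDate: Date().addingTimeInterval(ttlSeconds)  // removed after ttlSeconds
    ])
}

// Weak form for contrast: the convenience setter takes no options, so the value
// syncs to every device on the same iCloud account and persists until overwritten.
// UIPasteboard.general.string = "one-time code 493201"

// Usage, e.g. behind a "Copy code" button (sample value is constructed):
copySensitiveValue("493201", ttlSeconds: 30)
```

A short expiry is the more important of the two options for one-time codes: localOnly only stops the value leaving the device, while the expiration also stops any app on the same device reading it later from the pasteboard.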
10. If an application goes into the background, can the data be hacked?
Application Snapshot Vulnerability
11.
Application Snapshots
These screenshots can be accessed without jailbreaking
iOS caches a screenshot of the last screen of the application, and when you tap it the application resumes. This caching technique gives the user the impression that their application has resumed immediately. This "feature" on its own is not a vulnerability, and does exactly what it is supposed to do.
So when does a feature become a vulnerability?
These screenshots can be accessed without jailbreaking, using any free tool like 'ifunbox'.
As a developer, you can blank out or blur the screen before it is minimized. This will prevent sensitive data from being captured in the screenshot.
12.
Application Snapshots
Blank out or blur the screen before it is minimized. This will prevent sensitive data from being captured in a screenshot.
You need to write this code in the application life-cycle methods; here we put an imageView over the screen while the app animates to the background.
13.
Application Snapshots
Blank out or blur the screen before it is minimized. This will prevent sensitive data from being captured in a screenshot.
Here is the code to remove the imageView when the application comes back to the foreground.
14. Have you ever used this to secure your data?
iOS Data Protection API:
NSDataWritingFileProtection
15. Securing iOS Mobile Applications - Subho Halder, iOS Conf SG Edition
iOS Data Protection API: NSFileProtection
Have you ever used this to secure your data?
NSFileProtectionNone
NSDataWritingFileProtectionNone
The file is not protected and can be read or written at any time. This is the default value.
iOS provides hardware-level encryption of files. Files marked for protection are encrypted using a per-device key, which is encrypted using the
user’s password or PIN. Ten seconds after the device is locked, the unencrypted per-device key is removed from memory. When the user unlocks the
device, the password or personal identification number (PIN) is used to decrypt the per-device key again, which is then used to decrypt the files.
NSFileProtectionComplete
NSDataWritingFileProtectionComplete
Any file with this setting is protected ten
seconds after the device is locked. Files with
this setting may not be available when your
program is running in the background. When
the device is unlocked, these files are
unprotected.
16.
iOS Data Protection API: NSFileProtection
NSFileProtectionCompleteUnlessOpen
NSDataWritingFileProtectionCompleteUnlessOpen
Files with this setting are protected ten
seconds after the device is locked unless
they’re currently open. This allows your
program to continue accessing the file while
running in the background. When the file is
closed, it will be protected if the device is
locked.
NSFileProtectionCompleteUntilFirstUserAuthentication
NSDataWritingFileProtectionCompleteUntilFirstUserAuthentication
Files with this setting are protected only between the time
the device boots and the first time the user unlocks the
device. The files are unprotected from that point until the
device is rebooted. This allows your application to open
existing files while running in the background.
17.
iOS Data Protection API: NSFileProtection
Sample usages with NSData
Sample usages with NSFileManager
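Both usages named on slide 17, NSData and NSFileManager, in one added example; this is not the talk's code. The type name, the file name and the self-check helper are our own; the option .completeFileProtection and the attribute key .protectionKey with FileProtectionType.complete are the Swift spellings of NSDataWritingFileProtectionComplete and NSFileProtectionComplete from slide 15.

```swift
import Foundation

/// Added example: store a session token under NSFileProtectionComplete and verify
/// the class that was actually applied. (Type name, file name and the
/// `protectionClass` helper are our own choices.)
enum ProtectedStore {
    static func tokenURL() -> URL {
        let dir = FileManager.default.urls(for: .applicationSupportDirectory, in: .userDomainMask)[0]
        return dir.appendingPathComponent("session.token")   // assumed file name
    }

    /// NSData route: the protection class is chosen at write time.
    static func writeToken(_ token: Data) throws {
        let url = tokenURL()
        try FileManager.default.createDirectory(at: url.deletingLastPathComponent(),
                                                withIntermediateDirectories: true)
        // .completeFileProtection == NSDataWritingFileProtectionComplete: the file becomes
        // unreadable about ten seconds after the device locks, so read it only while active.
        try token.write(to: url, options: [.atomic, .completeFileProtection])
    }

    /// NSFileManager route: raise the class of a file that already exists,
    /// e.g. one written by an earlier version of the app with a weaker class.
    static func protectExistingFile(at url: URL) throws {
        try FileManager.default.setAttributes([.protectionKey: FileProtectionType.complete],
                                              ofItemAtPath: url.path)
    }

    /// Read the attribute back; useful as a launch-time self-check or in a unit test.
    static func protectionClass(of url: URL) throws -> FileProtectionType? {
        let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
        return attrs[.protectionKey] as? FileProtectionType
    }
}

// Usage (token value is constructed):
// try ProtectedStore.writeToken(Data("opaque-session-token".utf8))
// let cls = try ProtectedStore.protectionClass(of: ProtectedStore.tokenURL())
// assert(cls == .complete)
```

If a file must stay readable for a background task (an upload that continues after the user locks the phone), use .completeUnlessOpen for the write instead, matching the CompleteUnlessOpen behaviour described on slide 16; the self-check then expects .completeUnlessOpen.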
18.
File protection is very easy, simple and hardware-optimised; you should use it in every project of yours, unless you have a good reason not to.
19. Juice jacking is a term used to describe a cyber attack in which a smartphone, tablet or other computing device is compromised through a charging port that doubles as a data connection, typically over USB.
Juice Jacking - Slurrp
20.
Juice Jacking - Slurrp
A smart phone, tablet or other computer device using a charging port that doubles as a data connection, typically over USB.
Sample charging Kiosks in Public Places
Would you trust this Public USB Kiosk to
charge your iPhone?
21. The goal of this is to raise awareness about application security by identifying
some of the most critical risks facing organizations.
Top 10 Mobile Security List
22.
Top 10 Mobile Security List
05 Poor Authorization and Authentication
Poor or missing authentication schemes allow an adversary to anonymously execute functionality within the mobile app or the backend server used by the mobile app.
04 Unintended Data Leakage
Unintended data leakage occurs when a developer inadvertently places sensitive information or data in a location on the mobile device that is easily accessible by other apps on the device.
03 Insufficient Transport Layer Protection
If the application is coded poorly, threat agents can use techniques to view this sensitive data. Unfortunately, mobile applications frequently do not protect network traffic.
02 Insecure Data Storage
Many developers assume that storing data on the client side will restrict other users from having access to this data.
01 Weak Server Side Controls
Most security experts might argue that server-side security falls outside of the area of mobile application security threats. Till last year, it was the second most important mobile security threat.
Percentages shown on the slide graphic: 80%, 43%, 64%, 72%, 19% (which risk each figure belongs to is not recoverable from the slide text).
Source: https://blog.appknox.com/category/owasp-top-10-mobile/
23.
Top 10 Mobile Security List
Risks 06 to 10
Client Side Injection
Client side injection results in the execution of malicious code on the client side, which is the mobile device, via the mobile app.
Improper Session Handling
As the name suggests, this issue arises because session tokens are not handled in the best way.
Broken Cryptography
Broken cryptography, or insecure usage of cryptography, is most common in mobile apps that leverage encryption.
Security Decisions Via Untrusted Inputs
Developers generally use hidden fields and values, or any hidden functionality, to distinguish higher level users from lower level users.
Lack of Binary Protections
A lack of binary protections within a mobile app exposes the application and its owner to a large variety of technical and business risks if the underlying application is insecure or exposes sensitive intellectual property.
24.
4 Myths About Mobile Security
"Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year." – Gartner
Myth 1: Public app stores are safe because they have security filters
Myth 2: Data encryption is not required for mobile devices
Myth 3: PCs are more secure than mobile phones
Myth 4: Two-factor authentication can be neglected for mobile security