Secure Android development involves understanding attack vectors, attack surfaces, and best security practices. The document outlines various attack vectors like buffer overflows and privilege escalation. It describes attack surfaces like the browser, system, phone/SMS, apps, and external networks. It recommends avoiding simple logic, testing third-party libraries, implementing anti-tamper techniques, securely storing sensitive data in RAM, and understanding secure deletion of data. Understanding these concepts is key to developing securely on Android.
This document summarizes a talk given by Dr. Markku-Juhani O. Saarinen on custom penetration testing (pentest) tools he developed called HAGRAT to simulate advanced persistent threats (APTs). Some key points:
- HAGRAT includes a Windows remote access tool (RAT) and Linux command and control server to remotely control Windows systems and conduct intelligence gathering.
- It was developed over 3 months for $30,000 specifically to test organizations' defenses against APTs in a safe, controlled manner.
- HAGRAT remains undetected after 18 months due to limited and controlled usage. It penetrates firewalls using HTTP and looks like normal browser traffic to avoid detection.
BackTrack is a Linux distribution focused on penetration testing with over 300 security tools. It allows testing of vulnerabilities like buffer overflows and cross-site scripting through tools like Nmap, Nikto, and Metasploit. Attackers can use these tools along with techniques like ARP poisoning to conduct remote exploits or hack passwords on Windows systems.
Kunal - Introduction to BackTrack - ClubHack2008 (ClubHack)
BackTrack is a Linux distribution focused on penetration testing with over 300 security tools. It allows testing of vulnerabilities like buffer overflows and cross-site scripting through tools like Nmap, Nikto, and Metasploit. Common attack techniques explored include man-in-the-middle attacks using ARP poisoning, password cracking through tools like John the Ripper, and hacking web servers through techniques like Google hacking.
MITRE ATT&CK and the Mueller GRU Indictment: Lessons for Organizations (Digital Shadows)
A recent indictment revealed how the GRU (Russia’s Military Intelligence agency) used both influence operations and network intrusions to achieve its policy aims. More precisely, the GRU weaponized the use of the network intrusions in its influence operations. We have used the MITRE ATT&CK framework as our methodology to play back the findings of the indictment. In doing so, we aim to provide key lessons organizations can take away from this indictment.
The document provides an overview of penetration testing basics from a presentation by The Internet Storm Center, SANS Institute, and GIAC Certification Program. It discusses the Internet Storm Center, SANS/GIAC training and certifications, common cyber threats, the methodology for penetration testing, tools used for various stages like reconnaissance, scanning, exploitation, and analysis, and the importance of reporting and mitigation strategies.
This document provides an overview of information security topics including security terminologies, authentication systems, cryptography, network and host security, wireless security, and how attackers exploit systems. It discusses concepts such as confidentiality, integrity and availability (CIA triad), authentication, authorization and accounting (AAA), vulnerabilities, threats and risks. Specific security controls are described for physical access, network segmentation, firewalls, intrusion detection systems, and firewall best practices.
This document discusses various web application security topics including SQL injection, cross-site request forgery (CSRF), cross-site scripting (XSS), session tokens, and cookies. It provides examples of each type of attack, how they work, their impact, and strategies for prevention. Specific topics covered include SQL injection examples using single quotes, comments, and dropping tables; CSRF examples using bank transfers and router configuration; and XSS examples using persistent, reflected, and DOM-based techniques.
This document discusses various security issues that can arise in source control systems. It describes buffer overflow attacks, where a program writes data past the end of a memory buffer. It also discusses citizen/casual programmers who may not follow proper security practices. Covert channels that can transfer data in violation of security policies are described. The document outlines controls and best practices around these issues like parameter checking, memory protection, and auditing and logging.
This document discusses various threats to information security, including denial of service attacks, buffer overflows, malware, password cracking, spoofing, sniffing, shoulder surfing, data remnants, social engineering, and theft. It provides details on how each threat works and potential ways to carry out attacks using different threats. The document is part of a CISSP certification training on understanding security threats and their impacts on confidentiality, integrity, and availability.
The document discusses various topics related to web application security including authenticating users, SSL protocol, padlock icons, user interface attacks, and Pretty Good Privacy (PGP). It provides details on cookie-based and token-based authentication, how SSL works to establish encrypted links, different padlock icons and what they indicate, types of user interface attacks like clickjacking and cursorjacking, and how PGP provides authentication, confidentiality, compression and compatibility for securing emails.
This document discusses security models for mobile platforms and detecting malware in the Google Play Store. It describes the security models of iOS and Android platforms, including sandboxing of apps, permissions, and code signing. It then covers different techniques for detecting malware in the Play Store, such as signature-based detection, behavior-based detection, permission analysis, and cloud-based scanning using services like Bouncer.
This document discusses various techniques for sandboxing untrusted code, including chroot jails, system call interposition, virtual machines, and software fault isolation. It notes that completely isolating applications is often inappropriate, as they need controlled ways to communicate. The key challenges are implementing reference monitors to enforce isolation policies and specifying the right policy for each application to define what behavior is allowed.
This slide deck explains the design and implementation of a firewall, and also covers the need for firewalls and firewall capabilities.
This document summarizes a presentation on ethical hacking and penetration testing. It includes:
1. An overview of what ethical hacking and penetration testing are, which involves improving security by finding vulnerabilities before hackers do.
2. The issues organizations face from internal and external risks like employees' lack of security awareness or external hackers exploiting weaknesses.
3. The tools and techniques used in penetration testing, including automated vs manual methods, external vs internal testing, and examples like denial of service, social engineering, and Google hacking.
4. Both the benefits, such as strengthened security, and the limitations, such as testing not being guaranteed to find all vulnerabilities or to account for changing technologies.
This gives insight into how people manipulate online servers to do harm, *without* exposing security risks. It simply explains what is going on during this activity and how to protect yourself.
Security+ Guide to Network Security Fundamentals, 3rd Edition, by Mark Ciampa
Knowledge and skills required for Network Administrators and Information Technology professionals to be aware of security vulnerabilities, to implement security measures, to analyze an existing network environment in consideration of known security threats or risks, to defend against attacks or viruses, and to ensure data privacy and integrity. Terminology and procedures for implementation and configuration of security, including access control, authorization, encryption, packet filters, firewalls, and Virtual Private Networks (VPNs).
CNIT 120: Network Security
http://samsclass.info/120/120_S09.shtml#lecture
Policy: http://samsclass.info/policy_use.htm
Many thanks to Sam Bowne for allowing us to publish these presentations.
This document defines and describes various methods of cybersecurity attacks. It discusses adware, backdoors, bots, brute force attacks, buffer overflows, clone phishing, crackers, denial-of-service attacks, exploit kits, firewalls, keystroke logging, logic bombs, malware, master program, phishing, phreakers, rootkits, shrink wrap code, social engineering, spam, spoofing, spyware, SQL injection, threats, and Trojans. The document provides a concise definition or description of each cybersecurity attack method in 1-2 sentences.
This document discusses techniques for footprinting, which is the initial information gathering stage of a cyber attack. It describes passive and active forms of footprinting, and lists many resources an attacker can use like search engines, website scraping tools, and people search sites to collect technical details, organizational structure, and personal information about a target before launching any attacks. Specific techniques mentioned include using DNS records, web server metadata, social media profiles, job postings, and analyzing source code for technical clues. The goal of footprinting is to understand as much as possible about a target before engaging in further hacking activities.
Cross-site scripting (XSS) is the most prevalent web application security vulnerability. XSS allows attackers to inject client-side scripts and compromise user data. Prevention methods include output encoding, input validation, and emerging defensive technologies. SQL injection is another common threat that allows attackers to execute malicious SQL statements and access sensitive data. Memory corruption vulnerabilities can also allow arbitrary code execution on a system. Cross-site request forgery and data breaches are additional security risks for web applications. Proper authentication, authorization, input validation, output encoding and other defenses are needed to help mitigate these threats.
This document discusses network penetration testing conducted by Information Security Group. Network penetration testing uncovers network weaknesses before malicious hackers can exploit them. It involves testing a network from both external and internal perspectives to identify vulnerabilities. The methodology involves information gathering, analysis and planning, vulnerability identification, exploitation, risk analysis and remediation suggestions, and reporting. Specific vulnerabilities examined include open ports and services, packet sniffing, denial of service attacks, authentication issues, and more.
This document provides an overview of zero-day vulnerabilities and techniques for discovering them, including source code auditing and fuzzing. It discusses identifying entry points, input validations, and vulnerable functions by analyzing source code. Fuzzing is introduced as providing invalid or unexpected data to test for crashes or failures. Common fuzzing methods and the fuzzing lifecycle are outlined. Specific tools for source code auditing like RIPS and fuzzing like JBroFuzz are also mentioned.
What are the most common application level attacks? To find out, take a look at these slides! Click here to learn how CASE can help you create secure applications: http://ow.ly/rARK50BVi4b
Network defenses include tools like firewalls, VPNs, and intrusion detection systems that help secure networks and protect them from cyber attacks. Firewalls act as barriers that control incoming and outgoing network traffic according to security policies. VPNs extend private networks over public networks through secure tunnels. Intrusion detection systems monitor network traffic and detect suspicious activity. Denial of service attacks aim to make network services unavailable by overwhelming them with malicious traffic. Distributed denial of service attacks use multiple compromised systems to launch large-scale attacks.
This document discusses the security implications of cloud computing and summarizes a presentation by Ben Masino of Alert Logic. It notes that web application attacks are now the number one source of data breaches, but less than 5% of security budgets are spent on application security. It also outlines some of the challenges in defending applications and workloads in the cloud, including a wide range of attacks at every layer of the stack and vulnerabilities introduced through rapidly changing code and third party tools. The document then provides an example of a data exfiltration attack against a textile company, where the attacker was able to access critical systems and steal financial and design data by exploiting known PHP flaws and leveraging captured credentials.
In this presentation I have tried to figure out common loopholes through which web applications may fall prey to attackers, common tools used in the trade, and some preventive security measures to put us on the safer side.
Web Application Penetration Testing Introduction (gbud7)
This document provides an overview of web application penetration testing. It discusses the goals of testing to evaluate security by simulating attacks. The testing process involves gathering information, understanding normal application behavior, and then applying targeted techniques to find weaknesses. The document outlines the reconnaissance, mapping, and active testing phases. It also demonstrates various tools like Burp Suite, W3AF, and SQL injection and cross-site scripting attacks.
Penetration testing is used to test the security of a website by simulating real attacks from outside. It identifies potential vulnerabilities to prevent harmful attacks. By understanding how attacks work, the IT team can fix issues and prevent larger attacks in the future. The presentation will demonstrate a penetration testing tool that checks the login page for security issues like authentication, redirects, and hidden code. Contact information is provided for any additional questions.
The document summarizes key points about web application security vulnerabilities and how to address them. It discusses common vulnerabilities like parameter manipulation, cross-site scripting, and SQL injection that occur due to improper validation of user input. It emphasizes the importance of validating all user input on the server-side to prevent attacks, and not storing sensitive values in cookies or hidden form fields that can be manipulated by attackers.
The document discusses various security threats and vulnerabilities related to mobile devices and wireless networks. It covers topics like mobile malware, attacks on authentication, services and protocols, and security issues with browsers, operating systems, software applications and network channels. Specific threats mentioned include cross-site scripting, injection flaws, buffer overflows, Trojan horses, denial-of-service attacks, and weaknesses in GSM network security. The document emphasizes that mobile device capabilities now far exceed security and that stolen or lost devices can reveal private user information.
The document provides guidelines for secure coding. It discusses the evolution of software markets and increased security threats. Common web attacks like injection, broken authentication, and sensitive data exposure are explained. The OWASP Top 10 list of vulnerabilities is reviewed. The document emphasizes the importance of secure coding practices like input validation, output encoding, and using components with no known vulnerabilities. Following a secure coding lifestyle can help developers write more secure code and protect against attacks.
The document discusses how to conduct a software exploitation attack using Metasploit Framework against a Windows XP system with Snort installed. It describes exploiting the Microsoft Graphics Rendering Engine vulnerability from 2006 using Metasploit to gain remote system access on the target. Snort's logs show it detected the attack as it occurred. The goal was to see how Snort would react to the attack.
The document discusses vulnerability assessment and penetration testing (VAPT). It defines vulnerability assessment as systematically finding security issues in a network or system through scanning, and penetration testing as exploiting vulnerabilities to prove they can cause damage. The document outlines the types of VAPT testing, steps in the process, common tools used like Nmap and ZAP, and top vulnerabilities like SQL injection and XSS. It provides examples of specific vulnerabilities found like outdated themes and XML-RPC access, and their potential impacts and solutions.
The document discusses various cybersecurity threats and vulnerabilities including trojans, viruses, sniffing, SQL injection, intrusion detection systems, firewalls, and honeypots. It provides definitions and explanations of each topic over multiple paragraphs. Trojans and viruses are defined as malicious programs that can steal data, encrypt files, or allow unauthorized access. Sniffing involves monitoring network traffic using tools like Wireshark. SQL injection is an attack that exploits vulnerabilities to execute malicious SQL statements. Intrusion detection systems detect intrusions while intrusion prevention systems can block attacks. Firewalls regulate network connections and block unauthorized access. Honeypots are decoy systems that aim to study cyber attackers.
This document discusses security challenges for enterprise mobile applications and provides recommendations to address them. It notes that 60% of corporate employees access content through public networks using mobile devices. This creates security risks as corporate data is accessed outside the firewall. The document outlines various attacks including device-based issues like lost/stolen devices, network/server attacks like spoofing and denial of service, and recommends practices for securing mobile applications and networks. These include encrypting data, using VPNs, disabling unnecessary device components, and implementing firewalls and intrusion prevention.
Kunal - Introduction to BackTrack - ClubHack2008 (uploaded by ClubHack)
BackTrack is a Linux distribution focused on penetration testing with over 300 security tools. It allows testing of vulnerabilities like buffer overflows and cross-site scripting through tools like Nmap, Nikto, and Metasploit. Common attack techniques explored include man-in-the-middle attacks using ARP poisoning, password cracking through tools like John the Ripper, and "Google hacking" to find sensitive information online.
The document discusses vulnerability scanning and OpenVAS. Vulnerability scanning involves using a scanner to identify security weaknesses. OpenVAS is an open source vulnerability scanning framework that consists of several services and tools for vulnerability scanning and management. At the center is the OpenVAS scanner which executes Network Vulnerability Tests (NVTs) from an NVT database that is regularly updated. The OpenVAS Manager receives tasks from the administrator and keeps a history of past scans.
Tools and Mechanisms for Network Security in an Organization.
Physical Security, Administrative Security and Technical Security measures have been described.
The security testing tools covered are Nessus, THC Hydra, Kismet, Nikto, Wireshark and Nmap.
This document discusses the creation of a backdoor to gain unauthorized access to a Windows computer. It begins with an abstract that outlines creating an advanced backdoor file that works like normal files but allows an attacker to retain access and make changes. The document then covers how backdoors work by bypassing authentication, different types of backdoors like Trojans and web shells, an overview of the proposed backdoor system using Python sockets and commands, and requirements for the system.
The document provides an overview of web application security. It discusses what web application security entails, which is achieving an acceptable level of security for a web application solution. It explains why web application security is important given increased reliance on web apps and their global accessibility. It outlines some common security risks like browser hijacking, cookie theft, and denial of service attacks. It also discusses how security problems should be addressed earlier in the development lifecycle to reduce costs. The document then delves into specific vulnerabilities like hidden field manipulation, cookie poisoning, buffer overflows, and cross-site scripting attacks. Examples are provided to illustrate how attackers can exploit these vulnerabilities.
Protecting location privacy in sensor networks against a global eavesdropper (uploaded by Shakas Technologies)
The document discusses techniques for providing location privacy in sensor networks against a global eavesdropper. It proposes four techniques - periodic collection, source simulation, sink simulation, and backbone flooding - to provide location privacy for monitored objects (source location privacy) and data sinks (sink location privacy). These techniques provide trade-offs between privacy, communication cost, and latency. Analysis and simulation demonstrate that the proposed techniques are efficient and effective for providing source and sink location privacy in sensor networks.
The document provides information on vulnerability assessment and penetration testing. It defines vulnerability assessment as a systematic approach to finding security issues in a network or system through manual and automated scanning. Penetration testing involves exploring and exploiting any vulnerabilities that are found to confirm their existence and potential damage. The document outlines the types of testing as blackbox, graybox, and whitebox. It also lists some common tools used for testing like Nmap, ZAP, Nikto, WPScan, and HostedScan. Finally, it provides examples of specific vulnerabilities found and their solutions, such as outdated themes/plugins, backup files being accessible, and SQL injection issues.
Computer Network Case Study - bajju.pptx (uploaded by ShivamBajaj36)
This document discusses various computer network attacks and vulnerabilities. It covers topics like ransomware, IoT attacks, social engineering, man-in-the-middle attacks, denial of service attacks, distributed denial of service attacks, SQL injection, SSL stripping, URL misinterpretation, directory browsing, input validation vulnerabilities, and vulnerabilities in each layer of the OSI model. The goal is to provide an overview of common network attacks and how they can be carried out.
Catch Me If You Can - Finding APTs in your network (uploaded by DefCamp)
Adrian Tudor & Leo Neagu in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
This document discusses various application security topics such as downloading files securely, handling secrets and temporary tokens, implementing third-party sites securely, privacy risks of third-party monitoring and analytics on sensitive pages, push notifications versus SMS, securely using FFmpeg and ImageMagick, serving user content securely, implementing cryptography securely, and applying rate limits. It provides advice on how to address each topic securely, such as only allowing certain schemes, ports and domains for file downloads, short expiration times for temporary tokens, sandboxing or isolating third-party components, and not implementing one's own crypto.
1. The document discusses various techniques for managing ideas and the creative process, including brainstorming and idea management. It provides tips for forming creative teams, generating ideas, developing ideas, and implementing ideas effectively.
2. Some of the key points covered include understanding brainstorming principles, avoiding things that can undermine brainstorming, formulating clear goals, mixing up creative teams, using doodles to visualize ideas, evaluating ideas against selection criteria, and ensuring proper support for implementation.
3. The overall message is that managing ideas like a process and following best practices at each stage can help teams be more innovative and successful at transforming ideas into reality.
The Android Open Accessory protocol allows communication between Android devices and USB accessories. It defines how Android apps declare support for accessories and how data is transferred over USB. Accessories identify themselves by sending strings to the Android device, then enter accessory mode to allow two-way communication over a USB interface using intents and file descriptors.
The document summarizes the lifecycle of a pixel from capturing light with a sensor to final storage as a JPEG file. It discusses how light is converted to electrical signals via photochemistry, thermal physics, or photophysics. A CMOS sensor array captures this data as pixels organized into rows and columns. A Bayer filter arranges RGB colors on the sensor. The raw pixel data is converted to RGB and compressed to JPEG format. JPEG uses discrete cosine transform (DCT) and quantization to remove high frequency data and compress the file, resulting in some loss of quality but much smaller file size.
The document describes the Java Virtual Machine (JVM), Dalvik virtual machine, and Android Runtime (ART). It explains that the JVM interprets Java bytecode, Dalvik was developed for Android and compiles .class files to .dex files, and ART replaced Dalvik by compiling Dalvik bytecode to native instructions for improved performance. It then provides an example of Java bytecode for a sample method and step-by-step interpretation of the bytecode instructions.
Binder is what differentiates Android from Linux; it is the most important internal building block of Android and a subject every Android programmer should be familiar with.
The document discusses several Java and Android internals topics:
1. How ArrayList and StringBuilder work internally using arrays and memory copying as the size increases. This can lead to inefficient memory usage.
2. How inner classes are implemented by compilers by generating additional accessor methods, increasing method count and affecting optimizations.
3. How the Android zygote process improves startup and memory usage by loading the framework once and sharing it across apps.
4. How the CPU cache works and how optimizing code to improve cache locality can significantly increase performance despite doing less work.
5. Issues like memory fragmentation that can occur if the Android garbage collector and compactor are unable to run due to the app being
Kotlin is a concise, safe, and statically typed programming language that compiles to JVM bytecode and JavaScript. It focuses on interoperability with Java and solves many Java pitfalls. Kotlin removes verbosity like semicolons and replaces "extends" and "implement" with a colon. Functions are defined with the "fun" keyword and return types follow. Properties are treated like fields. Kotlin avoids null references through null safety features like the safe call operator and non-null assertion operator. When expressions replace switch statements. Extension functions can extend existing classes without subclassing.
DDS Security Version 1.2 was adopted in 2024. This revision strengthens support for long-running systems, adding new cryptographic algorithms, certificate revocation, and hardening against DoS attacks.
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris (uploaded by Neo4j)
Dr. Jesús Barrasa, Head of Solutions Architecture for EMEA, Neo4j
Discover the latest innovations from Neo4j, including the latest cloud integrations and product improvements that make Neo4j an essential choice for developers building applications with interconnected data and generative AI.
Takashi Kobayashi and Hironori Washizaki, "SWEBOK Guide and Future of SE Education," First International Symposium on the Future of Software Engineering (FUSE), June 3-6, 2024, Okinawa, Japan
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code (uploaded by Aftab Hussain)
Understanding variable roles in code has been found to be helpful by students in learning programming. Could variable roles help deep neural models in performing coding tasks? We do an exploratory study.
- These are slides of the talk given at InteNSE'23: The 1st International Workshop on Interpretability and Robustness in Neural Software Engineering, co-located with the 45th International Conference on Software Engineering, ICSE 2023, Melbourne Australia
What is Augmented Reality Image Tracking (uploaded by pavan998932)
Augmented Reality (AR) Image Tracking is a technology that enables AR applications to recognize and track images in the real world, overlaying digital content onto them. This enhances the user's interaction with their environment by providing additional information and interactive elements directly tied to physical images.
GraphSummit Paris - The art of the possible with Graph Technology (uploaded by Neo4j)
Sudhir Hasbe, Chief Product Officer, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Microservice Teams - How the cloud changes the way we work (uploaded by Sven Peters)
A lot of technical challenges and complexity come with building a cloud-native and distributed architecture. The way we develop backend software has fundamentally changed in the last ten years. Managing a microservices architecture demands a lot of us to ensure observability and operational resiliency. But did you also change the way you run your development teams?
Sven will talk about Atlassian’s journey from a monolith to a multi-tenanted architecture and how it affected the way the engineering teams work. You will learn how we shifted to service ownership, moved to more autonomous teams (and its challenges), and established platform and enablement teams.
Graspan: A Big Data System for Big Code Analysis (uploaded by Aftab Hussain)
We built a disk-based parallel graph system, Graspan, that uses a novel edge-pair centric computation model to compute dynamic transitive closures on very large program graphs.
We implement context-sensitive pointer/alias and dataflow analyses on Graspan. An evaluation of these analyses on large codebases such as Linux shows that their Graspan implementations scale to millions of lines of code and are much simpler than their original implementations.
These analyses were used to augment the existing checkers; these augmented checkers found 132 new NULL pointer bugs and 1308 unnecessary NULL tests in Linux 4.4.0-rc5, PostgreSQL 8.3.9, and Apache httpd 2.2.18.
- Accepted in ASPLOS ‘17, Xi’an, China.
- Featured in the tutorial, Systemized Program Analyses: A Big Data Perspective on Static Analysis Scalability, ASPLOS ‘17.
- Invited for presentation at SoCal PLS ‘16.
- Invited for poster presentation at PLDI SRC ‘16.
SOCRadar's Aviation Industry Q1 Incident Report is out now!
The aviation industry has always been a prime target for cybercriminals due to its critical infrastructure and high stakes. In the first quarter of 2024, the sector faced an alarming surge in cybersecurity threats, revealing its vulnerabilities and the relentless sophistication of cyber attackers.
SOCRadar’s Aviation Industry, Quarterly Incident Report, provides an in-depth analysis of these threats, detected and examined through our extensive monitoring of hacker forums, Telegram channels, and dark web platforms.
3. Attack Vector
Definition: an attack vector is a method that malicious code uses to propagate itself or infect a computer.
● Example 1: sending an MMS with an attached video that triggers a Stagefright multimedia framework buffer overflow when the video metadata is processed
● Example 2: triggering adb sessions in a loop until the user's max_pid limit is reached, thus obtaining a root shell, as adbd does not check the setuid return value
● Example 3: a WebKit JavaScript parseFloat bug that can trigger malicious code, even yielding a root shell, when browsing to a web page
4. Attack Surface
Definition: the sum of the attack vectors in a software environment through which an attacker can try to enter data into, or extract data from, a computer.
● Example 1: WebKit, exposed both to apps and to the outside world (servers)
● Example 2: the baseband, exposed to apps via the telephony framework and to the outside world via MMS, SMS and phone calls
● Example 3: Stagefright, exposed to local apps, to MMS attacks (metadata is processed when the MMS notification is built) and to outside servers
5. Mobile Attack Surface: the device
● Browser: phishing, framing, clickjacking, man in the middle, buffer overflow, data caching
● System: passcode, rooting, OS data caching, keystore, bloatware, encryption
● Phone/SMS/MMS: baseband attacks, SMiShing, MMSishing
● Apps: sensitive data storage, encryption, SSL validation, config manipulation, dynamic runtime inspection, unintended permissions, escalated privileges
● INSTALLED MALWARE!!!
6. External Attack Surfaces
● The Network: Wi-Fi encryption, rogue access point, sniffing, man in the middle, session hijacking, DNS poisoning, SSL strip, fake SSL certificate
● Web Server: platform vulnerabilities, misconfiguration, XSS (cross-site scripting), CSRF/XSRF (cross-site request forgery), weak input validation, brute-force attacks
● Database: SQL injection, privilege escalation, data dumping, OS command execution
7. Browser based attacks
● Phishing - acquiring personal data by masquerading as a trusted entity
● Framing - delivering a Web/WAP site in an iframe, which can enable clickjacking
● Clickjacking - taking control of the user's device, or forcing the user to reveal confidential information, when they click a link or a button wired up via embedded code
● Drive-by downloading - a web site causes a download without the user's knowledge
● Man in the mobile (MitMo) - malware circumventing identity verification systems that use SMS
8. Phone/SMS based attacks
● Baseband attacks - exploit vulnerabilities in the GSM/3GPP baseband processor
● SMiShing - similar to phishing, uses SMS/MMS to prompt users to visit illegitimate sites
● RF attacks (Bluejacking, NFC and other exploits) - using vulnerabilities in the various peripheral communication channels typically used for nearby device-to-device communication
9. Application based attacks
● Sensitive data storage - 83% of popular apps store data insecurely
● Encryption - apps allow transfer of weakly encrypted or unencrypted sensitive data
● Improper SSL validation - bugs in SSL validation may allow data breaches
● Config manipulation - gaining unauthorized access to administration interfaces
● Dynamic runtime injection - manipulating and abusing the application runtime to bypass security locks
● Unintended permissions - misconfigured apps can open the door to an attacker by granting unintended permissions
● Escalated privilege - uses a bug to gain access to resources protected from the app or user
10. OS based attacks
● No passcode - users do not set a passcode or PIN, or set a weak one
● Rooting - allows users to alter or replace applications or settings by acquiring privileged account access
● Passwords and data accessible - exploiting vulnerabilities in crypto mechanisms and keystores to get passwords and certificates
● Bloatware - pre-installed software can contain security flaws
● Zero-day exploits - attacks that occur between the day a vulnerability is discovered and the day a patch is released
11. Network based attacks
● Wi-Fi - apps that fail to implement encryption when used on public Wi-Fi run the risk of being intercepted; when connected to a LAN, you are not protected by a firewall
● Rogue access points - installing an unauthorized wireless access point
● Packet sniffing - an intruder captures and analyzes network traffic
● Man in the middle (MITM) - sniffing, intercepting and modifying sent data/responses
● SSLStrip - a MITM that exploits a weakness in SSL/TLS on web sites
● Session hijacking - exploitation of a session key to gain unauthorized access
● DNS poisoning - DNS can be used to direct users to a fake server
● Fake SSL certs - a MITM that involves issuing fake SSL certs that allow interception
12. Server based attacks
● Platform vulnerabilities - vulnerabilities in the server OS, software or app modules
● Misconfiguration - a poorly configured server may allow unauthorized access
● Cross-site scripting (XSS) - an attack that involves injecting JS into a website
● Cross-site request forgery (CSRF) - tricking a browser into executing requests; used once an attacker has gained control of the user's session via XSS, social engineering, etc.
● Weak input validation - servers trust apps to validate user-submitted data, so a hacker can forge communications or exploit the app into unintended behavior
● Brute-force attacks - guessing valid inputs, often using dictionaries; the most common usage is password guessing
13. Database attacks
● SQL injection - when user input is not validated, it can be used to modify the SQL query being made
● OS command execution - similar to injection; some databases provide means of executing OS-level commands
● Privilege escalation - an attacker leverages some exploit to gain greater access, thus exposing/stealing sensitive data
● Data dumping - an attacker causes the database to dump some or all of the data within it, exposing sensitive records
14. Notable Hacking Techniques
● Brute force/dictionary attacks - the attacker uses a dictionary to try to guess user inputs, usually passwords
● Fuzzing - the attacker scripts random calls to the app's exposed interfaces and records the results; a crash or freeze often indicates an exploitable interface
● Heap spraying - filling the heap with malicious executable code in the hope that badly written code will pick it up and execute it
● Stack overflowing - writing too much data to a stack array, thus overwriting variables and return addresses on the application stack
● Return oriented programming (ROP) - a technique where the attacker maps snippets of executable code in memory (gadgets) and builds a chain of them to execute an attack
15. Notable Anti-Hacking Features
● XN (execute never, or NX) - a processor feature that marks memory as executable or not executable; if memory is not executable and the instruction pointer points to it, an access violation exception is raised and the kernel terminates the program (prevents execution of code in data memory, forces hackers to do ROP)
● Stack cookies - a random integer added to the start and end of a stack entry; upon exiting the code block (stack pop), the values are compared (anti stack overflowing)
● ASLR (address randomization) - libraries are loaded at random addresses (gadgets need to be re-found every time the app runs)
● RELRO - executable data sections are reordered so that process data precedes user data (stack overflowing is harder)
● Bind now - lib symbols are lazily resolved, loaded only when used (fewer gadgets)
16. Code complexity and obfuscation
● Increasing code complexity makes it harder to understand how the application operates when reverse engineering it
● Obfuscation hides method and variable names, thus hiding their real purpose
● Restricting debuggers prevents a hacker from examining the running app's flow and stack, using the ptrace(PT_DENY_ATTACH, …) system call
● Trace checking - the app can check whether a debugger is attached via /proc/self
● Optimizations hide mathematical computations and other types of complex logic
● Stripping native binaries increases the time and skill required to reverse your app: compile without debug data, disable stack unwinding and, if possible, disable C++ exceptions to prevent fuzzing from revealing too much
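As an added example (not code from the original deck), the trace check above can be implemented by reading the TracerPid field of /proc/self/status; the parser is separated from the file read so it can be exercised on constructed input.

```java
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;

/** Added example: reads the TracerPid field that the Linux kernel exposes in /proc/self/status. */
public final class TraceCheck {

    /** Parses the TracerPid value out of the text of a /proc/<pid>/status file; 0 means no tracer. */
    static int tracerPid(String statusText) {
        for (String line : statusText.split("\n")) {
            if (line.startsWith("TracerPid:")) {
                return Integer.parseInt(line.substring("TracerPid:".length()).trim());
            }
        }
        return -1; // field absent: this is not a Linux procfs status file
    }

    /** True when a debugger or other ptrace-based tool is currently attached to this process. */
    static boolean isTraced() {
        StringBuilder sb = new StringBuilder();
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/status"))) {
            String line;
            while ((line = r.readLine()) != null) {
                sb.append(line).append('\n');
            }
        } catch (IOException e) {
            return false; // no procfs (not Linux/Android): cannot tell, report untraced
        }
        return tracerPid(sb.toString()) > 0;
    }

    public static void main(String[] args) {
        // Constructed sample of /proc/self/status content as it looks with a debugger attached.
        String sample = "Name:\tapp_process\nState:\tt (tracing stop)\nPid:\t1234\nTracerPid:\t4321\n";
        System.out.println("sample tracer pid = " + tracerPid(sample)); // 4321
        System.out.println("this process traced = " + isTraced());
    }
}
```

On Android this complements android.os.Debug.isDebuggerConnected(), which only reports a Java-level (JDWP) debugger.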
18. Avoid simple logic
Using simple logic makes your application more susceptible to attack. Code such as this introduces a single point of failure:
if(sessionIsTrusted) { …
Consider a better programming paradigm, where privileges are enforced by the server, sensitive data is encrypted, or whether a session is trusted is determined by challenge/response, OTP, or another form of authentication.
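An added example, not part of the original slides, of the challenge/response alternative: the server issues a random challenge and accepts the session only when the client's HMAC over it verifies, so no single client-side boolean decides trust. The shared key and session id are constructed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example: session trust established by an HMAC challenge/response instead of a
 * single boolean such as "if (sessionIsTrusted)". The shared key is assumed to have been
 * provisioned at registration time (a placeholder here).
 */
public final class SessionTrust {
    private static final String ALG = "HmacSHA256";

    /** Server side: a fresh random challenge for this login attempt. */
    static byte[] newChallenge(SecureRandom rng) {
        byte[] challenge = new byte[32];
        rng.nextBytes(challenge);
        return challenge;
    }

    /** Client side: prove possession of the shared key by MAC-ing the challenge and the session id. */
    static byte[] respond(byte[] sharedKey, byte[] challenge, String sessionId) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(sharedKey, ALG));
        mac.update(challenge);
        mac.update(sessionId.getBytes(StandardCharsets.UTF_8));
        return mac.doFinal();
    }

    /** Server side: recompute and compare in constant time; the client's own flag is never consulted. */
    static boolean verify(byte[] sharedKey, byte[] challenge, String sessionId, byte[] response)
            throws Exception {
        byte[] expected = respond(sharedKey, challenge, sessionId);
        return MessageDigest.isEqual(expected, response);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] key = new byte[32];
        rng.nextBytes(key);                       // constructed: the provisioned shared secret
        byte[] challenge = newChallenge(rng);

        byte[] good = respond(key, challenge, "session-42");
        System.out.println("genuine client accepted: " + verify(key, challenge, "session-42", good));

        byte[] wrongKey = new byte[32];           // a client that does not hold the key
        byte[] forged = respond(wrongKey, challenge, "session-42");
        System.out.println("forged response accepted: " + verify(key, challenge, "session-42", forged));

        // A valid response replayed against a later challenge also fails.
        byte[] next = newChallenge(rng);
        System.out.println("replayed response accepted: " + verify(key, next, "session-42", good));
    }
}
```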
19. Test Third-Party Libraries
Third-party libraries need to be security-audited to the same level as application code. Upgrading a library or OS version should be treated as an upgrade of the version of your app.
Do not fully trust even the on-device framework, as it can be modified by an attacker. Example: when using ART, Android devices compile the framework dex files to OAT files whenever the framework is upgraded and save them in the /data/dalvik-cache directory, which is writable. The compiler, dex2oat, exists on the device, and an attacker can re-compile the framework supplying a malicious version of the code. See the "Hiding Behind ART" 2015 BlackHat talk.
20. Implement anti-tamper techniques
Attackers can tamper with an app, re-sign it and publish it to marketplaces. Use checksums, signatures, and other validation mechanisms, and validate them against a server before assuming a secure environment.
Example: when validating a session with the server, include the application signature in the protocol, so it can be checked against a database of released versions. A similar check can be implemented locally.
21. Securely Store Sensitive Data in RAM
Android applications keep data in RAM even after use, until the memory is reclaimed.
Do not keep sensitive data such as encryption keys and passwords in RAM longer than necessary. Avoid using immutable objects such as java.lang.String for them, and use a char array instead. If possible, overwrite the data when you are done with it.
22. Understand Secure Deletion of Data
Deleting a file only detaches its pointer; the data is not overwritten and can be recovered. Overwriting the data is not recommended, as it wears out NAND flash.
Whenever possible, avoid storing sensitive data on the device. If that is not possible, store it encrypted.
23. Avoid Query Strings for Sensitive Data
HTTP GET query parameters are visible and can be cached.
Use HTTP POST with XSRF token protection. Whether using POST or GET, temporary session cookies should be used. Encrypting data using a non-zero initialization vector and temporary session keys can also help.
24. Implement Secure Data Storage
Storing data securely on a mobile device requires proper techniques.
Whenever possible, do not store/cache data. Transmit and display, but do not persist in memory or storage. When done with sensitive data, zero the memory where it was stored. If storing data is unavoidable, add a layer of verified third-party encryption. Be careful with built-in encryption: for example, "AES" defaults to the less secure AES-ECB mode, so it is better to specify AES-CBC or AES-GCM with a 256-bit key explicitly. Also, the framework could be compromised.
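An added example (not from the original deck) that combines slides 21 and 24: the passphrase lives in a char[] that is wiped in a finally block, and encryption names AES/GCM/NoPadding with a 256-bit PBKDF2-derived key rather than relying on the "AES" default. The passphrase, salt and token values are constructed sample input.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example: sensitive material kept in wipeable arrays and sealed with an explicit
 * AES-256-GCM transformation. Cipher.getInstance("AES") alone selects AES/ECB/PKCS5Padding.
 */
public final class SecretStore {
    private static final String TRANSFORMATION = "AES/GCM/NoPadding";
    private static final int KEY_BITS = 256, IV_BYTES = 12, TAG_BITS = 128, PBKDF2_ITERATIONS = 100_000;

    /** Derives an AES-256 key from a passphrase; the caller still owns (and must wipe) the char[]. */
    static SecretKey deriveKey(char[] passphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, PBKDF2_ITERATIONS, KEY_BITS);
        try {
            byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            SecretKey key = new SecretKeySpec(raw, "AES"); // SecretKeySpec copies the bytes
            Arrays.fill(raw, (byte) 0);                     // so the temporary can be wiped
            return key;
        } finally {
            spec.clearPassword();                           // PBEKeySpec keeps its own copy
        }
    }

    /** Returns iv || ciphertext || tag; a fresh random IV per message is mandatory for GCM. */
    static byte[] seal(SecretKey key, byte[] plaintext, SecureRandom rng) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        rng.nextBytes(iv);
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[IV_BYTES + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_BYTES);
        System.arraycopy(ct, 0, out, IV_BYTES, ct.length);
        return out;
    }

    /** Throws AEADBadTagException if the blob was modified: tampering is detected, not decrypted. */
    static byte[] open(SecretKey key, byte[] blob) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
        return cipher.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] salt = new byte[16];
        rng.nextBytes(salt);
        // Constructed input: in a real app the passphrase comes from a password field as a
        // char[], never as a java.lang.String, which cannot be wiped.
        char[] passphrase = "correct horse battery staple".toCharArray();
        byte[] secret = "api-token-EXAMPLE".getBytes(StandardCharsets.UTF_8);
        try {
            SecretKey key = deriveKey(passphrase, salt);
            byte[] blob = seal(key, secret, rng);
            byte[] back = open(key, blob);
            System.out.println("round trip ok: " + Arrays.equals(secret, back));
            Arrays.fill(back, (byte) 0);
            blob[blob.length - 1] ^= 1;                     // flip one bit of the GCM tag
            try {
                open(key, blob);
                System.out.println("tamper undetected");
            } catch (AEADBadTagException e) {
                System.out.println("tamper detected");
            }
        } finally {
            Arrays.fill(passphrase, '\0');                  // wipe as soon as no longer needed
            Arrays.fill(secret, (byte) 0);
        }
    }
}
```

PBKDF2WithHmacSHA256 is available from Android API 26; on older releases substitute PBKDF2WithHmacSHA1 or a key held in the Android Keystore.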
25. Use SECURE Setting For Cookies
A cookie not marked as Secure may be transmitted over an insecure connection. Set-Cookie headers should use the "Secure" and "HttpOnly" attributes.
26. Fully Validate SSL/TLS
Many apps do not implement proper validation of certificates. Make sure to properly implement X509TrustManager's checkClientTrusted and checkServerTrusted. Do not setHostnameVerifier to SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER.
27. Fully Validate SSL/TLS: good practice
import java.io.InputStream;
import java.security.KeyStore;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
// Trust store bundled in res/raw as a BKS keystore; resources, certificateRawResource, password and httpParams come from the surrounding code
InputStream in = resources.openRawResource(certificateRawResource);
KeyStore keyStore = KeyStore.getInstance("BKS");
keyStore.load(in, password); // the stream opened above, not an undefined resourceStream
in.close();
SchemeRegistry schemeRegistry = new SchemeRegistry(); // only certificates chaining to this keystore are trusted for https
schemeRegistry.register(new Scheme("https", new SSLSocketFactory(keyStore), 443));
ThreadSafeClientConnManager clientMan = new ThreadSafeClientConnManager(httpParams, schemeRegistry);
httpClient = new DefaultHttpClient(clientMan, httpParams);
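The same bundled-trust-store approach with the javax.net.ssl classes that are current on Android, added here as an example rather than taken from the deck; the keystore path, type, password and URL are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example: trust only the certificates bundled in the app's own keystore, using
 * javax.net.ssl instead of the deprecated Apache HttpClient classes. Hostname verification is
 * deliberately left at its default; an allow-all HostnameVerifier is never installed.
 */
public final class PinnedTls {

    /**
     * Builds an SSLContext whose trust anchors come only from the given keystore.
     * keystoreType is "BKS" for a keystore shipped in res/raw on Android, "PKCS12" on a desktop JDK.
     */
    static SSLContext pinnedContext(InputStream keystoreStream, String keystoreType, char[] password)
            throws Exception {
        KeyStore trustStore = KeyStore.getInstance(keystoreType);
        try (InputStream in = keystoreStream) {
            trustStore.load(in, password);
        }
        // TrustManagerFactory yields a real X509TrustManager that performs chain, expiry and
        // usage checks; a hand-written one whose check methods return without throwing is the
        // classic mistake the slide warns about.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Opens an HTTPS connection that fails closed for any server not chaining to the bundled anchors. */
    static HttpsURLConnection openPinned(URL url, SSLContext ctx) throws Exception {
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IllegalArgumentException("cleartext URL refused: " + url);
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier stays in place: the certificate must match url.getHost().
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: trust store path/password and the API endpoint are not from the deck.
        String path = args.length > 0 ? args[0] : "truststore.p12";
        SSLContext ctx = pinnedContext(new FileInputStream(path), "PKCS12", "changeit".toCharArray());
        HttpsURLConnection conn = openPinned(new URL("https://api.example.com/session"), ctx);
        // An SSLHandshakeException here means the server did not chain to a bundled anchor.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```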
28. Protect Against SSL Downgrade
A form of MITM: the attacker bypasses SSL/TLS by hijacking HTTP traffic, monitoring for HTTPS requests and eliminating SSL/TLS.
Serve all traffic over TLS, even non-sensitive traffic; the attacker needs an entry point to accomplish the attack. Validate that TLS is active. From Marshmallow, a new application attribute was added to the manifest. Make sure it is defined:
android:usesCleartextTraffic="false"
29. Limit Use of UUID
Using the UUID, IMEI or similar for user identification is a privacy concern, and after the phone is reset, the next user will gain access to the previous user's data.
It is recommended to create an app-unique device factor at the time of registration, installation or first execution.
30. Treat Geolocation Data Carefully
Mishandling GPS data is a privacy concern, as it may reveal the user’s present and
past locations. Apps with access to the gallery can read geolocation data from the
EXIF tags of pictures.
Unless required, do not access or store location data, and if possible use coarser
data. When working in secure locations, remember that GPS data may be reported
by various applications to their servers. Do not activate GPS in applications that
will run in secure locations.
31. Institute local session timeout
Mobile devices are frequently lost or stolen; an attacker can use an active session to
access sensitive data, execute transactions, or perform reconnaissance on the
device owner’s accounts.
When the app has not been used for 5 minutes, terminate the session and redirect
the user to the login screen, ensure that no app data is visible, and require the user
to re-enter their login credentials to access the app. Also, after the timeout, clear
all memory associated with user data, including the master keys used to decrypt.
And make sure that the timeout occurs on both server and client.
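An added example of the client-side half of this practice, not code from the original slides: a small session manager with an injectable clock, a 5-minute inactivity limit, and a logout path that zeroes the master key so nothing derived from the credentials survives the timeout. The key bytes in main are constructed for the demo; the server-side session must be invalidated separately.

```java
import java.util.Arrays;
import java.util.function.LongSupplier;

/** Added example: inactivity timeout that also wipes key material on expiry. */
public final class SessionManager {
    public static final long TIMEOUT_MS = 5 * 60 * 1000L;  // 5 minutes, as the slide recommends

    private final LongSupplier clock;      // injectable so the behaviour can be tested offline
    private byte[] masterKey;              // decryption key held only while the session lives
    private long lastActivity;
    private boolean loggedIn;

    public SessionManager(LongSupplier clock) { this.clock = clock; }

    public void login(byte[] masterKey) {
        this.masterKey = masterKey.clone();
        this.lastActivity = clock.getAsLong();
        this.loggedIn = true;
    }

    /** Call from every Activity's onResume and on every user interaction. */
    public void touch() {
        if (isActive()) lastActivity = clock.getAsLong();
    }

    /** True only if logged in and idle for no longer than TIMEOUT_MS; expires otherwise. */
    public boolean isActive() {
        if (!loggedIn) return false;
        if (clock.getAsLong() - lastActivity > TIMEOUT_MS) {
            logout();
            return false;
        }
        return true;
    }

    /** Terminates the session and zeroes everything derived from the user's credentials. */
    public void logout() {
        loggedIn = false;
        if (masterKey != null) {
            Arrays.fill(masterKey, (byte) 0);
            masterKey = null;
        }
        // The caller should also end the server-side session and show the login screen
    }

    /** Hands out the key only while the session is alive. */
    public byte[] masterKey() {
        if (!isActive()) throw new IllegalStateException("session expired");
        return masterKey;
    }

    public static void main(String[] args) {
        long[] now = {0L};                           // fake clock in milliseconds
        SessionManager sm = new SessionManager(() -> now[0]);
        sm.login(new byte[] {1, 2, 3, 4});           // constructed key material for the demo
        now[0] += 4 * 60 * 1000L;
        sm.touch();                                  // user activity resets the idle clock
        now[0] += 4 * 60 * 1000L;
        System.out.println("active after 4 min idle: " + sm.isActive());
        now[0] += 6 * 60 * 1000L;
        System.out.println("active after 6 min idle: " + sm.isActive());
    }
}
```

On Android, wire touch() into a base Activity's onResume and onUserInteraction, and have every screen call isActive() before rendering data so an expired session always lands on the login screen.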
32. Implement Enhanced / Two-Factor Authentication
Weak or non-existent authentication can grant an attacker unauthorized access
to an app.
A password should not be simplistic. It’s best to require, or at least support,
complex passwords, including a length of at least six alphanumeric characters
(more characters is always stronger). Requiring the selection of a secret word
or icon (which the user does not create themselves) as part of the log-in
process can help protect users' accounts in the event they re-use passwords
and their password was exposed as part of another data compromise.
33. Protect Application Settings
Developers often store settings in a shared preferences XML file or SQLite
databases, which are not encrypted by default and can be read or even
modified with root permissions, or using backup procedures.
Compile settings into the code when possible. Configuration inside app code
requires more time and skill for attackers to modify. Don’t store any
critical settings in dictionaries or other files unless they are encrypted first.
Ideally, encrypt all configuration files using a master key that is itself encrypted
with a passphrase supplied by the user, or with a key provided remotely when the
user logs into a system.
34. Hide Account Numbers and Use Tokens
Many apps store complete account numbers in various screens.
Given the widespread use of mobile apps in public places, displaying partial
numbers (e.g. *9881) can help ensure maximum privacy for this information.
Unless there is a need to store the complete number on the device, store the
partially hidden numbers.
35. Implement Secure Network Transmission Of Sensitive Data
Unlike web browsers, mobile devices typically do not disclose whether or not
an app uses SSL/TLS to secure the transmission of data, and so app users
simply have to trust that the app’s developer has implemented network
encryption.
Use SSL/TLS either with standard trust validation or, for increased security,
implement certificate pinning (see also best practice “Fully Validate SSL/TLS”
and the OWASP “Pinning Cheat Sheet”). To prevent leaks via a compromised
SSL/TLS connection, additionally encrypt highly sensitive data such as logins,
passwords and credit card numbers with AES using a 256-bit key.
36. Validate Input From Client
Even if data is generated by your app, it is possible for this data to have
been intercepted and manipulated. This could include attacks that cause the
app to crash (generating a key crash log), buffer overflows, SQL injection, and
other attacks.
As with proper web application security, all input from the client must be
treated as untrusted. Services must thoroughly filter and validate input from
the app and the user. Proper sanitization covers all user input, both before
transmitting it and on receipt.
37. Avoid Storing App Data in Backups
Performing a backup of the data on an Android or iOS device can potentially
also back up sensitive information stored within an app’s private directory.
By default, the allowBackup flag within an Android app’s Manifest file is set to
true. This results in an Android backup file (backup.ab) including all
subdirectories and files contained within the app’s private directory on the
device’s file system. Therefore, explicitly declare the allowBackup flag as false.
38. Avoid Caching App Data
Data can be captured in a variety of artifacts – many unintended. Developers
often overlook some of the ways data can be stored, including log/debug files,
cookies, web history, web cache, property lists, files and SQLite databases.
Storing data securely on a mobile device requires proper technique. Whenever
possible, simply do not store or cache data. This is the surest way to avoid
data compromise on the device.
Prevent HTTP caching. Developers can configure Android not to cache web
data, particularly HTTPS traffic. In addition, we recommend that steps be taken
to avoid caching of URL history and page data for any Web process such as
39. Avoid Crash Logs
There are several frameworks for tracking usage and collecting crash logs on
iOS and Android. Both are useful tools for development, but it is important to
find a balance between enough debug information for the developers and
reduced information for attackers.
Ensure released apps are built without warnings and are thoroughly tested to
avoid crashes. This is certainly always the goal and worth mentioning due to
the value of a crash log. In addition, if the app is obfuscated and stripped, the
developer will need to keep an address-to-symbol database in order to recover
meaningful backtraces from crash logs, which makes the attacker's life harder
because the function names in the log are no longer understandable.
40. Carefully Manage Debug Logs
Debug logs are generally designed to be used to detect and correct flaws in an
application. These logs can leak sensitive information that may help an
attacker create a more powerful attack.
Developers should consider the risk that debug logs may pose in a production
setting. Generally we recommend that they are disabled in production. It is
more secure if logging calls are stripped in the obfuscation/minifying process
rather than guarded by a variable that is evaluated at runtime.
SET THE “ANDROID:DEBUGGABLE” FLAG TO “FALSE” IN PRODUCTION BUILDS!
41. Be Aware of the Keyboard Cache
The keyboard logs what users type in order to provide features such as customized
auto-correct and form completion, but sensitive data may also be stored.
Android contains a user dictionary, where words entered by a user can be
saved for future auto-correction. This user dictionary is available to any app
without special permissions. For increased security, consider implementing a
custom keyboard (and potentially PIN entry), which can disable caching and
provide additional protection against malware.
42. Be Aware of Copy and Paste
Sensitive data may be stored, recoverable, or could be modified from the
clipboard in clear text, regardless of whether the source of the data was initially
encrypted.
Where appropriate, disable copy/paste for areas handling sensitive data.
Eliminating the option to copy can help avoid data exposure. On Android the
clipboard can be accessed by any application and so it is recommended that
appropriately configured Content Providers be used to transfer complex
sensitive data.
43. Prevent Framing and Clickjacking in WebViews
Framing involves delivering a Web/WAP site inside an iframe. This attack can
enable the “wrapper” site to execute a clickjacking attack. Clickjacking is a very
real threat that has been exploited on high-profile services (e.g., Facebook) to
steal information or redirect users to attacker-controlled sites.
The best way to prevent this practice is to not use WebViews.
44. Protect Against CSRF with Form Tokens
CSRF (Cross-site Request Forgery) relies on known or predictable form values
and a logged-in browser session.
Each form submission should contain a token which was loaded with the form
or at the beginning of a user session. Check this token on the server when
receiving POST requests to ensure the user originated it. This capability is
provided with major web platforms and can be implemented on forms with
minimal custom development.
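An added example of the server-side token check described above; it is not code from the original slides and stands in for what a web framework's built-in CSRF protection does. A 256-bit random token is issued once per session and embedded in every form, and the POST handler compares the submitted value in constant time with MessageDigest.isEqual so a timing side channel cannot narrow down the token. The session ids in main are constructed for the demo; a real server keeps the map in its session store.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Added example: per-session CSRF token issued with the form and checked on POST. */
public final class CsrfTokens {
    private static final SecureRandom RNG = new SecureRandom();
    // session id -> token; in a real server this lives in the session store
    private final Map<String, String> tokensBySession = new HashMap<>();

    /** Issue (or reuse) the session's token; embed it as a hidden field in every form. */
    public String tokenFor(String sessionId) {
        return tokensBySession.computeIfAbsent(sessionId, id -> {
            byte[] raw = new byte[32];            // 256 bits of unpredictability
            RNG.nextBytes(raw);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        });
    }

    /** Server-side check for a POST: the token must exist for this session and match. */
    public boolean isValidSubmission(String sessionId, String submittedToken) {
        String expected = tokensBySession.get(sessionId);
        if (expected == null || submittedToken == null) return false;
        // Constant-time comparison; String.equals would leak the matching prefix length
        return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            submittedToken.getBytes(StandardCharsets.UTF_8));
    }

    /** Call when the session ends so a captured token cannot be replayed later. */
    public void invalidate(String sessionId) {
        tokensBySession.remove(sessionId);
    }

    public static void main(String[] args) {
        CsrfTokens csrf = new CsrfTokens();
        String session = "sess-123";                       // constructed session id
        String token = csrf.tokenFor(session);
        System.out.println("legit post accepted: " + csrf.isValidSubmission(session, token));
        System.out.println("forged post accepted: " + csrf.isValidSubmission(session, "guess"));
        System.out.println("token reused across sessions: "
            + csrf.isValidSubmission("sess-999", token));
        csrf.invalidate(session);
        System.out.println("post after logout accepted: "
            + csrf.isValidSubmission(session, token));
    }
}
```

The token must travel in the form body or a custom header, never only in a cookie, because the browser attaches cookies to a forged request automatically; that is exactly what the check relies on the attacker not being able to do.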
45. Implement File Permissions Carefully
World-readable files can act as a vector for your program to leak sensitive
information. World-writable files may expose your app by letting an attacker
influence its behavior by overwriting data that your app reads from storage.
Examples include settings files and stored login information.
Do not create files with the MODE_WORLD_READABLE or
MODE_WORLD_WRITEABLE permissions if at all possible. Do not use modes such
as 0666, 0777 and 0664 with the chmod binary or syscalls.
46. Check Activities
An Activity can be invoked by any application if it is exported and enabled. This
could allow an attacker to load UI elements in a way the developer may not
intend, such as jumping past a password lock screen to access data or
functionality. By default Activities are not exported, however, if you define an
Intent filter for an Activity it will be exported by the system.
Set every component that does not have to be exposed to
android:exported="false" in the Manifest. Data received by public components
cannot be trusted and must be scrutinized. Avoid intent filters on Activities if
they are private; use explicit intents instead.
47. Use Broadcasts Carefully
If no permission is set when sending a broadcast Intent, then any unprivileged
app can receive the Intent unless it has an explicit destination.
Use permissions to protect Intents in your application. Keep in mind that when
sending information via a broadcast Intent to a third party component, that
component could have been replaced by a malicious install.
48. Protect Application Services
Services are typically used for background processing. Like BroadcastReceivers
and application activities, application services can be invoked by external
applications and so should be protected by permissions and export flags.
A service may have more than one method which can be invoked from an
external caller. It is possible to define arbitrary permissions for each method
and check if the calling package has the corresponding permission by using
checkPermission(). Alternatively, one could define separate services and secure
access through the use of permissions defined in the AndroidManifest.
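An added Android example of the first option above (one service, a different permission per method); it is not code from the original slides and needs the Android SDK to build. The usual way to expose methods across processes is an AIDL-generated Stub; here the Binder's onTransact is written by hand so the whole thing fits in one file, and each transaction checks the calling package's permission with checkCallingPermission() before doing any work. The interface descriptor, transaction codes and the two permission names are hypothetical and assumed to be declared with <permission> in the app's AndroidManifest.

```java
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;

/** Added example: per-method permission checks inside a bound Service. */
public class AccountService extends Service {
    // Hypothetical interface descriptor and transaction codes (an AIDL Stub would generate these)
    static final String DESCRIPTOR = "com.example.app.IAccountService";
    static final int TX_GET_MASKED_ACCOUNT = IBinder.FIRST_CALL_TRANSACTION;
    static final int TX_UPDATE_ALIAS = IBinder.FIRST_CALL_TRANSACTION + 1;
    // Hypothetical permissions, assumed to be declared in this app's AndroidManifest
    static final String PERM_READ = "com.example.app.permission.READ_ACCOUNT";
    static final String PERM_WRITE = "com.example.app.permission.WRITE_ACCOUNT";

    private final Binder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            switch (code) {
                case TX_GET_MASKED_ACCOUNT: {
                    data.enforceInterface(DESCRIPTOR);
                    requireCallerPermission(PERM_READ);       // read-only method
                    reply.writeNoException();
                    reply.writeString("*9881");               // only the partial number leaves
                    return true;
                }
                case TX_UPDATE_ALIAS: {
                    data.enforceInterface(DESCRIPTOR);
                    requireCallerPermission(PERM_WRITE);      // mutating method, stronger permission
                    String alias = data.readString();
                    if (alias == null || alias.isEmpty() || alias.length() > 64) {
                        throw new IllegalArgumentException("bad alias"); // input from outside
                    }
                    // ... persist the validated alias ...
                    reply.writeNoException();
                    return true;
                }
                default:
                    return super.onTransact(code, data, reply, flags);
            }
        }
    };

    /** Rejects the call unless the calling package holds the permission. */
    private void requireCallerPermission(String permission) {
        // checkCallingPermission() looks at the remote caller, not at this process, and is
        // only meaningful while an incoming Binder transaction is being handled.
        if (checkCallingPermission(permission) != PackageManager.PERMISSION_GRANTED) {
            throw new SecurityException("uid " + Binder.getCallingUid()
                + " lacks " + permission);
        }
    }

    @Override
    public IBinder onBind(Intent intent) { return binder; }
}
```

Declare the permissions with a protectionLevel that matches the risk (signature for methods only your own apps should reach), and still set android:exported and android:permission on the <service> element so a caller without any permission never reaches onTransact at all.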
49. Avoid Intent Sniffing
When an activity is initiated by another application using a broadcast intent, the
data passed in the intent can be read by a malicious app. The malicious app can
also read a list of recent intents for an application. For example, if an app
invokes the Android web browser and passes it a URL, an attacker could sniff
that URL.
50. Implement Content Providers Carefully
Content providers allow apps to share data using a URI-addressing scheme and
relational database model. They can also be used to access files via the URI
scheme.
Content providers can declare permissions and separate read and write
access. Do not give a content provider write access unless it's absolutely
necessary. Make sure to set permissions so that unprivileged apps cannot read
the ContentProvider instance unless required. Sanitize the SQL queries, file
paths, etc. that you receive from outside. Limit access to the minimum required
for operation.
51. Follow WebView Best Practices (if you must)
WebViews can introduce a number of security concerns and should be
implemented carefully. In particular, a number of exploitable vulnerabilities
arising from the use of the addJavascriptInterface API have been discovered.
Disable JavaScript and plugin support if they are not needed. Disallow the
loading of content from third-party hosts. This can be difficult to achieve from
within the app. However, a developer can override shouldOverrideUrlLoading
and shouldInterceptRequest to intercept, inspect, and validate most requests
initiated from within a WebView. See GIST for a snippet of code that includes
some WebView security best practices.
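An added Android example of the lockdown described above; it is not the GIST the slide refers to and is not code from the original slides. It turns JavaScript, plugins and file/content URL access off, disables the WebView cache and password saving, and installs a WebViewClient whose shouldOverrideUrlLoading cancels navigations and whose shouldInterceptRequest serves an empty response for any sub-resource outside an HTTPS allow list. The host app.example.com is constructed for the example; the String-based overrides used here are the ones the slide names (the WebResourceRequest overloads added in API 21/24 can be overridden the same way).

```java
import android.net.Uri;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Added example: lock a WebView down to one HTTPS host with JavaScript off. */
public final class LockedDownWebView {
    // Hosts the WebView may load; constructed for the example
    private static final Set<String> ALLOWED_HOSTS =
        new HashSet<>(Arrays.asList("app.example.com"));

    public static void configure(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);            // no JS (and so no addJavascriptInterface surface)
        s.setPluginState(WebSettings.PluginState.OFF);
        s.setAllowFileAccess(false);              // keep file:// out of the WebView
        s.setAllowContentAccess(false);           // and content:// providers too
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setSavePassword(false);                 // ties in with "Avoid Caching App Data"
        s.setCacheMode(WebSettings.LOAD_NO_CACHE);
        webView.setWebViewClient(new RestrictingClient());
    }

    /** Only HTTPS URLs on an allow-listed host pass; malformed URLs fail closed. */
    static boolean isAllowed(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        return "https".equals(uri.getScheme()) && ALLOWED_HOSTS.contains(uri.getHost());
    }

    /** Blocks navigations and sub-resource loads to anything outside the allow list. */
    static final class RestrictingClient extends WebViewClient {
        @Override
        public boolean shouldOverrideUrlLoading(WebView view, String url) {
            // Returning true cancels the navigation; the app can show its own error page
            return !isAllowed(url);
        }

        @Override
        public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
            if (isAllowed(url)) return null;      // null lets the WebView fetch it normally
            // Serve an empty body instead of the third-party resource
            return new WebResourceResponse("text/plain", "utf-8",
                new ByteArrayInputStream(new byte[0]));
        }
    }
}
```

Call configure() before the first loadUrl(), and keep the allow list to the exact hosts the screen needs; a bare-domain match would let any subdomain through.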
52. Avoid Storing Cached Camera Images
Remote-check-deposit apps allow a person to take a picture of a check with
their mobile phone's camera and then send the image to their financial
institution for deposit into their account.
Many of these apps will retain the check image (or part of it) in the mobile
device's NAND memory even after it is deleted. Do not transmit a check image
via non-volatile storage on the device, where check image artifacts may be
left behind. Instead, work with the in-memory bytes delivered to
Camera.PictureCallback.onPictureTaken(byte[] bytes, Camera camera).
53. Avoid GUI Objects Caching
Android retains application screens in memory, and multitasking can result in
the retention of an entire application in memory. This allows an attacker that
finds or steals a device to navigate directly to retained screens.
Quit the app entirely when the user logs out. Any time an activity is initiated or a
screen is accessed, execute a check to determine whether the user is in a
logged-in state. If the user is not logged in, present the log-in screen. Nullify the
data on a GUI screen before leaving the screen or logging out.
54. Sign Android APKs
APKs should be signed correctly with a non-expired certificate.
Sign a production app with a production certificate, not a debug certificate.
Make sure the certificate includes a sufficient validity period (i.e., won't expire
during the expected lifespan of the app). Google recommends that your
certificate use at least 2048-bit encryption. Make sure the keystore containing
the signing key is properly protected. Restrict access to the keystore to only
those people that absolutely require it.