Mobile Application Security
Subho Halder
CoFounder & CTO Appknox
Appfest Edition
5
About Me
Co-Founder and CTO at Appknox, a
mobile security company that helps
developers and companies to build
secure mobile application. I have
presented many talks and
conducted workshops at
conferences like BlackHat, Defcon,
ToorCon, SysCan, ClubHack, NullCon,
OWASP AppSec, RSA Conference.
Subho Halder / CoFounder & CTO
 Securing Mobile Apps
Mobile Security Talk
Introduction
Why Mobile Security is Important ?
History of Mobile Hacks
Hackers vs Developers
Securing your Mobile Application
Top 10 Mobile Security Risks
Top 3 Mobile App Hacks in India !
Interactive Myths of Security
Android vs iOS
Questions? Contact Me :)
2
Securing Mobile Applications - Subho HalderAppfest 3
Introduction
 The Great Mobile Security Debate
!
"
#
x
$

ă
Ć
&
ą
r
5
8
1
ü
Ĉ
É
'
Ġ
Ä
c
h
l
[
j
Å
a
ä
n
‚
Z
:
è
s
o
@
û
ĥ
p
ö
y
Ç
9
é
e
W
e
B
ù
éë
0
01
Fragmented Applications
Multiple Applications for Multiple
Platform and Multiple Architectures
makes it difficult for App Developers
to keep-up with security concerns
03
Personal & Social Information
Mobile Devices holds your personal
and social information, and
applications has access to these
information
02
Fragmented Platforms
With multiple platforms and multiple
versions of Mobile Operating
System, the OEM faces challenges to
keep Security up-to-date
04
Businesses & Enterprise Data
With mobile getting adopted at
workplaces, sensitive information
are now accessible to applications
 While these devices offer us increased internet connectivity and day-to-day convenience,
they also carry considerable security risks
Why mobile Security is Important ?
Securing Mobile Applications - Subho HalderAppfest 5
Why Mobile Security Is Important ?
 More data could be more danger with mobile devices
ì
ì
ì
ì
ì
ì
Data Breaches
With more data accessible to applications, security becomes
more paramount.
Mobile Malwares
Gone are the days of computer malware, mobile malware are
now growing more sophisticated with access to more data
Businesses worry about smartphone risks
While the threat is universal, being protected doesn’t have to be
difficult. If anything, it is becoming increasingly important.
Cyberattacks on mobiles increasing
Cyberattacks on mobile devices, especially smartphones, have
become all too common. And over the last year alone, we’ve
seen cybercriminals deploy all sorts of effective strategies.
Privacy Leakages
Privacy has also been called into question, as so many of these
mobile apps collect huge quantities of data and store them.
Securing Mobile Applications - Subho HalderAppfest 6
Hackers vs Developers
 Fighting the good fight
Developers are one who creates a system
and wants the system to run as expected
Developers almost always doesn’t think
about attacking the app & wants to exploit
the app or the data
Developers are busy creating new features
and functionalities, often neglecting
security
Hackers are one who doesn’t
play by your rules
Hackers need only one opening,
one weakness.
Hackers almost always wins :)
They don’t care about functionalities, but
are looking for that one bug
HACKERS ARE NECESSARY
AND NOT EVIL :)
hackers and developers
represent duality
 The goal of this is to raise awareness about application security by
identifying some of the most critical risks facing organizations.
Securing Your Mobile Apps
Securing Mobile Applications - Subho HalderAppfest 8
Top 10 Mobile Security List
 The goal of this is to raise awareness about application security by identifying some of the most critical risks facing organizations.
Poor Authorization and Authentication
Poor or missing authentication schemes allow an adversary to anonymously execute functionality
within the mobile app or backend server used by the mobile app.
ç
Unintended Data Leakage
Unintended data leakage occurs when a developer inadvertently places sensitive information or
data in a location on the mobile device that is easily accessible by other apps on the device.
‚
Insufficient Transport Layer Protection
If the application is coded poorly, threat agents can use techniques to view this sensitive data.
Unfortunately, mobile applications frequently do not protect network traffic
0
Insecure Data Storage
Many developers assume that storing data on client-side will restrict other users from having
access to this data.
:
Weak Server Side Controls
Most security experts might argue that server-side security falls outside of the area of mobile
application security threats. Till last year, it was the second most important mobile security threat.
Z
05
04
03
02
80%
43%
01
64%
72%
19%
Source: https://blog.appknox.com/category/owasp-top-10-mobile/
Securing Mobile Applications - Subho HalderAppfest 9
Top 10 Mobile Security List
 The goal of this is to raise awareness about application security by identifying some of the most critical risks facing organizations.
06
07
 08
09
 10

Client side injection results in the execution of
malicious code on the client side which is the
mobile device, via the mobile app.
Client Side Injection
As the name suggests, this issue is because session
tokens are not handled in the best way.
Improper Session Handling
Broken Cryptography or insecure usage of
cryptography is mostly common in mobile apps
that leverage encryption.
Broken Cryptography
Developers generally use hidden fields and values
or any hidden functionality to distinguish higher
level users from lower level users.
Security Decisions Via Untrusted Inputs
A lack of binary protections within a mobile app
exposes the application and it’s owner to a large
variety of technical and business risks if the
underlying application is insecure or exposes
sensitive intellectual property.
Lack of Binary Protections
 Can you name the three which you have heard of ?
Top 3 Mobile App Hacks in India
Securing Mobile Applications - Subho HalderAppfest 11
Top 3 Business with Mobile Apps Hacks
 Always be Proactive towards Security
OLA Cabs
IMAGE PLACEHOLDER
10 Million User Details were
Stolen from gaana.com
IMAGE PLACEHOLDER
Zomato Hacked with 62.5
million users data on risk
Securing Mobile Applications - Subho HalderAppfest 12
4 Myths About Mobile Security
 “Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.” – Gartner
ĉ Ą
7 Ĉ
Public app stores are safe because they
have security filters
Data encryption is not required for mobile
devices
PCs are more secure than mobile phones
Two-factor authentication can be neglected
for mobile security
 Which is more Secured ?
Android vs iOS
Securing Mobile Applications - Subho HalderAppfest 14
Android vs iOS
 With the dominance of iOS and the rising popularity of Android devices in the mobile marketplace,
the security of these devices is a growing concern and focus for smartphone users.
IMAGE
0
25
50
75
100
Vulnerable Apps Malwares Device Vulnerability
Fragmentation
80
85
90
95
100
Vulnerable Apps Malwares Device Vulnerabilities
Fragmentation
Despite iOS being traditionally regarded as the safest
platform, there are a number of reasons why that
assumption may be becoming outdated. Firstly,
occurrences of ransomware, malware, rotten apps on
the iTunes store, and social engineering have been
coming into the news far more often in recent times.
The iOS Device Google’s Android platform has become a larger target
for mobile malware writers than Apple iOS. This could
be a result of Android’s popularity—with more than
1 million activations per day, Android smartphones
command a 59% market share worldwide.
The Android Device
Securing Mobile Applications - Subho HalderAppfest 15
Devknox
 A Developer Friendly Tool To Build Hackproof Apps
IMAGE PLACEHOLDER
Get your code checked for security flaws as you write it
ON EDIT ANNOTATIONS

Devknox understands the context of your code and
suggests one-click fixes
QUICK FIXES

Devknox takes care of security requirements and keeps it
up to date with global security standards
ALWAYS UP TO DATE

Devknox is supported on JetBrains IDE (private beta),
Android Studio (private beta)
MULTIPLE IDE SUPPORT

 Get your Free Beta Invite for Devknox
https://devknox.io

@sunnyrockzzs
sunny@appknox.com
devknox@appknox.com

Securing Mobile Apps - Appfest Version

  • 1.
    Mobile Application Security SubhoHalder CoFounder & CTO Appknox Appfest Edition 5
  • 2.
    About Me Co-Founder andCTO at Appknox, a mobile security company that helps developers and companies to build secure mobile application. I have presented many talks and conducted workshops at conferences like BlackHat, Defcon, ToorCon, SysCan, ClubHack, NullCon, OWASP AppSec, RSA Conference. Subho Halder / CoFounder & CTO  Securing Mobile Apps Mobile Security Talk Introduction Why Mobile Security is Important ? History of Mobile Hacks Hackers vs Developers Securing your Mobile Application Top 10 Mobile Security Risks Top 3 Mobile App Hacks in India ! Interactive Myths of Security Android vs iOS Questions? Contact Me :) 2
  • 3.
    Securing Mobile Applications- Subho HalderAppfest 3 Introduction  The Great Mobile Security Debate ! " # x $  ă Ć & ą r 5 8 1 ü Ĉ É ' Ġ Ä c h l [ j Å a ä n ‚ Z : è s o @ û ĥ p ö y Ç 9 é e W e B ù éë 0 01 Fragmented Applications Multiple Applications for Multiple Platform and Multiple Architectures makes it difficult for App Developers to keep-up with security concerns 03 Personal & Social Information Mobile Devices holds your personal and social information, and applications has access to these information 02 Fragmented Platforms With multiple platforms and multiple versions of Mobile Operating System, the OEM faces challenges to keep Security up-to-date 04 Businesses & Enterprise Data With mobile getting adopted at workplaces, sensitive information are now accessible to applications
  • 4.
     While thesedevices offer us increased internet connectivity and day-to-day convenience, they also carry considerable security risks Why mobile Security is Important ?
  • 5.
    Securing Mobile Applications- Subho HalderAppfest 5 Why Mobile Security Is Important ?  More data could be more danger with mobile devices ì ì ì ì ì ì Data Breaches With more data accessible to applications, security becomes more paramount. Mobile Malwares Gone are the days of computer malware, mobile malware are now growing more sophisticated with access to more data Businesses worry about smartphone risks While the threat is universal, being protected doesn’t have to be difficult. If anything, it is becoming increasingly important. Cyberattacks on mobiles increasing Cyberattacks on mobile devices, especially smartphones, have become all too common. And over the last year alone, we’ve seen cybercriminals deploy all sorts of effective strategies. Privacy Leakages Privacy has also been called into question, as so many of these mobile apps collect huge quantities of data and store them.
  • 6.
    Securing Mobile Applications- Subho HalderAppfest 6 Hackers vs Developers  Fighting the good fight Developers are one who creates a system and wants the system to run as expected Developers almost always doesn’t think about attacking the app & wants to exploit the app or the data Developers are busy creating new features and functionalities, often neglecting security Hackers are one who doesn’t play by your rules Hackers need only one opening, one weakness. Hackers almost always wins :) They don’t care about functionalities, but are looking for that one bug HACKERS ARE NECESSARY AND NOT EVIL :) hackers and developers represent duality
  • 7.
     The goalof this is to raise awareness about application security by identifying some of the most critical risks facing organizations. Securing Your Mobile Apps
  • 8.
    Securing Mobile Applications- Subho HalderAppfest 8 Top 10 Mobile Security List  The goal of this is to raise awareness about application security by identifying some of the most critical risks facing organizations. Poor Authorization and Authentication Poor or missing authentication schemes allow an adversary to anonymously execute functionality within the mobile app or backend server used by the mobile app. ç Unintended Data Leakage Unintended data leakage occurs when a developer inadvertently places sensitive information or data in a location on the mobile device that is easily accessible by other apps on the device. ‚ Insufficient Transport Layer Protection If the application is coded poorly, threat agents can use techniques to view this sensitive data. Unfortunately, mobile applications frequently do not protect network traffic 0 Insecure Data Storage Many developers assume that storing data on client-side will restrict other users from having access to this data. : Weak Server Side Controls Most security experts might argue that server-side security falls outside of the area of mobile application security threats. Till last year, it was the second most important mobile security threat. Z 05 04 03 02 80% 43% 01 64% 72% 19% Source: https://blog.appknox.com/category/owasp-top-10-mobile/
  • 9.
    Securing Mobile Applications- Subho HalderAppfest 9 Top 10 Mobile Security List  The goal of this is to raise awareness about application security by identifying some of the most critical risks facing organizations. 06 07  08 09  10  Client side injection results in the execution of malicious code on the client side which is the mobile device, via the mobile app. Client Side Injection As the name suggests, this issue is because session tokens are not handled in the best way. Improper Session Handling Broken Cryptography or insecure usage of cryptography is mostly common in mobile apps that leverage encryption. Broken Cryptography Developers generally use hidden fields and values or any hidden functionality to distinguish higher level users from lower level users. Security Decisions Via Untrusted Inputs A lack of binary protections within a mobile app exposes the application and it’s owner to a large variety of technical and business risks if the underlying application is insecure or exposes sensitive intellectual property. Lack of Binary Protections
  • 10.
     Can youname the three which you have heard of ? Top 3 Mobile App Hacks in India
  • 11.
    Securing Mobile Applications- Subho HalderAppfest 11 Top 3 Business with Mobile Apps Hacks  Always be Proactive towards Security OLA Cabs IMAGE PLACEHOLDER 10 Million User Details were Stolen from gaana.com IMAGE PLACEHOLDER Zomato Hacked with 62.5 million users data on risk
  • 12.
    Securing Mobile Applications- Subho HalderAppfest 12 4 Myths About Mobile Security  “Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.” – Gartner ĉ Ą 7 Ĉ Public app stores are safe because they have security filters Data encryption is not required for mobile devices PCs are more secure than mobile phones Two-factor authentication can be neglected for mobile security
  • 13.
     Which ismore Secured ? Android vs iOS
  • 14.
    Securing Mobile Applications- Subho HalderAppfest 14 Android vs iOS  With the dominance of iOS and the rising popularity of Android devices in the mobile marketplace, the security of these devices is a growing concern and focus for smartphone users. IMAGE 0 25 50 75 100 Vulnerable Apps Malwares Device Vulnerability Fragmentation 80 85 90 95 100 Vulnerable Apps Malwares Device Vulnerabilities Fragmentation Despite iOS being traditionally regarded as the safest platform, there are a number of reasons why that assumption may be becoming outdated. Firstly, occurrences of ransomware, malware, rotten apps on the iTunes store, and social engineering have been coming into the news far more often in recent times. The iOS Device Google’s Android platform has become a larger target for mobile malware writers than Apple iOS. This could be a result of Android’s popularity—with more than 1 million activations per day, Android smartphones command a 59% market share worldwide. The Android Device
  • 15.
    Securing Mobile Applications- Subho HalderAppfest 15 Devknox  A Developer Friendly Tool To Build Hackproof Apps IMAGE PLACEHOLDER Get your code checked for security flaws as you write it ON EDIT ANNOTATIONS  Devknox understands the context of your code and suggests one-click fixes QUICK FIXES  Devknox takes care of security requirements and keeps it up to date with global security standards ALWAYS UP TO DATE  Devknox is supported on JetBrains IDE (private beta), Android Studio (private beta) MULTIPLE IDE SUPPORT 
  • 16.
     Get yourFree Beta Invite for Devknox
  • 17.
  • 18.