SECURITY AS A TOP OF MIND ISSUE FOR MOBILE APPLICATION DEVELOPMENT
NOVEMBER 2017
AGENDA
▪ INTRODUCTION
▪ MOST COMMON MOBILE APPS SECURITY
VULNERABILITIES
▪ TIPS FOR IMPROVING SECURITY IN MOBILE APPS
▪ Q&A
SMARTPHONES EVERYWHERE
THERE'S AN APP FOR EVERYTHING
SMARTPHONE ≈ YOUR PC
Chart: number of new mobile vulnerabilities (source below)
https://www.statista.com/statistics/224131/number-of-new-mobile-vulnerabilities/
CYBERSECURITY PROBLEMS ARE EVERYWHERE
HOW BAD IS IT?
Nissan LEAF
https://www.troyhunt.com/controlling-vehicle-features-of-nissan/
HOW BAD IS IT?
https://www.troyhunt.com/controlling-vehicle-features-of-nissan/
HOW BAD IS IT?
The Intel Management Engine (ME)
https://arstechnica.com/information-technology/2017/11/intel-warns-of-widespread-vulnerability-in-pc-server-device-firmware/
ME’s connection architecture showing communication between network and host OS
HOW BAD IS IT?
https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668
“Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) microchip with a set of built-in peripherals. The PCH carries almost all communication between the processor and external devices; therefore Intel ME has access to almost all data on the computer, and the ability to execute third-party code allows compromising the platform completely.”
“If builders built houses the way programmers build programs, the first woodpecker to come along would destroy civilization.”
— Weinberg's Second Law
EVERY PROGRAM IS A POTENTIAL TARGET
▪ LEGAL RESPONSIBILITY
▪ FINANCIAL DAMAGE
▪ REPUTATION RISKS
LEGAL RESPONSIBILITY
GDPR
(General Data Protection Regulation, Regulation (EU) 2016/679)
“Data protection by Design and by Default”
“Article 25. Data protection by Design and by Default requires that data protection is designed into the development of business processes for products and services.”
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
LEGAL RESPONSIBILITY
Law No. 133 of 08.07.2011
on the protection of personal data
“Article 30. Security of the processing of personal data”
"When processing personal data, the controller is obliged to take the organisational and technical measures necessary to protect personal data against destruction, modification, blocking, copying and dissemination, as well as against other unlawful actions, measures intended to ensure a level of security adequate to the risks presented by the processing and the nature of the data processed."
http://lex.justice.md/viewdoc.php?action=view&view=doc&id=340495&lang=1
IT WORKS != IT’S SECURE
WHERE ARE THE ANSWERS?
“The answers you seek are within you.”
LITERALLY
BIOMIMICRY
THE IMMUNE SYSTEM
THE LESSONS OF NATURE
#1 SECURITY IS NOT AN OPTION, IT'S A NECESSITY
THE LESSONS OF NATURE
#2 SECURITY IS A SYSTEM, NOT A SET OF METHODS
THE IMMUNE SYSTEM
THE LESSONS OF NATURE
#3 WE LIVE IN A CONSTANTLY CHANGING WORLD, WE NEED TO REACT FAST AND ADAPT TO CHANGE
https://imgur.com/gallery/Hutlc
THE LESSONS OF NATURE
#4 SECURITY ≈ RISK MANAGEMENT
MOST COMMON MOBILE APPS SECURITY VULNERABILITIES
1. Improper Platform Usage
2. Insecure Data Storage
3. Insecure Communication
4. Insecure Authentication
5. Insufficient Cryptography
6. Insecure Authorization
7. Client Code Quality
8. Code Tampering
9. Reverse Engineering
10. Extraneous Functionality
Top 10 Mobile Risks - Final List 2016
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
TIPS FOR IMPROVING SECURITY IN MOBILE APPS
Improper Platform Usage
misuse of a platform feature or failure to use platform security controls
(Android intents, platform permissions, misuse of TouchID, the Keychain, or any other security control that is part of the mobile operating system)
• SharedPreferences + MODE_PRIVATE
• Explicit intents
• Manifest android:exported="false"
• file.getCanonicalPath() - YES, file.getAbsolutePath() - NO: only the canonical path resolves symlinks, so a planted link (ln -s filename maliciousfilename) is caught
• webView.getSettings().setAllowFileAccess(false)
• store session tokens, passwords, cryptography secrets in Keychain
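The getCanonicalPath() tip above, worked as an added example (not code from the slides): an untrusted file name is resolved inside the app's private directory and rejected when its canonical location lies outside it. The class name, the temp directory, the file names and the symlink are all constructed for the demo; on Android the base directory would be context.getFilesDir().

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Resolves an untrusted file name inside the app's private directory and rejects
// anything whose *canonical* location lies outside it. Runs on a desktop JVM so the
// behaviour can be observed; on Android, pass context.getFilesDir() as baseDir.
public final class SafeFileResolver {

    private final File baseDir;

    public SafeFileResolver(File baseDir) throws IOException {
        // Canonicalise the base as well (macOS maps /var/... to /private/var/..., etc.)
        this.baseDir = baseDir.getCanonicalFile();
    }

    /** Returns the real file for 'name', or throws SecurityException if it escapes baseDir. */
    public File resolve(String name) throws IOException {
        // getCanonicalPath() follows ".." AND symlinks; getAbsolutePath() does neither,
        // so a planted link ("ln -s /etc/hosts maliciousfilename") would look local to it.
        File candidate = new File(baseDir, name).getCanonicalFile();
        if (!isInside(candidate)) {
            throw new SecurityException("path escapes app directory: " + name);
        }
        return candidate;
    }

    private boolean isInside(File candidate) {
        String base = baseDir.getPath();
        String path = candidate.getPath();
        // Append the separator so "/data/app" does not accept "/data/app-evil/x".
        return path.equals(base) || path.startsWith(base + File.separator);
    }

    // Stand-alone demo with a constructed directory and a constructed symlink.
    public static void main(String[] args) throws IOException {
        File appDir = Files.createTempDirectory("safe-files-demo").toFile();
        SafeFileResolver resolver = new SafeFileResolver(appDir);

        System.out.println("accepted: " + resolver.resolve("notes.txt"));

        try {
            resolver.resolve("../../etc/hosts");          // classic ".." traversal
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // The slide's "ln -s filename maliciousfilename" case: a link *inside* the app
        // directory pointing *outside* it (target chosen because it exists on Unix-like systems).
        Path link = appDir.toPath().resolve("maliciousfilename");
        Files.createSymbolicLink(link, Paths.get("/etc/hosts"));

        String absolute = new File(appDir, "maliciousfilename").getAbsolutePath();
        System.out.println("getAbsolutePath() reports: " + absolute + " (looks local)");
        try {
            resolver.resolve("maliciousfilename");        // canonical path is /etc/hosts
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```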
TIPS FOR IMPROVING SECURITY IN MOBILE APPS
There comes a time in most men’s lives where they feel the need to raise the Black Flag.
TIPS FOR IMPROVING SECURITY IN MOBILE APPS
Markdown editor (PlayStore Top 20)
TIPS FOR IMPROVING SECURITY IN MOBILE APPS
Insecure Data Storage
insecure data storage and unintended data leakage
• Secure-preferences
• Secure cache
• Secure DB (SQLCipher, Encrypted Core Data, Realm+encryptionKey)
• ! URL caching (both request and response)
• ! Logging
• ! Analytics data sent to 3rd parties
TIPS FOR IMPROVING SECURITY IN MOBILE APPS
Insecure Communication
(poor handshaking, incorrect SSL versions, weak negotiation, cleartext communication of sensitive assets, etc.)
TIPS FOR IMPROVING SECURITY IN MOBILE APPS
• SSL Pinning (TrustKit, OkHttp+CertificatePinner, and alert users through the UI if the mobile app detects an invalid certificate)
• DNS Cache Poisoning Attacks
• Use strong, industry standard cipher suites with appropriate key lengths.
• Use certificates signed by a trusted CA provider.
OkHttp: https://github.com/square/okhttp/wiki/HTTPS
Alamofire: https://github.com/Alamofire/Alamofire#security
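The OkHttp+CertificatePinner tip with a UI alert on failure, as an added example that is not from the slides or from OkHttp's own documentation. API_HOST, both pin values and the UserAlert hook are placeholders/assumptions to replace with your own host, pins and UI code.

```java
import java.io.IOException;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

// HTTPS client that pins the API host's public keys and surfaces a pin failure to the
// UI instead of silently retrying or falling back to an unpinned connection.
public final class PinnedApiClient {

    // PLACEHOLDERS: replace with your host and the base64 SHA-256 hashes of the
    // SubjectPublicKeyInfo of the certificates you trust (see the OkHttp HTTPS wiki
    // page linked above for how to obtain them).
    static final String API_HOST    = "api.example.com";
    static final String PIN_CURRENT = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    static final String PIN_BACKUP  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    /** Result the UI layer can act on without depending on OkHttp types. */
    public enum Outcome { OK, PINNING_FAILED, NETWORK_ERROR }

    /** Hypothetical hook for showing a message in the app's UI. */
    public interface UserAlert { void show(String message); }

    private final OkHttpClient client;

    public PinnedApiClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                // Pin at least two keys (current + backup) so a routine certificate
                // rotation does not lock every installed copy of the app out.
                .add(API_HOST, PIN_CURRENT, PIN_BACKUP)
                .build();
        client = new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    // Call from a background thread on Android (network I/O on the main thread is forbidden).
    // Pins only apply to HTTPS URLs; cleartext URLs bypass them entirely.
    public Outcome get(String url, UserAlert alert) {
        Request request = new Request.Builder().url(url).build();
        try (Response response = client.newCall(request).execute()) {
            return response.isSuccessful() ? Outcome.OK : Outcome.NETWORK_ERROR;
        } catch (SSLPeerUnverifiedException e) {
            // Thrown by CertificatePinner when no presented certificate matches a pin:
            // either interception or a rotation the app does not know about.
            // Fail closed and tell the user; never downgrade to an unpinned client here.
            alert.show("The server's certificate could not be verified. "
                     + "Update the app or try a different network.");
            return Outcome.PINNING_FAILED;
        } catch (IOException e) {
            return Outcome.NETWORK_ERROR;
        }
    }

    public static void main(String[] args) {
        // Against a real host, the placeholder pins make every connection fail pinning,
        // which is exactly what a mismatching certificate looks like to the app.
        Outcome outcome = new PinnedApiClient().get(
                "https://" + API_HOST + "/v1/health",
                msg -> System.out.println("UI alert: " + msg));
        System.out.println("outcome: " + outcome);
    }
}
```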
TIPS FOR IMPROVING SECURITY IN MOBILE APPS
Insecure Authentication
failures in authenticating the end user or bad session management
• Failing to identify the user at all when that should be required
• Failure to maintain the user's identity when it is required
• Weaknesses in session management
TIPS FOR IMPROVING SECURITY IN MOBILE APPS
• If client-side storage of data is required, the data will need to be encrypted using an encryption key that is securely derived from the user’s login credentials.
• Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user’s password on the device.
• Mobile applications should utilize a device-specific authentication token that can be revoked within the mobile application by the user.
• Authenticating a user locally can lead to client-side bypass vulnerabilities.
TIPS FOR IMPROVING SECURITY IN MOBILE APPS
Insufficient Cryptography
where cryptography was attempted, but it wasn't done correctly
• Poor Key Management Processes
• Creation and Use of Custom Encryption Protocols
• Use of Insecure and/or Deprecated Algorithms
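An added example (not from the slides) that ties the Insecure Authentication bullets to the three cryptography points above: a key derived from the login password with PBKDF2 (standard KDF, no home-grown scheme), AES-GCM for the stored data, and explicit wiping of key material. Nothing persisted contains the password; the Remember Me device token would live separately in the platform keystore/Keychain. Class name, iteration count, payload and password are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Local data sealed under a key derived from the user's login credentials.
// Only salt, IV and ciphertext are ever written; the password and the key are not.
public final class CredentialSealedStore {

    private static final int SALT_BYTES = 16;
    private static final int IV_BYTES = 12;                 // GCM standard nonce size
    private static final int TAG_BITS = 128;
    private static final int KEY_BITS = 256;
    private static final int PBKDF2_ITERATIONS = 100_000;   // tune to ~100 ms on the target device
    private static final SecureRandom RNG = new SecureRandom();

    /** The only thing persisted (e.g. in a MODE_PRIVATE file): no password, no key. */
    public static final class Sealed {
        public final byte[] salt, iv, ciphertext;
        Sealed(byte[] salt, byte[] iv, byte[] ciphertext) {
            this.salt = salt; this.iv = iv; this.ciphertext = ciphertext;
        }
    }

    // PBKDF2-HMAC-SHA256: a standard, non-custom KDF (Android API 26+, Java 8+).
    static byte[] deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    public static Sealed seal(char[] password, byte[] plaintext) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv);                                  // fresh IV per encryption: reuse breaks GCM
        byte[] key = deriveKey(password, salt);
        try {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");   // authenticated: detects tampering
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"),
                        new GCMParameterSpec(TAG_BITS, iv));
            return new Sealed(salt, iv, cipher.doFinal(plaintext));
        } finally {
            Arrays.fill(key, (byte) 0);                     // poor key management = keys left in the heap
        }
    }

    /** Throws AEADBadTagException for a wrong password or a modified ciphertext. */
    public static byte[] open(char[] password, Sealed s) throws GeneralSecurityException {
        byte[] key = deriveKey(password, s.salt);
        try {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
                        new GCMParameterSpec(TAG_BITS, s.iv));
            return cipher.doFinal(s.ciphertext);
        } finally {
            Arrays.fill(key, (byte) 0);
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample: cached account data that must not be readable without the
        // password. The revocable Remember Me token is a separate, server-issued credential.
        char[] password = "correct horse battery staple".toCharArray();
        byte[] cached = "{\"user\":\"demo\",\"iban\":\"PLACEHOLDER\"}".getBytes(StandardCharsets.UTF_8);

        Sealed stored = seal(password, cached);
        System.out.println("stored bytes: " + stored.ciphertext.length + " (plaintext + 16-byte tag)");

        byte[] back = open(password, stored);
        System.out.println("round trip ok: " + Arrays.equals(cached, back));

        try {
            open("wrong password".toCharArray(), stored);
        } catch (AEADBadTagException e) {
            System.out.println("wrong password rejected (authentication tag mismatch)");
        }
        Arrays.fill(password, '\0');                        // wipe the password once the key is derived
    }
}
```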
TIPS FOR IMPROVING SECURITY IN MOBILE APPS
Insecure Authorization
(authorization decisions on the client side, forced browsing, etc.)
Distinct from authentication issues (e.g., device enrolment, user identification, etc.)
• Hidden Endpoints
• User Role or Permission Transmissions (the mobile app transmits the user's roles or permissions to a backend)
TIPS FOR IMPROVING SECURITY IN MOBILE APPS
Client Code Quality
security decisions via untrusted inputs
(catch-all for code-level implementation problems in the mobile client: buffer overflows, format string vulnerabilities, and various other code-level mistakes where the solution is to rewrite some code that's running on the mobile device)
TIPS FOR IMPROVING SECURITY IN MOBILE APPS
Code Tampering
(binary patching, local resource modification, method hooking, method swizzling, and dynamic memory modification)
• Android Root Detection (rootbeer)
• iOS Jailbreak Detection
TIPS FOR IMPROVING SECURITY IN MOBILE APPS
TRIADA
TIPS FOR IMPROVING SECURITY IN MOBILE APPS
Reverse Engineering
(analysis of the final core binary to determine its source code, libraries, algorithms, and other assets)
A good obfuscator will have the following abilities:
• Narrow down what methods / code segments to obfuscate;
• Tune the degree of obfuscation to balance performance impact;
• Withstand de-obfuscation from tools like IDA Pro and Hopper;
• Obfuscate string tables as well as methods.
JADX
HOPPER
TIPS FOR IMPROVING SECURITY IN MOBILE APPS
Extraneous Functionality
hidden backdoor functionality or other internal development security controls that are not intended to be released into a production environment
(accidentally included password as a comment in a hybrid app, disabling of 2-factor authentication during testing)
• Debug flag in configuration file
• Administrative endpoint exposed
• The backend description is written to the logs
ADDITIONAL READING
Ephemeral keys
https://github.com/cossacklabs/mobile-websocket-example
Zero Knowledge Protocols
https://hackernoon.com/eli5-zero-knowledge-proof-78a276db9eff
End-to-end Encryption
https://medium.com/@cossacklabs/eli5-end-to-end-encryption-ae46821db74f
Q & A

More Related Content

What's hot

DTS Solution - Penetration Testing Services v1.0
DTS Solution - Penetration Testing Services v1.0DTS Solution - Penetration Testing Services v1.0
DTS Solution - Penetration Testing Services v1.0Shah Sheikh
 
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...Positive Hack Days
 
Rise of the Hacking Machines
Rise of the Hacking MachinesRise of the Hacking Machines
Rise of the Hacking MachinesPriyanka Aash
 
Fighting Malware with Graph Analytics: An End-to-End Case Study
Fighting Malware with Graph Analytics: An End-to-End Case StudyFighting Malware with Graph Analytics: An End-to-End Case Study
Fighting Malware with Graph Analytics: An End-to-End Case StudyPriyanka Aash
 
Evolution of-ai-bots-for-real-time-adaptive-security
Evolution of-ai-bots-for-real-time-adaptive-securityEvolution of-ai-bots-for-real-time-adaptive-security
Evolution of-ai-bots-for-real-time-adaptive-securityDESMOND YUEN
 
Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Priyanka Aash
 
Cloud-Enabled: The Future of Endpoint Security
Cloud-Enabled: The Future of Endpoint SecurityCloud-Enabled: The Future of Endpoint Security
Cloud-Enabled: The Future of Endpoint SecurityCrowdStrike
 
SCADA hacking industrial-scale fun
SCADA hacking industrial-scale funSCADA hacking industrial-scale fun
SCADA hacking industrial-scale funJan Seidl
 
ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)Digital Bond
 
Secure Channels Presentation
Secure Channels PresentationSecure Channels Presentation
Secure Channels PresentationRichard Blech
 
Shah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
Shah Sheikh / ISACA UAE - Deep Dive on Evasive MalwareShah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
Shah Sheikh / ISACA UAE - Deep Dive on Evasive MalwareShah Sheikh
 
How to Respond to Industrial Intrusions
How to Respond to Industrial Intrusions  How to Respond to Industrial Intrusions
How to Respond to Industrial Intrusions Dragos, Inc.
 
Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013drewz lin
 
Making Threat Intelligence Actionable Final
Making Threat Intelligence Actionable FinalMaking Threat Intelligence Actionable Final
Making Threat Intelligence Actionable FinalPriyanka Aash
 
Bridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementBridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementPriyanka Aash
 
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaKazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaYogesh Ojha
 
Implementing An Automated Incident Response Architecture
Implementing An Automated Incident Response ArchitectureImplementing An Automated Incident Response Architecture
Implementing An Automated Incident Response ArchitecturePriyanka Aash
 

What's hot (20)

DTS Solution - Penetration Testing Services v1.0
DTS Solution - Penetration Testing Services v1.0DTS Solution - Penetration Testing Services v1.0
DTS Solution - Penetration Testing Services v1.0
 
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...
Exploiting Redundancy Properties of Malicious Infrastructure for Incident Det...
 
Splunk for Security
Splunk for SecuritySplunk for Security
Splunk for Security
 
Rise of the Hacking Machines
Rise of the Hacking MachinesRise of the Hacking Machines
Rise of the Hacking Machines
 
Fighting Malware with Graph Analytics: An End-to-End Case Study
Fighting Malware with Graph Analytics: An End-to-End Case StudyFighting Malware with Graph Analytics: An End-to-End Case Study
Fighting Malware with Graph Analytics: An End-to-End Case Study
 
Evolution of-ai-bots-for-real-time-adaptive-security
Evolution of-ai-bots-for-real-time-adaptive-securityEvolution of-ai-bots-for-real-time-adaptive-security
Evolution of-ai-bots-for-real-time-adaptive-security
 
Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”
 
Cloud-Enabled: The Future of Endpoint Security
Cloud-Enabled: The Future of Endpoint SecurityCloud-Enabled: The Future of Endpoint Security
Cloud-Enabled: The Future of Endpoint Security
 
SCADA hacking industrial-scale fun
SCADA hacking industrial-scale funSCADA hacking industrial-scale fun
SCADA hacking industrial-scale fun
 
ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)
 
Secure Channels Presentation
Secure Channels PresentationSecure Channels Presentation
Secure Channels Presentation
 
How to assign a CVE to yourself?
How to assign a CVE to yourself?How to assign a CVE to yourself?
How to assign a CVE to yourself?
 
Shah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
Shah Sheikh / ISACA UAE - Deep Dive on Evasive MalwareShah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
Shah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
 
How to Respond to Industrial Intrusions
How to Respond to Industrial Intrusions  How to Respond to Industrial Intrusions
How to Respond to Industrial Intrusions
 
Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013
 
Making Threat Intelligence Actionable Final
Making Threat Intelligence Actionable FinalMaking Threat Intelligence Actionable Final
Making Threat Intelligence Actionable Final
 
Bridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementBridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk Management
 
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaKazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
 
LASCON 2015
LASCON 2015LASCON 2015
LASCON 2015
 
Implementing An Automated Incident Response Architecture
Implementing An Automated Incident Response ArchitectureImplementing An Automated Incident Response Architecture
Implementing An Automated Incident Response Architecture
 

Similar to Security as a top of mind issue for mobile application development

SRE and Security: Natural Force Multipliers
SRE and Security: Natural Force MultipliersSRE and Security: Natural Force Multipliers
SRE and Security: Natural Force MultipliersCory Scott
 
GDPR Part 4: Better Together Quest & SonicWall
GDPR Part 4: Better Together Quest & SonicWallGDPR Part 4: Better Together Quest & SonicWall
GDPR Part 4: Better Together Quest & SonicWallAdrian Dumitrescu
 
Securing Your Mobile Applications
Securing Your Mobile ApplicationsSecuring Your Mobile Applications
Securing Your Mobile ApplicationsGreg Patton
 
Certes webinar securing the frictionless enterprise
Certes webinar   securing the frictionless enterpriseCertes webinar   securing the frictionless enterprise
Certes webinar securing the frictionless enterpriseJason Bloomberg
 
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)Solving the Asset Management Challenge for Cybersecurity (It’s About Time)
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)Enterprise Management Associates
 
Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectivePragati Rai
 
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...Emrah Alpa, CISSP CEH CCSK
 
Improving Mobile Authentication for Public Safety and First Responders
Improving Mobile Authentication for Public Safety and First RespondersImproving Mobile Authentication for Public Safety and First Responders
Improving Mobile Authentication for Public Safety and First RespondersPriyanka Aash
 
OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! Prathan Phongthiproek
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021lior mazor
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Cenzic
 
[Webinar] Why Security Certification is Crucial for IoT Success
[Webinar] Why Security Certification is Crucial for IoT Success[Webinar] Why Security Certification is Crucial for IoT Success
[Webinar] Why Security Certification is Crucial for IoT SuccessElectric Imp
 
Cyber_Security_CyberPact.pdf
Cyber_Security_CyberPact.pdfCyber_Security_CyberPact.pdf
Cyber_Security_CyberPact.pdfNaveenKumar470500
 
Securing Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These YearsSecuring Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These YearsAdrian Sanabria
 
Internet of Things (IOT) Cloud Security by Dr. Anton Ravindran
Internet of Things (IOT) Cloud Security by Dr. Anton Ravindran Internet of Things (IOT) Cloud Security by Dr. Anton Ravindran
Internet of Things (IOT) Cloud Security by Dr. Anton Ravindran GSTF
 
Big Data Security: Facing the challenge
Big Data Security: Facing the challengeBig Data Security: Facing the challenge
Big Data Security: Facing the challengeStratio
 
PROGRAMMING AND CYBER SECURITY
PROGRAMMING AND CYBER SECURITYPROGRAMMING AND CYBER SECURITY
PROGRAMMING AND CYBER SECURITYSylvain Martinez
 
Dawn of the Intelligence Age by Dr. Anton Ravindran
Dawn of the Intelligence Age by Dr. Anton RavindranDawn of the Intelligence Age by Dr. Anton Ravindran
Dawn of the Intelligence Age by Dr. Anton RavindranGSTF
 

Similar to Security as a top of mind issue for mobile application development (20)

Qark DefCon 23
Qark DefCon 23Qark DefCon 23
Qark DefCon 23
 
SRE and Security: Natural Force Multipliers
SRE and Security: Natural Force MultipliersSRE and Security: Natural Force Multipliers
SRE and Security: Natural Force Multipliers
 
GDPR Part 4: Better Together Quest & SonicWall
GDPR Part 4: Better Together Quest & SonicWallGDPR Part 4: Better Together Quest & SonicWall
GDPR Part 4: Better Together Quest & SonicWall
 
Securing Your Mobile Applications
Securing Your Mobile ApplicationsSecuring Your Mobile Applications
Securing Your Mobile Applications
 
Certes webinar securing the frictionless enterprise
Certes webinar   securing the frictionless enterpriseCertes webinar   securing the frictionless enterprise
Certes webinar securing the frictionless enterprise
 
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)Solving the Asset Management Challenge for Cybersecurity (It’s About Time)
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)
 
Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security Perspective
 
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
 
Improving Mobile Authentication for Public Safety and First Responders
Improving Mobile Authentication for Public Safety and First RespondersImproving Mobile Authentication for Public Safety and First Responders
Improving Mobile Authentication for Public Safety and First Responders
 
OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure!
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...
 
[Webinar] Why Security Certification is Crucial for IoT Success
[Webinar] Why Security Certification is Crucial for IoT Success[Webinar] Why Security Certification is Crucial for IoT Success
[Webinar] Why Security Certification is Crucial for IoT Success
 
Cyber_Security_CyberPact.pdf
Cyber_Security_CyberPact.pdfCyber_Security_CyberPact.pdf
Cyber_Security_CyberPact.pdf
 
Cyber_Security_CyberPact.pdf
Cyber_Security_CyberPact.pdfCyber_Security_CyberPact.pdf
Cyber_Security_CyberPact.pdf
 
Securing Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These YearsSecuring Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These Years
 
Internet of Things (IOT) Cloud Security by Dr. Anton Ravindran
Internet of Things (IOT) Cloud Security by Dr. Anton Ravindran Internet of Things (IOT) Cloud Security by Dr. Anton Ravindran
Internet of Things (IOT) Cloud Security by Dr. Anton Ravindran
 
Big Data Security: Facing the challenge
Big Data Security: Facing the challengeBig Data Security: Facing the challenge
Big Data Security: Facing the challenge
 
PROGRAMMING AND CYBER SECURITY
PROGRAMMING AND CYBER SECURITYPROGRAMMING AND CYBER SECURITY
PROGRAMMING AND CYBER SECURITY
 
Dawn of the Intelligence Age by Dr. Anton Ravindran
Dawn of the Intelligence Age by Dr. Anton RavindranDawn of the Intelligence Age by Dr. Anton Ravindran
Dawn of the Intelligence Age by Dr. Anton Ravindran
 

Recently uploaded

CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual serviceanilsa9823
 
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost LoverPowerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost LoverPsychicRuben LoveSpells
 
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
9892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x79892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x7Pooja Nehwal
 
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,Pooja Nehwal
 
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun serviceCALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun serviceanilsa9823
 
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRFULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRnishacall1
 

Recently uploaded (7)

CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
 
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost LoverPowerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
 
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
 
9892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x79892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x7
 
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
 
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun serviceCALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
 
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRFULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
 

Security as a top of mind issue for mobile application development

  • 1.
  • 2. 2SECURITY AS A TOP OF MIND ISSUE FOR MOBILE APPLICATION DEVELOPMENT NOVEMBER 2017
  • 3. 3 AGENDA ▪ INTRODUCTION ▪ MOST COMMON MOBILE APPS SECURITY VULNERABILITIES ▪ TIPS FOR IMPROVING SECURITY IN MOBILE APPS ▪ Q&A
  • 5. 5
  • 6. 6 THERE'S AN APP FOR EVERYTHING
  • 7. 7 SMARTPHONE ≈ YOUR PC WORKING WITH CHARTS
  • 10. HOW BAD IS IT? Nissan LEAF https://www.troyhunt.com/controlling-vehicle-features-of-nissan/
  • 11. HOW BAD IS IT? https://www.troyhunt.com/controlling-vehicle-features-of-nissan/
  • 12. HOW BAD IS IT? The Intel Management Engine (ME) https://arstechnica.com/information-technology/2017/11/intel-warns-of-widespread-vulnerability-in-pc-server-device-firmware/ ME’s connection architecture showing communication between network and host OS
  • 13. HOW BAD IS IT? https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine- 8668 “Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) microchip with a set of built-in peripherals. The PCH carries almost all communication between the processor and external devices; therefore Intel ME has access to almost all data on the computer, and the ability to execute third-party code allows compromising the platform completely.”
  • 14. 14 “If builders built houses the way programmers build programs, the first woodpecker to come along would destroy civilization.” — Weinberg's Second Law
  • 15. EVERY PROGRAM IS A POTENTIAL TARGET ▪ LEGAL RESPONSIBILITY ▪ FINANCIAL DAMAGE ▪ REPUTATION RISKS
  • 16. LEGAL RESPONSIBILITY GDPR (General Data Protection Regulation, Regulation (EU) 2016/679) “Data protection by Design and by Default” “Article 25. Data protection by Design and by Default requires that data protection is designed into the development of business processes for products and services.” http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
  • 17. LEGAL RESPONSIBILITY Legea Nr. 133 din 08.07.2011 privind protecţia datelor cu caracter personal “Articolul 30. Securitatea prelucrării datelor cu caracter pe "La prelucrarea datelor cu caracter personal, operatorul este obligat să ia măsurile organizatorice şi tehnice necesare pentru protecţia datelor cu caracter personal împotriva distrugerii, modificării, blocării, copierii, răspîndirii, precum şi împotriva altor acţiuni ilicite, măsuri menite să asigure un nivel de securitate adecvat în ceea ce priveşte riscurile prezentate de prelucrare şi caracterul datelor prelucrate." http://lex.justice.md/viewdoc.php?action=view&view=doc&id=340495&lang=1
  • 18. IT WORKS != IT’S SECURE
  • 19. 19 WHERE ARE THE ANSWERS? “The answers you seek are within you.” LITERALLY
  • 22. 22 THE LESSONS OF NATURE #1 SECURITY IT'S NOT AN OPTION, IT'S A NECESSITY
  • 23. 23 THE LESSONS OF NATURE #2 SECURITY IS A SYSTEM, NOT A SET OF METHODS
  • 25. 25 THE LESSONS OF NATURE #3 WE LIVE IN A CONSTANTLY CHANGING WORLD, WE NEED TO REACT FAST AND ADAPT TO CHANGE
  • 34. 34 THE LESSONS OF NATURE #4 SECURITY ≈ RISK MANAGEMENT
  • 35. 35 MOST COMMON MOBILE APPS SECURITY VULNERABILITIES (OWASP Top 10 Mobile Risks - Final List 2016, https://www.owasp.org/index.php/OWASP_Mobile_Security_Project)
    1. Improper Platform Usage
    2. Insecure Data Storage
    3. Insecure Communication
    4. Insecure Authentication
    5. Insufficient Cryptography
    6. Insecure Authorization
    7. Client Code Quality
    8. Code Tampering
    9. Reverse Engineering
    10. Extraneous Functionality
  • 36. 36 TIPS FOR IMPROVING SECURITY IN MOBILE APPS: Improper Platform Usage (misuse of a platform feature or failure to use platform security controls: Android intents, platform permissions, misuse of TouchID, the Keychain, or any other security control that is part of the mobile operating system)
    • SharedPreferences + MODE_PRIVATE
    • Explicit intents
    • Manifest android:exported="false"
    • file.getCanonicalPath() - YES; file.getAbsolutePath() - NO (a symlink placed in the app directory with ln -s filename maliciousfilename keeps an "inside" absolute path while its canonical path points at the real target)
    • webView.getSettings().setAllowFileAccess(false)
    • Store session tokens, passwords and cryptography secrets in the Keychain
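The getCanonicalPath() vs getAbsolutePath() point above, shown as an added example (this is not code from the slides). It builds a throwaway "private" directory, plants a symlink inside it that points at a file outside, and runs both checks against it: the absolute-path check accepts the link because the link itself lives under the directory, the canonical-path check rejects it because symlinks are resolved first. The directory and file names are constructed for the demo; on Android the base directory would be something like context.getFilesDir().

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Added example: deciding whether a requested file really lives inside the
 * app's private directory. Only the canonical path follows symlinks, so only
 * it can catch a link that was planted inside the directory.
 */
public final class PrivateDirGuard {

    private PrivateDirGuard() {}

    /** Correct check: compare paths after symlinks and ".." segments are resolved. */
    public static boolean isInsidePrivateDir(File baseDir, File requested) throws IOException {
        String base = baseDir.getCanonicalPath() + File.separator;
        String target = requested.getCanonicalPath();
        return target.startsWith(base);
    }

    /** The check the slide warns against: an absolute path does not follow symlinks. */
    public static boolean naiveCheck(File baseDir, File requested) {
        String base = baseDir.getAbsolutePath() + File.separator;
        return requested.getAbsolutePath().startsWith(base);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sandbox: a fake app-private directory and a fake file outside it.
        Path privateDir = Files.createTempDirectory("app_private");
        Path outside = Files.createTempFile("outside_secret", ".txt");
        Files.write(outside, "not for this app".getBytes());

        // The ln -s case from the slide: a link inside the private dir pointing outside.
        // (Symlink creation needs a POSIX filesystem; on Windows it may need extra privileges.)
        Path link = privateDir.resolve("notes.txt");
        Files.createSymbolicLink(link, outside);

        File base = privateDir.toFile();
        File requested = link.toFile();
        System.out.println("getAbsolutePath check accepts the link: " + naiveCheck(base, requested));
        System.out.println("getCanonicalPath check accepts the link: " + isInsidePrivateDir(base, requested));

        Files.delete(link);
        Files.delete(outside);
        Files.delete(privateDir);
    }
}
```

The trailing File.separator on the base path matters as well: without it, a sibling directory whose name merely starts with the base name (for example app_private2) would pass the startsWith test.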
  • 37. 37 TIPS FOR IMPROVING SECURITY IN MOBILE APPS There comes a time in most men’s lives where they feel the need to raise the Black Flag.
  • 38. 38 TIPS FOR IMPROVING SECURITY IN MOBILE APPS Markdown editor (PlayStore Top 20)
  • 39. 39 TIPS FOR IMPROVING SECURITY IN MOBILE APPS
  • 40. 40 TIPS FOR IMPROVING SECURITY IN MOBILE APPS: Insecure Data Storage (insecure data storage and unintended data leakage)
    • Secure-preferences
    • Secure cache
    • Secure DB (SQLCipher, Encrypted Core Data, Realm+encryptionKey)
    • ! URL caching (both request and response)
    • ! Logging
    • ! Analytics data sent to 3rd parties
  • 41. 41 TIPS FOR IMPROVING SECURITY IN MOBILE APPS Insecure Communication (poor handshaking, incorrect SSL versions, weak negotiation, cleartext communication of sensitive assets, etc)
  • 42. 42 TIPS FOR IMPROVING SECURITY IN MOBILE APPS
  • 43. 43 TIPS FOR IMPROVING SECURITY IN MOBILE APPS
  • 44. 44 TIPS FOR IMPROVING SECURITY IN MOBILE APPS
    • SSL Pinning (TrustKit, OkHttp+CertificatePinner; alert users through the UI if the mobile app detects an invalid certificate)
    • DNS Cache Poisoning Attacks
    • Use strong, industry standard cipher suites with appropriate key lengths.
    • Use certificates signed by a trusted CA provider.
    OkHttp: https://github.com/square/okhttp/wiki/HTTPS
    Alamofire: https://github.com/Alamofire/Alamofire#security
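The OkHttp+CertificatePinner item, written out as an added example (not code from the slides or from the OkHttp project). It pins the API host to a primary and a backup public-key hash and turns a pin failure into a distinct outcome that the UI layer can show to the user, which is the "alert users" part of the slide. The host name and both pin strings are placeholders; a real pin is the base64 SHA-256 of the server certificate's SubjectPublicKeyInfo, which the linked OkHttp HTTPS wiki explains how to obtain. The class assumes OkHttp 3.x on the classpath.

```java
import java.io.IOException;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

/**
 * Added example: certificate pinning with OkHttp's CertificatePinner and a
 * user-visible failure path. A pin mismatch means the TLS chain presented
 * for API_HOST contains none of the keys we expect, so the call is refused.
 */
public final class PinnedClient {

    // Placeholders (assumption for this example): replace with your API host and its real pins.
    static final String API_HOST = "api.example.com";
    static final String PIN_SHA256 = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    // Pin the next certificate's key too, so a planned rotation does not lock users out.
    static final String BACKUP_PIN_SHA256 = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    private PinnedClient() {}

    /** Client that refuses any TLS connection to API_HOST whose chain lacks a pinned key. */
    public static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PIN_SHA256, BACKUP_PIN_SHA256)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    /** Outcome the UI can act on without knowing OkHttp internals. */
    public enum Outcome { OK, PIN_MISMATCH, NETWORK_ERROR }

    public static Outcome fetch(OkHttpClient client, String url) {
        Request request = new Request.Builder().url(url).build();
        try (Response response = client.newCall(request).execute()) {
            return response.isSuccessful() ? Outcome.OK : Outcome.NETWORK_ERROR;
        } catch (SSLPeerUnverifiedException e) {
            // Pin mismatch: the connection may be intercepted. Do not silently retry
            // without pinning; report it to the user as the slide recommends.
            return Outcome.PIN_MISMATCH;
        } catch (IOException e) {
            return Outcome.NETWORK_ERROR;
        }
    }

    public static void main(String[] args) {
        Outcome outcome = fetch(build(), "https://" + API_HOST + "/v1/profile");
        switch (outcome) {
            case OK:           System.out.println("request succeeded"); break;
            case PIN_MISMATCH: System.out.println("certificate did not match the pinned key; warn the user"); break;
            default:           System.out.println("network error; safe to retry later"); break;
        }
    }
}
```

Because the pin is tied to the server key rather than to a name resolved by DNS, a connection that lands on the wrong server, whatever the cause, fails the pin check instead of the app trusting whichever certificate is presented.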
  • 45. 45 TIPS FOR IMPROVING SECURITY IN MOBILE APPS: Insecure Authentication (failures in authenticating the end user, or bad session management)
    • Failing to identify the user at all when that should be required
    • Failure to maintain the user's identity when it is required
    • Weaknesses in session management
  • 46. 46 TIPS FOR IMPROVING SECURITY IN MOBILE APPS
    • If client-side storage of data is required, the data will need to be encrypted using an encryption key that is securely derived from the user’s login credentials.
    • Persistent authentication (Remember Me) functionality implemented within mobile applications should never store a user’s password on the device.
    • Mobile applications should utilize a device-specific authentication token that can be revoked within the mobile application by the user.
    • Authenticating a user locally can lead to client-side bypass vulnerabilities.
  • 47. TIPS FOR IMPROVING SECURITY IN MOBILE APPS: Insufficient Cryptography (cryptography was attempted, but it wasn't done correctly)
    • Poor Key Management Processes
    • Creation and Use of Custom Encryption Protocols
    • Use of Insecure and/or Deprecated Algorithms
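One added example (not code from the slides) that serves three of the slides above: the secure-preferences item of slide 40, the "key securely derived from the user's login credentials" item of slide 46, and the "standard algorithms, no custom protocols" message of slide 47. It derives an AES-256 key from the password with PBKDF2 over a random salt, seals small values with AES-GCM (which authenticates as well as encrypts), and shows that flipping one bit of the stored blob is detected on decryption. Only the JDK's javax.crypto is used; the password, the stored value and the "prefs:v1" label are constructed sample data. The iteration count and the PBKDF2 variant are choices for this example, not from the slides; older Android versions may offer only the HmacSHA1 variant of PBKDF2, so check what the target platform provides.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example: a small vault for on-device values whose key exists only
 * while the user is logged in. The password is never written to storage;
 * only the salt (not secret) and the sealed blobs are.
 */
public final class CredentialDerivedVault {
    private static final int SALT_BYTES = 16;
    private static final int IV_BYTES = 12;           // 96-bit nonce, the recommended GCM size
    private static final int TAG_BITS = 128;
    private static final int KEY_BITS = 256;
    private static final int PBKDF2_ITERATIONS = 100_000; // example value; tune to the device
    private static final SecureRandom RNG = new SecureRandom();

    private CredentialDerivedVault() {}

    public static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return salt;
    }

    /** Derives the AES key from the login password; a fresh salt per user defeats precomputed tables. */
    public static SecretKey deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, KEY_BITS);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] keyBytes = factory.generateSecret(spec).getEncoded();
        try {
            return new SecretKeySpec(keyBytes, "AES");
        } finally {
            spec.clearPassword();
            Arrays.fill(keyBytes, (byte) 0);
        }
    }

    /** Output layout: iv (12 bytes) || ciphertext || 16-byte GCM tag. A fresh IV per call is mandatory for GCM. */
    public static byte[] seal(SecretKey key, byte[] plaintext, byte[] label) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        cipher.updateAAD(label);                      // binds the blob to its purpose without encrypting the label
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[IV_BYTES + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_BYTES);
        System.arraycopy(ct, 0, out, IV_BYTES, ct.length);
        return out;
    }

    /** Fails with an exception (AEADBadTagException) if the blob, the label or the key does not match. */
    public static byte[] open(SecretKey key, byte[] blob, byte[] label) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key,
                new GCMParameterSpec(TAG_BITS, Arrays.copyOfRange(blob, 0, IV_BYTES)));
        cipher.updateAAD(label);
        return cipher.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        char[] password = "correct horse battery staple".toCharArray(); // constructed sample credential
        byte[] salt = newSalt();                                          // persist next to the blobs
        SecretKey key = deriveKey(password, salt);
        Arrays.fill(password, '\0');                                      // password never persisted

        byte[] label = "prefs:v1".getBytes(StandardCharsets.UTF_8);
        byte[] blob = seal(key, "session_token=abc123".getBytes(StandardCharsets.UTF_8), label);
        String back = new String(open(key, blob, label), StandardCharsets.UTF_8);
        System.out.println("round trip matches: " + back.equals("session_token=abc123"));

        blob[blob.length - 1] ^= 0x01;    // tamper with one bit of the stored blob
        try {
            open(key, blob, label);
            System.out.println("tampering NOT detected");
        } catch (GeneralSecurityException e) {
            System.out.println("tampering detected: " + e.getClass().getSimpleName());
        }
    }
}
```

Everything that had to be decided here (algorithm, mode, nonce size, tag size, salt, iteration count) is a parameter of a standard construction; that is the practical meaning of "no custom encryption protocols" on the slide.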
  • 48. TIPS FOR IMPROVING SECURITY IN MOBILE APPS
  • 49. TIPS FOR IMPROVING SECURITY IN MOBILE APPS
  • 50. TIPS FOR IMPROVING SECURITY IN MOBILE APPS
  • 51. TIPS FOR IMPROVING SECURITY IN MOBILE APPS: Insecure Authorization (authorization decisions made on the client side, forced browsing, etc.); distinct from authentication issues (e.g., device enrolment, user identification, etc.)
    • Hidden Endpoints
    • User Role or Permission Transmissions (the mobile app transmits the user's roles or permissions to a backend)
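The "role transmitted by the app" item above, as an added example (not code from the slides) of the backend side of the problem. Both handlers receive the same request; the first trusts the role field the client sent, the second ignores it and looks the role up from the server's own session record. The session store, the action names and the request shape are constructed for the demo.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added example: the only trustworthy source of a user's role is the backend's
 * own record tied to the session, never a field in the request body.
 */
public final class AuthorizationDemo {

    /** Constructed session store: what the backend knows about each issued token. */
    static final Map<String, Session> SESSIONS = new HashMap<>();

    static final class Session {
        final String userId;
        final String role;
        Session(String userId, String role) { this.userId = userId; this.role = role; }
    }

    /** Constructed request shape: what the mobile client sends. */
    static final class ApiRequest {
        final String sessionToken;
        final String action;
        final String claimedRole;   // the field the slide says should not exist at all
        ApiRequest(String token, String action, String claimedRole) {
            this.sessionToken = token; this.action = action; this.claimedRole = claimedRole;
        }
    }

    static final Set<String> ADMIN_ONLY = new HashSet<>(Arrays.asList("DELETE_USER", "EXPORT_ALL"));

    /** Vulnerable: authenticates the token, then believes whatever role the request carries. */
    static boolean vulnerableIsAllowed(ApiRequest r) {
        if (!SESSIONS.containsKey(r.sessionToken)) return false;
        return !ADMIN_ONLY.contains(r.action) || "admin".equals(r.claimedRole);
    }

    /** Hardened: identity and role both come from the server-side session; the request's role field is ignored. */
    static boolean hardenedIsAllowed(ApiRequest r) {
        Session s = SESSIONS.get(r.sessionToken);
        if (s == null) return false;
        return !ADMIN_ONLY.contains(r.action) || "admin".equals(s.role);
    }

    public static void main(String[] args) {
        SESSIONS.put("tok-user-1", new Session("alice", "user"));
        // A request from a plain user whose role field does not match the server's record.
        ApiRequest request = new ApiRequest("tok-user-1", "DELETE_USER", "admin");
        System.out.println("vulnerable handler allows DELETE_USER: " + vulnerableIsAllowed(request));
        System.out.println("hardened handler allows DELETE_USER:   " + hardenedIsAllowed(request));
    }
}
```

The same rule covers the "hidden endpoints" item: an endpoint the app does not show in its UI still needs this server-side check, because nothing stops a client from calling it directly.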
  • 52. 52 TIPS FOR IMPROVING SECURITY IN MOBILE APPS: Client Code Quality (security decisions made on untrusted inputs; a catch-all for code-level implementation problems in the mobile client, such as buffer overflows, format string vulnerabilities, and various other code-level mistakes where the solution is to rewrite some code that's running on the mobile device)
  • 53. 53 TIPS FOR IMPROVING SECURITY IN MOBILE APPS: Code Tampering (binary patching, local resource modification, method hooking, method swizzling, and dynamic memory modification)
    • Android Root Detection (rootbeer)
    • iOS Jailbreak Detection
  • 54. 54 TIPS FOR IMPROVING SECURITY IN MOBILE APPS
  • 55. 55 TIPS FOR IMPROVING SECURITY IN MOBILE APPS TRIADA
  • 56. 56 TIPS FOR IMPROVING SECURITY IN MOBILE APPS: Reverse Engineering (analysis of the final core binary to determine its source code, libraries, algorithms, and other assets). A good obfuscator will have the following abilities:
    • Narrow down what methods / code segments to obfuscate;
    • Tune the degree of obfuscation to balance performance impact;
    • Withstand de-obfuscation from tools like IDA Pro and Hopper;
    • Obfuscate string tables as well as methods.
  • 59. 59 TIPS FOR IMPROVING SECURITY IN MOBILE APPS: Extraneous Functionality (hidden backdoor functionality or other internal development security controls that are not intended to be released into a production environment, e.g. a password accidentally left in a comment in a hybrid app, or 2-factor authentication disabled during testing)
    • Debug flag in configuration file
    • Administrative endpoint exposed
    • The backend description is written to the logs
  • 60. 60 ADDITIONAL READING
    Ephemeral keys: https://github.com/cossacklabs/mobile-websocket-example
    Zero Knowledge Protocols: https://hackernoon.com/eli5-zero-knowledge-proof-78a276db9eff
    End-to-end Encryption: https://medium.com/@cossacklabs/eli5-end-to-end-encryption-ae46821db74f
  • 61. Q & A