This document discusses security best practices for mobile development. It covers fundamental security principles like vulnerability, threat and mitigation. It details security measures in iOS like application sandboxing, permissions and encryption. It also discusses Android security concepts like application components and permissions. The document recommends practices like static analysis, encryption, jailbreak detection and the use of the Salesforce mobile SDK to help secure mobile apps and data.
Understanding Your Attack Surface and Detecting & Mitigating External ThreatsUlf Mattsson
Understanding Your Attack Surface and Detecting & Mitigating External Threats
Description : Organizations have spent massive amounts of money to protect the perimeter of their networks, but if your business exists on the internet, there really is no perimeter. In this presentation, we'll discuss Digital Footprints in understanding your company’s external attack surface. We will discuss social, mobile, web attacks and analyze and review lessons learned recently publicized attacks (Polish banking institutions, Apache Struts Vulnerability or WannaCry ransomware. The speed of business and cybercrime isn't slowing down, so how can you be prepared to address and defend against these types of threats? Attend our session to find out how.
Reducing Your Digital Attack Surface and Mitigating External Threats - What, Why, How:
What is a Digital Footprint?
Breakdown of External Threats (Social, Mobile, Web)
What are blended attacks?
What is actually being targeting at your company?
How are your brands, customers, and employees being attack outside of your company?
How to become proactive in threat monitoring on the internet?
Considerations in External Threat solutions
Threat correspondence tracking considerations
Is legal cease and desist letters adequate in stopping attacks?
Examination of a phishing attack campaign
How phishing kits work
Analysis and lesson learned from recent published attacks
What are the most important capability in a digital risk monitoring solution?
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
The talk I gave at Black Hat USA 2016 on Anti Malware Scan Interface. The talk looks at what good AMSI brings to Windows 10 and various methods of avoiding/bypassing it.
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
Presented by Andy Robbins, Rohan Vazarkar, and Will Schroeder at DerbyCon 7.0: Legacy, in Louisville, Kentucky, 2017.
See the video recording of the presentation here: https://www.youtube.com/watch?v=mfaFuXEiLF4
Understanding Your Attack Surface and Detecting & Mitigating External ThreatsUlf Mattsson
Understanding Your Attack Surface and Detecting & Mitigating External Threats
Description : Organizations have spent massive amounts of money to protect the perimeter of their networks, but if your business exists on the internet, there really is no perimeter. In this presentation, we'll discuss Digital Footprints in understanding your company’s external attack surface. We will discuss social, mobile, web attacks and analyze and review lessons learned recently publicized attacks (Polish banking institutions, Apache Struts Vulnerability or WannaCry ransomware. The speed of business and cybercrime isn't slowing down, so how can you be prepared to address and defend against these types of threats? Attend our session to find out how.
Reducing Your Digital Attack Surface and Mitigating External Threats - What, Why, How:
What is a Digital Footprint?
Breakdown of External Threats (Social, Mobile, Web)
What are blended attacks?
What is actually being targeting at your company?
How are your brands, customers, and employees being attack outside of your company?
How to become proactive in threat monitoring on the internet?
Considerations in External Threat solutions
Threat correspondence tracking considerations
Is legal cease and desist letters adequate in stopping attacks?
Examination of a phishing attack campaign
How phishing kits work
Analysis and lesson learned from recent published attacks
What are the most important capability in a digital risk monitoring solution?
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
The talk I gave at Black Hat USA 2016 on Anti Malware Scan Interface. The talk looks at what good AMSI brings to Windows 10 and various methods of avoiding/bypassing it.
Here Be Dragons: The Unexplored Land of Active Directory ACLsAndy Robbins
Presented by Andy Robbins, Rohan Vazarkar, and Will Schroeder at DerbyCon 7.0: Legacy, in Louisville, Kentucky, 2017.
See the video recording of the presentation here: https://www.youtube.com/watch?v=mfaFuXEiLF4
What is buffer overflow?
How a buffer overflow happens
How to avoid overrun?
Buffer overflow are responsible for many vulnerabilities in operating system as well as application programs.
It’s a quiet technical freaky , it includes program source code , assembler listing , and debugging usage , which almost scares away lot of people without solid programming knowledge.
Cause :
Buffer overflow attack have been there for a long time. It still exists partly because of the carelessness of the developer in the code.
Prevention :
Avoid writing bad codes
Tomcat, Undertow, Jetty, Nginx Unit: pros and consGeraldo Netto
A quick comparison between Tomcat, Undertow, Jetty, Nginx Unit regarding features, performance, scalability, security, maintainability and extensibility
Learn about the OWASP Top 10 Mobile Risks and best practices to avoid mobile application security pitfalls such as insecure data storage, insecure communication, reverse engineering, and more.
These slides were originally presented on a webinar November 2016. Watch the presentation here: https://youtu.be/LuDe3u0cSVs
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
PHP is the most commonly used server-side programming and deployed more than 80% in web server all over the world. However, PHP is a 'grown' language rather than deliberately engineered, making writing insecure PHP applications far too easy and common. If you want to use PHP securely, then you should be aware of all its pitfalls.
The presentation will give you an idea the secure coding practices. The points mentioned here, I would say is the minimum you should consider while developing an application
A guide for cyber security enthusiasts.
The Hacker Playbook is different as it walks the talk and details how to pull off the techniques.
The author explains techniques in simple-to-understand concepts while backing them up with real-life code.
You can choose to read with broad strokes to understand the techniques, and/or get granular with the code to execute the techniques.
Top 50 java ee 7 best practices [con5669]Ryan Cuprak
JavaOne 2016
This session provides 50 best practices for Java EE 7, with examples. The best practices covered focus primarily on JPA, CDI, JAX-WS, and JAX-RS. In addition, topics involving testing and deployment are covered. This presentation points out where best practices have changed, common misconceptions, and antipatterns that should be avoided. This is a fast-paced presentation with many code samples.
OWASP Top 10 2021 – Overview and What's New.
OWASP Top 10 is the most successful OWASP Project
It shows ten most critical web application security flaws.
Read the presentation and you will learn each OWASP Top 10 category and recommendations on how to prevent it.
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
Talk of Skip Duckwall and I at BlackHat 2014 USA / Defcon Wall of Sheep.
Kerberos, and new pass-the-* feature, like overpass-the-hash and the Golden Ticket
Secure code review is probably the most effective technique to identify security bugs early in the system development lifecycle.
When used together with automated and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort. This presentation explain how can we start secure code review effectively.
Webinar: Technical Introduction to Native Encryption on MongoDBMongoDB
The new encrypted storage engine in MongoDB 3.2 allows you to more easily build secure applications that handle sensitive data. Attend this webinar to learn how the internals work and discover all of the options available to you for securing your data.
In the enterprise, mobile devices and mobile apps need to be secure. A lost or stolen phone or tablet can mean your company data falling into the wrong hands. Join us to explore the security features available on iOS and Android. Learn how app data can be compromised and learn best practices for the development of secure enterprise apps on both platforms.
What is buffer overflow?
How a buffer overflow happens
How to avoid overrun?
Buffer overflow are responsible for many vulnerabilities in operating system as well as application programs.
It’s a quiet technical freaky , it includes program source code , assembler listing , and debugging usage , which almost scares away lot of people without solid programming knowledge.
Cause :
Buffer overflow attack have been there for a long time. It still exists partly because of the carelessness of the developer in the code.
Prevention :
Avoid writing bad codes
Tomcat, Undertow, Jetty, Nginx Unit: pros and consGeraldo Netto
A quick comparison between Tomcat, Undertow, Jetty, Nginx Unit regarding features, performance, scalability, security, maintainability and extensibility
Learn about the OWASP Top 10 Mobile Risks and best practices to avoid mobile application security pitfalls such as insecure data storage, insecure communication, reverse engineering, and more.
These slides were originally presented on a webinar November 2016. Watch the presentation here: https://youtu.be/LuDe3u0cSVs
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
PHP is the most commonly used server-side programming and deployed more than 80% in web server all over the world. However, PHP is a 'grown' language rather than deliberately engineered, making writing insecure PHP applications far too easy and common. If you want to use PHP securely, then you should be aware of all its pitfalls.
The presentation will give you an idea the secure coding practices. The points mentioned here, I would say is the minimum you should consider while developing an application
A guide for cyber security enthusiasts.
The Hacker Playbook is different as it walks the talk and details how to pull off the techniques.
The author explains techniques in simple-to-understand concepts while backing them up with real-life code.
You can choose to read with broad strokes to understand the techniques, and/or get granular with the code to execute the techniques.
Top 50 java ee 7 best practices [con5669]Ryan Cuprak
JavaOne 2016
This session provides 50 best practices for Java EE 7, with examples. The best practices covered focus primarily on JPA, CDI, JAX-WS, and JAX-RS. In addition, topics involving testing and deployment are covered. This presentation points out where best practices have changed, common misconceptions, and antipatterns that should be avoided. This is a fast-paced presentation with many code samples.
OWASP Top 10 2021 – Overview and What's New.
OWASP Top 10 is the most successful OWASP Project
It shows ten most critical web application security flaws.
Read the presentation and you will learn each OWASP Top 10 category and recommendations on how to prevent it.
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
Talk of Skip Duckwall and I at BlackHat 2014 USA / Defcon Wall of Sheep.
Kerberos, and new pass-the-* feature, like overpass-the-hash and the Golden Ticket
Secure code review is probably the most effective technique to identify security bugs early in the system development lifecycle.
When used together with automated and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort. This presentation explain how can we start secure code review effectively.
Webinar: Technical Introduction to Native Encryption on MongoDBMongoDB
The new encrypted storage engine in MongoDB 3.2 allows you to more easily build secure applications that handle sensitive data. Attend this webinar to learn how the internals work and discover all of the options available to you for securing your data.
In the enterprise, mobile devices and mobile apps need to be secure. A lost or stolen phone or tablet can mean your company data falling into the wrong hands. Join us to explore the security features available on iOS and Android. Learn how app data can be compromised and learn best practices for the development of secure enterprise apps on both platforms.
This talk will be focused on how to develop secure mobile apps. We will look into specifics regarding mobile development and what are the best practices.
We will make an emphasis on all issues affecting the mobile platform such as protocols, secure storage, secrets, caching, logging, etc.
When building apps for the Salesforce AppExchange, having a well-designed API around your application will draw in the developer audience and make your app more successful. Join us as step-by-step, we'll explore the principles of good API design, including security, ease of use, integration, and adaptability. We'll also give examples of API documentation and specific Force.com guidelines for APIs.
When building apps for the Salesforce AppExchange, having a well-designed API around your application will draw in the developer audience and make your app more successful. Join us as step-by-step, we'll explore the principles of good API design, including security, ease of use, integration, and adaptability. We'll also give examples of API documentation and specific Force.com guidelines for APIs.
Secure Salesforce: Hardened Apps with the Mobile SDKMartin Vigo
As frameworks and languages have evolved, creating a mobile app has never been easier. But can an easy mobile app be secure? Join our mobile security experts to discuss the Salesforce Mobile SDK and learn everything you need to know about hardening your mobile apps. We will discuss some common mobile vulnerabilities and mistakes, then dive deep into how the Salesforce Mobile SDK makes following our security best practices easy and painless!
Salesforce Platform Mobile Services provides developers with tools to easily create mobile applications while leveraging existing skill sets like Visualforce, JavaScript and HTML 5. The open-source Salesforce Platform Mobile SDKs give you the flexibility to build native, web and hybrid apps for iOS and Android. This webinar is the second in a series focusing on the new Mobile SDK 2.0 features, and will demonstrate how to create your own native iOS mobile applications that interface with the Salesforce Platform. The webinar walks you through the development of a simple native iOS application that retrieves records from Salesforce Platform and displays them in a master-detail view. You will then implement the means to update a record’s details and send the updated results back to the service.
Key Takeaways:
Learn how to build iOS apps quickly with the Mobile SDK 2.0
See how to interact securely with Salesforce API’s using Objective-C
Intended Audience:
Developers experienced with Salesforce Platform and have a working understanding of Objective-C
As frameworks and languages have evolved, creating a mobile app has never been easier. But can an easy mobile app be secure? Join our mobile security experts to discuss the Salesforce Mobile SDK and learn everything you need to know about hardening your mobile apps. We will discuss some common mobile vulnerabilities and mistakes, then dive deep into how the Salesforce Mobile SDK makes following our security best practices easy and painless!
Location-aware Mobile Apps with Chatter & iBeaconjohngifford
iBeacon, the Bluetooth low energy-based indoor proximity system, adds a new dimension to the mobile user experience. Join us to learn what iBeacon technology is, how to communicate with it via your mobile device, and watch as we build an app that connects this great new technology with Salesforce Chatter.
Many Apex developers ignore security, particularly when doing consulting projects. But security is not difficult if you consider it when designing your code. Join us to learn some simple design patterns to help ensure your code respects configured security settings, and some more sophisticated architectures you can use when your requirements call on you to override configured security settings.
Don't Risk Your Reputation or Your Mainframe: Best Practices for Demonstratin...IBM Security
Mainframes host mission critical corporate information and production applications for many financial, healthcare, government and retail companies requiring highly secure systems and regulatory compliance. Demonstrating compliance for your industry can be complex and failure to comply can result in vulnerabilities, audit failures, loss of reputation, security breaches, and even system shut down. How can you simplify enforcement of security policy and best practices? How can you automate security monitoring, threat detection, remediation and compliance reporting? How can you demonstrate governance, risk and compliance on your mainframe? Learn how your modern mainframe can help you to comply with industry regulations, reduce costs and protect your enterprise while supporting cloud, mobile, social and big data environments.
View the full on-demand webcast: https://www2.gotomeeting.com/en_US/island/webinar/registration.tmpl?Action=rgoto&_sf=14
Similar to Security Best Practices for Mobile Development @ Dreamforce 2013 (20)
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
Security Best Practices for Mobile Development @ Dreamforce 2013
1. Security Best Practices for Mobile
Development
Tom Gersic, Salesforce.com
Director, Mobile Services Delivery
@tomgersic
2. Safe harbor
Safe harbor statement under the Private Securities Litigation Reform Act of 1995:
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties
materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results
expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be
deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other
financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any
statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new
functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our
operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any
litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our
relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of
our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to
larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is
included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent
fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor
Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently
available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions
based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these
forward-looking statements.
4. Agenda
• Fundamental Principles
• What iOS and Android Share
• iOS Specific Characteristics
• Android Specific Characteristics
• Salesforce Mobile Offerings
19. Libtiff Image Exploit / Jailbreak
• iPhone 1 – patched in 1.1.2
• Tiff buffer overflow
• Nothing to prevent executing code on the heap
• Gained root access from viewing an image on the web
25. Concatenated SMS Exploit
• Takes 519 SMS messages – all but 1 is invisible
• Send message -1 of X to underflow the array buffer
• Can’t be stopped by the user
• Used to write an entire binary executable to the heap, and run
it, taking over the phone.
28. Data Security – Hardware Encryption
Requires PIN/Passcode on both iOS and Android
On iOS, apps opt-in
Supported on
iPhone 3GS w/ iOS v4+ (AES 256 bit)
Android Honeycomb+ (AES 128 bit)
• Some manufacturers increase to AES 256 bit (Samsung SAFE)
SD Card encryption on Android is manufacturer specific.
33. iOS Sandbox
• All apps (Apple’s and App Store) run as “mobile” user.
• Sandboxing is bolted on -- handled via XNU Sandbox
“Seatbelt” kernel extension.
• Applications run in separate subdirectories of
/private/var/mobile/Applications
• Any app in this directory is loaded with “container”
(sandboxed) profile.
34. Android Sandbox
• Uses underlying Linux security model
• Every app runs as a separate user
• Apps signed by the same developer can run as the same user, if
desired (not the default, though)
• Every app runs in its own instance of the Android Runtime (Dalvik
Virtual Machine)
• Like iOS, every app has its own directory structure
• SD Card, though, is generally public – accessible to all apps and
unencrypted unless manufacturer has added encryption (Samsung
SAFE)
51. Enable ASLR in your app
• ASLR: Address Space Layout Randomization
52. Stack Canaries
• AKA Stack Smashing Protection
• Protect against buffer overflows
• Places random known value (canary) before local variables
• Use Apple LLVM – won’t work with LLVM GCC
No system is perfectly secure
Security is all about managing risk
Something that allows an attack to take place.
To use credit cards, we frequently have to let them out of our sight
Someone we give our credit card to could skim it
Reduces the severity of one (or more) of the three
Laws and credit card company policies limit our liability to $50 (by law) or frequently $0 (by policy)
The vulnerability and threat still exist, but the consequence is nullified (for the consumer, anyway)
Separation of Concerns: Apps, modules, etc. are separated – each module has a specific function
Principle of Least Privilege – Each of these modules has only the permissions necessary to do its legitimate function
CIA applies to:
Application Security – Up to the developer
Operating System Security – Sandboxing, permissions
Device Security – PIN, Hardware Encryption
Infrastructure Security – Codesigning, app store reviews, etc.
Would not be possible today because of DEP
ASLR: Address Space Layout Randomization
DEP: Data Execution Protection
Ref: http://books.google.com/books?id=1kDcjKcz9GwC&pg=PT10&lpg=PT10&dq=libtiff+iphone+dep&source=bl&ots=9KcFvBCd0n&sig=qjQdCSJWyWOnzsKmeVuw1psrCmU&hl=en&sa=X&ei=Yn8TUOiHLaeviQfvkICoBw&ved=0CFwQ6AEwAQ#v=onepage&q=libtiff%20iphone%20dep&f=false
Ref: http://365.rsaconference.com/servlet/JiveServlet/previewBody/3488-102-1-4589/MBS-402.pdf
Ref: http://en.wikipedia.org/wiki/Data_Execution_Prevention
Ref: http://en.wikipedia.org/wiki/Address_space_layout_randomization
iOS 4.3+, Android ICS (broken), Jelly Bean (fixed)
ASLR: Address Space Layout Randomization
DEP: Data Execution Protection
META-INF checksums – keep would-be hackers from modifying files in the APK after it’s been signed
Files of the same name
Checks first, installs last
http://nakedsecurity.sophos.com/2013/07/10/anatomy-of-a-security-hole-googles-android-master-key-debacle-explained/
http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/
http://nakedsecurity.sophos.com/2013/08/09/android-master-key-vulnerability-more-malware-found-exploiting-code-verification-bypass/
2009
SMS is an excellent attack vector – no way to turn it off, no way to firewall it. It’s used to make the phone ring in addition to text messages, so it’s a wide open port on all phones
Attack exploited the fact that the start of a concatenated SMS message tells the phone how many individual 140 byte messages to expect – no messages are displayed until all are received
Ref: http://www.docstoc.com/docs/52434984/iPhone-SMS-Fuzzing-and-Exploitation
Ref: http://www.youtube.com/watch?gl=US&hl=en&client=mv-google&v=hUr4ilw0AeI&nomobile=1
Ref: https://community.rapid7.com/community/metasploit/blog/2007/10/11/cracking-the-iphone-part-1
Ref: https://community.rapid7.com/community/metasploit/blog/2007/10/14/cracking-the-iphone-part-2
Ref: https://community.rapid7.com/community/metasploit/blog/2007/10/16/cracking-the-iphone-part-21
Ref: https://community.rapid7.com/community/metasploit/blog/2007/10/21/cracking-the-iphone-part-3
Another Charlie Miller exploit – presented at Black Hat, July 25 2012
NFC tag can launch any URL in the browser – makes use of known WebKit exploit to take over the phone.
Doesn’t require user to give permission to launch the URL
Biggest threat is someone placing a rogue NFC tag on/near a legitimate NFC reader
http://www.forbes.com/sites/andygreenberg/2012/07/25/darpa-funded-researcher-can-take-over-android-and-nokia-phones-by-merely-waving-another-device-near-them/
But my phone’s encrypted!
128 bit / 256 bit really only makes a difference if password is greater than 16 characters (16*8=128)
With a PIN/Passcode, Email, Attachments, and some other system files are encrypted while device is locked
Any other app is storing the keys with the lock unless app specifies NSFileProtectionComplete
Sources:
http://source.android.com/tech/encryption/android_crypto_implementation.html
http://www.wilderssecurity.com/showthread.php?t=320996
http://www.ubergizmo.com/2012/06/samsungs-safe-initiative-will-make-the-galaxy-s3-enterprise-friendly/
on official App Store / Marketplace, all apps are digitally signed by the developer – ties malware back to an individual or company
-- With iOS, Apple is the Certificate Authority. With Android, self-signed certificates are acceptable.
applications are limited in what they can access with regards to other applications or system resources
limits damage that can be done by exploiting any one app
What’s new in iOS 7: https://developer.apple.com/library/ios/releasenotes/General/WhatsNewIniOS/Articles/iOS7.html
App States and Multitasking: https://developer.apple.com/library/ios/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/ManagingYourApplicationsFlow/ManagingYourApplicationsFlow.html#//apple_ref/doc/uid/TP40007072-CH4
One of the biggest security concerns people have with Android is that they know apps can run in the background, and they can interact with other apps
Activities
Service
Content Provider
Broadcast Receiver
Intent
“Except passwords”?
Android apps need to specify which system resources they need access to
Users accept these when they install the app
Some things you can do, but none are 100% reliable.