SlideShare a Scribd company logo

Untitled 1

Download as PPTX, PDF
Sergey Kochergan
Sergey Kochergan
Technology
1 of 27
Security Testing of Mobile Applications (Android - BlackBerry - iOS)
Introduction to Android Security & AppUse Mobile application threat model - What makes mobile application security so different? • The Android linux OS security • The Dalvik VM • The Android security mechanisms • Application file system isolation • The permission model • Least privilege model • Database isolation • The Android emulator VS. physical device • The AppUse VM ("Android Pen-test Platform Unified Standalone Environment") • The Android Debug Bridge (ADB) • The logcat interface
Traffic Analysis and Manipulation • Intro to server side attacks - SQL injection, XSS • Insecure remote Authentication - client id, IMEI, etc. • Insecure session management • authorization • Traffic interception • Using proxies and sniffers • Importing SSL certificates & trusted CA's • Sensitive information transmission • Bypassing server certificate validations • Exposing insecure traffic
Insecure data K11storage • Exploring deployed application files at the /data/data directory • The file system security model • Insecure file system permissions • Insecure storage of sensitive data in files • The SDcard • The SQLite Database storage • Using sqlite browser • Application shared preferences storage • Storage of sensitive data at the server side • Secrets in code • Insecure log exposure • Bad cryptography
Reverse engineering the application binaries • The APK file package • APK extraction - Investigating layout, manifest, permissions and binaries • Extracting the content of the classes.dex file • Using smali/baksmali Dalvik assembler/disassembler • Using jasmin/jasper JVM assembler/disassembler • Decompilation • Using dex2jar • Identifying interesting API calls - file access, networking, SDcard access, SQLite, etc • Identifying insecure code - certificate validation bypass, insecure xml parsing, clipboard access, geo-location, address book, client xss and html injection, etc. • Finding hard coded secrets in code • Using Android Lint • Code patching and modification • Recreating and resigning the modified APK
Android application components security • Major component types - Activity, Service, Content provider, Broadcast receiver • The Intent message • Components and the manifest file • Using manifest explorer • Component permissions and visibility • Activating components • Accessing restricted screens • Attacking content providers and client side sql injection • Direct component invocation by unauthorized apps
Analyzing Runtime Analysis • Monitoring process activity • Observing file access • Monitoring network connectivity • Debugging • Setting breakpoints • Memory dumping and analysis • Analyzing logs using logcat
Android Platform Security Architecture Android seeks to be the most secure and usable operating system for mobile platforms by re-purpo  Protect user data  Protect system resources (including the network)  Provide application isolation To achieve these objectives, Android provides these key security features:  Robust security at the OS level through the Linux kernel  Mandatory application sandbox for all applications  Secure interprocess communication  Application signing  Application-defined and user-granted permissions The sections below describe these and other security features of the Android platform. Figure 1 summarizes the security components and considera
New Android's Feature will Regularly Scan Your Apps Recently Google has officially announced to increase the security of Android users by adding a new feature to android which will regularly scan all the The new feature by Google would be a part of Verify Apps feature which is already protecting android users from harmful apps installed by third party The feature will scan for spywares , malwares , sending unauthorized messages and in-app installations for changes in app activity after it is installed
The first comprehensive guide to discovering and preventing attacks on the Android OS As the Android operating system continues to increase its share of the smartphone market, smartphone hacking remains a growing threat. Written b If you are a mobile device administrator, security researcher, Android app developer, or consultant responsible for evaluating Android security, you w A crack team of leading Android security researchers explain Android security risks, security design and architecture, rooting, fuzz testing, and vulne Covers Android application building blocks and security as well as debugging and auditing Android apps Prepares mobile device administrators, security researchers, Android app developers, and security consultants to defend Android systems against a Android Hacker's Handbook is the first comprehensive resource for IT professionals charged with smartphone security.
IT Policy: -Primary policy for all protection mechanisms Access to Network/Resources/Settings Prohibited and Mandatory installations of apps Controlling third-party Java application permissions -Per-Handset + Global Policy stored on BES -Initial Policy is signed by master key at pairing Stored in NV RAM Future updates OTA must be signed by master key
Application Controls: - All applications run in the JVM - IT Policy controls how the applications interact -Developed with the user and company in mind Most restrictive overlap - I9 application control policy categories Cross Application Control -Hardware -Network domnains -PIM data/ applications -Inter-application communication -Browser -User Autherntication and Settings -Input Simulation -MDS
Code signing - Core BB applications must be RIM Signed - Class files verified for interface compliance - No user-defined class loaders -No Java Native Interface or user extensions -System classes cannot be overridden
Data Security -Java RMS offers various forms of crypto -Keys must be explicitly shared by apps -PIM protected by Blackberry Attachment Service Renders and decrypts data on the BES Sends rasterized information to display Avoids image exploits Manages PGP on BES
The iOS Security Model Apple has incorporated four layers of security in iOS to protect the user and their data. Device Security Techniques to prevent an unauthorized individual from using the device Data Security Techniques to protect the data stored on the device, even if the device is stolen Network Security Tools to encrypt data while it is in transit across a network Application Security Mechanisms to secure the operating system and isolate applications while they are running
Information gathering Observe application behavior Determine the application’s data states (at rest, in transit or on display) and sensitivity Identify access methods Identify what frameworks are in use Identify server side APIs that are in use Identify what protocols are in use Identify other applications or services with which the application interacts Decrypt Appstore binaries: the .ipa will be decrypted at runtime by the kernel’s mach loader. Cydia has several applications available: Crackulo Determine the architecture the application was compiled for: otool –f <app name> or lipo -info <app>. Get information about what functions, classes and methods are referenced in the application and in the dynamically loaded libraries. Use nm <a List the dynamic dependencies. Use otool –L <app name> Dump the load commands for the application. Use otool –l <app name> Dump the runtime information from the compiled application. Identify each class compiled into the program and its associated methods, instanc Dump the keychain using dump_keychain to reveal application specific credentials and passwords if stored in the keychain. Determine the security features in place: Locate the PIE (Position Independent Executable) - an app compiled without PIE (using the “–fPIE –pie” flag) will load the executable at a fixed Stack smashing protection - specify the –fstack-protector-all compiler flag. A “canary” is placed on the stack to protect the saved base pointer, s
iPhone Analyzer allows you to forensically examine or recover data from in iOS device. It principally works by importing backups produced from iTunes or third party software, and providing you with a rich interface to explore, analyze and recover data in human readable formats. Because it works from the backup files everything is forensically safe, and no changes are made to the data. IPhone Analyzer is now free for Personal use
If you’re an app developer with a solid foundation in Objective-C, this book is an absolute must—chances are very high that your company’s iOS app This guide illustrates several types of iOS attacks, as well as the tools and techniques that hackers use. You’ll learn best practices to help protect yo  Examine subtle vulnerabilities in real-world applications—and avoid the same problems in your apps  Learn how attackers infect apps with malware through code injection  Discover how attackers defeat iOS keychain and data-protection encryption  Use a debugger and custom code injection to manipulate the runtime Objective-C environment  Prevent attackers from hijacking SSL sessions and stealing traffic  Securely delete files and design your apps to prevent forensic data leakage  Avoid debugging abuse, validate the integrity of run-time classes, and make your code harder to trace
Top 10 Mobile Risks M1 : Weak Server Side Controls M2 : Insecure Data Storage M3 : Insufficient Transport Layer Protection M4 : Unintended Data Leakage M5 : Poor Authorization and Authentication M6 : Broken Cryptography M7 : Client Side Injection M8 : Security Decisions Via Untrusted Inputs M9 : Improper Session Handling M10: Lack of Binary Protections
What is the Heartbleed bug? It’s an OpenSSL vulnerability. OpenSSL is a security protocol that encrypts communications between your computer (or device) and a Web server. A Most websites, many operating systems, and many apps use OpenSSL. It’s everywhere, and one version of it has a critical bug that lets hackers exp Which operating systems are affected: iOS devices are safe. Windows Phone OS is likely safe. BlackBerry is “investigating.” Android is vulnerable if you have version 4.1.1, according to Google.
OWASP Mobile Security Project - MobiSec The MobiSec Live Environment Mobile Testing Framework project is a live environment for testing m
Thank you!

Recommended

Security framework for connected devices
Security framework for connected devicesSecurity framework for connected devices
Security framework for connected devicesHCL Technologies
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Mykhailo Antonishyn
 
Generic threats to mobile application
Generic threats to mobile applicationGeneric threats to mobile application
Generic threats to mobile applicationVikrant Kansal
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applicationsGTestClub
 
Application security
Application securityApplication security
Application securityHagar Alaa el-din
 
Application Security
Application SecurityApplication Security
Application SecurityReggie Niccolo Santos
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application SecurityPrateek Jain
 
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesProtect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesSymantec
 

Recommended

Security framework for connected devices
Security framework for connected devicesSecurity framework for connected devices
Security framework for connected devicesHCL Technologies
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Mykhailo Antonishyn
 
Generic threats to mobile application
Generic threats to mobile applicationGeneric threats to mobile application
Generic threats to mobile applicationVikrant Kansal
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applicationsGTestClub
 
Application security
Application securityApplication security
Application securityHagar Alaa el-din
 
Application Security
Application SecurityApplication Security
Application SecurityReggie Niccolo Santos
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application SecurityPrateek Jain
 
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesProtect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New VulnerabilitiesSymantec
 
Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Prathan Phongthiproek
 
Introduction to security testing raj
Introduction to security testing rajIntroduction to security testing raj
Introduction to security testing rajRajakrishnan S, MCA,MBA,MA Phil,PMP,CSM,ISTQB-Test Mgr,ITIL
 
Cyber security series Application Security
Cyber security series Application SecurityCyber security series Application Security
Cyber security series Application SecurityJim Kaplan CIA CFE
 
Chapter 4
Chapter 4Chapter 4
Chapter 4NorazlinaAbdullah4
 
Introduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration TestingIntroduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration TestingAmmar WK
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & ArchitecturePriyanka Aash
 
Application Security Testing(AST)
Application Security Testing(AST)Application Security Testing(AST)
Application Security Testing(AST)Arvind Bhardwaj [AB]
 
Owasp
Owasp Owasp
Owasp penetration Tester
 
OWASP Top 10 Project
OWASP Top 10 ProjectOWASP Top 10 Project
OWASP Top 10 ProjectMuhammad Shehata
 
OWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-DiveOWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-DivePrathan Phongthiproek
 
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN ITWHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN ITTekRevol LLC
 
Ch02 System Threats and Risks
Ch02 System Threats and RisksCh02 System Threats and Risks
Ch02 System Threats and RisksInformation Technology
 
Meetup DotNetCode Owasp
Meetup DotNetCode Owasp Meetup DotNetCode Owasp
Meetup DotNetCode Owasp dotnetcode
 
Secure by design and secure software development
Secure by design and secure software developmentSecure by design and secure software development
Secure by design and secure software developmentBill Ross
 
Security and information assurance
Security and information assuranceSecurity and information assurance
Security and information assurancebdemchak
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test ProfessionalsTechWell
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecLalit Kale
 
IoT Hardware Teardown, Security Testing & Control Design
IoT Hardware Teardown, Security Testing & Control DesignIoT Hardware Teardown, Security Testing & Control Design
IoT Hardware Teardown, Security Testing & Control DesignPriyanka Aash
 
Security testing
Security testingSecurity testing
Security testingbaskar p
 
Firebase analytics for_android _ i_os
Firebase analytics for_android _ i_osFirebase analytics for_android _ i_os
Firebase analytics for_android _ i_osbaroqueworksdev
 
Security in Android Application, Александр Смирнов, RedMadRobot, Москва
Security in Android Application, Александр Смирнов, RedMadRobot, Москва Security in Android Application, Александр Смирнов, RedMadRobot, Москва
Security in Android Application, Александр Смирнов, RedMadRobot, Москва it-people
 
Firebase
FirebaseFirebase
FirebaseTriState Technology
 

More Related Content

What's hot

Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Prathan Phongthiproek
 
Cyber security series Application Security
Cyber security series Application SecurityCyber security series Application Security
Cyber security series Application SecurityJim Kaplan CIA CFE
 
Introduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration TestingIntroduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration TestingAmmar WK
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & ArchitecturePriyanka Aash
 
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN ITWHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN ITTekRevol LLC
 
Meetup DotNetCode Owasp
Meetup DotNetCode Owasp Meetup DotNetCode Owasp
Meetup DotNetCode Owasp dotnetcode
 
Secure by design and secure software development
Secure by design and secure software developmentSecure by design and secure software development
Secure by design and secure software developmentBill Ross
 
Security and information assurance
Security and information assuranceSecurity and information assurance
Security and information assurancebdemchak
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test ProfessionalsTechWell
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecLalit Kale
 
IoT Hardware Teardown, Security Testing & Control Design
IoT Hardware Teardown, Security Testing & Control DesignIoT Hardware Teardown, Security Testing & Control Design
IoT Hardware Teardown, Security Testing & Control DesignPriyanka Aash
 
Security testing
Security testingSecurity testing
Security testingbaskar p
 

What's hot (19)

Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20
 
Introduction to security testing raj
Introduction to security testing rajIntroduction to security testing raj
Introduction to security testing raj
 
Cyber security series Application Security
Cyber security series Application SecurityCyber security series Application Security
Cyber security series Application Security
 
Chapter 4
Chapter 4Chapter 4
Chapter 4
 
Introduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration TestingIntroduction to IOS Application Penetration Testing
Introduction to IOS Application Penetration Testing
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture
 
Application Security Testing(AST)
Application Security Testing(AST)Application Security Testing(AST)
Application Security Testing(AST)
 
Owasp
Owasp Owasp
Owasp
 
OWASP Top 10 Project
OWASP Top 10 ProjectOWASP Top 10 Project
OWASP Top 10 Project
 
OWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-DiveOWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-Dive
 
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN ITWHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
WHAT IS APP SECURITY – THE COMPLETE PROCESS AND THE TOOLS & TESTS TO RUN IT
 
Ch02 System Threats and Risks
Ch02 System Threats and RisksCh02 System Threats and Risks
Ch02 System Threats and Risks
 
Meetup DotNetCode Owasp
Meetup DotNetCode Owasp Meetup DotNetCode Owasp
Meetup DotNetCode Owasp
 
Secure by design and secure software development
Secure by design and secure software developmentSecure by design and secure software development
Secure by design and secure software development
 
Security and information assurance
Security and information assuranceSecurity and information assurance
Security and information assurance
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test Professionals
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
IoT Hardware Teardown, Security Testing & Control Design
IoT Hardware Teardown, Security Testing & Control DesignIoT Hardware Teardown, Security Testing & Control Design
IoT Hardware Teardown, Security Testing & Control Design
 
Security testing
Security testingSecurity testing
Security testing
 

Viewers also liked

Firebase analytics for_android _ i_os
Firebase analytics for_android _ i_osFirebase analytics for_android _ i_os
Firebase analytics for_android _ i_osbaroqueworksdev
 
Security in Android Application, Александр Смирнов, RedMadRobot, Москва
Security in Android Application, Александр Смирнов, RedMadRobot, Москва Security in Android Application, Александр Смирнов, RedMadRobot, Москва
Security in Android Application, Александр Смирнов, RedMadRobot, Москва it-people
 
Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basicsOWASPKerala
 
Android Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsAndroid Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsBlrDroid
 
Android security model
Android security modelAndroid security model
Android security modelrrand1
 
Introduction, Examples - Firebase
Introduction, Examples - Firebase Introduction, Examples - Firebase
Introduction, Examples - Firebase Eueung Mulyana
 
Introduction to Firebase with Android and Beyond...
Introduction to Firebase with Android and Beyond...Introduction to Firebase with Android and Beyond...
Introduction to Firebase with Android and Beyond...Kasper Loevborg Jensen
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android SecurityMarakana Inc.
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security modelPragati Rai
 
Introduction to Firebase [Google I/O Extended Bangkok 2016]
Introduction to Firebase [Google I/O Extended Bangkok 2016]Introduction to Firebase [Google I/O Extended Bangkok 2016]
Introduction to Firebase [Google I/O Extended Bangkok 2016]Sittiphol Phanvilai
 

Viewers also liked (17)

Firebase analytics for_android _ i_os
Firebase analytics for_android _ i_osFirebase analytics for_android _ i_os
Firebase analytics for_android _ i_os
 
Security in Android Application, Александр Смирнов, RedMadRobot, Москва
Security in Android Application, Александр Смирнов, RedMadRobot, Москва Security in Android Application, Александр Смирнов, RedMadRobot, Москва
Security in Android Application, Александр Смирнов, RedMadRobot, Москва
 
Firebase
FirebaseFirebase
Firebase
 
Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basics
 
Android Security
Android SecurityAndroid Security
Android Security
 
Android Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsAndroid Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android Applications
 
Firebase Android
Firebase AndroidFirebase Android
Firebase Android
 
Android security model
Android security modelAndroid security model
Android security model
 
Introduction, Examples - Firebase
Introduction, Examples - Firebase Introduction, Examples - Firebase
Introduction, Examples - Firebase
 
Android system security
Android system securityAndroid system security
Android system security
 
Introduction to Firebase with Android and Beyond...
Introduction to Firebase with Android and Beyond...Introduction to Firebase with Android and Beyond...
Introduction to Firebase with Android and Beyond...
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android Security
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security model
 
Introduction to Firebase [Google I/O Extended Bangkok 2016]
Introduction to Firebase [Google I/O Extended Bangkok 2016]Introduction to Firebase [Google I/O Extended Bangkok 2016]
Introduction to Firebase [Google I/O Extended Bangkok 2016]
 
Android security
Android securityAndroid security
Android security
 

Similar to Untitled 1

CNIT 128 8: Mobile development security
CNIT 128 8: Mobile development securityCNIT 128 8: Mobile development security
CNIT 128 8: Mobile development securitySam Bowne
 
Mobile security
Mobile securityMobile security
Mobile securityStefaan
 
The Ultimate Security Checklist Before Launching Your Android App
The Ultimate Security Checklist Before Launching Your Android AppThe Ultimate Security Checklist Before Launching Your Android App
The Ultimate Security Checklist Before Launching Your Android AppAppknox
 
Mobile Security Training, Mobile Device Security Training
Mobile Security Training, Mobile Device Security TrainingMobile Security Training, Mobile Device Security Training
Mobile Security Training, Mobile Device Security TrainingTonex
 
Introduction to Android Application Security Testing - 2nd Sep 2017
Introduction to Android Application Security Testing - 2nd Sep 2017Introduction to Android Application Security Testing - 2nd Sep 2017
Introduction to Android Application Security Testing - 2nd Sep 2017Satheesh Kumar V
 
Mobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attackerbugcrowd
 
Mobile Security for the Enterprise
Mobile Security for the EnterpriseMobile Security for the Enterprise
Mobile Security for the EnterpriseWill Adams
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on androidRavishankar Kumar
 
Standards and methodology for application security assessment
Standards and methodology for application security assessment Standards and methodology for application security assessment
Standards and methodology for application security assessment Mykhailo Antonishyn
 
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...IBM Security
 
How to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS AppsHow to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS AppsBitbar
 
Droidcon mobile security
Droidcon mobile securityDroidcon mobile security
Droidcon mobile securityJudy Ngure
 
Mobile Enterprise Application Platform
Mobile Enterprise Application PlatformMobile Enterprise Application Platform
Mobile Enterprise Application PlatformNugroho Gito
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsBen Rothke
 
Secure Android Apps- nVisium Security
Secure Android Apps- nVisium SecuritySecure Android Apps- nVisium Security
Secure Android Apps- nVisium SecurityJack Mannino
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security ProgramDenim Group
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageAnant Shrivastava
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentestingMinali Arora
 

Similar to Untitled 1 (20)

CNIT 128 8: Mobile development security
CNIT 128 8: Mobile development securityCNIT 128 8: Mobile development security
CNIT 128 8: Mobile development security
 
Mobile security
Mobile securityMobile security
Mobile security
 
The Ultimate Security Checklist Before Launching Your Android App
The Ultimate Security Checklist Before Launching Your Android AppThe Ultimate Security Checklist Before Launching Your Android App
The Ultimate Security Checklist Before Launching Your Android App
 
Mobile Security Training, Mobile Device Security Training
Mobile Security Training, Mobile Device Security TrainingMobile Security Training, Mobile Device Security Training
Mobile Security Training, Mobile Device Security Training
 
Introduction to Android Application Security Testing - 2nd Sep 2017
Introduction to Android Application Security Testing - 2nd Sep 2017Introduction to Android Application Security Testing - 2nd Sep 2017
Introduction to Android Application Security Testing - 2nd Sep 2017
 
Mobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attacker
 
Mobile Security for the Enterprise
Mobile Security for the EnterpriseMobile Security for the Enterprise
Mobile Security for the Enterprise
 
OS-Project-Report-Team-8
OS-Project-Report-Team-8OS-Project-Report-Team-8
OS-Project-Report-Team-8
 
Top 6 Android Security Best Practices for App Development
Top 6 Android Security Best Practices for App DevelopmentTop 6 Android Security Best Practices for App Development
Top 6 Android Security Best Practices for App Development
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on android
 
Standards and methodology for application security assessment
Standards and methodology for application security assessment Standards and methodology for application security assessment
Standards and methodology for application security assessment
 
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...
 
How to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS AppsHow to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS Apps
 
Droidcon mobile security
Droidcon mobile securityDroidcon mobile security
Droidcon mobile security
 
Mobile Enterprise Application Platform
Mobile Enterprise Application PlatformMobile Enterprise Application Platform
Mobile Enterprise Application Platform
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applications
 
Secure Android Apps- nVisium Security
Secure Android Apps- nVisium SecuritySecure Android Apps- nVisium Security
Secure Android Apps- nVisium Security
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentesting
 

Recently uploaded

Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuidePixlogix Infotech
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMKumar Satyam
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data SciencePaolo Missier
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseWSO2
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityVictorSzoltysek
 

Recently uploaded (20)

Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern Enterprise
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 

Untitled 1

  • 1. Security Testing of Mobile Applications (Android - BlackBerry - iOS)
  • 2. Introduction to Android Security & AppUse Mobile application threat model - What makes mobile application security so different? • The Android linux OS security • The Dalvik VM • The Android security mechanisms • Application file system isolation • The permission model • Least privilege model • Database isolation • The Android emulator VS. physical device • The AppUse VM ("Android Pen-test Platform Unified Standalone Environment") • The Android Debug Bridge (ADB) • The logcat interface
  • 3. Traffic Analysis and Manipulation • Intro to server side attacks - SQL injection, XSS • Insecure remote Authentication - client id, IMEI, etc. • Insecure session management • authorization • Traffic interception • Using proxies and sniffers • Importing SSL certificates & trusted CA's • Sensitive information transmission • Bypassing server certificate validations • Exposing insecure traffic
  • 4. Insecure data K11storage • Exploring deployed application files at the /data/data directory • The file system security model • Insecure file system permissions • Insecure storage of sensitive data in files • The SDcard • The SQLite Database storage • Using sqlite browser • Application shared preferences storage • Storage of sensitive data at the server side • Secrets in code • Insecure log exposure • Bad cryptography
  • 5. Reverse engineering the application binaries • The APK file package • APK extraction - Investigating layout, manifest, permissions and binaries • Extracting the content of the classes.dex file • Using smali/baksmali Dalvik assembler/disassembler • Using jasmin/jasper JVM assembler/disassembler • Decompilation • Using dex2jar • Identifying interesting API calls - file access, networking, SDcard access, SQLite, etc • Identifying insecure code - certificate validation bypass, insecure xml parsing, clipboard access, geo-location, address book, client xss and html injection, etc. • Finding hard coded secrets in code • Using Android Lint • Code patching and modification • Recreating and resigning the modified APK
  • 6. Android application components security • Major component types - Activity, Service, Content provider, Broadcast receiver • The Intent message • Components and the manifest file • Using manifest explorer • Component permissions and visibility • Activating components • Accessing restricted screens • Attacking content providers and client side sql injection • Direct component invocation by unauthorized apps
  • 7. Analyzing Runtime Analysis • Monitoring process activity • Observing file access • Monitoring network connectivity • Debugging • Setting breakpoints • Memory dumping and analysis • Analyzing logs using logcat
  • 8. Android Platform Security Architecture Android seeks to be the most secure and usable operating system for mobile platforms by re-purpo  Protect user data  Protect system resources (including the network)  Provide application isolation To achieve these objectives, Android provides these key security features:  Robust security at the OS level through the Linux kernel  Mandatory application sandbox for all applications  Secure interprocess communication  Application signing  Application-defined and user-granted permissions The sections below describe these and other security features of the Android platform. Figure 1 summarizes the security components and considera
  • 9.
  • 10. New Android's Feature will Regularly Scan Your Apps Recently Google has officially announced to increase the security of Android users by adding a new feature to android which will regularly scan all the The new feature by Google would be a part of Verify Apps feature which is already protecting android users from harmful apps installed by third party The feature will scan for spywares , malwares , sending unauthorized messages and in-app installations for changes in app activity after it is installed
  • 11. The first comprehensive guide to discovering and preventing attacks on the Android OS As the Android operating system continues to increase its share of the smartphone market, smartphone hacking remains a growing threat. Written b If you are a mobile device administrator, security researcher, Android app developer, or consultant responsible for evaluating Android security, you w A crack team of leading Android security researchers explain Android security risks, security design and architecture, rooting, fuzz testing, and vulne Covers Android application building blocks and security as well as debugging and auditing Android apps Prepares mobile device administrators, security researchers, Android app developers, and security consultants to defend Android systems against a Android Hacker's Handbook is the first comprehensive resource for IT professionals charged with smartphone security.
  • 12.
  • 13. IT Policy: -Primary policy for all protection mechanisms Access to Network/Resources/Settings Prohibited and Mandatory installations of apps Controlling third-party Java application permissions -Per-Handset + Global Policy stored on BES -Initial Policy is signed by master key at pairing Stored in NV RAM Future updates OTA must be signed by master key
  • 14. Application Controls: - All applications run in the JVM - IT Policy controls how the applications interact -Developed with the user and company in mind Most restrictive overlap - I9 application control policy categories Cross Application Control -Hardware -Network domnains -PIM data/ applications -Inter-application communication -Browser -User Autherntication and Settings -Input Simulation -MDS
  • 15. Code signing - Core BB applications must be RIM Signed - Class files verified for interface compliance - No user-defined class loaders -No Java Native Interface or user extensions -System classes cannot be overridden
  • 16. Data Security -Java RMS offers various forms of crypto -Keys must be explicitly shared by apps -PIM protected by Blackberry Attachment Service Renders and decrypts data on the BES Sends rasterized information to display Avoids image exploits Manages PGP on BES
  • 17. The iOS Security Model Apple has incorporated four layers of security in iOS to protect the user and their data. Device Security Techniques to prevent an unauthorized individual from using the device Data Security Techniques to protect the data stored on the device, even if the device is stolen Network Security Tools to encrypt data while it is in transit across a network Application Security Mechanisms to secure the operating system and isolate applications while they are running
  • 18.
  • 19. Information gathering Observe application behavior Determine the application’s data states (at rest, in transit or on display) and sensitivity Identify access methods Identify what frameworks are in use Identify server side APIs that are in use Identify what protocols are in use Identify other applications or services with which the application interacts Decrypt Appstore binaries: the .ipa will be decrypted at runtime by the kernel’s mach loader. Cydia has several applications available: Crackulo Determine the architecture the application was compiled for: otool –f <app name> or lipo -info <app>. Get information about what functions, classes and methods are referenced in the application and in the dynamically loaded libraries. Use nm <a List the dynamic dependencies. Use otool –L <app name> Dump the load commands for the application. Use otool –l <app name> Dump the runtime information from the compiled application. Identify each class compiled into the program and its associated methods, instanc Dump the keychain using dump_keychain to reveal application specific credentials and passwords if stored in the keychain. Determine the security features in place: Locate the PIE (Position Independent Executable) - an app compiled without PIE (using the “–fPIE –pie” flag) will load the executable at a fixed Stack smashing protection - specify the –fstack-protector-all compiler flag. A “canary” is placed on the stack to protect the saved base pointer, s
  • 20. iPhone Analyzer allows you to forensically examine or recover data from in iOS device. It principally works by importing backups produced from iTunes or third party software, and providing you with a rich interface to explore, analyze and recover data in human readable formats. Because it works from the backup files everything is forensically safe, and no changes are made to the data. IPhone Analyzer is now free for Personal use
  • 21. If you’re an app developer with a solid foundation in Objective-C, this book is an absolute must—chances are very high that your company’s iOS app This guide illustrates several types of iOS attacks, as well as the tools and techniques that hackers use. You’ll learn best practices to help protect yo  Examine subtle vulnerabilities in real-world applications—and avoid the same problems in your apps  Learn how attackers infect apps with malware through code injection  Discover how attackers defeat iOS keychain and data-protection encryption  Use a debugger and custom code injection to manipulate the runtime Objective-C environment  Prevent attackers from hijacking SSL sessions and stealing traffic  Securely delete files and design your apps to prevent forensic data leakage  Avoid debugging abuse, validate the integrity of run-time classes, and make your code harder to trace
  • 22. Top 10 Mobile Risks M1 : Weak Server Side Controls M2 : Insecure Data Storage M3 : Insufficient Transport Layer Protection M4 : Unintended Data Leakage M5 : Poor Authorization and Authentication M6 : Broken Cryptography M7 : Client Side Injection M8 : Security Decisions Via Untrusted Inputs M9 : Improper Session Handling M10: Lack of Binary Protections
  • 23. What is the Heartbleed bug? It’s an OpenSSL vulnerability. OpenSSL is a security protocol that encrypts communications between your computer (or device) and a Web server. A Most websites, many operating systems, and many apps use OpenSSL. It’s everywhere, and one version of it has a critical bug that lets hackers exp Which operating systems are affected: iOS devices are safe. Windows Phone OS is likely safe. BlackBerry is “investigating.” Android is vulnerable if you have version 4.1.1, according to Google.
  • 24.
  • 25. OWASP Mobile Security Project - MobiSec The MobiSec Live Environment Mobile Testing Framework project is a live environment for testing m
  • 26.