SlideShare une entreprise Scribd logo

Designing Secure Mobile Apps

Denim Group
Denim Group

There are more ways to your mobile phone can be compromised than theft.

Technologie
1  sur  32
Télécharger pour lire hors ligne
Designing Secure Mobile Apps Guerilla Training Camp Security BSides Austin Dan Cornell © Copyright 2011 Denim Group - All Rights Reserved
My Background • Dan Cornell, founder and CTO of Denim Group • Software developer by background (Java, .NET, etc) • OWASP San Antonio, Global Membership Committee • Denim Group – Build software with special security, performance, reliability requirements – Help organizations deal with the risk associated with their software • Code reviews and application assessments • SDLC consulting • Secure development training – instructor-led and eLearning © Copyright 2011 Denim Group - All Rights Reserved 1
Agenda • Generic Mobile Application Threat Model • Mobile Application Design Concerns – Bypassing Platform Environment Restrictions – Application Permission Model – Local Storage and Encryption – Network Communication and Encryption – Native Code Execution – Browser Behavior • In-depth Look at Mobile Browser Content Handling • Questions © Copyright 2011 Denim Group - All Rights Reserved 2
Tradeoffs: Value versus Risk • Mobile applications can create tremendous value for organizations – New classes of applications utilizing mobile capabilities: GPS, camera, etc – Innovating applications for employees and customers • Mobile devices and mobile applications can create tremendous risks – Sensitive data inevitably stored on the device (email, contacts) – Connect to a lot of untrusted networks (carrier, WiFi) • Most developers are not trained to develop secure applications – Fact of life, but slowing getting better • Most developers are new to creating mobile applications – Different platforms have different security characteristics and capabilities © Copyright 2011 Denim Group - All Rights Reserved 3
Smart Phones, Dumb Apps • Lots of media focus on device and platform security – Important because successful attacks give tremendous attacker leverage • Most organizations: – Accept realities of device and platform security – Concerned about the security of their custom applications – Concerned about sensitive data on the device because of their apps – Concerned about network-available resources that support their apps • Who has smartphone application deployed for customers? • Who has had smartphone applications deployed without their knowledge? – *$!%$# marketing department… © Copyright 2011 Denim Group - All Rights Reserved 4
Secure Mobile Development Reference • Platform-specific recommendations • Key topic areas • Provide specific, proscriptive guidance to developers building mobile applications © Copyright 2011 Denim Group - All Rights Reserved 5
Specific Platforms • iOS (iPhone, iPad) • Android • Blackberry (in progress) • Windows Phone 7 (in progress) – Windows Mobile 6.5 (?) • Symbian (?) • Others (?) • Will be guided by demand, which is focused by new development activity © Copyright 2011 Denim Group - All Rights Reserved 6
Topics Areas • Topic Areas – Overview of Application Development – Overview of Secure Development – Defeating Platform Environment Restrictions – Installing Applications – Application Permissions Model – Local Storage – Encryption APIs – Network Communications – Protecting Network Communications – Native Code Execution – Application Licensing and Payments – Browser URL Handling © Copyright 2011 Denim Group - All Rights Reserved 7
Generic Mobile Application Threat Model © Copyright 2011 Denim Group - All Rights Reserved 8
Some Assumptions for Developers • Smartphone applications are essentially thick-client applications – That people carry in their pockets – And drop in toilets – And put on eBay when the new iPhone comes out – And leave on airplanes – And so on… • Attackers will be able to access: – Target user (victim) devices – Your application binaries • What else should you assume they know or will find out? © Copyright 2011 Denim Group - All Rights Reserved 9
Bypassing Platform Environment Restrictions • Mobile platforms, by default, make certain promises about their environment • Do not depend on these promises to keep your data and code safe – iPhone: devices can be jailbroken – Android: devices can be rooted • Impact: – Install arbitrary applications – Run applications in a debugger – Bypass file access restrictions • Malicious users will do this on purpose – Legitimate users might have it done without their knowledge © Copyright 2011 Denim Group - All Rights Reserved 10
Application Permissions Model • Mobile devices have access to all sorts of fun stuff: – GPS location, camera, microphone, emails, contacts, SMS, etc • How do you determine what an application can do? – iPhone: Prompts for access – Android: Permissions defined in the AndroidManifest.xml file • As a developer you should (obviously) know what your application should be able to do – Beware 3rd party code included in your application © Copyright 2011 Denim Group - All Rights Reserved 11
Local Storage and Encryption • Best solution: Just do not store anything sensitive on the device – Force the user to log in for every usage – no storage of usernames and passwords – Do not cache sensitive data like account numbers, etc • But I really want to… – Encrypt the data, but… – Realize that key management issues make this a reasonably futile pursuit • Example: iOS keyring – “Correct” way to store application secrets – http://www.sit.fraunhofer.de/en/forschungsbereiche/projekte/Lost_iPhone.jsp – Oops… – Android is even worse • Hope on the horizon? – http://www.engadget.com/2011/02/02/android-3-0-honeycomb-can-encrypt-all-your-data-needs-a-full/ © Copyright 2011 Denim Group - All Rights Reserved 12
Network Communication and Encryption • Data returned from calls to network endpoints should be treated as untrusted – Make sure to inform your static analysis tool… • Mobile devices connect to a variety of networks – Carrier, trusted wifi, untrusted wifi, bluetooth • Encrypt your network traffic – And verify server certificates… – (Android has a helper class that WORKS AROUND THIS PROTECTION) • SSLCertificateSocketFactory © Copyright 2011 Denim Group - All Rights Reserved 13
Native Code Execution • iOS: Objective C compiled down to ARM machine code – All native, all the time • Android: Java compiled to DEX bytecode – Can make native calls via the Native Development Kit (NDK) • Windows Phone 7: – No access to native code – Unless you are among a handful of ISVs like Adobe © Copyright 2011 Denim Group - All Rights Reserved 14
Browser Behavior • Many mobile application are a combination of “apps” and web content • Keep track of WebKit vulnerabilities: – http://www.webkit.org/ • Most mobile browsers aggressively cache and might ignore standard cache behavior © Copyright 2011 Denim Group - All Rights Reserved 15
In-Depth: Mobile Browser Content Handling • Many mobile platforms allow you to designate applications to handle content found in web pages – By URI protocol – By content type • Provide a “premium” experience for users who have the target app installed • Examples: – tel:// URLs initiating phone calls – maps:// URLs to display maps © Copyright 2011 Denim Group - All Rights Reserved 16
iPhone/iPad URL Schemes • iOS applications can be set up to “handle” certain URL schemes • Defined in the application’s Info.plist • Binary format: annoying © Copyright 2011 Denim Group - All Rights Reserved 17
Decoding plist Files • plutil -convert xml1 Info.plist • Much nicer © Copyright 2011 Denim Group - All Rights Reserved 18
iOS URL Handlers • XPath: Look for: /plist/dict/array/dict[key='CFBundleURLSchemes']/array/string • Now you know the URL Schemes the app handles • SANS blog post on this issue in iOS: – http://software-security.sans.org/blog/2010/11/08/insecure-handling-url-schemes- apples- ios/?utm_source%253Drss%2526utm_medium%253Drss%2526utm_campaign%2 53Dinsecure-handling-url-schemes-apples-ios – Too long to type? http://bit.ly/ezqdK9 © Copyright 2011 Denim Group - All Rights Reserved 19
Android Intents • Intents are facilities for late-binding messaging between applications – http://developer.android.com/guide/topics/intents/intents-filters.html • One use is to allow applications to register to receive messages from the Browser when certain types of content are received – Like iOS URL Schemes but an even more comprehensive IPC mechanism © Copyright 2011 Denim Group - All Rights Reserved 20
What’s Up With My XML Files? • Binary encoding • Use axml2xml.pl to convert them to text http://code.google.com/p/android-random/downloads/detail?name=axml2xml.pl © Copyright 2011 Denim Group - All Rights Reserved 21
Much Better • Now we see: – Screens in application – Permissions required by the application – Intents applications is registered to consume – And so on © Copyright 2011 Denim Group - All Rights Reserved 22
Intent Filter Example <intent-filter> <action android:name="android.intent.action.VIEW" /> <category android:name="android.intent.category.DEFAULT" /> <category android:name="android.intent.category.BROWSABLE" /> <data android:scheme="danco" /> </intent-filter> • Action: What to do? • Data: Scheme is URI “protocol” to handle • Category BROWSABLE: Allow this Action to be initiated by the browser © Copyright 2011 Denim Group - All Rights Reserved 23
Intent Filter Demo – Manual Launch, HTML Page © Copyright 2011 Denim Group - All Rights Reserved 24
Intent Filter Demo – Anchor Launch, IFrame Launch © Copyright 2011 Denim Group - All Rights Reserved 25
I’m a Security Tester. Why Do I Care? • URL handlers are remotely-accessible attack surface • This is a way for you to “reach out and touch” applications installed on a device if you can get a user to navigate to a malicious page • Send in arbitrary URLs via links or (easier) embedded IFRAMEs • Example: iOS Skype application used to automatically launch the Skype application and initiate a call when it encountered a skype:// URL – Apple’s native Phone handle for tel:// URLs would confirm before a call was made © Copyright 2011 Denim Group - All Rights Reserved 26
I’m a Developer. Why Do I Care? • See the previous slide. Bad guys care. So should you. Please. • Content passed in via these handlers must be treated as untrusted – Positively validate – Enforce proper logic restrictions • All: – Should a malicious web page be able to cause this behavior? • Make phone call, transmit location, take photo, start audio recording, etc • iOS: – Validate inputs to handleOpenURL: message • Android: – Validate data brought in from Action.getIntent() method © Copyright 2011 Denim Group - All Rights Reserved 27
So What Should Developers Do? • Threat model your smartphone applications – More complicated architectures -> more opportunities for problems • Watch what you store on the device – May have PCI, HIPAA implications • Be careful consuming 3rd party services – Who do you love? Who do you trust? • Be careful deploying enterprise web services – Very attractive target for bad guys – Often deployed “under the radar” © Copyright 2011 Denim Group - All Rights Reserved 28
So What Should Security People Do? • Find out about smartphone projects – Not always done by your usual development teams – R&D, “Office of the CTO,” Marketing • Assess the security implications of smartphone applications – What data is stored on the device? – What services are you consuming? – Are new enterprise services being deployed to support the application? © Copyright 2011 Denim Group - All Rights Reserved 29
Online • Code, slides and videos online: www.smartphonesdumbapps.com © Copyright 2011 Denim Group - All Rights Reserved 30
Questions? Dan Cornell dan@denimgroup.com Twitter: @danielcornell www.denimgroup.com (210) 572-4400 © Copyright 2011 Denim Group - All Rights Reserved 31

Recommandé

Android App
Android AppAndroid App
Android AppOnlineUser4
 
Mobile Browser Content Handling
Mobile Browser Content HandlingMobile Browser Content Handling
Mobile Browser Content HandlingDenim Group
 
How is Your AppSec Program Doing Compared to Others
How is Your AppSec Program Doing Compared to OthersHow is Your AppSec Program Doing Compared to Others
How is Your AppSec Program Doing Compared to OthersDenim Group
 
Building secure mobile apps
Building secure mobile appsBuilding secure mobile apps
Building secure mobile appsMartin Vigo
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code ReviewsDenim Group
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile ApplicationsDenim Group
 
2012 State of Mobile Survey Global Key Findings
2012 State of Mobile Survey Global Key Findings2012 State of Mobile Survey Global Key Findings
2012 State of Mobile Survey Global Key FindingsSymantec
 
Mobile Security for Smartphones and Tablets
Mobile Security for Smartphones and TabletsMobile Security for Smartphones and Tablets
Mobile Security for Smartphones and TabletsVince Verbeke
 

Recommandé

Android App
Android AppAndroid App
Android AppOnlineUser4
 
Mobile Browser Content Handling
Mobile Browser Content HandlingMobile Browser Content Handling
Mobile Browser Content HandlingDenim Group
 
How is Your AppSec Program Doing Compared to Others
How is Your AppSec Program Doing Compared to OthersHow is Your AppSec Program Doing Compared to Others
How is Your AppSec Program Doing Compared to OthersDenim Group
 
Building secure mobile apps
Building secure mobile appsBuilding secure mobile apps
Building secure mobile appsMartin Vigo
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code ReviewsDenim Group
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile ApplicationsDenim Group
 
2012 State of Mobile Survey Global Key Findings
2012 State of Mobile Survey Global Key Findings2012 State of Mobile Survey Global Key Findings
2012 State of Mobile Survey Global Key FindingsSymantec
 
Mobile Security for Smartphones and Tablets
Mobile Security for Smartphones and TabletsMobile Security for Smartphones and Tablets
Mobile Security for Smartphones and TabletsVince Verbeke
 
Mobile Security
Mobile SecurityMobile Security
Mobile SecurityXavier Mertens
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityDirk Nicol
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applicationsGTestClub
 
Mobile security
Mobile securityMobile security
Mobile securitypriyanka pandey
 
New trends in Payments Security: NFC & Mobile
New trends in Payments Security: NFC & MobileNew trends in Payments Security: NFC & Mobile
New trends in Payments Security: NFC & MobileSISA Information Security Pvt.Ltd
 
Tips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTechWell
 
Udløs potentialet i Enterprise Mobility, Vijay Dheap, IBM US
Udløs potentialet i Enterprise Mobility, Vijay Dheap, IBM USUdløs potentialet i Enterprise Mobility, Vijay Dheap, IBM US
Udløs potentialet i Enterprise Mobility, Vijay Dheap, IBM USIBM Danmark
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthAGILLY
 
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest LinkSecuring Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest LinkIBM Security
 
IBM Mobile Analyzer Saves the Day
IBM Mobile Analyzer Saves the DayIBM Mobile Analyzer Saves the Day
IBM Mobile Analyzer Saves the DayIBM Security
 
Bringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android EndpointBringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android EndpointHamilton Turner
 
CNIT 128 Ch 1: The mobile risk ecosystem
CNIT 128 Ch 1: The mobile risk ecosystemCNIT 128 Ch 1: The mobile risk ecosystem
CNIT 128 Ch 1: The mobile risk ecosystemSam Bowne
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Mobile security - Intense overview
Mobile security - Intense overviewMobile security - Intense overview
Mobile security - Intense overviewPrivateWave Italia SpA
 
Mobile Device Security
Mobile Device SecurityMobile Device Security
Mobile Device SecurityJohn Rhoton
 
IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...
IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...
IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...IBM Security
 
Chapter 4
Chapter 4Chapter 4
Chapter 4NorazlinaAbdullah4
 
Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecurityUnicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecuritySubho Halder
 
How to Hack a Cryptographic Key
How to Hack a Cryptographic KeyHow to Hack a Cryptographic Key
How to Hack a Cryptographic KeyIBM Security
 
Dark Clouds and Rainy Days, the Bad Side of Cloud Computing
Dark Clouds and Rainy Days, the Bad Side of Cloud ComputingDark Clouds and Rainy Days, the Bad Side of Cloud Computing
Dark Clouds and Rainy Days, the Bad Side of Cloud ComputingDavid Rogers
 
Android application design
Android application designAndroid application design
Android application designUday Sharma
 
SN-Security Architecture for Mobile Computing and IoT
SN-Security Architecture for Mobile Computing and IoTSN-Security Architecture for Mobile Computing and IoT
SN-Security Architecture for Mobile Computing and IoTSukumar Nayak
 

Contenu connexe

Tendances

Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityDirk Nicol
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applicationsGTestClub
 
Tips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTechWell
 
Udløs potentialet i Enterprise Mobility, Vijay Dheap, IBM US
Udløs potentialet i Enterprise Mobility, Vijay Dheap, IBM USUdløs potentialet i Enterprise Mobility, Vijay Dheap, IBM US
Udløs potentialet i Enterprise Mobility, Vijay Dheap, IBM USIBM Danmark
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthAGILLY
 
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest LinkSecuring Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest LinkIBM Security
 
IBM Mobile Analyzer Saves the Day
IBM Mobile Analyzer Saves the DayIBM Mobile Analyzer Saves the Day
IBM Mobile Analyzer Saves the DayIBM Security
 
Bringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android EndpointBringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android EndpointHamilton Turner
 
CNIT 128 Ch 1: The mobile risk ecosystem
CNIT 128 Ch 1: The mobile risk ecosystemCNIT 128 Ch 1: The mobile risk ecosystem
CNIT 128 Ch 1: The mobile risk ecosystemSam Bowne
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Mobile Device Security
Mobile Device SecurityMobile Device Security
Mobile Device SecurityJohn Rhoton
 
IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...
IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...
IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...IBM Security
 
Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecurityUnicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecuritySubho Halder
 
How to Hack a Cryptographic Key
How to Hack a Cryptographic KeyHow to Hack a Cryptographic Key
How to Hack a Cryptographic KeyIBM Security
 
Dark Clouds and Rainy Days, the Bad Side of Cloud Computing
Dark Clouds and Rainy Days, the Bad Side of Cloud ComputingDark Clouds and Rainy Days, the Bad Side of Cloud Computing
Dark Clouds and Rainy Days, the Bad Side of Cloud ComputingDavid Rogers
 

Tendances (20)

Mobile Security
Mobile SecurityMobile Security
Mobile Security
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applications
 
Mobile security
Mobile securityMobile security
Mobile security
 
New trends in Payments Security: NFC & Mobile
New trends in Payments Security: NFC & MobileNew trends in Payments Security: NFC & Mobile
New trends in Payments Security: NFC & Mobile
 
Tips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile Apps
 
Udløs potentialet i Enterprise Mobility, Vijay Dheap, IBM US
Udløs potentialet i Enterprise Mobility, Vijay Dheap, IBM USUdløs potentialet i Enterprise Mobility, Vijay Dheap, IBM US
Udløs potentialet i Enterprise Mobility, Vijay Dheap, IBM US
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient Truth
 
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest LinkSecuring Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
 
IBM Mobile Analyzer Saves the Day
IBM Mobile Analyzer Saves the DayIBM Mobile Analyzer Saves the Day
IBM Mobile Analyzer Saves the Day
 
Bringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android EndpointBringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android Endpoint
 
CNIT 128 Ch 1: The mobile risk ecosystem
CNIT 128 Ch 1: The mobile risk ecosystemCNIT 128 Ch 1: The mobile risk ecosystem
CNIT 128 Ch 1: The mobile risk ecosystem
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
Mobile security - Intense overview
Mobile security - Intense overviewMobile security - Intense overview
Mobile security - Intense overview
 
Mobile Device Security
Mobile Device SecurityMobile Device Security
Mobile Device Security
 
IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...
IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...
IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...
 
Chapter 4
Chapter 4Chapter 4
Chapter 4
 
Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecurityUnicom Conference - Mobile Application Security
Unicom Conference - Mobile Application Security
 
How to Hack a Cryptographic Key
How to Hack a Cryptographic KeyHow to Hack a Cryptographic Key
How to Hack a Cryptographic Key
 
Dark Clouds and Rainy Days, the Bad Side of Cloud Computing
Dark Clouds and Rainy Days, the Bad Side of Cloud ComputingDark Clouds and Rainy Days, the Bad Side of Cloud Computing
Dark Clouds and Rainy Days, the Bad Side of Cloud Computing
 

En vedette

Android application design
Android application designAndroid application design
Android application designUday Sharma
 
SN-Security Architecture for Mobile Computing and IoT
SN-Security Architecture for Mobile Computing and IoTSN-Security Architecture for Mobile Computing and IoT
SN-Security Architecture for Mobile Computing and IoTSukumar Nayak
 
Cloud-powered Cross-platform Mobile Apps on AWS
Cloud-powered Cross-platform Mobile Apps on AWSCloud-powered Cross-platform Mobile Apps on AWS
Cloud-powered Cross-platform Mobile Apps on AWSDanilo Poccia
 
[Vietnam Mobile Day 2013] - Designing input form for smartphone application
[Vietnam Mobile Day 2013] - Designing input form for smartphone application[Vietnam Mobile Day 2013] - Designing input form for smartphone application
[Vietnam Mobile Day 2013] - Designing input form for smartphone applicationAiTi Education
 
Designing for Android - Anjan Shrestha
Designing for Android - Anjan ShresthaDesigning for Android - Anjan Shrestha
Designing for Android - Anjan ShresthaMobileNepal
 
Android training day 3
Android training day 3Android training day 3
Android training day 3Vivek Bhusal
 
Information Warfare
Information WarfareInformation Warfare
Information Warfaredibyendupaul
 
How iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarHow iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarDenim Group
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
Designing an Android App from Idea to Market
Designing an Android App from Idea to MarketDesigning an Android App from Idea to Market
Designing an Android App from Idea to MarketTony Hillerson
 

En vedette (11)

Android application design
Android application designAndroid application design
Android application design
 
SN-Security Architecture for Mobile Computing and IoT
SN-Security Architecture for Mobile Computing and IoTSN-Security Architecture for Mobile Computing and IoT
SN-Security Architecture for Mobile Computing and IoT
 
Cloud-powered Cross-platform Mobile Apps on AWS
Cloud-powered Cross-platform Mobile Apps on AWSCloud-powered Cross-platform Mobile Apps on AWS
Cloud-powered Cross-platform Mobile Apps on AWS
 
[Vietnam Mobile Day 2013] - Designing input form for smartphone application
[Vietnam Mobile Day 2013] - Designing input form for smartphone application[Vietnam Mobile Day 2013] - Designing input form for smartphone application
[Vietnam Mobile Day 2013] - Designing input form for smartphone application
 
Designing for Android - Anjan Shrestha
Designing for Android - Anjan ShresthaDesigning for Android - Anjan Shrestha
Designing for Android - Anjan Shrestha
 
Android training day 3
Android training day 3Android training day 3
Android training day 3
 
Information Warfare
Information WarfareInformation Warfare
Information Warfare
 
How iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarHow iOS and Android Handle Security Webinar
How iOS and Android Handle Security Webinar
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Designing an Android App from Idea to Market
Designing an Android App from Idea to MarketDesigning an Android App from Idea to Market
Designing an Android App from Idea to Market
 
Android ppt
Android ppt Android ppt
Android ppt
 

Similaire à Designing Secure Mobile Apps

Smart Phones Dumb Apps
Smart Phones Dumb AppsSmart Phones Dumb Apps
Smart Phones Dumb AppsDenim Group
 
Skeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsSkeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsDenim Group
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Denim Group
 
Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applicationsiphonepentest
 
How to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS AppsHow to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS AppsBitbar
 
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)Vince Verbeke
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applicationsSatish b
 
Android Security Humla Part 1
Android Security Humla Part 1Android Security Humla Part 1
Android Security Humla Part 1Nikhil Kulkarni
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)ClubHack
 
Mobile application development4
Mobile application development4Mobile application development4
Mobile application development4Appin Kulti Branch
 
Mobile application development
Mobile application developmentMobile application development
Mobile application developmentAppin Hisar
 
Mobile application development2
Mobile application development2Mobile application development2
Mobile application development2Appin Ara
 
Mobile application development2
Mobile application development2Mobile application development2
Mobile application development2Appin Vijayanagar
 
Secured Mobile Application Development in Android, Blackberry & iOS
Secured Mobile Application Development in Android, Blackberry & iOSSecured Mobile Application Development in Android, Blackberry & iOS
Secured Mobile Application Development in Android, Blackberry & iOSAppin Delhi
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)securityiphonepentest
 
Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011Symantec
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
CNIT 128 8: Mobile development security
CNIT 128 8: Mobile development securityCNIT 128 8: Mobile development security
CNIT 128 8: Mobile development securitySam Bowne
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsDenim Group
 

Similaire à Designing Secure Mobile Apps (20)

Smart Phones Dumb Apps
Smart Phones Dumb AppsSmart Phones Dumb Apps
Smart Phones Dumb Apps
 
Skeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsSkeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited Applications
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?
 
Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applications
 
How to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS AppsHow to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS Apps
 
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applications
 
Android Security Humla Part 1
Android Security Humla Part 1Android Security Humla Part 1
Android Security Humla Part 1
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
 
Mobile application development4
Mobile application development4Mobile application development4
Mobile application development4
 
Mobile application development
Mobile application developmentMobile application development
Mobile application development
 
Mobile application development2
Mobile application development2Mobile application development2
Mobile application development2
 
Mobile application development2
Mobile application development2Mobile application development2
Mobile application development2
 
Secured Mobile Application Development in Android, Blackberry & iOS
Secured Mobile Application Development in Android, Blackberry & iOSSecured Mobile Application Development in Android, Blackberry & iOS
Secured Mobile Application Development in Android, Blackberry & iOS
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)security
 
Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
Webinar on Enterprise Security & android
Webinar on Enterprise Security & androidWebinar on Enterprise Security & android
Webinar on Enterprise Security & android
 
CNIT 128 8: Mobile development security
CNIT 128 8: Mobile development securityCNIT 128 8: Mobile development security
CNIT 128 8: Mobile development security
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
 

Plus de Denim Group

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4JDenim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleDenim Group
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFixDenim Group
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20Denim Group
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramDenim Group
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportDenim Group
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Denim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsDenim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Denim Group
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceDenim Group
 

Plus de Denim Group (20)

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 

Dernier

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 

Dernier (20)

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 

Designing Secure Mobile Apps

  • 1. Designing Secure Mobile Apps Guerilla Training Camp Security BSides Austin Dan Cornell © Copyright 2011 Denim Group - All Rights Reserved
  • 2. My Background • Dan Cornell, founder and CTO of Denim Group • Software developer by background (Java, .NET, etc) • OWASP San Antonio, Global Membership Committee • Denim Group – Build software with special security, performance, reliability requirements – Help organizations deal with the risk associated with their software • Code reviews and application assessments • SDLC consulting • Secure development training – instructor-led and eLearning © Copyright 2011 Denim Group - All Rights Reserved 1
  • 3. Agenda • Generic Mobile Application Threat Model • Mobile Application Design Concerns – Bypassing Platform Environment Restrictions – Application Permission Model – Local Storage and Encryption – Network Communication and Encryption – Native Code Execution – Browser Behavior • In-depth Look at Mobile Browser Content Handling • Questions © Copyright 2011 Denim Group - All Rights Reserved 2
  • 4. Tradeoffs: Value versus Risk • Mobile applications can create tremendous value for organizations – New classes of applications utilizing mobile capabilities: GPS, camera, etc – Innovating applications for employees and customers • Mobile devices and mobile applications can create tremendous risks – Sensitive data inevitably stored on the device (email, contacts) – Connect to a lot of untrusted networks (carrier, WiFi) • Most developers are not trained to develop secure applications – Fact of life, but slowing getting better • Most developers are new to creating mobile applications – Different platforms have different security characteristics and capabilities © Copyright 2011 Denim Group - All Rights Reserved 3
  • 5. Smart Phones, Dumb Apps • Lots of media focus on device and platform security – Important because successful attacks give tremendous attacker leverage • Most organizations: – Accept realities of device and platform security – Concerned about the security of their custom applications – Concerned about sensitive data on the device because of their apps – Concerned about network-available resources that support their apps • Who has smartphone application deployed for customers? • Who has had smartphone applications deployed without their knowledge? – *$!%$# marketing department… © Copyright 2011 Denim Group - All Rights Reserved 4
  • 6. Secure Mobile Development Reference • Platform-specific recommendations • Key topic areas • Provide specific, proscriptive guidance to developers building mobile applications © Copyright 2011 Denim Group - All Rights Reserved 5
  • 7. Specific Platforms • iOS (iPhone, iPad) • Android • Blackberry (in progress) • Windows Phone 7 (in progress) – Windows Mobile 6.5 (?) • Symbian (?) • Others (?) • Will be guided by demand, which is focused by new development activity © Copyright 2011 Denim Group - All Rights Reserved 6
  • 8. Topics Areas • Topic Areas – Overview of Application Development – Overview of Secure Development – Defeating Platform Environment Restrictions – Installing Applications – Application Permissions Model – Local Storage – Encryption APIs – Network Communications – Protecting Network Communications – Native Code Execution – Application Licensing and Payments – Browser URL Handling © Copyright 2011 Denim Group - All Rights Reserved 7
  • 9. Generic Mobile Application Threat Model © Copyright 2011 Denim Group - All Rights Reserved 8
  • 10. Some Assumptions for Developers • Smartphone applications are essentially thick-client applications – That people carry in their pockets – And drop in toilets – And put on eBay when the new iPhone comes out – And leave on airplanes – And so on… • Attackers will be able to access: – Target user (victim) devices – Your application binaries • What else should you assume they know or will find out? © Copyright 2011 Denim Group - All Rights Reserved 9
  • 11. Bypassing Platform Environment Restrictions • Mobile platforms, by default, make certain promises about their environment • Do not depend on these promises to keep your data and code safe – iPhone: devices can be jailbroken – Android: devices can be rooted • Impact: – Install arbitrary applications – Run applications in a debugger – Bypass file access restrictions • Malicious users will do this on purpose – Legitimate users might have it done without their knowledge © Copyright 2011 Denim Group - All Rights Reserved 10
  • 12. Application Permissions Model • Mobile devices have access to all sorts of fun stuff: – GPS location, camera, microphone, emails, contacts, SMS, etc • How do you determine what an application can do? – iPhone: Prompts for access – Android: Permissions defined in the AndroidManifest.xml file • As a developer you should (obviously) know what your application should be able to do – Beware 3rd party code included in your application © Copyright 2011 Denim Group - All Rights Reserved 11
  • 13. Local Storage and Encryption • Best solution: Just do not store anything sensitive on the device – Force the user to log in for every usage – no storage of usernames and passwords – Do not cache sensitive data like account numbers, etc • But I really want to… – Encrypt the data, but… – Realize that key management issues make this a reasonably futile pursuit • Example: iOS keyring – “Correct” way to store application secrets – http://www.sit.fraunhofer.de/en/forschungsbereiche/projekte/Lost_iPhone.jsp – Oops… – Android is even worse • Hope on the horizon? – http://www.engadget.com/2011/02/02/android-3-0-honeycomb-can-encrypt-all-your-data-needs-a-full/ © Copyright 2011 Denim Group - All Rights Reserved 12
  • 14. Network Communication and Encryption • Data returned from calls to network endpoints should be treated as untrusted – Make sure to inform your static analysis tool… • Mobile devices connect to a variety of networks – Carrier, trusted wifi, untrusted wifi, bluetooth • Encrypt your network traffic – And verify server certificates… – (Android has a helper class that WORKS AROUND THIS PROTECTION) • SSLCertificateSocketFactory © Copyright 2011 Denim Group - All Rights Reserved 13
  • 15. Native Code Execution • iOS: Objective C compiled down to ARM machine code – All native, all the time • Android: Java compiled to DEX bytecode – Can make native calls via the Native Development Kit (NDK) • Windows Phone 7: – No access to native code – Unless you are among a handful of ISVs like Adobe © Copyright 2011 Denim Group - All Rights Reserved 14
  • 16. Browser Behavior • Many mobile application are a combination of “apps” and web content • Keep track of WebKit vulnerabilities: – http://www.webkit.org/ • Most mobile browsers aggressively cache and might ignore standard cache behavior © Copyright 2011 Denim Group - All Rights Reserved 15
  • 17. In-Depth: Mobile Browser Content Handling • Many mobile platforms allow you to designate applications to handle content found in web pages – By URI protocol – By content type • Provide a “premium” experience for users who have the target app installed • Examples: – tel:// URLs initiating phone calls – maps:// URLs to display maps © Copyright 2011 Denim Group - All Rights Reserved 16
  • 18. iPhone/iPad URL Schemes • iOS applications can be set up to “handle” certain URL schemes • Defined in the application’s Info.plist • Binary format: annoying © Copyright 2011 Denim Group - All Rights Reserved 17
  • 19. Decoding plist Files • plutil -convert xml1 Info.plist • Much nicer © Copyright 2011 Denim Group - All Rights Reserved 18
  • 20. iOS URL Handlers • XPath: Look for: /plist/dict/array/dict[key='CFBundleURLSchemes']/array/string • Now you know the URL Schemes the app handles • SANS blog post on this issue in iOS: – http://software-security.sans.org/blog/2010/11/08/insecure-handling-url-schemes- apples- ios/?utm_source%253Drss%2526utm_medium%253Drss%2526utm_campaign%2 53Dinsecure-handling-url-schemes-apples-ios – Too long to type? http://bit.ly/ezqdK9 © Copyright 2011 Denim Group - All Rights Reserved 19
  • 21. Android Intents • Intents are facilities for late-binding messaging between applications – http://developer.android.com/guide/topics/intents/intents-filters.html • One use is to allow applications to register to receive messages from the Browser when certain types of content are received – Like iOS URL Schemes but an even more comprehensive IPC mechanism © Copyright 2011 Denim Group - All Rights Reserved 20
  • 22. What’s Up With My XML Files? • Binary encoding • Use axml2xml.pl to convert them to text http://code.google.com/p/android-random/downloads/detail?name=axml2xml.pl © Copyright 2011 Denim Group - All Rights Reserved 21
  • 23. Much Better • Now we see: – Screens in application – Permissions required by the application – Intents applications is registered to consume – And so on © Copyright 2011 Denim Group - All Rights Reserved 22
  • 24. Intent Filter Example <intent-filter> <action android:name="android.intent.action.VIEW" /> <category android:name="android.intent.category.DEFAULT" /> <category android:name="android.intent.category.BROWSABLE" /> <data android:scheme="danco" /> </intent-filter> • Action: What to do? • Data: Scheme is URI “protocol” to handle • Category BROWSABLE: Allow this Action to be initiated by the browser © Copyright 2011 Denim Group - All Rights Reserved 23
  • 25. Intent Filter Demo – Manual Launch, HTML Page © Copyright 2011 Denim Group - All Rights Reserved 24
  • 26. Intent Filter Demo – Anchor Launch, IFrame Launch © Copyright 2011 Denim Group - All Rights Reserved 25
  • 27. I’m a Security Tester. Why Do I Care? • URL handlers are remotely-accessible attack surface • This is a way for you to “reach out and touch” applications installed on a device if you can get a user to navigate to a malicious page • Send in arbitrary URLs via links or (easier) embedded IFRAMEs • Example: iOS Skype application used to automatically launch the Skype application and initiate a call when it encountered a skype:// URL – Apple’s native Phone handle for tel:// URLs would confirm before a call was made © Copyright 2011 Denim Group - All Rights Reserved 26
  • 28. I’m a Developer. Why Do I Care? • See the previous slide. Bad guys care. So should you. Please. • Content passed in via these handlers must be treated as untrusted – Positively validate – Enforce proper logic restrictions • All: – Should a malicious web page be able to cause this behavior? • Make phone call, transmit location, take photo, start audio recording, etc • iOS: – Validate inputs to handleOpenURL: message • Android: – Validate data brought in from Action.getIntent() method © Copyright 2011 Denim Group - All Rights Reserved 27
  • 29. So What Should Developers Do? • Threat model your smartphone applications – More complicated architectures -> more opportunities for problems • Watch what you store on the device – May have PCI, HIPAA implications • Be careful consuming 3rd party services – Who do you love? Who do you trust? • Be careful deploying enterprise web services – Very attractive target for bad guys – Often deployed “under the radar” © Copyright 2011 Denim Group - All Rights Reserved 28
  • 30. So What Should Security People Do? • Find out about smartphone projects – Not always done by your usual development teams – R&D, “Office of the CTO,” Marketing • Assess the security implications of smartphone applications – What data is stored on the device? – What services are you consuming? – Are new enterprise services being deployed to support the application? © Copyright 2011 Denim Group - All Rights Reserved 29
  • 31. Online • Code, slides and videos online: www.smartphonesdumbapps.com © Copyright 2011 Denim Group - All Rights Reserved 30
  • 32. Questions? Dan Cornell dan@denimgroup.com Twitter: @danielcornell www.denimgroup.com (210) 572-4400 © Copyright 2011 Denim Group - All Rights Reserved 31