Soumettre la recherche
Mettre en ligne
Designing Secure Mobile Apps
•
4 j'aime
•
3,319 vues
Denim Group
Suivre
There are more ways to your mobile phone can be compromised than theft.
Lire moins
Lire la suite
Technologie
Signaler
Partager
Signaler
Partager
1 sur 32
Télécharger maintenant
Télécharger pour lire hors ligne
Recommandé
Android App
Android App
OnlineUser4
Mobile Browser Content Handling
Mobile Browser Content Handling
Denim Group
How is Your AppSec Program Doing Compared to Others
How is Your AppSec Program Doing Compared to Others
Denim Group
Building secure mobile apps
Building secure mobile apps
Martin Vigo
Mobile Application Security Code Reviews
Mobile Application Security Code Reviews
Denim Group
Developing Secure Mobile Applications
Developing Secure Mobile Applications
Denim Group
2012 State of Mobile Survey Global Key Findings
2012 State of Mobile Survey Global Key Findings
Symantec
Mobile Security for Smartphones and Tablets
Mobile Security for Smartphones and Tablets
Vince Verbeke
Recommandé
Android App
Android App
OnlineUser4
Mobile Browser Content Handling
Mobile Browser Content Handling
Denim Group
How is Your AppSec Program Doing Compared to Others
How is Your AppSec Program Doing Compared to Others
Denim Group
Building secure mobile apps
Building secure mobile apps
Martin Vigo
Mobile Application Security Code Reviews
Mobile Application Security Code Reviews
Denim Group
Developing Secure Mobile Applications
Developing Secure Mobile Applications
Denim Group
2012 State of Mobile Survey Global Key Findings
2012 State of Mobile Survey Global Key Findings
Symantec
Mobile Security for Smartphones and Tablets
Mobile Security for Smartphones and Tablets
Vince Verbeke
Mobile Security
Mobile Security
Xavier Mertens
Mobile Application Security
Mobile Application Security
Dirk Nicol
Security testing of mobile applications
Security testing of mobile applications
GTestClub
Mobile security
Mobile security
priyanka pandey
New trends in Payments Security: NFC & Mobile
New trends in Payments Security: NFC & Mobile
SISA Information Security Pvt.Ltd
Tips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile Apps
TechWell
Udløs potentialet i Enterprise Mobility, Vijay Dheap, IBM US
Udløs potentialet i Enterprise Mobility, Vijay Dheap, IBM US
IBM Danmark
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient Truth
AGILLY
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
IBM Security
IBM Mobile Analyzer Saves the Day
IBM Mobile Analyzer Saves the Day
IBM Security
Bringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android Endpoint
Hamilton Turner
CNIT 128 Ch 1: The mobile risk ecosystem
CNIT 128 Ch 1: The mobile risk ecosystem
Sam Bowne
Security Testing Mobile Applications
Security Testing Mobile Applications
Denim Group
Mobile security - Intense overview
Mobile security - Intense overview
PrivateWave Italia SpA
Mobile Device Security
Mobile Device Security
John Rhoton
IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...
IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...
IBM Security
Chapter 4
Chapter 4
NorazlinaAbdullah4
Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application Security
Subho Halder
How to Hack a Cryptographic Key
How to Hack a Cryptographic Key
IBM Security
Dark Clouds and Rainy Days, the Bad Side of Cloud Computing
Dark Clouds and Rainy Days, the Bad Side of Cloud Computing
David Rogers
Android application design
Android application design
Uday Sharma
SN-Security Architecture for Mobile Computing and IoT
SN-Security Architecture for Mobile Computing and IoT
Sukumar Nayak
Contenu connexe
Tendances
Mobile Security
Mobile Security
Xavier Mertens
Mobile Application Security
Mobile Application Security
Dirk Nicol
Security testing of mobile applications
Security testing of mobile applications
GTestClub
Mobile security
Mobile security
priyanka pandey
New trends in Payments Security: NFC & Mobile
New trends in Payments Security: NFC & Mobile
SISA Information Security Pvt.Ltd
Tips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile Apps
TechWell
Udløs potentialet i Enterprise Mobility, Vijay Dheap, IBM US
Udløs potentialet i Enterprise Mobility, Vijay Dheap, IBM US
IBM Danmark
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient Truth
AGILLY
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
IBM Security
IBM Mobile Analyzer Saves the Day
IBM Mobile Analyzer Saves the Day
IBM Security
Bringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android Endpoint
Hamilton Turner
CNIT 128 Ch 1: The mobile risk ecosystem
CNIT 128 Ch 1: The mobile risk ecosystem
Sam Bowne
Security Testing Mobile Applications
Security Testing Mobile Applications
Denim Group
Mobile security - Intense overview
Mobile security - Intense overview
PrivateWave Italia SpA
Mobile Device Security
Mobile Device Security
John Rhoton
IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...
IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...
IBM Security
Chapter 4
Chapter 4
NorazlinaAbdullah4
Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application Security
Subho Halder
How to Hack a Cryptographic Key
How to Hack a Cryptographic Key
IBM Security
Dark Clouds and Rainy Days, the Bad Side of Cloud Computing
Dark Clouds and Rainy Days, the Bad Side of Cloud Computing
David Rogers
Tendances
(20)
Mobile Security
Mobile Security
Mobile Application Security
Mobile Application Security
Security testing of mobile applications
Security testing of mobile applications
Mobile security
Mobile security
New trends in Payments Security: NFC & Mobile
New trends in Payments Security: NFC & Mobile
Tips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile Apps
Udløs potentialet i Enterprise Mobility, Vijay Dheap, IBM US
Udløs potentialet i Enterprise Mobility, Vijay Dheap, IBM US
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient Truth
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
IBM Mobile Analyzer Saves the Day
IBM Mobile Analyzer Saves the Day
Bringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android Endpoint
CNIT 128 Ch 1: The mobile risk ecosystem
CNIT 128 Ch 1: The mobile risk ecosystem
Security Testing Mobile Applications
Security Testing Mobile Applications
Mobile security - Intense overview
Mobile security - Intense overview
Mobile Device Security
Mobile Device Security
IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...
IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...
Chapter 4
Chapter 4
Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application Security
How to Hack a Cryptographic Key
How to Hack a Cryptographic Key
Dark Clouds and Rainy Days, the Bad Side of Cloud Computing
Dark Clouds and Rainy Days, the Bad Side of Cloud Computing
En vedette
Android application design
Android application design
Uday Sharma
SN-Security Architecture for Mobile Computing and IoT
SN-Security Architecture for Mobile Computing and IoT
Sukumar Nayak
Cloud-powered Cross-platform Mobile Apps on AWS
Cloud-powered Cross-platform Mobile Apps on AWS
Danilo Poccia
[Vietnam Mobile Day 2013] - Designing input form for smartphone application
[Vietnam Mobile Day 2013] - Designing input form for smartphone application
AiTi Education
Designing for Android - Anjan Shrestha
Designing for Android - Anjan Shrestha
MobileNepal
Android training day 3
Android training day 3
Vivek Bhusal
Information Warfare
Information Warfare
dibyendupaul
How iOS and Android Handle Security Webinar
How iOS and Android Handle Security Webinar
Denim Group
Mobile Application Security
Mobile Application Security
Ishan Girdhar
Designing an Android App from Idea to Market
Designing an Android App from Idea to Market
Tony Hillerson
Android ppt
Android ppt
blogger at indiandswad
En vedette
(11)
Android application design
Android application design
SN-Security Architecture for Mobile Computing and IoT
SN-Security Architecture for Mobile Computing and IoT
Cloud-powered Cross-platform Mobile Apps on AWS
Cloud-powered Cross-platform Mobile Apps on AWS
[Vietnam Mobile Day 2013] - Designing input form for smartphone application
[Vietnam Mobile Day 2013] - Designing input form for smartphone application
Designing for Android - Anjan Shrestha
Designing for Android - Anjan Shrestha
Android training day 3
Android training day 3
Information Warfare
Information Warfare
How iOS and Android Handle Security Webinar
How iOS and Android Handle Security Webinar
Mobile Application Security
Mobile Application Security
Designing an Android App from Idea to Market
Designing an Android App from Idea to Market
Android ppt
Android ppt
Similaire à Designing Secure Mobile Apps
Smart Phones Dumb Apps
Smart Phones Dumb Apps
Denim Group
Skeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited Applications
Denim Group
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?
Denim Group
Evaluating iOS Applications
Evaluating iOS Applications
iphonepentest
How to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS Apps
Bitbar
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
Vince Verbeke
Pentesting iPhone applications
Pentesting iPhone applications
Satish b
Android Security Humla Part 1
Android Security Humla Part 1
Nikhil Kulkarni
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
ClubHack
Mobile application development4
Mobile application development4
Appin Kulti Branch
Mobile application development
Mobile application development
Appin Hisar
Mobile application development2
Mobile application development2
Appin Ara
Mobile application development2
Mobile application development2
Appin Vijayanagar
Secured Mobile Application Development in Android, Blackberry & iOS
Secured Mobile Application Development in Android, Blackberry & iOS
Appin Delhi
iOS application (in)security
iOS application (in)security
iphonepentest
Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011
Symantec
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
Webinar on Enterprise Security & android
Webinar on Enterprise Security & android
Endeavour Software Technologies
CNIT 128 8: Mobile development security
CNIT 128 8: Mobile development security
Sam Bowne
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
Denim Group
Similaire à Designing Secure Mobile Apps
(20)
Smart Phones Dumb Apps
Smart Phones Dumb Apps
Skeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited Applications
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?
Evaluating iOS Applications
Evaluating iOS Applications
How to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS Apps
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
Pentesting iPhone applications
Pentesting iPhone applications
Android Security Humla Part 1
Android Security Humla Part 1
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
Mobile application development4
Mobile application development4
Mobile application development
Mobile application development
Mobile application development2
Mobile application development2
Mobile application development2
Mobile application development2
Secured Mobile Application Development in Android, Blackberry & iOS
Secured Mobile Application Development in Android, Blackberry & iOS
iOS application (in)security
iOS application (in)security
Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
Webinar on Enterprise Security & android
Webinar on Enterprise Security & android
CNIT 128 8: Mobile development security
CNIT 128 8: Mobile development security
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
Plus de Denim Group
Long-term Impact of Log4J
Long-term Impact of Log4J
Denim Group
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Denim Group
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
Denim Group
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
Denim Group
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Denim Group
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
Denim Group
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Denim Group
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Denim Group
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
Denim Group
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Denim Group
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
Denim Group
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
Denim Group
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
Denim Group
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
Denim Group
Plus de Denim Group
(20)
Long-term Impact of Log4J
Long-term Impact of Log4J
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
Dernier
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
Lonnie McRorey
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
Fwdays
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Mark Simos
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
LoriGlavin3
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
Fwdays
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
Slibray Presentation
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
Miki Katsuragi
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
Sri Ambati
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Precisely
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
ScyllaDB
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
Enterprise Knowledge
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
BookNet Canada
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
BookNet Canada
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
Alex Barbosa Coqueiro
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
Kalema Edgar
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
Alan Dix
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
Mark Billinghurst
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
UiPathCommunity
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
Manik S Magar
How to write a Business Continuity Plan
How to write a Business Continuity Plan
Databarracks
Dernier
(20)
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
How to write a Business Continuity Plan
How to write a Business Continuity Plan
Designing Secure Mobile Apps
1.
Designing Secure Mobile
Apps Guerilla Training Camp Security BSides Austin Dan Cornell © Copyright 2011 Denim Group - All Rights Reserved
2.
My Background •
Dan Cornell, founder and CTO of Denim Group • Software developer by background (Java, .NET, etc) • OWASP San Antonio, Global Membership Committee • Denim Group – Build software with special security, performance, reliability requirements – Help organizations deal with the risk associated with their software • Code reviews and application assessments • SDLC consulting • Secure development training – instructor-led and eLearning © Copyright 2011 Denim Group - All Rights Reserved 1
3.
Agenda • Generic
Mobile Application Threat Model • Mobile Application Design Concerns – Bypassing Platform Environment Restrictions – Application Permission Model – Local Storage and Encryption – Network Communication and Encryption – Native Code Execution – Browser Behavior • In-depth Look at Mobile Browser Content Handling • Questions © Copyright 2011 Denim Group - All Rights Reserved 2
4.
Tradeoffs: Value versus
Risk • Mobile applications can create tremendous value for organizations – New classes of applications utilizing mobile capabilities: GPS, camera, etc – Innovating applications for employees and customers • Mobile devices and mobile applications can create tremendous risks – Sensitive data inevitably stored on the device (email, contacts) – Connect to a lot of untrusted networks (carrier, WiFi) • Most developers are not trained to develop secure applications – Fact of life, but slowing getting better • Most developers are new to creating mobile applications – Different platforms have different security characteristics and capabilities © Copyright 2011 Denim Group - All Rights Reserved 3
5.
Smart Phones, Dumb
Apps • Lots of media focus on device and platform security – Important because successful attacks give tremendous attacker leverage • Most organizations: – Accept realities of device and platform security – Concerned about the security of their custom applications – Concerned about sensitive data on the device because of their apps – Concerned about network-available resources that support their apps • Who has smartphone application deployed for customers? • Who has had smartphone applications deployed without their knowledge? – *$!%$# marketing department… © Copyright 2011 Denim Group - All Rights Reserved 4
6.
Secure Mobile Development
Reference • Platform-specific recommendations • Key topic areas • Provide specific, proscriptive guidance to developers building mobile applications © Copyright 2011 Denim Group - All Rights Reserved 5
7.
Specific Platforms •
iOS (iPhone, iPad) • Android • Blackberry (in progress) • Windows Phone 7 (in progress) – Windows Mobile 6.5 (?) • Symbian (?) • Others (?) • Will be guided by demand, which is focused by new development activity © Copyright 2011 Denim Group - All Rights Reserved 6
8.
Topics Areas •
Topic Areas – Overview of Application Development – Overview of Secure Development – Defeating Platform Environment Restrictions – Installing Applications – Application Permissions Model – Local Storage – Encryption APIs – Network Communications – Protecting Network Communications – Native Code Execution – Application Licensing and Payments – Browser URL Handling © Copyright 2011 Denim Group - All Rights Reserved 7
9.
Generic Mobile Application
Threat Model © Copyright 2011 Denim Group - All Rights Reserved 8
10.
Some Assumptions for
Developers • Smartphone applications are essentially thick-client applications – That people carry in their pockets – And drop in toilets – And put on eBay when the new iPhone comes out – And leave on airplanes – And so on… • Attackers will be able to access: – Target user (victim) devices – Your application binaries • What else should you assume they know or will find out? © Copyright 2011 Denim Group - All Rights Reserved 9
11.
Bypassing Platform Environment
Restrictions • Mobile platforms, by default, make certain promises about their environment • Do not depend on these promises to keep your data and code safe – iPhone: devices can be jailbroken – Android: devices can be rooted • Impact: – Install arbitrary applications – Run applications in a debugger – Bypass file access restrictions • Malicious users will do this on purpose – Legitimate users might have it done without their knowledge © Copyright 2011 Denim Group - All Rights Reserved 10
12.
Application Permissions Model
• Mobile devices have access to all sorts of fun stuff: – GPS location, camera, microphone, emails, contacts, SMS, etc • How do you determine what an application can do? – iPhone: Prompts for access – Android: Permissions defined in the AndroidManifest.xml file • As a developer you should (obviously) know what your application should be able to do – Beware 3rd party code included in your application © Copyright 2011 Denim Group - All Rights Reserved 11
13.
Local Storage and
Encryption • Best solution: Just do not store anything sensitive on the device – Force the user to log in for every usage – no storage of usernames and passwords – Do not cache sensitive data like account numbers, etc • But I really want to… – Encrypt the data, but… – Realize that key management issues make this a reasonably futile pursuit • Example: iOS keyring – “Correct” way to store application secrets – http://www.sit.fraunhofer.de/en/forschungsbereiche/projekte/Lost_iPhone.jsp – Oops… – Android is even worse • Hope on the horizon? – http://www.engadget.com/2011/02/02/android-3-0-honeycomb-can-encrypt-all-your-data-needs-a-full/ © Copyright 2011 Denim Group - All Rights Reserved 12
14.
Network Communication and
Encryption • Data returned from calls to network endpoints should be treated as untrusted – Make sure to inform your static analysis tool… • Mobile devices connect to a variety of networks – Carrier, trusted wifi, untrusted wifi, bluetooth • Encrypt your network traffic – And verify server certificates… – (Android has a helper class that WORKS AROUND THIS PROTECTION) • SSLCertificateSocketFactory © Copyright 2011 Denim Group - All Rights Reserved 13
15.
Native Code Execution
• iOS: Objective C compiled down to ARM machine code – All native, all the time • Android: Java compiled to DEX bytecode – Can make native calls via the Native Development Kit (NDK) • Windows Phone 7: – No access to native code – Unless you are among a handful of ISVs like Adobe © Copyright 2011 Denim Group - All Rights Reserved 14
16.
Browser Behavior •
Many mobile application are a combination of “apps” and web content • Keep track of WebKit vulnerabilities: – http://www.webkit.org/ • Most mobile browsers aggressively cache and might ignore standard cache behavior © Copyright 2011 Denim Group - All Rights Reserved 15
17.
In-Depth: Mobile Browser
Content Handling • Many mobile platforms allow you to designate applications to handle content found in web pages – By URI protocol – By content type • Provide a “premium” experience for users who have the target app installed • Examples: – tel:// URLs initiating phone calls – maps:// URLs to display maps © Copyright 2011 Denim Group - All Rights Reserved 16
18.
iPhone/iPad URL Schemes
• iOS applications can be set up to “handle” certain URL schemes • Defined in the application’s Info.plist • Binary format: annoying © Copyright 2011 Denim Group - All Rights Reserved 17
19.
Decoding plist Files
• plutil -convert xml1 Info.plist • Much nicer © Copyright 2011 Denim Group - All Rights Reserved 18
20.
iOS URL Handlers
• XPath: Look for: /plist/dict/array/dict[key='CFBundleURLSchemes']/array/string • Now you know the URL Schemes the app handles • SANS blog post on this issue in iOS: – http://software-security.sans.org/blog/2010/11/08/insecure-handling-url-schemes- apples- ios/?utm_source%253Drss%2526utm_medium%253Drss%2526utm_campaign%2 53Dinsecure-handling-url-schemes-apples-ios – Too long to type? http://bit.ly/ezqdK9 © Copyright 2011 Denim Group - All Rights Reserved 19
21.
Android Intents •
Intents are facilities for late-binding messaging between applications – http://developer.android.com/guide/topics/intents/intents-filters.html • One use is to allow applications to register to receive messages from the Browser when certain types of content are received – Like iOS URL Schemes but an even more comprehensive IPC mechanism © Copyright 2011 Denim Group - All Rights Reserved 20
22.
What’s Up With
My XML Files? • Binary encoding • Use axml2xml.pl to convert them to text http://code.google.com/p/android-random/downloads/detail?name=axml2xml.pl © Copyright 2011 Denim Group - All Rights Reserved 21
23.
Much Better •
Now we see: – Screens in application – Permissions required by the application – Intents applications is registered to consume – And so on © Copyright 2011 Denim Group - All Rights Reserved 22
24.
Intent Filter Example
<intent-filter> <action android:name="android.intent.action.VIEW" /> <category android:name="android.intent.category.DEFAULT" /> <category android:name="android.intent.category.BROWSABLE" /> <data android:scheme="danco" /> </intent-filter> • Action: What to do? • Data: Scheme is URI “protocol” to handle • Category BROWSABLE: Allow this Action to be initiated by the browser © Copyright 2011 Denim Group - All Rights Reserved 23
25.
Intent Filter Demo
– Manual Launch, HTML Page © Copyright 2011 Denim Group - All Rights Reserved 24
26.
Intent Filter Demo
– Anchor Launch, IFrame Launch © Copyright 2011 Denim Group - All Rights Reserved 25
27.
I’m a Security
Tester. Why Do I Care? • URL handlers are remotely-accessible attack surface • This is a way for you to “reach out and touch” applications installed on a device if you can get a user to navigate to a malicious page • Send in arbitrary URLs via links or (easier) embedded IFRAMEs • Example: iOS Skype application used to automatically launch the Skype application and initiate a call when it encountered a skype:// URL – Apple’s native Phone handle for tel:// URLs would confirm before a call was made © Copyright 2011 Denim Group - All Rights Reserved 26
28.
I’m a Developer.
Why Do I Care? • See the previous slide. Bad guys care. So should you. Please. • Content passed in via these handlers must be treated as untrusted – Positively validate – Enforce proper logic restrictions • All: – Should a malicious web page be able to cause this behavior? • Make phone call, transmit location, take photo, start audio recording, etc • iOS: – Validate inputs to handleOpenURL: message • Android: – Validate data brought in from Action.getIntent() method © Copyright 2011 Denim Group - All Rights Reserved 27
29.
So What Should
Developers Do? • Threat model your smartphone applications – More complicated architectures -> more opportunities for problems • Watch what you store on the device – May have PCI, HIPAA implications • Be careful consuming 3rd party services – Who do you love? Who do you trust? • Be careful deploying enterprise web services – Very attractive target for bad guys – Often deployed “under the radar” © Copyright 2011 Denim Group - All Rights Reserved 28
30.
So What Should
Security People Do? • Find out about smartphone projects – Not always done by your usual development teams – R&D, “Office of the CTO,” Marketing • Assess the security implications of smartphone applications – What data is stored on the device? – What services are you consuming? – Are new enterprise services being deployed to support the application? © Copyright 2011 Denim Group - All Rights Reserved 29
31.
Online • Code,
slides and videos online: www.smartphonesdumbapps.com © Copyright 2011 Denim Group - All Rights Reserved 30
32.
Questions? Dan Cornell
dan@denimgroup.com Twitter: @danielcornell www.denimgroup.com (210) 572-4400 © Copyright 2011 Denim Group - All Rights Reserved 31
Télécharger maintenant