Securing Your Mobile Applications
Greg Patton
HP Fortify on Demand
1
Welcome to Houston TechFest
• Please turn off all electronic devices or set them to vibrate.
• If you must take a phone call, please do so in the lobby so as not to disturb others.
• Thanks to our Diamond Sponsors:
Thank you for being a part of the 9th Annual Houston TechFest!
2
Agenda
• Introduction
• Why mobile security matters
• Common mobile vulnerabilities
• Takeaways
3
Introduction
Greg Patton
Static Application Security Testing Manager
HP Fortify on Demand
- Manage static application security testing team
- Previously managed group of mobile testers
- 10 years of application security testing experience
- Based in Houston, TX
hacker@hpe.com
4
Why Mobile Security Matters
5
Considerations: Mobile traffic increases
• Global mobile data traffic will increase 26-fold between 2010 and 2015
• There will be nearly one mobile device per capita by 2015 (~7 billion)
• Mobile payments will exceed 984 billion in 2014
Data from Smart Insights, Yankee Group
6
Considerations: Mobile ubiquity
• Mobile performance is becoming extraordinary
• Using a non-mobile computer will become increasingly rare
• “Home computer” will come to mean better input and display options for your mobile system
• Apple replacing desktop with mobile?
7
Considerations: Mobile ubiquity
• 2014 is considered the year that mobile web traffic will surpass non-mobile web traffic
• Mobile computing will soon be known as “computing”
• Computing somewhere other than your mobile device will be the activity that requires a name
• Attackers follow the users
8
Considerations: Mobile insecurity
• Mobile development is the hottest type of development right now. New surface area equals dangerous surface area
• If anyone’s going to put features over security to get the product out the door, it’s likely to be a mobile team
• Many enterprise mobile developers haven’t had the security training that other types of developers have had
• Many assume that because mobile back ends aren’t visited directly they are more secure (obscurity assumption)
9
Mobile security differences
Q: What’s the difference between “regular” security and mobile security?
10
Mobile security differences
Approach to thick-client testing (Client / Network / Server)
Client:
• Credentials in memory
• Credentials on filesystem
• Data stored on filesystem
• Poor cert management
Network:
• Cleartext credentials
• Cleartext data
• Backdoor data
• Data leakage
Server:
• Injection flaws
• Authentication
• Session management
• Access control
• Logic flaws
14
Mobile security differences
Q: What’s the difference between this and mobile?
15
Mobile security differences
Approach to mobile testing (Client / Network / Server)
Client:
• Credentials in memory
• Credentials on filesystem
• Data stored on filesystem
• Poor cert management
Network:
• Cleartext credentials
• Cleartext data
• Backdoor data
• Data leakage
Server:
• Injection flaws
• Authentication
• Session management
• Access control
• Logic flaws
16
Mobile security differences
Two key differences
• Magnified network vulnerability: your network traffic is more likely to be visible to others with a mobile device than at work or home
• Magnified physical vulnerability: as with most other types of computing, once the attacker has physical access, it’s game over
17
Common Mobile Vulnerabilities
18
OWASP Mobile Top 10 Risks
M1: Weak Server Side Controls
M2: Insecure Data Storage
M3: Insufficient Transport Layer Protection
M4: Unintended Data Leakage
M5: Poor Authorization and Authentication
M6: Broken Cryptography
M7: Client Side Injection
M8: Security Decisions Via Untrusted Inputs
M9: Improper Session Handling
M10: Lack of Binary Protections
19
Common vulnerabilities: OWASP
Open Web Application Security Project
• Thought leader in web security
• Run many projects designed to help industry secure their applications
• OWASP Top 10
• Risk Rating Methodology
• Vulnerability Prevention Cheatsheets
http://www.owasp.org/
20
Logic flaws
Logic flaws are due to faulty developer assumptions, i.e. not thinking like an attacker
• Changing an arbitrary user’s password
• Bypassing multi-step authentication
• Free product by skipping payment step
• Product + refund by submitting negative number
• Defeating a business limit by entering a high negative number
• Getting a bulk discount on only one item by modifying the cart manually afterwards
21
Logic flaw defenses
Logic flaws are avoided by performing exhaustive vulnerability assessments before going to production
• Fully understand the anticipated flow of the application
• Assume the mind of the attacker
• Identify places that developers likely made assumptions
• Attempt to take advantage of those assumptions
• As a developer, think in terms of abuse vs. just regular use
22
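The two logic-flaw slides above list the assumptions attackers exploit (negative quantities, skipped payment steps, a discount granted before the cart was edited) and the defense (recompute every business decision on the server). The following Python is an added example written for this transcript, not code from the talk or from HP Fortify; the catalogue, prices, per-order limit and checkout steps are constructed values. It shows a naive total calculation that trusts client state beside a hardened one that re-derives everything from the current cart, plus a server-side step-ordering check.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed catalogue and business rules for the example.
CATALOG = {"widget": Decimal("10.00"), "gadget": Decimal("25.00")}
BULK_THRESHOLD = 10            # units of one SKU needed for the bulk price
BULK_DISCOUNT = Decimal("0.20")
MAX_UNITS_PER_ORDER = 100      # the "business limit" the slides refer to
CHECKOUT_STEPS = ("cart", "payment", "confirm")


@dataclass
class Line:
    sku: str
    qty: int


def total_naive(lines, discount_already_granted=False):
    """The 'before' version: trusts whatever the client sent.
    A negative qty produces a negative line total (product plus refund), and a
    discount flag granted on an earlier request survives later cart edits."""
    total = Decimal("0")
    for ln in lines:
        total += CATALOG[ln.sku] * ln.qty
    if discount_already_granted:
        total *= (1 - BULK_DISCOUNT)
    return total


def total_hardened(lines):
    """Recompute every decision server-side from the cart as it is now.
    Raises ValueError on anything the business rules do not allow."""
    if not lines:
        raise ValueError("empty order")
    units = 0
    total = Decimal("0")
    for ln in lines:
        if ln.sku not in CATALOG:
            raise ValueError(f"unknown sku {ln.sku!r}")
        # Reject negatives and non-integers: no refunds via the quantity field.
        if not isinstance(ln.qty, int) or ln.qty <= 0:
            raise ValueError(f"quantity must be a positive integer, got {ln.qty!r}")
        units += ln.qty
        if units > MAX_UNITS_PER_ORDER:
            raise ValueError("order exceeds per-order limit")
        price = CATALOG[ln.sku]
        # The discount is derived from this line's quantity, never from a stored flag.
        if ln.qty >= BULK_THRESHOLD:
            price *= (1 - BULK_DISCOUNT)
        total += price * ln.qty
    return total


def order_is_valid(lines):
    """Boolean wrapper around total_hardened for callers that only need accept/reject."""
    try:
        total_hardened(lines)
        return True
    except ValueError:
        return False


def next_step_allowed(completed, requested):
    """Server-side state check: a checkout step may run only when every step
    before it in CHECKOUT_STEPS has completed (so 'confirm' cannot skip 'payment')."""
    if requested not in CHECKOUT_STEPS:
        return False
    idx = CHECKOUT_STEPS.index(requested)
    return all(step in completed for step in CHECKOUT_STEPS[:idx])


if __name__ == "__main__":
    print(total_naive([Line("widget", -5)]))                 # negative: a refund
    print(order_is_valid([Line("widget", -5)]))              # False
    print(total_hardened([Line("widget", 10)]))              # bulk price applied server-side
    print(next_step_allowed({"cart"}, "confirm"))            # False: payment skipped
```

The point of `next_step_allowed` is that the step sequence is stored and checked on the server; a client that posts directly to the confirm endpoint gets refused regardless of what its own UI state claims.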
Poor network implementations
Many mobile apps do not properly secure network traffic
Many mobile apps allow SSL communication with any host
• Trusting any certificate it sees
• Allows expired certificates
• Allows trivial MiTM attacks
• Can connect to HTTPS once, and then fall back
• Once in the middle, attackers can model your app’s functionality en route to breaking it
23
Network recommendations
TLS protection has multiple levels of security
• Ensure HTTPS is always enabled
• Attempt to match the name of the remote certificate
• Certificate pinning*
• Recognize that nothing is fool-proof, and adjust according to your app’s specific needs
• Remember that pinning was a defense against compromised CAs, not against MiTM
24
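The two network slides describe the weak configuration (any certificate accepted, expired certificates allowed, fallback to plain HTTP) and the levels of defense (chain validation, hostname matching, pinning). The following Python is an added example for this transcript, not code from the talk; it uses the standard `ssl` module, and the certificate bytes and pin are constructed placeholders, since a real app would pin the SHA-256 of its own server certificate or public key. It shows the trust-anything context beside the hardened one, a constant-time pin check over the DER certificate a socket actually received, and an HTTPS-only URL guard against fallback.

```python
import hashlib
import hmac
import ssl

# Constructed stand-in for the DER-encoded server certificate the app expects.
# A real app computes this pin from its own server's certificate at build time
# and normally ships a backup pin so the certificate can be rotated.
CONSTRUCTED_CERT_DER = b"constructed-der-certificate-bytes-for-demo"
PINNED_SHA256 = {hashlib.sha256(CONSTRUCTED_CERT_DER).hexdigest()}


def context_trust_anything():
    """The weak configuration the slides warn about: no chain or expiry
    validation and no hostname check, so a certificate presented by anyone
    in the middle is accepted. Shown only so the two can be compared."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # drops 'match the name of the remote certificate'
    ctx.verify_mode = ssl.CERT_NONE   # drops chain validation, including expiry
    return ctx


def context_hardened():
    """Chain validation against the platform trust store, hostname matching,
    and no protocol version below TLS 1.2."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def cert_pin_matches(peer_cert_der, pins=PINNED_SHA256):
    """Certificate pinning: hash the DER certificate received on the socket
    (ssl.SSLSocket.getpeercert(binary_form=True)) and compare it with the
    pins shipped in the app, in constant time. This runs after the chain and
    hostname checks, not instead of them."""
    digest = hashlib.sha256(peer_cert_der).hexdigest()
    return any(hmac.compare_digest(digest, pin) for pin in pins)


def https_only(url):
    """Refuse the 'connect once, then fall back' pattern: app traffic must be https://."""
    return url.strip().lower().startswith("https://")


def connect_checked(sock_factory, host, port=443):
    """Wrap a plain socket with the hardened context, then enforce the pin.
    sock_factory is injected so callers can supply a test double; the
    connection is closed and None returned when the pin does not match."""
    ctx = context_hardened()
    tls = ctx.wrap_socket(sock_factory(), server_hostname=host)
    if not cert_pin_matches(tls.getpeercert(binary_form=True)):
        tls.close()
        return None
    return tls


if __name__ == "__main__":
    print(cert_pin_matches(CONSTRUCTED_CERT_DER))   # True
    print(cert_pin_matches(b"some other certificate"))  # False
    print(https_only("http://api.example.invalid/login"))  # False
```

`connect_checked` is not exercised offline; it is included to show where the pin check sits relative to `wrap_socket`, which already performs chain and hostname validation with the hardened context.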
Promiscuous client-side storage
Perhaps the most abused functionality is client-side storage
• Storage of credentials in plist files, SQLite databases
• Failure to use KeyChain to store credentials
• Storage of sensitive application data on filesystem
• Apps (e.g.: banks) storing their images in the public folder rather than in their sandbox
• Applications logging to the system log, but sending sensitive app data along with it
25
Promiscuous client-side storage
Abuse case
• Application protected by voice password
• Password checked server side
• File was stored locally
• Retrieved the file from the file system
• Played the file back to itself
• Gained access
26
Client-side storage recommendations
Be cautious of anything you save—anywhere—including on the client-side
• Ensure you’re using the platform-recommended solution to store credentials
• Ensure you use the Data Protection API to store any sensitive data
• Ensure you are storing everything from your app into the app sandbox so it cannot be read by other applications
• Check all logging functionality and note what you’re sending
• Observe your log files within the XCode log viewer and ensure you are not storing anything sensitive
27
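The storage slides single out one leak that is easy to miss: sensitive app data copied into the system log. The following Python is an added example for this transcript, not code from the talk; the log lines are constructed, and the field names it looks for (password, token, card, lat/lon) are assumptions standing in for whatever your own app logs. It does the review the slides ask for (scan what the app writes to the log and flag anything sensitive) and shows the redaction step that should sit in front of the logger.

```python
import re

# Constructed log lines of the kind a mobile app writes to the system log.
SAMPLE_LOG = [
    "2015-09-12 10:01:22 login ok user=alice password=Hunter2! token=eyJhbGciOiJIUzI1NiJ9.e30.abc",
    "2015-09-12 10:01:23 GET /api/cards?card=4111111111111111 status=200",
    "2015-09-12 10:01:24 location lat=29.7604 lon=-95.3698",
    "2015-09-12 10:01:25 cache warmed, 12 items",
]

# Assumed field names; extend this table with the keys your own app uses.
SENSITIVE_PATTERNS = {
    "password": re.compile(r"(?i)\b(password|passwd|pwd)=([^\s]+)"),
    "token": re.compile(r"(?i)\b(token|authorization|session)=([^\s]+)"),
    "card": re.compile(r"\b(card|pan)=(\d{13,19})\b"),
    "location": re.compile(r"\b(lat|lon|lng)=(-?\d+\.\d+)"),
}


def find_sensitive(line):
    """Return the sorted categories of sensitive data present in one log line."""
    return sorted(name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(line))


def scrub(line):
    """Redact the value of every sensitive field but keep the key, so the
    log stays useful for debugging without carrying the secret."""
    for pat in SENSITIVE_PATTERNS.values():
        line = pat.sub(lambda m: f"{m.group(1)}=<redacted>", line)
    return line


def audit_log(lines):
    """Map line index -> categories for every line that leaks something.
    This is the check a reviewer performs over the captured device log."""
    report = {}
    for i, line in enumerate(lines):
        cats = find_sensitive(line)
        if cats:
            report[i] = cats
    return report


def safe_log(line, sink):
    """Drop-in for the app's logging call: scrub first, then hand to the real sink."""
    cleaned = scrub(line)
    sink(cleaned)
    return cleaned


if __name__ == "__main__":
    for idx, cats in audit_log(SAMPLE_LOG).items():
        print(f"line {idx}: leaks {', '.join(cats)}")
    safe_log(SAMPLE_LOG[0], print)
```

Pattern-based scrubbing is a safety net, not the fix: the slide's first recommendation still applies, which is to decide what the app logs and keep credentials and card data out of the call entirely.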
Failure to harden binaries
There are a number of binary defenses that developers are not implementing
• ASLR/PIE (memory randomization)
• Stack Smashing Protection Enabled (Canary-based)
• Automatic Reference Counting (memory resources)
• Binary debug not disabled – User path information disclosure
• Developers are often contractors, and have customer names in paths
28
Failure to harden binaries
Abuse case
• Found developer name in path
• Was no longer with company
• Checked Github
• Had all source available for apps
• Mobile and backend
• Led to complete compromise of server
29
Binary protections
Use all defenses possible to harden your binaries before release
• Ensure binary protections are in place
• Some are not security-specific, but improve the overall quality of your applications
• Ensure no information disclosure is present
30
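The three binary slides name two checks a release pipeline can automate: whether the executable was built as a position-independent executable (the ASLR/PIE item) and whether build-machine paths with developer or customer names survived into the binary. The following Python is an added example for this transcript, not code from the talk or from any HP tool; it parses the 64-bit Mach-O header (the standard `mach_header_64` layout, with `MH_PIE` = 0x200000) on a constructed header, and scans the bytes for `/Users/<name>/` paths. Fat (multi-architecture) binaries and the stack-canary check are out of scope here.

```python
import re
import struct

# mach_header_64 constants from the Mach-O format.
MH_MAGIC_64 = 0xFEEDFACF
MH_EXECUTE = 0x2
MH_PIE = 0x00200000          # set when the main executable was linked position-independent
CPU_TYPE_ARM64 = 0x0100000C
# magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
HEADER_FMT = "<8I"


def constructed_macho(flags, filetype=MH_EXECUTE):
    """Build only the 32-byte mach_header_64 of a little-endian arm64 image.
    Constructed test input; a real check reads the app's executable from the .ipa."""
    return struct.pack(HEADER_FMT, MH_MAGIC_64, CPU_TYPE_ARM64, 0, filetype, 0, 0, flags, 0)


def check_pie(data):
    """Return True when the Mach-O header carries MH_PIE, i.e. the main image
    gets a randomised load address (ASLR) at launch."""
    if len(data) < struct.calcsize(HEADER_FMT):
        raise ValueError("too short for a mach_header_64")
    magic, _cpu, _sub, filetype, _ncmds, _size, flags, _res = struct.unpack_from(HEADER_FMT, data)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (fat binaries not handled here)")
    if filetype != MH_EXECUTE:
        raise ValueError("MH_PIE is only meaningful for MH_EXECUTE images")
    return bool(flags & MH_PIE)


# Absolute macOS home-directory paths left behind by the build (debug info, asserts, NSLog).
USER_PATH = re.compile(rb"/Users/([A-Za-z0-9._-]+)/[^\x00\s]*")


def leaked_user_paths(data):
    """Return the distinct usernames found in /Users/<name>/... paths inside the
    binary; these are the developer/contractor and customer names the slides mention."""
    return sorted({m.group(1).decode("ascii", "replace") for m in USER_PATH.finditer(data)})


def audit(data):
    """Release-gate summary: PIE flag plus any path disclosure."""
    return {"pie": check_pie(data), "leaked_users": leaked_user_paths(data)}


if __name__ == "__main__":
    hardened = constructed_macho(MH_PIE)
    sloppy = constructed_macho(0) + b"\x00/Users/contractor_jdoe/Projects/App/Login.m\x00"
    print(audit(hardened))   # {'pie': True, 'leaked_users': []}
    print(audit(sloppy))     # {'pie': False, 'leaked_users': ['contractor_jdoe']}
```

On a real build the same check is what `otool -hv` shows in the header flags; the value of scripting it is that it runs on every release candidate rather than when someone remembers.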
Privacy violations
Many applications violate privacy without developers being aware
• Does the application access GeoLocation data?
• Does the application access the Address Book?
• Does the application access your Photos?
• If so, what is your app doing with this data?
• Does your application use analytics engines?
• If so, what does it send there? (UUID, app data?)
31
Privacy violations
Go with an absolute least-privilege approach
• Don’t access any data that could be considered private if you don’t need it
• There are applications out there that can evaluate what a given binary accesses (HP Fortify Mobile Reputation)
32
Assumption of web obscurity
A massive number of applications we see and compromise are compromised due to backend vulnerabilities
• Promiscuous web services
• Full SQL statements right in web service calls (saved money on MSSQL Server Manager)
• Blatant SQLi, XSS, CSRF, File Includes, etc.
• Many developers assume “who’s coming here?”
• The data stores are often shared!
• Shared hosting means compromise of multiple customers
33
Assumption of web obscurity
Harden your web backend as if the mobile app didn’t even exist
• Remember how easy it is to MiTM a mobile app
• Assume everyone can see your traffic
• This means they can see all the paths and parameters for your backend
• Assume attackers will come knocking
• Consider the risks of shared hosting, as others might not be taking these steps—even if you did
34
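The two backend slides describe web services that accept full SQL statements from the app and handlers that splice request parameters into queries, on the assumption that only the app will ever call them. The following Python is an added example for this transcript, not code from the talk; it uses an in-memory SQLite table with constructed rows. It shows the string-built query beside the parameterised one and a request handler that refuses client-supplied SQL and validates its one parameter, which is what "harden the backend as if the app didn't exist" looks like at the code level.

```python
import sqlite3


def make_db():
    """Constructed in-memory store standing in for the (often shared) backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts (owner, balance) VALUES (?, ?)",
        [("alice", 100), ("bob", 250), ("carol", 75)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, owner):
    """The 'before': the request parameter becomes part of the SQL text, so a
    caller who has watched the app's own traffic can rewrite the WHERE clause."""
    sql = f"SELECT owner, balance FROM accounts WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, owner):
    """Parameterised query: the value is bound by the driver and never parsed as SQL."""
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


def handle_request(conn, params):
    """Web-service entry point. Returns (status, body) like an HTTP handler would.
    The client gets an API, not a database: any 'sql' field is rejected outright,
    the one accepted parameter is validated, and the lookup is parameterised."""
    if "sql" in params:
        return 403, "clients may not submit SQL statements"
    owner = params.get("owner", "")
    if not (0 < len(owner) <= 32 and owner.isalnum()):
        return 400, "invalid owner"
    return 200, lookup_hardened(conn, owner)


if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, {"owner": "alice"}))                    # (200, [('alice', 100)])
    print(handle_request(db, {"sql": "SELECT * FROM accounts"}))     # (403, ...)
    print(handle_request(db, {"owner": "x' OR '1'='1"}))             # (400, 'invalid owner')
```

The allow-list on `owner` is defence in depth; the parameterised query alone already stops the injection, and the tests below show the same input returning every row through the string-built query and nothing through the bound one.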
Takeaways
35
Takeaways
It is an interesting time for mobile security
• Everyone’s heading to mobile, and the attackers are following
• Mobile is on the leading edge of development, so mobile projects are especially susceptible to security shortcuts
• Most applications have major vulnerabilities that are easily found
36
Takeaways
Adopt the attacker mindset
• Don’t be afraid to look at your own apps
• Think like an attacker and follow some basic steps to help you evaluate your own applications
• Assume the attacker has access to the device and visibility of all traffic going to and from the server, and code accordingly
• Track your sensitive data through your app, from user to device to network to server; where is it vulnerable?
• Don’t store sensitive data if you don’t have to
37
Takeaways
Leverage available resources
• Industry best-practices are available
o https://www.owasp.org
• Use the tools you already have
o HTTP proxies, debuggers, source code analyzers, etc.
o HP Enterprise Security Products
• Connect locally
o Local OWASP Chapter
o Houston Security Conference (HouSecCon)
Houston Security Conference
http://www.houstonseccon.com/v6/
39
HP Fortify on Demand
• Cloud-based application security testing
• Both static and dynamic testing, using automated and manual techniques
• Integrates with your SDLC and build environment to provide critical security checkpoints
• Single portal for code uploads and reviewing results
• http://www.hp.com/go/fod
40
Please Leave Feedback During Q&A
If you leave session feedback and provide contact information in the survey, you will be qualified for a prize.
Scan the QR Code to the right or go to http://bit.ly/1K1Hvi5
41
Thanks to all our Sponsors!

Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 

Securing Mobile Apps

  • 1. 0 Securing Your Mobile Applications. Greg Patton, HP Fortify on Demand
  • 2. 1 Welcome to Houston TechFest
    • Please turn off all electronic devices or set them to vibrate.
    • If you must take a phone call, please do so in the lobby so as not to disturb others.
    • Thanks to our Diamond Sponsors: Thank you for being a part of the 9th Annual Houston TechFest!
  • 3. 2 Agenda
    • Introduction
    • Why mobile security matters
    • Common mobile vulnerabilities
    • Takeaways
  • 4. 3 Introduction: Greg Patton, Static Application Security Testing Manager, HP Fortify on Demand
    - Manage static application security testing team
    - Previously managed group of mobile testers
    - 10 years of application security testing experience
    - Based in Houston, TX
    hacker@hpe.com
  • 6. 5 Considerations: Mobile traffic increases
    • Global mobile data traffic will increase 26-fold between 2010 and 2015
    • There will be nearly one mobile device per capita by 2015 (~7 billion)
    • Mobile payments will exceed 984 Billion in 2014
    Data from Smart Insights, Yankee Group
  • 7. 6 Considerations: Mobile ubiquity
    • Mobile performance is becoming extraordinary
    • Using a non-mobile computer will become increasingly rare
    • “Home computer” will come to mean better input and display options for your mobile system
    • Apple replacing desktop with mobile?
  • 8. 7 Considerations: Mobile ubiquity
    • 2014 is considered the year that mobile web traffic will surpass non-mobile web traffic
    • Mobile computing will soon be known as “computing”
    • Computing somewhere other than your mobile device will be the activity that requires a name
    • Attackers follow the users
  • 9. 8 Considerations: Mobile insecurity
    • Mobile development is the hottest type of development right now. New surface area equals dangerous surface area
    • If anyone’s going to put features over security to get the product out the door, it’s likely to be a mobile team
    • Many enterprise mobile developers haven’t had the security training that other types of developers have had
    • Many assume that because mobile back ends aren’t visited directly they are more secure (obscurity assumption)
  • 10. 9 Mobile security differences
    Q: What’s the difference between “regular” security and mobile security?
  • 11.–14. 10–13 Mobile security differences: approach to thick-client testing (slides 11–13 are progressive builds of slide 14)
    Client: • Credentials in memory • Credentials on filesystem • Data stored on filesystem • Poor cert management
    Network: • Cleartext credentials • Cleartext data • Backdoor data • Data leakage
    Server: • Injection flaws • Authentication • Session management • Access control • Logic flaws
  • 15. 14 Mobile security differences
    Q: What’s the difference between this and mobile?
  • 16. 15 Mobile security differences: approach to mobile testing
    The same Client / Network / Server breakdown as the thick-client slide above, with the same items in each column:
    Client: • Credentials in memory • Credentials on filesystem • Data stored on filesystem • Poor cert management
    Network: • Cleartext credentials • Cleartext data • Backdoor data • Data leakage
    Server: • Injection flaws • Authentication • Session management • Access control • Logic flaws
  • 17. 16 Mobile security differences: Two key differences
    • Magnified network vulnerability: your network traffic is more likely to be visible to others with a mobile device than at work or home
    • Magnified physical vulnerability: as with most other types of computing, once the attacker has physical access, it’s game over
  • 19. 18 OWASP Mobile Top 10 Risks
    • M1: Weak Server Side Controls
    • M2: Insecure Data Storage
    • M3: Insufficient Transport Layer Protection
    • M4: Unintended Data Leakage
    • M5: Poor Authorization and Authentication
    • M6: Broken Cryptography
    • M7: Client Side Injection
    • M8: Security Decisions Via Untrusted Inputs
    • M9: Improper Session Handling
    • M10: Lack of Binary Protections
  • 20. 19 Common vulnerabilities: OWASP (Open Web Application Security Project)
    • Thought leader in web security
    • Run many projects designed to help industry secure their applications
      • OWASP Top 10
      • Risk Rating Methodology
      • Vulnerability Prevention Cheatsheets
    http://www.owasp.org/
  • 21. 20 Logic flaws
    Logic flaws are due to faulty developer assumptions, i.e. not thinking like an attacker
    • Changing an arbitrary user’s password
    • Bypassing multi-step authentication
    • Free product by skipping payment step
    • Product + refund by submitting negative number
    • Defeating a business limit by entering a high negative number
    • Getting a bulk discount on only one item by modifying the cart manually afterwards
  • 22. 21 Logic flaw defenses
    Logic flaws are avoided by performing exhaustive vulnerability assessments before going to production
    • Fully understand the anticipated flow of the application
    • Assume the mind of the attacker
    • Identify places that developers likely made assumptions
    • Attempt to take advantage of those assumptions
    • As a developer, think in terms of abuse vs. just regular use
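The cart and checkout flaws on the two slides above come down to the server trusting figures and step order supplied by the client. The following is an added example (not code from the talk or from HP Fortify) of the server-side checks that close them: every price is recomputed from a server-side catalog, quantities must be positive integers within a business limit, the bulk discount is decided by the quantity actually charged, and the checkout flow may only move forward one step at a time. The catalog, discount rule, limit and step names are constructed for illustration.

```python
"""Server-side checks for the cart and checkout logic flaws listed above.
Added example, not from the talk: the catalog, discount rule, business limit
and checkout steps are constructed to illustrate the pattern."""
from dataclasses import dataclass

CATALOG = {"widget": 1000, "gadget": 2500}   # constructed: unit prices in cents, held server-side only
BULK_MIN_QTY = 10                             # constructed bulk-discount threshold
BULK_DISCOUNT = 0.20                          # constructed bulk-discount rate
MAX_QTY_PER_LINE = 1000                       # constructed business limit per line
CHECKOUT_STEPS = ("cart", "address", "paid", "fulfilled")   # constructed checkout flow


class InvalidOrder(ValueError):
    """Raised when a submitted cart or step transition fails a server-side check."""


@dataclass(frozen=True)
class Line:
    sku: str
    quantity: int


def parse_cart(payload):
    """Build Lines from an untrusted request body; any client-sent price is ignored."""
    try:
        return [Line(str(item["sku"]), item["quantity"]) for item in payload["items"]]
    except (KeyError, TypeError) as exc:
        raise InvalidOrder("malformed cart") from exc


def price_order(lines):
    """Recompute the total in cents from the server-side catalog.

    Rejects what a tampered cart can carry: unknown SKUs, non-integer, zero or
    negative quantities (the product-plus-refund trick and the large negative
    number both fail the sign check), and quantities beyond the business limit.
    """
    if not lines:
        raise InvalidOrder("empty order")
    total = 0
    for line in lines:
        if line.sku not in CATALOG:
            raise InvalidOrder(f"unknown sku {line.sku!r}")
        # bool is an int subclass in Python; reject it along with floats and strings
        if isinstance(line.quantity, bool) or not isinstance(line.quantity, int):
            raise InvalidOrder("quantity must be an integer")
        if line.quantity <= 0:
            raise InvalidOrder("quantity must be positive")
        if line.quantity > MAX_QTY_PER_LINE:
            raise InvalidOrder("quantity exceeds business limit")
        unit = CATALOG[line.sku]
        # The discount is decided by the quantity actually charged, so editing the
        # cart down to one item after the discount was shown cannot keep it.
        if line.quantity >= BULK_MIN_QTY:
            unit = round(unit * (1 - BULK_DISCOUNT))
        total += unit * line.quantity
    return total


def advance(current, requested):
    """Move the order forward one step only; jumping from 'cart' to 'fulfilled'
    or past 'paid' is rejected, which blocks the skipped-payment flaw."""
    if current not in CHECKOUT_STEPS or requested not in CHECKOUT_STEPS:
        raise InvalidOrder("unknown checkout step")
    if CHECKOUT_STEPS.index(requested) != CHECKOUT_STEPS.index(current) + 1:
        raise InvalidOrder(f"cannot move from {current!r} to {requested!r}")
    return requested
```

The same shape applies to the other items on the slide: a password-change handler takes the user from the authenticated session rather than from the request body, and a multi-step login records which steps have completed server-side instead of trusting a "step 3 done" flag from the client.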
  • 23. 22 Poor network implementations
    Many mobile apps do not properly secure network traffic. Many mobile apps allow SSL communication with any host
    • Trusting any certificate it sees
    • Allows expired certificates
    • Allows trivial MiTM attacks
    • Can connect to HTTPS once, and then fall back
    • Once in the middle, attackers can model your app’s functionality en route to breaking it
  • 24. 23 Network recommendations
    TLS protection has multiple levels of security
    • Ensure HTTPS is always enabled
    • Attempt to match the name of the remote certificate
    • Certificate pinning*
    • Recognize that nothing is fool-proof, and adjust according to your app’s specific needs
    • Remember that pinning was a defense against compromised CAs, not against MiTM
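The two slides above describe the permissive setting and the layered fix side by side. As an added example (not code from the talk, and in Python's standard ssl module rather than the iOS networking stack the speaker has in mind), the block below shows the "trust any certificate" configuration next to a hardened context that validates the chain, matches the hostname and then applies certificate pinning, plus a scheme check against the "HTTPS once, then fall back" pattern. The pin set is a placeholder to be filled from your own deployed certificates; the connect function is included for completeness and is the only part that touches the network.

```python
"""TLS client configuration: the permissive pattern the slide describes beside
a hardened one with hostname matching and certificate pinning.
Added example built on Python's standard ssl module, not code from the talk;
the pin set is a placeholder to be filled from your own deployed certificates."""
import hashlib
import socket
import ssl

# PLACEHOLDER pin set: SHA-256 hex digests of the DER-encoded leaf certificates
# the app expects. Replace with the real values from your deployment.
PINS = frozenset({"0" * 64})


def make_weak_context():
    """The 'trust any certificate' pattern: CERT_NONE disables chain validation and
    check_hostname=False drops name matching, so any certificate, expired or
    self-signed, presented by any interposed host is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE is set
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_hardened_context(cafile=None):
    """Validate the chain against trusted roots and match the certificate name
    to the host that was requested."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_hardened(ctx):
    """Pre-flight check for any context handed to the network layer."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def cert_fingerprint(der_cert):
    """Pin value for a certificate: SHA-256 over its DER encoding."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pins=PINS):
    """Pinning layer, applied only after chain validation has already succeeded."""
    return cert_fingerprint(der_cert) in pins


def scheme_is_https(url):
    """Guard against the 'HTTPS once, then fall back to HTTP' pattern."""
    return url.lower().startswith("https://")


def connect_pinned(host, port=443, pins=PINS, timeout=5.0):
    """Open a verified TLS connection and abort it if the leaf is not pinned.
    Network call; not exercised by the offline checks."""
    ctx = make_hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if not pin_matches(leaf, pins):
                raise ssl.SSLError(f"certificate for {host} is not in the pin set")
            return tls.version()
```

The pin here is the hash of the whole leaf certificate, which means the pin set must be updated every time the certificate is rotated; pinning the public key (SPKI) instead survives re-issuance under the same key but needs an ASN.1 parser and is left out. In line with the slide, pinning is a second layer on top of normal validation, not a replacement for it.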
  • 25. 24 Promiscuous client-side storage
    Perhaps the most abused functionality is client-side storage
    • Storage of credentials in plist files, SQLite databases
    • Failure to use KeyChain to store credentials
    • Storage of sensitive application data on filesystem
    • Apps (e.g.: banks) storing their images in the public folder rather than in their sandbox
    • Applications logging to the system log, but sending sensitive app data along with it
  • 26. 25 Promiscuous client-side storage: Abuse case
    • Application protected by voice password
    • Password checked server side
    • File was stored locally
    • Retrieved the file from the file system
    • Played the file back to itself
    • Gained access
  • 27. 26 Client-side storage recommendations
    Be cautious of anything you save—anywhere—including on the client-side
    • Ensure you’re using the platform-recommended solution to store credentials
    • Ensure you use the Data Protection API to store any sensitive data
    • Ensure you are storing everything from your app into the app sandbox so it cannot be read by other applications
    • Check all logging functionality and note what you’re sending
    • Observe your log files within the XCode log viewer and ensure you are not storing anything sensitive
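The last two recommendations above (check what your logging sends, and inspect the log for anything sensitive) are easy to automate. The following is an added example, not from the talk, of a small audit that runs over captured log text and flags bearer tokens, password fields and card numbers (Luhn-checked so that ordinary 16-digit identifiers are not reported), with a redaction function that an app's own logging wrapper could apply before a line is written. The sample log lines are constructed and do not come from any real application.

```python
"""Detect sensitive values leaking into application logs, as a check for the
'check all logging functionality and note what you're sending' point.
Added example; the log lines are constructed, not captured from any app."""
import re

# Constructed sample of what an app might write to the system log.
SAMPLE_LOG = """\
2015-09-12 10:01:02 MyBank[412] login ok for user=alice
2015-09-12 10:01:03 MyBank[412] Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig
2015-09-12 10:01:05 MyBank[412] card added 4111 1111 1111 1111 exp 12/19
2015-09-12 10:01:06 MyBank[412] POST /api/login body={"password":"hunter2"}
2015-09-12 10:01:09 MyBank[412] fetched 12 transactions
"""

PATTERNS = {
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9._\-]+"),
    "password_field": re.compile(r'("?password"?\s*[:=]\s*"?)([^",\s}]+)', re.I),
    # 13 to 19 digits, optionally separated by spaces or dashes; Luhn-checked below
    "card_number": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}


def luhn_ok(digits):
    """Luhn checksum, so a 16-digit order id is not reported as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_card(match):
    digits = re.sub(r"[ -]", "", match.group(0))
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def find_leaks(line):
    """Return the sensitive-data categories present in one log line."""
    hits = []
    if PATTERNS["bearer_token"].search(line):
        hits.append("bearer_token")
    if PATTERNS["password_field"].search(line):
        hits.append("password_field")
    if any(_is_card(m) for m in PATTERNS["card_number"].finditer(line)):
        hits.append("card_number")
    return hits


def redact(line):
    """Replace each sensitive value with a marker so the line stays useful for debugging."""
    line = PATTERNS["bearer_token"].sub("Bearer [REDACTED]", line)
    line = PATTERNS["password_field"].sub(r"\1[REDACTED]", line)

    def mask_card(m):
        if not _is_card(m):
            return m.group(0)
        digits = re.sub(r"[ -]", "", m.group(0))
        return "[CARD " + "*" * (len(digits) - 4) + digits[-4:] + "]"

    return PATTERNS["card_number"].sub(mask_card, line)


def audit(log_text):
    """Map 1-based line numbers to the categories leaked on that line."""
    report = {}
    for n, raw in enumerate(log_text.splitlines(), 1):
        hits = find_leaks(raw)
        if hits:
            report[n] = hits
    return report


if __name__ == "__main__":
    for n, cats in audit(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(cats)}")
    print(redact(SAMPLE_LOG.splitlines()[2]))
```

Run against a real capture (for example text saved from the Xcode log viewer the slide mentions), the same audit tells you which log statements need to be removed or wrapped with redaction before release.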
  • 28. 27 Failure to harden binaries
    There are a number of binary defenses that developers are not implementing
    • ASLR/PIE (memory randomization)
    • Stack Smashing Protection Enabled (Canary-based)
    • Automatic Reference Counting (memory resources)
    • Binary debug not disabled – User path information disclosure
    • Developers are often contractors, and have customer names in paths
  • 29. 28 Failure to harden binaries: Abuse case
    • Found developer name in path
    • Was no longer with company
    • Checked Github
    • Had all source available for apps
    • Mobile and backend
    • Led to complete compromise of server
  • 30. 29 Binary protections
    Use all defenses possible to harden your binaries before release
    • Ensure binary protections are in place
    • Some are not security-specific, but improve the overall quality of your applications
    • Ensure no information disclosure is present
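"Ensure binary protections are in place" is a release-gate check that can run on every build. The following is an added example, not code from the talk, of a heuristic audit of a thin Mach-O image for the four items on the slide: the MH_PIE header flag for ASLR, the stack-protector symbols the compiler emits when canaries are on, the ARC runtime symbols, and build-machine paths under /Users/ that disclose developer or customer names. The symbol and path heuristics are the same ones string-based checkers rely on and are assumptions of this example, not a formal specification; the sample binaries used in the test are constructed from a valid header plus a few strings rather than real applications.

```python
"""Heuristic release-gate check of an iOS/macOS Mach-O binary for the protections
the slide lists: PIE (ASLR), stack canaries, ARC, and developer path disclosure.
Added example; header constants are from the Mach-O format, the symbol-name and
path heuristics are this example's assumptions, and the sample binaries are constructed."""
import re
import struct

MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O, little-endian on Apple hardware
MH_MAGIC = 0xFEEDFACE      # 32-bit Mach-O
MH_PIE = 0x00200000        # header flag: image loads at a random base address (ASLR)
HEADER_FMT = "<IiiIIII"    # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags

# Heuristic: symbols the compiler references when the protection is enabled.
CANARY_SYMBOLS = (b"___stack_chk_guard", b"___stack_chk_fail")
ARC_SYMBOLS = (b"_objc_release", b"_objc_retain", b"_objc_autoreleaseReturnValue")
# Heuristic: build-machine paths that leak developer or customer names.
PATH_LEAK = re.compile(rb"/Users/[^/\x00]+/[^\x00]*")


def parse_header(blob):
    """Return (is_thin_macho, header_flags) from the first 28 bytes of the file."""
    if len(blob) < struct.calcsize(HEADER_FMT):
        return False, 0
    magic, _cpu, _sub, _ftype, _ncmds, _size, flags = struct.unpack_from(HEADER_FMT, blob)
    return magic in (MH_MAGIC, MH_MAGIC_64), flags


def check_binary(blob):
    """Report which protections appear present; keys follow the slide's list."""
    is_macho, flags = parse_header(blob)
    if not is_macho:
        raise ValueError("not a thin Mach-O image (fat/universal files must be sliced first)")
    paths = sorted({m.group(0).decode("ascii", "replace") for m in PATH_LEAK.finditer(blob)})
    return {
        "pie": bool(flags & MH_PIE),
        "stack_canary": any(sym in blob for sym in CANARY_SYMBOLS),
        "arc": any(sym in blob for sym in ARC_SYMBOLS),
        "path_disclosure": paths,
    }


def findings(report):
    """Turn a report into release-blocking issues; empty when all checks pass."""
    issues = []
    if not report["pie"]:
        issues.append("binary not built as PIE: ASLR cannot randomise its base address")
    if not report["stack_canary"]:
        issues.append("no stack-protector symbols: stack smashing protection appears off")
    if not report["arc"]:
        issues.append("no ARC runtime symbols: manual memory management in use")
    for path in report["path_disclosure"]:
        issues.append(f"build path embedded in binary: {path}")
    return issues


def build_sample(pie=True, canary=True, arc=True, path=b""):
    """Constructed stand-in for a compiled binary: a valid arm64 executable header
    followed by the strings the heuristics look for. Not a real application."""
    flags = MH_PIE if pie else 0
    header = struct.pack(HEADER_FMT, MH_MAGIC_64, 0x0100000C, 0, 2, 0, 0, flags)
    body = b"\x00" + (CANARY_SYMBOLS[0] if canary else b"") + b"\x00"
    body += (ARC_SYMBOLS[0] if arc else b"") + b"\x00" + path + b"\x00"
    return header + body


if __name__ == "__main__":
    import sys
    # With a path argument, audit that file; otherwise audit a constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(pie=False)
    for issue in findings(check_binary(data)) or ["no issues found"]:
        print(issue)
```

Universal (fat) binaries wrap several thin images and must be split into per-architecture slices before this header check applies; the symbol heuristics also assume the symbol table has not been stripped of those names.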
  • 31. 30 Privacy violations
    Many applications violate privacy without developers being aware
    • Does the application access GeoLocation data?
    • Does the application access the Address Book?
    • Does the application access your Photos?
    • If so, what is your app doing with this data?
    • Does your application use analytics engines?
    • If so, what does it send there? (UUID, app data?)
  • 32. 31 Privacy violations
    Go with an absolute least-privilege approach
    • Don’t access any data that could be considered private if you don’t need it
    • There are applications out there that can evaluate what a given binary accesses (HP Fortify Mobile Reputation)
  • 33. 32 Assumption of web obscurity
    A massive number of applications we see and compromise are compromised due to backend vulnerabilities
    • Promiscuous web services
    • Full SQL statements right in web service calls (saved money on MSSQL Server Manager)
    • Blatant SQLi, XSS, CSRF, File Includes, etc.
    • Many developers assume “who’s coming here?”
    • The data stores are often shared!
    • Shared hosting means compromise of multiple customers
  • 34. 33 Assumption of web obscurity
    Harden your web backend as if the mobile app didn’t even exist
    • Remember how easy it is to MiTM a mobile app
    • Assume everyone can see your traffic
    • This means they can see all the paths and parameters for your backend
    • Assume attackers will come knocking
    • Consider the risks of shared hosting, as others might not be taking these steps—even if you did
  • 36. 35 Takeaways
    It is an interesting time for mobile security
    • Everyone’s heading to mobile, and the attackers are following
    • Mobile is on the leading edge of development, so mobile projects are especially susceptible to security shortcuts
    • Most applications have major vulnerabilities that are easily found
  • 37. 36 Takeaways
    Adopt the attacker mindset
    • Don’t be afraid to look at your own apps
    • Think like an attacker and follow some basic steps to help you evaluate your own applications
    • Assume the attacker has access to the device and visibility of all traffic going to and from the server, and code accordingly
    • Track your sensitive data through your app, from user to device to network to server; where is it vulnerable?
    • Don’t store sensitive data if you don’t have to
  • 38. 37 Takeaways
    Leverage available resources
    • Industry best-practices are available
      o https://www.owasp.org
    • Use the tools you already have
      o HTTP proxies, debuggers, source code analyzers, etc.
      o HP Enterprise Security Products
    • Connect locally
      o Local OWASP Chapter
      o Houston Security Conference (HouSecCon)
  • 40. 39 HP Fortify on Demand
    • Cloud-based application security testing
    • Both static and dynamic testing, using automated and manual techniques
    • Integrates with your SDLC and build environment to provide critical security checkpoints
    • Single portal for code uploads and reviewing results
    • http://www.hp.com/go/fod
  • 41. 40 Please Leave Feedback During Q&A
    If you leave session feedback and provide contact information in the survey, you will be qualified for a prize. Scan the QR Code to the right or go to http://bit.ly/1K1Hvi5
  • 42. 41 Thanks to all our Sponsors!