INTRODUCTION MOBILE INSECURITY THE END
Mobile Application (In)Security
Fernando Castañeda G.
31 October 2017
#WHOAMI
Penetration Tester or Pentester
Professor
Penetration Testing
Operating Systems
Computer Organization and Architecture
C Programming Language
(Next Semester) Development of Secure Mobile Applications
(Lawless) Developer
Malware Reverse Engineering and CTF aficionado
PRINCIPLES AND STUFF
"Hacker’s Ethics"
Hackers should be judged by their hacking, not bogus criteria such as degrees, age, race, or position
HISTORY
1908 -> Professor Albert Jahnke (first attempt to build a physical wireless phone)
1907 -> Lewis Baumer (Forecasts for 1907)
NOWADAYS...
War and (true) hackers changed (almost) everything...
First there were the PDAs, then came the fusion with cellphones that evolved into our useful devices
We have incredible processing power in our pockets
With a single touch we can do almost everything we used to do on a PC in the last decade, or process on a mainframe in the 90s
SEEMS OK BUT...
We share a lot of personal data through our devices
Pictures
Financial Data
Medical Information
Biometrics
Private or Sensitive Data
And so on...
And it’s far from being safe... :(
SOME PROOFS
Perhaps the most important, Information Leakage...
REMEMBER THE TRIAD (CIA)
Confidentiality
Integrity
Availability
CORE PROBLEMS
Assumptions about users' behaviour
Little or no knowledge of the platform
(Mostly) developed under pressure
Disinterest in InfoSec (it must be functional before it is secure)
OPEN WEB APPLICATION SECURITY PROJECT
Started operations in 2001
Became a foundation in 2004, in order to obtain resources for its projects
OWASP depends on donations and on the fees paid by its associates, partners and companies
WHAT IS RELEVANT FOR US
OWASP MOBILE TOP 10
Code   Vulnerability
M1     Improper Platform Usage
M2     Insecure Data Storage
M3     Insecure Communication
M4     Insecure Authentication
M5     Insufficient Cryptography
M6     Insecure Authorization
M7     Client Code Quality
M8     Code Tampering
M9     Reverse Engineering
M10    Extraneous Functionality
M1. IMPROPER PLATFORM USAGE
Android and iOS are Operating Systems
Mobile Applications are not Web Applications (at all)
OWASP TOP 10 (not mobile)
SQLi
XSS
XSRF
and so on...
M2. INSECURE DATA STORAGE
A lot of information can be extracted from stolen phones
Sensitive data should not be saved in plain text... sensitive data should not be saved on the client's side
Banking apps ask for re-authentication after some period of inactivity, and that is perfect!
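The two M2 rules above, written out as a client-side session model. This is an added example, not code from the talk: the app keeps only an opaque server-issued token (never the password), refuses to write a short list of sensitive fields to local storage, and drops the token after a period of inactivity so the user has to authenticate again. The field list and the 5-minute window are assumptions chosen for the demo.

```python
"""Added example (not from the talk): client-side session handling for M2.
Only an opaque token lives on the device, sensitive fields are never cached
locally, and the token is discarded after IDLE_TIMEOUT_SECONDS of inactivity."""
import secrets
import time

IDLE_TIMEOUT_SECONDS = 300  # assumed inactivity window, like a banking app

# Assumed deny-list: fields that must never be written to on-device storage
SENSITIVE_FIELDS = frozenset({"password", "pin", "card_number", "cvv"})


def _now(now):
    """Use the injected clock when given (keeps the logic testable)."""
    return time.time() if now is None else now


def can_store_locally(field_name):
    """True only for fields that are safe to persist on the client."""
    return field_name.lower() not in SENSITIVE_FIELDS


class LocalCache:
    """Stand-in for on-device storage that enforces the deny-list."""

    def __init__(self):
        self._data = {}

    def put(self, key, value):
        if not can_store_locally(key):
            raise ValueError(f"refusing to store sensitive field {key!r} on the client")
        self._data[key] = value

    def get(self, key):
        return self._data.get(key)


class IdleSession:
    """Holds an opaque token (no credentials) and expires after inactivity."""

    def __init__(self, token, now=None):
        self.token = token
        self.last_activity = _now(now)

    def is_active(self, now=None):
        return self.token is not None and (_now(now) - self.last_activity) <= IDLE_TIMEOUT_SECONDS

    def token_for_request(self, now=None):
        """Return the token to attach to a request, or None when the user must
        re-authenticate. An expired token is dropped, not silently reused."""
        if not self.is_active(now):
            self.token = None
            return None
        self.last_activity = _now(now)  # every request counts as activity
        return self.token


def issue_session(now=None):
    """Stand-in for the server handing back a random token after login.
    The password is used only for that exchange and never stored by the app."""
    return IdleSession(secrets.token_urlsafe(32), now=now)


if __name__ == "__main__":
    cache = LocalCache()
    cache.put("display_name", "Alice")          # fine
    try:
        cache.put("password", "hunter2")        # refused
    except ValueError as exc:
        print(exc)
    session = IdleSession("demo-token", now=0)
    print(session.token_for_request(now=100))   # demo-token
    print(session.token_for_request(now=800))   # None: re-authenticate
```

The `now` parameters exist so the expiry logic can be exercised without waiting; a real app would call these with the default (wall clock). Note that an expired session sets `token` to `None` so no code path can keep using a stale token.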
M3, M5 = INSECURE COMMUNICATION, INSUFFICIENT CRYPTOGRAPHY
SSL/TLS is not only for web pages
There is a general misunderstanding of cryptography
M3, M5 = INSECURE COMMUNICATION, INSUFFICIENT CRYPTOGRAPHY
Cryptography Is Not the Solution
Cryptography Is Very Difficult
Cryptography Is the Easy Part
-Niels Ferguson, Bruce Schneier, Tadayoshi Kohno (Cryptography Engineering)
Good implementations and understanding are needed...
HOW DOES INSECURE COMMUNICATION AFFECT MY APP?
A Man in the Middle attack is always possible
If I am in your network, I can sniff your packets
If I use a proxy, I can intercept your requests
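What "secure channels" and "well-known cryptographic implementations" come down to in an app's HTTP client is the TLS configuration: whether the certificate chain and hostname are actually verified, and which protocol versions are accepted. The block below is an added example, not code from the talk, written against Python's standard `ssl` module (an Android or iOS client has the equivalent knobs in its networking stack). It puts the weak configuration that lets an on-path proxy present its own certificate next to the hardened one, and a small audit function that flags the weak settings. It runs offline; no connection is made.

```python
"""Added example (not from the talk): TLS client configuration for M3/M5,
weak vs. hardened, plus an audit that reports the settings which let a
proxy on the network intercept the traffic."""
import ssl


def insecure_client_context():
    """The 'it worked against the test server' configuration that ships too often."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # accept a certificate issued for any name
    ctx.verify_mode = ssl.CERT_NONE     # accept any certificate, even self-signed
    # minimum_version is left at whatever this Python/OpenSSL build allows
    return ctx


def hardened_client_context():
    """Verify the chain against the platform trust store and the hostname,
    and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return a list of weaknesses found in an SSLContext (empty means OK)."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate verification disabled (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"TLS versions older than 1.2 allowed ({ctx.minimum_version.name})")
    return findings


if __name__ == "__main__":
    for label, ctx in (("insecure", insecure_client_context()),
                       ("hardened", hardened_client_context())):
        print(label, audit_context(ctx) or "OK")
```

With `CERT_NONE` and `check_hostname = False` the client accepts whatever certificate is presented, so anyone positioned on the network path can terminate the connection and read the requests; `create_default_context()` already turns both checks on, and the explicit `minimum_version` pins the floor regardless of the interpreter's defaults.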
M4, M6 = INSECURE AUTHENTICATION, INSECURE AUTHORIZATION
Client-side authentication (?)
Bad semantics, or "the ID in the request manages it all"
No cookies, token or anything else to identify a user
Remember the AAA
Authentication
Authorization
Accounting
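The server side of "the ID in the request manages it all", as an added example that is not from the talk: the mobile client sends an account id, and the API must resolve the caller from the session token (authentication), check that the caller owns that account (authorization) and log the decision (accounting) instead of trusting the id. The session table, account records and token strings are constructed for the demo.

```python
"""Added example (not from the talk): an API handler that applies the AAA
from the slide instead of trusting the account id sent by the client."""
import logging

logging.basicConfig(level=logging.INFO, format="%(name)s: %(message)s")
AUDIT = logging.getLogger("accounting")  # the third A: who did what, and when

# Constructed server-side state: sessions issued at login, and account ownership
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
ACCOUNTS = {
    "acct-1001": {"owner": "alice", "balance": 250.0},
    "acct-2002": {"owner": "bob", "balance": 90.0},
}


class AuthError(Exception):
    """Raised for both unauthenticated and unauthorized requests."""


def vulnerable_get_account(account_id):
    """'The ID in the request manages it all': no caller identity, no ownership check."""
    return ACCOUNTS[account_id]


def get_account(token, account_id):
    """Authenticate (token -> user), authorize (user owns account), account (log)."""
    user = SESSIONS.get(token)
    if user is None:
        AUDIT.info("denied: invalid token, account=%s", account_id)
        raise AuthError("authentication required")
    record = ACCOUNTS.get(account_id)
    # Same answer for 'does not exist' and 'not yours', so ids reveal nothing
    if record is None or record["owner"] != user:
        AUDIT.info("denied: user=%s account=%s", user, account_id)
        raise AuthError("not found")
    AUDIT.info("allowed: user=%s account=%s", user, account_id)
    return record


def can_read(token, account_id):
    """Boolean view of get_account, convenient for policy tests."""
    try:
        get_account(token, account_id)
        return True
    except AuthError:
        return False


if __name__ == "__main__":
    print(get_account("tok-alice", "acct-1001")["balance"])   # 250.0
    print(can_read("tok-alice", "acct-2002"))                 # False
    print(vulnerable_get_account("acct-2002")["owner"])      # bob: anyone can read it
```

The vulnerable variant is kept beside the fixed one to make the difference visible: it has no notion of who is asking, so any client that can guess or increment an account id reads it. The fixed handler derives the identity only from the token and never from request parameters.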
MN. THE REST OF THE TOP VULNERABILITIES
Some frameworks are new, cool and untested
Some functions are deprecated
Sometimes debugging is left enabled and forgotten
Sometimes there are weird reactions to certain actions
POC
Turn off your camera
Thou shalt not speak about this PoC
This will not be public for the good of this fellow... (me)
IMAGES AVAILABLE LIVE ONLY
Sorry :)
A WORD ON MOBILE INSECURITY
Know your framework
Know your platform
Use well-known cryptographic implementations
Secure channels please! (certbot might help you get free trusted certificates)
Look for deprecated functions
Care about debugging, but remember to disable it when you finish debugging
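"Debugging is left enabled and forgotten" (from the MN slide) and "remember to disable it when you finish debugging" (above) are things a release check can catch mechanically. The block below is an added example, not from the talk: a small pre-release audit of an Android manifest that flags `android:debuggable="true"` and `android:usesCleartextTraffic="true"` (the second is the M3 point, plain HTTP allowed). Both manifests are constructed for the demo; the `com.example.demo` package name and activity are placeholders.

```python
"""Added example (not from the talk): pre-release audit of AndroidManifest.xml
for a debug build flag and cleartext traffic left enabled."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest with both findings present (placeholder package name)
DEBUG_MANIFEST = f"""
<manifest xmlns:android="{ANDROID_NS}" package="com.example.demo">
  <application android:label="Demo"
               android:debuggable="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true"/>
  </application>
</manifest>"""

# Constructed release manifest: debugging off, cleartext attribute absent
RELEASE_MANIFEST = f"""
<manifest xmlns:android="{ANDROID_NS}" package="com.example.demo">
  <application android:label="Demo" android:debuggable="false">
    <activity android:name=".MainActivity" android:exported="true"/>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return a list of findings (empty means the manifest passed both checks)."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return ["no <application> element found"]

    def android_attr(name):
        # Namespaced attributes are keyed as {namespace}name by ElementTree
        return app.get(f"{{{ANDROID_NS}}}{name}")

    findings = []
    if android_attr("debuggable") == "true":
        findings.append("android:debuggable=true: a debugger can attach to the shipped app")
    if android_attr("usesCleartextTraffic") == "true":
        findings.append("android:usesCleartextTraffic=true: plain HTTP is allowed")
    return findings


def audit_manifest_file(path):
    """Same check over a manifest on disk, for use in a build script."""
    with open(path, encoding="utf-8") as fh:
        return audit_manifest(fh.read())


if __name__ == "__main__":
    for label, text in (("debug", DEBUG_MANIFEST), ("release", RELEASE_MANIFEST)):
        print(label, audit_manifest(text) or "OK")
```

Wire `audit_manifest_file` into the release pipeline and fail the build on any finding; that turns "remember to disable it" from a habit into a check that cannot be forgotten.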
A WORD ON MOBILE INSECURITY II
The apps that you use: you wouldn't like to see them broken, exposing your information
If information gets leaked, you may face your clients' anger (and the law...)
Care about Information Security
Do some penetration testing
Or hire a good pentester
Train!
WHERE CAN I TRAIN?
Never pay for expensive training (unless you really want it); there are a lot of good free resources.
Click these to follow the training...
ANDROID -> InsecureBankv2
iOS -> Damn Vulnerable iOS Application
Others -> You should solve both...
Devour the OWASP stuff
QUESTIONS?
FYI:
http://fcastaneda.herokuapp.com/f/c/g/mobileday.pdf
@f99942 || @fcg99942
fernando.castaneda@cert.unam.mx
6665726e616e646f@gmail.com
THANKS!!!!!!!!!!

Mobile Day - App (In)security