© Copyright 2013 Coveros, Inc. All rights reserved.
Tips and Tricks for Building
Secure Mobile Applications
Jeffery Payne
Chief Executive Officer, Coveros, Inc.
jeff.payne@coveros.com
www.coveros.com
Twitter: @jefferyepayne
Bio
Jeffery Payne
Jeffery Payne is CEO and founder of Coveros, Inc., a software company that
helps organizations accelerate the delivery of secure, reliable software. Coveros
uses agile development methods and a proven software assurance framework to
build security and quality into software from the ground up. Prior to founding
Coveros, Jeffery was Chairman of the Board, CEO, and co-founder of Cigital, Inc.
Under his direction, Cigital became a leader in software security and software
quality solutions, helping clients mitigate the risk of software failure. Jeffery is a
recognized software expert and popular speaker at both business and technology
conferences on a variety of software quality, security, and agile development
topics. He has also testified before Congress on issues of national importance,
including intellectual property rights, cyber-terrorism, software research funding,
and software quality.
About Coveros
Areas of Expertise
• Coveros helps organizations accelerate the delivery of secure, reliable software
• Our consulting services:
– Agile software development
– Application security
– Software quality assurance
• Agile services
– Agility assessments
– Process improvement
– Hands-on agile software development
– Agile project management
– Agile testing and automation
– Agile training by role
Agenda
• Mobile applications: the perfect security storm
– Typical architecture(s)
– A changing threat model
• Mobile risks and development strategies
– Local storage
– Session management
– Untrusted clients
– Native code
– Mobile platforms
– Traditional risks
• Getting more help
Mobile Apps: The Perfect Security Storm
[Architecture diagram: smartphones, tablets, and laptops with mobile data modems reach the Internet over the cell network and connectivity gateways, and from there a web server, an app server, and a database holding the software apps and data. Concerns marked on the diagram: fat client concerns; untrusted apps; untrusted users; traditional web security concerns; traditional software security concerns.]
A Changing Threat Model
• New Attack Profiles
– Increased access by malicious users
– Malicious 3rd-party applications
– Increased information for attacking application back-ends
• Fluid Trust Boundaries
– Level of trust necessary to use 3rd-party applications
– Local access to sensitive data
• Nuances of Mobile Platforms
– Differing security models
– Different vulnerabilities due to programming languages
Mobile App Security
Mobile Risks
• Local storage – Storage of data (implicitly or explicitly) on a device
• Session management – Managing the on-going interactions between a mobile app user and the rest of a distributed environment
• Untrusted clients – Client requests might not be legitimate
• Native code – Native code is still prevalent in mobile applications
• Mobile platforms – How the device (and OS) configures and controls apps
• Traditional risks – Other risks we already know about
Mobile App Security: Best Practices
Do Not Allow Storage of Sensitive Data on Devices
• Why?
– Devices use flash memory for local storage
– External devices have global data permissions
– Data encryption libraries and key management functions are often misused by developers
– UI screens are captured and stored in “temporary” storage
• What to do
– Store sensitive data on back-end servers behind a firewall
– Replace sensitive data that must be entered / displayed on the UI with replacement tokens or partial data when it doesn’t need to be fully viewable
– If you must store some data locally, use encryption routines and a computational key derivation function for generating keys
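As an added example (not from the slides or from Coveros), the last two "What to do" items in Python: a PBKDF2 key derivation for anything that must be stored locally, shown beside the unsalted-hash misuse the slide warns about, and masking a value so only partial data ever reaches the UI. The iteration count, the minimum, and the sample PIN and card number are constructed values for this example.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example: tune the iteration count to the
# device's CPU budget, and never go below what the platform recommends.
PBKDF2_ITERATIONS = 200_000
MIN_ITERATIONS = 10_000
SALT_BYTES = 16
KEY_BYTES = 32


def new_salt() -> bytes:
    """Fresh random salt, generated once per installation and stored next to
    the ciphertext. The salt is not secret; the derived key is."""
    return os.urandom(SALT_BYTES)


def derive_storage_key(user_secret: str, salt: bytes,
                       iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Computational key derivation: PBKDF2-HMAC-SHA256 turns a user PIN or
    passphrase into a 256-bit key for the platform cipher. The key lives only
    in memory; what is written to flash is the salt and the ciphertext."""
    if len(salt) < SALT_BYTES:
        raise ValueError("salt too short")
    if iterations < MIN_ITERATIONS:
        raise ValueError("iteration count too low for a key derivation function")
    return hashlib.pbkdf2_hmac("sha256", user_secret.encode("utf-8"),
                               salt, iterations, dklen=KEY_BYTES)


def naive_key(user_secret: str) -> bytes:
    """The misuse the slide warns about: a bare hash with no salt and no work
    factor. Every device sharing a PIN gets the same key, and a lost device's
    key can be brute-forced at raw hash speed."""
    return hashlib.sha256(user_secret.encode("utf-8")).digest()


def keys_equal(a: bytes, b: bytes) -> bool:
    """Constant-time comparison so a key check does not leak timing."""
    return hmac.compare_digest(a, b)


def mask_for_display(value: str, visible_suffix: int = 4,
                     mask_char: str = "*") -> str:
    """Partial data for the UI: keep only the last `visible_suffix` characters
    so screenshots and UI caches never capture the full value."""
    compact = value.replace(" ", "").replace("-", "")
    if len(compact) <= visible_suffix:
        return mask_char * len(compact)
    return mask_char * (len(compact) - visible_suffix) + compact[-visible_suffix:]


if __name__ == "__main__":
    salt_a, salt_b = new_salt(), new_salt()
    key_a = derive_storage_key("1234", salt_a)   # constructed PIN
    key_b = derive_storage_key("1234", salt_b)
    print("same PIN, different salts, different keys:", not keys_equal(key_a, key_b))
    print("same PIN, unsalted hash, identical keys:",
          keys_equal(naive_key("1234"), naive_key("1234")))
    print(mask_for_display("4111 1111 1111 1111"))   # constructed card number
```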
Make Sure Sessions Are Managed Carefully
• Why?
– Mobile application sessions tend to be left open longer on mobile devices to support mobile app use cases
– Untrusted applications that are malicious can compromise your applications if session management isn’t secure
– People often leave their phones lying around …
• What to do
– Automatically terminate idle sessions after no more than 5 minutes if the application is security-critical
– Do not use the device identifier / MEID as a session token
– Support token revocation, including the ability to revoke tokens remotely
– Use only temporary session keys (to thwart ‘replay attacks’)
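As an added example (not from the slides or from Coveros), a server-side session store in Python that applies the four "What to do" items: opaque random tokens instead of a device identifier, a 5-minute idle timeout, remote revocation of one token or of every token for a user, and token rotation so any token is only temporary. The injectable clock is an assumption made so the timeout can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_SECONDS = 5 * 60   # the slide's limit for security-critical apps
TOKEN_BYTES = 32                # 256 bits of entropy per session token


@dataclass
class Session:
    user_id: str
    last_seen: float
    revoked: bool = False


class SessionStore:
    """Server-side session store. Tokens are random and opaque: nothing about
    the user or device can be derived from them, and they are useless once
    expired, rotated, or revoked."""

    def __init__(self, clock: Callable[[], float] = time.monotonic,
                 idle_timeout: float = IDLE_TIMEOUT_SECONDS) -> None:
        self._clock = clock
        self._idle_timeout = idle_timeout
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str) -> str:
        # Never the device identifier / MEID: that value is static, visible to
        # every app on the device, and cannot be rotated or revoked.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[token] = Session(user_id, self._clock())
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user id for a live session, else None. A successful
        check refreshes the idle timer; an expired session is deleted."""
        session = self._sessions.get(token)
        if session is None or session.revoked:
            return None
        now = self._clock()
        if now - session.last_seen > self._idle_timeout:
            del self._sessions[token]      # idle too long: terminate, do not extend
            return None
        session.last_seen = now
        return session.user_id

    def rotate(self, token: str) -> Optional[str]:
        """Issue a fresh token for a live session and retire the old one, so a
        token that leaks (or is replayed) has a short useful life."""
        user_id = self.validate(token)
        if user_id is None:
            return None
        del self._sessions[token]
        return self.create(user_id)

    def revoke(self, token: str) -> bool:
        """Revoke one token (for example on explicit logout)."""
        session = self._sessions.get(token)
        if session is None:
            return False
        session.revoked = True
        return True

    def revoke_user(self, user_id: str) -> int:
        """Remote revocation: kill every session for an account, for example
        when the user reports the phone lost. Returns how many were revoked."""
        count = 0
        for session in self._sessions.values():
            if session.user_id == user_id and not session.revoked:
                session.revoked = True
                count += 1
        return count
```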
Assume No Client (or App) Is Trustworthy
• Why?
– The increased threat of mobile device compromise means no client / app requesting information can be trusted
– Trusted apps may have been misconfigured to allow easy compromise
• What to do
– Make sure lower levels of encryption (export grade) have been disabled on the back-end servers
– Validate the integrity of all data received from a client or other application (trust no one!)
– Sanitize all data received from a client or other input
– Return the minimum amount of information to the user when an error has occurred
– Move all default directories on all servers
– Do not allow software to be installed/configured with default passwords
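As an added example (not from the slides or from Coveros), a Python request handler that applies three of the "What to do" items to a constructed transfer request: it checks an HMAC over the body before trusting anything in it, validates and sanitizes every field against a strict schema, and answers failures with a generic message plus an opaque reference while the real reason goes only to the server log. The field names, limits, and the per-session HMAC key are assumptions for this example.

```python
import hashlib
import hmac
import json
import logging
import re
import secrets
from typing import Dict, Tuple

log = logging.getLogger("mobile-api")

# Constructed schema for this example: a transfer request with three fields.
ALLOWED_FIELDS = {"account", "amount_cents", "memo"}
ACCOUNT_RE = re.compile(r"[0-9]{8,12}")
MAX_AMOUNT_CENTS = 1_000_000
MAX_MEMO_CHARS = 64


def encode_request(fields: Dict[str, object]) -> bytes:
    """Canonical encoding used by the (assumed) client before signing."""
    return json.dumps(fields, separators=(",", ":"), sort_keys=True).encode("utf-8")


def sign_body(key: bytes, body: bytes) -> str:
    """Client-side signing with a per-session key (assumed to be shared at
    login). Included so the round trip can be exercised end to end."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_body(key: bytes, body: bytes, presented_sig: str) -> bool:
    """Integrity check before any parsing: a tampered or unsigned body is
    rejected without looking inside it. Constant-time comparison."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, presented_sig)


def parse_transfer(body: bytes) -> Dict[str, object]:
    """Strict validation: unknown fields, wrong types, and out-of-range values
    are errors; free text is reduced to printable characters and bounded."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("body is not an object")
    unknown = set(data) - ALLOWED_FIELDS
    if unknown:
        raise ValueError(f"unexpected fields {sorted(unknown)}")
    account = data.get("account")
    if not isinstance(account, str) or not ACCOUNT_RE.fullmatch(account):
        raise ValueError("account must be 8-12 digits")
    amount = data.get("amount_cents")
    if (not isinstance(amount, int) or isinstance(amount, bool)
            or not 1 <= amount <= MAX_AMOUNT_CENTS):
        raise ValueError("amount_cents out of range or not an integer")
    memo = data.get("memo", "")
    if not isinstance(memo, str):
        raise ValueError("memo must be a string")
    memo = "".join(ch for ch in memo if ch.isprintable())[:MAX_MEMO_CHARS]
    return {"account": account, "amount_cents": amount, "memo": memo}


def handle_transfer(key: bytes, body: bytes, sig: str) -> Tuple[int, Dict[str, object]]:
    """Returns (HTTP status, JSON-able response). The client only ever sees a
    generic message and a reference id; the detailed reason is logged."""
    if not verify_body(key, body, sig):
        ref = secrets.token_hex(8)
        log.warning("ref=%s signature check failed", ref)
        return 401, {"error": "request rejected", "ref": ref}
    try:
        req = parse_transfer(body)
    except ValueError as exc:           # json.JSONDecodeError is a ValueError
        ref = secrets.token_hex(8)
        log.warning("ref=%s invalid client input: %s", ref, exc)
        return 400, {"error": "invalid request", "ref": ref}
    return 200, {"status": "accepted", "account": req["account"],
                 "amount_cents": req["amount_cents"]}
```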
Test Native Code for Known Vulnerabilities
• Why?
– Mobile platforms often support the development of native code applications that are vulnerable to traditional attacks
– Software written for Apple devices is written in Objective-C, and Java can call native code
– VMs often include vulnerabilities!
• What to do
– Use Address Space Layout Randomization (ASLR) to combat overflow attacks
– Perform traditional secure code scanning on all native code as part of the software development process
– Avoid using native code if possible
Understand Your Mobile Platform
• Why?
– Each platform uses a different security model
– Each platform manages applications differently
• What to learn
– Learn how applications store data, protect it from access, and when data is physically deleted from the device
– Understand the default configurations for applications, browsers, and communication protocols
– Learn how and when information is cached, keyboard keys are logged, and screenshots are saved
– Understand how libraries are loaded and run (and in what order)
Don’t Forget About Traditional Risks
• Why?
– Mobile applications are often just mobile front-ends for our traditional systems (banking, e-commerce, etc.)
– MySQL often ships with devices and is susceptible to SQL injection
– Web vulnerabilities exist in thin-client mobile apps
• What to do
– Check for SQL injection
– Check for web application security issues (XSS, CSRF, etc.)
Getting Smarter
• OWASP Mobile Security Project
– https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
• Coveros Labs – R&D in:
– Secure mobile development
– Malicious code analysis
– Cloud security
– http://www.coveros.com/content/coveros-labs
Questions?
Thank You
Contact Information:
Jeffery Payne
jeff.payne@coveros.com
703.431.2920

More Related Content

Viewers also liked

STAREAST 2015 Lightning Strikes the Keynotes
STAREAST 2015 Lightning Strikes the KeynotesSTAREAST 2015 Lightning Strikes the Keynotes
STAREAST 2015 Lightning Strikes the KeynotesTechWell
 
Blunders in Test Automation
Blunders in Test AutomationBlunders in Test Automation
Blunders in Test AutomationTechWell
 
Managing Technological Diversity: Avoid Boiling the Ocean
Managing Technological Diversity: Avoid Boiling the OceanManaging Technological Diversity: Avoid Boiling the Ocean
Managing Technological Diversity: Avoid Boiling the OceanTechWell
 
Manage a Complex Test Effort with Lean and Kanban
Manage a Complex Test Effort with Lean and KanbanManage a Complex Test Effort with Lean and Kanban
Manage a Complex Test Effort with Lean and KanbanTechWell
 
When Testers Feel Left Out in the Cold
When Testers Feel Left Out in the ColdWhen Testers Feel Left Out in the Cold
When Testers Feel Left Out in the ColdTechWell
 
Avoiding Over Design and Under Design
Avoiding Over Design and Under DesignAvoiding Over Design and Under Design
Avoiding Over Design and Under DesignTechWell
 
The Changing Face of Test Management in an Agile World
The Changing Face of Test Management in an Agile WorldThe Changing Face of Test Management in an Agile World
The Changing Face of Test Management in an Agile WorldTechWell
 
Automating End-to-End Business Scenario Testing
Automating End-to-End Business Scenario TestingAutomating End-to-End Business Scenario Testing
Automating End-to-End Business Scenario TestingTechWell
 

Viewers also liked (8)

STAREAST 2015 Lightning Strikes the Keynotes
STAREAST 2015 Lightning Strikes the KeynotesSTAREAST 2015 Lightning Strikes the Keynotes
STAREAST 2015 Lightning Strikes the Keynotes
 
Blunders in Test Automation
Blunders in Test AutomationBlunders in Test Automation
Blunders in Test Automation
 
Managing Technological Diversity: Avoid Boiling the Ocean
Managing Technological Diversity: Avoid Boiling the OceanManaging Technological Diversity: Avoid Boiling the Ocean
Managing Technological Diversity: Avoid Boiling the Ocean
 
Manage a Complex Test Effort with Lean and Kanban
Manage a Complex Test Effort with Lean and KanbanManage a Complex Test Effort with Lean and Kanban
Manage a Complex Test Effort with Lean and Kanban
 
When Testers Feel Left Out in the Cold
When Testers Feel Left Out in the ColdWhen Testers Feel Left Out in the Cold
When Testers Feel Left Out in the Cold
 
Avoiding Over Design and Under Design
Avoiding Over Design and Under DesignAvoiding Over Design and Under Design
Avoiding Over Design and Under Design
 
The Changing Face of Test Management in an Agile World
The Changing Face of Test Management in an Agile WorldThe Changing Face of Test Management in an Agile World
The Changing Face of Test Management in an Agile World
 
Automating End-to-End Business Scenario Testing
Automating End-to-End Business Scenario TestingAutomating End-to-End Business Scenario Testing
Automating End-to-End Business Scenario Testing
 

More from TechWell

Failing and Recovering
Failing and RecoveringFailing and Recovering
Failing and RecoveringTechWell
 
Instill a DevOps Testing Culture in Your Team and Organization
Instill a DevOps Testing Culture in Your Team and Organization Instill a DevOps Testing Culture in Your Team and Organization
Instill a DevOps Testing Culture in Your Team and Organization TechWell
 
Test Design for Fully Automated Build Architecture
Test Design for Fully Automated Build ArchitectureTest Design for Fully Automated Build Architecture
Test Design for Fully Automated Build ArchitectureTechWell
 
System-Level Test Automation: Ensuring a Good Start
System-Level Test Automation: Ensuring a Good StartSystem-Level Test Automation: Ensuring a Good Start
System-Level Test Automation: Ensuring a Good StartTechWell
 
Build Your Mobile App Quality and Test Strategy
Build Your Mobile App Quality and Test StrategyBuild Your Mobile App Quality and Test Strategy
Build Your Mobile App Quality and Test StrategyTechWell
 
Testing Transformation: The Art and Science for Success
Testing Transformation: The Art and Science for SuccessTesting Transformation: The Art and Science for Success
Testing Transformation: The Art and Science for SuccessTechWell
 
Implement BDD with Cucumber and SpecFlow
Implement BDD with Cucumber and SpecFlowImplement BDD with Cucumber and SpecFlow
Implement BDD with Cucumber and SpecFlowTechWell
 
Develop WebDriver Automated Tests—and Keep Your Sanity
Develop WebDriver Automated Tests—and Keep Your SanityDevelop WebDriver Automated Tests—and Keep Your Sanity
Develop WebDriver Automated Tests—and Keep Your SanityTechWell
 
Eliminate Cloud Waste with a Holistic DevOps Strategy
Eliminate Cloud Waste with a Holistic DevOps StrategyEliminate Cloud Waste with a Holistic DevOps Strategy
Eliminate Cloud Waste with a Holistic DevOps StrategyTechWell
 
Transform Test Organizations for the New World of DevOps
Transform Test Organizations for the New World of DevOpsTransform Test Organizations for the New World of DevOps
Transform Test Organizations for the New World of DevOpsTechWell
 
The Fourth Constraint in Project Delivery—Leadership
The Fourth Constraint in Project Delivery—LeadershipThe Fourth Constraint in Project Delivery—Leadership
The Fourth Constraint in Project Delivery—LeadershipTechWell
 
Resolve the Contradiction of Specialists within Agile Teams
Resolve the Contradiction of Specialists within Agile TeamsResolve the Contradiction of Specialists within Agile Teams
Resolve the Contradiction of Specialists within Agile TeamsTechWell
 
Pin the Tail on the Metric: A Field-Tested Agile Game
Pin the Tail on the Metric: A Field-Tested Agile GamePin the Tail on the Metric: A Field-Tested Agile Game
Pin the Tail on the Metric: A Field-Tested Agile GameTechWell
 
Agile Performance Holarchy (APH)—A Model for Scaling Agile Teams
Agile Performance Holarchy (APH)—A Model for Scaling Agile TeamsAgile Performance Holarchy (APH)—A Model for Scaling Agile Teams
Agile Performance Holarchy (APH)—A Model for Scaling Agile TeamsTechWell
 
A Business-First Approach to DevOps Implementation
A Business-First Approach to DevOps ImplementationA Business-First Approach to DevOps Implementation
A Business-First Approach to DevOps ImplementationTechWell
 
Databases in a Continuous Integration/Delivery Process
Databases in a Continuous Integration/Delivery ProcessDatabases in a Continuous Integration/Delivery Process
Databases in a Continuous Integration/Delivery ProcessTechWell
 
Mobile Testing: What—and What Not—to Automate
Mobile Testing: What—and What Not—to AutomateMobile Testing: What—and What Not—to Automate
Mobile Testing: What—and What Not—to AutomateTechWell
 
Cultural Intelligence: A Key Skill for Success
Cultural Intelligence: A Key Skill for SuccessCultural Intelligence: A Key Skill for Success
Cultural Intelligence: A Key Skill for SuccessTechWell
 
Turn the Lights On: A Power Utility Company's Agile Transformation
Turn the Lights On: A Power Utility Company's Agile TransformationTurn the Lights On: A Power Utility Company's Agile Transformation
Turn the Lights On: A Power Utility Company's Agile TransformationTechWell
 

More from TechWell (20)

Failing and Recovering
Failing and RecoveringFailing and Recovering
Failing and Recovering
 
Instill a DevOps Testing Culture in Your Team and Organization
Instill a DevOps Testing Culture in Your Team and Organization Instill a DevOps Testing Culture in Your Team and Organization
Instill a DevOps Testing Culture in Your Team and Organization
 
Test Design for Fully Automated Build Architecture
Test Design for Fully Automated Build ArchitectureTest Design for Fully Automated Build Architecture
Test Design for Fully Automated Build Architecture
 
System-Level Test Automation: Ensuring a Good Start
System-Level Test Automation: Ensuring a Good StartSystem-Level Test Automation: Ensuring a Good Start
System-Level Test Automation: Ensuring a Good Start
 
Build Your Mobile App Quality and Test Strategy
Build Your Mobile App Quality and Test StrategyBuild Your Mobile App Quality and Test Strategy
Build Your Mobile App Quality and Test Strategy
 
Testing Transformation: The Art and Science for Success
Testing Transformation: The Art and Science for SuccessTesting Transformation: The Art and Science for Success
Testing Transformation: The Art and Science for Success
 
Implement BDD with Cucumber and SpecFlow
Implement BDD with Cucumber and SpecFlowImplement BDD with Cucumber and SpecFlow
Implement BDD with Cucumber and SpecFlow
 
Develop WebDriver Automated Tests—and Keep Your Sanity
Develop WebDriver Automated Tests—and Keep Your SanityDevelop WebDriver Automated Tests—and Keep Your Sanity
Develop WebDriver Automated Tests—and Keep Your Sanity
 
Ma 15
Ma 15Ma 15
Ma 15
 
Eliminate Cloud Waste with a Holistic DevOps Strategy
Eliminate Cloud Waste with a Holistic DevOps StrategyEliminate Cloud Waste with a Holistic DevOps Strategy
Eliminate Cloud Waste with a Holistic DevOps Strategy
 
Transform Test Organizations for the New World of DevOps
Transform Test Organizations for the New World of DevOpsTransform Test Organizations for the New World of DevOps
Transform Test Organizations for the New World of DevOps
 
The Fourth Constraint in Project Delivery—Leadership
The Fourth Constraint in Project Delivery—LeadershipThe Fourth Constraint in Project Delivery—Leadership
The Fourth Constraint in Project Delivery—Leadership
 
Resolve the Contradiction of Specialists within Agile Teams
Resolve the Contradiction of Specialists within Agile TeamsResolve the Contradiction of Specialists within Agile Teams
Resolve the Contradiction of Specialists within Agile Teams
 
Pin the Tail on the Metric: A Field-Tested Agile Game
Pin the Tail on the Metric: A Field-Tested Agile GamePin the Tail on the Metric: A Field-Tested Agile Game
Pin the Tail on the Metric: A Field-Tested Agile Game
 
Agile Performance Holarchy (APH)—A Model for Scaling Agile Teams
Agile Performance Holarchy (APH)—A Model for Scaling Agile TeamsAgile Performance Holarchy (APH)—A Model for Scaling Agile Teams
Agile Performance Holarchy (APH)—A Model for Scaling Agile Teams
 
A Business-First Approach to DevOps Implementation
A Business-First Approach to DevOps ImplementationA Business-First Approach to DevOps Implementation
A Business-First Approach to DevOps Implementation
 
Databases in a Continuous Integration/Delivery Process
Databases in a Continuous Integration/Delivery ProcessDatabases in a Continuous Integration/Delivery Process
Databases in a Continuous Integration/Delivery Process
 
Mobile Testing: What—and What Not—to Automate
Mobile Testing: What—and What Not—to AutomateMobile Testing: What—and What Not—to Automate
Mobile Testing: What—and What Not—to Automate
 
Cultural Intelligence: A Key Skill for Success
Cultural Intelligence: A Key Skill for SuccessCultural Intelligence: A Key Skill for Success
Cultural Intelligence: A Key Skill for Success
 
Turn the Lights On: A Power Utility Company's Agile Transformation
Turn the Lights On: A Power Utility Company's Agile TransformationTurn the Lights On: A Power Utility Company's Agile Transformation
Turn the Lights On: A Power Utility Company's Agile Transformation
 

Recently uploaded

Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceanilsa9823
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 

Recently uploaded (20)

Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 

Tips and Tricks for Building Secure Mobile Apps

  • 1. 1© Copyright 2013 Coveros, Inc.. All rights reserved. Tips and Tricks for Building Secure Mobile Applications Jeffery Payne Chief Executive Officer, Coveros, Inc. jeff.payne@coveros.com www.coveros.com Twitter: @jefferyepayne
  • 2. 2© Copyright 2013 Coveros, Inc.. All rights reserved. Bio Jeffery Payne Jeffery Payne is CEO and founder of Coveros, Inc., a software company that helps organizations accelerate the delivery of secure, reliable software. Coveros uses agile development methods and a proven software assurance framework to build security and quality into software from the ground up. Prior to founding Coveros, Jeffery was Chairman of the Board, CEO, and co-founder of Cigital, Inc. Under his direction, Cigital became a leader in software security and software quality solutions, helping clients mitigate the risk of software failure. Jeffery is a recognized software expert and popular speaker at both business and technology conferences on a variety of software quality, security, and agile development topics. He has also testified before Congress on issues of national importance, including intellectual property rights, cyber-terrorism, software research funding, and software quality.
  • 3. 3© Copyright 2013 Coveros, Inc.. All rights reserved.  Coveros helps organizations accelerate the delivery of secure, reliable software  Our consulting services: – Agile software development – Application security – Software quality assurance  Agile services – Agility assessments – Process improvement – Hands-on agile software development – Agile project management – Agile testing and automation – Agile training by role About Coveros Areas of Expertise
  • 4. 4© Copyright 2013 Coveros, Inc.. All rights reserved. Agenda  Mobile applications: the perfect security storm – Typical architecture(s) – A changing threat model  Mobile risks and development strategies – Local storage – Session management – Untrusted clients – Native code – Mobile platforms – Traditional risks  Getting more help
  • 5. 5© Copyright 2013 Coveros, Inc.. All rights reserved. Mobile Apps: The Perfect Security Storm Smartphones Database Connectivity Gateways Tablets Cell Network Laptops with mobile data modems Internet App server Web server Sw Apps & Data Fat client concerns Untrusted apps Untrusted users Traditional web security concerns Traditional sw security concerns
  • 6. 6© Copyright 2013 Coveros, Inc.. All rights reserved. A Changing Threat Model  New Attack Profiles – Increased access by malicious users – Malicious 3rd party applications – Increased information for attacking application back-ends  Fluid Trust Boundaries – Level of trust necessary to use 3rd party applications – Local access to sensitive data  Nuances of Mobile Platforms – Differing security models – Different vulnerabilities due to programming languages Mobile Apps: The Perfect Security Storm
Mobile Risks
 Local storage
– Storage of data (implicitly or explicitly) on a device
 Session management
– Managing the on-going interactions between a mobile app user and the rest of a distributed environment
 Untrusted clients
– Client requests might not be legitimate
 Native Code
– Native code is still prevalent in mobile applications
 Mobile Platforms
– How the device (and OS) configures and controls apps
 Traditional Risks
– Other risks we already know about
Mobile App Security
Do Not Allow Storage of Sensitive Data on Devices
 Why?
– Devices use flash memory for local storage
– External devices have global data permissions
– Data encryption libraries and key management functions are often misused by developers
– UI screens are captured and stored in “temporary” storage
 What to do
– Store sensitive data on back-end servers behind a firewall
– Replace sensitive data that must be entered / displayed on the UI with replacement tokens or partial data when it doesn’t need to be fully viewable
– If you must store some data locally, use encryption routines and a computational key derivation function for generating keys
Mobile App Security: Best Practices
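The three "what to do" items above in code, as an added example that is not from the Coveros deck: the back end keeps the real value and hands the client an opaque random token, the UI renders only a masked partial form, and, if something must live on the device, the encryption key is derived with a salted, iterated KDF (PBKDF2-HMAC-SHA256 from the standard library) rather than hard-coded or taken from a single unsalted hash. The in-memory vault dictionary and the iteration count are assumptions for the demonstration.

```python
"""Tokenize, mask, and derive keys for sensitive mobile data (added example)."""
import hashlib
import secrets
from typing import Dict

# Constructed stand-in for a back-end vault behind the firewall.
# In production this is a database the mobile client never reaches directly.
_VAULT: Dict[str, str] = {}


def tokenize(sensitive: str) -> str:
    """Store the real value server-side; return an unguessable token for the client."""
    token = "tok_" + secrets.token_urlsafe(16)   # 128 bits from the OS CSPRNG
    _VAULT[token] = sensitive
    return token


def detokenize(token: str) -> str:
    """Server-side only: resolve a token back to the real value."""
    return _VAULT[token]


def mask(value: str, visible: int = 4) -> str:
    """Partial-data rendering for the UI: everything but the last `visible` chars hidden."""
    if len(value) <= visible:
        return "*" * len(value)
    return "*" * (len(value) - visible) + value[-visible:]


# --- only if some data really must be stored on the device -----------------
PBKDF2_ITERATIONS = 200_000   # assumption: tune so derivation costs ~100 ms on target hardware


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Computational KDF: per-record random salt plus many iterations.

    The 32-byte result feeds the platform's authenticated cipher; the
    passphrase itself is never written to storage.
    """
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 random bytes")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def weak_key(passphrase: str) -> bytes:
    """The misuse the slide warns about: one unsalted hash round used directly as a key.

    Identical passphrases yield identical keys on every device, and the
    single round makes offline guessing cheap.
    """
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def new_salt() -> bytes:
    return secrets.token_bytes(16)
```

The token, not the card or account number, is what travels to and is cached on the device; `mask()` is what the screen shows, so a captured UI screenshot or a keyboard cache reveals at most the last four characters.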
Make Sure Sessions are Managed Carefully
 Why?
– Mobile application sessions tend to be left open longer on mobile devices to support mobile app use cases
– Untrusted applications that are malicious can compromise your applications if session management isn’t secure
– People often leave their phones lying around …
 What to do
– Terminate idle sessions automatically after no more than 5 minutes if the application is security-critical
– Do not use the device identifier / MEID as a session token
– Support token revocation that includes the ability to revoke tokens remotely
– Use only temporary session keys (to thwart ‘replay attacks’)
Mobile App Security: Best Practices
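A server-side session store that implements the four recommendations above, as an added example rather than code from the deck: a 5-minute idle timeout, tokens drawn from the OS CSPRNG that carry no device identity, revocation of one token or of every session a user holds (the remote "lost phone" case), and rotation of the token on every successful use so that a captured token cannot be replayed. The `SessionStore` class and the injectable clock are assumptions made so the timing behaviour can be exercised deterministically.

```python
"""Idle-timeout, random, revocable, rotating session tokens (added example)."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

IDLE_TIMEOUT_SECONDS = 5 * 60   # the slide's bound for a security-critical app


@dataclass
class Session:
    user_id: str
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}
        self._by_user: Dict[str, Set[str]] = {}

    @staticmethod
    def _new_token() -> str:
        # 256 random bits; never the IMEI/MEID, the advertising id or anything derived from the device
        return secrets.token_urlsafe(32)

    def _add(self, user_id: str, now: float) -> str:
        token = self._new_token()
        self._sessions[token] = Session(user_id, now)
        self._by_user.setdefault(user_id, set()).add(token)
        return token

    def _drop(self, token: str) -> None:
        sess = self._sessions.pop(token, None)
        if sess is not None:
            self._by_user.get(sess.user_id, set()).discard(token)

    def create(self, user_id: str) -> str:
        """Issue a fresh token after the user has authenticated."""
        return self._add(user_id, self._clock())

    def validate(self, token: str) -> Optional[Tuple[str, str]]:
        """Return (user_id, replacement_token) for a live session, else None.

        The presented token is retired immediately, so a replay of it is
        rejected; the client must use the replacement on its next request.
        """
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT_SECONDS:
            self._drop(token)            # idle too long: expire, do not renew
            return None
        self._drop(token)                # rotate: old key is now dead
        return sess.user_id, self._add(sess.user_id, now)

    def revoke(self, token: str) -> None:
        """Log out one device."""
        self._drop(token)

    def revoke_user(self, user_id: str) -> int:
        """Remote revocation of every session a user holds; returns how many were killed."""
        tokens = list(self._by_user.get(user_id, ()))
        for t in tokens:
            self._drop(t)
        return len(tokens)
```

Rotating on every request means a client that fires concurrent requests needs a short grace window or a request queue; the simplest variant shown here is strict, which is the right default for a banking-style app where each screen issues one call at a time.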
Assume No Client (or App) is Trustworthy
 Why?
– The increased threat of mobile device compromise means no client / App requesting information can be trusted
– Trusted apps may have been misconfigured to allow easy compromise
 What to do
– Make sure lower levels of encryption (export grade) have been disabled on the backend servers
– Validate the integrity of all data received from a client or other application (trust no one!)
– Sanitize all data received from a client or other input
– Return the minimum amount of information to the user when an error has occurred
– Move all default directories on all servers
– Do not allow software to be installed/configured with default passwords
Mobile App Security: Best Practices
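The "validate", "sanitize" and "minimum error information" items above as a request handler, an added example that is not from the deck: every field of a JSON body is checked against an allow-list schema (exact type, length bound, character pattern, numeric range), unknown fields are rejected outright, and on failure the client receives only a generic message with an opaque reference while the detailed reason goes to the server log. The `/transfer` schema, field names and limits are constructed for the illustration.

```python
"""Allow-list validation of client input with minimal error disclosure (added example)."""
import logging
import re
import secrets
from typing import Any, Dict, Tuple

log = logging.getLogger("api")

# Constructed schema for a hypothetical /transfer endpoint: every field is
# required, typed, bounded, and (for strings) limited to an explicit pattern.
SCHEMA: Dict[str, Dict[str, Any]] = {
    "account":      {"type": str, "max_len": 12, "pattern": re.compile(r"[0-9]{8,12}")},
    "amount_cents": {"type": int, "min": 1, "max": 1_000_000},
    "memo":         {"type": str, "max_len": 64, "pattern": re.compile(r"[\w .,-]*")},
}


class ValidationError(ValueError):
    """Detailed reason; logged server-side, never echoed to the client."""


def validate(body: Dict[str, Any]) -> Dict[str, Any]:
    """Return a cleaned copy containing only schema fields, or raise ValidationError."""
    unknown = set(body) - set(SCHEMA)
    if unknown:
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    clean: Dict[str, Any] = {}
    for name, rule in SCHEMA.items():
        if name not in body:
            raise ValidationError(f"missing field: {name}")
        value = body[name]
        # Exact type check: bool is a subclass of int, so isinstance() would let True through
        if type(value) is not rule["type"]:
            raise ValidationError(f"{name}: wrong type {type(value).__name__}")
        if rule["type"] is str:
            value = value.strip()
            if len(value) > rule["max_len"]:
                raise ValidationError(f"{name}: longer than {rule['max_len']}")
            if not rule["pattern"].fullmatch(value):
                raise ValidationError(f"{name}: disallowed characters")
        else:
            if not rule["min"] <= value <= rule["max"]:
                raise ValidationError(f"{name}: out of range")
        clean[name] = value
    return clean


def handle(body: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
    """Simulated endpoint: (status code, JSON response)."""
    try:
        clean = validate(body)
    except ValidationError as exc:
        ref = secrets.token_hex(6)                       # correlation id for support
        log.warning("rejected request %s: %s", ref, exc)  # detail stays on the server
        return 400, {"error": "invalid request", "ref": ref}
    return 200, {"ok": True, "data": clean}
```

Note that nothing from the offending value or the reason is reflected back: the reference id is what a support desk uses to find the logged detail.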
Test Native Code for Known Vulnerabilities
 Why?
– Mobile platforms often support the development of native code applications that are vulnerable to traditional attacks
– Software written for Apple devices is written in Objective-C; Java can call native code
– VMs often include vulnerabilities!
 What to do
– Use Address Space Layout Randomization (ASLR) to combat overflow attacks
– Perform traditional secure code scanning on all native code as part of the software development process
– Avoid using native code if possible
Mobile App Security: Best Practices
Understand Your Mobile Platform
 Why?
– Each platform uses a different security model
– Each platform manages applications differently
 What to learn
– Learn how applications store data, protect it from access, and when data is physically deleted from the device
– Understand the default configurations for applications, browsers, and communication protocols
– Learn how and when information is cached, keyboard keys are logged, and screenshots are saved
– Understand how libraries are loaded and run (and in what order)
Mobile App Security: Best Practices
Don’t Forget About Traditional Risks
 Why?
– Mobile applications are often just mobile front-ends for our traditional systems (banking, e-commerce, etc.)
– MySQL often ships with devices and is susceptible to SQL injection
– Web vulnerabilities exist in thin client mobile apps
 What to do
– Check for SQL injections
– Check for web application security issues (XSS, CSRF, etc.)
Mobile App Security: Best Practices
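The three traditional checks named above demonstrated against an in-memory SQLite table with constructed sample rows, as an added example (not from the deck): the string-built query that an injected value turns into a "return everything" query beside its parameterized form, output encoding for the XSS case, and a constant-time CSRF token comparison. The `accounts` table, its rows and the helper names are assumptions for the demonstration.

```python
"""SQL injection, XSS and CSRF checks behind a thin-client mobile app (added example)."""
import html
import hmac
import secrets
import sqlite3
from typing import List, Optional, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT NOT NULL, balance INTEGER NOT NULL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 250), ("carol", 75)])
    return conn


def balances_unsafe(conn: sqlite3.Connection, owner: str) -> List[Tuple[str, int]]:
    """Vulnerable: the client-supplied value becomes part of the SQL text."""
    sql = f"SELECT owner, balance FROM accounts WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def balances_safe(conn: sqlite3.Connection, owner: str) -> List[Tuple[str, int]]:
    """Fixed: the value is bound to a placeholder and can never alter the query."""
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


def render_memo(memo: str) -> str:
    """XSS defence for anything echoed into HTML: encode on output, every time."""
    return f'<p class="memo">{html.escape(memo, quote=True)}</p>'


def new_csrf_token() -> str:
    """Per-session secret embedded in forms / sent as a header by the app."""
    return secrets.token_urlsafe(32)


def csrf_ok(session_token: str, submitted: Optional[str]) -> bool:
    """Accept the state-changing request only if the submitted token matches.

    compare_digest avoids leaking the match position through timing.
    """
    if not session_token or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(session_token, submitted)
```

The same shape applies to any SQL driver that supports bound parameters; what matters for the check is that a test value containing a quote never changes the number of rows a query returns.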
Getting Smarter
 OWASP Mobile Security Project
– https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
 Coveros Labs – R&D in:
– Secure mobile development
– Malicious code analysis
– Cloud security
– http://www.coveros.com/content/coveros-labs
Mobile App Security
Questions?
Thank You
Contact Information:
Jeffery Payne
jeff.payne@coveros.com
703.431.2920