SlideShare une entreprise Scribd logo

Building secure mobile apps

Martin Vigo
Martin Vigo

This talk will be focused on how to develop secure mobile apps. We will look into specifics regarding mobile development and what are the best practices. We will make an emphasis on all issues affecting the mobile platform such as protocols, secure storage, secrets, caching, logging, etc.

Technologie
1  sur  19
Télécharger pour lire hors ligne
Building Secure Mobile Apps Sergey Gorbaty Senior Product Security Engineer @ser_gor Martin Vigo Associate Product Security Engineer @martin_vigo
Safe Harbor Safe harbor statement under the Private Securities Litigation ReformAct of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make.All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
Martin Vigo Product Security Engineer
Sergey Gorbaty Senior Product Security Engineer
Outline • Attacks on Mobile Apps • Developing Secure Mobile Apps • What Frameworks Help You With
Attacks on Mobile Apps
Mobile App Threats • Native Mobile App Threats – File system, DB Storage, Logs – Network Communication – Clipboard – Backups – RPC, URL scheme handlers • Web App Threats – Input validation • Session management • Web app logic flaws – Web vulnerabilities • XSS, CSRF • Injections – SQL, header
Native App Threats • File system – Excessive Logging – Storing credentials and sensitive data unencrypted – Hardcoded secrets – Cached data • Network Communication – Not using TLS/SSL – Using self-signed SSL in QA and not disabling in production – Not using proper session management • Clipboard – Any app can read all messages • Backups – Sensitive data can be backed up to PC/Cloud
Web App Threats • Application logic flaws – Skipping through Activities in Android applications – Malicious Intents launched from attacker’s website • Web security – Input validation • Accept any input – Output Encoding • Make sure the tainted data is sanitized • XSS • Header injections – Protecting sensitive actions • CSRF
Outline • Attacks on Mobile Apps • Developing Secure Mobile Apps • What Frameworks Help You With
Developing Secure Mobile Apps • iOS/OS X ‘Secure Coding Guide’ – Comprehensive, 120 pages long – Covers topics from buffer overflows to web vulnerabilities – https://developer.apple.com/library/iOs/documentation/Security/Conceptual/SecureCodingGuide/S ecureCodingGuide.pdf • Android.com ‘Security Tips’ – 6 articles on • Storing data • Using permissions • Using networking • Using RPC • Webview security – http://developer.android.com/training/articles/security-tips.html
Outline • Attacks on Mobile Apps • Developing Secure Mobile Apps • What Frameworks Help You With
Mobile Frameworks The breakdown • All focus on rapid development using HTML • Most provide easy ways of creating secure TLS connections • Fair amount provide authentication support • Few provide secure credential storage • Very few provide secure data storage
Protecting Data Salesforce Mobile SDK - github.com/forcedotcom • Uses proper peer reviewed crypto with random IV, cipher mode and padding • Secrets are properly stored – Keychain – AccountManager • PIN code support for added security • TLS • Cordova plugins are properly scoped • Limited amount of logging
Demo Looking at files inside Apple Sandbox - iExplorer
Hybrid Apps • Can access device internals through plugins – Camera, photos – Accelerometer, GPS, Compass, Gyroscope – Keychain – SD card – Etc.
Demo XSS with BEEF on Hybrid mobile app
Protecting Mobile Apps What to focus on • Follow best development practices – Brush up on OWASP top 10 mobile threats – Review official vendor recommendations – Follow recommendations for storing secrets and data – Exercise minimal logging – Using TLS – Use security frameworks, don’t roll your own crypto • Use free security assessment tools – HTTP traffic examination: Burp Suite, Fiddler, Charles Proxy – App sandbox examination: iExplorer, drozer, Android debugging bridge – Source code review: Findbugs, Brakeman, Scanjs
Building secure mobile apps

Recommandé

Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code ReviewsDenim Group
 
Tips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTechWell
 
Designing Secure Mobile Apps
Designing Secure Mobile AppsDesigning Secure Mobile Apps
Designing Secure Mobile AppsDenim Group
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Mykhailo Antonishyn
 
Tips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTechWell
 
Chapter 4
Chapter 4Chapter 4
Chapter 4NorazlinaAbdullah4
 
Jump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeJump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeDenim Group
 
Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011Symantec
 

Recommandé

Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code ReviewsDenim Group
 
Tips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTechWell
 
Designing Secure Mobile Apps
Designing Secure Mobile AppsDesigning Secure Mobile Apps
Designing Secure Mobile AppsDenim Group
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Mykhailo Antonishyn
 
Tips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTechWell
 
Chapter 4
Chapter 4Chapter 4
Chapter 4NorazlinaAbdullah4
 
Jump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeJump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeDenim Group
 
Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011Symantec
 
Mobile Browser Content Handling
Mobile Browser Content HandlingMobile Browser Content Handling
Mobile Browser Content HandlingDenim Group
 
Mobile Security
Mobile SecurityMobile Security
Mobile SecurityXavier Mertens
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsDenim Group
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applicationsGTestClub
 
2012 State of Mobile Survey Global Key Findings
2012 State of Mobile Survey Global Key Findings2012 State of Mobile Survey Global Key Findings
2012 State of Mobile Survey Global Key FindingsSymantec
 
Mobile Security for Smartphones and Tablets
Mobile Security for Smartphones and TabletsMobile Security for Smartphones and Tablets
Mobile Security for Smartphones and TabletsVince Verbeke
 
Bringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android EndpointBringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android EndpointHamilton Turner
 
Malware on Smartphones and Tablets: The Inconvenient Truth
Malware on Smartphones and Tablets: The Inconvenient TruthMalware on Smartphones and Tablets: The Inconvenient Truth
Malware on Smartphones and Tablets: The Inconvenient TruthIBM Security
 
Challenges in Testing Mobile App Security
Challenges in Testing Mobile App SecurityChallenges in Testing Mobile App Security
Challenges in Testing Mobile App SecurityCygnet Infotech
 
C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2Santosh Satam
 
New trends in Payments Security: NFC & Mobile
New trends in Payments Security: NFC & MobileNew trends in Payments Security: NFC & Mobile
New trends in Payments Security: NFC & MobileSISA Information Security Pvt.Ltd
 
2010: Mobile Security - WHYMCA Developer Conference
2010: Mobile Security - WHYMCA Developer Conference2010: Mobile Security - WHYMCA Developer Conference
2010: Mobile Security - WHYMCA Developer ConferenceFabio Pietrosanti
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthAGILLY
 
Understanding Your Attack Surface and Detecting & Mitigating External Threats
Understanding Your Attack Surface and Detecting & Mitigating External ThreatsUnderstanding Your Attack Surface and Detecting & Mitigating External Threats
Understanding Your Attack Surface and Detecting & Mitigating External ThreatsUlf Mattsson
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityDirk Nicol
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Mobile security
Mobile securityMobile security
Mobile securitypriyanka pandey
 
What’s the State of Your Endpoint Security?
What’s the State of Your Endpoint Security?What’s the State of Your Endpoint Security?
What’s the State of Your Endpoint Security?IBM Security
 
Mobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are AskingMobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are AskingLookout
 
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...IBM Security
 
Security Best Practices for Mobile Development @ Dreamforce 2013
Security Best Practices for Mobile Development @ Dreamforce 2013Security Best Practices for Mobile Development @ Dreamforce 2013
Security Best Practices for Mobile Development @ Dreamforce 2013Tom Gersic
 
Secure Salesforce: Hardened Apps with the Mobile SDK
Secure Salesforce: Hardened Apps with the Mobile SDKSecure Salesforce: Hardened Apps with the Mobile SDK
Secure Salesforce: Hardened Apps with the Mobile SDKMartin Vigo
 

Contenu connexe

Tendances

Mobile Browser Content Handling
Mobile Browser Content HandlingMobile Browser Content Handling
Mobile Browser Content HandlingDenim Group
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsDenim Group
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applicationsGTestClub
 
2012 State of Mobile Survey Global Key Findings
2012 State of Mobile Survey Global Key Findings2012 State of Mobile Survey Global Key Findings
2012 State of Mobile Survey Global Key FindingsSymantec
 
Mobile Security for Smartphones and Tablets
Mobile Security for Smartphones and TabletsMobile Security for Smartphones and Tablets
Mobile Security for Smartphones and TabletsVince Verbeke
 
Bringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android EndpointBringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android EndpointHamilton Turner
 
Malware on Smartphones and Tablets: The Inconvenient Truth
Malware on Smartphones and Tablets: The Inconvenient TruthMalware on Smartphones and Tablets: The Inconvenient Truth
Malware on Smartphones and Tablets: The Inconvenient TruthIBM Security
 
Challenges in Testing Mobile App Security
Challenges in Testing Mobile App SecurityChallenges in Testing Mobile App Security
Challenges in Testing Mobile App SecurityCygnet Infotech
 
C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2Santosh Satam
 
2010: Mobile Security - WHYMCA Developer Conference
2010: Mobile Security - WHYMCA Developer Conference2010: Mobile Security - WHYMCA Developer Conference
2010: Mobile Security - WHYMCA Developer ConferenceFabio Pietrosanti
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthAGILLY
 
Understanding Your Attack Surface and Detecting & Mitigating External Threats
Understanding Your Attack Surface and Detecting & Mitigating External ThreatsUnderstanding Your Attack Surface and Detecting & Mitigating External Threats
Understanding Your Attack Surface and Detecting & Mitigating External ThreatsUlf Mattsson
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityDirk Nicol
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
What’s the State of Your Endpoint Security?
What’s the State of Your Endpoint Security?What’s the State of Your Endpoint Security?
What’s the State of Your Endpoint Security?IBM Security
 
Mobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are AskingMobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are AskingLookout
 
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...IBM Security
 

Tendances (20)

Mobile Browser Content Handling
Mobile Browser Content HandlingMobile Browser Content Handling
Mobile Browser Content Handling
 
Mobile Security
Mobile SecurityMobile Security
Mobile Security
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applications
 
2012 State of Mobile Survey Global Key Findings
2012 State of Mobile Survey Global Key Findings2012 State of Mobile Survey Global Key Findings
2012 State of Mobile Survey Global Key Findings
 
Mobile Security for Smartphones and Tablets
Mobile Security for Smartphones and TabletsMobile Security for Smartphones and Tablets
Mobile Security for Smartphones and Tablets
 
Bringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android EndpointBringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android Endpoint
 
Malware on Smartphones and Tablets: The Inconvenient Truth
Malware on Smartphones and Tablets: The Inconvenient TruthMalware on Smartphones and Tablets: The Inconvenient Truth
Malware on Smartphones and Tablets: The Inconvenient Truth
 
Challenges in Testing Mobile App Security
Challenges in Testing Mobile App SecurityChallenges in Testing Mobile App Security
Challenges in Testing Mobile App Security
 
C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2
 
New trends in Payments Security: NFC & Mobile
New trends in Payments Security: NFC & MobileNew trends in Payments Security: NFC & Mobile
New trends in Payments Security: NFC & Mobile
 
2010: Mobile Security - WHYMCA Developer Conference
2010: Mobile Security - WHYMCA Developer Conference2010: Mobile Security - WHYMCA Developer Conference
2010: Mobile Security - WHYMCA Developer Conference
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient Truth
 
Understanding Your Attack Surface and Detecting & Mitigating External Threats
Understanding Your Attack Surface and Detecting & Mitigating External ThreatsUnderstanding Your Attack Surface and Detecting & Mitigating External Threats
Understanding Your Attack Surface and Detecting & Mitigating External Threats
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
Mobile security
Mobile securityMobile security
Mobile security
 
What’s the State of Your Endpoint Security?
What’s the State of Your Endpoint Security?What’s the State of Your Endpoint Security?
What’s the State of Your Endpoint Security?
 
Mobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are AskingMobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are Asking
 
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
 

Similaire à Building secure mobile apps

Security Best Practices for Mobile Development @ Dreamforce 2013
Security Best Practices for Mobile Development @ Dreamforce 2013Security Best Practices for Mobile Development @ Dreamforce 2013
Security Best Practices for Mobile Development @ Dreamforce 2013Tom Gersic
 
Secure Salesforce: Hardened Apps with the Mobile SDK
Secure Salesforce: Hardened Apps with the Mobile SDKSecure Salesforce: Hardened Apps with the Mobile SDK
Secure Salesforce: Hardened Apps with the Mobile SDKMartin Vigo
 
Secure Salesforce: Hardened Apps with the Mobile SDK
Secure Salesforce: Hardened Apps with the Mobile SDKSecure Salesforce: Hardened Apps with the Mobile SDK
Secure Salesforce: Hardened Apps with the Mobile SDKSalesforce Developers
 
Security Best Practices for Mobile Development
Security Best Practices for Mobile DevelopmentSecurity Best Practices for Mobile Development
Security Best Practices for Mobile DevelopmentSalesforce Developers
 
Intro to the Salesforce Mobile SDK: Building iOS Apps Webinar
Intro to the Salesforce Mobile SDK: Building iOS Apps WebinarIntro to the Salesforce Mobile SDK: Building iOS Apps Webinar
Intro to the Salesforce Mobile SDK: Building iOS Apps WebinarSalesforce Developers
 
Building a great mobile experience on the force.com platforms
Building a great mobile experience on the force.com platformsBuilding a great mobile experience on the force.com platforms
Building a great mobile experience on the force.com platformsJohn Stevenson
 
Mobile Developer Week
Mobile Developer WeekMobile Developer Week
Mobile Developer WeekPat Patterson
 
Building Mobile Apps on Salesforce Platform with Mobile SDK
Building Mobile Apps on Salesforce Platform with Mobile SDKBuilding Mobile Apps on Salesforce Platform with Mobile SDK
Building Mobile Apps on Salesforce Platform with Mobile SDKSalesforce Developers
 
Build Customer Centric Applications Using the Salesforce Toolkits for .NET
Build Customer Centric Applications Using the Salesforce Toolkits for .NETBuild Customer Centric Applications Using the Salesforce Toolkits for .NET
Build Customer Centric Applications Using the Salesforce Toolkits for .NETSalesforce Developers
 
Build Customer Centric Applications Using the Salesforce Toolkits for .NET
Build Customer Centric Applications Using the Salesforce Toolkits for .NETBuild Customer Centric Applications Using the Salesforce Toolkits for .NET
Build Customer Centric Applications Using the Salesforce Toolkits for .NETSalesforce Developers
 
CCT London 2013 Theatre Intro to Apex
CCT London 2013 Theatre Intro to ApexCCT London 2013 Theatre Intro to Apex
CCT London 2013 Theatre Intro to ApexPeter Chittum
 
Salesforce.com Mobile Dev Week Chicago DUG
Salesforce.com Mobile Dev Week Chicago DUGSalesforce.com Mobile Dev Week Chicago DUG
Salesforce.com Mobile Dev Week Chicago DUGTom Gersic
 
Mobile architecture overview
Mobile architecture overviewMobile architecture overview
Mobile architecture overviewDavid Scruggs
 
Create a Hybrid Mobile App With the Salesforce Mobile SDK
Create a Hybrid Mobile App With the Salesforce Mobile SDKCreate a Hybrid Mobile App With the Salesforce Mobile SDK
Create a Hybrid Mobile App With the Salesforce Mobile SDKSalesforce Developers
 
Creating HTML5 Applications with jQuery Mobile, Ruby and Database.com
Creating HTML5 Applications with jQuery Mobile, Ruby and Database.comCreating HTML5 Applications with jQuery Mobile, Ruby and Database.com
Creating HTML5 Applications with jQuery Mobile, Ruby and Database.comSalesforce Developers
 
Creating HTML5 Applications with jQuery Mobile, Ruby and Database.com
Creating HTML5 Applications with jQuery Mobile, Ruby and Database.comCreating HTML5 Applications with jQuery Mobile, Ruby and Database.com
Creating HTML5 Applications with jQuery Mobile, Ruby and Database.comSalesforce Developers
 
Modev presentation
Modev presentationModev presentation
Modev presentationRyan Upton
 

Similaire à Building secure mobile apps (20)

Security Best Practices for Mobile Development @ Dreamforce 2013
Security Best Practices for Mobile Development @ Dreamforce 2013Security Best Practices for Mobile Development @ Dreamforce 2013
Security Best Practices for Mobile Development @ Dreamforce 2013
 
Secure Salesforce: Hardened Apps with the Mobile SDK
Secure Salesforce: Hardened Apps with the Mobile SDKSecure Salesforce: Hardened Apps with the Mobile SDK
Secure Salesforce: Hardened Apps with the Mobile SDK
 
Secure Salesforce: Hardened Apps with the Mobile SDK
Secure Salesforce: Hardened Apps with the Mobile SDKSecure Salesforce: Hardened Apps with the Mobile SDK
Secure Salesforce: Hardened Apps with the Mobile SDK
 
API Design for Your Packaged App
API Design for Your Packaged AppAPI Design for Your Packaged App
API Design for Your Packaged App
 
Security Best Practices for Mobile Development
Security Best Practices for Mobile DevelopmentSecurity Best Practices for Mobile Development
Security Best Practices for Mobile Development
 
Intro to the Salesforce Mobile SDK: Building iOS Apps Webinar
Intro to the Salesforce Mobile SDK: Building iOS Apps WebinarIntro to the Salesforce Mobile SDK: Building iOS Apps Webinar
Intro to the Salesforce Mobile SDK: Building iOS Apps Webinar
 
Building a great mobile experience on the force.com platforms
Building a great mobile experience on the force.com platformsBuilding a great mobile experience on the force.com platforms
Building a great mobile experience on the force.com platforms
 
API Design for Your Packaged App
API Design for Your Packaged AppAPI Design for Your Packaged App
API Design for Your Packaged App
 
Mobile Developer Week
Mobile Developer WeekMobile Developer Week
Mobile Developer Week
 
Building Mobile Apps on Salesforce Platform with Mobile SDK
Building Mobile Apps on Salesforce Platform with Mobile SDKBuilding Mobile Apps on Salesforce Platform with Mobile SDK
Building Mobile Apps on Salesforce Platform with Mobile SDK
 
Build Customer Centric Applications Using the Salesforce Toolkits for .NET
Build Customer Centric Applications Using the Salesforce Toolkits for .NETBuild Customer Centric Applications Using the Salesforce Toolkits for .NET
Build Customer Centric Applications Using the Salesforce Toolkits for .NET
 
Build Customer Centric Applications Using the Salesforce Toolkits for .NET
Build Customer Centric Applications Using the Salesforce Toolkits for .NETBuild Customer Centric Applications Using the Salesforce Toolkits for .NET
Build Customer Centric Applications Using the Salesforce Toolkits for .NET
 
CCT London 2013 Theatre Intro to Apex
CCT London 2013 Theatre Intro to ApexCCT London 2013 Theatre Intro to Apex
CCT London 2013 Theatre Intro to Apex
 
Salesforce.com Mobile Dev Week Chicago DUG
Salesforce.com Mobile Dev Week Chicago DUGSalesforce.com Mobile Dev Week Chicago DUG
Salesforce.com Mobile Dev Week Chicago DUG
 
Mobile architecture overview
Mobile architecture overviewMobile architecture overview
Mobile architecture overview
 
Create a Hybrid Mobile App With the Salesforce Mobile SDK
Create a Hybrid Mobile App With the Salesforce Mobile SDKCreate a Hybrid Mobile App With the Salesforce Mobile SDK
Create a Hybrid Mobile App With the Salesforce Mobile SDK
 
Creating HTML5 Applications with jQuery Mobile, Ruby and Database.com
Creating HTML5 Applications with jQuery Mobile, Ruby and Database.comCreating HTML5 Applications with jQuery Mobile, Ruby and Database.com
Creating HTML5 Applications with jQuery Mobile, Ruby and Database.com
 
Creating HTML5 Applications with jQuery Mobile, Ruby and Database.com
Creating HTML5 Applications with jQuery Mobile, Ruby and Database.comCreating HTML5 Applications with jQuery Mobile, Ruby and Database.com
Creating HTML5 Applications with jQuery Mobile, Ruby and Database.com
 
Mobile Packs From Salesforce.com
Mobile Packs From Salesforce.comMobile Packs From Salesforce.com
Mobile Packs From Salesforce.com
 
Modev presentation
Modev presentationModev presentation
Modev presentation
 

Plus de Martin Vigo

Phonerator, an advanced *valid* phone number generator for your OSINT/SE needs
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needsPhonerator, an advanced *valid* phone number generator for your OSINT/SE needs
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needsMartin Vigo
 
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needs
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needsPhonerator, an advanced *valid* phone number generator for your OSINT/SE needs
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needsMartin Vigo
 
From email address to phone number, a new OSINT approach
From email address to phone number, a new OSINT approachFrom email address to phone number, a new OSINT approach
From email address to phone number, a new OSINT approachMartin Vigo
 
Ransombile: yet another reason to ditch sms
Ransombile: yet another reason to ditch smsRansombile: yet another reason to ditch sms
Ransombile: yet another reason to ditch smsMartin Vigo
 
Compromising online accounts by cracking voicemail systems
Compromising online accounts by cracking voicemail systemsCompromising online accounts by cracking voicemail systems
Compromising online accounts by cracking voicemail systemsMartin Vigo
 
Mobile apps security. Beyond XSS, CSRF and SQLi
Mobile apps security. Beyond XSS, CSRF and SQLiMobile apps security. Beyond XSS, CSRF and SQLi
Mobile apps security. Beyond XSS, CSRF and SQLiMartin Vigo
 
Breaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secretsBreaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secretsMartin Vigo
 
Even the LastPass Will be Stolen Deal with It!
Even the LastPass Will be Stolen Deal with It!Even the LastPass Will be Stolen Deal with It!
Even the LastPass Will be Stolen Deal with It!Martin Vigo
 
Creating secure apps using the salesforce mobile sdk
Creating secure apps using the salesforce mobile sdkCreating secure apps using the salesforce mobile sdk
Creating secure apps using the salesforce mobile sdkMartin Vigo
 
Security Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemSecurity Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemMartin Vigo
 
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay ProtocolDo-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay ProtocolMartin Vigo
 
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay ProtocolDo-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay ProtocolMartin Vigo
 

Plus de Martin Vigo (12)

Phonerator, an advanced *valid* phone number generator for your OSINT/SE needs
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needsPhonerator, an advanced *valid* phone number generator for your OSINT/SE needs
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needs
 
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needs
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needsPhonerator, an advanced *valid* phone number generator for your OSINT/SE needs
Phonerator, an advanced *valid* phone number generator for your OSINT/SE needs
 
From email address to phone number, a new OSINT approach
From email address to phone number, a new OSINT approachFrom email address to phone number, a new OSINT approach
From email address to phone number, a new OSINT approach
 
Ransombile: yet another reason to ditch sms
Ransombile: yet another reason to ditch smsRansombile: yet another reason to ditch sms
Ransombile: yet another reason to ditch sms
 
Compromising online accounts by cracking voicemail systems
Compromising online accounts by cracking voicemail systemsCompromising online accounts by cracking voicemail systems
Compromising online accounts by cracking voicemail systems
 
Mobile apps security. Beyond XSS, CSRF and SQLi
Mobile apps security. Beyond XSS, CSRF and SQLiMobile apps security. Beyond XSS, CSRF and SQLi
Mobile apps security. Beyond XSS, CSRF and SQLi
 
Breaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secretsBreaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secrets
 
Even the LastPass Will be Stolen Deal with It!
Even the LastPass Will be Stolen Deal with It!Even the LastPass Will be Stolen Deal with It!
Even the LastPass Will be Stolen Deal with It!
 
Creating secure apps using the salesforce mobile sdk
Creating secure apps using the salesforce mobile sdkCreating secure apps using the salesforce mobile sdk
Creating secure apps using the salesforce mobile sdk
 
Security Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against ThemSecurity Vulnerabilities: How to Defend Against Them
Security Vulnerabilities: How to Defend Against Them
 
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay ProtocolDo-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
 
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay ProtocolDo-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
Do-it-Yourself Spy Program: Abusing Apple’s Call Relay Protocol
 

Dernier

"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 

Dernier (20)

"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 

Building secure mobile apps

  • 1. Building Secure Mobile Apps Sergey Gorbaty Senior Product Security Engineer @ser_gor Martin Vigo Associate Product Security Engineer @martin_vigo
  • 2. Safe Harbor Safe harbor statement under the Private Securities Litigation ReformAct of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make.All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
  • 4. Sergey Gorbaty Senior Product Security Engineer
  • 5. Outline • Attacks on Mobile Apps • Developing Secure Mobile Apps • What Frameworks Help You With
  • 7. Mobile App Threats • Native Mobile App Threats – File system, DB Storage, Logs – Network Communication – Clipboard – Backups – RPC, URL scheme handlers • Web App Threats – Input validation • Session management • Web app logic flaws – Web vulnerabilities • XSS, CSRF • Injections – SQL, header
  • 8. Native App Threats • File system – Excessive Logging – Storing credentials and sensitive data unencrypted – Hardcoded secrets – Cached data • Network Communication – Not using TLS/SSL – Using self-signed SSL in QA and not disabling in production – Not using proper session management • Clipboard – Any app can read all messages • Backups – Sensitive data can be backed up to PC/Cloud
  • 9. Web App Threats • Application logic flaws – Skipping through Activities in Android applications – Malicious Intents launched from attacker’s website • Web security – Input validation • Accept any input – Output Encoding • Make sure the tainted data is sanitized • XSS • Header injections – Protecting sensitive actions • CSRF
  • 10. Outline • Attacks on Mobile Apps • Developing Secure Mobile Apps • What Frameworks Help You With
  • 11. Developing Secure Mobile Apps • iOS/OS X ‘Secure Coding Guide’ – Comprehensive, 120 pages long – Covers topics from buffer overflows to web vulnerabilities – https://developer.apple.com/library/iOs/documentation/Security/Conceptual/SecureCodingGuide/S ecureCodingGuide.pdf • Android.com ‘Security Tips’ – 6 articles on • Storing data • Using permissions • Using networking • Using RPC • Webview security – http://developer.android.com/training/articles/security-tips.html
  • 12. Outline • Attacks on Mobile Apps • Developing Secure Mobile Apps • What Frameworks Help You With
  • 13. Mobile Frameworks The breakdown • All focus on rapid development using HTML • Most provide easy ways of creating secure TLS connections • Fair amount provide authentication support • Few provide secure credential storage • Very few provide secure data storage
  • 14. Protecting Data Salesforce Mobile SDK - github.com/forcedotcom • Uses proper peer reviewed crypto with random IV, cipher mode and padding • Secrets are properly stored – Keychain – AccountManager • PIN code support for added security • TLS • Cordova plugins are properly scoped • Limited amount of logging
  • 15. Demo Looking at files inside Apple Sandbox - iExplorer
  • 16. Hybrid Apps • Can access device internals through plugins – Camera, photos – Accelerometer, GPS, Compass, Gyroscope – Keychain – SD card – Etc.
  • 17. Demo XSS with BEEF on Hybrid mobile app
  • 18. Protecting Mobile Apps What to focus on • Follow best development practices – Brush up on OWASP top 10 mobile threats – Review official vendor recommendations – Follow recommendations for storing secrets and data – Exercise minimal logging – Using TLS – Use security frameworks, don’t roll your own crypto • Use free security assessment tools – HTTP traffic examination: Burp Suite, Fiddler, Charles Proxy – App sandbox examination: iExplorer, drozer, Android debugging bridge – Source code review: Findbugs, Brakeman, Scanjs