SlideShare uma empresa Scribd logo

Mobile Application Security Code Reviews

Denim Group
Denim Group

This document provides an overview of a mobile app security code review presentation given at BSides Las Vegas 2011. The presentation focused on identifying security issues in mobile apps related to data storage, third-party services, and untrusted inputs. It also covered platform-specific concerns for Android and iOS apps, such as encryption best practices, network communication standards, and input validation. Static code analysis techniques were discussed for examining how apps store data, access external services, and handle untrusted content.

Tecnologia
1 de 48
Baixar para ler offline
Mobile App Security Code Reviews Security BSides Las Vegas 2011 © Copyright 2011 Denim Group - All Rights Reserved
Instructor Dan Cornell dan@denimgroup.com @danielcornell www.denimgroup.com www.smartphonesdumbapps.com (210) 572-4400 © Copyright 2011 Denim Group - All Rights Reserved 1
My Background • Dan Cornell – Founder and CTO Denim Group • Software developer by background (Java, .NET, etc.) • Denim Group – Build software with special security, performance, reliability requirements – Help organizations deal with the risk associated with their software • Code reviews and application assessments • SDLC consulting • Secure development training – instructor-led and e-Learning © Copyright 2011 Denim Group - All Rights Reserved 2
Agenda 1. Introduction and Overview 2. Data: In Motion and at Rest 3. Other Dangerous Inputs 4. Platform-Specific Concerns 5. Conclusions / Questions © Copyright 2011 Denim Group - All Rights Reserved 3
1 – Introduction and Overview • Focus For This Class • Security Implications for Mobile Applications • Mobile Application Threat Model • Testing the Security of Mobile Applications • Platform Background – Android – iOS © Copyright 2011 Denim Group - All Rights Reserved 4
Tradeoffs: Value versus Risk • Mobile applications can create tremendous value for organizations – New classes of applications utilizing mobile capabilities: GPS, camera, etc. – Innovating applications for employees and customers • Mobile devices and mobile applications can create tremendous risks – Sensitive data inevitably stored on the device (email, contacts) – Connect to a lot of untrusted networks (carrier, WiFi) • Most developers are not trained to develop secure applications – Fact of life, but slowing getting better • Most developers are new to creating mobile applications – Different platforms have different security characteristics and capabilities © Copyright 2011 Denim Group - All Rights Reserved 5
Smart Phones, Dumb Apps • Lots of media focus on device and platform security – Important because successful attacks give tremendous attacker leverage • Most organizations: – Accept realities of device and platform security – Concerned about the security of their custom applications – Concerned about sensitive data on the device because of their apps – Concerned about network-available resources that support their apps • Who has mobile application deployed for customers? • Who has had mobile applications deployed without their knowledge? – *$!%$# marketing department… © Copyright 2011 Denim Group - All Rights Reserved 6
Generic Mobile Application Threat Model © Copyright 2011 Denim Group - All Rights Reserved 7
Some Assumptions for Developers • Smartphone applications are essentially thick-client applications – That people carry in their pockets – And drop in toilets – And put on eBay when the new iPhone comes out – And leave on airplanes – And so on… • Attackers will be able to access: – Target user (victim) devices – Your application binaries • What else should you assume they know or will find out? © Copyright 2011 Denim Group - All Rights Reserved 8
Testing the Security of Mobile Applications • IMPORTANT: It is really the system as a whole you care about – Application plus… – 3rd party web services – Enterprise services – And so on • The most “interesting” weaknesses and vulnerabilities we find are in mobile applications’ interactions with supporting services • Mobile applications are different than web applications – Can’t just fire up an automated scanner and turn up a bunch of SQL injection and XSS vulnerabilities – Usually… © Copyright 2011 Denim Group - All Rights Reserved 9
Testing the Security of Mobile Applications Type of Analysis Activities Static Analysis Source Code Source code scanning Manual source code review Binary Reverse engineering Dynamic Analysis Debugger execution Traffic capture via proxy Forensic Analysis File permission analysis File content analysis © Copyright 2011 Denim Group - All Rights Reserved 10
Platform Background: Android • Linux-based operating system • Applications typically written in Java • Java compiled to DEX bytecode for the Dalvik virtual machine – Kind of like a Java virtual machine – Register-based rather than stack-based © Copyright 2011 Denim Group - All Rights Reserved 11
Platform Background: • UNIX-based operating system • Applications written in Objective-C © Copyright 2011 Denim Group - All Rights Reserved 12
Pandemobium Stock Trader Application • Android and iOS versions • Functionality – Log in – Track stock tips – Make stock trades – Get stock tips – Share stock tips • We will use as an example through the class © Copyright 2011 Denim Group - All Rights Reserved 13
2 – Data: In Motion and at Rest • Local Data Storage • Consuming 3rd Party Web Services • Mobile Applications and Enterprise Services © Copyright 2011 Denim Group - All Rights Reserved 14
Local Data Storage • Overview • Identifying Potential Storage Issues • Encryption Best Practices © Copyright 2011 Denim Group - All Rights Reserved 15
Local Data Storage Overview • If you store data on the device it can be captured – How you store the data can impact how easy this is – But at the end of the day it can be captured – So be careful what you store on the device. And be careful how you store it • But what if I encrypt the data? – Great idea. Where are you going to store the key? • This is an issue that gets a lot of media attention © Copyright 2011 Denim Group - All Rights Reserved 16
Local Data Storage: Android • Files – Internal storage (file permissions enforced) – External storage (no file permissions enforced) • SQLite Databases • Shared Preferences • Web Cache © Copyright 2011 Denim Group - All Rights Reserved 17
Android Data Storage • In Android, every application gets its own uid/gid – Clever use of the Linux security model – But external storage does not have permission enforcement • Default permissions are to be readable and writeable by the app only – Files – SQLite databases – Shared Permissions – Context.MODE_PRIVATE • But of course you can override this – Context.MODE_WORLD_READABLE – Context.MODE_WORLD_WRITEABLE © Copyright 2011 Denim Group - All Rights Reserved 18
Local Data Storage: • Files • SQLite Databases • plist Files • Keychain • Web Cache © Copyright 2011 Denim Group - All Rights Reserved 19
Android Static Analysis for Storage Issues • Android-specific functions for file handling: – Context.openFileOutput() – Context.openFileInput() – Context.getDir() • Android-specific functions for SQLite database handling: – Context.openOrCreateDatabase() – Context.getDatabasePath() – SQLiteDatabase.openDatabase() © Copyright 2011 Denim Group - All Rights Reserved 20
Android Static Analysis for Storage Issues • Android-specific functions for Shared Preferences handling – Context.getSharedPreferences() • Android-specific functions for cache handling: – Context.getCacheDir() – Context.getExternalCacheDir() • Non-Android-specific functions – Anything else you would examine in Java – java.io and the like © Copyright 2011 Denim Group - All Rights Reserved 21
Android Static Analysis for Storage Issues • File permissions: – MODE_PRIVATE – generally all right – MODE_WORLD_READABLE, MODE_WORLD_WRITEABLE – why? • What is being stored? • How is it being used? • World readable/writeable files can be manipulated by malicious applications © Copyright 2011 Denim Group - All Rights Reserved 22
iOS Static Analysis for Storage Issues • NSFileManager class – NSFileProtectionKey attribute • NSFileProtectionNone – Always accessible • NSFileProtectionComplete – Encrypted on disk when device is locked or booting • UIApplicationProtectedDataWillBecomeUnavailable notification – Fired when application data is about to become unavailable – References to sensitive files should be dropped © Copyright 2011 Denim Group - All Rights Reserved 23
Encryption Best Practices • Key management is a huge problem • If encrypted data and the key are stored on the device… • Android Encryption – Access to javax.crypto libraries – Open source options like Bouncy Castle • iOS Encryption – Access to common crypto algorithms – Keychain available for encrypted storage © Copyright 2011 Denim Group - All Rights Reserved 24
iOS Keychain • Allows you to store key/value pairs using iOS protections • Default: only visible to “owning” application • Possible values for kSecAttrAccessible: – kSecAttrAccessibleWhenUnlocked – kSecAttrAccessibleAfterFirstUnlock – kSecAttrAccessibleAlways – kSecAttrAccessibleWhenUnlockedThisDeviceOnly – kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly – kSecAttrAccessibleAlwaysThisDeviceOnly • But… – Clever German researchers found out how to dump non-PIN protected data – And clever Russian researchers found out how to brute-force the PIN – Do not store sensitive data on the device © Copyright 2011 Denim Group - All Rights Reserved 25
Consuming 3rd Party Web Services • Overview • Identifying Services In Use • Data Communications and Handling Best Practices © Copyright 2011 Denim Group - All Rights Reserved 26
Overview of Consuming 3rd Party Web Services • Interesting apps need to talk to stuff – And most of that stuff you should not trust • These are untrusted inputs – Positively validate them before use • You do not control what they do with the data – Be careful what you send © Copyright 2011 Denim Group - All Rights Reserved 27
Identifying Services In Use • Look for URL connections • Look for network connections • Look for web controls © Copyright 2011 Denim Group - All Rights Reserved 28
Data Communications and Handling Best Practices • Remember: Mobile devices can talk on lots of different networks • So use SSL – Can not observe or change traffic – DNS concerns • And force it to be used correctly – With valid certificates • Be careful of caching © Copyright 2011 Denim Group - All Rights Reserved 29
Android Network Connections • Android-specific classes: – android.net.* – android.net.SSLCertificateFactory • Make sure server validation has not been turned off • Java platform classes: – java.net.URLConnection – java.net.URL – And so on… © Copyright 2011 Denim Group - All Rights Reserved 30
Android Network Connections • Included Apache classes: – org.apache.http.HttpClient – org.apache.http.HttpPost – org.apache.http.Response • WebView component – Include HTML content in web applications © Copyright 2011 Denim Group - All Rights Reserved 31
iOS Network Connections • CFStream – kCFStreamPropertyShouldCloseNativeSocket – kCFStreamPropertySocketSecurityLevel – kCFStreamPropertySOCKSProxy – kCFStreamPropertySSLPeerCertificates – kCFStreamPropertySSLPeerTrust – kCFStreamPropertySSLSettings • CFHost • NSStream • NSHost • NSURLDownload • NSURL • UIWebView © Copyright 2011 Denim Group - All Rights Reserved 32
What to do With 3rd Party Services? • Largest concern is how they impact YOUR security – Validate all input – Be careful how your logic treats the data – Be careful what you send © Copyright 2011 Denim Group - All Rights Reserved 33
Overview of Mobile Applications and Enterprise Services • If you were a bad guy, would you rather have – The data on one device – All the data on the server – I guess it depends on how advanced and persistent you are… • These provide a great window into your organization – Client data – Transaction data – And so on… • The most serious vulnerabilities we find in assessments deal with apps’ interactions with enterprise services © Copyright 2011 Denim Group - All Rights Reserved 34
3 – Other Dangerous Inputs • Mobile Browser Content Handling © Copyright 2011 Denim Group - All Rights Reserved 35
Mobile Browser Content Handling • Identifying Mobile Browser Content Handlers • Testing the Security of Content Handlers © Copyright 2011 Denim Group - All Rights Reserved 36
Android: Identifying Content Handlers • Look in AndroidManifest.xml • Look for <intent-filter> tags: <intent-filter> <action android:name="android.intent.action.VIEW" /> <category android:name="android.intent.category.DEFAULT" /> <category android:name="android.intent.category.BROWSABLE" /> <data android:scheme=“the_scheme" /> </intent-filter> • But what apps export intents? – http://www.openintents.org/ © Copyright 2011 Denim Group - All Rights Reserved 37
iOS: Identifying Content Handlers • Look in Info.plist • Look for <key>CFBundleURLSchemes</key> <array> <dict> <key>CFBundleURLSchemes</key> <array> <string>the_scheme</string> </array> </dict> </array> • But what apps handle custom schemes? – http://handleopenurl.com/ © Copyright 2011 Denim Group - All Rights Reserved 38
Testing the Security of Content Handlers • How to reach them? – Get a user to click: <a href=“the_scheme://stuff?param=value” /> – Get a user to visit a malicious web page: <iframe src=“the_scheme://stuff?param=value” /> • Approaches: – Fuzzing – Targeted attacks © Copyright 2011 Denim Group - All Rights Reserved 39
Implementing Secure Content Handlers • This is remotely-accessible attack surface • Ask yourself: Do you really need to expose this attack surface? • Of course you do, think of how cool this will be… • Treat that as any untrusted input – Positive validation – Design logic accordingly © Copyright 2011 Denim Group - All Rights Reserved 40
Where Does Tainted Data Come From? • Android: – Activity.getIntent().getData() • iOS: – handleOpenURL() – Now deprecated – openURL() – New method – complete w/ naming conflict © Copyright 2011 Denim Group - All Rights Reserved 41
Interlude: SQL Injection for Mobile Applications • iOS and Android both provide built-in access to SQLite databases • Validate input and properly encode it before including it in SQL queries • Android – query(), rawQuery() – Be careful – compileStatement() – Better, but still be careful • iOS – sqlite3_exec() – Be careful – sqlite3_prepare_v2() – Better, but still be careful – iOS SQLite has such an elegant syntax, doesn’t it? © Copyright 2011 Denim Group - All Rights Reserved 42
But How Bad is SQL Injection in Mobile Apps? • Probably not as bad as SQL injection for web applications – Probably • Remember DREAD: – Damage Potential – Reproducibility – Exploitability – Affected Users – Discoverability © Copyright 2011 Denim Group - All Rights Reserved 43
4 – Platform-Specific Concerns • Secure Coding Practices for the iOS Platform – Buffer overflows and format strings – Everything old is new again – Objective-C is a superset of “actual” C – enjoy © Copyright 2011 Denim Group - All Rights Reserved 44
Let’s Take Apart Some Apps: Android • Example of static • axml2xml.pl – http://code.google.com/p/android-random/downloads/detail?name=axml2xml.pl binary analysis • dedexer – http://dedexer.sourceforge.net/ • Application structure • dex2jar – AndroidManifest.xml – http://code.google.com/p/dex2jar/ – assets/ • JD-GUI – res/ – http://java.decompiler.free.fr/ – classes.dex • SQLite Browser – http://java.decompiler.free.fr/ © Copyright 2011 Denim Group - All Rights Reserved 45
Other Materials • www.smartphonesdumbapps.com – Denim Group presentations, slides and code for mobile application security • http://software-security.sans.org/downloads/appsec-2011- files/dhanjani-hacking-securing-next-gen.pdf - SANS APPSEC SUMMIT 2011 presentation from Nitesh Dhanjani and Sean Pennline • http://www.slideshare.net/SOURCEConference/david-thiel-secure- development-on-ios - SOURCE Boston 2011 presentation from David Thiel from iSecPartners • McAfee mobile pen testing guidelines: – http://www.mcafee.com/us/resources/white-papers/foundstone/wp-pen-testing- iphone-ipad-apps.pdf – http://www.mcafee.com/us/resources/white-papers/foundstone/wp-pen-testing- android-apps.pdf © Copyright 2011 Denim Group - All Rights Reserved 46
5 – Conclusions and Questions Dan Cornell dan@denimgroup.com @danielcornell www.denimgroup.com www.smartphonesdumbapps.com (210) 572-4400 © Copyright 2011 Denim Group - All Rights Reserved 47

Recomendados

Draw Star in Visual Studio
Draw Star in Visual StudioDraw Star in Visual Studio
Draw Star in Visual Studio
Maruf Abdullah (Rion)
 
Developing a Threat Modeling Mindset
Developing a Threat Modeling MindsetDeveloping a Threat Modeling Mindset
Developing a Threat Modeling Mindset
Robert Hurlbut
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The Cloud
MITRE ATT&CK
 
Security and Privacy of Machine Learning
Security and Privacy of Machine LearningSecurity and Privacy of Machine Learning
Security and Privacy of Machine Learning
Priyanka Aash
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
Splunk
 
Countering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by MalwareCountering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by Malware
Tyler Borosavage
 
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchUsing MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
MITRE - ATT&CKcon
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
Prachi Mishra
 

Recomendados

Draw Star in Visual Studio
Draw Star in Visual StudioDraw Star in Visual Studio
Draw Star in Visual Studio
Maruf Abdullah (Rion)
 
Developing a Threat Modeling Mindset
Developing a Threat Modeling MindsetDeveloping a Threat Modeling Mindset
Developing a Threat Modeling Mindset
Robert Hurlbut
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The Cloud
MITRE ATT&CK
 
Security and Privacy of Machine Learning
Security and Privacy of Machine LearningSecurity and Privacy of Machine Learning
Security and Privacy of Machine Learning
Priyanka Aash
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
Splunk
 
Countering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by MalwareCountering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by Malware
Tyler Borosavage
 
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchUsing MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
MITRE - ATT&CKcon
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
Prachi Mishra
 
iOS Application Exploitation
iOS Application ExploitationiOS Application Exploitation
iOS Application Exploitation
Positive Hack Days
 
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Florian Roth
 
Red Team P1.pdf
Red Team P1.pdfRed Team P1.pdf
Red Team P1.pdf
soheil hashemi
 
Angular and Redux
Angular and ReduxAngular and Redux
Angular and Redux
Paulo Clavijo
 
Parallel Ablation Studies for Machine Learning with Maggy on Apache Spark
Parallel Ablation Studies for Machine Learning with Maggy on Apache SparkParallel Ablation Studies for Machine Learning with Maggy on Apache Spark
Parallel Ablation Studies for Machine Learning with Maggy on Apache Spark
Databricks
 
drools
droolsdrools
drools
Eduardo Oliveira
 
Technique de Cryptographie AES, DES et RSA
Technique de Cryptographie AES, DES et RSATechnique de Cryptographie AES, DES et RSA
Technique de Cryptographie AES, DES et RSA
Houda Elmoutaoukil
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 
MATS stack (MLFlow, Airflow, Tensorflow, Spark) for Cross-system Orchestratio...
MATS stack (MLFlow, Airflow, Tensorflow, Spark) for Cross-system Orchestratio...MATS stack (MLFlow, Airflow, Tensorflow, Spark) for Cross-system Orchestratio...
MATS stack (MLFlow, Airflow, Tensorflow, Spark) for Cross-system Orchestratio...
Databricks
 
Critical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyCritical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You Buy
Fidelis Cybersecurity
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
Ahmed Ayman
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
Sunny Neo
 
Practical Guide for Optimizing Unity on Mobiles
Practical Guide for Optimizing Unity on MobilesPractical Guide for Optimizing Unity on Mobiles
Practical Guide for Optimizing Unity on Mobiles
Valentin Simonov
 
Welcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat IntelligenceWelcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat Intelligence
Andreas Sfakianakis
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE - ATT&CKcon
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
Digit Oktavianto
 
Building an Intelligence-Driven Security Operations Center
Building an Intelligence-Driven Security Operations CenterBuilding an Intelligence-Driven Security Operations Center
Building an Intelligence-Driven Security Operations Center
EMC
 
Deception Technology: Use Cases & Implementation Approaches
Deception Technology: Use Cases & Implementation Approaches Deception Technology: Use Cases & Implementation Approaches
Deception Technology: Use Cases & Implementation Approaches
Priyanka Aash
 
Code obfuscation theory and practices
Code obfuscation theory and practicesCode obfuscation theory and practices
Code obfuscation theory and practices
nlog2n
 
Security Analytics with OpenSearch
Security Analytics with OpenSearchSecurity Analytics with OpenSearch
Security Analytics with OpenSearch
Arnold Van Wijnbergen
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile Applications
Denim Group
 
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
OWASP Ottawa
 

Mais conteúdo relacionado

Mais procurados

Parallel Ablation Studies for Machine Learning with Maggy on Apache Spark
Parallel Ablation Studies for Machine Learning with Maggy on Apache SparkParallel Ablation Studies for Machine Learning with Maggy on Apache Spark
Parallel Ablation Studies for Machine Learning with Maggy on Apache Spark
Databricks
 
Technique de Cryptographie AES, DES et RSA
Technique de Cryptographie AES, DES et RSATechnique de Cryptographie AES, DES et RSA
Technique de Cryptographie AES, DES et RSA
Houda Elmoutaoukil
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 
Welcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat IntelligenceWelcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat Intelligence
Andreas Sfakianakis
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE - ATT&CKcon
 

Mais procurados (20)

iOS Application Exploitation
iOS Application ExploitationiOS Application Exploitation
iOS Application Exploitation
 
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
 
Red Team P1.pdf
Red Team P1.pdfRed Team P1.pdf
Red Team P1.pdf
 
Angular and Redux
Angular and ReduxAngular and Redux
Angular and Redux
 
Parallel Ablation Studies for Machine Learning with Maggy on Apache Spark
Parallel Ablation Studies for Machine Learning with Maggy on Apache SparkParallel Ablation Studies for Machine Learning with Maggy on Apache Spark
Parallel Ablation Studies for Machine Learning with Maggy on Apache Spark
 
drools
droolsdrools
drools
 
Technique de Cryptographie AES, DES et RSA
Technique de Cryptographie AES, DES et RSATechnique de Cryptographie AES, DES et RSA
Technique de Cryptographie AES, DES et RSA
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
 
MATS stack (MLFlow, Airflow, Tensorflow, Spark) for Cross-system Orchestratio...
MATS stack (MLFlow, Airflow, Tensorflow, Spark) for Cross-system Orchestratio...MATS stack (MLFlow, Airflow, Tensorflow, Spark) for Cross-system Orchestratio...
MATS stack (MLFlow, Airflow, Tensorflow, Spark) for Cross-system Orchestratio...
 
Critical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You BuyCritical Capabilities for MDR Services - What to Know Before You Buy
Critical Capabilities for MDR Services - What to Know Before You Buy
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
 
Practical Guide for Optimizing Unity on Mobiles
Practical Guide for Optimizing Unity on MobilesPractical Guide for Optimizing Unity on Mobiles
Practical Guide for Optimizing Unity on Mobiles
 
Welcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat IntelligenceWelcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat Intelligence
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 
Building an Intelligence-Driven Security Operations Center
Building an Intelligence-Driven Security Operations CenterBuilding an Intelligence-Driven Security Operations Center
Building an Intelligence-Driven Security Operations Center
 
Deception Technology: Use Cases & Implementation Approaches
Deception Technology: Use Cases & Implementation Approaches Deception Technology: Use Cases & Implementation Approaches
Deception Technology: Use Cases & Implementation Approaches
 
Code obfuscation theory and practices
Code obfuscation theory and practicesCode obfuscation theory and practices
Code obfuscation theory and practices
 
Security Analytics with OpenSearch
Security Analytics with OpenSearchSecurity Analytics with OpenSearch
Security Analytics with OpenSearch
 

Destaque

AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
Ajin Abraham
 
SN-Security Architecture for Mobile Computing and IoT
SN-Security Architecture for Mobile Computing and IoTSN-Security Architecture for Mobile Computing and IoT
SN-Security Architecture for Mobile Computing and IoT
Sukumar Nayak
 

Destaque (20)

Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile Applications
 
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
 
Objective briefing on the current mobile threat 2010/2011
Objective briefing on the current mobile threat 2010/2011Objective briefing on the current mobile threat 2010/2011
Objective briefing on the current mobile threat 2010/2011
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security model
 
Android vs iOS encryption systems
Android vs iOS encryption systemsAndroid vs iOS encryption systems
Android vs iOS encryption systems
 
Mobile application security and threat modeling
Mobile application security and threat modelingMobile application security and threat modeling
Mobile application security and threat modeling
 
Designing Secure Mobile Apps
Designing Secure Mobile AppsDesigning Secure Mobile Apps
Designing Secure Mobile Apps
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentals
 
Mobile App Security Testing -2
Mobile App Security Testing -2Mobile App Security Testing -2
Mobile App Security Testing -2
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
 
Java Web Application Security - Denver JUG 2013
Java Web Application Security - Denver JUG 2013Java Web Application Security - Denver JUG 2013
Java Web Application Security - Denver JUG 2013
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Mobile_app_security
Mobile_app_securityMobile_app_security
Mobile_app_security
 
SN-Security Architecture for Mobile Computing and IoT
SN-Security Architecture for Mobile Computing and IoTSN-Security Architecture for Mobile Computing and IoT
SN-Security Architecture for Mobile Computing and IoT
 
The curious case of mobile app security.pptx
The curious case of mobile app security.pptxThe curious case of mobile app security.pptx
The curious case of mobile app security.pptx
 
2010: Mobile Security - WHYMCA Developer Conference
2010: Mobile Security - WHYMCA Developer Conference2010: Mobile Security - WHYMCA Developer Conference
2010: Mobile Security - WHYMCA Developer Conference
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
 

Semelhante a Mobile Application Security Code Reviews

Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
Denim Group
 
Smart Phones Dumb Apps
Smart Phones Dumb AppsSmart Phones Dumb Apps
Smart Phones Dumb Apps
Denim Group
 
Skeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsSkeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited Applications
Denim Group
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?
Denim Group
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
Denim Group
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
Denim Group
 
Android village @nullcon 2012
Android village @nullcon 2012 Android village @nullcon 2012
Android village @nullcon 2012
hakersinfo
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Denim Group
 

Semelhante a Mobile Application Security Code Reviews (20)

Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
Smart Phones Dumb Apps
Smart Phones Dumb AppsSmart Phones Dumb Apps
Smart Phones Dumb Apps
 
Mobile Browser Content Handling
Mobile Browser Content HandlingMobile Browser Content Handling
Mobile Browser Content Handling
 
Skeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsSkeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited Applications
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)security
 
Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applications
 
Android Security Humla Part 1
Android Security Humla Part 1Android Security Humla Part 1
Android Security Humla Part 1
 
How to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS AppsHow to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS Apps
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applications
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android Security
 
Webinar on Enterprise Security & android
Webinar on Enterprise Security & androidWebinar on Enterprise Security & android
Webinar on Enterprise Security & android
 
Thread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final FinalThread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final Final
 
Android Security and Peneteration Testing
Android Security and Peneteration TestingAndroid Security and Peneteration Testing
Android Security and Peneteration Testing
 
Android village @nullcon 2012
Android village @nullcon 2012 Android village @nullcon 2012
Android village @nullcon 2012
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
 
Google android os
Google android osGoogle android os
Google android os
 

Mais de Denim Group

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Denim Group
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
Denim Group
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Denim Group
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
Denim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
Denim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
Denim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
Denim Group
 

Mais de Denim Group (20)

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 

Último

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Último (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Mobile Application Security Code Reviews

  • 1. Mobile App Security Code Reviews Security BSides Las Vegas 2011 © Copyright 2011 Denim Group - All Rights Reserved
  • 2. Instructor Dan Cornell dan@denimgroup.com @danielcornell www.denimgroup.com www.smartphonesdumbapps.com (210) 572-4400 © Copyright 2011 Denim Group - All Rights Reserved 1
  • 3. My Background • Dan Cornell – Founder and CTO Denim Group • Software developer by background (Java, .NET, etc.) • Denim Group – Build software with special security, performance, reliability requirements – Help organizations deal with the risk associated with their software • Code reviews and application assessments • SDLC consulting • Secure development training – instructor-led and e-Learning © Copyright 2011 Denim Group - All Rights Reserved 2
  • 4. Agenda 1. Introduction and Overview 2. Data: In Motion and at Rest 3. Other Dangerous Inputs 4. Platform-Specific Concerns 5. Conclusions / Questions © Copyright 2011 Denim Group - All Rights Reserved 3
  • 5. 1 – Introduction and Overview • Focus For This Class • Security Implications for Mobile Applications • Mobile Application Threat Model • Testing the Security of Mobile Applications • Platform Background – Android – iOS © Copyright 2011 Denim Group - All Rights Reserved 4
  • 6. Tradeoffs: Value versus Risk • Mobile applications can create tremendous value for organizations – New classes of applications utilizing mobile capabilities: GPS, camera, etc. – Innovating applications for employees and customers • Mobile devices and mobile applications can create tremendous risks – Sensitive data inevitably stored on the device (email, contacts) – Connect to a lot of untrusted networks (carrier, WiFi) • Most developers are not trained to develop secure applications – Fact of life, but slowing getting better • Most developers are new to creating mobile applications – Different platforms have different security characteristics and capabilities © Copyright 2011 Denim Group - All Rights Reserved 5
  • 7. Smart Phones, Dumb Apps • Lots of media focus on device and platform security – Important because successful attacks give tremendous attacker leverage • Most organizations: – Accept realities of device and platform security – Concerned about the security of their custom applications – Concerned about sensitive data on the device because of their apps – Concerned about network-available resources that support their apps • Who has mobile application deployed for customers? • Who has had mobile applications deployed without their knowledge? – *$!%$# marketing department… © Copyright 2011 Denim Group - All Rights Reserved 6
  • 8. Generic Mobile Application Threat Model © Copyright 2011 Denim Group - All Rights Reserved 7
  • 9. Some Assumptions for Developers • Smartphone applications are essentially thick-client applications – That people carry in their pockets – And drop in toilets – And put on eBay when the new iPhone comes out – And leave on airplanes – And so on… • Attackers will be able to access: – Target user (victim) devices – Your application binaries • What else should you assume they know or will find out? © Copyright 2011 Denim Group - All Rights Reserved 8
  • 10. Testing the Security of Mobile Applications • IMPORTANT: It is really the system as a whole you care about – Application plus… – 3rd party web services – Enterprise services – And so on • The most “interesting” weaknesses and vulnerabilities we find are in mobile applications’ interactions with supporting services • Mobile applications are different than web applications – Can’t just fire up an automated scanner and turn up a bunch of SQL injection and XSS vulnerabilities – Usually… © Copyright 2011 Denim Group - All Rights Reserved 9
  • 11. Testing the Security of Mobile Applications Type of Analysis Activities Static Analysis Source Code Source code scanning Manual source code review Binary Reverse engineering Dynamic Analysis Debugger execution Traffic capture via proxy Forensic Analysis File permission analysis File content analysis © Copyright 2011 Denim Group - All Rights Reserved 10
  • 12. Platform Background: Android • Linux-based operating system • Applications typically written in Java • Java compiled to DEX bytecode for the Dalvik virtual machine – Kind of like a Java virtual machine – Register-based rather than stack-based © Copyright 2011 Denim Group - All Rights Reserved 11
  • 13. Platform Background: • UNIX-based operating system • Applications written in Objective-C © Copyright 2011 Denim Group - All Rights Reserved 12
  • 14. Pandemobium Stock Trader Application • Android and iOS versions • Functionality – Log in – Track stock tips – Make stock trades – Get stock tips – Share stock tips • We will use as an example through the class © Copyright 2011 Denim Group - All Rights Reserved 13
  • 15. 2 – Data: In Motion and at Rest • Local Data Storage • Consuming 3rd Party Web Services • Mobile Applications and Enterprise Services © Copyright 2011 Denim Group - All Rights Reserved 14
  • 16. Local Data Storage • Overview • Identifying Potential Storage Issues • Encryption Best Practices © Copyright 2011 Denim Group - All Rights Reserved 15
  • 17. Local Data Storage Overview • If you store data on the device it can be captured – How you store the data can impact how easy this is – But at the end of the day it can be captured – So be careful what you store on the device. And be careful how you store it • But what if I encrypt the data? – Great idea. Where are you going to store the key? • This is an issue that gets a lot of media attention © Copyright 2011 Denim Group - All Rights Reserved 16
  • 18. Local Data Storage: Android • Files – Internal storage (file permissions enforced) – External storage (no file permissions enforced) • SQLite Databases • Shared Preferences • Web Cache © Copyright 2011 Denim Group - All Rights Reserved 17
  • 19. Android Data Storage • In Android, every application gets its own uid/gid – Clever use of the Linux security model – But external storage does not have permission enforcement • Default permissions are to be readable and writeable by the app only – Files – SQLite databases – Shared Permissions – Context.MODE_PRIVATE • But of course you can override this – Context.MODE_WORLD_READABLE – Context.MODE_WORLD_WRITEABLE © Copyright 2011 Denim Group - All Rights Reserved 18
  • 20. Local Data Storage: • Files • SQLite Databases • plist Files • Keychain • Web Cache © Copyright 2011 Denim Group - All Rights Reserved 19
  • 21. Android Static Analysis for Storage Issues • Android-specific functions for file handling: – Context.openFileOutput() – Context.openFileInput() – Context.getDir() • Android-specific functions for SQLite database handling: – Context.openOrCreateDatabase() – Context.getDatabasePath() – SQLiteDatabase.openDatabase() © Copyright 2011 Denim Group - All Rights Reserved 20
  • 22. Android Static Analysis for Storage Issues • Android-specific functions for Shared Preferences handling – Context.getSharedPreferences() • Android-specific functions for cache handling: – Context.getCacheDir() – Context.getExternalCacheDir() • Non-Android-specific functions – Anything else you would examine in Java – java.io and the like © Copyright 2011 Denim Group - All Rights Reserved 21
  • 23. Android Static Analysis for Storage Issues • File permissions: – MODE_PRIVATE – generally all right – MODE_WORLD_READABLE, MODE_WORLD_WRITEABLE – why? • What is being stored? • How is it being used? • World readable/writeable files can be manipulated by malicious applications © Copyright 2011 Denim Group - All Rights Reserved 22
  • 24. iOS Static Analysis for Storage Issues • NSFileManager class – NSFileProtectionKey attribute • NSFileProtectionNone – Always accessible • NSFileProtectionComplete – Encrypted on disk when device is locked or booting • UIApplicationProtectedDataWillBecomeUnavailable notification – Fired when application data is about to become unavailable – References to sensitive files should be dropped © Copyright 2011 Denim Group - All Rights Reserved 23
  • 25. Encryption Best Practices • Key management is a huge problem • If encrypted data and the key are stored on the device… • Android Encryption – Access to javax.crypto libraries – Open source options like Bouncy Castle • iOS Encryption – Access to common crypto algorithms – Keychain available for encrypted storage © Copyright 2011 Denim Group - All Rights Reserved 24
  • 26. iOS Keychain • Allows you to store key/value pairs using iOS protections • Default: only visible to “owning” application • Possible values for kSecAttrAccessible: – kSecAttrAccessibleWhenUnlocked – kSecAttrAccessibleAfterFirstUnlock – kSecAttrAccessibleAlways – kSecAttrAccessibleWhenUnlockedThisDeviceOnly – kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly – kSecAttrAccessibleAlwaysThisDeviceOnly • But… – Clever German researchers found out how to dump non-PIN protected data – And clever Russian researchers found out how to brute-force the PIN – Do not store sensitive data on the device © Copyright 2011 Denim Group - All Rights Reserved 25
  • 27. Consuming 3rd Party Web Services • Overview • Identifying Services In Use • Data Communications and Handling Best Practices © Copyright 2011 Denim Group - All Rights Reserved 26
  • 28. Overview of Consuming 3rd Party Web Services • Interesting apps need to talk to stuff – And most of that stuff you should not trust • These are untrusted inputs – Positively validate them before use • You do not control what they do with the data – Be careful what you send © Copyright 2011 Denim Group - All Rights Reserved 27
  • 29. Identifying Services In Use • Look for URL connections • Look for network connections • Look for web controls © Copyright 2011 Denim Group - All Rights Reserved 28
  • 30. Data Communications and Handling Best Practices • Remember: Mobile devices can talk on lots of different networks • So use SSL – Can not observe or change traffic – DNS concerns • And force it to be used correctly – With valid certificates • Be careful of caching © Copyright 2011 Denim Group - All Rights Reserved 29
  • 31. Android Network Connections • Android-specific classes: – android.net.* – android.net.SSLCertificateFactory • Make sure server validation has not been turned off • Java platform classes: – java.net.URLConnection – java.net.URL – And so on… © Copyright 2011 Denim Group - All Rights Reserved 30
  • 32. Android Network Connections • Included Apache classes: – org.apache.http.HttpClient – org.apache.http.HttpPost – org.apache.http.Response • WebView component – Include HTML content in web applications © Copyright 2011 Denim Group - All Rights Reserved 31
  • 33. iOS Network Connections • CFStream – kCFStreamPropertyShouldCloseNativeSocket – kCFStreamPropertySocketSecurityLevel – kCFStreamPropertySOCKSProxy – kCFStreamPropertySSLPeerCertificates – kCFStreamPropertySSLPeerTrust – kCFStreamPropertySSLSettings • CFHost • NSStream • NSHost • NSURLDownload • NSURL • UIWebView © Copyright 2011 Denim Group - All Rights Reserved 32
  • 34. What to do With 3rd Party Services? • Largest concern is how they impact YOUR security – Validate all input – Be careful how your logic treats the data – Be careful what you send © Copyright 2011 Denim Group - All Rights Reserved 33
  • 35. Overview of Mobile Applications and Enterprise Services • If you were a bad guy, would you rather have – The data on one device – All the data on the server – I guess it depends on how advanced and persistent you are… • These provide a great window into your organization – Client data – Transaction data – And so on… • The most serious vulnerabilities we find in assessments deal with apps’ interactions with enterprise services © Copyright 2011 Denim Group - All Rights Reserved 34
  • 36. 3 – Other Dangerous Inputs • Mobile Browser Content Handling © Copyright 2011 Denim Group - All Rights Reserved 35
  • 37. Mobile Browser Content Handling • Identifying Mobile Browser Content Handlers • Testing the Security of Content Handlers © Copyright 2011 Denim Group - All Rights Reserved 36
  • 38. Android: Identifying Content Handlers • Look in AndroidManifest.xml • Look for <intent-filter> tags: <intent-filter> <action android:name="android.intent.action.VIEW" /> <category android:name="android.intent.category.DEFAULT" /> <category android:name="android.intent.category.BROWSABLE" /> <data android:scheme=“the_scheme" /> </intent-filter> • But what apps export intents? – http://www.openintents.org/ © Copyright 2011 Denim Group - All Rights Reserved 37
  • 39. iOS: Identifying Content Handlers • Look in Info.plist • Look for <key>CFBundleURLSchemes</key> <array> <dict> <key>CFBundleURLSchemes</key> <array> <string>the_scheme</string> </array> </dict> </array> • But what apps handle custom schemes? – http://handleopenurl.com/ © Copyright 2011 Denim Group - All Rights Reserved 38
  • 40. Testing the Security of Content Handlers • How to reach them? – Get a user to click: <a href=“the_scheme://stuff?param=value” /> – Get a user to visit a malicious web page: <iframe src=“the_scheme://stuff?param=value” /> • Approaches: – Fuzzing – Targeted attacks © Copyright 2011 Denim Group - All Rights Reserved 39
  • 41. Implementing Secure Content Handlers • This is remotely-accessible attack surface • Ask yourself: Do you really need to expose this attack surface? • Of course you do, think of how cool this will be… • Treat that as any untrusted input – Positive validation – Design logic accordingly © Copyright 2011 Denim Group - All Rights Reserved 40
  • 42. Where Does Tainted Data Come From? • Android: – Activity.getIntent().getData() • iOS: – handleOpenURL() – Now deprecated – openURL() – New method – complete w/ naming conflict © Copyright 2011 Denim Group - All Rights Reserved 41
  • 43. Interlude: SQL Injection for Mobile Applications • iOS and Android both provide built-in access to SQLite databases • Validate input and properly encode it before including it in SQL queries • Android – query(), rawQuery() – Be careful – compileStatement() – Better, but still be careful • iOS – sqlite3_exec() – Be careful – sqlite3_prepare_v2() – Better, but still be careful – iOS SQLite has such an elegant syntax, doesn’t it? © Copyright 2011 Denim Group - All Rights Reserved 42
  • 44. But How Bad is SQL Injection in Mobile Apps? • Probably not as bad as SQL injection for web applications – Probably • Remember DREAD: – Damage Potential – Reproducibility – Exploitability – Affected Users – Discoverability © Copyright 2011 Denim Group - All Rights Reserved 43
  • 45. 4 – Platform-Specific Concerns • Secure Coding Practices for the iOS Platform – Buffer overflows and format strings – Everything old is new again – Objective-C is a superset of “actual” C – enjoy © Copyright 2011 Denim Group - All Rights Reserved 44
  • 46. Let’s Take Apart Some Apps: Android • Example of static • axml2xml.pl – http://code.google.com/p/android-random/downloads/detail?name=axml2xml.pl binary analysis • dedexer – http://dedexer.sourceforge.net/ • Application structure • dex2jar – AndroidManifest.xml – http://code.google.com/p/dex2jar/ – assets/ • JD-GUI – res/ – http://java.decompiler.free.fr/ – classes.dex • SQLite Browser – http://java.decompiler.free.fr/ © Copyright 2011 Denim Group - All Rights Reserved 45
  • 47. Other Materials • www.smartphonesdumbapps.com – Denim Group presentations, slides and code for mobile application security • http://software-security.sans.org/downloads/appsec-2011- files/dhanjani-hacking-securing-next-gen.pdf - SANS APPSEC SUMMIT 2011 presentation from Nitesh Dhanjani and Sean Pennline • http://www.slideshare.net/SOURCEConference/david-thiel-secure- development-on-ios - SOURCE Boston 2011 presentation from David Thiel from iSecPartners • McAfee mobile pen testing guidelines: – http://www.mcafee.com/us/resources/white-papers/foundstone/wp-pen-testing- iphone-ipad-apps.pdf – http://www.mcafee.com/us/resources/white-papers/foundstone/wp-pen-testing- android-apps.pdf © Copyright 2011 Denim Group - All Rights Reserved 46
  • 48. 5 – Conclusions and Questions Dan Cornell dan@denimgroup.com @danielcornell www.denimgroup.com www.smartphonesdumbapps.com (210) 572-4400 © Copyright 2011 Denim Group - All Rights Reserved 47