© Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
DEBUNKING THE TOP 5 MYTHS ABOUT MOBILE APPSEC
ALL THINGS MOBILE DEVSECOPS
Subscribe Here
https://www.nowsecure.com/go/subscribe/
Semi-monthly Newsletter
Delivered 1st & 3rd Wednesday of the month
Resources for the Mobile DevSecOps journey
ASK A QUESTION ANY TIME
Use the “Ask a Question” tab below the slides
SPEAKER: ALAN SNYDER, CHIEF EXECUTIVE OFFICER, NOWSECURE
MODERATOR: BRIAN REED, CHIEF MOBILITY OFFICER, NOWSECURE
AGENDA
INTRODUCTIONS
MOBILE TRENDS
THE 5 MYTHS
KEY TAKEAWAYS
Q&A
PICK A PRIZE WINNER!
THE WORLD’S MOBILE APP ECONOMY
42.6 3MILLION Mobile Apps in US App Stores
BILLION Mobile Device Users
MILLION Shortage in Cyber Security Professionals
12MILLION Mobile App Developers
sources: Statista, (ISC)2, BusinessOfApps (2018/2019)
MCDONALDS SPENDING $6BN ON TRANSFORMATION
MOBILE APPS DOMINATE USAGE, BRING THE ATTACKERS
MYTH #1: Mobile apps are secure because Apple and Google test them.
MOBILE APP RISKS ARE REAL AND PAINFULLY EXPOSED
MOBILE PRIVACY 250 STUDY - 70% LEAK DATA
www.nowsecure.com/go/protectmydata
DEVELOPERS MUST TEST THEIR OWN SOFTWARE
WHAT APPLE & GOOGLE CHECK (Apple App Store®, Google Play™ Store)
▪ Guideline/API Compliance, Malware, Static Vulnerabilities
▪ Apple Dev Guidelines:
▪ You are responsible for making sure everything in your app complies with these guidelines, including ad networks, analytics services, and third-party SDKs, so review and choose them carefully.
▪ 1.6 Data Security - Apps should implement appropriate security measures to ensure proper handling of user information collected pursuant to the Apple Developer Program License Agreement and these Guidelines (see Guideline 5.1 for more information) and prevent its unauthorized use, disclosure, or access by third parties.
WHAT APPLE & GOOGLE DON’T CHECK
▪ Secure Development (Certificates, HTTPS, etc)
▪ App Data Leakage (Privacy)
▪ 3rd Party Libraries (Privacy or Vulnerabilities)
▪ App Functionality and Dynamic Code
MYTH #2: Testing mobile apps is the same as testing web apps.
FUNDAMENTAL DIFFERENCES: WEB APP vs MOBILE APP
▪ Isolation: a web app gets the browser’s inherent isolation from the client machine; a mobile app sits on a full operating system AND apps can interact with each other.
▪ Code location: a web app keeps the majority of its code on the server behind a firewall and other protections; a mobile app carries substantial code, IP logic and data on the client device.
▪ Transport security: the browser handles SSL/HTTPS for a web app; the mobile AppDev must properly code the network calls.
▪ Local data: the browser isolates a web app’s data from local machine memory and files; the mobile AppDev must properly code the handling of local memory and files.
▪ Testing: test frameworks can be loaded directly into browser environments; locked-down iOS/Android operating systems and containerization dramatically raise the complexity of testing mobile apps.
OWASP TOP 10 COMPARISON
Mobile:
1. Improper Platform Usage
2. Insecure Data Storage
3. Insecure Communication
4. Insecure Authentication
5. Insufficient Cryptography
6. Insecure Authorization
7. Client Code Quality
8. Code Tampering
9. Reverse Engineering
10. Extraneous Functionality
Web:
1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities
5. Broken Access Control
6. Security Misconfiguration
7. Cross Site Scripting
8. Insecure Deserialization
9. Using Vulnerable Components
10. Insufficient Logging/Monitoring
NOWSECURE ATTACKER POV
Only NowSecure uniquely takes the Attacker POV to test across app, compiler, data at rest, data in motion, OS, HW & SW during and after running the mobile app on real devices
(Diagram: the TEST APP on top of the iOS stack: iOS APPS, iOS FRAMEWORKS, iOS NATIVE LIBRARIES, iOS Mach/XNU KERNEL, iOS HAL, HARDWARE; connected to Network & Cloud Services and the Data Center & App Backend)
▪ Dynamic to monitor dynamic code loading from the network
▪ Dynamic to test MITM
▪ Behavioral to test active memory
▪ Dynamic to taint & trace sensor data from HAL
▪ Dynamic to test persistent storage
▪ Behavioral to determine app to app vulns
▪ Dynamic to track interaction with contacts
▪ Dynamic & Behavioral to test Certificate Pinning
▪ Dynamic to track interaction with file system
▪ Dynamic to test SSL Stripping
▪ Behavioral to track interaction with Keychain
▪ Dynamic to track interaction with Microphone
MYTH #3: Static Source Code Analysis (SAST) is good enough for mobile.
SUMMARY STATIC SOURCE VS DYNAMIC BINARY
CODE ISSUES: STATIC SOURCE YES, DYNAMIC BINARY YES
DATA AT REST: DYNAMIC BINARY YES
DATA IN MOTION: DYNAMIC BINARY YES
FIND MiTM VULN: DYNAMIC BINARY YES
FIND IP ADDRESSES: DYNAMIC BINARY YES
FIND 3rd PARTY LIBS: DYNAMIC BINARY YES
INSIDE THE MOBILE ATTACK SURFACE
(Diagram: the TEST APP on top of the iOS stack: iOS APPS, iOS FRAMEWORKS, iOS NATIVE LIBRARIES, iOS Mach/XNU KERNEL, iOS HAL, HARDWARE; connected to Network & Cloud Services and the Data Center & App Backend; the attack surface is grouped into CODE FUNCTIONALITY, DATA AT REST and DATA IN MOTION)
▪ GPS spoofing
▪ Buffer overflow
▪ allowBackup Flag
▪ allowDebug Flag
▪ Code Obfuscation
▪ Configuration manipulation
▪ Escalated privileges
▪ URL schemes
▪ GPS Leaking
▪ Integrity/tampering/repacking
▪ Side channel attacks
▪ App signing key unprotected
▪ JSON-RPC
▪ Automatic Reference Counting
▪ Dynamic runtime injection
▪ Unintended permissions
▪ UI overlay/pin stealing
▪ Intent hijacking
▪ Zip directory traversal
▪ Clipboard data
▪ World Readable Files
▪ Data caching
▪ Data stored in application directory
▪ Decryption of keychain
▪ Data stored in log files
▪ Data cached in memory/RAM
▪ Data stored in SD card
▪ OS data caching
▪ Passwords & data accessible
▪ No/Weak encryption
▪ TEE/Secure Enclave Processor
▪ Side channel leak
▪ SQLite database
▪ Emulator variance
▪ Wi-Fi (no/weak encryption)
▪ Rogue access point
▪ Packet sniffing
▪ Man-in-the-middle
▪ Session hijacking
▪ DNS poisoning
▪ TLS Downgrade
▪ Fake TLS certificate
▪ Improper TLS validation
▪ HTTP Proxies
▪ VPNs
▪ Weak/No Local authentication
▪ App transport security
▪ Transmitted to insecure server
▪ Zip files in transit
▪ Cookie “httpOnly” flag
▪ Cookie “secure” flag
▪ Android rooting/iOS jailbreak
▪ User-initiated code
▪ Confused deputy attack
▪ Media/file format parsers
▪ Insecure 3rd party libraries
▪ World Writable Files
▪ World Writable Executables
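Several entries in the list above are manifest-level configuration rather than code bugs: the allowBackup and allowDebug flags, cleartext transport, and exported components open to intent hijacking. A check of the merged AndroidManifest.xml before release is the cheapest way to catch them. The script below is an added example written for this page, not NowSecure code or part of the deck: check_manifest, android_attr and target_sdk are names chosen here, and both manifests (including the com.example.demo package and its component names) are constructed for the demo.

```python
"""Pre-release check of AndroidManifest.xml for the flag-level risks the
attack-surface list names: allowBackup, allowDebug (debuggable), cleartext
transport and exported components (intent hijacking).
Added example for this page, not NowSecure code; the manifests below are
constructed for the demo and the package name is made up."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(elem, name):
    """Read an android:-namespaced attribute, or None when it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def target_sdk(root):
    """targetSdkVersion from <uses-sdk>, or None if the merged manifest lacks it."""
    sdk = root.find("uses-sdk")
    value = android_attr(sdk, "targetSdkVersion") if sdk is not None else None
    return int(value) if value and value.isdigit() else None


def check_manifest(manifest_xml):
    """Return a list of (check_id, detail) findings for one manifest."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return [("manifest", "no <application> element")]
    findings = []

    # allowDebug flag: a debuggable build lets a debugger attach and read process memory
    if android_attr(app, "debuggable") == "true":
        findings.append(("debuggable", 'android:debuggable="true" on <application>'))

    # allowBackup flag: per the Android docs the attribute defaults to true when
    # omitted, so app data is backup-extractable unless it is explicitly "false"
    allow_backup = android_attr(app, "allowBackup")
    if allow_backup != "false":
        detail = "absent (defaults to true)" if allow_backup is None else '"true"'
        findings.append(("allowBackup", "android:allowBackup is " + detail))

    # Cleartext transport: explicit true is always a finding; when omitted the
    # platform default permits cleartext below targetSdkVersion 28 and blocks it
    # from 28 on (a networkSecurityConfig may override either; not parsed here)
    cleartext = android_attr(app, "usesCleartextTraffic")
    sdk = target_sdk(root)
    if cleartext == "true":
        findings.append(("cleartext", 'android:usesCleartextTraffic="true"'))
    elif cleartext is None and sdk is not None and sdk < 28:
        findings.append(("cleartext",
                         "usesCleartextTraffic absent with targetSdkVersion=%d (<28): "
                         "cleartext allowed by default" % sdk))

    # Intent hijacking / unintended permissions: exported services, receivers
    # and providers with no android:permission can be driven by any installed app
    for tag in ("service", "receiver", "provider"):
        for comp in app.findall(tag):
            if android_attr(comp, "exported") == "true" and android_attr(comp, "permission") is None:
                findings.append(("exported-" + tag,
                                 "%s %s is exported without android:permission"
                                 % (tag, android_attr(comp, "name"))))
    return findings


# Constructed sample: a manifest with the weak settings left in
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="27"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver" android:exported="true"
              android:permission="com.example.demo.permission.BOOT"/>
  </application>
</manifest>"""

# Constructed sample: the same app with the settings corrected
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="33"/>
  <application android:allowBackup="false" android:usesCleartextTraffic="false">
    <activity android:name=".MainActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".BootReceiver" android:exported="true"
              android:permission="com.example.demo.permission.BOOT"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label + ":")
        for check_id, detail in check_manifest(manifest) or [("ok", "no findings")]:
            print("  [%s] %s" % (check_id, detail))
```

Run it as a script to print the findings for both manifests, or call check_manifest on the merged manifest your build produces; the hardened manifest returns no findings. The check reads only the attributes it names and does not evaluate a networkSecurityConfig, so a clean result is a gate on configuration, not a substitute for the dynamic data-in-motion and data-at-rest tests the deck describes.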
WEB + SAST VENDORS
NOWSECURE APPSEC TESTING COVERAGE CHECKLIST
✓ Man in the Middle: Cert Validation
✓ Man in the Middle: Cert Pinning
✓ Man in the Middle: HTTP Connections
✓ SSL Downgrade
✓ Unprotected TLS traffic
✓ Cookie integrity
✓ Certificate Validity
✓ App Transport Security
✓ …
✓ App files & Log Files
✓ Keychain
✓ SD Card
✓ World Writable Files
✓ World Readable Files
✓ RAM
✓ Unencrypted credential storage
✓ SQLite Databases
✓ Secure Enclave Processor
✓ …
✓ Development flags
✓ Automatic Reference Counting
✓ Stack Smashing
✓ Bad Authentication/Authorization
✓ Root access
✓ Path Traversal
✓ SQL Injection
✓ Vulnerable 3rd party libraries
✓ Heartbleed
✓ Bad cryptography
✓ Obfuscation
✓ …
(Diagram: coverage grouped into CODE FUNCTIONALITY, DATA AT REST and DATA IN MOTION across the TEST APP, the iOS stack (iOS APPS, iOS FRAMEWORKS, iOS NATIVE LIBRARIES, iOS Mach/XNU KERNEL, iOS HAL, HARDWARE), Network & Cloud Services and the Data Center & App Backend)
AUTOMATED MOBILE APP SECURITY TESTING ON REAL DEVICES
STATIC TESTING: analyzes the binary post-compilation to discover vulnerabilities including those in third-party libraries
BEHAVIORAL TESTING: attacks the binary & network environment to discover vulnerabilities within the app with near zero false positives
DYNAMIC TESTING: observes the binary at runtime to discover vulnerabilities within the app
MYTH #4: Penetration testing once a year is enough to mitigate risk.
MOBILE APPSEC TESTING IN THE DARK AGES
CURRENT STATE OF THE ART
TESTING: Manual Security Testing
TIME: 1-2 weeks @ 1 per year
COST: $15,000 per manual PEN test
THE COMPOUNDING RISK OF MONTHLY RELEASES
(Chart labels: Security Testing; Peak Protection; Dev Release cycle; Annual Pen Test)
MANAGING YOUR POOL OF MOBILE RISK
(Chart: $ Millions in mobile security risk)
SAST + 1 PEN TEST ⇒ UNKNOWN + UNMITIGATED RISK (Critical Gap to Address)
SAST + NS PEN TEST + NS AUTO PEN TESTING SW ⇒ Dramatically Reduced Risk, Broader Visibility and Control
MYTH #5: Dynamic testing can’t be automated.
THE MOBILE TRIFECTA
(Diagram: FREQUENCY, USAGE and COMPLEXITY surrounding "My App")
SCALING TESTING CAPACITY & RISK OVER TIME
(Chart: SCALE over TIME)
▪ Mobile App Release volume and frequency as you scale
▪ NowSecure Automation scales as app release and volume scales
▪ Current Manual testing capacity
▪ Critical Gap to Address
MODERN MOBILE APPSEC TESTING
CURRENT STATE OF THE ART
TESTING: Manual Security Testing
TIME: 1-2 weeks @ 1 per year
COST: $15,000 per manual PEN test
NOWSECURE SOLUTIONS
TESTING: Automated Security Testing
TIME: <15mins every build, every day
COST: $40 per daily test
NOWSECURE POWERS YOUR MOBILE APPSEC TESTING
(Diagram: MOBILE Dev Cycle: Code Commit ⇒ Build Binary ⇒ Test Binary ⇒ Stage ⇒ Deploy ⇒ Production; Auto-Test Every Build; Test On-Demand; Auto-Generate Issue Tickets; Triage & Monitor; Urgent / Periodic Pen Test)
AUTOMATION WINS: CASE IN POINT
CHALLENGE: Large fast growing multi-divisional company; Need reliable, deep, automated mobile AST for Dev Pipeline; Bake-off: iOS Mobile App with intentionally inserted vulns
RESULTS:
Time to complete: LEGACY AST 10 days; NOWSECURE AUTOMATION 7 minutes
Vulns Found: LEGACY AST 0 Found; NOWSECURE AUTOMATION All 3 (CC skimming, Data Leakage, Cert failure)
KEY TAKEAWAYS
1. Seek to build in security through Dev + Sec partnership
2. Model the risk level of your mobile apps and test appropriately
3. Mobile Security Standards ⇒ OWASP Mobile Top 10
4. Ensure DAST is core part of mobile appsec testing strategy
5. Plug automated security testing into your SDLC Toolchain
NOWSECURE APPROACH
NOWSECURE DELIVERS THE SECURE VELOCITY YOU NEED
MOBILE BUSINESS VALUE CURVE (VALUE vs FREQUENCY OF RELEASE FOR MOBILE APP(s)): Rapid enhancements drive higher mobile app business value faster
MOBILE BUSINESS COST & RISK CURVE (COST and RISK vs FREQUENCY OF RELEASE, TESTING EVERY RELEASE): Manual pen testing every release drives costs exponentially; Pen testing only once a year drives risk exponentially; NowSecure Predictably Flattens Cost & Risk
NOWSECURE SOLUTION
(Diagram: platform components: Data Repository; Dashboards & Reports; Advanced Configuration; Device Farm; Compliance Mapping; Analysis Engine)
NowSecure SOFTWARE
For Dev, QA & Security Teams
Automated Security Testing
Dynamic Testing Across Full Lifecycle
Scales to Continuous Testing & Monitoring
On-Demand, API or CI/CD Integrated
on-prem or cloud
NowSecure SERVICES
For App Owners, Dev & Security Teams
Expert Pen Testing Programs
Training & App Security Programs
Enterprise Mobile App Risk Assessments
Internal/Outsourced Development
INSIDE NOWSECURE MOBILE APP RISK SCORING
CASE STUDY: ADOPTING THE NOWSECURE PLATFORM
(Timeline over 1 mo, 3 mo, 6 mo, 12 mo: Manual Testing ⇒ Test PRE RELEASE ⇒ Test ON DEMAND ⇒ Full CI/CD Integration ⇒ Maximizing Value & Performance; axes: Increasing Volume of apps, Increasing Frequency of releases)
▪ Integrate with SDLC infrastructure
▪ Test every build every day
▪ Auto-generate tickets from findings in local ticketing tool
▪ Auto-route reports to risk & compliance stakeholders
▪ Auto-route results & trends to management dashboard
▪ Perform deep dive investigations when needed
▪ Extended program to proactively monitor app store 3rd party risk
TRUSTED BY THE WORLD’S HIGHEST SECURITY ORGANIZATIONS
Automated Mobile AppSec Testing Software
Expert Pen Testing & Security Services
Powers Security in Agile & DevOps Teams
World-Class Security Research Team (builders of FRIDA & RADARE)
Advanced Engineering & DevOps Teams from High Frequency Trading Companies
Wrote the book on mobile forensics
NOWSECURE COMING ATTRACTIONS
ATARC Federal Mobile Summit
Aug 6, 2019 | Washington, DC
Black Hat USA (Training + Conference)
Aug 2-8, 2019 | Las Vegas, NV
DevOps World/Jenkins World
Aug 12-15, 2019 | San Francisco, CA
[Webinar] Coming Soon: Android Q & iOS 13 Privacy Enhancements
Jul 18, 2019
OWASP Global AppSec - DC
Sep 9-13, 2019 | Washington, DC
OPEN Q&A
Use the “Ask a Question” tab below the slides
BRIAN REED, CMO, NOWSECURE
ALAN SNYDER, CEO, NOWSECURE


Jeff's Journey: Best Practices for Securing Mobile App DevOps
Jeff's Journey: Best Practices for Securing Mobile App DevOpsJeff's Journey: Best Practices for Securing Mobile App DevOps
Jeff's Journey: Best Practices for Securing Mobile App DevOps
 
iOS 12 Preview - What You Need To Know
iOS 12 Preview - What You Need To KnowiOS 12 Preview - What You Need To Know
iOS 12 Preview - What You Need To Know
 
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App RiskMobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
 
What attackers know about your mobile apps that you don’t: Banking & FinTech
What attackers know about your mobile apps that you don’t: Banking & FinTechWhat attackers know about your mobile apps that you don’t: Banking & FinTech
What attackers know about your mobile apps that you don’t: Banking & FinTech
 
Solving for Compliance: Mobile app security for banking and financial services
Solving for Compliance: Mobile app security for banking and financial servicesSolving for Compliance: Mobile app security for banking and financial services
Solving for Compliance: Mobile app security for banking and financial services
 
Leaky Mobile Apps: What You Need to Know
Leaky Mobile Apps: What You Need to KnowLeaky Mobile Apps: What You Need to Know
Leaky Mobile Apps: What You Need to Know
 
Vetting Mobile Apps for Corporate Use: Security Essentials
Vetting Mobile Apps for Corporate Use: Security EssentialsVetting Mobile Apps for Corporate Use: Security Essentials
Vetting Mobile Apps for Corporate Use: Security Essentials
 
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
 
Delivering secure mobile financial services (MFS) - "Frictionless" vs diligence
Delivering secure mobile financial services (MFS) - "Frictionless" vs diligenceDelivering secure mobile financial services (MFS) - "Frictionless" vs diligence
Delivering secure mobile financial services (MFS) - "Frictionless" vs diligence
 
Next-level mobile app security: A programmatic approach
Next-level mobile app security: A programmatic approachNext-level mobile app security: A programmatic approach
Next-level mobile app security: A programmatic approach
 
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...
 
Cybersecurity Fundamentals for Bar Associations
Cybersecurity Fundamentals for Bar AssociationsCybersecurity Fundamentals for Bar Associations
Cybersecurity Fundamentals for Bar Associations
 
Mobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeMobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the Code
 

Último

Android Application Components with Implementation & Examples
Android Application Components with Implementation & ExamplesAndroid Application Components with Implementation & Examples
Android Application Components with Implementation & ExamplesChandrakantDivate1
 
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRFULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRnishacall1
 
Mobile Application Development-Components and Layouts
Mobile Application Development-Components and LayoutsMobile Application Development-Components and Layouts
Mobile Application Development-Components and LayoutsChandrakantDivate1
 
Thane 💋 Call Girls 7738631006 💋 Call Girls in Thane Escort service book now. ...
Thane 💋 Call Girls 7738631006 💋 Call Girls in Thane Escort service book now. ...Thane 💋 Call Girls 7738631006 💋 Call Girls in Thane Escort service book now. ...
Thane 💋 Call Girls 7738631006 💋 Call Girls in Thane Escort service book now. ...Pooja Nehwal
 
Leading Mobile App Development Companies in India (2).pdf
Leading Mobile App Development Companies in India (2).pdfLeading Mobile App Development Companies in India (2).pdf
Leading Mobile App Development Companies in India (2).pdfCWS Technology
 
9999266834 Call Girls In Noida Sector 52 (Delhi) Call Girl Service
9999266834 Call Girls In Noida Sector 52 (Delhi) Call Girl Service9999266834 Call Girls In Noida Sector 52 (Delhi) Call Girl Service
9999266834 Call Girls In Noida Sector 52 (Delhi) Call Girl Servicenishacall1
 
Mobile Application Development-Android and It’s Tools
Mobile Application Development-Android and It’s ToolsMobile Application Development-Android and It’s Tools
Mobile Application Development-Android and It’s ToolsChandrakantDivate1
 

Último (8)

Android Application Components with Implementation & Examples
Android Application Components with Implementation & ExamplesAndroid Application Components with Implementation & Examples
Android Application Components with Implementation & Examples
 
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
 
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRFULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
 
Mobile Application Development-Components and Layouts
Mobile Application Development-Components and LayoutsMobile Application Development-Components and Layouts
Mobile Application Development-Components and Layouts
 
Thane 💋 Call Girls 7738631006 💋 Call Girls in Thane Escort service book now. ...
Thane 💋 Call Girls 7738631006 💋 Call Girls in Thane Escort service book now. ...Thane 💋 Call Girls 7738631006 💋 Call Girls in Thane Escort service book now. ...
Thane 💋 Call Girls 7738631006 💋 Call Girls in Thane Escort service book now. ...
 
Leading Mobile App Development Companies in India (2).pdf
Leading Mobile App Development Companies in India (2).pdfLeading Mobile App Development Companies in India (2).pdf
Leading Mobile App Development Companies in India (2).pdf
 
9999266834 Call Girls In Noida Sector 52 (Delhi) Call Girl Service
9999266834 Call Girls In Noida Sector 52 (Delhi) Call Girl Service9999266834 Call Girls In Noida Sector 52 (Delhi) Call Girl Service
9999266834 Call Girls In Noida Sector 52 (Delhi) Call Girl Service
 
Mobile Application Development-Android and It’s Tools
Mobile Application Development-Android and It’s ToolsMobile Application Development-Android and It’s Tools
Mobile Application Development-Android and It’s Tools
 

Debunking the Top 5 Myths About Mobile AppSec

  • 1. © Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
    DEBUNKING THE TOP 5 MYTHS ABOUT MOBILE APPSEC
  • 2. ALL THINGS MOBILE DEVSECOPS
    Subscribe Here: https://www.nowsecure.com/go/subscribe/
    Semi-monthly Newsletter, delivered 1st & 3rd Wednesday of the month
    Resources for the Mobile DevSecOps journey
  • 3. ASK A QUESTION ANY TIME
    Use the “Ask a Question” tab below the slides
  • 4. AGENDA
    INTRODUCTIONS
    MOBILE TRENDS
    THE 5 MYTHS
    KEY TAKEAWAYS
    Q&A
    PICK A PRIZE WINNER!
    SPEAKER: ALAN SNYDER, CHIEF EXECUTIVE OFFICER, NOWSECURE
    MODERATOR: BRIAN REED, CHIEF MOBILITY OFFICER, NOWSECURE
  • 5. THE WORLD’S MOBILE APP ECONOMY
    42.6 3MILLION Mobile Apps US App Stores BILLION Mobile Device Users MILLION Shortage in Cyber Security Professionals 12MILLION Mobile App Developers
    sources: Statista, (ISC)2, BusinessOfApps (2018/2019)
  • 6. MCDONALDS SPENDING $6BN ON TRANSFORMATION
  • 7. MOBILE APPS DOMINATE USAGE, BRING THE ATTACKERS
  • 8. MYTH #1: Mobile apps are secure because Apple and Google test them.
  • 9. MOBILE APP RISKS ARE REAL AND PAINFULLY EXPOSED
  • 10. MOBILE PRIVACY 250 STUDY - 70% LEAK DATA
    www.nowsecure.com/go/protectmydata
  • 11. DEVELOPERS MUST TEST THEIR OWN SOFTWARE
    WHAT APPLE & GOOGLE DON’T CHECK
    ▪ Secure Development (Certificates, HTTPS, etc)
    ▪ App Data Leakage (Privacy)
    ▪ 3rd Party Libraries (Privacy or Vulnerabilities)
    ▪ App Functionality and Dynamic Code
    WHAT APPLE & GOOGLE CHECK (Apple App Store® / Google Play™ Store)
    ▪ Guideline/API Compliance, Malware, Static Vulnerabilities
    ▪ Apple Dev Guidelines:
      ▪ You are responsible for making sure everything in your app complies with these guidelines, including ad networks, analytics services, and third-party SDKs, so review and choose them carefully.
      ▪ 1.6 Data Security - Apps should implement appropriate security measures to ensure proper handling of user information collected pursuant to the Apple Developer Program License Agreement and these Guidelines (see Guideline 5.1 for more information) and prevent its unauthorized use, disclosure, or access by third parties.
  • 12. MYTH #2: Testing mobile apps is the same as web apps.
  • 13. FUNDAMENTAL DIFFERENCES
    WEB APP: Browser inherent isolation from client machine
    MOBILE APP: Full operating system underlies the app AND apps can interact
    WEB APP: Majority of code on server behind firewall and other protections
    MOBILE APP: Substantial code, IP logic, data on the client device
    WEB APP: Browser handles SSL/HTTPS
    MOBILE APP: AppDev must properly code network calls
    WEB APP: Browser isolates data from local machine memory and files
    MOBILE APP: AppDev must properly code to handle local memory and files
    WEB APP: Test frameworks can be loaded directly into browser environments
    MOBILE APP: Locked down iOS/Android operating systems and containerization dramatically raise complexity
  • 14. OWASP TOP 10 COMPARISON
    Mobile: 1. Improper Platform Usage 2. Insecure Data Storage 3. Insecure Communication 4. Insecure Authentication 5. Insufficient Cryptography 6. Insecure Authorization 7. Client Code Quality 8. Code Tampering 9. Reverse Engineering 10. Extraneous Functionality
    Web: 1. Injection 2. Broken Authentication 3. Sensitive Data Exposure 4. XML External Entities 5. Broken Access Control 6. Security Misconfiguration 7. Cross Site Scripting 8. Insecure Deserialization 9. Using Vulnerable Components 10. Insufficient Logging/Monitoring
  • 15. NOWSECURE ATTACKER POV
    Only NowSecure uniquely takes the Attacker POV to test across app, compiler, data at rest, data in motion, OS, HW & SW during and after running the mobile app on real devices
    Stack under test: TEST APP, iOS APPS, iOS FRAMEWORKS, iOS NATIVE LIBRARIES, iOS Mach/XNU KERNEL, iOS HAL, HARDWARE; Data Center & App Backend; Network & Cloud Services
    ▪ Dynamic to monitor dynamic code loading from the network
    ▪ Dynamic to test MITM
    ▪ Behavioral to test active memory
    ▪ Dynamic to taint & trace sensor data from HAL
    ▪ Dynamic to test persistent storage
    ▪ Behavioral to determine app to app vulns
    ▪ Dynamic to track interaction with contacts
    ▪ Dynamic & Behavioral to test Certificate Pinning
    ▪ Dynamic to track interaction with file system
    ▪ Dynamic to test SSL Stripping
    ▪ Behavioral to track interaction with Keychain
    ▪ Dynamic to track interaction with Microphone
  • 16. MYTH #3: Static Source Code Analysis (SAST) is good enough for mobile
  • 17. SUMMARY: STATIC SOURCE VS DYNAMIC BINARY
    CODE ISSUES: STATIC SOURCE YES / DYNAMIC BINARY YES
    DATA AT REST: YES
    DATA IN MOTION: YES
    FIND MiTM VULN: YES
    FIND IP ADDRESSES: YES
    FIND 3rd PARTY LIBS: YES
  • 18. INSIDE THE MOBILE ATTACK SURFACE
    Stack under test: TEST APP, iOS APPS, iOS FRAMEWORKS, iOS NATIVE LIBRARIES, iOS Mach/XNU KERNEL, iOS HAL, HARDWARE; Data Center & App Backend; Network & Cloud Services
    Areas: CODE FUNCTIONALITY, DATA AT REST, DATA IN MOTION
    ▪ GPS spoofing
    ▪ Buffer overflow
    ▪ allowBackup Flag
    ▪ allowDebug Flag
    ▪ Code Obfuscation
    ▪ Configuration manipulation
    ▪ Escalated privileges
    ▪ URL schemes
    ▪ GPS Leaking
    ▪ Integrity/tampering/repacking
    ▪ Side channel attacks
    ▪ App signing key unprotected
    ▪ JSON-RPC
    ▪ Automatic Reference Counting
    ▪ Dynamic runtime injection
    ▪ Unintended permissions
    ▪ UI overlay/pin stealing
    ▪ Intent hijacking
    ▪ Zip directory traversal
    ▪ Clipboard data
    ▪ World Readable Files
    ▪ Data caching
    ▪ Data stored in application directory
    ▪ Decryption of keychain
    ▪ Data stored in log files
    ▪ Data cached in memory/RAM
    ▪ Data stored in SD card
    ▪ OS data caching
    ▪ Passwords & data accessible
    ▪ No/Weak encryption
    ▪ TEE/Secure Enclave Processor
    ▪ Side channel leak
    ▪ SQLite database
    ▪ Emulator variance
    ▪ Wi-Fi (no/weak encryption)
    ▪ Rogue access point
    ▪ Packet sniffing
    ▪ Man-in-the-middle
    ▪ Session hijacking
    ▪ DNS poisoning
    ▪ TLS Downgrade
    ▪ Fake TLS certificate
    ▪ Improper TLS validation
    ▪ HTTP Proxies
    ▪ VPNs
    ▪ Weak/No Local authentication
    ▪ App transport security
    ▪ Transmitted to insecure server
    ▪ Zip files in transit
    ▪ Cookie “httpOnly” flag
    ▪ Cookie “secure” flag
    ▪ Android rooting/iOS jailbreak
    ▪ User-initiated code
    ▪ Confused deputy attack
    ▪ Media/file format parsers
    ▪ Insecure 3rd party libraries
    ▪ World Writable Files
    ▪ World Writable Executables
    WEB + SAST VENDORS
  • 19. NOWSECURE APPSEC TESTING COVERAGE CHECKLIST
    DATA IN MOTION: ✓ Man in the Middle: Cert Validation ✓ Man in the Middle: Cert Pinning ✓ Man in the Middle: HTTP Connections ✓ SSL Downgrade ✓ Unprotected TLS traffic ✓ Cookie integrity ✓ Certificate Validity ✓ App Transport Security ✓ …
    DATA AT REST: ✓ App files & Log Files ✓ Keychain ✓ SD Card ✓ World Writable Files ✓ World Readable Files ✓ RAM ✓ Unencrypted credential storage ✓ SQLite Databases ✓ Secure Enclave Processor ✓ …
    CODE FUNCTIONALITY: ✓ Development flags ✓ Automatic Reference Counting ✓ Stack Smashing ✓ Bad Authentication/Authorization ✓ Root access ✓ Path Traversal ✓ SQL Injection ✓ Vulnerable 3rd party libraries ✓ Heartbleed ✓ Bad cryptography ✓ Obfuscation ✓ …
    Stack under test: TEST APP, iOS APPS, iOS FRAMEWORKS, iOS NATIVE LIBRARIES, iOS Mach/XNU KERNEL, iOS HAL, HARDWARE; Data Center & App Backend; Network & Cloud Services
    AUTOMATED MOBILE APP SECURITY TESTING ON REAL DEVICES
    STATIC TESTING analyzes the binary post-compilation to discover vulnerabilities including those in third-party libraries
    BEHAVIORAL TESTING attacks the binary & network environment to discover vulnerabilities within the app with near zero false positives
    DYNAMIC TESTING observes the binary at runtime to discover vulnerabilities within the app
  • 20. MYTH #4: Penetration testing once a year is enough to mitigate risk.
  • 21. MOBILE APPSEC TESTING IN THE DARK AGES
    CURRENT STATE OF THE ART
    TESTING: Manual Security Testing
    TIME: 1-2 weeks @ 1 per year
    COST: $15,000 per manual PEN test
  • 22. THE COMPOUNDING RISK OF MONTHLY RELEASES
    Chart labels: Security Testing; Peak Protection; Dev Release cycle; Annual Pen Test
  • 23. MANAGING YOUR POOL OF MOBILE RISK ($ Millions in mobile security risk)
    Chart labels: SAST; 1 PEN TEST; UNKNOWN + UNMITIGATED RISK; SAST; NS PEN TEST; NS AUTO PEN TESTING SW; Dramatically Reduced Risk; Broader Visibility and Control; Critical Gap to Address
  • 24. MYTH #5: Dynamic testing can’t be automated.
  • 25. THE MOBILE TRIFECTA: FREQUENCY, USAGE, COMPLEXITY (My App)
  • 26. SCALING TESTING CAPACITY & RISK OVER TIME (SCALE vs TIME)
    Mobile App Release volume and frequency as you scale
    NowSecure Automation scales as app release volume scales
    Current Manual testing capacity
    Critical Gap to Address
  • 27. MODERN MOBILE APPSEC TESTING
    CURRENT STATE OF THE ART
    TESTING: Manual Security Testing
    TIME: 1-2 weeks @ 1 per year
    COST: $15,000 per manual PEN test
    NOWSECURE SOLUTIONS
    TESTING: Automated Security Testing
    TIME: <15mins every build, every day
    COST: $40 per daily test
  • 28. NOWSECURE POWERS YOUR MOBILE APPSEC TESTING
    MOBILE Dev Cycle: Code Commit ⇒ Build Binary ⇒ Test Binary ⇒ Stage ⇒ Deploy ⇒ Production
    Auto-Test Every Build
    Test On-Demand
    Auto-Generate Issue Tickets
    Triage & Monitor
    Urgent / Periodic Pen Test
  • 29. AUTOMATION WINS: CASE IN POINT
    CHALLENGE: Large fast growing multi-divisional company; Need reliable, deep, automated mobile AST for Dev Pipeline; Bake-off: iOS Mobile App with intentionally inserted vulns
    RESULTS (LEGACY AST vs NOWSECURE AUTOMATION):
    Time to complete: 10 days vs 7 minutes
    Vulns Found: 0 vs Found All 3 (CC skimming, Data Leakage, Cert failure)
  • 30. KEY TAKEAWAYS
    1. Seek to build in security through Dev + Sec partnership
    2. Model the risk level of your mobile apps and test appropriately
    3. Mobile Security Standards ⇒ OWASP Mobile Top 10
    4. Ensure DAST is core part of mobile appsec testing strategy
    5. Plug automated security testing into your SDLC Toolchain
  • 31. NOWSECURE APPROACH
  • 32. NOWSECURE DELIVERS THE SECURE VELOCITY YOU NEED
    MOBILE BUSINESS VALUE CURVE (VALUE vs FREQUENCY OF RELEASE FOR MOBILE APP(s)): Rapid enhancements drive higher mobile app business value faster
    MOBILE BUSINESS COST & RISK CURVE (COST / RISK vs FREQUENCY OF RELEASE, TESTING EVERY RELEASE): Manual pen testing every release drives costs exponentially; Pen testing only once a year drives risk exponentially; NowSecure Predictably Flattens Cost & Risk
  • 33. NOWSECURE SOLUTION
    Platform components: Analysis Engine; Device Farm; Data Repository; Dashboards & Reports; Advanced Configuration; Compliance Mapping
    NowSecure SOFTWARE (For Dev, QA & Security Teams): Automated Security Testing; Dynamic Testing Across Full Lifecycle; Scales to Continuous Testing & Monitoring
    NowSecure SERVICES (For App Owners, Dev & Security Teams): Expert Pen Testing Programs; Training & App Security Programs; Enterprise Mobile App Risk Assessments; Internal/Outsourced Development
    On-Demand, API or CI/CD Integrated; on-prem or cloud
  • 34. INSIDE NOWSECURE MOBILE APP RISK SCORING
  • 35. CASE STUDY: ADOPTING THE NOWSECURE PLATFORM
    Timeline (1 mo ⇒ 3 mo ⇒ 6 mo ⇒ 12 mo): Manual Testing ⇒ Test PRE RELEASE ⇒ Test ON DEMAND ⇒ Full CI/CD Integration
    Increasing Volume of apps; Increasing Frequency of releases; Maximizing Value & Performance
    Integrate with SDLC infrastructure
    Test every build every day
    Auto-generate tickets from findings in local ticketing tool
    Auto-route reports to risk & compliance stakeholders
    Auto-route results & trends to management dashboard
    Perform deep dive investigations when needed
    Extended program to proactively monitor app store 3rd party risk
  • 36. TRUSTED BY THE WORLD’S HIGHEST SECURITY ORGANIZATIONS
    Automated Mobile AppSec Testing Software
    Expert Pen Testing & Security Services
    Powers Security in Agile & DevOps Teams
    World-Class Security Research Team (builders of FRIDA & RADARE)
    Advanced Engineering & DevOps Teams from High Frequency Trading Companies
    Wrote the book on mobile forensics
  • 37. NOWSECURE COMING ATTRACTIONS
    ATARC Federal Mobile Summit, Aug 6, 2019 | Washington, DC
    Black Hat USA (Training + Conference), Aug 2-8, 2019 | Las Vegas, NV
    DevOps World/Jenkins World, Aug 12-15, 2019 | San Francisco, CA
    [Webinar] Coming Soon: Android Q & iOS 13 Privacy Enhancements, Jul 18, 2019
    OWASP Global AppSec - DC, Sep 9-13, 2019 | Washington, DC
  • 38. OPEN Q&A
    Use the “Ask a Question” tab below the slides
    BRIAN REED, CMO, NOWSECURE
    ALAN SNYDER, CEO, NOWSECURE