Please, Please, PLEASE! Defend Your Mobile Apps! 
Jerod Brennen, CISSP 
CTO & Principal Security Consultant, Jacadis 
Strengthening Cybersecurity Defenders #ISC2Congress
Agenda 
» A Little Understanding Goes a Long Way 
» Mobile App Defense 101 
» Attacking Your Own Apps 
» Vetting Apps 
» Resources
How to Write Good Code 
From http://xkcd.com/844/ 
Understand Your Environment 
» What development methodologies do we follow? 
» What programming languages do we use? 
» What risk/security frameworks do we follow? 
» What third-party libraries do we use? 
» What stages in the development process require approval from the security team?
Understand Your Platforms 
» iOS 
» Android 
» BlackBerry 
» Windows
Four Key Security Checks
» Defined Security Requirements
– Project Plan
– RFP, Contracts, etc.
» Source Code Security Reviews
– Manual Reviews
– Reverse Binaries
» Security Tests in QA
• Positive AND Negative Test Cases
» Analysis of “Deployed” Apps
• Automated Scans
• Manual Analysis
Source Code Reviews (OWASP) 
» Methodology (v1.1, current) 
• Preparation 
• Security Code Review in the SDLC 
• Security Code Review Coverage 
• Application Threat Modeling 
• Code Review Metrics 
» Methodology (v2.0, in development) 
• Preparation 
• Application Threat Modeling 
• Understanding Code Layout/Design/Architecture 
• Reviewing by Technical Control 
• Reviewing by Vulnerability 
• Security Code Review for Agile Development
QA Security Test Cases 
» Positive AND Negative 
» Top 10 Negative Test Cases 
• Embedded Single Quote 
• Required Data Entry 
• Field Type Test 
• Field Size Test 
• Numeric Bounds Test 
• Numeric Limits Test 
• Date Bounds Test 
• Date Validity 
• Web Session Testing 
• Performance Changes 
List from http://www.sqatester.com/methodology/Top10NegativeTestCases.htm
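The eight input-validation cases from the list above, run against a small form validator. This is an added example, not part of the original slides; the field names, limits and date window are assumptions made for the demo.

```python
"""Added example (not from the slides): a constructed form validator plus one
negative test case per input-validation item on the slide's Top 10 list."""
import re
from datetime import date

# Constructed field policy for a hypothetical "transfer" form (assumption).
FIELD_RULES = {
    "account_name": {"required": True, "type": str, "max_len": 32},
    "amount":       {"required": True, "type": int, "min": 1, "max": 10_000},
    "memo":         {"required": False, "type": str, "max_len": 140},
    "post_date":    {"required": True, "type": str, "fmt": r"^\d{4}-\d{2}-\d{2}$"},
}
DATE_MIN, DATE_MAX = date(2000, 1, 1), date(2099, 12, 31)   # assumed bounds


def validate(form: dict) -> list:
    """Return a list of validation errors; an empty list means the input is accepted."""
    errors = []
    for name, rule in FIELD_RULES.items():
        value = form.get(name)
        if value is None or value == "":
            if rule["required"]:
                errors.append(f"{name}: required")          # Required Data Entry
            continue
        if not isinstance(value, rule["type"]):
            errors.append(f"{name}: wrong type {type(value).__name__}")  # Field Type
            continue
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{name}: longer than {rule['max_len']}")       # Field Size
        if "min" in rule and value < rule["min"]:
            errors.append(f"{name}: below minimum {rule['min']}")         # Numeric Bounds
        if "max" in rule and value > rule["max"]:
            errors.append(f"{name}: above maximum {rule['max']}")         # Numeric Limits
        if "fmt" in rule:
            if not re.match(rule["fmt"], value):
                errors.append(f"{name}: bad format")
            else:
                try:
                    d = date.fromisoformat(value)       # rejects 2014-02-30 (Date Validity)
                except ValueError:
                    errors.append(f"{name}: not a real date")
                else:
                    if not (DATE_MIN <= d <= DATE_MAX):   # Date Bounds
                        errors.append(f"{name}: outside {DATE_MIN}..{DATE_MAX}")
    # Embedded Single Quote: the test exists to prove the app neither breaks nor
    # misbehaves on it; SQL safety still comes from parameterised queries, not this.
    for name in ("account_name", "memo"):
        if isinstance(form.get(name), str) and "'" in form[name]:
            errors.append(f"{name}: contains single quote")
    return errors


# A known-good submission (constructed) that every negative case mutates.
GOOD = {"account_name": "Savings", "amount": 250, "memo": "rent", "post_date": "2014-09-30"}

# Negative test cases from the slide's list; each one must be rejected.
NEGATIVE_CASES = {
    "embedded single quote": {**GOOD, "memo": "O'Brien"},
    "required data entry":   {**GOOD, "account_name": ""},
    "field type":            {**GOOD, "amount": "250"},
    "field size":            {**GOOD, "account_name": "A" * 33},
    "numeric bounds":        {**GOOD, "amount": 0},
    "numeric limits":        {**GOOD, "amount": 2**31},
    "date bounds":           {**GOOD, "post_date": "1999-12-31"},
    "date validity":         {**GOOD, "post_date": "2014-02-30"},
}


def run_negative_cases() -> dict:
    """Map each negative case to True when the validator rejected it."""
    return {label: bool(validate(form)) for label, form in NEGATIVE_CASES.items()}
```

A QA suite would assert that every entry of `run_negative_cases()` is True and that the positive case yields no errors.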
Application Analysis 
» Automated scanning tools and manual analysis 
» OWASP Testing Guide (v3) 
• Information Gathering 
• Configuration Management Testing 
• Authentication Testing 
• Session Management Testing 
• Authorization Testing 
• Business Logic Testing 
• Data Validation Testing 
• Testing for Denial of Service 
• Web Services Testing 
• AJAX Testing 
» 42+ Secure Mobile Development Best Practices (viaForensics)
OWASP Top 10 Mobile Risks 
Image from https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks 
iOS AppSec Cheat Sheet 
Image from https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet 
Deconstructing .ipa Files 
» Download from app store
• Mac OS X 10.7 Lion: ~/Music/iTunes/iTunes Media/Mobile Applications/
• Mac OS X 10.6: ~/Music/iTunes/Mobile Applications/
• Windows 7: C:\Users\Username\My Music\iTunes\iTunes Media\Mobile Applications
» Extract app to folder using 7-zip
» Manually examine the files using Notepad++ or prgrep
» Look for sensitive info (integration points)
• Connection strings
• Calls to Internet-facing web services
• Calls to other local resources
iOS Target Files
File name/extension       Description
.sinf                     Apple iOS digital rights management file
.supp                     Apple iOS file (archives)
.plist                    Apple property list XML file
.nib                      Apple Interface Builder user interface resources
.sqlite                   SQLite database file
AppName <no extension>    App file itself
ChangeLog <no extension>  No! Bad developer! Bad!
PkgInfo <no extension>    4b package type + 4b app signature
Deconstructing .apk Files 
» Download from app store
• Copy .apk file from rooted Android device to laptop via USB cable
• Send .apk file from non-rooted Android device to Dropbox via APK Extractor
• Alternately, you can download some .apk files from .apk archive sites
» Extract app to folder using 7-zip
» Manually examine the files using Notepad++ or prgrep
» Look for sensitive info (integration points)
• Connection strings
• Calls to Internet-facing web services
• Calls to other local resources
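The triage the two slides above describe, for both .ipa and .apk packages (each is a zip archive): inventory the entries, flag files that should not ship, and grep for connection strings, service URLs and local resource references. Added example, not from the original slides; the package it scans is constructed in memory, and the regexes and red-flag file names are assumptions.

```python
"""Added example (not from the slides): triage an .ipa/.apk archive the way the
deconstruction slides describe.  Everything scanned here is constructed."""
import io
import re
import zipfile
from collections import Counter

# Patterns for the "sensitive info (integration points)" the slides list.
# Assumed patterns; tune them for the app under review.
PATTERNS = {
    "url":         re.compile(rb"https?://[\w.\-]+(?::\d+)?(?:/[\w./\-?=&%]*)?"),
    "conn_string": re.compile(rb"(?:jdbc:|mongodb://|Server=|Data Source=)[^\s\"'\x00]+", re.I),
    "credential":  re.compile(rb"(?:password|passwd|api[_-]?key|secret)\s*[=:]\s*[^\s\"'\x00]+", re.I),
    "local_path":  re.compile(rb"(?:content://|file:///)[\w./\-]+"),
}
# File names that should never ship in a release build (the slide's ChangeLog).
RED_FLAG_NAMES = {"ChangeLog", "changelog.txt", "README", "TODO"}


def triage(archive: bytes) -> dict:
    """Inventory the archive by extension, list red-flag files, and return
    pattern hits keyed by entry name."""
    inventory, red_flags, findings = Counter(), [], {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            ext = base.rsplit(".", 1)[-1].lower() if "." in base else "<no extension>"
            inventory[ext] += 1
            if base in RED_FLAG_NAMES:
                red_flags.append(info.filename)
            data = zf.read(info)          # binary-safe: .dex/.so are scanned as bytes
            hits = {}
            for label, rx in PATTERNS.items():
                matches = sorted({m.decode("utf-8", "replace") for m in rx.findall(data)})
                if matches:
                    hits[label] = matches
            if hits:
                findings[info.filename] = hits
    return {"inventory": dict(inventory), "red_flags": red_flags, "findings": findings}


def build_sample_package() -> bytes:
    """Constructed stand-in for an app package (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.demo'/>")
        zf.writestr("classes.dex", b"dex\n035\x00https://api.example.com/v1/login\x00"
                                   b"password=placeholder\x00")
        zf.writestr("res/raw/config.properties", b"db=jdbc:mysql://db.example.internal:3306/app\n")
        zf.writestr("assets/ChangeLog", b"1.2: removed debug endpoint http://dev.example.com/debug\n")
        zf.writestr("lib/armeabi/libnative.so", b"\x7fELF" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    report = triage(build_sample_package())
    print("inventory:", report["inventory"])
    print("red flags:", report["red_flags"])
    for entry, hits in report["findings"].items():
        for label, values in hits.items():
            print(f"{entry}: {label} -> {values}")
```

Every hit is a question for the development team (why is it in the package, is the endpoint reachable over TLS, does the app need that local resource), not an automatic finding.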
Android Target Files 
File name/extension   Description
Assets <folder>       All your base are belong in here
Lib <folder>          .so files (third party libraries)
META-INF <folder>     .rsa, .sf, manifest.mf (hash values + certs = integrity)
Res <folder>          XML files and supporting graphics (how the app draws the interface)
Templates <folder>    Licenses, release notes, etc.
AndroidManifest.xml   Info that the device needs before it can run the app
classes.dex           Dalvik Executable (Exterminate! Exterminate!)
resources.arsc        Compiled application resources (strings, images, etc.)
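An added example (not from the slides) for the "hash values + certs = integrity" row: it recomputes each entry's digest and compares it with the value recorded in META-INF/MANIFEST.MF, which is how the JAR-style (v1) signing layout ties every file to the manifest. It checks only the manifest-to-file step; the signature over the manifest (CERT.SF and CERT.RSA) is not verified here. The package is constructed in memory and its contents are assumptions.

```python
"""Added example (not from the slides): verify MANIFEST.MF digests against the
files actually present in an APK-style zip.  Constructed sample package."""
import base64
import hashlib
import io
import zipfile

# Digest headers the JAR/APK v1 manifest may carry, mapped to hashlib names.
DIGEST_ALGOS = {"SHA1-Digest": "sha1", "SHA-256-Digest": "sha256"}


def parse_manifest(text: str) -> dict:
    """Return {entry name: {header: value}} for each per-entry section of MANIFEST.MF."""
    lines = []
    for raw in text.splitlines():           # unfold 72-byte continuation lines
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, section = {}, {}
    for line in lines + [""]:               # a blank line terminates a section
        if not line:
            if "Name" in section:           # the main section has no Name header
                entries[section["Name"]] = section
            section = {}
            continue
        key, _, value = line.partition(": ")
        section[key] = value
    return entries


def verify_manifest(archive: bytes) -> dict:
    """Return {entry: status}; status is 'ok', 'mismatch', 'unlisted' or 'missing'."""
    status = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        names = [i.filename for i in zf.infolist()
                 if not i.is_dir() and not i.filename.startswith("META-INF/")]
        for name in names:
            section = manifest.get(name)
            algo = next((h for h in DIGEST_ALGOS if section and h in section), None)
            if algo is None:
                status[name] = "unlisted"   # file the manifest never covered
                continue
            actual = hashlib.new(DIGEST_ALGOS[algo], zf.read(name)).digest()
            expected = base64.b64decode(section[algo])
            status[name] = "ok" if actual == expected else "mismatch"
        for name in manifest:
            if name not in names:
                status[name] = "missing"    # listed but removed from the archive
    return status


def build_signed_sample(tamper: bool = False) -> bytes:
    """Constructed package whose manifest digests cover two entries; with
    tamper=True one entry is modified and one is added after the manifest is built."""
    files = {
        "classes.dex": b"dex\n035\x00constructed-bytecode",
        "res/layout/main.xml": b"<LinearLayout/>",
    }
    sections = ["Manifest-Version: 1.0", "Created-By: example (constructed)", ""]
    for name, data in files.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        sections += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
    if tamper:
        files["classes.dex"] += b"\x00injected"          # modified after signing
        files["assets/extra.txt"] = b"dropped in later"   # not covered by manifest
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(sections))
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for label, pkg in (("clean", build_signed_sample()), ("tampered", build_signed_sample(True))):
        print(label, verify_manifest(pkg))
```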
Man-in-the-Middle 
» Plug laptop into wired network connection
» Create an ad hoc wireless network on laptop
» Connect mobile device to ad hoc wireless network
» Start Wireshark on laptop
• Capture ALL packets between mobile device and server
» Use mobile device as a normal end user
» Analyze Wireshark traffic
• Unencrypted credentials
• Unencrypted account information
• Connection strings to servers (including third parties)
» Alternately, use a proxy like Mallory (TCP) or Charles/Burp (HTTP)
iOS Reverse Engineering Toolkit 
Running iRET
» Jailbreak your iDevice
» Install supporting utilities
» Install the target app on jailbroken iDevice
» Open iRET app
» Open the target app
» Browse to http://deviceip:5555 from your laptop
Supporting Utilities
» oTool
» dumpDecrypted
» Sqlite
» Theos
» Keychain_dumper
» file
» plutil
» Class-dump-z
Vetting an App
» Encrypted communications
» Encrypted storage
» Use of UUID
» Analytics and ad services
» Location services
» Data sharing capabilities
– Bluetooth
» Access to…
• Address book
• Calendar
• Reminder
• Photos
• Microphone
• Social media services
• Lock screen images
• Cloud-based file sharing services
Vetting Support
Resources 
» Wireshark 
• http://www.wireshark.org/ 
» SQLite Database Browser 
• http://sourceforge.net/projects/sqlitebrowser/ 
» iPhone Backup Analyzer 
• http://www.ipbackupanalyzer.com/ 
» iOS Reverse Engineering Toolkit 
• http://blog.veracode.com/2014/03/introducing-the-ios-reverse-engineering-toolkit/
• https://www.veracode.com/iret-ios-reverse-engineering-toolkit 
» Charles Web Debugging Proxy 
• http://www.charlesproxy.com/
Resources 
» AXMLPrinter2 
• https://code.google.com/p/android4me/downloads/list 
» Android SDK + Android Developer Tools (ADT bundle)
• http://developer.android.com/sdk/index.html 
» dex2jar 
• https://code.google.com/p/dex2jar/ 
» Java Decompiler (JD-GUI) 
• http://jd.benow.ca/ 
» Step-by-Step Guide to Decompiling Android Apps 
• http://slandail.net/step-by-step-guide-to-decompiling-android-apps/
Resources 
» Clueful 
• http://www.cluefulapp.com/ 
» viaProtect 
• https://www.viaprotect.com/ 
» Malwarebytes 
• https://www.malwarebytes.org/mobile/ 
» Lookout 
• https://www.lookout.com/ 
» MyPermissions 
• http://mypermissions.com/
Questions? 
Jerod Brennen, CISSP 
CTO & Principal Security Consultant, Jacadis 
LinkedIn: http://www.linkedin/com/in/slandail 
Twitter: https://twitter.com/slandail 
http://www.jacadis.com/ 
contact@jacadis.com

Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 

Recently uploaded (20)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 

Please, Please, PLEASE Defend Your Mobile Apps!

9. Application Analysis
» Automated scanning tools and manual analysis
» OWASP Testing Guide (v3)
• Information Gathering
• Configuration Management Testing
• Authentication Testing
• Session Management Testing
• Authorization Testing
• Business Logic Testing
• Data Validation Testing
• Testing for Denial of Service
• Web Services Testing
• AJAX Testing
» 42+ Secure Mobile Development Best Practices (viaForensics)
10. OWASP Top 10 Mobile Risks
Image from https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks
11. iOS AppSec Cheat Sheet
Image from https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet
12. Deconstructing .ipa Files
» Download from app store
• Mac OS X 10.7 Lion: ~/Music/iTunes/iTunes Media/Mobile Applications/
• Mac OS X 10.6: ~/Music/iTunes/Mobile Applications/
• Windows 7: C:\Users\Username\My Music\iTunes\iTunes Media\Mobile Applications
» Extract app to folder using 7-zip
» Manually examine the files using Notepad++ or prgrep
» Look for sensitive info (integration points)
• Connection strings
• Calls to Internet-facing web services
• Calls to other local resources
13. iOS Target Files
File name/extension: Description
» .sinf: Apple iOS digital rights management file
» .supp: Apple iOS file (archives)
» .plist: Apple property list XML file
» .nib: Apple Interface Builder user interface resources
» .sqlite: SQLite database file
» AppName <no extension>: App file itself
» ChangeLog <no extension>: No! Bad developer! Bad!
» PkgInfo <no extension>: 4-byte package type + 4-byte app signature
14. Deconstructing .apk Files
» Download from app store
• Copy .apk file from rooted Android device to laptop via USB cable
• Send .apk file from non-rooted Android device to Dropbox via APK Extractor
• Alternately, you can download some .apk files from .apk archive sites
» Extract app to folder using 7-zip
» Manually examine the files using Notepad++ or prgrep
» Look for sensitive info (integration points)
• Connection strings
• Calls to Internet-facing web services
• Calls to other local resources
15. Android Target Files
File name/extension: Description
» Assets <folder>: All your base are belong in here
» Lib <folder>: .so files (third-party libraries)
» META-INF <folder>: .rsa, .sf, manifest.mf (hash values + certs = integrity)
» Res <folder>: XML files and supporting graphics (how the app draws the interface)
» Templates <folder>: Licenses, release notes, etc.
» AndroidManifest.xml: Info that the device needs before it can run the app
» classes.dex: Dalvik Executable (Exterminate! Exterminate!)
» resources.arsc: Compiled application resources (strings, images, etc.)
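Scripting the "look for sensitive info (integration points)" step of the .ipa and .apk walkthroughs above, as an added example that is not from the slides: it assumes the package has already been extracted into a folder with 7-zip, and its regexes, leftover-file list and sample files are constructed for the example.

```python
# Added example (not from the slides): sweep an extracted .ipa/.apk folder for
# integration points and leftovers. Regexes and file names are this example's own.
import os, re, sys, tempfile
from dataclasses import dataclass

TEXT_EXTS = (".plist", ".xml", ".json", ".properties", ".txt", ".mf", ".js", ".html")
LEFTOVER_NAMES = {"changelog", "todo", ".ds_store", "debug.keystore"}  # slide 13: "Bad developer!"
PATTERNS = {  # kind -> regex (constructed; extend for your own frameworks)
    "cleartext_url": re.compile(r"\bhttp://[^\s\"'<>]+"),
    "https_url": re.compile(r"\bhttps://[^\s\"'<>]+"),
    "conn_string": re.compile(r"(?i)\b(?:jdbc:|mongodb://|mysql://|Data Source=|Server=)[^\s\"'<>]+"),
    "secret_assign": re.compile(r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*[\"']?[^\s\"'<>]{4,}"),
}
REVIEW_KINDS = {"cleartext_url", "conn_string", "secret_assign", "leftover_file"}

@dataclass(frozen=True)
class Finding:
    kind: str
    path: str  # relative to the extracted root
    line: int  # 0 for whole-file findings
    text: str

def scan_file(path: str, rel: str) -> list:
    """Grep one text-like file for every pattern (binary plists and dex are skipped by the caller)."""
    out = []
    with open(path, encoding="utf-8", errors="ignore") as fh:
        for lineno, line in enumerate(fh, 1):
            for kind, rx in PATTERNS.items():
                out.extend(Finding(kind, rel, lineno, m.group(0)) for m in rx.finditer(line))
    return out

def scan_tree(root: str) -> list:
    """Walk the extracted package: flag leftover files, grep text-like and small extensionless files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower() in LEFTOVER_NAMES:
                findings.append(Finding("leftover_file", rel, 0, name))
            if name.lower().endswith(TEXT_EXTS) or ("." not in name and os.path.getsize(path) < 1_000_000):
                findings.extend(scan_file(path, rel))
    return sorted(findings, key=lambda f: (f.kind not in REVIEW_KINDS, f.path, f.line))

def needs_review(findings: list) -> list:  # what a release reviewer must sign off on
    return [f for f in findings if f.kind in REVIEW_KINDS]

def build_sample_tree(base: str) -> str:
    """Constructed stand-in for an extracted .ipa so the script runs offline."""
    app = os.path.join(base, "Payload", "Demo.app")
    os.makedirs(app)
    with open(os.path.join(app, "Info.plist"), "w") as fh:
        fh.write("<key>APIBase</key><string>http://api.example.invalid/v1</string>\n"
                 "<key>Analytics</key><string>https://stats.example.invalid</string>\n")
    with open(os.path.join(app, "ChangeLog"), "w") as fh:  # leftover file with an embedded secret
        fh.write("1.2: removed debug password=hunter2-example\n")
    return base

def sample_findings() -> list:
    return scan_tree(build_sample_tree(tempfile.mkdtemp()))

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree(tempfile.mkdtemp())
    for f in needs_review(scan_tree(root)):
        print(f"{f.kind:14} {f.path}:{f.line}  {f.text}")
```

Binary plists and classes.dex are not text, so convert them first (plutil and dex2jar from the Resources slides) and sweep the converted output as well.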
16. Man-in-the-Middle
» Plug laptop into wired network connection
» Create an ad hoc wireless network on laptop
» Connect mobile device to ad hoc wireless network
» Start Wireshark on laptop
• Capture ALL packets between mobile device and server
» Use mobile device as a normal end user
» Analyze Wireshark traffic
• Unencrypted credentials
• Unencrypted account information
• Connection strings to servers (including third parties)
» Alternately, use a proxy like Mallory (TCP) or Charles/Burp (HTTP)
17. iOS Reverse Engineering Toolkit
Running iRET
» Jailbreak your iDevice
» Install supporting utilities
» Install the target app on jailbroken iDevice
» Open iRET app
» Open the target app
» Browse to http://deviceip:5555 from your laptop
Supporting Utilities
» oTool
» dumpDecrypted
» Sqlite
» Theos
» Keychain_dumper
» file
» plutil
» Class-dump-z
18. Vetting an App
» Encrypted communications
» Encrypted storage
» Use of UUID
» Analytics and ad services
» Location services
» Data sharing capabilities
– Bluetooth
» Access to…
• Address book
• Calendar
• Reminder
• Photos
• Microphone
• Social media services
• Lock screen images
• Cloud-based file sharing services
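One way to turn the "Access to…" checklist above into a repeatable check for Android apps, as an added example (not from the slides): it reads a decoded AndroidManifest.xml (plain XML, the form AXMLPrinter2 produces from the binary manifest in the .apk), groups the declared permissions under the vetting categories, and flags a debuggable build. The permission-to-category table and the sample manifest are this example's own.

```python
# Added example (not from the slides): map a decoded AndroidManifest.xml onto the
# slide-18 vetting categories. The permission table below is this example's own.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"  # the real Android XML namespace
CATEGORIES = {  # constructed mapping onto the "Access to..." items of the vetting slide
    "android.permission.READ_CONTACTS": "Address book",
    "android.permission.WRITE_CONTACTS": "Address book",
    "android.permission.READ_CALENDAR": "Calendar",
    "android.permission.WRITE_CALENDAR": "Calendar",
    "android.permission.RECORD_AUDIO": "Microphone",
    "android.permission.CAMERA": "Photos",
    "android.permission.READ_EXTERNAL_STORAGE": "Photos",
    "android.permission.ACCESS_FINE_LOCATION": "Location services",
    "android.permission.ACCESS_COARSE_LOCATION": "Location services",
    "android.permission.BLUETOOTH": "Data sharing (Bluetooth)",
    "android.permission.BLUETOOTH_ADMIN": "Data sharing (Bluetooth)",
    "android.permission.INTERNET": "Network access",
}


def declared_permissions(manifest_xml: str) -> list:
    """Every <uses-permission android:name=...> in declaration order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")]


def vet_manifest(manifest_xml: str) -> dict:
    """Group permissions by vetting category; unmapped ones go to 'Other' for manual review."""
    report = {}
    for perm in declared_permissions(manifest_xml):
        report.setdefault(CATEGORIES.get(perm, "Other"), []).append(perm)
    app = ET.fromstring(manifest_xml).find("application")
    # android:debuggable defaults to false; a release package should never set it to true
    if app is not None and app.get(ANDROID_NS + "debuggable", "false").lower() == "true":
        report.setdefault("Release hygiene", []).append("android:debuggable=true")
    return report


# Constructed manifest in the shape AXMLPrinter2 emits from the binary one in an .apk
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="com.example.demo.CUSTOM"/>
  <application android:label="Demo" android:debuggable="true"/>
</manifest>
"""

if __name__ == "__main__":
    for category, items in sorted(vet_manifest(SAMPLE_MANIFEST).items()):
        print(f"{category}: {', '.join(items)}")
```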
20. Resources
» Wireshark
• http://www.wireshark.org/
» SQLite Database Browser
• http://sourceforge.net/projects/sqlitebrowser/
» iPhone Backup Analyzer
• http://www.ipbackupanalyzer.com/
» iOS Reverse Engineering Toolkit
• http://blog.veracode.com/2014/03/introducing-the-ios-reverse-engineering-toolkit/
• https://www.veracode.com/iret-ios-reverse-engineering-toolkit
» Charles Web Debugging Proxy
• http://www.charlesproxy.com/
21. Resources
» AXMLPrinter2
• https://code.google.com/p/android4me/downloads/list
» Android SDK + Android Developer Tools (ADT bundle)
• http://developer.android.com/sdk/index.html
» dex2jar
• https://code.google.com/p/dex2jar/
» Java Decompiler (JD-GUI)
• http://jd.benow.ca/
» Step-by-Step Guide to Decompiling Android Apps
• http://slandail.net/step-by-step-guide-to-decompiling-android-apps/
22. Resources
» Clueful
• http://www.cluefulapp.com/
» viaProtect
• https://www.viaprotect.com/
» Malwarebytes
• https://www.malwarebytes.org/mobile/
» Lookout
• https://www.lookout.com/
» MyPermissions
• http://mypermissions.com/
23. Questions?
Jerod Brennen, CISSP
CTO & Principal Security Consultant, Jacadis
LinkedIn: http://www.linkedin.com/in/slandail
Twitter: https://twitter.com/slandail
http://www.jacadis.com/
contact@jacadis.com