SlideShare ist ein Scribd-Unternehmen logo

Mobile Application Security Code Reviews

Denim Group
Denim Group

This document provides an overview of a mobile app security code review presentation given at BSides Las Vegas 2011. The presentation focused on identifying security issues in mobile apps related to data storage, third-party services, and untrusted inputs. It also covered platform-specific concerns for Android and iOS apps, such as encryption best practices, network communication standards, and input validation. Static code analysis techniques were discussed for examining how apps store data, access external services, and handle untrusted content.

Technologie
1 von 48
Downloaden Sie, um offline zu lesen
Mobile App Security Code Reviews Security BSides Las Vegas 2011 © Copyright 2011 Denim Group - All Rights Reserved
Instructor Dan Cornell dan@denimgroup.com @danielcornell www.denimgroup.com www.smartphonesdumbapps.com (210) 572-4400 © Copyright 2011 Denim Group - All Rights Reserved 1
My Background • Dan Cornell – Founder and CTO Denim Group • Software developer by background (Java, .NET, etc.) • Denim Group – Build software with special security, performance, reliability requirements – Help organizations deal with the risk associated with their software • Code reviews and application assessments • SDLC consulting • Secure development training – instructor-led and e-Learning © Copyright 2011 Denim Group - All Rights Reserved 2
Agenda 1. Introduction and Overview 2. Data: In Motion and at Rest 3. Other Dangerous Inputs 4. Platform-Specific Concerns 5. Conclusions / Questions © Copyright 2011 Denim Group - All Rights Reserved 3
1 – Introduction and Overview • Focus For This Class • Security Implications for Mobile Applications • Mobile Application Threat Model • Testing the Security of Mobile Applications • Platform Background – Android – iOS © Copyright 2011 Denim Group - All Rights Reserved 4
Tradeoffs: Value versus Risk • Mobile applications can create tremendous value for organizations – New classes of applications utilizing mobile capabilities: GPS, camera, etc. – Innovating applications for employees and customers • Mobile devices and mobile applications can create tremendous risks – Sensitive data inevitably stored on the device (email, contacts) – Connect to a lot of untrusted networks (carrier, WiFi) • Most developers are not trained to develop secure applications – Fact of life, but slowing getting better • Most developers are new to creating mobile applications – Different platforms have different security characteristics and capabilities © Copyright 2011 Denim Group - All Rights Reserved 5
Smart Phones, Dumb Apps • Lots of media focus on device and platform security – Important because successful attacks give tremendous attacker leverage • Most organizations: – Accept realities of device and platform security – Concerned about the security of their custom applications – Concerned about sensitive data on the device because of their apps – Concerned about network-available resources that support their apps • Who has mobile application deployed for customers? • Who has had mobile applications deployed without their knowledge? – *$!%$# marketing department… © Copyright 2011 Denim Group - All Rights Reserved 6
Generic Mobile Application Threat Model © Copyright 2011 Denim Group - All Rights Reserved 7
Some Assumptions for Developers • Smartphone applications are essentially thick-client applications – That people carry in their pockets – And drop in toilets – And put on eBay when the new iPhone comes out – And leave on airplanes – And so on… • Attackers will be able to access: – Target user (victim) devices – Your application binaries • What else should you assume they know or will find out? © Copyright 2011 Denim Group - All Rights Reserved 8
Testing the Security of Mobile Applications • IMPORTANT: It is really the system as a whole you care about – Application plus… – 3rd party web services – Enterprise services – And so on • The most “interesting” weaknesses and vulnerabilities we find are in mobile applications’ interactions with supporting services • Mobile applications are different than web applications – Can’t just fire up an automated scanner and turn up a bunch of SQL injection and XSS vulnerabilities – Usually… © Copyright 2011 Denim Group - All Rights Reserved 9
Testing the Security of Mobile Applications Type of Analysis Activities Static Analysis Source Code Source code scanning Manual source code review Binary Reverse engineering Dynamic Analysis Debugger execution Traffic capture via proxy Forensic Analysis File permission analysis File content analysis © Copyright 2011 Denim Group - All Rights Reserved 10
Platform Background: Android • Linux-based operating system • Applications typically written in Java • Java compiled to DEX bytecode for the Dalvik virtual machine – Kind of like a Java virtual machine – Register-based rather than stack-based © Copyright 2011 Denim Group - All Rights Reserved 11
Platform Background: • UNIX-based operating system • Applications written in Objective-C © Copyright 2011 Denim Group - All Rights Reserved 12
Pandemobium Stock Trader Application • Android and iOS versions • Functionality – Log in – Track stock tips – Make stock trades – Get stock tips – Share stock tips • We will use as an example through the class © Copyright 2011 Denim Group - All Rights Reserved 13
2 – Data: In Motion and at Rest • Local Data Storage • Consuming 3rd Party Web Services • Mobile Applications and Enterprise Services © Copyright 2011 Denim Group - All Rights Reserved 14
Local Data Storage • Overview • Identifying Potential Storage Issues • Encryption Best Practices © Copyright 2011 Denim Group - All Rights Reserved 15
Local Data Storage Overview • If you store data on the device it can be captured – How you store the data can impact how easy this is – But at the end of the day it can be captured – So be careful what you store on the device. And be careful how you store it • But what if I encrypt the data? – Great idea. Where are you going to store the key? • This is an issue that gets a lot of media attention © Copyright 2011 Denim Group - All Rights Reserved 16
Local Data Storage: Android • Files – Internal storage (file permissions enforced) – External storage (no file permissions enforced) • SQLite Databases • Shared Preferences • Web Cache © Copyright 2011 Denim Group - All Rights Reserved 17
Android Data Storage • In Android, every application gets its own uid/gid – Clever use of the Linux security model – But external storage does not have permission enforcement • Default permissions are to be readable and writeable by the app only – Files – SQLite databases – Shared Permissions – Context.MODE_PRIVATE • But of course you can override this – Context.MODE_WORLD_READABLE – Context.MODE_WORLD_WRITEABLE © Copyright 2011 Denim Group - All Rights Reserved 18
Local Data Storage: • Files • SQLite Databases • plist Files • Keychain • Web Cache © Copyright 2011 Denim Group - All Rights Reserved 19
Android Static Analysis for Storage Issues • Android-specific functions for file handling: – Context.openFileOutput() – Context.openFileInput() – Context.getDir() • Android-specific functions for SQLite database handling: – Context.openOrCreateDatabase() – Context.getDatabasePath() – SQLiteDatabase.openDatabase() © Copyright 2011 Denim Group - All Rights Reserved 20
Android Static Analysis for Storage Issues • Android-specific functions for Shared Preferences handling – Context.getSharedPreferences() • Android-specific functions for cache handling: – Context.getCacheDir() – Context.getExternalCacheDir() • Non-Android-specific functions – Anything else you would examine in Java – java.io and the like © Copyright 2011 Denim Group - All Rights Reserved 21
Android Static Analysis for Storage Issues • File permissions: – MODE_PRIVATE – generally all right – MODE_WORLD_READABLE, MODE_WORLD_WRITEABLE – why? • What is being stored? • How is it being used? • World readable/writeable files can be manipulated by malicious applications © Copyright 2011 Denim Group - All Rights Reserved 22
iOS Static Analysis for Storage Issues • NSFileManager class – NSFileProtectionKey attribute • NSFileProtectionNone – Always accessible • NSFileProtectionComplete – Encrypted on disk when device is locked or booting • UIApplicationProtectedDataWillBecomeUnavailable notification – Fired when application data is about to become unavailable – References to sensitive files should be dropped © Copyright 2011 Denim Group - All Rights Reserved 23
Encryption Best Practices • Key management is a huge problem • If encrypted data and the key are stored on the device… • Android Encryption – Access to javax.crypto libraries – Open source options like Bouncy Castle • iOS Encryption – Access to common crypto algorithms – Keychain available for encrypted storage © Copyright 2011 Denim Group - All Rights Reserved 24
iOS Keychain • Allows you to store key/value pairs using iOS protections • Default: only visible to “owning” application • Possible values for kSecAttrAccessible: – kSecAttrAccessibleWhenUnlocked – kSecAttrAccessibleAfterFirstUnlock – kSecAttrAccessibleAlways – kSecAttrAccessibleWhenUnlockedThisDeviceOnly – kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly – kSecAttrAccessibleAlwaysThisDeviceOnly • But… – Clever German researchers found out how to dump non-PIN protected data – And clever Russian researchers found out how to brute-force the PIN – Do not store sensitive data on the device © Copyright 2011 Denim Group - All Rights Reserved 25
Consuming 3rd Party Web Services • Overview • Identifying Services In Use • Data Communications and Handling Best Practices © Copyright 2011 Denim Group - All Rights Reserved 26
Overview of Consuming 3rd Party Web Services • Interesting apps need to talk to stuff – And most of that stuff you should not trust • These are untrusted inputs – Positively validate them before use • You do not control what they do with the data – Be careful what you send © Copyright 2011 Denim Group - All Rights Reserved 27
Identifying Services In Use • Look for URL connections • Look for network connections • Look for web controls © Copyright 2011 Denim Group - All Rights Reserved 28
Data Communications and Handling Best Practices • Remember: Mobile devices can talk on lots of different networks • So use SSL – Can not observe or change traffic – DNS concerns • And force it to be used correctly – With valid certificates • Be careful of caching © Copyright 2011 Denim Group - All Rights Reserved 29
Android Network Connections • Android-specific classes: – android.net.* – android.net.SSLCertificateFactory • Make sure server validation has not been turned off • Java platform classes: – java.net.URLConnection – java.net.URL – And so on… © Copyright 2011 Denim Group - All Rights Reserved 30
Android Network Connections • Included Apache classes: – org.apache.http.HttpClient – org.apache.http.HttpPost – org.apache.http.Response • WebView component – Include HTML content in web applications © Copyright 2011 Denim Group - All Rights Reserved 31
iOS Network Connections • CFStream – kCFStreamPropertyShouldCloseNativeSocket – kCFStreamPropertySocketSecurityLevel – kCFStreamPropertySOCKSProxy – kCFStreamPropertySSLPeerCertificates – kCFStreamPropertySSLPeerTrust – kCFStreamPropertySSLSettings • CFHost • NSStream • NSHost • NSURLDownload • NSURL • UIWebView © Copyright 2011 Denim Group - All Rights Reserved 32
What to do With 3rd Party Services? • Largest concern is how they impact YOUR security – Validate all input – Be careful how your logic treats the data – Be careful what you send © Copyright 2011 Denim Group - All Rights Reserved 33
Overview of Mobile Applications and Enterprise Services • If you were a bad guy, would you rather have – The data on one device – All the data on the server – I guess it depends on how advanced and persistent you are… • These provide a great window into your organization – Client data – Transaction data – And so on… • The most serious vulnerabilities we find in assessments deal with apps’ interactions with enterprise services © Copyright 2011 Denim Group - All Rights Reserved 34
3 – Other Dangerous Inputs • Mobile Browser Content Handling © Copyright 2011 Denim Group - All Rights Reserved 35
Mobile Browser Content Handling • Identifying Mobile Browser Content Handlers • Testing the Security of Content Handlers © Copyright 2011 Denim Group - All Rights Reserved 36
Android: Identifying Content Handlers • Look in AndroidManifest.xml • Look for <intent-filter> tags: <intent-filter> <action android:name="android.intent.action.VIEW" /> <category android:name="android.intent.category.DEFAULT" /> <category android:name="android.intent.category.BROWSABLE" /> <data android:scheme=“the_scheme" /> </intent-filter> • But what apps export intents? – http://www.openintents.org/ © Copyright 2011 Denim Group - All Rights Reserved 37
iOS: Identifying Content Handlers • Look in Info.plist • Look for <key>CFBundleURLSchemes</key> <array> <dict> <key>CFBundleURLSchemes</key> <array> <string>the_scheme</string> </array> </dict> </array> • But what apps handle custom schemes? – http://handleopenurl.com/ © Copyright 2011 Denim Group - All Rights Reserved 38
Testing the Security of Content Handlers • How to reach them? – Get a user to click: <a href=“the_scheme://stuff?param=value” /> – Get a user to visit a malicious web page: <iframe src=“the_scheme://stuff?param=value” /> • Approaches: – Fuzzing – Targeted attacks © Copyright 2011 Denim Group - All Rights Reserved 39
Implementing Secure Content Handlers • This is remotely-accessible attack surface • Ask yourself: Do you really need to expose this attack surface? • Of course you do, think of how cool this will be… • Treat that as any untrusted input – Positive validation – Design logic accordingly © Copyright 2011 Denim Group - All Rights Reserved 40
Where Does Tainted Data Come From? • Android: – Activity.getIntent().getData() • iOS: – handleOpenURL() – Now deprecated – openURL() – New method – complete w/ naming conflict © Copyright 2011 Denim Group - All Rights Reserved 41
Interlude: SQL Injection for Mobile Applications • iOS and Android both provide built-in access to SQLite databases • Validate input and properly encode it before including it in SQL queries • Android – query(), rawQuery() – Be careful – compileStatement() – Better, but still be careful • iOS – sqlite3_exec() – Be careful – sqlite3_prepare_v2() – Better, but still be careful – iOS SQLite has such an elegant syntax, doesn’t it? © Copyright 2011 Denim Group - All Rights Reserved 42
But How Bad is SQL Injection in Mobile Apps? • Probably not as bad as SQL injection for web applications – Probably • Remember DREAD: – Damage Potential – Reproducibility – Exploitability – Affected Users – Discoverability © Copyright 2011 Denim Group - All Rights Reserved 43
4 – Platform-Specific Concerns • Secure Coding Practices for the iOS Platform – Buffer overflows and format strings – Everything old is new again – Objective-C is a superset of “actual” C – enjoy © Copyright 2011 Denim Group - All Rights Reserved 44
Let’s Take Apart Some Apps: Android • Example of static • axml2xml.pl – http://code.google.com/p/android-random/downloads/detail?name=axml2xml.pl binary analysis • dedexer – http://dedexer.sourceforge.net/ • Application structure • dex2jar – AndroidManifest.xml – http://code.google.com/p/dex2jar/ – assets/ • JD-GUI – res/ – http://java.decompiler.free.fr/ – classes.dex • SQLite Browser – http://java.decompiler.free.fr/ © Copyright 2011 Denim Group - All Rights Reserved 45
Other Materials • www.smartphonesdumbapps.com – Denim Group presentations, slides and code for mobile application security • http://software-security.sans.org/downloads/appsec-2011- files/dhanjani-hacking-securing-next-gen.pdf - SANS APPSEC SUMMIT 2011 presentation from Nitesh Dhanjani and Sean Pennline • http://www.slideshare.net/SOURCEConference/david-thiel-secure- development-on-ios - SOURCE Boston 2011 presentation from David Thiel from iSecPartners • McAfee mobile pen testing guidelines: – http://www.mcafee.com/us/resources/white-papers/foundstone/wp-pen-testing- iphone-ipad-apps.pdf – http://www.mcafee.com/us/resources/white-papers/foundstone/wp-pen-testing- android-apps.pdf © Copyright 2011 Denim Group - All Rights Reserved 46
5 – Conclusions and Questions Dan Cornell dan@denimgroup.com @danielcornell www.denimgroup.com www.smartphonesdumbapps.com (210) 572-4400 © Copyright 2011 Denim Group - All Rights Reserved 47

Empfohlen

Click jacking
Click jackingClick jacking
Click jackingRonan Dunne, CEH, SSCP
 
Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)danb02
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Malware analysis using volatility
Malware analysis using volatilityMalware analysis using volatility
Malware analysis using volatilityYashashree Gund
 
NGHIÊN CỨU, TRIỂN KHAI CÔNG NGHỆ QRADAR CHO VIỆC GIÁM SÁT AN NINH MẠNG CNTT
NGHIÊN CỨU, TRIỂN KHAI CÔNG NGHỆ QRADAR CHO VIỆC GIÁM SÁT AN NINH MẠNG CNTTNGHIÊN CỨU, TRIỂN KHAI CÔNG NGHỆ QRADAR CHO VIỆC GIÁM SÁT AN NINH MẠNG CNTT
NGHIÊN CỨU, TRIỂN KHAI CÔNG NGHỆ QRADAR CHO VIỆC GIÁM SÁT AN NINH MẠNG CNTTYenPhuong16
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101Digit Oktavianto
 
Breaking The Cloud Kill Chain
Breaking The Cloud Kill ChainBreaking The Cloud Kill Chain
Breaking The Cloud Kill ChainPuma Security, LLC
 
The fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityThe fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityNowSecure
 

Empfohlen

Click jacking
Click jackingClick jacking
Click jackingRonan Dunne, CEH, SSCP
 
Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)danb02
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Malware analysis using volatility
Malware analysis using volatilityMalware analysis using volatility
Malware analysis using volatilityYashashree Gund
 
NGHIÊN CỨU, TRIỂN KHAI CÔNG NGHỆ QRADAR CHO VIỆC GIÁM SÁT AN NINH MẠNG CNTT
NGHIÊN CỨU, TRIỂN KHAI CÔNG NGHỆ QRADAR CHO VIỆC GIÁM SÁT AN NINH MẠNG CNTTNGHIÊN CỨU, TRIỂN KHAI CÔNG NGHỆ QRADAR CHO VIỆC GIÁM SÁT AN NINH MẠNG CNTT
NGHIÊN CỨU, TRIỂN KHAI CÔNG NGHỆ QRADAR CHO VIỆC GIÁM SÁT AN NINH MẠNG CNTTYenPhuong16
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101Digit Oktavianto
 
Breaking The Cloud Kill Chain
Breaking The Cloud Kill ChainBreaking The Cloud Kill Chain
Breaking The Cloud Kill ChainPuma Security, LLC
 
The fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityThe fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityNowSecure
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory ForensicsIIJ
 
ChuyenDeANM ung dung he thong IDS securityonion vao giam sat moi truong mang ...
ChuyenDeANM ung dung he thong IDS securityonion vao giam sat moi truong mang ...ChuyenDeANM ung dung he thong IDS securityonion vao giam sat moi truong mang ...
ChuyenDeANM ung dung he thong IDS securityonion vao giam sat moi truong mang ...nataliej4
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...Lenur Dzhemiliev
 
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Florian Roth
 
Privileged Access Management
Privileged Access ManagementPrivileged Access Management
Privileged Access ManagementHitachi ID Systems, Inc.
 
Threat Hunting with Data Science
Threat Hunting with Data ScienceThreat Hunting with Data Science
Threat Hunting with Data ScienceAustin Taylor
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
CyberArk
CyberArkCyberArk
CyberArkJimmy Sze
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and AnalysisPrashant Chopra
 
Chương 8_Bảo mật và an ninh mạng
Chương 8_Bảo mật và an ninh mạngChương 8_Bảo mật và an ninh mạng
Chương 8_Bảo mật và an ninh mạngHoa Le
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report Rishabh Upadhyay
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Shreeraj Shah
 
Ransomware protection
Ransomware protectionRansomware protection
Ransomware protectionRohit Srivastwa
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis Cysinfo Cyber Security Community
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Chris Gates
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 
Kiểm thử bảo mật web
Kiểm thử bảo mật webKiểm thử bảo mật web
Kiểm thử bảo mật webMinh Tri Nguyen
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile ApplicationsDenim Group
 
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)OWASP Ottawa
 

Weitere ähnliche Inhalte

Was ist angesagt?

Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory ForensicsIIJ
 
ChuyenDeANM ung dung he thong IDS securityonion vao giam sat moi truong mang ...
ChuyenDeANM ung dung he thong IDS securityonion vao giam sat moi truong mang ...ChuyenDeANM ung dung he thong IDS securityonion vao giam sat moi truong mang ...
ChuyenDeANM ung dung he thong IDS securityonion vao giam sat moi truong mang ...nataliej4
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...Lenur Dzhemiliev
 
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Florian Roth
 
Threat Hunting with Data Science
Threat Hunting with Data ScienceThreat Hunting with Data Science
Threat Hunting with Data ScienceAustin Taylor
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and AnalysisPrashant Chopra
 
Chương 8_Bảo mật và an ninh mạng
Chương 8_Bảo mật và an ninh mạngChương 8_Bảo mật và an ninh mạng
Chương 8_Bảo mật và an ninh mạngHoa Le
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report Rishabh Upadhyay
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Shreeraj Shah
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Chris Gates
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 
Kiểm thử bảo mật web
Kiểm thử bảo mật webKiểm thử bảo mật web
Kiểm thử bảo mật webMinh Tri Nguyen
 

Was ist angesagt? (20)

Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
 
ChuyenDeANM ung dung he thong IDS securityonion vao giam sat moi truong mang ...
ChuyenDeANM ung dung he thong IDS securityonion vao giam sat moi truong mang ...ChuyenDeANM ung dung he thong IDS securityonion vao giam sat moi truong mang ...
ChuyenDeANM ung dung he thong IDS securityonion vao giam sat moi truong mang ...
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
 
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
 
Privileged Access Management
Privileged Access ManagementPrivileged Access Management
Privileged Access Management
 
Threat Hunting with Data Science
Threat Hunting with Data ScienceThreat Hunting with Data Science
Threat Hunting with Data Science
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
CyberArk
CyberArkCyberArk
CyberArk
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
Malware Classification and Analysis
Malware Classification and AnalysisMalware Classification and Analysis
Malware Classification and Analysis
 
Chương 8_Bảo mật và an ninh mạng
Chương 8_Bảo mật và an ninh mạngChương 8_Bảo mật và an ninh mạng
Chương 8_Bảo mật và an ninh mạng
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
 
Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
 
Ransomware protection
Ransomware protectionRansomware protection
Ransomware protection
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
 
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
Kiểm thử bảo mật web
Kiểm thử bảo mật webKiểm thử bảo mật web
Kiểm thử bảo mật web
 

Andere mochten auch

Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile ApplicationsDenim Group
 
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)OWASP Ottawa
 
Objective briefing on the current mobile threat 2010/2011
Objective briefing on the current mobile threat 2010/2011Objective briefing on the current mobile threat 2010/2011
Objective briefing on the current mobile threat 2010/2011Транслируем.бел
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security modelPragati Rai
 
Android vs iOS encryption systems
Android vs iOS encryption systemsAndroid vs iOS encryption systems
Android vs iOS encryption systemsBirju Tank
 
Mobile application security and threat modeling
Mobile application security and threat modelingMobile application security and threat modeling
Mobile application security and threat modelingShantanu Mitra
 
Designing Secure Mobile Apps
Designing Secure Mobile AppsDesigning Secure Mobile Apps
Designing Secure Mobile AppsDenim Group
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsSimon Willison
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Ajin Abraham
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...Ajin Abraham
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
Java Web Application Security - Denver JUG 2013
Java Web Application Security - Denver JUG 2013Java Web Application Security - Denver JUG 2013
Java Web Application Security - Denver JUG 2013Matt Raible
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
SN-Security Architecture for Mobile Computing and IoT
SN-Security Architecture for Mobile Computing and IoTSN-Security Architecture for Mobile Computing and IoT
SN-Security Architecture for Mobile Computing and IoTSukumar Nayak
 
The curious case of mobile app security.pptx
The curious case of mobile app security.pptxThe curious case of mobile app security.pptx
The curious case of mobile app security.pptxAnkit Giri
 
2010: Mobile Security - WHYMCA Developer Conference
2010: Mobile Security - WHYMCA Developer Conference2010: Mobile Security - WHYMCA Developer Conference
2010: Mobile Security - WHYMCA Developer ConferenceFabio Pietrosanti
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham
 

Andere mochten auch (20)

Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile Applications
 
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
Security Code Review for .NET - Sherif Koussa (OWASP Ottawa)
 
Objective briefing on the current mobile threat 2010/2011
Objective briefing on the current mobile threat 2010/2011Objective briefing on the current mobile threat 2010/2011
Objective briefing on the current mobile threat 2010/2011
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security model
 
Android vs iOS encryption systems
Android vs iOS encryption systemsAndroid vs iOS encryption systems
Android vs iOS encryption systems
 
Mobile application security and threat modeling
Mobile application security and threat modelingMobile application security and threat modeling
Mobile application security and threat modeling
 
Designing Secure Mobile Apps
Designing Secure Mobile AppsDesigning Secure Mobile Apps
Designing Secure Mobile Apps
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentals
 
Mobile App Security Testing -2
Mobile App Security Testing -2Mobile App Security Testing -2
Mobile App Security Testing -2
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
 
Java Web Application Security - Denver JUG 2013
Java Web Application Security - Denver JUG 2013Java Web Application Security - Denver JUG 2013
Java Web Application Security - Denver JUG 2013
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Mobile_app_security
Mobile_app_securityMobile_app_security
Mobile_app_security
 
SN-Security Architecture for Mobile Computing and IoT
SN-Security Architecture for Mobile Computing and IoTSN-Security Architecture for Mobile Computing and IoT
SN-Security Architecture for Mobile Computing and IoT
 
The curious case of mobile app security.pptx
The curious case of mobile app security.pptxThe curious case of mobile app security.pptx
The curious case of mobile app security.pptx
 
2010: Mobile Security - WHYMCA Developer Conference
2010: Mobile Security - WHYMCA Developer Conference2010: Mobile Security - WHYMCA Developer Conference
2010: Mobile Security - WHYMCA Developer Conference
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
 

Ähnlich wie Mobile Application Security Code Reviews

Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Smart Phones Dumb Apps
Smart Phones Dumb AppsSmart Phones Dumb Apps
Smart Phones Dumb AppsDenim Group
 
Mobile Browser Content Handling
Mobile Browser Content HandlingMobile Browser Content Handling
Mobile Browser Content HandlingDenim Group
 
Skeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsSkeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsDenim Group
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Denim Group
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsDenim Group
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security ProgramDenim Group
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)securityiphonepentest
 
Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applicationsiphonepentest
 
Android Security Humla Part 1
Android Security Humla Part 1Android Security Humla Part 1
Android Security Humla Part 1Nikhil Kulkarni
 
How to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS AppsHow to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS AppsBitbar
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applicationsSatish b
 
Thread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final FinalThread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final FinalRobin Lutchansky
 
Android Security and Peneteration Testing
Android Security and Peneteration TestingAndroid Security and Peneteration Testing
Android Security and Peneteration TestingSurabaya Blackhat
 
Android village @nullcon 2012
Android village @nullcon 2012 Android village @nullcon 2012
Android village @nullcon 2012 hakersinfo
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)ClubHack
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Denim Group
 

Ähnlich wie Mobile Application Security Code Reviews (20)

Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
Smart Phones Dumb Apps
Smart Phones Dumb AppsSmart Phones Dumb Apps
Smart Phones Dumb Apps
 
Mobile Browser Content Handling
Mobile Browser Content HandlingMobile Browser Content Handling
Mobile Browser Content Handling
 
Skeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsSkeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited Applications
 
Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)security
 
Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applications
 
Android Security Humla Part 1
Android Security Humla Part 1Android Security Humla Part 1
Android Security Humla Part 1
 
How to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS AppsHow to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS Apps
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applications
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android Security
 
Webinar on Enterprise Security & android
Webinar on Enterprise Security & androidWebinar on Enterprise Security & android
Webinar on Enterprise Security & android
 
Thread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final FinalThread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final Final
 
Android Security and Peneteration Testing
Android Security and Peneteration TestingAndroid Security and Peneteration Testing
Android Security and Peneteration Testing
 
Android village @nullcon 2012
Android village @nullcon 2012 Android village @nullcon 2012
Android village @nullcon 2012
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
 
Google android os
Google android osGoogle android os
Google android os
 

Mehr von Denim Group

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4JDenim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleDenim Group
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFixDenim Group
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20Denim Group
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramDenim Group
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportDenim Group
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Denim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsDenim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Denim Group
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceDenim Group
 

Mehr von Denim Group (20)

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
 
Application Asset Management with ThreadFix
Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 

Kürzlich hochgeladen

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 

Kürzlich hochgeladen (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

Mobile Application Security Code Reviews

  • 1. Mobile App Security Code Reviews Security BSides Las Vegas 2011 © Copyright 2011 Denim Group - All Rights Reserved
  • 2. Instructor Dan Cornell dan@denimgroup.com @danielcornell www.denimgroup.com www.smartphonesdumbapps.com (210) 572-4400 © Copyright 2011 Denim Group - All Rights Reserved 1
  • 3. My Background • Dan Cornell – Founder and CTO Denim Group • Software developer by background (Java, .NET, etc.) • Denim Group – Build software with special security, performance, reliability requirements – Help organizations deal with the risk associated with their software • Code reviews and application assessments • SDLC consulting • Secure development training – instructor-led and e-Learning © Copyright 2011 Denim Group - All Rights Reserved 2
  • 4. Agenda 1. Introduction and Overview 2. Data: In Motion and at Rest 3. Other Dangerous Inputs 4. Platform-Specific Concerns 5. Conclusions / Questions © Copyright 2011 Denim Group - All Rights Reserved 3
  • 5. 1 – Introduction and Overview • Focus For This Class • Security Implications for Mobile Applications • Mobile Application Threat Model • Testing the Security of Mobile Applications • Platform Background – Android – iOS © Copyright 2011 Denim Group - All Rights Reserved 4
  • 6. Tradeoffs: Value versus Risk • Mobile applications can create tremendous value for organizations – New classes of applications utilizing mobile capabilities: GPS, camera, etc. – Innovating applications for employees and customers • Mobile devices and mobile applications can create tremendous risks – Sensitive data inevitably stored on the device (email, contacts) – Connect to a lot of untrusted networks (carrier, WiFi) • Most developers are not trained to develop secure applications – Fact of life, but slowing getting better • Most developers are new to creating mobile applications – Different platforms have different security characteristics and capabilities © Copyright 2011 Denim Group - All Rights Reserved 5
  • 7. Smart Phones, Dumb Apps • Lots of media focus on device and platform security – Important because successful attacks give tremendous attacker leverage • Most organizations: – Accept realities of device and platform security – Concerned about the security of their custom applications – Concerned about sensitive data on the device because of their apps – Concerned about network-available resources that support their apps • Who has mobile application deployed for customers? • Who has had mobile applications deployed without their knowledge? – *$!%$# marketing department… © Copyright 2011 Denim Group - All Rights Reserved 6
  • 8. Generic Mobile Application Threat Model © Copyright 2011 Denim Group - All Rights Reserved 7
  • 9. Some Assumptions for Developers • Smartphone applications are essentially thick-client applications – That people carry in their pockets – And drop in toilets – And put on eBay when the new iPhone comes out – And leave on airplanes – And so on… • Attackers will be able to access: – Target user (victim) devices – Your application binaries • What else should you assume they know or will find out? © Copyright 2011 Denim Group - All Rights Reserved 8
  • 10. Testing the Security of Mobile Applications • IMPORTANT: It is really the system as a whole you care about – Application plus… – 3rd party web services – Enterprise services – And so on • The most “interesting” weaknesses and vulnerabilities we find are in mobile applications’ interactions with supporting services • Mobile applications are different than web applications – Can’t just fire up an automated scanner and turn up a bunch of SQL injection and XSS vulnerabilities – Usually… © Copyright 2011 Denim Group - All Rights Reserved 9
  • 11. Testing the Security of Mobile Applications Type of Analysis Activities Static Analysis Source Code Source code scanning Manual source code review Binary Reverse engineering Dynamic Analysis Debugger execution Traffic capture via proxy Forensic Analysis File permission analysis File content analysis © Copyright 2011 Denim Group - All Rights Reserved 10
  • 12. Platform Background: Android • Linux-based operating system • Applications typically written in Java • Java compiled to DEX bytecode for the Dalvik virtual machine – Kind of like a Java virtual machine – Register-based rather than stack-based © Copyright 2011 Denim Group - All Rights Reserved 11
  • 13. Platform Background: • UNIX-based operating system • Applications written in Objective-C © Copyright 2011 Denim Group - All Rights Reserved 12
  • 14. Pandemobium Stock Trader Application • Android and iOS versions • Functionality – Log in – Track stock tips – Make stock trades – Get stock tips – Share stock tips • We will use as an example through the class © Copyright 2011 Denim Group - All Rights Reserved 13
  • 15. 2 – Data: In Motion and at Rest • Local Data Storage • Consuming 3rd Party Web Services • Mobile Applications and Enterprise Services © Copyright 2011 Denim Group - All Rights Reserved 14
  • 16. Local Data Storage • Overview • Identifying Potential Storage Issues • Encryption Best Practices © Copyright 2011 Denim Group - All Rights Reserved 15
  • 17. Local Data Storage Overview • If you store data on the device it can be captured – How you store the data can impact how easy this is – But at the end of the day it can be captured – So be careful what you store on the device. And be careful how you store it • But what if I encrypt the data? – Great idea. Where are you going to store the key? • This is an issue that gets a lot of media attention © Copyright 2011 Denim Group - All Rights Reserved 16
  • 18. Local Data Storage: Android • Files – Internal storage (file permissions enforced) – External storage (no file permissions enforced) • SQLite Databases • Shared Preferences • Web Cache © Copyright 2011 Denim Group - All Rights Reserved 17
  • 19. Android Data Storage • In Android, every application gets its own uid/gid – Clever use of the Linux security model – But external storage does not have permission enforcement • Default permissions are to be readable and writeable by the app only – Files – SQLite databases – Shared Permissions – Context.MODE_PRIVATE • But of course you can override this – Context.MODE_WORLD_READABLE – Context.MODE_WORLD_WRITEABLE © Copyright 2011 Denim Group - All Rights Reserved 18
  • 20. Local Data Storage: • Files • SQLite Databases • plist Files • Keychain • Web Cache © Copyright 2011 Denim Group - All Rights Reserved 19
  • 21. Android Static Analysis for Storage Issues • Android-specific functions for file handling: – Context.openFileOutput() – Context.openFileInput() – Context.getDir() • Android-specific functions for SQLite database handling: – Context.openOrCreateDatabase() – Context.getDatabasePath() – SQLiteDatabase.openDatabase() © Copyright 2011 Denim Group - All Rights Reserved 20
  • 22. Android Static Analysis for Storage Issues • Android-specific functions for Shared Preferences handling – Context.getSharedPreferences() • Android-specific functions for cache handling: – Context.getCacheDir() – Context.getExternalCacheDir() • Non-Android-specific functions – Anything else you would examine in Java – java.io and the like © Copyright 2011 Denim Group - All Rights Reserved 21
  • 23. Android Static Analysis for Storage Issues • File permissions: – MODE_PRIVATE – generally all right – MODE_WORLD_READABLE, MODE_WORLD_WRITEABLE – why? • What is being stored? • How is it being used? • World readable/writeable files can be manipulated by malicious applications © Copyright 2011 Denim Group - All Rights Reserved 22
  • 24. iOS Static Analysis for Storage Issues • NSFileManager class – NSFileProtectionKey attribute • NSFileProtectionNone – Always accessible • NSFileProtectionComplete – Encrypted on disk when device is locked or booting • UIApplicationProtectedDataWillBecomeUnavailable notification – Fired when application data is about to become unavailable – References to sensitive files should be dropped © Copyright 2011 Denim Group - All Rights Reserved 23
  • 25. Encryption Best Practices • Key management is a huge problem • If encrypted data and the key are stored on the device… • Android Encryption – Access to javax.crypto libraries – Open source options like Bouncy Castle • iOS Encryption – Access to common crypto algorithms – Keychain available for encrypted storage © Copyright 2011 Denim Group - All Rights Reserved 24
  • 26. iOS Keychain • Allows you to store key/value pairs using iOS protections • Default: only visible to “owning” application • Possible values for kSecAttrAccessible: – kSecAttrAccessibleWhenUnlocked – kSecAttrAccessibleAfterFirstUnlock – kSecAttrAccessibleAlways – kSecAttrAccessibleWhenUnlockedThisDeviceOnly – kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly – kSecAttrAccessibleAlwaysThisDeviceOnly • But… – Clever German researchers found out how to dump non-PIN protected data – And clever Russian researchers found out how to brute-force the PIN – Do not store sensitive data on the device © Copyright 2011 Denim Group - All Rights Reserved 25
  • 27. Consuming 3rd Party Web Services • Overview • Identifying Services In Use • Data Communications and Handling Best Practices © Copyright 2011 Denim Group - All Rights Reserved 26
  • 28. Overview of Consuming 3rd Party Web Services • Interesting apps need to talk to stuff – And most of that stuff you should not trust • These are untrusted inputs – Positively validate them before use • You do not control what they do with the data – Be careful what you send © Copyright 2011 Denim Group - All Rights Reserved 27
  • 29. Identifying Services In Use • Look for URL connections • Look for network connections • Look for web controls © Copyright 2011 Denim Group - All Rights Reserved 28
  • 30. Data Communications and Handling Best Practices • Remember: Mobile devices can talk on lots of different networks • So use SSL – Can not observe or change traffic – DNS concerns • And force it to be used correctly – With valid certificates • Be careful of caching © Copyright 2011 Denim Group - All Rights Reserved 29
  • 31. Android Network Connections • Android-specific classes: – android.net.* – android.net.SSLCertificateFactory • Make sure server validation has not been turned off • Java platform classes: – java.net.URLConnection – java.net.URL – And so on… © Copyright 2011 Denim Group - All Rights Reserved 30
  • 32. Android Network Connections • Included Apache classes: – org.apache.http.HttpClient – org.apache.http.HttpPost – org.apache.http.Response • WebView component – Include HTML content in web applications © Copyright 2011 Denim Group - All Rights Reserved 31
  • 33. iOS Network Connections • CFStream – kCFStreamPropertyShouldCloseNativeSocket – kCFStreamPropertySocketSecurityLevel – kCFStreamPropertySOCKSProxy – kCFStreamPropertySSLPeerCertificates – kCFStreamPropertySSLPeerTrust – kCFStreamPropertySSLSettings • CFHost • NSStream • NSHost • NSURLDownload • NSURL • UIWebView © Copyright 2011 Denim Group - All Rights Reserved 32
  • 34. What to do With 3rd Party Services? • Largest concern is how they impact YOUR security – Validate all input – Be careful how your logic treats the data – Be careful what you send © Copyright 2011 Denim Group - All Rights Reserved 33
  • 35. Overview of Mobile Applications and Enterprise Services • If you were a bad guy, would you rather have – The data on one device – All the data on the server – I guess it depends on how advanced and persistent you are… • These provide a great window into your organization – Client data – Transaction data – And so on… • The most serious vulnerabilities we find in assessments deal with apps’ interactions with enterprise services © Copyright 2011 Denim Group - All Rights Reserved 34
  • 36. 3 – Other Dangerous Inputs • Mobile Browser Content Handling © Copyright 2011 Denim Group - All Rights Reserved 35
  • 37. Mobile Browser Content Handling • Identifying Mobile Browser Content Handlers • Testing the Security of Content Handlers © Copyright 2011 Denim Group - All Rights Reserved 36
  • 38. Android: Identifying Content Handlers • Look in AndroidManifest.xml • Look for <intent-filter> tags: <intent-filter> <action android:name="android.intent.action.VIEW" /> <category android:name="android.intent.category.DEFAULT" /> <category android:name="android.intent.category.BROWSABLE" /> <data android:scheme=“the_scheme" /> </intent-filter> • But what apps export intents? – http://www.openintents.org/ © Copyright 2011 Denim Group - All Rights Reserved 37
  • 39. iOS: Identifying Content Handlers • Look in Info.plist • Look for <key>CFBundleURLSchemes</key> <array> <dict> <key>CFBundleURLSchemes</key> <array> <string>the_scheme</string> </array> </dict> </array> • But what apps handle custom schemes? – http://handleopenurl.com/ © Copyright 2011 Denim Group - All Rights Reserved 38
  • 40. Testing the Security of Content Handlers • How to reach them? – Get a user to click: <a href=“the_scheme://stuff?param=value” /> – Get a user to visit a malicious web page: <iframe src=“the_scheme://stuff?param=value” /> • Approaches: – Fuzzing – Targeted attacks © Copyright 2011 Denim Group - All Rights Reserved 39
  • 41. Implementing Secure Content Handlers • This is remotely-accessible attack surface • Ask yourself: Do you really need to expose this attack surface? • Of course you do, think of how cool this will be… • Treat that as any untrusted input – Positive validation – Design logic accordingly © Copyright 2011 Denim Group - All Rights Reserved 40
  • 42. Where Does Tainted Data Come From? • Android: – Activity.getIntent().getData() • iOS: – handleOpenURL() – Now deprecated – openURL() – New method – complete w/ naming conflict © Copyright 2011 Denim Group - All Rights Reserved 41
  • 43. Interlude: SQL Injection for Mobile Applications • iOS and Android both provide built-in access to SQLite databases • Validate input and properly encode it before including it in SQL queries • Android – query(), rawQuery() – Be careful – compileStatement() – Better, but still be careful • iOS – sqlite3_exec() – Be careful – sqlite3_prepare_v2() – Better, but still be careful – iOS SQLite has such an elegant syntax, doesn’t it? © Copyright 2011 Denim Group - All Rights Reserved 42
  • 44. But How Bad is SQL Injection in Mobile Apps? • Probably not as bad as SQL injection for web applications – Probably • Remember DREAD: – Damage Potential – Reproducibility – Exploitability – Affected Users – Discoverability © Copyright 2011 Denim Group - All Rights Reserved 43
  • 45. 4 – Platform-Specific Concerns • Secure Coding Practices for the iOS Platform – Buffer overflows and format strings – Everything old is new again – Objective-C is a superset of “actual” C – enjoy © Copyright 2011 Denim Group - All Rights Reserved 44
  • 46. Let’s Take Apart Some Apps: Android • Example of static • axml2xml.pl – http://code.google.com/p/android-random/downloads/detail?name=axml2xml.pl binary analysis • dedexer – http://dedexer.sourceforge.net/ • Application structure • dex2jar – AndroidManifest.xml – http://code.google.com/p/dex2jar/ – assets/ • JD-GUI – res/ – http://java.decompiler.free.fr/ – classes.dex • SQLite Browser – http://java.decompiler.free.fr/ © Copyright 2011 Denim Group - All Rights Reserved 45
  • 47. Other Materials • www.smartphonesdumbapps.com – Denim Group presentations, slides and code for mobile application security • http://software-security.sans.org/downloads/appsec-2011- files/dhanjani-hacking-securing-next-gen.pdf - SANS APPSEC SUMMIT 2011 presentation from Nitesh Dhanjani and Sean Pennline • http://www.slideshare.net/SOURCEConference/david-thiel-secure- development-on-ios - SOURCE Boston 2011 presentation from David Thiel from iSecPartners • McAfee mobile pen testing guidelines: – http://www.mcafee.com/us/resources/white-papers/foundstone/wp-pen-testing- iphone-ipad-apps.pdf – http://www.mcafee.com/us/resources/white-papers/foundstone/wp-pen-testing- android-apps.pdf © Copyright 2011 Denim Group - All Rights Reserved 46
  • 48. 5 – Conclusions and Questions Dan Cornell dan@denimgroup.com @danielcornell www.denimgroup.com www.smartphonesdumbapps.com (210) 572-4400 © Copyright 2011 Denim Group - All Rights Reserved 47