IM IN UR CODEZ
Securing Mobile Apps

Sunday, 2 October 11

Hello!

My name’s Nick.
I work for Mobile Interactive Group
We’re going to talk about app security
...also cats

What this session is about...

Mobile application security
Developing apps defensively

...and what it’s not about

User-based vulnerabilities (tap-jacking, etc)
Mobile web security

Mobile Apps
Mobile Web

Hardcoded passwords
SQL injection
In-app XSS
Insecure Data Transmission
Buffer overflows
Storing user data
Data leakage
API impersonation
Remote code execution

Web & Apps have similar problems...
...they just appear in different places

A fact (or two)

Your app will be reverse engineered
It’s only a matter of time
Obfuscation is not a be-all/end-all

You might think (comparatively) that your mobile platform is not compromised...

...but how many rooted/jailbroken phones are out there?

Assume your platform is compromised, and your app will be reverse engineered

You must therefore strongly protect your APIs and supporting application servers

Let’s look at three of the most common issues with apps

Two of these relate to API/server issues

...but first...

We’re all pretty smart developers
(...hopefully!)

The chasm of misfortune

Your Goals                                    Your App

We are all cats - we have good intentions...
...and sometimes can’t foresee the consequences

Your Goals            Your App
Remembering Users     Storing credentials insecurely    Banking App
Using an API          Not using SSL                     Blogging App
Uploading Content     Hardcoding your API keys          UGC App (?)

Keys and Secrets

“API keys must be protected just like passwords. This means they should not be [...] baked into non-obfuscated applications that can be analysed relatively easily”
Cloud Security Alliance, April 18 2011

(...assume this means all mobile apps)

1 Keys and Secrets 2 leaking information 3 storing details

Demo time

Major paid-for API
About 1,000,000 downloads
...let’s take a look!

Demo time

User: iPhone
Password: PnkFdrYRh75N

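The demo above works because the credentials sit in the binary as plain strings. As an added example (not from the talk), here is a pre-release check a build pipeline can run over the packaged app to catch exactly that: it pulls printable strings out of the file and flags labelled secrets, AWS-shaped key ids and random-looking tokens. SAMPLE_BINARY is constructed; the only real-looking values in it are the demo password from the slide and AWS's documented placeholder access key id.

```python
"""Pre-release check: scan a built app for strings that look like baked-in
secrets, the class of problem shown in the demo slides.

Added example, not from the talk. SAMPLE_BINARY is constructed; the only
real-looking values in it are the demo password from the slide and AWS's
documented placeholder access key id."""
import math
import re
import string
from typing import List, Tuple

PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")
MIN_LEN = 8

# A label that usually sits right in front of a baked-in secret.
KEY_LABEL = re.compile(
    r"(?i)\b(password|passwd|secret|api[_-]?key|access[_-]?key|token)\b\s*[:=]\s*(\S+)"
)
# AWS access key ids are "AKIA" followed by 16 upper-case letters or digits.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Shape of a standalone opaque token: letters/digits/_/- only, no spaces.
TOKEN_SHAPE = re.compile(r"[A-Za-z0-9_\-]{8,}")

# Constructed stand-in for an app binary.
SAMPLE_BINARY = (
    b"\x7fELF\x00\x00\x00\x01"                     # fake header bytes
    b"UIApplicationDelegate\x00"                   # ordinary class name
    b"https://api.example.invalid/v1/\x00"         # ordinary URL
    b"User: iPhone\x00Password: PnkFdrYRh75N\x00"  # the credentials shown in the demo
    b"AKIAIOSFODNN7EXAMPLE\x00"                    # AWS documentation placeholder key id
    b"Loading, please wait...\x00"
)


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Like the `strings` tool: runs of printable ASCII at least min_len long."""
    out: List[str] = []
    cur: List[str] = []
    for b in blob:
        ch = chr(b)
        if ch in PRINTABLE:
            cur.append(ch)
        else:
            if len(cur) >= min_len:
                out.append("".join(cur))
            cur = []
    if len(cur) >= min_len:
        out.append("".join(cur))
    return out


def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score high, words and identifiers low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secret_candidates(blob: bytes, entropy_threshold: float = 3.5) -> List[Tuple[str, str]]:
    """Return (reason, value) pairs for strings that deserve a human look."""
    hits: List[Tuple[str, str]] = []
    for s in extract_strings(blob):
        label = KEY_LABEL.search(s)
        if label:
            hits.append(("labelled secret", label.group(2)))
            continue
        aws = AWS_KEY_ID.search(s)
        if aws:
            hits.append(("aws access key id", aws.group(0)))
            continue
        # Random-looking standalone token: right shape, mixes letters and
        # digits (plain identifiers rarely do), and high entropy.
        if (TOKEN_SHAPE.fullmatch(s) and re.search(r"[A-Za-z]", s)
                and re.search(r"[0-9]", s) and shannon_entropy(s) >= entropy_threshold):
            hits.append(("high-entropy token", s))
    return hits


if __name__ == "__main__":
    for reason, value in find_secret_candidates(SAMPLE_BINARY):
        print(f"{reason:20} {value}")
```

Treat any hit as a build failure to investigate, not as proof of a leak; the point of the slide stands regardless: whatever survives into the binary can be read out.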
Consequences

The bad
  A competing app uses your API key to exceed your rate limits
  Your users get frustrated and leave

The ugly
  Somebody pulls your S3 secret key and charges £££ to your account

This API is now compromised

I can use it in my own apps without paying the license fee

Because it’s hard-coded in the app it can’t be revoked

Prevention

Use an alternative method to authenticate
  Facebook, Amazon, and other large providers provide these

Don’t trust key verification
  If you have an API that uses a key, don’t assume you can trust the user

Think permissions
  If you do have to use keys, limit the damage that can be done with them

Have a plan
  ...think about the inevitable. What happens if your API is outed?

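One way to build the three API-side points of this slide into the server, as an added example that is not from the talk: each install gets its own opaque token carrying only the scopes it needs, rate limits apply per token rather than per app, and a leaked token can be revoked on its own. The static shared key the demo found is kept alongside for contrast. The scope names, the token service and STATIC_APP_KEY are assumptions.

```python
"""Server side of the 'Prevention' slide: per-install tokens with limited
scopes, per-install rate limits and individual revocation, next to the
static shared key that the demo pulled out of the app.

Added example, not from the talk; scope names, the token service and
STATIC_APP_KEY are assumed."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# The pattern the demo found: one key baked into every copy of the app (constructed value).
STATIC_APP_KEY = "constructed-static-key-shipped-in-every-install"


def legacy_static_key_check(presented_key: str) -> bool:
    """Anyone who extracts the key passes. Revoking it means shipping a new
    build and breaking every install that has not updated, and the server
    cannot tell one caller from another, so there are no per-caller limits."""
    return secrets.compare_digest(presented_key, STATIC_APP_KEY)


@dataclass
class TokenRecord:
    install_id: str
    scopes: Set[str]
    expires_at: float
    revoked: bool = False
    requests_in_window: int = 0


class TokenService:
    """Issues an opaque random token per install; all state stays on the server."""

    def __init__(self, rate_limit: int = 100) -> None:
        self.records: Dict[str, TokenRecord] = {}
        self.rate_limit = rate_limit  # per token, not per app

    def issue(self, install_id: str, scopes: Iterable[str],
              ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
        """'Think permissions': a fresh token with only the scopes this install needs."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.records[token] = TokenRecord(install_id, set(scopes), now + ttl_seconds)
        return token

    def revoke_install(self, install_id: str) -> int:
        """'Have a plan': cut off one leaked install without touching the others."""
        count = 0
        for rec in self.records.values():
            if rec.install_id == install_id and not rec.revoked:
                rec.revoked = True
                count += 1
        return count

    def authorize(self, token: str, scope: str,
                  now: Optional[float] = None) -> Tuple[bool, str]:
        """'Don't trust key verification': holding a token is necessary but not
        sufficient; it must be live, in scope and under its own quota."""
        now = time.time() if now is None else now
        rec = self.records.get(token)
        if rec is None:
            return False, "unknown token"
        if rec.revoked:
            return False, "revoked"
        if now > rec.expires_at:
            return False, "expired"
        if scope not in rec.scopes:
            return False, "scope not granted"
        rec.requests_in_window += 1
        if rec.requests_in_window > self.rate_limit:
            # A stolen token burns only its own quota, not the whole app's.
            return False, "rate limited"
        return True, "ok"


if __name__ == "__main__":
    svc = TokenService(rate_limit=3)
    tok = svc.issue("install-A", ["read:feed"])
    print(svc.authorize(tok, "read:feed"))   # (True, 'ok')
    print(svc.authorize(tok, "write:post"))  # (False, 'scope not granted')
    svc.revoke_install("install-A")
    print(svc.authorize(tok, "read:feed"))   # (False, 'revoked')
```

How an install proves itself to obtain a token in the first place (the platform sign-in providers the slide mentions, or a server-side account) is outside this sketch; the point is that whatever leaks from one device is scoped, limited and revocable.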
Leaking Information

This shouldn’t need a slide

If you’re sending passwords in the clear, leave the room

...no, wait - come back! I forgive you!

People share passwords. All the time.
My Tumblr password might be my Facebook password

Specific shaming:

...but not the app!

“But Nick, everyone knows SSL/TLS is totally broken!”
“It’s the user’s fault for connecting to an insecure network”
“It’s too much effort / time-consuming to implement”
“My app isn’t important enough for this to be a problem”

Not using TLS is like leaving your house unlocked

Nobody is saying locks are going to stop you from getting burgled...
...but not locking your door is stupid.

Storing Details

Very popular!

Username and password in plain text!

According to ViaForensics, June 2011

Obvious information
  Passwords, usernames
  Account numbers, etc

Overlooked information
  Location information
  Personal information (date of birth, address,

Consequences

The bad
  You get some bad PR
  People laugh at you as you walk down the street

The ugly
  You store passwords or account information unencrypted
  This compromises your app, and users’ information is leaked
  You are fined by the ICO

In Summary

...we’re all smart developers...
(remember this bit? from earlier on?)

...but so are the...
Bank of America, Citibank, National Rail Enquiries, Tumblr, AOL, Bump, Flirtomatic, Foursquare, Groupon, LinkedIn, Mint, Skype, Wells Fargo, WordPress, Match.com, Yahoo! Messenger, and many many more...
...developers.

Nobody is perfect, no app is truly secure
(including me!)

Remember the cat*

*unlike the cat, your app will not survive a fall from height

Thanks :)

nick.shearer@migcan.com
(I don’t tweet - booo!)

Slides will be available on the OTA site soon!

Mobile Apps Security: OTA11

  • 1. IM IN UR CODEZ Securing Mobile Apps Sunday, 2 October 11
  • 2. Hello! My name’s Nick. I work for Mobile Interactive Group We’re going to talk about app security ...also cats Sunday, 2 October 11
  • 3. What this session is about... Mobile application security Developing apps defensively ...and what it’s not about User-based vulnerabilities (tap-jacking, etc) Mobile web security Sunday, 2 October 11
  • 4. Mobile Apps Mobile Web Sunday, 2 October 11
  • 5. Hardcoded passwords SQL injection In-app XSS Insecure Data Transmission Buffer overflows Storing user data Data leakage API impersonation Remote code execution Sunday, 2 October 11
  • 6. Web & Apps have similar problems... ...they just appear in different places Sunday, 2 October 11
  • 7. A fact (or two) Your app will be reverse engineered It’s only a matter of time Obfuscation is not a be-all/end-all Sunday, 2 October 11
  • 8. You might think (comparatively) that your mobile platform is not compromised... ...but how many rooted/jailbreaked phones are out there? Assume your platform is compromised, and your app will be reverse engineered Sunday, 2 October 11
  • 9. You must therefore strongly protect your APIs and supporting application servers Let’s look at three of the most common issues with apps Two of these relate to API/server issues Sunday, 2 October 11
  • 11. We’re all pretty smart developers (...hopefully!) Sunday, 2 October 11
  • 12. The chasm of misfortune Your Goals Your App We are all cats - we have good intentions... ...and sometimes can’t foresee the consequences Sunday, 2 October 11
  • 13. Your Goals Your App Remembering Storing credentials insecurely Banking App Users Not using SSL Using an API Blogging App Uploading Hardcoding your API keys Content ? UCG App Sunday, 2 October 11
  • 14. Keys and Secrets
  • 15. “API keys must be protected just like passwords. This means they should not be [...] baked into non-obfuscated applications that can be analysed relatively easily” - Cloud Security Alliance, April 18 2011 (...assume this means all mobile apps). 1 Keys and Secrets 2 leaking information 3 storing details
  • 16. Demo time. Major paid-for API, about 1,000,000 downloads ...let’s take a look!
  • 17. Demo time. User: iPhone Password: PnkFdrYRh75N
  • 18. Consequences. The bad: a competing app uses your API key to exceed your rate limits; your users get frustrated and leave. The ugly: somebody pulls your S3 secret key and charges £££ to your account.
  • 19. This API is now compromised. I can use it in my own apps without paying the license fee. Because it’s hard-coded in the app it can’t be revoked.
  • 21. Prevention. Use an alternative method to authenticate: Facebook, Amazon, and other large providers provide these. Don’t trust key verification: if you have an API that uses a key, don’t assume you can trust the user. Think permissions: if you do have to use keys, limit the damage that can be done with them. Have a plan: ...think about the inevitable. What happens if your API is outed?
  • 23. This shouldn’t need a slide. If you’re sending passwords in the clear, leave the room ...no, wait - come back! I forgive you! People share passwords. All the time. My Tumblr password might be my Facebook password. 1 keys and secrets 2 Leaking Information 3 storing details
  • 24. Specific shaming: ...but not the app!
  • 25. “But Nick, everyone knows SSL/TLS is totally broken!” “It’s the user’s fault for connecting to an insecure network.” “It’s too much effort / time-consuming to implement.” “My app isn’t important enough for this to be a problem.”
  • 26. Not using TLS is like leaving your house unlocked. Nobody is saying locks are going to stop you from getting burgled... ...but not locking your door is stupid.
  • 28. Very popular! Username and password in plain text! According to ViaForensics, June 2011. 1 keys and secrets 2 leaking information 3 Storing Details
  • 29. Obvious information: passwords, usernames, account numbers, etc. Overlooked information: location information, personal information (date of birth, address,
  • 30. Consequences. The bad: you get some bad PR; people laugh at you as you walk down the street. The ugly: you store passwords or account information unencrypted; this compromises your app, and users’ information is leaked; you are fined by the ICO.
  • 31. In summary ...we’re all smart developers... (remember this bit? from earlier on?)
  • 32. ...but so are the... Bank of America, Citibank, National Rail Enquiries, Tumblr, AOL, Bump, Flirtomatic, Foursquare, Groupon, LinkedIn, Mint, Skype, Wells Fargo, WordPress, Match.com, Yahoo! Messenger, and many many more... ...developers. Nobody is perfect, no app is truly secure (including me!)
  • 33. Remember the cat* (*unlike the cat, your app will not survive a fall from height)
  • 34. Thanks :) nick.shearer@migcan.com (I don’t tweet - booo!) Slides will be available on the OTA site soon!
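Slides 18 to 21 make the point that a key hard-coded in the binary can be pulled out by anyone and cannot be revoked without breaking every installed copy. The following is an added example, not code from the talk or from any provider named in it: it puts the anti-pattern (one static key shipped inside the app, recovered with a `strings`-style scan) next to the fix the prevention slide points at (the user authenticates once, the server hands that install its own scoped, short-lived token, and one leaked install can be revoked on its own). The key string, the fake "binary", the user record and the scope names are all constructed for the example.

```python
"""
Added example for slide 21 (not the talk's own code, nor any real provider's
API): a static key baked into every copy of an app, next to per-install
tokens that the server scopes, expires and can revoke one at a time.
The key, the 'binary' blob and the user record are constructed.
"""
import hashlib
import hmac
import os
import re
import secrets
import time

# --- the anti-pattern: one long-lived key shipped inside the binary ---------

STATIC_API_KEY = "sk_live_CONSTRUCTED_example_key"   # hypothetical key


def fake_app_binary() -> bytes:
    """Stand-in for the compiled app: junk bytes with the key embedded."""
    return (b"\x7fELF\x01\x01junk\x00\x00" + b"api_key=" + STATIC_API_KEY.encode()
            + b"\x00\xff\xfe more code")


def strings(blob: bytes, min_len: int = 8) -> list:
    """What `strings` on the binary shows: printable runs of min_len+ bytes."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def extract_key(blob: bytes) -> str:
    """First thing an attacker does: look for anything that resembles a key."""
    for s in strings(blob):
        if s.startswith("api_key="):
            return s.split("=", 1)[1]
    raise LookupError("no key found")


class StaticKeyApi:
    """The server can only ask 'is this the key?'; it cannot tell copies apart."""

    def __init__(self, key: str):
        self._key = key.encode()

    def call(self, presented_key: str, action: str) -> bool:
        return hmac.compare_digest(presented_key.encode(), self._key)


# --- the fix: per-install, scoped, short-lived, revocable tokens -------------

class TokenApi:
    def __init__(self, ttl_seconds: int = 600):
        self.ttl = ttl_seconds
        self._tokens = {}   # sha256(token) -> record; the raw token is never stored
        salt = os.urandom(16)   # constructed user: PBKDF2 hash, not the password
        self._users = {"alice": (salt, self._pw_hash("correct horse", salt))}

    @staticmethod
    def _pw_hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, install_id: str, username: str, password: str, scopes, now=None):
        """Authenticate the user once, then hand this install its own token."""
        now = time.time() if now is None else now
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, expected = rec
        if not hmac.compare_digest(self._pw_hash(password, salt), expected):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = {
            "install": install_id, "user": username, "scopes": frozenset(scopes),
            "expires": now + self.ttl, "revoked": False,
        }
        return token

    def call(self, token: str, action: str, now=None) -> bool:
        """Every request is checked for existence, revocation, expiry and scope."""
        now = time.time() if now is None else now
        rec = self._tokens.get(self._digest(token))
        if rec is None or rec["revoked"] or now >= rec["expires"]:
            return False
        return action in rec["scopes"]

    def revoke_install(self, install_id: str) -> int:
        """Kill one leaked install's tokens without touching anyone else's."""
        n = 0
        for rec in self._tokens.values():
            if rec["install"] == install_id and not rec["revoked"]:
                rec["revoked"] = True
                n += 1
        return n


if __name__ == "__main__":
    leaked = extract_key(fake_app_binary())
    print("pulled from binary:", leaked, "works:", StaticKeyApi(STATIC_API_KEY).call(leaked, "write"))
    api = TokenApi()
    t = api.login("install-A", "alice", "correct horse", ["read"])
    print("scoped token read/write:", api.call(t, "read"), api.call(t, "write"))
    print("revoked:", api.revoke_install("install-A"), "still works:", api.call(t, "read"))
```

The static key works for whoever extracts it and the server cannot distinguish the real app from a clone. The token design keeps the credential check on the server, stores only a hash of each token, limits what a token may do (the "think permissions" point), expires it, and lets you revoke a single install when it is abused, which is the "have a plan" part.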
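Slides 23 to 26 argue that sending passwords in the clear is indefensible and answer the usual excuses for skipping TLS. As an added example that is not part of the talk, the block below shows the two checks a reviewer runs for this: what an on-path observer recovers from one cleartext login request (Basic auth is base64, an encoding rather than encryption, and form fields are simply readable), and whether a client's TLS configuration actually verifies the server, since the common "fix" for a certificate error is to disable verification, which is barely better than no TLS at all. The captured request, the host name and the credentials in it are constructed for the example.

```python
"""
Added example for slides 23-26 (not the talk's own code). Two things a reviewer
checks for the "leaking information" problem:
  1. what an on-path observer recovers from a cleartext HTTP login, and
  2. whether the client's TLS settings actually verify the server, since the
     usual 'fix' for a certificate error is to switch verification off.
The captured request, host name and credentials are constructed.
"""
import base64
import ssl
from urllib.parse import parse_qs

# A login request as a sniffer on the same Wi-Fi would see it (constructed).
CAPTURED_LOGIN = (
    b"POST /api/login HTTP/1.1\r\n"
    b"Host: api.example.invalid\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"username=alice&password=hunter2&remember=1"
)


def credentials_on_the_wire(raw: bytes) -> dict:
    """Pull every credential out of one cleartext HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    found = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, blob = value.strip().partition(" ")
        if scheme.lower() == "basic":   # base64 is reversible, not secret
            user, _, pw = base64.b64decode(blob).decode("latin-1").partition(":")
            found["basic_auth"] = (user, pw)
    form = parse_qs(body.decode("latin-1"))
    if "username" in form:
        found["form_username"] = form["username"][0]
    for key in ("password", "passwd", "pass", "pwd"):
        if key in form:
            found["form_password"] = form[key][0]
            break
    return found


def insecure_client_context() -> ssl.SSLContext:
    """The 'make the certificate warning go away' pattern: any cert, any name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_client_context() -> ssl.SSLContext:
    """System CA bundle, certificate required, hostname checked, TLS 1.2+."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_weaknesses(ctx: ssl.SSLContext) -> list:
    """List what an attacker on the network could exploit in this client setup."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate not verified")
    if not ctx.check_hostname:
        problems.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("accepts TLS below 1.2")
    return problems


if __name__ == "__main__":
    print("on the wire:", credentials_on_the_wire(CAPTURED_LOGIN))
    print("insecure ctx:", tls_weaknesses(insecure_client_context()))
    print("secure ctx:", tls_weaknesses(secure_client_context()))
```

With verification off, an attacker on the network can present any certificate and read the "encrypted" traffic just as easily as the cleartext capture above, so the check on the context matters as much as the check for `https://` in the URL.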
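Slides 28 to 30 are about apps that keep usernames and passwords on the device in plain text. The quickest way to find this in your own app is the method forensic reviewers use: log in with a known test password, copy the app's sandbox off a rooted or jailbroken device (or out of a backup), and search every file for that password, reading SQLite databases by table and column rather than as opaque blobs. The block below is an added example, not code from the talk and not viaForensics' tooling; the sandbox it builds (a plist, a SQLite "remember me" table and an opaque session token file, laid out like an iOS app's data directory) is constructed so the check runs offline.

```python
"""
Added example for slides 28-30 (not the talk's code and not viaForensics'
tool): log in to the app with a known test password, copy its sandbox off the
device or out of a backup, then search every file for that password, reading
SQLite databases by table and column. The sandbox built here is constructed so
the example runs offline; the file names imitate an iOS app's layout.
"""
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"


def build_sample_sandbox(root: str, password: str) -> None:
    """A careless app's data directory (constructed)."""
    prefs = os.path.join(root, "Library", "Preferences")
    docs = os.path.join(root, "Documents")
    os.makedirs(prefs)
    os.makedirs(docs)
    # NSUserDefaults-style plist with the credential in it
    with open(os.path.join(prefs, "com.example.bank.plist"), "w") as f:
        f.write("<plist><dict><key>username</key><string>alice</string>"
                f"<key>password</key><string>{password}</string></dict></plist>")
    # SQLite 'remember me' table with the same credential
    con = sqlite3.connect(os.path.join(docs, "accounts.db"))
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice', ?)", (password,))
    con.commit()
    con.close()
    # what the app should store instead: an opaque, revocable session token
    with open(os.path.join(docs, "session.token"), "w") as f:
        f.write("3c9e1f0b-constructed-opaque-token\n")


def _sqlite_hits(path: str, secret: str) -> list:
    """Return table.column for every text cell containing the secret."""
    hits = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cur = con.execute('SELECT * FROM "%s"' % table.replace('"', '""'))
            cols = [d[0] for d in cur.description]
            for row in cur:
                for col, val in zip(cols, row):
                    if isinstance(val, str) and secret in val:
                        hits.append(f"{table}.{col}")
    finally:
        con.close()
    return hits


def find_plaintext_secret(root: str, secret: str) -> list:
    """Walk the sandbox; report every file (or table.column) holding the secret."""
    findings = []
    needles = (secret.encode("utf-8"), secret.encode("utf-16-le"))
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as f:
                data = f.read()
            if data.startswith(SQLITE_MAGIC):
                findings += [f"{rel}:{h}" for h in _sqlite_hits(path, secret)]
            elif any(n in data for n in needles):
                findings.append(rel)
    # Caveat: a password with XML/URL special characters is stored escaped
    # ('&' as '&amp;', ' ' as '%20'), so search for the encoded forms too.
    return sorted(findings)


def demo(password: str = "Tr0ub4dor-3") -> list:
    """Build the constructed sandbox in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_sandbox(root, password)
        return find_plaintext_secret(root, password)


if __name__ == "__main__":
    for hit in demo():
        print("plaintext credential in", hit)
```

Run against a real sandbox, point `find_plaintext_secret` at the copied directory and pass the test password you logged in with; anything it reports is data the app should not have persisted, and the fix is to keep a server-issued token instead of the password, or, where a secret really must live on the device, to put it in the platform keychain or keystore rather than in preferences or a database.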