Android 8 “Oreo” & iOS 11 security updates:
What you need to know
8X FASTER
3X DEEPER
MOST TRUSTED
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
NowSecure #MobSec5
Weekly mobile security news update
SUBSCRIBE NOW:
www.nowsecure.com/go/subscribe
AGENDA + SPEAKERS
Android 8 (“Oreo”)
▪ Google Play Protect
▪ App permissions changes
▪ WebViews security enhancements
▪ Other Android 8 security quick hits
iOS 11 - available Sept. 19
▪ Password AutoFill
▪ FileProvider
▪ New barriers to unlocking phones
▪ Other iOS 11 security quick hits
Tony Ramirez
Mobile Security Analyst
Michael Krueger
Mobile Security Analyst
Android 8 “Oreo”
Security Highlights
Google Play Protect
Malware scanning
▪ Scans and reports on apps on the device
▪ Will also scan unknown/side-loaded apps
SafetyNet Verify Apps API
▪ An app can query the apps on a device prior to executing
▪ And refuse to run if a known malicious app is found
Noteworthy app permissions changes
Install unknown apps (side-loaded apps)
▪ Replaces “Allow unknown sources”
▪ Required for sources other than trusted stores
▪ Defense against “hostile downloaders”
TYPE_APPLICATION_OVERLAY
▪ Stops apps from overlaying critical windows
▪ Fights against overlay malware
More granular granting of app permissions
▪ Entire permission groups no longer granted
▪ Subsequent requests for additional permissions within the same group are granted automatically
[Figure: Example unknown app alert]
WebView security enhancements
Multi Process mode
▪ Isolates WebView from app
▪ Prevents malicious content from accessing the app
▪ Good for security, but won’t fix every issue
Safe Browsing API
▪ Protection against known bad websites
▪ WebViews are easy to re-direct and use for executing phishing attacks
[Figure: Example Safe Browsing alert]
Other Android 8 Security Quick Hits
PROJECT TREBLE
▪ Creates a vendor interface in Android
▪ Makes the OS more modular
▪ Purpose is to make OEM updates faster & easier
▪ Hardware Abstraction Layers (HALs) limit media framework access to the kernel
NETWORK SECURITY
▪ HttpsURLConnection will not fall back to insecure versions of SSL/TLS
▪ Drops support for SSLv3
OS DOWNGRADE PROTECTION
▪ Prevents downgrading a device to a more vulnerable version of Android
DEVELOPER OPTIONS - PASSWORD
▪ Now requires the device password for access
▪ Privileged access (e.g., debug mode, bootloader, developer tools)
SECCOMP FILTER
▪ Secure Computing (seccomp) filter applied to all apps
▪ System calls can expose the kernel to attack
iOS 11
Security Highlights
Password AutoFill
Features
▪ Existing iCloud Keychain & Safari AutoFill passwords available on the QuickType bar within apps
▪ Button on right authenticates with TouchID
Security
▪ Only presents credentials associated with the app
▪ Website associations stored in app entitlements
▪ The apple-app-site-association JSON file on the server side points to the allowed apps
[Figure: Example password autofill implementation]
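As an added example (not NowSecure's code and not Apple's), a small Python checker that models the two-sided association Password AutoFill relies on: the app's associated-domains entitlement must claim `webcredentials:<domain>`, and the apple-app-site-association (AASA) file served by that domain must list the app's `TEAMID.bundle-id` under `webcredentials.apps`. The team id, bundle ids and domain are constructed placeholders, and the `AasaError`, `parse_webcredentials` and `autofill_allowed` names are this example's own.

```python
import json
import re
from dataclasses import dataclass, field

# Apple's documented app-id form for AASA entries: <TEAMID>.<bundle identifier>
APP_ID_RE = re.compile(r"^[A-Z0-9]{10}\.[A-Za-z0-9][A-Za-z0-9.\-]*$")
WEBCRED_PREFIX = "webcredentials:"


class AasaError(ValueError):
    """Raised when the server-side file cannot be trusted at all."""


@dataclass
class WebCredentialsPolicy:
    domain: str
    apps: set = field(default_factory=set)        # app ids allowed to autofill
    rejected: list = field(default_factory=list)  # malformed entries, for logging


def parse_webcredentials(domain: str, raw: bytes) -> WebCredentialsPolicy:
    """Parse the AASA body served by `domain` and collect the app ids it
    authorises for Password AutoFill. Malformed app ids are dropped and
    reported rather than accepted, so a typo cannot widen the policy."""
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise AasaError(f"{domain}: AASA is not valid UTF-8 JSON: {exc}") from exc
    if not isinstance(doc, dict):
        raise AasaError(f"{domain}: AASA top level must be a JSON object")
    policy = WebCredentialsPolicy(domain=domain.lower())
    section = doc.get("webcredentials")
    if section is None:
        return policy  # no webcredentials service: nothing is authorised
    apps = section.get("apps") if isinstance(section, dict) else None
    if not isinstance(apps, list):
        raise AasaError(f"{domain}: webcredentials.apps must be a list")
    for entry in apps:
        if isinstance(entry, str) and APP_ID_RE.match(entry):
            policy.apps.add(entry)
        else:
            policy.rejected.append(entry)
    return policy


def app_claims_domain(entitlements, domain: str) -> bool:
    """App side: the associated-domains entitlement must carry
    `webcredentials:<domain>` (exact, case-insensitive host match)."""
    wanted = domain.lower()
    for ent in entitlements:
        if ent.lower().startswith(WEBCRED_PREFIX):
            if ent[len(WEBCRED_PREFIX):].lower() == wanted:
                return True
    return False


def autofill_allowed(app_id: str, entitlements, domain: str, aasa_raw: bytes) -> bool:
    """Credentials for `domain` may be offered to `app_id` only when both
    halves agree: the app claims the domain in its entitlements AND the
    domain's AASA file lists the app id under webcredentials.apps."""
    if not app_claims_domain(entitlements, domain):
        return False
    return app_id in parse_webcredentials(domain, aasa_raw).apps


# Constructed sample data: placeholder team id, bundle ids and domain.
SAMPLE_AASA = json.dumps({
    "webcredentials": {"apps": ["ABCDE12345.com.example.bank", "not-an-app-id"]},
    "applinks": {"apps": [], "details": []},
}).encode("utf-8")
BANK_APP = "ABCDE12345.com.example.bank"
BANK_ENTITLEMENTS = ["webcredentials:bank.example.com", "applinks:bank.example.com"]
OTHER_APP = "ZZZZZ99999.com.example.other"  # well-formed id, but not listed

if __name__ == "__main__":
    # Both sides agree -> True; server does not list the app -> False;
    # app never claimed the domain in its entitlements -> False
    print(autofill_allowed(BANK_APP, BANK_ENTITLEMENTS, "bank.example.com", SAMPLE_AASA))
    print(autofill_allowed(OTHER_APP, BANK_ENTITLEMENTS, "bank.example.com", SAMPLE_AASA))
    print(autofill_allowed(BANK_APP, ["applinks:bank.example.com"], "bank.example.com", SAMPLE_AASA))
```

When testing an app, the same two checks are what to verify: the entitlement it ships with and the AASA file its domains actually serve.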
FileProvider Enhancements (new Files App)
▪ Organizes, shares, and opens documents connected to cloud storage via the Document Browser
▪ “On My <iPad/iPhone>” FileProvider
• Only local FileProvider
• Apps use it to expose local documents to other apps
▪ What data is saved, and which apps can save it, will be important
▪ Testing should evaluate the data stored and who can access it
[Diagram: File Providers connecting the Document Browser UI, a document-based app and the cloud backend]
New barriers to unlocking phones
Emergency SOS Mode
▪ Activated by pressing the lock button 5 times
• Phone enters emergency mode
• SOS button
• Alerts emergency contacts to location
• Can auto-call emergency services
▪ Also locks down device
• Disables TouchID (passcode required)
• Does NOT require you to actually call emergency services
“...handy if you're being mugged or arrested and don't want to be compelled to unlock your device.”
http://www.macworld.co.uk/how-to/iphone/how-use-sos-mode-on-iphone-3663371/
Other iOS 11 security quick hits
FACE RECOGNITION - IPHONE X
▪ Protected by secure enclave
▪ Requires user attention to unlock
▪ Photo alone won’t work to bypass
▪ Questions about privacy of data
OFFLOAD UNUSED APPS
▪ Delete an app from your phone, but save the data
▪ Data’s still there, will it be protected?
TLS CONNECTIONS
▪ Preliminary TLSv1.3 support
▪ TLSv1.2 now default
▪ 3DES no longer an approved cipher
▪ SHA1 no longer accepted
▪ RSA keys must be at least 2048 bits
LOCATION SERVICES
▪ More granularity about when apps can use them
▪ Blue bar displays when in use
SAFARI - TRACKING PREVENTION
▪ Intelligent tracking prevention (ITP)
▪ Cookies for tracking and re-targeting disabled after 24 hours & purged after 30 days
NATIVE SCREEN RECORDING
▪ Where will screen recordings reside?
▪ Malicious use of screen recordings
In action: Keeping up with the latest OS updates
BEST PRACTICE RECOMMENDATIONS
1. Recognize that every new OS release - big or small - can introduce new gaps and risks
2. Find a reputable source you can count on to keep you up to date
a. Sign up for NowSecure #MobSec5 at www.nowsecure.com/go/subscribe.
b. Read our blog at www.nowsecure.com/blog
3. Test existing apps on new OS versions to identify potential risks and gaps
4. Re-test apps when updates take advantage of new OS features to identify potential risks and gaps
5. Add a mobile app security testing platform to your app factory to test custom and 3rd party apps
Case study:
Global Entertainment Brand
● PAIN: Staying current on Android/iOS updates
● Mobile app security requirements service
● Continually updated best practices (BPs) to account for the latest threats and versions of Android and iOS
“By the time we finished a draft of requirements specific to one version of iOS, Apple released the next one. We couldn’t keep up with the changes in iOS and also do the same for Android.”
— Security Engineer, Multi-billion Dollar Global Brand
As a global leader in high quality entertainment delivered through an array of channels, this brand harnessed the power of mobile technology early.
https://www.nowsecure.com/case-studies/mobile-app-security-program-for-global-entertainment-brand/
NOWSECURE PLATFORM for 360º COVERAGE OF MOBILE APP SECURITY TESTING
NowSecure INTELLIGENCE: AlwaysOn AppStore Cloud Analysis for EMM & Security teams
NowSecure AUTOMATED: OnDemand Fast Cloud Analysis for Dev, QA & Security teams
NowSecure WORKSTATION: Deep Pen Testing Analysis for Security Analysts
NowSecure SERVICES: Expert Pen Testing, Training & Programs for App Owners & Security teams
8X FASTER – 3X DEEPER – MOST TRUSTED
Let’s talk
NowSecure
+1 312.878.1100
@NowSecureMobile
www.nowsecure.com
Subscribe to #MobSec5
A digest of the week’s mobile security news that matters
https://www.nowsecure.com/go/subscribe