SlideShare una empresa de Scribd logo

How to Test Security and Vulnerability of Your Android and iOS Apps

Descargar como PPTX, PDF
Bitbar
Bitbar

Watch a live presentation at http://offer.bitbar.com/how-to-test-security-and-vulnerability-of-your-android-and-ios-apps Majority of today’s mobile apps consist of third-party code/libraries. This is a prudent and well-accepted development practice that offloads the task of developing code for non-core functions of your mobile app – or game. Identifying third-party code, its vulnerabilities and its license restrictions, is highly critical in order to understand your security exposure and your liability. Stay tuned and join our upcoming webinars at http://bitbar.com/testing/webinars/

Tecnología
1 de 40
How to Test Security and Vulnerability of Your Android and iOS Apps 4 December 2013 Ville-Veikko Helppi Antti Häyrynen Technical Product Manager Security Specialist ville-veikko.helppi@bitbar.com antti.hayrynen@codenomicon.com
webinar Agenda • Mobile Apps & Third-Party Components • Security, Open Source and Licenses on Different Mobile Subverticals • Is Your Mobile App Safe? • Testdroid Update • Demonstration • Q&A © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 2
webinar Agenda • Mobile Apps & Third-Party Components • Security, Open Source and Licenses on Different Mobile Subverticals • Is Your Mobile App Safe? • Testdroid Update • Demonstration • Q&A © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 3
webinar Security Testing for Mobile Apps • How to test something you don’t know it exists? • Security testing doesn’t replace white/black box testing but can complement it very well • e.g. Android protects • User data • System resources • Application isolation • Security at the OS level © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 4
webinar Hot debate about Android security • Open Platform – All source code available • Linux security (e.g. users, process isolation, IPC) • Filesystem permissions • Cryptography (API) • Memory management • 1.5 -> 4.2 • Application security • Android has defenses to protect itself – not data! © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 5
webinar Mobile Apps & Open Source Components Blurred Blurred © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 6
webinar Mobile Apps & Third-Party Components • Majority of today’s applications consist largely of third-party code/libraries and application-specific glue to hold everything together • This is a prudent and well-accepted development practice that offloads the task of developing code for non-core functions of the application • Each piece of third-party code has an associated license whose terms can affect the distribution and licensing of your application © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 7
webinar Mobile Apps & Third-Party Components • Identifying 3rd party code, its vulnerabilities and its licenses, is critical in order to understand your security exposure and your liability: • • • • • Know those 3rd party components/libs used in your app Identify binding software licenses for 3rd party code Identify vulnerabilities in 3rd party components that could be security risks in your application (and its users) 3rd party components evolve and change – it’s important to know what is new and what makes your app vulnerable Instant way of checking any app (Android & iOS) will enable you to focus on your core activities © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 8
webinar Agenda • Mobile Apps & Third-Party Components • Security, Open Source and Licenses on Different Mobile Subverticals • Is Your Mobile App Safe? • Testdroid Update • Demonstration • Q&A © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 9
webinar Apps for Mobile Subverticals Games Utilities & Tools Video Streaming & Multimedia Banking & Payment Retail & Travel Mobile • Testdroid has helped thousands of app developers in these subverticals! • What are the critical elements in each these verticals? • How are the security requirements different in each subvertical? © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 10
webinar Apps for Mobile Subverticals •Top Requirements Games Utilities & Tools Video Streaming & Multimedia Banking & Payment Retail & Travel Mobile –User Experience! –Resource consumption & validation (CPU, Mem…) –Fully utilizing hardware – e.g. Touch screen –Access to graphics APIs (e.g. OpenGL ES) •Open source license © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 11
webinar Apps for Mobile Subverticals •Top requirements Games Utilities & Tools Video Streaming & Multimedia Banking & Payment Retail & Travel Mobile –Usability! –Functional and Behavioral testing –Metrics analysis for all captured data (e.g. logs, screenshots, perf stats) –Relation to other apps •Open source license © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 12
webinar Apps for Mobile Subverticals •Top requirements Games Utilities & Tools Video Streaming & Multimedia Banking & Payment Retail & Travel Mobile –Performance! –Connectivity, robustness and durability –Screen orientation (portrait vs. landscape) –Graphics quality, streaming capabilities –User profiles •Security & Vulnerability © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 13
webinar Apps for Mobile Subverticals •Top Requirements Games Utilities & Tools Video Streaming & Multimedia Banking & Payment Retail & Travel Mobile –Security! –Secure connectivity with back-end systems –Top Quality – extremely brand sensitive vertical –Compliances and verification between real devices and infrastructure •Security is the no. 1 thing © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 14
webinar Apps for Mobile Subverticals •Top Requirements Games Utilities & Tools Video Streaming & Multimedia Banking & Payment Retail & Travel Mobile –Data! –Connectivity and data connection with back-ends –Configurability of the app –Bad quality WILL hurt the brand and make customers leave your app •Security, Licenses © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 15
webinar Agenda •Mobile Apps & Third-Party Components •Security, Open Source and Licenses on Different Mobile Subverticals •Is Your Mobile App Safe? •Testdroid Update •Demonstration •Q&A © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 16
Is your mobile app safe? Codenomicon AppCheck
Mobile software •Software development is increasingly shifting into mobile •Android and iOS dominant platforms, followed by WP and Qt –All different, even on preferred programming language level •Volumes larger than traditionally, average revenue per user much lower
Mobile software paradigm •Traditionally software opens files and handles them. –Only Android supports this properly via registering as content handler •The modern way is to have client / server architecture –Mobile device is a client. Payload is usually json, protobuf, xml or media.
Traditional Threats •Open malicious file / content (via email, web etc) that contains an exploit -> target popped. •In Android, content handlers can have these issues. –Platform somewhat limits what the attacker can do unless privilege escalation is possible. –For example PDF readers, video players etc.
Modern threats •In the modern app paradigm, the mobile client “enriches” content from pre-defined server –Usually SSL protected –Certificate checks? •Cert pinning? •Attacks somewhat limited to either –Man in the middle –Injecting malice via server
IOS apps •IOS apps are Mach binaries usually written in Objective-C •Packaging follows the common paradigm – manifest, code and resources inside zip •Inside the device executable code is usually encrypted, but in clear before blessed by Apple. –Can be decrypted on jailbroken devices. •Allows mixing of C into apps -> common OSS libs can be used.
Anatomy of an Android app •The simplest form: simple java application. –Manifest, .dex, resource files •Manifest has meta data (app name, permissions, content handler registrations etc) •DEX contains java byte code –With or without proguard obfuscation. •Resource files contain images etc. •Optionally native code (usually just ARM) in lib/
Native code •Sometimes java is not enough. –~15% of android apps contain native code •.so’s in lib/ –Among popular apps, the amount is much higher •If the native code processes untrusted data, it’s out of dalvik supervision. –Can corrupt memory and contain exploitable bugs.
Third party code •Modern world contains plenty of ready components either as open source or licensable. •People use them to –Avoid re-inventing the wheel –Save time and costs –Create better software – many of those components are actually great at what they do. •Apps that use them inherit the bugs they have. •Since there’s no “package management” in Android like in Linux distros, apps bundle third party code with them. –Fixing 3rd party bugs require actions from app vendor
Third party code in Android apps •There are different types of 3rd party libs popular in Android, for example –Ad networks –Protocol clients –Content decoders/encoders –Shiny UI widgets –Cross-platform app frameworks –Most of the Java 3rd party libs usable in Android •Either Java or native
Introducing Appcheck •Codenomicon Appcheck makes it easy and fast to increase your application security •Integrated into Testdroid •Works on binaries, no source code necessary. •Main idea is to look for third party code from apps and categorize them.
Vulnerabilities •Third party libraries may contain vulnerabilities that endanger application security •Common pitfalls in android libraries include for example missing certificate checks, missing crypto, privacy issues •In native libraries common native code problems persist. •Vulnerability feeds provide vulnerability information on common components –http://nvd.nist.gov/ –Appcheck performs matching against vulnerability feeds
Ad networks •Ad networks vary from benign to outright evil –Some replace dial tone –Some have critical vulnerabilities –Some may send more information than user is willing to accept •Appcheck detects all the common ad networks.
Licenses •Third party code sometimes comes with some strings attached in form of licenses –Eg. GPL requires you to distribute source code of derivative works –Apache license requires some attribution –GPLv3 forbids DRM •Common pitfall in Android would be to bundle for example LGPL lib in on .so with rest of the native code •Appcheck makes all the used licenses visible
Improving security •By being aware of security issues of reusable third party components in their apps, developers can take action to fix issues •If you source software, you can use Appcheck to check what supplier has actually bundled inside the app.
Conclusions •Mobile applications face threats and risks stemming from bundled 3rd party code. •Third party code scanning gives you actionable results to –Remove or mitigate known vulnerabilities –Eliminate license risk –Remove overlapping and unwanted functionality such as privacy leaks
webinar Agenda •Mobile Apps & Third-Party Components •Security, Open Source and Licenses on Different Mobile Subverticals •Is Your Mobile App Safe? •Testdroid Update •Demonstration •Q&A © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 33
webinar Testdroid Products Complete Solution for Mobile Apps/Games Testing © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 34
webinar Testdroid & Appcheck – Get Your App an Insurance for Security & Vulnerability! © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 35
webinar Testdroid Blog and Webinars – Because it is important to how to automate your testing! © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 36
webinar Codenomicon Website and Events © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 37
webinar Agenda •Mobile Apps & Third-Party Components •Security, Open Source and Licenses on Different Mobile Subverticals •Is Your Mobile App Safe? •Testdroid Update •Demonstration •Q&A © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 38
webinar Agenda •Mobile Apps & Third-Party Components •Security, Open Source and Licenses on Different Mobile Subverticals •Is Your Mobile App Safe? •Testdroid Update •Demonstration •Q&A © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 39
webinar © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 40

Recomendados

Build a Large Scale In-House Test Lab for Mobile Apps
Build a Large Scale In-House Test Lab for Mobile AppsBuild a Large Scale In-House Test Lab for Mobile Apps
Build a Large Scale In-House Test Lab for Mobile AppsBitbar
 
Testdroid: Release Perfect Apps with Mobile Visual Testing in the Cloud
Testdroid: Release Perfect Apps with Mobile Visual Testing in the Cloud Testdroid: Release Perfect Apps with Mobile Visual Testing in the Cloud
Testdroid: Release Perfect Apps with Mobile Visual Testing in the Cloud Applitools
 
The Status of Android Hardware and Software - From App Developer's Point of View
The Status of Android Hardware and Software - From App Developer's Point of ViewThe Status of Android Hardware and Software - From App Developer's Point of View
The Status of Android Hardware and Software - From App Developer's Point of ViewBitbar
 
Which One Works You The Best: In-House or Cloud-Based Development Environment
Which One Works You The Best: In-House or Cloud-Based Development EnvironmentWhich One Works You The Best: In-House or Cloud-Based Development Environment
Which One Works You The Best: In-House or Cloud-Based Development EnvironmentBitbar
 
Best Practices for DevOps in Mobile App Testing
Best Practices for DevOps in Mobile App TestingBest Practices for DevOps in Mobile App Testing
Best Practices for DevOps in Mobile App TestingBitbar
 
Ensure Your Mobile Channels Generate Revenue on Holiday Peak Days
Ensure Your Mobile Channels Generate Revenue on Holiday Peak DaysEnsure Your Mobile Channels Generate Revenue on Holiday Peak Days
Ensure Your Mobile Channels Generate Revenue on Holiday Peak DaysBitbar
 
Fight back android fragmentation
Fight back android fragmentationFight back android fragmentation
Fight back android fragmentationBitbar
 
Hassle-Free Continuous Integration with Real Device Testing
Hassle-Free Continuous Integration with Real Device TestingHassle-Free Continuous Integration with Real Device Testing
Hassle-Free Continuous Integration with Real Device TestingBitbar
 

Recomendados

Build a Large Scale In-House Test Lab for Mobile Apps
Build a Large Scale In-House Test Lab for Mobile AppsBuild a Large Scale In-House Test Lab for Mobile Apps
Build a Large Scale In-House Test Lab for Mobile AppsBitbar
 
Testdroid: Release Perfect Apps with Mobile Visual Testing in the Cloud
Testdroid: Release Perfect Apps with Mobile Visual Testing in the Cloud Testdroid: Release Perfect Apps with Mobile Visual Testing in the Cloud
Testdroid: Release Perfect Apps with Mobile Visual Testing in the Cloud Applitools
 
The Status of Android Hardware and Software - From App Developer's Point of View
The Status of Android Hardware and Software - From App Developer's Point of ViewThe Status of Android Hardware and Software - From App Developer's Point of View
The Status of Android Hardware and Software - From App Developer's Point of ViewBitbar
 
Which One Works You The Best: In-House or Cloud-Based Development Environment
Which One Works You The Best: In-House or Cloud-Based Development EnvironmentWhich One Works You The Best: In-House or Cloud-Based Development Environment
Which One Works You The Best: In-House or Cloud-Based Development EnvironmentBitbar
 
Best Practices for DevOps in Mobile App Testing
Best Practices for DevOps in Mobile App TestingBest Practices for DevOps in Mobile App Testing
Best Practices for DevOps in Mobile App TestingBitbar
 
Ensure Your Mobile Channels Generate Revenue on Holiday Peak Days
Ensure Your Mobile Channels Generate Revenue on Holiday Peak DaysEnsure Your Mobile Channels Generate Revenue on Holiday Peak Days
Ensure Your Mobile Channels Generate Revenue on Holiday Peak DaysBitbar
 
Fight back android fragmentation
Fight back android fragmentationFight back android fragmentation
Fight back android fragmentationBitbar
 
Hassle-Free Continuous Integration with Real Device Testing
Hassle-Free Continuous Integration with Real Device TestingHassle-Free Continuous Integration with Real Device Testing
Hassle-Free Continuous Integration with Real Device TestingBitbar
 
How to Leverage Appium in Your Mobile App Testing
How to Leverage Appium in Your Mobile App TestingHow to Leverage Appium in Your Mobile App Testing
How to Leverage Appium in Your Mobile App TestingBitbar
 
How to Reliably Measure and Optimize Graphics Performance of Your Android Games
How to Reliably Measure and Optimize Graphics Performance of Your Android GamesHow to Reliably Measure and Optimize Graphics Performance of Your Android Games
How to Reliably Measure and Optimize Graphics Performance of Your Android GamesBitbar
 
Do You Enjoy Espresso in Android App Testing?
Do You Enjoy Espresso in Android App Testing?Do You Enjoy Espresso in Android App Testing?
Do You Enjoy Espresso in Android App Testing?Bitbar
 
Best Practices in Mobile Game Testing
Best Practices in Mobile Game TestingBest Practices in Mobile Game Testing
Best Practices in Mobile Game TestingBitbar
 
Mobile performance metrics and performance monitoring meetup 2017 05 10
Mobile performance metrics and performance monitoring meetup 2017 05 10Mobile performance metrics and performance monitoring meetup 2017 05 10
Mobile performance metrics and performance monitoring meetup 2017 05 10Bitbar
 
Different Android Test Automation Frameworks - What Works You the Best?
Different Android Test Automation Frameworks - What Works You the Best?Different Android Test Automation Frameworks - What Works You the Best?
Different Android Test Automation Frameworks - What Works You the Best?Bitbar
 
Exercising and Scaling Up Mobile DevOps in the Enterprise
Exercising and Scaling Up Mobile DevOps in the EnterpriseExercising and Scaling Up Mobile DevOps in the Enterprise
Exercising and Scaling Up Mobile DevOps in the EnterpriseBitbar
 
Introduction To Mobile-Automation
Introduction To Mobile-AutomationIntroduction To Mobile-Automation
Introduction To Mobile-AutomationMindfire Solutions
 
Testing Strategy for Progressive Web Apps
Testing Strategy for Progressive Web AppsTesting Strategy for Progressive Web Apps
Testing Strategy for Progressive Web AppsPerfecto by Perforce
 
Webinar: Appium & Perfecto: A Perfect Match
Webinar: Appium & Perfecto: A Perfect MatchWebinar: Appium & Perfecto: A Perfect Match
Webinar: Appium & Perfecto: A Perfect MatchLizzy Guido (she/her)
 
Appium vs. Appium with Perfecto
Appium vs. Appium with PerfectoAppium vs. Appium with Perfecto
Appium vs. Appium with PerfectoLizzy Guido (she/her)
 
Parallel Test Runs with Appium on Real Mobile Devices – Hands-on Webinar
Parallel Test Runs with Appium on Real Mobile Devices – Hands-on WebinarParallel Test Runs with Appium on Real Mobile Devices – Hands-on Webinar
Parallel Test Runs with Appium on Real Mobile Devices – Hands-on WebinarBitbar
 
Mobile Test Automation
Mobile Test AutomationMobile Test Automation
Mobile Test AutomationLee Barnes
 
Parallel testing with appium
Parallel testing with appiumParallel testing with appium
Parallel testing with appiummoizjv
 
TechTalk: Get to Know Perfecto
TechTalk: Get to Know Perfecto TechTalk: Get to Know Perfecto
TechTalk: Get to Know Perfecto Lizzy Guido (she/her)
 
Selenium training
Selenium trainingSelenium training
Selenium trainingShivaraj R
 
Test Automation for Mobile Applications: A Practical Guide
Test Automation for Mobile Applications: A Practical GuideTest Automation for Mobile Applications: A Practical Guide
Test Automation for Mobile Applications: A Practical GuideTechWell
 
Top Best Practices for Successful Mobile Test Automation
Top Best Practices for Successful Mobile Test AutomationTop Best Practices for Successful Mobile Test Automation
Top Best Practices for Successful Mobile Test AutomationFred Beringer
 
Everything You Need To Know about Appium and Selenium
Everything You Need To Know about Appium and SeleniumEverything You Need To Know about Appium and Selenium
Everything You Need To Know about Appium and SeleniumLizzy Guido (she/her)
 
Accelerating Digital Transformation With API Lifecycle & Test Automation
Accelerating Digital Transformation With API Lifecycle & Test AutomationAccelerating Digital Transformation With API Lifecycle & Test Automation
Accelerating Digital Transformation With API Lifecycle & Test AutomationPerfecto by Perforce
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security ProgramDenim Group
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applicationsGTestClub
 

Más contenido relacionado

La actualidad más candente

How to Leverage Appium in Your Mobile App Testing
How to Leverage Appium in Your Mobile App TestingHow to Leverage Appium in Your Mobile App Testing
How to Leverage Appium in Your Mobile App TestingBitbar
 
How to Reliably Measure and Optimize Graphics Performance of Your Android Games
How to Reliably Measure and Optimize Graphics Performance of Your Android GamesHow to Reliably Measure and Optimize Graphics Performance of Your Android Games
How to Reliably Measure and Optimize Graphics Performance of Your Android GamesBitbar
 
Do You Enjoy Espresso in Android App Testing?
Do You Enjoy Espresso in Android App Testing?Do You Enjoy Espresso in Android App Testing?
Do You Enjoy Espresso in Android App Testing?Bitbar
 
Best Practices in Mobile Game Testing
Best Practices in Mobile Game TestingBest Practices in Mobile Game Testing
Best Practices in Mobile Game TestingBitbar
 
Mobile performance metrics and performance monitoring meetup 2017 05 10
Mobile performance metrics and performance monitoring meetup 2017 05 10Mobile performance metrics and performance monitoring meetup 2017 05 10
Mobile performance metrics and performance monitoring meetup 2017 05 10Bitbar
 
Different Android Test Automation Frameworks - What Works You the Best?
Different Android Test Automation Frameworks - What Works You the Best?Different Android Test Automation Frameworks - What Works You the Best?
Different Android Test Automation Frameworks - What Works You the Best?Bitbar
 
Exercising and Scaling Up Mobile DevOps in the Enterprise
Exercising and Scaling Up Mobile DevOps in the EnterpriseExercising and Scaling Up Mobile DevOps in the Enterprise
Exercising and Scaling Up Mobile DevOps in the EnterpriseBitbar
 
Introduction To Mobile-Automation
Introduction To Mobile-AutomationIntroduction To Mobile-Automation
Introduction To Mobile-AutomationMindfire Solutions
 
Testing Strategy for Progressive Web Apps
Testing Strategy for Progressive Web AppsTesting Strategy for Progressive Web Apps
Testing Strategy for Progressive Web AppsPerfecto by Perforce
 
Webinar: Appium & Perfecto: A Perfect Match
Webinar: Appium & Perfecto: A Perfect MatchWebinar: Appium & Perfecto: A Perfect Match
Webinar: Appium & Perfecto: A Perfect MatchLizzy Guido (she/her)
 
Parallel Test Runs with Appium on Real Mobile Devices – Hands-on Webinar
Parallel Test Runs with Appium on Real Mobile Devices – Hands-on WebinarParallel Test Runs with Appium on Real Mobile Devices – Hands-on Webinar
Parallel Test Runs with Appium on Real Mobile Devices – Hands-on WebinarBitbar
 
Mobile Test Automation
Mobile Test AutomationMobile Test Automation
Mobile Test AutomationLee Barnes
 
Parallel testing with appium
Parallel testing with appiumParallel testing with appium
Parallel testing with appiummoizjv
 
Selenium training
Selenium trainingSelenium training
Selenium trainingShivaraj R
 
Test Automation for Mobile Applications: A Practical Guide
Test Automation for Mobile Applications: A Practical GuideTest Automation for Mobile Applications: A Practical Guide
Test Automation for Mobile Applications: A Practical GuideTechWell
 
Top Best Practices for Successful Mobile Test Automation
Top Best Practices for Successful Mobile Test AutomationTop Best Practices for Successful Mobile Test Automation
Top Best Practices for Successful Mobile Test AutomationFred Beringer
 
Everything You Need To Know about Appium and Selenium
Everything You Need To Know about Appium and SeleniumEverything You Need To Know about Appium and Selenium
Everything You Need To Know about Appium and SeleniumLizzy Guido (she/her)
 
Accelerating Digital Transformation With API Lifecycle & Test Automation
Accelerating Digital Transformation With API Lifecycle & Test AutomationAccelerating Digital Transformation With API Lifecycle & Test Automation
Accelerating Digital Transformation With API Lifecycle & Test AutomationPerfecto by Perforce
 

La actualidad más candente (20)

How to Leverage Appium in Your Mobile App Testing
How to Leverage Appium in Your Mobile App TestingHow to Leverage Appium in Your Mobile App Testing
How to Leverage Appium in Your Mobile App Testing
 
How to Reliably Measure and Optimize Graphics Performance of Your Android Games
How to Reliably Measure and Optimize Graphics Performance of Your Android GamesHow to Reliably Measure and Optimize Graphics Performance of Your Android Games
How to Reliably Measure and Optimize Graphics Performance of Your Android Games
 
Do You Enjoy Espresso in Android App Testing?
Do You Enjoy Espresso in Android App Testing?Do You Enjoy Espresso in Android App Testing?
Do You Enjoy Espresso in Android App Testing?
 
Best Practices in Mobile Game Testing
Best Practices in Mobile Game TestingBest Practices in Mobile Game Testing
Best Practices in Mobile Game Testing
 
Mobile performance metrics and performance monitoring meetup 2017 05 10
Mobile performance metrics and performance monitoring meetup 2017 05 10Mobile performance metrics and performance monitoring meetup 2017 05 10
Mobile performance metrics and performance monitoring meetup 2017 05 10
 
Different Android Test Automation Frameworks - What Works You the Best?
Different Android Test Automation Frameworks - What Works You the Best?Different Android Test Automation Frameworks - What Works You the Best?
Different Android Test Automation Frameworks - What Works You the Best?
 
Exercising and Scaling Up Mobile DevOps in the Enterprise
Exercising and Scaling Up Mobile DevOps in the EnterpriseExercising and Scaling Up Mobile DevOps in the Enterprise
Exercising and Scaling Up Mobile DevOps in the Enterprise
 
Introduction To Mobile-Automation
Introduction To Mobile-AutomationIntroduction To Mobile-Automation
Introduction To Mobile-Automation
 
Testing Strategy for Progressive Web Apps
Testing Strategy for Progressive Web AppsTesting Strategy for Progressive Web Apps
Testing Strategy for Progressive Web Apps
 
Webinar: Appium & Perfecto: A Perfect Match
Webinar: Appium & Perfecto: A Perfect MatchWebinar: Appium & Perfecto: A Perfect Match
Webinar: Appium & Perfecto: A Perfect Match
 
Appium vs. Appium with Perfecto
Appium vs. Appium with PerfectoAppium vs. Appium with Perfecto
Appium vs. Appium with Perfecto
 
Parallel Test Runs with Appium on Real Mobile Devices – Hands-on Webinar
Parallel Test Runs with Appium on Real Mobile Devices – Hands-on WebinarParallel Test Runs with Appium on Real Mobile Devices – Hands-on Webinar
Parallel Test Runs with Appium on Real Mobile Devices – Hands-on Webinar
 
Mobile Test Automation
Mobile Test AutomationMobile Test Automation
Mobile Test Automation
 
Parallel testing with appium
Parallel testing with appiumParallel testing with appium
Parallel testing with appium
 
TechTalk: Get to Know Perfecto
TechTalk: Get to Know Perfecto TechTalk: Get to Know Perfecto
TechTalk: Get to Know Perfecto
 
Selenium training
Selenium trainingSelenium training
Selenium training
 
Test Automation for Mobile Applications: A Practical Guide
Test Automation for Mobile Applications: A Practical GuideTest Automation for Mobile Applications: A Practical Guide
Test Automation for Mobile Applications: A Practical Guide
 
Top Best Practices for Successful Mobile Test Automation
Top Best Practices for Successful Mobile Test AutomationTop Best Practices for Successful Mobile Test Automation
Top Best Practices for Successful Mobile Test Automation
 
Everything You Need To Know about Appium and Selenium
Everything You Need To Know about Appium and SeleniumEverything You Need To Know about Appium and Selenium
Everything You Need To Know about Appium and Selenium
 
Accelerating Digital Transformation With API Lifecycle & Test Automation
Accelerating Digital Transformation With API Lifecycle & Test AutomationAccelerating Digital Transformation With API Lifecycle & Test Automation
Accelerating Digital Transformation With API Lifecycle & Test Automation
 

Similar a How to Test Security and Vulnerability of Your Android and iOS Apps

Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security ProgramDenim Group
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applicationsGTestClub
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythIoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythSecurity Innovation
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationFelipe Prado
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
Android Security Humla Part 1
Android Security Humla Part 1Android Security Humla Part 1
Android Security Humla Part 1Nikhil Kulkarni
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)ClubHack
 
Android Seminar BY Suleman Khan.pdf
Android Seminar BY Suleman Khan.pdfAndroid Seminar BY Suleman Khan.pdf
Android Seminar BY Suleman Khan.pdfNomanKhan869872
 
BlackDuck Suite
BlackDuck SuiteBlackDuck Suite
BlackDuck Suitejeff cheng
 
Tips To Protect Your Mobile App from Hackers.pdf
Tips To Protect Your Mobile App from Hackers.pdfTips To Protect Your Mobile App from Hackers.pdf
Tips To Protect Your Mobile App from Hackers.pdfFuGenx Technologies
 
Application Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs SecurityApplication Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs SecurityLumension
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on androidRavishankar Kumar
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsEric Vétillard
 
Designing Secure Mobile Apps
Designing Secure Mobile AppsDesigning Secure Mobile Apps
Designing Secure Mobile AppsDenim Group
 

Similar a How to Test Security and Vulnerability of Your Android and iOS Apps (20)

Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applications
 
Untitled 1
Untitled 1Untitled 1
Untitled 1
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythIoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" Myth
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
Android Security Humla Part 1
Android Security Humla Part 1Android Security Humla Part 1
Android Security Humla Part 1
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android Security
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
 
Android Seminar BY Suleman Khan.pdf
Android Seminar BY Suleman Khan.pdfAndroid Seminar BY Suleman Khan.pdf
Android Seminar BY Suleman Khan.pdf
 
Android Applications
Android ApplicationsAndroid Applications
Android Applications
 
Android ppt
Android pptAndroid ppt
Android ppt
 
Android ppt
Android ppt Android ppt
Android ppt
 
BlackDuck Suite
BlackDuck SuiteBlackDuck Suite
BlackDuck Suite
 
Tips To Protect Your Mobile App from Hackers.pdf
Tips To Protect Your Mobile App from Hackers.pdfTips To Protect Your Mobile App from Hackers.pdf
Tips To Protect Your Mobile App from Hackers.pdf
 
Application Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs SecurityApplication Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs Security
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on android
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of Things
 
Android
AndroidAndroid
Android
 
Designing Secure Mobile Apps
Designing Secure Mobile AppsDesigning Secure Mobile Apps
Designing Secure Mobile Apps
 

Más de Bitbar

The Best of Both Worlds - Combining Performance and Functional Mobile App Tes...
The Best of Both Worlds - Combining Performance and Functional Mobile App Tes...The Best of Both Worlds - Combining Performance and Functional Mobile App Tes...
The Best of Both Worlds - Combining Performance and Functional Mobile App Tes...Bitbar
 
Getting Started with XCTest and XCUITest for iOS App Testing
Getting Started with XCTest and XCUITest for iOS App TestingGetting Started with XCTest and XCUITest for iOS App Testing
Getting Started with XCTest and XCUITest for iOS App TestingBitbar
 
LDNSE: Testdroid for Mobile App and Web Testing (London Selenium Meetup)
LDNSE: Testdroid for Mobile App and Web Testing (London Selenium Meetup)LDNSE: Testdroid for Mobile App and Web Testing (London Selenium Meetup)
LDNSE: Testdroid for Mobile App and Web Testing (London Selenium Meetup)Bitbar
 
The Powerful and Comprehensive API for Mobile App Development and Testing
The Powerful and Comprehensive API for Mobile App Development and TestingThe Powerful and Comprehensive API for Mobile App Development and Testing
The Powerful and Comprehensive API for Mobile App Development and TestingBitbar
 
Testing Your Android and iOS Apps with Appium in Testdroid Cloud
Testing Your Android and iOS Apps with Appium in Testdroid CloudTesting Your Android and iOS Apps with Appium in Testdroid Cloud
Testing Your Android and iOS Apps with Appium in Testdroid CloudBitbar
 
Maximize the Benefits from Your Test Automation Investment
Maximize the Benefits from Your Test Automation InvestmentMaximize the Benefits from Your Test Automation Investment
Maximize the Benefits from Your Test Automation InvestmentBitbar
 
Android testing
Android testingAndroid testing
Android testingBitbar
 

Más de Bitbar (7)

The Best of Both Worlds - Combining Performance and Functional Mobile App Tes...
The Best of Both Worlds - Combining Performance and Functional Mobile App Tes...The Best of Both Worlds - Combining Performance and Functional Mobile App Tes...
The Best of Both Worlds - Combining Performance and Functional Mobile App Tes...
 
Getting Started with XCTest and XCUITest for iOS App Testing
Getting Started with XCTest and XCUITest for iOS App TestingGetting Started with XCTest and XCUITest for iOS App Testing
Getting Started with XCTest and XCUITest for iOS App Testing
 
LDNSE: Testdroid for Mobile App and Web Testing (London Selenium Meetup)
LDNSE: Testdroid for Mobile App and Web Testing (London Selenium Meetup)LDNSE: Testdroid for Mobile App and Web Testing (London Selenium Meetup)
LDNSE: Testdroid for Mobile App and Web Testing (London Selenium Meetup)
 
The Powerful and Comprehensive API for Mobile App Development and Testing
The Powerful and Comprehensive API for Mobile App Development and TestingThe Powerful and Comprehensive API for Mobile App Development and Testing
The Powerful and Comprehensive API for Mobile App Development and Testing
 
Testing Your Android and iOS Apps with Appium in Testdroid Cloud
Testing Your Android and iOS Apps with Appium in Testdroid CloudTesting Your Android and iOS Apps with Appium in Testdroid Cloud
Testing Your Android and iOS Apps with Appium in Testdroid Cloud
 
Maximize the Benefits from Your Test Automation Investment
Maximize the Benefits from Your Test Automation InvestmentMaximize the Benefits from Your Test Automation Investment
Maximize the Benefits from Your Test Automation Investment
 
Android testing
Android testingAndroid testing
Android testing
 

Último

[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 

Último (20)

[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 

How to Test Security and Vulnerability of Your Android and iOS Apps

  • 1. How to Test Security and Vulnerability of Your Android and iOS Apps 4 December 2013 Ville-Veikko Helppi Antti Häyrynen Technical Product Manager Security Specialist ville-veikko.helppi@bitbar.com antti.hayrynen@codenomicon.com
  • 2. webinar Agenda • Mobile Apps & Third-Party Components • Security, Open Source and Licenses on Different Mobile Subverticals • Is Your Mobile App Safe? • Testdroid Update • Demonstration • Q&A © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 2
  • 3. webinar Agenda • Mobile Apps & Third-Party Components • Security, Open Source and Licenses on Different Mobile Subverticals • Is Your Mobile App Safe? • Testdroid Update • Demonstration • Q&A © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 3
  • 4. webinar Security Testing for Mobile Apps • How to test something you don’t know it exists? • Security testing doesn’t replace white/black box testing but can complement it very well • e.g. Android protects • User data • System resources • Application isolation • Security at the OS level © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 4
  • 5. webinar Hot debate about Android security • Open Platform – All source code available • Linux security (e.g. users, process isolation, IPC) • Filesystem permissions • Cryptography (API) • Memory management • 1.5 -> 4.2 • Application security • Android has defenses to protect itself – not data! © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 5
  • 6. webinar Mobile Apps & Open Source Components Blurred Blurred © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 6
  • 7. webinar Mobile Apps & Third-Party Components • Majority of today’s applications consist largely of third-party code/libraries and application-specific glue to hold everything together • This is a prudent and well-accepted development practice that offloads the task of developing code for non-core functions of the application • Each piece of third-party code has an associated license whose terms can affect the distribution and licensing of your application © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 7
  • 8. webinar Mobile Apps & Third-Party Components • Identifying 3rd party code, its vulnerabilities and its licenses, is critical in order to understand your security exposure and your liability: • • • • • Know those 3rd party components/libs used in your app Identify binding software licenses for 3rd party code Identify vulnerabilities in 3rd party components that could be security risks in your application (and its users) 3rd party components evolve and change – it’s important to know what is new and what makes your app vulnerable Instant way of checking any app (Android & iOS) will enable you to focus on your core activities © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 8
  • 9. webinar Agenda • Mobile Apps & Third-Party Components • Security, Open Source and Licenses on Different Mobile Subverticals • Is Your Mobile App Safe? • Testdroid Update • Demonstration • Q&A © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 9
  • 10. webinar Apps for Mobile Subverticals Games Utilities & Tools Video Streaming & Multimedia Banking & Payment Retail & Travel Mobile • Testdroid has helped thousands of app developers in these subverticals! • What are the critical elements in each these verticals? • How are the security requirements different in each subvertical? © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 10
  • 11. webinar Apps for Mobile Subverticals •Top Requirements Games Utilities & Tools Video Streaming & Multimedia Banking & Payment Retail & Travel Mobile –User Experience! –Resource consumption & validation (CPU, Mem…) –Fully utilizing hardware – e.g. Touch screen –Access to graphics APIs (e.g. OpenGL ES) •Open source license © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 11
  • 12. webinar Apps for Mobile Subverticals •Top requirements Games Utilities & Tools Video Streaming & Multimedia Banking & Payment Retail & Travel Mobile –Usability! –Functional and Behavioral testing –Metrics analysis for all captured data (e.g. logs, screenshots, perf stats) –Relation to other apps •Open source license © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 12
  • 13. webinar Apps for Mobile Subverticals •Top requirements Games Utilities & Tools Video Streaming & Multimedia Banking & Payment Retail & Travel Mobile –Performance! –Connectivity, robustness and durability –Screen orientation (portrait vs. landscape) –Graphics quality, streaming capabilities –User profiles •Security & Vulnerability © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 13
  • 14. webinar Apps for Mobile Subverticals •Top Requirements Games Utilities & Tools Video Streaming & Multimedia Banking & Payment Retail & Travel Mobile –Security! –Secure connectivity with back-end systems –Top Quality – extremely brand sensitive vertical –Compliances and verification between real devices and infrastructure •Security is the no. 1 thing © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 14
  • 15. webinar Apps for Mobile Subverticals •Top Requirements Games Utilities & Tools Video Streaming & Multimedia Banking & Payment Retail & Travel Mobile –Data! –Connectivity and data connection with back-ends –Configurability of the app –Bad quality WILL hurt the brand and make customers leave your app •Security, Licenses © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 15
  • 16. webinar Agenda •Mobile Apps & Third-Party Components •Security, Open Source and Licenses on Different Mobile Subverticals •Is Your Mobile App Safe? •Testdroid Update •Demonstration •Q&A © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 16
  • 17. Is your mobile app safe? Codenomicon AppCheck
  • 18. Mobile software •Software development is increasingly shifting into mobile •Android and iOS dominant platforms, followed by WP and Qt –All different, even on preferred programming language level •Volumes larger than traditionally, average revenue per user much lower
  • 19. Mobile software paradigm •Traditionally software opens files and handles them. –Only Android supports this properly via registering as content handler •The modern way is to have client / server architecture –Mobile device is a client. Payload is usually json, protobuf, xml or media.
  • 20. Traditional Threats •Open malicious file / content (via email, web etc) that contains an exploit -> target popped. •In Android, content handlers can have these issues. –Platform somewhat limits what the attacker can do unless privilege escalation is possible. –For example PDF readers, video players etc.
  • 21. Modern threats •In the modern app paradigm, the mobile client “enriches” content from pre-defined server –Usually SSL protected –Certificate checks? •Cert pinning? •Attacks somewhat limited to either –Man in the middle –Injecting malice via server
  • 22. IOS apps •IOS apps are Mach binaries usually written in Objective-C •Packaging follows the common paradigm – manifest, code and resources inside zip •Inside the device executable code is usually encrypted, but in clear before blessed by Apple. –Can be decrypted on jailbroken devices. •Allows mixing of C into apps -> common OSS libs can be used.
  • 23. Anatomy of an Android app •The simplest form: simple java application. –Manifest, .dex, resource files •Manifest has meta data (app name, permissions, content handler registrations etc) •DEX contains java byte code –With or without proguard obfuscation. •Resource files contain images etc. •Optionally native code (usually just ARM) in lib/
  • 24. Native code •Sometimes java is not enough. –~15% of android apps contain native code •.so’s in lib/ –Among popular apps, the amount is much higher •If the native code processes untrusted data, it’s out of dalvik supervision. –Can corrupt memory and contain exploitable bugs.
  • 25. Third party code •Modern world contains plenty of ready components either as open source or licensable. •People use them to –Avoid re-inventing the wheel –Save time and costs –Create better software – many of those components are actually great at what they do. •Apps that use them inherit the bugs they have. •Since there’s no “package management” in Android like in Linux distros, apps bundle third party code with them. –Fixing 3rd party bugs require actions from app vendor
  • 26. Third party code in Android apps •There are different types of 3rd party libs popular in Android, for example –Ad networks –Protocol clients –Content decoders/encoders –Shiny UI widgets –Cross-platform app frameworks –Most of the Java 3rd party libs usable in Android •Either Java or native
  • 27. Introducing Appcheck •Codenomicon Appcheck makes it easy and fast to increase your application security •Integrated into Testdroid •Works on binaries, no source code necessary. •Main idea is to look for third party code from apps and categorize them.
  • 28. Vulnerabilities •Third party libraries may contain vulnerabilities that endanger application security •Common pitfalls in android libraries include for example missing certificate checks, missing crypto, privacy issues •In native libraries common native code problems persist. •Vulnerability feeds provide vulnerability information on common components –http://nvd.nist.gov/ –Appcheck performs matching against vulnerability feeds
  • 29. Ad networks •Ad networks vary from benign to outright evil –Some replace dial tone –Some have critical vulnerabilities –Some may send more information than user is willing to accept •Appcheck detects all the common ad networks.
  • 30. Licenses •Third party code sometimes comes with some strings attached in form of licenses –Eg. GPL requires you to distribute source code of derivative works –Apache license requires some attribution –GPLv3 forbids DRM •Common pitfall in Android would be to bundle for example LGPL lib in on .so with rest of the native code •Appcheck makes all the used licenses visible
  • 31. Improving security •By being aware of security issues of reusable third party components in their apps, developers can take action to fix issues •If you source software, you can use Appcheck to check what supplier has actually bundled inside the app.
  • 32. Conclusions •Mobile applications face threats and risks stemming from bundled 3rd party code. •Third party code scanning gives you actionable results to –Remove or mitigate known vulnerabilities –Eliminate license risk –Remove overlapping and unwanted functionality such as privacy leaks
  • 33. webinar Agenda •Mobile Apps & Third-Party Components •Security, Open Source and Licenses on Different Mobile Subverticals •Is Your Mobile App Safe? •Testdroid Update •Demonstration •Q&A © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 33
  • 34. webinar Testdroid Products Complete Solution for Mobile Apps/Games Testing © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 34
  • 35. webinar Testdroid & Appcheck – Get Your App an Insurance for Security & Vulnerability! © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 35
  • 36. webinar Testdroid Blog and Webinars – Because it is important to how to automate your testing! © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 36
  • 37. webinar Codenomicon Website and Events © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 37
  • 38. webinar Agenda •Mobile Apps & Third-Party Components •Security, Open Source and Licenses on Different Mobile Subverticals •Is Your Mobile App Safe? •Testdroid Update •Demonstration •Q&A © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 38
  • 39. webinar Agenda •Mobile Apps & Third-Party Components •Security, Open Source and Licenses on Different Mobile Subverticals •Is Your Mobile App Safe? •Testdroid Update •Demonstration •Q&A © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 39
  • 40. webinar © Copyrights by Bitbar Technologies Ltd. 2013 All rights reserved. 40