Designing Secure Mobile Apps
Denim Group
There are more ways your mobile phone can be compromised than theft.
1. Designing Secure Mobile Apps
Guerilla Training Camp, Security BSides Austin
Dan Cornell
© Copyright 2011 Denim Group - All Rights Reserved

2. My Background
• Dan Cornell, founder and CTO of Denim Group
• Software developer by background (Java, .NET, etc.)
• OWASP San Antonio, Global Membership Committee
• Denim Group
  – Build software with special security, performance, reliability requirements
  – Help organizations deal with the risk associated with their software
    • Code reviews and application assessments
    • SDLC consulting
    • Secure development training – instructor-led and eLearning

3. Agenda
• Generic Mobile Application Threat Model
• Mobile Application Design Concerns
  – Bypassing Platform Environment Restrictions
  – Application Permission Model
  – Local Storage and Encryption
  – Network Communication and Encryption
  – Native Code Execution
  – Browser Behavior
• In-depth Look at Mobile Browser Content Handling
• Questions

4. Tradeoffs: Value versus Risk
• Mobile applications can create tremendous value for organizations
  – New classes of applications utilizing mobile capabilities: GPS, camera, etc.
  – Innovating applications for employees and customers
• Mobile devices and mobile applications can create tremendous risks
  – Sensitive data inevitably stored on the device (email, contacts)
  – Connect to a lot of untrusted networks (carrier, WiFi)
• Most developers are not trained to develop secure applications
  – Fact of life, but slowly getting better
• Most developers are new to creating mobile applications
  – Different platforms have different security characteristics and capabilities

5. Smart Phones, Dumb Apps
• Lots of media focus on device and platform security
  – Important because successful attacks give tremendous attacker leverage
• Most organizations:
  – Accept realities of device and platform security
  – Concerned about the security of their custom applications
  – Concerned about sensitive data on the device because of their apps
  – Concerned about network-available resources that support their apps
• Who has smartphone applications deployed for customers?
• Who has had smartphone applications deployed without their knowledge?
  – *$!%$# marketing department…

6. Secure Mobile Development Reference
• Platform-specific recommendations
• Key topic areas
• Provide specific, prescriptive guidance to developers building mobile applications

7. Specific Platforms
• iOS (iPhone, iPad)
• Android
• Blackberry (in progress)
• Windows Phone 7 (in progress)
  – Windows Mobile 6.5 (?)
• Symbian (?)
• Others (?)
• Will be guided by demand, which is focused by new development activity

8. Topic Areas
• Topic Areas
  – Overview of Application Development
  – Overview of Secure Development
  – Defeating Platform Environment Restrictions
  – Installing Applications
  – Application Permissions Model
  – Local Storage
  – Encryption APIs
  – Network Communications
  – Protecting Network Communications
  – Native Code Execution
  – Application Licensing and Payments
  – Browser URL Handling

9. Generic Mobile Application Threat Model

10. Some Assumptions for Developers
• Smartphone applications are essentially thick-client applications
  – That people carry in their pockets
  – And drop in toilets
  – And put on eBay when the new iPhone comes out
  – And leave on airplanes
  – And so on…
• Attackers will be able to access:
  – Target user (victim) devices
  – Your application binaries
• What else should you assume they know or will find out?

11. Bypassing Platform Environment Restrictions
• Mobile platforms, by default, make certain promises about their environment
• Do not depend on these promises to keep your data and code safe
  – iPhone: devices can be jailbroken
  – Android: devices can be rooted
• Impact:
  – Install arbitrary applications
  – Run applications in a debugger
  – Bypass file access restrictions
• Malicious users will do this on purpose
  – Legitimate users might have it done without their knowledge

12. Application Permissions Model
• Mobile devices have access to all sorts of fun stuff:
  – GPS location, camera, microphone, emails, contacts, SMS, etc.
• How do you determine what an application can do?
  – iPhone: Prompts for access
  – Android: Permissions defined in the AndroidManifest.xml file
• As a developer you should (obviously) know what your application should be able to do
  – Beware 3rd party code included in your application

13. Local Storage and Encryption
• Best solution: Just do not store anything sensitive on the device
  – Force the user to log in for every usage – no storage of usernames and passwords
  – Do not cache sensitive data like account numbers, etc.
• But I really want to…
  – Encrypt the data, but…
  – Realize that key management issues make this a reasonably futile pursuit
• Example: iOS keyring
  – “Correct” way to store application secrets
  – http://www.sit.fraunhofer.de/en/forschungsbereiche/projekte/Lost_iPhone.jsp
  – Oops…
  – Android is even worse
• Hope on the horizon?
  – http://www.engadget.com/2011/02/02/android-3-0-honeycomb-can-encrypt-all-your-data-needs-a-full/

14. Network Communication and Encryption
• Data returned from calls to network endpoints should be treated as untrusted
  – Make sure to inform your static analysis tool…
• Mobile devices connect to a variety of networks
  – Carrier, trusted wifi, untrusted wifi, bluetooth
• Encrypt your network traffic
  – And verify server certificates…
  – (Android has a helper class that WORKS AROUND THIS PROTECTION)
    • SSLCertificateSocketFactory

15. Native Code Execution
• iOS: Objective C compiled down to ARM machine code
  – All native, all the time
• Android: Java compiled to DEX bytecode
  – Can make native calls via the Native Development Kit (NDK)
• Windows Phone 7:
  – No access to native code
  – Unless you are among a handful of ISVs like Adobe

16. Browser Behavior
• Many mobile applications are a combination of “apps” and web content
• Keep track of WebKit vulnerabilities:
  – http://www.webkit.org/
• Most mobile browsers aggressively cache and might ignore standard cache behavior

17. In-Depth: Mobile Browser Content Handling
• Many mobile platforms allow you to designate applications to handle content found in web pages
  – By URI protocol
  – By content type
• Provide a “premium” experience for users who have the target app installed
• Examples:
  – tel:// URLs initiating phone calls
  – maps:// URLs to display maps

18. iPhone/iPad URL Schemes
• iOS applications can be set up to “handle” certain URL schemes
• Defined in the application’s Info.plist
• Binary format: annoying

19. Decoding plist Files
• plutil -convert xml1 Info.plist
• Much nicer

20. iOS URL Handlers
• XPath: Look for: /plist/dict/array/dict[key='CFBundleURLSchemes']/array/string
• Now you know the URL Schemes the app handles
• SANS blog post on this issue in iOS:
  – http://software-security.sans.org/blog/2010/11/08/insecure-handling-url-schemes-apples-ios/?utm_source%253Drss%2526utm_medium%253Drss%2526utm_campaign%253Dinsecure-handling-url-schemes-apples-ios
  – Too long to type? http://bit.ly/ezqdK9
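An added example, not part of the slides: the XPath from slide 20 run with Python's ElementTree over the plutil XML output, beside a plistlib version that reads the binary Info.plist directly and so skips the conversion step of slide 19. The Info.plist content, bundle identifier and scheme names are constructed.

```python
import plistlib
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed Info.plist in the XML form produced by
# `plutil -convert xml1 Info.plist`; not from any real application.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.sampleapp</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key>
      <string>com.example.sampleapp.main</string>
      <key>CFBundleURLSchemes</key>
      <array>
        <string>sampleapp</string>
        <string>sampleapp-pay</string>
      </array>
    </dict>
    <dict>
      <key>CFBundleURLName</key>
      <string>com.example.sampleapp.legacy</string>
      <key>CFBundleURLSchemes</key>
      <array>
        <string>legacy</string>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""


def schemes_by_xpath(plist_xml: bytes) -> List[str]:
    """The slide's XPath, evaluated with ElementTree over plutil's XML output.

    ElementTree's root is <plist>, so the leading /plist becomes "." here.
    The [key='CFBundleURLSchemes'] predicate selects each URL-type <dict>
    that declares schemes; /array/string then yields the scheme strings.
    """
    root = ET.fromstring(plist_xml)
    path = "./dict/array/dict[key='CFBundleURLSchemes']/array/string"
    return [el.text for el in root.findall(path)]


def url_schemes(plist_bytes: bytes) -> Dict[str, List[str]]:
    """Return {CFBundleURLName: [schemes]} for every URL type declared.

    plistlib parses both the XML and the binary plist format, so this also
    works on an Info.plist taken straight out of an .app bundle, without
    running plutil first.
    """
    info = plistlib.loads(plist_bytes)
    result: Dict[str, List[str]] = {}
    for idx, url_type in enumerate(info.get("CFBundleURLTypes", [])):
        # CFBundleURLName is optional; fall back to the array position.
        name = url_type.get("CFBundleURLName", "<unnamed-%d>" % idx)
        result[name] = list(url_type.get("CFBundleURLSchemes", []))
    return result


def all_schemes(plist_bytes: bytes) -> List[str]:
    """Flat, sorted list of every scheme the app will answer to."""
    return sorted(s for schemes in url_schemes(plist_bytes).values() for s in schemes)


def as_binary_plist(plist_bytes: bytes) -> bytes:
    """Re-encode as a binary plist, mimicking what ships inside an .app bundle."""
    return plistlib.dumps(plistlib.loads(plist_bytes), fmt=plistlib.FMT_BINARY)
```

The XPath route only works on the XML form; url_schemes accepts either form, which is the quicker path when you are triaging many bundles.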
21. Android Intents
• Intents are facilities for late-binding messaging between applications
  – http://developer.android.com/guide/topics/intents/intents-filters.html
• One use is to allow applications to register to receive messages from the Browser when certain types of content are received
  – Like iOS URL Schemes but an even more comprehensive IPC mechanism

22. What’s Up With My XML Files?
• Binary encoding
• Use axml2xml.pl to convert them to text
  – http://code.google.com/p/android-random/downloads/detail?name=axml2xml.pl

23. Much Better
• Now we see:
  – Screens in application
  – Permissions required by the application
  – Intents the application is registered to consume
  – And so on

24. Intent Filter Example
  <intent-filter>
    <action android:name="android.intent.action.VIEW" />
    <category android:name="android.intent.category.DEFAULT" />
    <category android:name="android.intent.category.BROWSABLE" />
    <data android:scheme="danco" />
  </intent-filter>
• Action: What to do?
• Data: Scheme is URI “protocol” to handle
• Category BROWSABLE: Allow this Action to be initiated by the browser

25. Intent Filter Demo – Manual Launch, HTML Page

26. Intent Filter Demo – Anchor Launch, IFrame Launch

27. I’m a Security Tester. Why Do I Care?
• URL handlers are remotely-accessible attack surface
• This is a way for you to “reach out and touch” applications installed on a device if you can get a user to navigate to a malicious page
• Send in arbitrary URLs via links or (easier) embedded IFRAMEs
• Example: iOS Skype application used to automatically launch the Skype application and initiate a call when it encountered a skype:// URL
  – Apple’s native Phone handler for tel:// URLs would confirm before a call was made

28. I’m a Developer. Why Do I Care?
• See the previous slide. Bad guys care. So should you. Please.
• Content passed in via these handlers must be treated as untrusted
  – Positively validate
  – Enforce proper logic restrictions
• All:
  – Should a malicious web page be able to cause this behavior?
    • Make phone call, transmit location, take photo, start audio recording, etc.
• iOS:
  – Validate inputs to handleOpenURL: message
• Android:
  – Validate data brought in from Action.getIntent() method
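An added example covering slides 24 and 28 (not the presentation's own code): a Python script that parses a decoded AndroidManifest.xml, lists the intent filters a web page can reach because they carry the BROWSABLE category, and, as a triage heuristic for slide 28's question, pairs each browser-reachable scheme with the sensitive permissions the app holds. The manifest, activity names, schemes and the permission-to-behaviour table are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's Clark notation for android:* attributes
BROWSABLE = "android.intent.category.BROWSABLE"

# Permissions behind the behaviours slide 28 asks about (call, location,
# photo, audio). Constructed mapping for this example; extend as needed.
SENSITIVE_PERMISSIONS = {
    "android.permission.CALL_PHONE": "make phone call",
    "android.permission.ACCESS_FINE_LOCATION": "transmit location",
    "android.permission.CAMERA": "take photo",
    "android.permission.RECORD_AUDIO": "start audio recording",
}

# Constructed AndroidManifest.xml in decoded text form (what axml2xml.pl
# or a similar tool produces from the binary manifest); not a real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sampleapp">
  <uses-permission android:name="android.permission.CALL_PHONE" />
  <uses-permission android:name="android.permission.INTERNET" />
  <application android:label="Sample">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".DialerActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="danco" />
        <data android:scheme="danco-call" />
      </intent-filter>
    </activity>
    <activity android:name=".ExportActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <data android:scheme="internal" />
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def browsable_handlers(manifest_xml: str) -> List[Dict[str, object]]:
    """Return the activities a web page can launch through a URI scheme.

    A filter is browser-reachable only when it carries the BROWSABLE
    category; the scheme in each <data> element is the URI "protocol"
    a link or IFRAME on any page can point at. Filters without
    BROWSABLE (like .ExportActivity above) are still IPC surface, but
    not reachable from the browser, so they are not listed here.
    """
    root = ET.fromstring(manifest_xml)
    handlers = []
    for activity in root.iter("activity"):
        for flt in activity.findall("intent-filter"):
            categories = {c.get(A + "name") for c in flt.findall("category")}
            if BROWSABLE not in categories:
                continue
            schemes = [d.get(A + "scheme") for d in flt.findall("data")
                       if d.get(A + "scheme")]
            actions = [a.get(A + "name") for a in flt.findall("action")]
            handlers.append({"activity": activity.get(A + "name"),
                             "actions": actions, "schemes": schemes})
    return handlers


def declared_permissions(manifest_xml: str) -> List[str]:
    """Every <uses-permission> the app requests (slide 23's permissions list)."""
    root = ET.fromstring(manifest_xml)
    return [p.get(A + "name") for p in root.findall("uses-permission")]


def web_reachable_capabilities(manifest_xml: str) -> List[str]:
    """Triage heuristic for slide 28: which sensitive capabilities sit behind
    a browsable handler? Permissions are app-wide, so this flags what the
    handler *may* do; the handler's input validation decides whether it does.
    """
    handlers = browsable_handlers(manifest_xml)
    if not handlers:
        return []
    held = [p for p in declared_permissions(manifest_xml) if p in SENSITIVE_PERMISSIONS]
    findings = []
    for h in handlers:
        for scheme in h["schemes"]:
            for perm in held:
                findings.append("%s:// -> %s may %s (%s)" % (
                    scheme, h["activity"], SENSITIVE_PERMISSIONS[perm], perm))
    return findings
```

Each finding is a handler to review for the validation slide 28 calls for; an empty list means no browser-reachable scheme is backed by one of the listed permissions.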
29. So What Should Developers Do?
• Threat model your smartphone applications
  – More complicated architectures -> more opportunities for problems
• Watch what you store on the device
  – May have PCI, HIPAA implications
• Be careful consuming 3rd party services
  – Who do you love? Who do you trust?
• Be careful deploying enterprise web services
  – Very attractive target for bad guys
  – Often deployed “under the radar”

30. So What Should Security People Do?
• Find out about smartphone projects
  – Not always done by your usual development teams
  – R&D, “Office of the CTO,” Marketing
• Assess the security implications of smartphone applications
  – What data is stored on the device?
  – What services are you consuming?
  – Are new enterprise services being deployed to support the application?

31. Online
• Code, slides and videos online: www.smartphonesdumbapps.com

32. Questions?
Dan Cornell
dan@denimgroup.com
Twitter: @danielcornell
www.denimgroup.com
(210) 572-4400