How iOS and Android Handle Security
Dan Cornell
@danielcornell
Dan’s Background
• Founder and CTO of Denim Group
• Software developer by background
• OWASP San Antonio
Denim Group Company Background
• Professional services firm that builds & secures enterprise applications
• External application & network assessments
• Web, mobile, and cloud
• Software development lifecycle (SDLC) consulting
• Secure development services:
• Secure .NET and Java application development & remediation
• Classroom secure developer training for PCI compliance
• Develop ThreadFix
Overview
• Challenges of secure mobile development
• Areas of concern:
• Basics of (secure) application development
• Secure data storage
• Secure data communication
• Mobile browsers
• Handling SMS and push messaging
• Licensing and in-app payments
• Questions and Answers
Secure Mobile Application Development Reference
• Topics include:
• Overview of Application Development
• Overview of Secure Development
• Defeating Platform Environment Restrictions
• Installing Applications
• Application Permissions Model
• Local Storage
• Encryption APIs
• Network Communications
• Protecting Network Communications
• Application Licensing and Payments
• Mobile Browser
• Native Code Execution
• Browser URL Handling
• Mobile Application SMS/Push Update Handling
http://www.denimgroup.com/know_artic_secure_mobile_application_development_reference.html
Secure Mobile Application Development Reference
• For developers:
• Learn the security capabilities of your mobile development platform
• Get access to further learning resources
• For security professionals:
• Learn the security capabilities of the mobile development platform(s) your organization is targeting
http://www.denimgroup.com/know_artic_secure_mobile_application_development_reference.html
CHALLENGES OF SECURE MOBILE DEVELOPMENT
Mobile Application Threat Model
• More complicated than standard web application threat model
• Chess versus checkers
• Today we will focus on code running on the mobile device
Generic Mobile Application Threat Model
Typical Mobile Threats
• Spoofing: Users to the Mobile Application
• Spoofing: Web Services to Mobile Application
• Tampering: Mobile Application
• Tampering: Device Data Stores
• Disclosure: Device Data Stores or Residual Data
• Disclosure: Mobile Application to Web Service
• Denial of Service: Mobile Application
• Elevation of Privilege: Mobile Application or Web Services
[Diagram: generic mobile application threat model showing the User, Local App Storage, Mobile Application, Mobile Web Services, Device Keychain, and Main Site Pages]
AREAS OF CONCERN
Areas of Concern
• Basics of (Secure) Application Development
• Secure Data Storage
• Secure Data Communication
• Mobile Browsers
• Handling SMS and Push Messaging
• Licensing and In-App Payments
AREAS OF CONCERN: Basics of (Secure) Application Development
Basics of (Secure) Application Development
• Overview of Application Development
• Overview of Secure Development
• Defeating Platform Environmental Restrictions
• Installing Applications
• Application Permissions Model
• Native Code Execution
Overview of Application Development
iOS
• Objective-C is most common
• Swift for newer applications
• iOS Developer program allows installing and testing applications on developer phones
• Actual applications installed from iTunes Store
Android
• Typically written in Java
• Previously: Dalvik and DEX
• More recently: Android Runtime (ART)
• Applications installed from Android Play store or side-loaded via USB
Overview of Secure Development
iOS
• Apple provides Secure Coding Guide with both:
• General secure coding recommendations
• iOS-specific recommendations
Android
• Google provides a Google Group with secure Android coding recommendations
• Many 3rd party resources available as well
Defeating Platform Environmental Restrictions
iOS
• iOS devices can be “jailbroken”
• Allows access to the device as the root user
• Allows 3rd party applications to be installed
• Allows for use of alternate app stores
Android
• Android devices can be “rooted”
• Allows for root-level access to the device
• Allows for custom kernels on many devices
Installing Applications
iOS
• Non-jailbroken iOS devices:
• Apple iTunes Store
• Developers can install applications on a set of test devices
• Alternate app stores for jailbroken devices
Android
• Google Play store
• Side-loading applications
• For development/debugging
• For general usage
• Alternate app stores for rooted devices
Application Permissions Model
iOS
• App asks for relevant permission when needed
• Can allow or deny
• Can review permissions and which applications are requesting them
Android
• Baked into AndroidManifest.xml
• Fairly fine-grained
• But must be accepted wholesale
• Take a look at what apps from the app store ask for…
Native Code Execution
iOS
• Objective-C compiles to ARM machine code
• Objective-C not safe by nature (super)
• Swift offers much more protection
Android
• Dalvik/ART should provide memory safety
• Can run code via the Native Development Kit (NDK)
AREAS OF CONCERN: Secure Data Storage
Secure Data Storage
• Local Storage
• Encryption APIs
Local Storage
iOS
• iOS (since 3.0) provides AES-based full-disk encryption (hooray!)
• Based on a burned-in hardware UID (hrm…)
• iOS 8 added a 5 second hardware delay to passcode attempts for newer hardware (hooray!) and moved more data under default protection mechanisms
Android
• Uses Linux user/group permissions
• Android 5.0 allows for full-disk encryption based on PIN and password (hooray!)
• Also can have hardware-backed storage of the encryption key via Trusted Execution Environment (TEE)
Encryption APIs
iOS
• Provides access to a variety of certificate and key management functions
• iOS Keychain provides device-supported encryption capabilities
Android
• Now has Keystore system
• Allows for more secure storage of key materials to prevent unauthorized use
• Provides access to javax.crypto APIs
• Can also use 3rd party Java libraries for encryption
• Like BouncyCastle (be careful of vulnerable versions…)
AREAS OF CONCERN: Secure Data Communication
Secure Data Communication
• Network Communications
• Protecting Network Communications
Network Communications
iOS
• Provides access to BSD sockets
• Provides implementations of many higher-level protocols
Android
• Provides access to standard java.net.* classes
• Provides access to a number of Apache HTTP Utilities
• Provides some Android-specific classes for HTTP/S, SIP, and WiFi
Protecting Network Communications
iOS
• Provides implementations of common transport-layer security protocols
• Default settings are not terrible
Android
• Provides access to javax.net.ssl classes allowing for TLS network communications
• Be careful using android.net.SSLCertificateSocketFactory because it makes it easy to disable protections
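As an added example (not code from the slides or from Denim Group) of keeping the platform's TLS protections intact on Android, the class below opens an HTTPS connection without touching the trust store, protocol settings or hostname verifier, and lists in a comment the calls a reviewer should treat as findings because each one removes a protection. The endpoint URL and the `Accept` header are constructed for the example.

```java
// Added example (not from the slides): an HTTPS client that leaves the defaults alone.
import java.io.IOException;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;

public final class ApiClient {
    private static final int TIMEOUT_MS = 10_000;

    private ApiClient() {}

    // Only an https URL is accepted; anything else would put the request on the wire in clear.
    public static boolean isAcceptableEndpoint(URL url) {
        return url != null && "https".equalsIgnoreCase(url.getProtocol());
    }

    public static HttpsURLConnection open(URL url) throws IOException {
        if (!isAcceptableEndpoint(url)) {
            throw new IOException("refusing non-TLS endpoint: " + url);
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Deliberately nothing TLS-related is set here: the connection inherits the
        // system trust store, the platform's protocol/cipher defaults and the default
        // HostnameVerifier. Each of the following, when it shows up in review, removes
        // one of those protections and should be treated as a finding:
        //   - android.net.SSLCertificateSocketFactory.getInsecure(...) -> no chain validation
        //   - conn.setHostnameVerifier((host, session) -> true)        -> any cert for any host
        //   - a custom X509TrustManager whose checkServerTrusted() body is empty
        conn.setConnectTimeout(TIMEOUT_MS);
        conn.setReadTimeout(TIMEOUT_MS);
        conn.setRequestProperty("Accept", "application/json");
        return conn;
    }

    // Small wrapper so callers cannot forget to release the connection.
    public static int fetchStatus(URL url) throws IOException {
        HttpsURLConnection conn = open(url);
        try {
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }
}
```

A call such as `ApiClient.fetchStatus(new URL("https://api.example.test/health"))` (placeholder host) either completes a fully validated handshake or throws; there is no code path that downgrades validation to work around a certificate problem, which is exactly the path the insecure factory makes tempting.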
AREAS OF CONCERN: Mobile Browsers
Mobile Browsers
• Mobile Browser Basics
• Browser URL Handling
Mobile Browser Basics
iOS
• Mobile version of Safari browser that uses the WebKit HTML rendering engine
Android
• WebKit HTML rendering engine and a version of the Chrome V8 JavaScript engine
Browser URL Handling
iOS
• Allows applications to register to handle different URL schemes
• Apple applications are given precedence for the schemes they register for
• Developers should treat inputs as untrusted
Android
• Allows applications to register to handle events raised by the browser for different protocols
• Uses the Android “intent” facility to deliver
• Developers should treat inputs as untrusted
AREAS OF CONCERN: Handling SMS and Push Messaging
Handling SMS and Push Messages
iOS
• Allows applications to receive pushed notifications so that they can display a message or download new data
• Must treat inputs from push notifications as potentially malicious
Android
• Cloud to Device Messaging Framework (C2DM) has been deprecated and replaced by Google Cloud Messaging (GCM)
• Must treat inputs from push notifications as potentially malicious
AREAS OF CONCERN: Licensing and In-App Payments
Application Licensing and Payments
iOS
• In-App purchases allow you to sell items from within iOS applications
• StoreKit API allows for these capabilities
Android
• In-App purchases allow you to sell items from within Android applications
• Billing API proxies communications between your application and the relevant Google Play services
• Supports purchases, subscriptions and in-app products
So Where Do You Go From Here?
So What Should Security People Do?
• Understand the general mobile application threat model and any peculiarities of platforms your organization supports
• Work with developers to set architecture, design, and coding guidelines and standards
• Test the security of mobile application systems – the entirety of systems, not just code running on the device – taking into account the security characteristics of your target platform
So What Should Developers Do?
• Threat model your mobile application prior to development
• Learn the security properties and capabilities of the platform(s) you develop for
• Stay current as new security vulnerabilities and weaknesses are discovered and as new security capabilities are added to your target platform(s)
How Do iOS and Android Handle Security?
• Denim Group Secure Mobile Application Development Reference
• Overview of Application Development
• Overview of Secure Development
• Defeating Platform Environment Restrictions
• Installing Applications
• Application Permissions Model
• Local Storage
• Encryption APIs
• Network Communications
• Protecting Network Communications
• Application Licensing and Payments
• Mobile Browser
• Native Code Execution
• Browser URL Handling
• Mobile Application SMS/Push Update Handling
http://www.denimgroup.com/know_artic_secure_mobile_application_development_reference.html
QUESTIONS AND ANSWERS
Dan Cornell
@danielcornell

 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Denim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsDenim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Denim Group
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
AppSec in a World of Digital Transformation
 AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceDenim Group
 

Más de Denim Group (20)

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
 
Application Asset Management with ThreadFix
 Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
 AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 

Último

Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Nikki Chapple
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentMahmoud Rabie
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sectoritnewsafrica
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 

Último (20)

Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 

How iOS and Android Handle Security Webinar

  • 1. How iOS and Android Handle Security (Dan Cornell, @danielcornell)
  • 2. Dan’s Background
    • Founder and CTO of Denim Group
    • Software developer by background
    • OWASP San Antonio
  • 3. Denim Group Company Background
    • Professional services firm that builds & secures enterprise applications
    • External application & network assessments
      • Web, mobile, and cloud
    • Software development lifecycle development (SDLC) consulting
    • Secure development services:
      • Secure .NET and Java application development & remediation
      • Classroom secure developer training for PCI compliance
    • Develop ThreadFix
  • 4. Overview
    • Challenges of secure mobile development
    • Areas of concern:
      • Basics of (secure) application development
      • Secure data storage
      • Secure data communication
      • Mobile browsers
      • Handling SMS and push messaging
      • Licensing and in-app payments
    • Questions and Answers
  • 5. Secure Mobile Application Development Reference
    • Topics include:
      • Overview of Application Development
      • Overview of Secure Development
      • Defeating Platform Environment Restrictions
      • Installing Applications
      • Application Permissions Model
      • Local Storage
      • Encryption APIs
      • Network Communications
      • Protecting Network Communications
      • Application Licensing and Payments
      • Mobile Browser
      • Native Code Execution
      • Browser URL Handling
      • Mobile Application SMS/Push Update Handling
    http://www.denimgroup.com/know_artic_secure_mobile_application_development_reference.html
  • 6. Secure Mobile Application Development Reference
    • For developers:
      • Learn the security capabilities of your mobile development platform
      • Get access to further learning resources
    • For security professionals:
      • Learn the security capabilities of the mobile development platform(s) your organization is targeting
    http://www.denimgroup.com/know_artic_secure_mobile_application_development_reference.html
  • 7. CHALLENGES OF SECURE MOBILE DEVELOPMENT
    How iOS and Android Handle Security
  • 8. Mobile Application Threat Model
    • More complicated than standard web application threat model
    • Chess versus checkers
    • Today we will focus on code running on the mobile device
  • 9. Generic Mobile Application Threat Model
  • 10. Typical Mobile Threats
    • Spoofing: Users to the Mobile Application
    • Spoofing: Web Services to Mobile Application
    • Tampering: Mobile Application
    • Tampering: Device Data Stores
    • Disclosure: Device Data Stores or Residual Data
    • Disclosure: Mobile Application to Web Service
    • Denial of Service: Mobile Application
    • Elevation of Privilege: Mobile Application or Web Services
    (Diagram labels: User, Local App Storage, Mobile Application, Mobile Web Services, Device Keychain, Main Site Pages)
  • 11. AREAS OF CONCERN
    How iOS and Android Handle Security
  • 12. Areas of Concern
    • Basics of (Secure) Application Development
    • Secure Data Storage
    • Secure Data Communication
    • Mobile Browsers
    • Handling SMS and Push Messaging
    • Licensing and In-App Payments
  • 13. AREAS OF CONCERN: Basics of (Secure) Application Development
    How iOS and Android Handle Security
  • 14. Basics of (Secure) Application Development
    • Overview of Application Development
    • Overview of Secure Development
    • Defeating Platform Environmental Restrictions
    • Installing Applications
    • Application Permissions Model
    • Native Code Execution
  • 15. Overview of Application Development
    iOS
    • Objective-C is most common
    • Swift for newer applications
    • iOS Developer program allows installing and testing applications on developer phones
    • Actual applications installed from iTunes Store
    Android
    • Typically written in Java
      • Previously: Dalvik and DEX
      • More recently: Android Runtime (ART)
    • Applications installed from Android Play store or side-loaded via USB
  • 16. Overview of Secure Development
    iOS
    • Apple provides Secure Coding Guide with both:
      • General secure coding recommendations
      • iOS-specific recommendations
    Android
    • Google provides a Google Group with secure Android coding recommendations
    • Many 3rd party resources available as well
  • 17. Defeating Platform Environmental Restrictions
    iOS
    • iOS devices can be “jailbroken”
      • Allows access to the device as the root user
      • Allows 3rd party applications to be loaded and installed
      • Allows for use of alternate app stores
    Android
    • Android devices can be “rooted”
      • Allows for root-level access to the device
      • Allows for custom kernels on many devices
  • 18. Installing Applications
    iOS
    • Non-jailbroken iOS devices:
      • Apple iTunes Store
      • Developers can install applications on a set of test devices
    • Alternate app stores for jailbroken devices
    Android
    • Google Play store
    • Side-loading applications
      • For development/debugging
      • For general usage
    • Alternate app stores for rooted devices
  • 19. Application Permissions Model
    iOS
    • App asks for relevant permission when needed
      • Can allow or deny
    • Can review permissions and which applications are requesting them
    Android
    • Baked into AndroidManifest.xml
    • Fairly fine-grained
      • But must be accepted wholesale
    • Take a look at what apps from the app store ask for…
  • 20. Native Code Execution
    iOS
    • Objective-C compiles to ARM machine code
    • Objective-C not safe by nature (super)
    • Swift offers much more protection
    Android
    • Dalvik/ART should provide memory safety
    • Can run code via the Native Development Kit (NDK)
  • 21. AREAS OF CONCERN: Secure Data Storage
    How iOS and Android Handle Security
  • 22. Secure Data Storage
    • Local Storage
    • Encryption APIs
  • 23. Local Storage
    iOS
    • iOS (since 3.0) provides AES-based full-disk encryption (hooray!)
      • Based on a burned-in hardware UID (hrm…)
    • iOS 8 added a 5 second hardware delay to passcode attempts for newer hardware (hooray!) and moved more data under default protection mechanisms
    Android
    • Uses Linux user/group permissions
    • Android 5.0 allows for full-disk encryption based on PIN and password (hooray!)
      • Also can have hardware-backed storage of the encryption key via Trusted Execution Environment (TEE)
  • 24. Encryption APIs
    iOS
    • Provides access to a variety of certificate and key management functions
    • iOS Keychain provides device-supported encryption capabilities
    Android
    • Now has Keystore system
      • Allows for more secure storage of key materials to prevent unauthorized use
    • Provides access to javax.crypto APIs
    • Can also use 3rd party Java libraries for encryption
      • Like BouncyCastle (be careful of vulnerable versions…)
  • 25. AREAS OF CONCERN: Secure Data Communication
    How iOS and Android Handle Security
  • 26. Secure Data Communication
    • Network Communications
    • Protecting Network Communications
  • 27. Network Communications
    iOS
    • Provides access to BSD sockets
    • Provides implementations of many higher-level protocols
    Android
    • Provides access to standard java.net.* classes
    • Provides access to a number of Apache HTTP Utilities
    • Provides some Android-specific classes for HTTP/S, SIP, and WiFi
  • 28. Protecting Network Communications
    iOS
    • Provides implementations of common transport-layer security protocols
    • Default settings are not terrible
    Android
    • Provides access to javax.net.ssl classes allowing for TLS network communications
    • Be careful using android.net.SSLCertificateSocketFactory because it makes it easy to disable protections
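Slide 28 warns that android.net.SSLCertificateSocketFactory makes it easy to disable protections. As an added example, not code from the webinar or from the Denim Group reference, the Java helper below opens a TLS socket using only the javax.net.ssl classes the slide points to, with certificate-chain validation and an explicit hostname check; the host and port passed in are assumed to come from the app's own configuration.

```java
import java.io.IOException;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example (not from the Denim Group reference): a TLS socket on Android
 * that keeps both protections the slide is about.
 *
 * Two things this deliberately does NOT do, because they are the easy ways to
 * lose protection after debugging against a test server:
 *   - SSLCertificateSocketFactory.getInsecure(...) returns a factory that
 *     accepts any certificate chain;
 *   - SSLCertificateSocketFactory.createSocket(InetAddress, int) performs no
 *     hostname verification, so a valid certificate for any name is accepted.
 */
public final class TlsClient {
    private TlsClient() {}

    /** Connects, handshakes, and returns the socket only if the peer certificate matches host. */
    static SSLSocket connect(String host, int port) throws IOException {
        // The default factory validates the chain against the device trust store.
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // Connect by hostname, not by a resolved InetAddress, so the session
        // carries the peer host for the verifier below.
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            socket.startHandshake(); // throws SSLHandshakeException on an untrusted chain

            // A bare SSLSocket does not check that the certificate names the host
            // we intended; reuse the HTTPS verifier rather than writing a new one.
            HostnameVerifier verifier = HttpsURLConnection.getDefaultHostnameVerifier();
            if (!verifier.verify(host, socket.getSession())) {
                throw new SSLPeerUnverifiedException("certificate does not match host " + host);
            }
            return socket;
        } catch (IOException e) {
            socket.close(); // never hand back a half-verified connection
            throw e;
        }
    }
}
```

For plain HTTPS, HttpsURLConnection already performs both checks; the explicit verifier call only matters when the app works at the socket level, as slide 27's BSD-socket and java.net.* options allow.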
  • 29. AREAS OF CONCERN: Mobile Browsers
    How iOS and Android Handle Security
  • 30. Mobile Browsers
    • Mobile Browser Basics
    • Browser URL Handling
  • 31. Mobile Browser Basics
    iOS
    • Mobile version of Safari browser that uses the WebKit HTML rendering engine
    Android
    • WebKit HTML rendering engine and a version of the Chrome V8 JavaScript engine
  • 32. Browser URL Handling
    iOS
    • Allows applications to register to handle different URL schemes
    • Apple applications are given precedence for the schemes they register for
    • Developers should treat inputs as untrusted
    Android
    • Allows applications to register to handle events raised by the browser for different protocols
      • Uses the Android “intent” facility to deliver
    • Developers should treat inputs as untrusted
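Slide 32 says an app that registers a URL scheme must treat what the browser hands it as untrusted. As an added example, not code from the webinar or from the Denim Group reference, the Java helper below is the allow-list check an Android Activity can run on getIntent().getData() before acting on the delivered intent; the scheme, host names and parameter name are constructed for the example.

```java
import android.net.Uri;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example (not from the Denim Group reference): validating a URL delivered
 * through an intent before the app acts on it. Everything in the Uri was chosen
 * by whoever authored the link, so the policy is "accept only what we expect".
 */
public final class DeepLinkPolicy {
    static final String SCHEME = "exampleapp";                       // constructed custom scheme
    static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("open-item", "share"));      // constructed "actions"
    private static final int MAX_ID_LEN = 32;

    private DeepLinkPolicy() {}

    /**
     * Returns the item id the link asks the app to open, or null when the link
     * must be ignored. Null means "do nothing", never "fall back to a default".
     */
    static String itemIdFor(Uri raw) {
        if (raw == null) return null;
        Uri uri = raw.normalizeScheme();                 // "ExampleApp://" -> "exampleapp://"
        if (uri.isOpaque()) return null;                 // "exampleapp:payload" has no host/query to check
        if (!SCHEME.equals(uri.getScheme())) return null;
        if (!ALLOWED_HOSTS.contains(uri.getHost())) return null;     // getHost() may be null; contains(null) is false
        if (uri.getPort() != -1 || uri.getUserInfo() != null) return null; // nothing legitimate uses these here

        String id = uri.getQueryParameter("id");         // constructed parameter name
        if (id == null || id.isEmpty() || id.length() > MAX_ID_LEN) return null;
        for (int i = 0; i < id.length(); i++) {
            char c = id.charAt(i);
            boolean ok = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z')
                    || (c >= 'A' && c <= 'Z') || c == '-';
            if (!ok) return null;                        // reject path separators, quotes, spaces, etc.
        }
        return id;
    }

    // In the receiving Activity's onCreate():
    //   String id = DeepLinkPolicy.itemIdFor(getIntent().getData());
    //   if (id == null) { finish(); return; }
    //   ...look the item up by id; never load a URL or file path taken from the link.
}
```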
  • 33. AREAS OF CONCERN: Handling SMS and Push Messaging
    How iOS and Android Handle Security
  • 34. Handling SMS and Push Messages
    iOS
    • Allows applications to receive pushed notifications so that they can display a message or download new data
    • Must treat inputs from push notifications as potentially malicious
    Android
    • Cloud to Device Messaging Framework (C2DM) has been deprecated and replaced by Google Cloud Messaging (GCM)
    • Must treat inputs from push notifications as potentially malicious
  • 35. AREAS OF CONCERN: Licensing and In-App Payments
    How iOS and Android Handle Security
  • 36. Application Licensing and Payments
    iOS
    • In-App purchases allow you to sell items from within iOS applications
    • StoreKit API allows for these capabilities
    Android
    • In-App purchases allow you to sell items from within Android applications
    • Billing API proxies communications between your application and the relevant Google Play services
      • Supports purchases, subscriptions and in-app products
  • 37. So Where Do You Go From Here?
  • 38. So What Should Security People Do?
    • Understand the general mobile application threat model and any peculiarities of platforms your organization supports
    • Work with developers to set architecture, design, and coding guidelines and standards
    • Test the securing of mobile application systems – the entirety of systems, not just code running on the device – taking into account the security characteristics of your target platform
  • 39. So What Should Developers Do?
    • Threat model your mobile application prior to development
    • Learn the security properties and capabilities of the platform(s) you develop for
    • Stay current as new security vulnerabilities and weaknesses are discovered and as new security capabilities are added to your target platform(s)
  • 40. How Do iOS and Android Handle Security?
    • Denim Group Secure Mobile Application Development Reference
      • Overview of Application Development
      • Overview of Secure Development
      • Defeating Platform Environment Restrictions
      • Installing Applications
      • Application Permissions Model
      • Local Storage
      • Encryption APIs
      • Network Communications
      • Protecting Network Communications
      • Application Licensing and Payments
      • Mobile Browser
      • Native Code Execution
      • Browser URL Handling
      • Mobile Application SMS/Push Update Handling
    http://www.denimgroup.com/know_artic_secure_mobile_application_development_reference.html
  • 41. QUESTIONS AND ANSWERS
    How iOS and Android Handle Security
    Dan Cornell, @danielcornell

Editor's notes

  1. -Will look at the capabilities of the two platforms, as well as how those capabilities are implemented
  2. -My background is as a developer so when I look at the different mobile application platforms I want to know what their capabilities are, as well as how those capabilities are implemented so development teams know how to best use them
  3. -Have done a tremendous amount of mobile testing for our clients, including Fortune 500 and sensitive -Have assessed MDM systems -And made recommendations to sensitive .gov and .mil clients surrounding application testing -Also do secure mobile development and secure mobile application remediation -Can also use ThreadFix to keep track of your mobile application security program
  4. -Looking at two mobile environments: iOS and Android -Those are the most dominant. We also do work with Windows Mobile, Blackberry, etc – but the majority of the work we do is for iOS and Android -Story: “We should only develop for Blackberry because of the way they handle ephemeral crypto keys” BUT only 10% of their users were on Blackberry and that number was declining
  5. -This webinar is actually a concentrated version of Denim Group’s Secure Mobile Application Development Reference (available for download) -That guide has a more in-depth look at the topic as well as links to supporting resources
  6. -This webinar is actually a concentrated version of Denim Group’s Secure Mobile Application Development Reference (available for download) -That guide has a more in-depth look at the topic as well as links to supporting resources
  7. With apologies to folks with Windows Mobile, Blackberry, Tizen…
  8. -Hopefully most developers have a feel for the standard web application Threat Model (not really, but we can hope) -Smartphone applications have a different Threat Model and this has a huge impact on the security of the systems being created around them -Smartphone applications run on a device that can’t be trusted – it might have been jailbroken/rooted, it might have been stolen, code might be running in a debugger. Much like Rich Internet Applications (RIA), more code and data is running in an untrusted and unreliable environment -Also we’re talking about “interesting” smartphone applications. Not “make fart noise” or “shake the phone to throw the monkey” applications. Instead we are talking about applications that use the capabilities of the device – GPS, camera, ability to make calls – and combine those capabilities with network services to do something cool and valuable -3rd party web services are often in use and their output should not be trusted -Enterprise services are often used for access to customer or transaction data and these will need to be protected -So smartphone application security isn’t just about the application on the smartphone, it is about the entire system that supports the smartphone application
  9. -Hopefully most developers have a feel for the standard web application Threat Model (not really, but we can hope) -Smartphone applications have a different Threat Model and this has a huge impact on the security of the systems being created around them -Smartphone applications run on a device that can’t be trusted – it might have been jailbroken/rooted, it might have been stolen, code might be running in a debugger. Much like Rich Internet Applications (RIA), more code and data is running in an untrusted and unreliable environment -Also we’re talking about “interesting” smartphone applications. Not “make fart noise” or “shake the phone to throw the monkey” applications. Instead we are talking about applications that use the capabilities of the device – GPS, camera, ability to make calls – and combine those capabilities with network services to do something cool and valuable -3rd party web services are often in use and their output should not be trusted -Enterprise services are often used for access to customer or transaction data and these will need to be protected -So smartphone application security isn’t just about the application on the smartphone, it is about the entire system that supports the smartphone application
  10. So let’s drill in and look at different areas of concern, and how iOS and Android treat these areas. There are both similarities and differences, and if developers want to build secure applications they need to understand these fo
  11. So what are the basics of developing applications, and what resources are available for developers who want to build secure applications?
  12. -Most corporate environments will rely on users using the most basic installation cases – iTunes Store and Apple Play store -Other folks may have different use cases
  13. -This webinar is actually a concentrated version of Denim Group’s Secure Mobile Application Development Reference (available for download) -That guide has a more in-depth look at the topic as well as links to supporting resources