IM IN UR CODEZ
Securing Mobile Apps
Sunday, 2 October 11
Hello!
My name’s Nick.
I work for Mobile Interactive Group
We’re going to talk about app security
...also cats
What this session is about...
Mobile application security
Developing apps defensively
...and what it’s not about
User-based vulnerabilities (tap-jacking, etc)
Mobile web security
Mobile Apps
Mobile Web
Hardcoded passwords
SQL injection
In-app XSS
Insecure Data Transmission
Buffer overflows
Storing user data
Data leakage
API impersonation
Remote code execution
Web & Apps have similar problems...
...they just appear in different places
A fact (or two)
Your app will be reverse engineered
It’s only a matter of time
Obfuscation is not a be-all/end-all: it raises the cost of reading your code, but anything the app itself must know (a key, a password, an endpoint) is still in the binary, and in memory once the app runs
You might think (comparatively) that your mobile platform is not compromised...
...but how many rooted/jailbroken phones are out there?
Assume your platform is compromised, and your app will be reverse engineered
You must therefore strongly protect your APIs and supporting application servers
Let’s look at three of the most common issues with apps
Two of these relate to API/server issues
...but first...
We’re all pretty smart developers
(...hopefully!)
The chasm of misfortune
Your Goals -> Your App
We are all cats - we have good intentions...
...and sometimes can’t foresee the consequences
Your Goals -> Your App (and where it goes wrong)
Remembering users -> Banking app: storing credentials insecurely
Using an API -> Blogging app: not using SSL
Uploading content -> UGC app: hardcoding your API keys
Keys and Secrets
“API keys must be protected just like passwords. This means they should not be [...] baked into non-obfuscated applications that can be analysed relatively easily”
Cloud Security Alliance, April 18 2011
(...assume this means all mobile apps)
1 Keys and Secrets 2 leaking information 3 storing details
Demo time
Major paid-for API
About 1,000,000 downloads
...let’s take a look!
Demo time
User: iPhone
Password: PnkFdrYRh75N
(found hard-coded in the app)
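What the demo above amounts to, and why slide 7’s “your app will be reverse engineered” is not a threat but a schedule: the following is an added example, not code from the OTA11 deck. It does what an attacker does to a downloaded app in the first five minutes, a strings(1)-style sweep plus a few key-format regexes and an entropy check, over SAMPLE_BINARY, a constructed byte blob standing in for an unpacked .ipa/.apk. The host name, the Basic-auth credentials and the “secret” in it are made up, and the AKIA.../wJalr... strings are the placeholder keys from AWS’s own documentation, not live credentials.

```python
"""Pulling baked-in secrets out of an app binary, the way a reverse engineer does.

Added example, not code from the OTA11 deck.  SAMPLE_BINARY is a constructed
stand-in for an unpacked .ipa/.apk; every credential in it is made up or an
AWS documentation placeholder.
"""
import base64
import math
import re
from collections import Counter

# Constructed stand-in for a compiled app: machine-code noise plus the literal
# strings a developer leaves behind.  On a real target: `strings app | less`.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe\x07\x00\x00\x01\x03\x00\x00\x80" * 4          # header-ish bytes
    + b"This app requires a network connection\x00"                  # harmless UI text
    + b"https://api.example-maps.test/v2/tiles\x00"                  # assumed endpoint
    + b"Authorization\x00"
    + b"Basic " + base64.b64encode(b"iphone_app:s3cr3t-Example") + b"\x00"   # constructed
    + b"\x55\x48\x89\xe5\x48\x83\xec\x10" * 6                        # code bytes
    + b"AKIAIOSFODNN7EXAMPLE\x00"                                    # AWS doc example key id
    + b"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"                # AWS doc example secret
    + b"Loading...\x00OK\x00Cancel\x00"
)


def printable_strings(blob: bytes, min_len: int = 8):
    """Same idea as strings(1): runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking keys score high, prose scores low."""
    counts = Counter(text)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


# Formats worth flagging outright (extend with the providers your app uses).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "basic_auth_header": re.compile(r"\bBasic ([A-Za-z0-9+/=]{8,})"),
    "url": re.compile(r"https?://[^\s]+"),
}


def find_secrets(blob: bytes, entropy_threshold: float = 4.0):
    """Return a list of {'kind', 'value'[, 'decoded']} findings for blob."""
    findings = []
    for text in printable_strings(blob):
        for kind, regex in PATTERNS.items():
            match = regex.search(text)
            if not match:
                continue
            value = match.group(1) if match.groups() else match.group()
            finding = {"kind": kind, "value": value}
            if kind == "basic_auth_header":
                # Base64 is an encoding, not encryption: decode it on the spot.
                try:
                    finding["decoded"] = base64.b64decode(value).decode("utf-8", "replace")
                except ValueError:
                    pass
            findings.append(finding)
            break
        else:
            # No known format: a long, space-free, high-entropy run is probably
            # a key or token even without a regex for its provider.
            if len(text) >= 20 and " " not in text and shannon_entropy(text) >= entropy_threshold:
                findings.append({"kind": "high_entropy", "value": text})
    return findings


if __name__ == "__main__":
    for f in find_secrets(SAMPLE_BINARY):
        extra = f"  -> {f['decoded']}" if "decoded" in f else ""
        print(f"{f['kind']:18} {f['value']}{extra}")
```

Run it and the four interesting strings come out: the endpoint, the Basic-auth header decoded back to user:password, the key id by format, and the secret by entropy alone; the UI text is skipped. Base64, XOR with a fixed byte, or splitting a key across two string constants only changes which of these passes finds it.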
Consequences
The bad
A competing app uses your API key to exceed your rate limits
Your users get frustrated and leave
The ugly
Somebody pulls your S3 secret key and charges £££ to your account
This API is now compromised
I can use it in my own apps without paying the license fee
Because it’s hard-coded in the app it can’t be revoked without breaking every installed copy until users update
Prevention
Use an alternative method to authenticate
Facebook, Amazon, and other large providers provide these: per-user tokens (OAuth-style) and short-lived temporary credentials, so nothing long-lived ships in the binary
Don’t trust key verification
If you have an API that uses a key, don’t assume you can trust the user: a key only shows which app was shipped, and anyone who has extracted it can present it
Think permissions
If you do have to use keys, limit the damage that can be done with them: scope them to the minimum, and rate-limit per user or install rather than per app
Have a plan
...think about the inevitable. What happens if your API key is outed? Can you rotate it without breaking the app?
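The four Prevention points above, put together on the server side as one design: the app ships no long-lived secret at all; after the server has authenticated the user or install it issues a token that names who is calling, what they may do (permissions) and until when, and the server can revoke one token without touching anyone else or shipping an update (the plan). This is an added example, not code from the deck or from any provider it names. SERVER_SECRET, the subject ids, scopes and limits are constructed, and the token format (base64url JSON payload, a dot, an HMAC-SHA256 tag) is a minimal illustration rather than a standard such as JWT, though the ideas carry over.

```python
"""Replacing a shipped API key with server-issued, scoped, short-lived tokens.

Added example, not code from the deck.  Everything below runs on the server;
the app only ever holds the token string it is given.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from collections import defaultdict

# Lives only on the server.  The app never sees it, so extracting the app
# yields nothing that can mint or forge tokens.
SERVER_SECRET = b"constructed-server-only-secret-never-shipped"
TOKEN_TTL = 900                  # seconds: a leaked token is useful for 15 minutes
RATE_LIMIT_PER_MINUTE = 60

revoked_token_ids = set()                # server-side revocation list
requests_this_minute = defaultdict(int)  # per subject (user/install), not per app key;
                                         # resetting it each minute is left to a timer


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_payload(payload: dict) -> str:
    return b64url_encode(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())


def decode_payload(token_or_body: str) -> dict:
    return json.loads(b64url_decode(token_or_body.split(".", 1)[0]))


def sign(body: str) -> str:
    return b64url_encode(hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest())


def issue_token(subject: str, scopes: list, now: float = None) -> str:
    """Called only after the server has authenticated the user or install.
    The token says who is calling, what they may do, and until when."""
    now = time.time() if now is None else now
    body = encode_payload({"sub": subject, "scope": sorted(scopes),
                           "exp": int(now) + TOKEN_TTL, "jti": secrets.token_hex(8)})
    return body + "." + sign(body)


def verify_token(token: str, now: float = None):
    """Returns (payload, 'ok') for a live, untampered token, else (None, reason)."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        return None, "malformed"
    if not hmac.compare_digest(tag.encode(), sign(body).encode()):
        return None, "bad signature"
    payload = decode_payload(body)       # signature checked, so this is our own payload
    if payload["exp"] <= now:
        return None, "expired"
    if payload["jti"] in revoked_token_ids:
        return None, "revoked"
    return payload, "ok"


def revoke(token: str) -> None:
    """Kill one leaked token by id: no other user is affected and no app update
    is needed, unlike rotating a key baked into the binary."""
    revoked_token_ids.add(decode_payload(token)["jti"])


def authorize(token: str, required_scope: str, now: float = None):
    """Gate for every API call: valid token, sufficient scope, under the limit."""
    payload, reason = verify_token(token, now)
    if payload is None:
        return False, reason
    if required_scope not in payload["scope"]:
        return False, "insufficient scope"
    requests_this_minute[payload["sub"]] += 1
    if requests_this_minute[payload["sub"]] > RATE_LIMIT_PER_MINUTE:
        return False, "rate limited"
    return True, "ok"


if __name__ == "__main__":
    t = time.time()
    tok = issue_token("user-42", ["read"], now=t)
    print("read  :", authorize(tok, "read", now=t))
    print("write :", authorize(tok, "write", now=t))
    revoke(tok)
    print("after revoke:", authorize(tok, "read", now=t))
```

The point of the layout: a competitor who lifts a token from one phone gets fifteen minutes of one user’s read-only quota, not your whole API; editing the payload to add a scope fails the HMAC check because the signing secret never left the server; and the rate limit bites the subject who is abusing it rather than every legitimate user sharing one app-wide key.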
Leaking Information
This shouldn’t need a slide
If you’re sending passwords in the clear, leave the room
...no, wait - come back! I forgive you!
People share passwords. All the time.
My Tumblr password might be my Facebook password
Specific shaming:
...but not the app!
“But Nick, everyone knows SSL/TLS is totally broken!”
“It’s the user’s fault for connecting to an insecure network”
“It’s too much effort / time-consuming to implement”
“My app isn’t important enough for this to be a problem”
Not using TLS is like leaving your house unlocked
Nobody is saying locks are going to stop you from getting burgled...
...but not locking your door is stupid.
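Locking the door, concretely, and the excuse from the previous slide that TLS is “too much effort”: an added example, not code from the deck, showing the client-side TLS configuration that actually counts as locked, the “accept anything” configuration that ships when a developer silences a certificate error in testing, and an audit function that tells them apart. Nothing here opens a connection: the contexts are built and inspected offline, and post_login() exists only to make the point that credentials go through a verified channel or not at all. The URLs are placeholders.

```python
"""Client-side TLS done right, and a check that catches the 'accept anything' shortcut.

Added example, not code from the deck.  Python's ssl module stands in for the
platform's HTTPS stack; the mistakes are the same on every platform.
"""
import ssl
import urllib.parse
import urllib.request


def secure_client_context() -> ssl.SSLContext:
    """What 'use TLS' has to mean: chain verified against the trust store,
    host name checked, nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def accept_anything_context() -> ssl.SSLContext:
    """The fix that 'made the certificate error go away' in testing and shipped.
    Anyone on the same Wi-Fi can present their own certificate and read every
    password sent through it; the padlock means nothing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Findings a reviewer would raise about a context; an empty list is a pass."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("host name not checked: a valid certificate for any site is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    return findings


def post_login(url: str, username: str, password: str, ctx: ssl.SSLContext = None) -> int:
    """Send credentials only over https, and only with a context that passes the audit."""
    if urllib.parse.urlsplit(url).scheme != "https":
        raise ValueError("refusing to send credentials over plain HTTP")
    ctx = ctx or secure_client_context()
    problems = audit_context(ctx)
    if problems:
        raise ValueError("insecure TLS context: " + "; ".join(problems))
    form = urllib.parse.urlencode({"username": username, "password": password}).encode()
    request = urllib.request.Request(url, data=form, method="POST")
    with urllib.request.urlopen(request, context=ctx, timeout=10) as response:
        return response.status


if __name__ == "__main__":
    print("secure  :", audit_context(secure_client_context()) or "no findings")
    print("insecure:", audit_context(accept_anything_context()))
```

The mobile equivalents of accept_anything_context() are a connection delegate that trusts every server certificate, or a custom trust manager whose server-check method is empty; both pass a lab test against a self-signed server and hand the user’s password to whoever sits between the phone and the API.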
Storing Details
Very popular!
Username and password in plain text!
According to ViaForensics, June 2011
Obvious information
Passwords, usernames
Account numbers, etc
Overlooked information
Location information
Personal information (date of birth, address,
Consequences
The bad
You get some bad PR
People laugh at you as you walk down the street
The ugly
You store passwords or account information unencrypted
This compromises your app, and users’ information is leaked
You are fined by the ICO (the UK Information Commissioner’s Office)
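One answer to both halves of the Storing Details section, the plaintext passwords ViaForensics found on devices and the unencrypted account store that earns the ICO fine: an added example, not code from the deck or from ViaForensics. The server keeps only a salted scrypt hash of each password; the phone keeps only a random session token the server can forget; the password itself is never written anywhere, so neither a dumped handset nor a dumped database gives it up. User names, passwords and the scrypt cost settings are constructed, and DeviceStore stands in for the app’s plist/SQLite/preferences file (on a real device the token belongs in the platform keychain or keystore).

```python
"""Storing credentials: what the server keeps, what the device keeps.

Added example, not code from the deck.  All names and passwords are constructed.
"""
import hashlib
import hmac
import secrets

SCRYPT_COST = {"n": 2 ** 14, "r": 8, "p": 1}   # constructed; tune to your servers


def hash_password(password: str, salt: bytes = None) -> dict:
    """Salted, memory-hard hash.  Storing this instead of the password means a
    database dump costs the attacker a brute force per account, not a read."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_COST)
    return {"salt": salt, "hash": digest}


def check_password(password: str, record: dict) -> bool:
    digest = hashlib.scrypt(password.encode("utf-8"), salt=record["salt"], dklen=32, **SCRYPT_COST)
    return hmac.compare_digest(digest, record["hash"])   # constant-time compare


# Hashed once so a login for an unknown user costs the same as a wrong password.
DUMMY_RECORD = hash_password("not-a-real-password")


class Server:
    def __init__(self):
        self.users = {}      # username -> {"salt", "hash"}
        self.sessions = {}   # sha256(token) -> username; a DB dump leaks no usable tokens

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str):
        """Returns a fresh session token, or None.  The password is used once,
        here, and never stored."""
        record = self.users.get(username)
        ok = check_password(password, record if record is not None else DUMMY_RECORD)
        if record is None or not ok:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[hashlib.sha256(token.encode()).digest()] = username
        return token

    def whoami(self, token: str):
        return self.sessions.get(hashlib.sha256(token.encode()).digest())

    def logout(self, token: str) -> None:
        """Revocation: the server forgets the token, so a phone that is lost or
        imaged later hands an attacker nothing that still works."""
        self.sessions.pop(hashlib.sha256(token.encode()).digest(), None)


class DeviceStore:
    """Stand-in for on-device storage.  dump() is what a forensic tool sees."""
    def __init__(self):
        self.data = {}

    def dump(self) -> str:
        return repr(self.data)


def app_login(server: Server, store: DeviceStore, username: str, password: str) -> bool:
    """The app's login: exchange the password for a token, keep only the token."""
    token = server.login(username, password)
    if token is None:
        return False
    store.data["username"] = username
    store.data["session"] = token       # the token, never the password
    return True


if __name__ == "__main__":
    srv, phone = Server(), DeviceStore()
    srv.register("alice", "correct horse battery staple")
    print("login  :", app_login(srv, phone, "alice", "correct horse battery staple"))
    print("on disk:", phone.dump())                 # no password in sight
    print("user   :", srv.whoami(phone.data["session"]))
```

“Remembering users” (the banking-app goal from the chasm-of-misfortune slide) is satisfied: the app stays logged in across launches because it holds a token, and the worst a plaintext dump of that store yields is one revocable session rather than a password the user also uses for their e-mail.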
In Summary
...we’re all smart developers...
(remember this bit? from earlier on?)
...but so are the...
Bank of America, Citibank, National Rail Enquiries, Tumblr, AOL, Bump, Flirtomatic, Foursquare, Groupon, LinkedIn, Mint, Skype, Wells Fargo, WordPress, Match.com, Yahoo! Messenger, and many many more...
...developers.
Nobody is perfect, no app is truly secure
(including me!)
Remember the cat*
*unlike the cat, your app will not survive a fall from height
Thanks :)
nick.shearer@migcan.com
(I don’t tweet - booo!)
Slides will be available on the OTA site soon!
Mobile Apps Security: OTA11

  • 9. You must therefore strongly protect your APIs and supporting application servers. Let's look at three of the most common issues with apps; two of these relate to API/server issues. (Sunday, 2 October 11)
  • 11. We're all pretty smart developers (...hopefully!)
  • 12. The chasm of misfortune (diagram: Your Goals vs Your App). We are all cats: we have good intentions... ...and sometimes can't foresee the consequences.
  • 13. The chasm between Your Goals and Your App. Goals: remembering users (Banking App); using an API (Blogging App); uploading content (UGC App). What the app ends up doing: storing credentials insecurely; not using SSL; hardcoding your API keys; ?
  • 14. Keys and Secrets
  • 15. "API keys must be protected just like passwords. This means they should not be [...] baked into non-obfuscated applications that can be analysed relatively easily" (Cloud Security Alliance, April 18 2011). ...assume this means all mobile apps. (1 Keys and Secrets | 2 leaking information | 3 storing details)
  • 16. Demo time: a major paid-for API, about 1,000,000 downloads ...let's take a look!
  • 17. Demo time. User: iPhone Password: PnkFdrYRh75N
  • 18. Consequences. The bad: a competing app uses your API key to exceed your rate limits; your users get frustrated and leave. The ugly: somebody pulls your S3 secret key and charges £££ to your account.
  • 19. This API is now compromised. I can use it in my own apps without paying the license fee. Because it's hard-coded in the app it can't be revoked.
  • 21. Prevention.
        Use an alternative method to authenticate: Facebook, Amazon, and other large providers provide these.
        Don't trust key verification: if you have an API that uses a key, don't assume you can trust the user.
        Think permissions: if you do have to use keys, limit the damage that can be done with them.
        Have a plan: ...think about the inevitable. What happens if your API is outed?
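As an added example (not code from the talk or from Mobile Interactive Group), here is one server-side shape the "think permissions" and "have a plan" advice can take: the app never carries the master secret; it logs the user in to your own server, which hands back a short-lived token bound to that user and a permission set, signed with a server key identified by a key id so it can be rotated or retired if leaked. The key ids, claim names and lifetimes are assumptions chosen for illustration; a real deployment would use a proper secret store and a vetted token library rather than hand-rolled HMAC.

```python
"""Short-lived, scoped, revocable tokens in place of a baked-in API key.

Added example, not code from the talk or from Mobile Interactive Group.
The app never holds the signing key: it authenticates the user to our own
server, which mints a token bound to that user, a permission set and an
expiry. Tokens are signed with a server-side key identified by `kid`, so a
leaked key can be rotated without shipping a new app build. Key ids, claim
names and TTLs below are assumptions chosen for illustration.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Server-side signing keys by key id. Hypothetical; in production they live
# in a secret store, never in the app bundle.
SIGNING_KEYS = {"k1": secrets.token_bytes(32)}
CURRENT_KID = "k1"
# Token ids revoked before expiry (e.g. a user reports a stolen device).
REVOKED_JTI = set()


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, scopes, ttl_s: int = 900, now: float = None) -> str:
    """Mint a token for an already-authenticated user; call this server-side only."""
    now = time.time() if now is None else now
    claims = {
        "sub": user,                   # who the token acts for
        "scp": sorted(scopes),         # what it may do ("think permissions")
        "exp": int(now) + ttl_s,       # a short life limits the damage of a leak
        "jti": secrets.token_hex(8),   # unique id, so one token can be revoked
        "kid": CURRENT_KID,            # which server key signed it
    }
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEYS[CURRENT_KID], body.encode(), hashlib.sha256).digest()
    return body + "." + b64url_encode(sig)


def verify_token(token: str, required_scope: str, now: float = None):
    """Return the claims if the token is genuine, current, unrevoked and
    carries `required_scope`; otherwise None. The client's word is never trusted."""
    now = time.time() if now is None else now
    try:
        body, sig_text = token.split(".", 1)
        claims = json.loads(b64url_decode(body))
        key = SIGNING_KEYS.get(claims["kid"])
        if key is None:                # key retired: everything it signed is dead
            return None
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_text)):
            return None                # tampered claims or forged signature
        if claims["exp"] <= now or claims["jti"] in REVOKED_JTI:
            return None
        if required_scope not in claims["scp"]:
            return None
        return claims
    except (ValueError, KeyError, TypeError):
        return None


def revoke_token(token: str) -> None:
    """Kill a single token early by its id."""
    try:
        REVOKED_JTI.add(json.loads(b64url_decode(token.split(".", 1)[0]))["jti"])
    except (ValueError, KeyError, TypeError):
        pass


def rotate_signing_key(retire_old: bool = True) -> str:
    """The 'have a plan' step: sign with a fresh key and, if the old one is
    compromised, retire it so every token it signed stops verifying."""
    global CURRENT_KID
    new_kid = "k" + secrets.token_hex(4)
    SIGNING_KEYS[new_kid] = secrets.token_bytes(32)
    if retire_old:
        SIGNING_KEYS.pop(CURRENT_KID, None)
    CURRENT_KID = new_kid
    return new_kid
```

Contrast this with the demo: a key baked into the binary is all-or-nothing and lives as long as the app does, whereas here a token is worth at most one user's permitted actions for fifteen minutes, and the whole population can be invalidated from the server side by retiring a key id.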
  • 23. This shouldn't need a slide. If you're sending passwords in the clear, leave the room. ...no, wait - come back! I forgive you! People share passwords. All the time. My Tumblr password might be my Facebook password. (1 keys and secrets | 2 Leaking Information | 3 storing details)
  • 24. Specific shaming: ...but not the app!
  • 25. "But Nick, everyone knows SSL/TLS is totally broken!" "It's the user's fault for connecting to an insecure network" "It's too much effort / time-consuming to implement" "My app isn't important enough for this to be a problem"
  • 26. Not using TLS is like leaving your house unlocked. Nobody is saying locks are going to stop you from getting burgled... ...but not locking your door is stupid.
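As an added example (not from the talk), the following shows what the "leave the room" case actually leaks and the client-side configuration that closes it. The captured request is constructed for illustration, the host name and credential are made up, and the `open_https` helper is an assumed wrapper around the standard library, not part of any real app.

```python
"""What cleartext login leaks, and the TLS client configuration that prevents it.

Added example, not code from the talk. The captured request below is
constructed for illustration; api.example.test and nick:hunter2 are made up.
"""
import base64
import ssl
import urllib.request

# Constructed capture of what an app sends when it "logs in" over plain HTTP.
# Anyone on the same Wi-Fi sees exactly these bytes.
CAPTURED_REQUEST = (
    b"POST /api/v1/login HTTP/1.1\r\n"
    b"Host: api.example.test\r\n"
    b"Authorization: Basic " + base64.b64encode(b"nick:hunter2") + b"\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def credentials_from_capture(raw: bytes):
    """Recover username and password from an HTTP Basic header in a cleartext capture."""
    for line in raw.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"authorization":
            scheme, _, token = value.strip().partition(b" ")
            if scheme.lower() == b"basic":
                user, _, pw = base64.b64decode(token).partition(b":")
                return user.decode(), pw.decode()
    return None


def insecure_context() -> ssl.SSLContext:
    """The 'make the certificate error go away' configuration: the traffic is
    encrypted, but any attacker-in-the-middle certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Verify the chain against the system trust store, check the hostname,
    and refuse protocol versions older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_acceptable(ctx: ssl.SSLContext) -> bool:
    """Pre-release check: does this context actually authenticate the server?"""
    return (
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def open_https(url: str, timeout: float = 10):
    """Assumed helper: fetch a URL, refusing anything that is not https and
    always using the hardened context (network call; not exercised offline)."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing cleartext URL: " + url)
    return urllib.request.urlopen(url, timeout=timeout, context=hardened_context())
```

The point of `context_is_acceptable` is that "we use SSL" and "we verify the server" are different claims; a context with `CERT_NONE` gives the lock-on-the-door feeling without the lock.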
  • 28. Very popular! Username and password in plain text! (According to ViaForensics, June 2011.) (1 keys and secrets | 2 leaking information | 3 Storing Details)
  • 29. Obvious information: passwords, usernames, account numbers, etc. Overlooked information: location information; personal information (date of birth, address,
  • 30. Consequences. The bad: you get some bad PR; people laugh at you as you walk down the street. The ugly: you store passwords or account information unencrypted; this compromises your app, and users' information is leaked; you are fined by the ICO.
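As an added example (not from the talk, and not the ViaForensics tooling), here is the kind of check a developer can run against their own app's data directory before release: build a throwaway sandbox with the two classic culprits, a SQLite database with a password column and a preferences file with an API key, and scan both for credential-looking fields holding cleartext values. The fixture contents and field-name patterns are constructed for this example.

```python
"""Scan an app's on-device storage for credentials written in the clear.

Added example, not code from the talk. It builds a throwaway directory that
mimics an app's data area (a SQLite database and a JSON preferences file,
both constructed here with made-up values) and reports sensitive-looking
fields that hold a cleartext value.
"""
import json
import os
import re
import sqlite3
import tempfile

# Field names that should never hold a cleartext value on the device: the
# obvious ones from the slide plus the overlooked ones (DOB, location).
SENSITIVE = re.compile(
    r"pass(word|wd)?|pwd|secret|api[_-]?key|account[_-]?(number|no)"
    r"|date[_-]?of[_-]?birth|\bdob\b|latitude|longitude",
    re.I,
)


def build_sample_sandbox() -> str:
    """Constructed fixture: what a careless app leaves behind in its data dir."""
    root = tempfile.mkdtemp(prefix="app-sandbox-")
    db = sqlite3.connect(os.path.join(root, "accounts.db"))
    db.execute("CREATE TABLE account (id INTEGER PRIMARY KEY, username TEXT, "
               "password TEXT, last_seen TEXT)")
    db.execute("INSERT INTO account (username, password, last_seen) VALUES (?, ?, ?)",
               ("nick", "hunter2", "2011-10-02"))
    db.commit()
    db.close()
    with open(os.path.join(root, "prefs.json"), "w") as f:
        json.dump({"theme": "dark", "api_key": "example-api-key-not-real",
                   "remember_me": True}, f)
    return root


def scan_sqlite(path):
    """Yield (file, table.column, value) for populated columns with sensitive names."""
    db = sqlite3.connect(path)
    try:
        tables = [r[0] for r in db.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in db.execute(f'PRAGMA table_info("{table}")')]
            for col in cols:
                if not SENSITIVE.search(col):
                    continue
                rows = db.execute(
                    f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL')
                for (value,) in rows:
                    yield (os.path.basename(path), f"{table}.{col}", str(value))
    finally:
        db.close()


def scan_json(path):
    """Yield (file, dotted.key, value) for sensitive keys with non-empty string values."""
    with open(path) as f:
        data = json.load(f)

    def walk(node, prefix=""):
        if isinstance(node, dict):
            for k, v in node.items():
                key = prefix + k
                if SENSITIVE.search(k) and isinstance(v, str) and v:
                    yield (os.path.basename(path), key, v)
                yield from walk(v, key + ".")
        elif isinstance(node, list):
            for i, v in enumerate(node):
                yield from walk(v, f"{prefix}{i}.")

    yield from walk(data)


def scan_sandbox(root):
    """Walk the data directory and collect every cleartext-credential finding."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith((".db", ".sqlite", ".sqlite3")):
                findings.extend(scan_sqlite(path))
            elif name.endswith(".json"):
                findings.extend(scan_json(path))
    return findings
```

A clean result is necessary but not sufficient: the fix for a finding is usually not to encrypt the password on disk but to stop storing it at all, exchanging it once for a revocable session token held in the platform keychain or keystore.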
  • 31. In summary: ...we're all smart developers... (remember this bit? from earlier on?)
  • 32. ...but so are the developers at Bank of America, Citibank, National Rail Enquiries, Tumblr, AOL, Bump, Flirtomatic, Foursquare, Groupon, LinkedIn, Mint, Skype, Wells Fargo, WordPress, Match.com, Yahoo! Messenger, and many many more. Nobody is perfect, no app is truly secure (including me!)
  • 33. Remember the cat* (*unlike the cat, your app will not survive a fall from height)
  • 34. Thanks :) nick.shearer@migcan.com (I don't tweet - booo!) Slides will be available on the OTA site soon!