5 Mobile App Security MUST-DOs in 2018
8X FASTER – 3X DEEPER – MOST TRUSTED
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
DEEP MOBILE SECURITY EXPERTISE
Open source – Books & Speaking

Mobile threat research is in our DNA
▪ Dream team of security researchers
▪ Every waking moment spent:
  – Discovering critical vulns
  – Identifying novel attack vectors
  – Creating/maintaining renowned open-source mobile security tools/projects

The NowSecure Mission
▪ Save the world from unsafe mobile apps
▪ Educate enterprises on the latest mobile threats
▪ Maximize the security of apps enterprises develop, purchase and use
NowSecure #MobSec5
Weekly mobile security news update
SUBSCRIBE NOW:
www.nowsecure.com/go/subscribe
AGENDA + SPEAKERS
▪ 2017 Mobile AppSec Year in Review
▪ 2018 Mobile AppSec Must-Dos
▪ Q & A

Brian Reed – Chief Mobility Officer
Andrew Hoog – Founder
Katie Strzempka – VP Cust. Success & Svcs
MOBILE APPSEC IN 2017: YEAR IN REVIEW
YEAR IN REVIEW: SECURITY VULNS
Broadpwn, KRACK, BootStomp
YEAR IN REVIEW: PRIVACY
YEAR IN REVIEW: COMPLIANCE
▪ General Data Protection Regulation (GDPR) – takes effect May 2018
▪ NY Cybersecurity Reqs. for Financial Services Companies – took effect August 2017
YEAR IN REVIEW: PLATFORM UPDATES
▪ Face ID on Apple iPhone X – progress in authentication? Jury’s still out
▪ Android 8 – Google Play Protect, SafetyNet API, Project Treble, more
▪ iOS 11 – granular location services notifications, SOS mode, TLS improvements, more
INSIDE THE MOBILE APP ATTACK SURFACE

CODE FUNCTIONALITY
▪ GPS spoofing
▪ Buffer overflow
▪ allowBackup flag
▪ allowDebug flag
▪ Code obfuscation
▪ Configuration manipulation
▪ Escalated privileges
▪ URL schemes
▪ Integrity/tampering/repacking
▪ Side channel attacks
▪ App signing key unprotected
▪ JSON-RPC
▪ Automatic Reference Counting
▪ Android rooting/iOS jailbreak
▪ User-initiated code
▪ Confused deputy attack
▪ Multimedia/file format parsers
▪ Insecure 3rd party libraries
▪ World writable files
▪ World writable executables
▪ Dynamic runtime injection
▪ Unintended permissions
▪ UI overlay/pin stealing
▪ Intent hijacking
▪ Zip directory traversal
▪ Clipboard data
▪ World readable files

DATA AT REST
▪ Data caching
▪ Data stored in application directory
▪ Decryption of keychain
▪ Data stored in log files
▪ Data cached in memory/RAM
▪ Data stored in SD card
▪ OS data caching
▪ Passwords & data accessible
▪ No/weak encryption
▪ TEE/Secure Enclave Processor
▪ Side channel leak
▪ SQLite database
▪ Emulator variance

DATA IN MOTION
▪ Wi-Fi (no/weak encryption)
▪ Rogue access point
▪ Packet sniffing
▪ Man-in-the-middle
▪ Session hijacking
▪ DNS poisoning
▪ TLS downgrade
▪ Fake TLS certificate
▪ Improper TLS validation
▪ HTTP proxies
▪ VPNs
▪ Weak/no local authentication
▪ App transport security
▪ Transmitted to insecure server
▪ Zip files in transit
▪ Cookie “httpOnly” flag
▪ Cookie “secure” flag

API BACKEND
▪ Platform vulnerabilities
▪ Server misconfiguration
▪ Cross-site scripting
▪ Cross-site request forgery
▪ Cross origin resource sharing
▪ Brute force attacks
▪ Side channel attacks
▪ SQL injection
▪ Privilege escalation
▪ Data dumping
▪ OS command execution
▪ Weak input validation
▪ Hypervisor attack
▪ VPN
MOBILE APPSEC MUST-DOs FOR 2018
1. General Data Protection Regulation (GDPR)
“80% of firms will not comply by May 2018. 50% intentionally. The other 50% will fail. Any successful case against a well-known giant will change the risk/cost balance.” - Forrester, Predictions 2018

#1: General Data Protection Regulation (GDPR)

FINES
▪ Greater of: up to 4% of annual global revenue or €20 million (about $23,717,400 USD)
▪ Deadline: May 25, 2018

A FEW KEY CONCEPTS
▪ Purpose limitation
▪ Data minimization
▪ Limited storage periods
▪ Data protection by design & default
▪ Consent – “clear affirmative act”
#1: NEAR TERM TO DO
▪ Audit personal data collected & pay special attention to mobile apps
▪ Review privacy policy and other communications and make necessary changes
▪ Review how you receive & manage consent
https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
2. 3rd-Party Libraries / SDKs Risk
#2: CHOOSE 3RD-PARTY LIBS & SDKs WISELY
▪ 75% of GitHub projects have dependencies
▪ “Modern applications are largely “assembled,” not developed, and developers often download and use known vulnerable open-source components and frameworks.” - Gartner, DevSecOps: How to Seamlessly Integrate Security Into DevOps
▪ 70% of vulns in free Android apps stemmed from libraries (mostly 3rd-party) - A Study on the Vulnerabilities of Mobile Apps associated with Software Modules
▪ GitHub will soon warn developers of insecure dependencies
#2: NEAR TERM TO DO
1. Inventory 3rd-party libraries and SDKs used within apps you control/develop
2. Determine whether any of those versions in use include vulns (GitHub dependencies)
3. Make devs aware of any identified vulns and work on a plan to update/replace
3. DevSecOps: Shifting Left
#3: DevSecOps: SECURITY MUST SHIFT LEFT
245 : 1 – devs outnumber AppSec
[Charts: Google Play Store new apps/month; Apple App Store new apps/month]
“Integrate mobile AST with your broader AST program and use it as a trial or precursor for enterprise-wide DevOps.” - Gartner, Market Guide for MAST
#3: NEAR TERM TO DO
[Diagram: “Your AppSec Factory” pipeline – Requirements, Design, Build, Test; developed apps go through a Rapid Test (Rapid: Passed) toward Production and a Deep Test for Deep Certification (Deep: Passed); Any Test: Failed]
1. Begin with just one dev team that has expressed interest in automation
2. Begin with just one app, one build
3. Use that success to build momentum & automation to move on to other teams/apps
4. Address the low-hanging fruit
#4: FLAWS W/ LOW EFFORT/HIGH RETURN FIXES
▪ Up to 75% of Android apps allow world-read/write/exec.
▪ Up to 90% of Android apps allow backup (allowBackup check)
▪ Up to 30% of iOS apps don’t use ATS properly
#4: NEAR TERM TO DO
1. Perform basic security assessments of the apps your organization controls/develops
2. Identify “low-hanging” security issues and work with your devs to remediate
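Step 1 can start with a scripted pass for the three flaws quantified on the previous slide (allowBackup, world-accessible files, ATS). The block below is an added example, not NowSecure's tooling; the manifest, Java snippet, Info.plist, package name and domain are constructed samples.

```python
"""Scripted first pass over the three low-effort/high-return flaws.

Checks: allowBackup/debuggable in AndroidManifest.xml, world-accessible
file modes in Android Java source, and App Transport Security (ATS)
opt-outs in an iOS Info.plist. All inputs are constructed samples.
"""
import plistlib
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def check_manifest(manifest_xml):
    """Findings for the allowBackup and debuggable flags on <application>.

    allowBackup defaults to true when the attribute is absent, so a missing
    attribute is reported as well; debuggable defaults to false.
    """
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return ["manifest has no <application> element"]
    findings = []
    if app.get(ANDROID_NS + "allowBackup", "true").lower() == "true":
        findings.append("allowBackup enabled: app data is included in device backups")
    if app.get(ANDROID_NS + "debuggable", "false").lower() == "true":
        findings.append("debuggable enabled: build accepts a debugger")
    return findings


WORLD_MODE_RE = re.compile(r"\bMODE_WORLD_(?:READABLE|WRITEABLE)\b")
CHMOD_RE = re.compile(r"\bchmod\s+(?:-R\s+)?([0-7]{3,4})\b")


def check_java_source(src):
    """Findings for files created world-readable/writable/executable."""
    findings = [f"uses deprecated {m.group(0)}" for m in WORLD_MODE_RE.finditer(src)]
    for m in CHMOD_RE.finditer(src):
        if int(m.group(1)[-1], 8) & 0o7:  # any 'other' permission bit set
            findings.append(f"shell chmod grants world access: {m.group(0)}")
    return findings


def check_info_plist(plist_bytes):
    """Findings for ATS weakened in Info.plist (ATS is on unless opted out)."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads disables ATS app-wide")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"plaintext HTTP allowed for {domain}")
        if rules.get("NSExceptionMinimumTLSVersion", "TLSv1.2") in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"TLS below 1.2 allowed for {domain}")
    return findings


def assess(manifest_xml, java_src, plist_bytes):
    """Run all three checks and return findings keyed by check name."""
    return {
        "android_manifest": check_manifest(manifest_xml),
        "world_accessible_files": check_java_source(java_src),
        "ios_ats": check_info_plist(plist_bytes),
    }


# Constructed weak inputs beside their corrected forms (hypothetical app).
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical">
  <application android:allowBackup="true" android:debuggable="true"/>
</manifest>"""
FIXED_MANIFEST = WEAK_MANIFEST.replace(
    'android:allowBackup="true" android:debuggable="true"', 'android:allowBackup="false"')

WEAK_JAVA = """FileOutputStream f = openFileOutput("token", Context.MODE_WORLD_READABLE);
Runtime.getRuntime().exec("chmod 777 " + getCacheDir());"""
FIXED_JAVA = 'FileOutputStream f = openFileOutput("token", Context.MODE_PRIVATE);'

WEAK_PLIST = plistlib.dumps({"NSAppTransportSecurity": {
    "NSAllowsArbitraryLoads": True,
    "NSExceptionDomains": {"legacy.example.test": {"NSExceptionAllowsInsecureHTTPLoads": True}},
}})
FIXED_PLIST = plistlib.dumps({"CFBundleName": "Example"})  # no ATS dictionary: defaults apply

if __name__ == "__main__":
    print("weak: ", assess(WEAK_MANIFEST, WEAK_JAVA, WEAK_PLIST))
    print("fixed:", assess(FIXED_MANIFEST, FIXED_JAVA, FIXED_PLIST))
```

The checks read build inputs, so they run before the app is packaged; the page's own numbers come from testing the finished apps, which also catches settings injected by libraries or build plugins.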
5. Risk in Apple App Store & Google Play Store apps
#5: DON’T IGNORE 3RD-PARTY APP RISK
▪ 33% have at least 1 high risk flaw [CVSS score]
▪ 35% have un-encrypted data transmission
▪ 60% of orgs report an insecure mobile app contributing to a breach
▪ Biz apps are 3X more likely to leak account credentials
▪ 68% of apps can expose sensitive data
▪ 50% of Android apps dynamically load code missed by static analysis
Sources: NowSecure Software and Research Data, Ponemon Institute 2016-2017
#5: TO DO IN THE NEAR TERM
1. Determine the 20 most prevalent apps within your organization using Mobile Device Management (MDM)
2. Perform quick mobile app security testing scans to identify security, privacy, and compliance issues
3. Identify proper remediation, re-configuration, or removal policy for risky mobile apps
NEXT STEPS
NOWSECURE PLATFORM for 360º COVERAGE OF MOBILE APP SECURITY TESTING
▪ NowSecure INTEL – AlwaysOn AppStore Cloud Analysis for EMM & Security teams
▪ NowSecure AUTO – OnDemand Fast Cloud Analysis for Dev, QA & Security teams
▪ NowSecure WORKSTATION – Deep Pen Testing Analysis for Security Analysts
▪ NowSecure SERVICES – Expert Pen Testing, Training & Programs for App Owners & Security teams
8X FASTER – 3X DEEPER – MOST TRUSTED
SHIFT LEFT WITH MOBILE APPSEC FACTORY
[Diagram: “Your AppSec Factory” pipeline – Requirements, Design, Build, Test; developed apps go through a Rapid Test (Rapid: Passed) toward Production and a Deep Test for Deep Certification (Deep: Passed); 3rd-party app store apps go through an Online Test (Online: Passed / Online: Failed); Any Test: Failed]
▪ Rapid Test all apps in 15mins automatically…
▪ Spend <1 hour deep testing any concerning rapid results or additional advanced/pre-release certification
▪ Instantly Vet 3rd Party App Risk
NOWSECURE COMING ATTRACTIONS
▪ AppSec Cali, January 30-31, 2018 – Come see NowSecure in Santa Monica, CA!
▪ ShmooCon XIV, January 19-21, 2018 – For those lucky enough to get a ticket... round 3 ticket sales are on Dec 10!
OPEN Q & A
Brian Reed – Chief Mobility Officer
Andrew Hoog – Founder
Katie Strzempka – VP Cust. Success & Svcs

Let’s talk
NowSecure
+1 312.878.1100
@NowSecureMobile
www.nowsecure.com
Subscribe to #MobSec5 – A digest of the week’s mobile security news that matters
https://www.nowsecure.com/go/subscribe

Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 

Último (20)

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

5 Mobile App Security MUST-DOs in 2018

  • 1. 5 Mobile App Security MUST-DOs in 2018
    8X FASTER, 3X DEEPER, MOST TRUSTED
    © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
  • 2. DEEP MOBILE SECURITY EXPERTISE
    Open source, Books & Speaking
    Mobile threat research is in our DNA
    ▪ Dream team of security researchers
    ▪ Every waking moment spent:
      – Discovering critical vulns
      – Identifying novel attack vectors
      – Creating/maintaining renowned open-source mobile security tools/projects
    The NowSecure Mission
    ▪ Save the world from unsafe mobile apps
    ▪ Educate enterprises on the latest mobile threats
    ▪ Maximize the security of apps enterprises develop, purchase and use
  • 3. NowSecure #MobSec5
    Weekly mobile security news update
    SUBSCRIBE NOW: www.nowsecure.com/go/subscribe
  • 4. AGENDA + SPEAKERS
    2017 Mobile AppSec Year in Review; 2018 Mobile AppSec Must-Dos; Q & A
    Brian Reed, Chief Mobility Officer; Andrew Hoog, Founder; Katie Strzempka, VP Cust. Success & Svcs
  • 5. MOBILE APPSEC IN 2017: YEAR IN REVIEW
  • 6. YEAR IN REVIEW: SECURITY VULNS
    Broadpwn, KRACK, BootStomp
  • 7. YEAR IN REVIEW: PRIVACY
  • 8. YEAR IN REVIEW: COMPLIANCE
    General Data Protection Regulation (GDPR): takes effect May 2018
    NY Cybersecurity Reqs. for Financial Services Companies: took effect August 2017
  • 9. YEAR IN REVIEW: PLATFORM UPDATES
    Face ID on Apple iPhone X: progress in authentication? Jury's still out
    Android 8: Google Play Protect, SafetyNet API, Project Treble, more
    iOS 11: granular location services notifications, SOS mode, TLS improvements, more
  • 10. LEGACY WAST INSIDE THE MOBILE APP ATTACK SURFACE
    Attack surface areas: DATA AT REST, CODE FUNCTIONALITY, DATA IN MOTION, API BACKEND
    ▪ GPS spoofing
    ▪ Buffer overflow
    ▪ allowBackup flag
    ▪ allowDebug flag
    ▪ Code obfuscation
    ▪ Configuration manipulation
    ▪ Escalated privileges
    ▪ URL schemes
    ▪ Integrity/tampering/repacking
    ▪ Side channel attacks
    ▪ App signing key unprotected
    ▪ JSON-RPC
    ▪ Automatic Reference Counting
    ▪ Data caching
    ▪ Data stored in application directory
    ▪ Decryption of keychain
    ▪ Data stored in log files
    ▪ Data cached in memory/RAM
    ▪ Data stored in SD card
    ▪ Platform vulnerabilities
    ▪ Server misconfiguration
    ▪ Cross-site scripting
    ▪ Cross-site request forgery
    ▪ Cross origin resource sharing
    ▪ Brute force attacks
    ▪ SQL injection
    ▪ Privilege escalation
    ▪ Data dumping
    ▪ OS command execution
    ▪ Weak input validation
    ▪ Hypervisor attack
    ▪ VPN
    ▪ OS data caching
    ▪ Passwords & data accessible
    ▪ No/weak encryption
    ▪ TEE/Secure Enclave Processor
    ▪ Side channel leak
    ▪ SQLite database
    ▪ Emulator variance
    ▪ Wi-Fi (no/weak encryption)
    ▪ Rogue access point
    ▪ Packet sniffing
    ▪ Man-in-the-middle
    ▪ Session hijacking
    ▪ DNS poisoning
    ▪ TLS downgrade
    ▪ Fake TLS certificate
    ▪ Improper TLS validation
    ▪ HTTP proxies
    ▪ Weak/no local authentication
    ▪ App Transport Security
    ▪ Transmitted to insecure server
    ▪ Zip files in transit
    ▪ Cookie "httpOnly" flag
    ▪ Cookie "secure" flag
    ▪ Android rooting/iOS jailbreak
    ▪ User-initiated code
    ▪ Confused deputy attack
    ▪ Multimedia/file format parsers
    ▪ Insecure 3rd-party libraries
    ▪ World-writable files
    ▪ World-writable executables
    ▪ Dynamic runtime injection
    ▪ Unintended permissions
    ▪ UI overlay/PIN stealing
    ▪ Intent hijacking
    ▪ Zip directory traversal
    ▪ Clipboard data
    ▪ World-readable files
  • 11. MOBILE APPSEC MUST-DOs FOR 2018
  • 12. 1: General Data Protection Regulation (GDPR)
  • 13. #1: General Data Protection Regulation (GDPR)
    "80% of firms will not comply by May 2018. 50% intentionally. The other 50% will fail. Any successful case against a well-known giant will change the risk/cost balance." (Forrester - Predictions 2018)
    FINES
    ▪ Greater of: up to 4% of annual global revenue or €20 million ($23,717,400 USD)
    ▪ Deadline: May 25, 2018
    A FEW KEY CONCEPTS
    ▪ Purpose limitation
    ▪ Data minimization
    ▪ Limited storage periods
    ▪ Data protection by design & default
    ▪ Consent: "clear affirmative act"
  • 14. #1: NEAR TERM TO DO
    ▪ Audit personal data collected & pay special attention to mobile apps
    ▪ Review privacy policy and other communications and make necessary changes
    ▪ Review how you receive & manage consent
    https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
  • 15. 2: 3rd-Party Libraries / SDKs Risk
  • 16. #2: CHOOSE 3RD-PARTY LIBS & SDKs WISELY
    75% of GitHub projects have dependencies
    "Modern applications are largely 'assembled,' not developed, and developers often download and use known vulnerable open-source components and frameworks." (Gartner - DevSecOps: How to Seamlessly Integrate Security Into DevOps)
    70% of vulns in free Android apps stemmed from libraries (mostly 3rd-party) (A Study on the Vulnerabilities of Mobile Apps associated with Software Modules)
    GitHub will soon warn developers of insecure dependencies
  • 17. #2: NEAR TERM TO DO
    1. Inventory 3rd-party libraries and SDKs used within apps you control/develop
    2. Determine whether any of those versions in use include vulns (GitHub dependencies)
    3. Make devs aware of any identified vulns and work on a plan to update/replace
  • 18. 3: DevSecOps Shifting Left
  • 19. #3: DevSecOps: SECURITY MUST SHIFT LEFT
    245 : 1 devs outnumber AppSec
    [Chart: Google Play Store new apps/month; Apple App Store new apps/month]
    "Integrate mobile AST with your broader AST program and use it as a trial or precursor for enterprise-wide DevOps." (Gartner - Market Guide for MAST)
  • 20. #3: NEAR TERM TO DO
    [Diagram: "Your AppSec Factory" pipeline: Requirements, Design, Build, Test; Rapid Test (passed) on developed apps; Deep Test / Deep Certification (passed); any test failed loops back; then Production]
    1. Begin with just one dev team that has expressed interest in automation
    2. Begin with just one app, one build
    3. Use that success to build momentum & automation to move on to other teams/apps
  • 21. 4: Address the low-hanging fruit
  • 22. #4: FLAWS W/ LOW-EFFORT/HIGH-RETURN FIXES
    Up to 75% of Android apps allow world-read/write/exec
    Up to 90% of Android apps allow backup (check)
    Up to 30% of iOS apps don't use ATS properly
  • 23. #4: NEAR TERM TO DO
    1. Perform basic security assessments of the apps your organization controls/develops
    2. Identify "low-hanging" security issues and work with your devs to remediate
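A basic check for the three low-effort flaws named on slide 22, added here as an example (not NowSecure code): it flags android:allowBackup / android:debuggable in an AndroidManifest.xml, world-accessible file modes, and ATS weakened in an iOS Info.plist. The sample manifest, plist, and function names are constructed for the example.

```python
"""Constructed example: flag the 'low-hanging fruit' misconfigurations from
slide 22 (Android allowBackup/debuggable, world-accessible files, iOS ATS)."""
import plistlib
import stat
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample AndroidManifest.xml (not from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <application android:allowBackup="true" android:debuggable="true"
               android:label="Constructed"/>
</manifest>"""

# Constructed sample Info.plist with ATS disabled globally and per-domain.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.constructed</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    </dict>
  </dict>
</dict></plist>"""


def android_manifest_findings(manifest_xml: str) -> list:
    """Return flag-level findings for an AndroidManifest.xml.

    allowBackup="true" lets 'adb backup' copy app-private data off the device;
    debuggable="true" lets a debugger attach to the shipped process.
    """
    findings = []
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return findings
    for attr, finding in (("allowBackup", "android:allowBackup is true"),
                          ("debuggable", "android:debuggable is true")):
        if app.get("{%s}%s" % (ANDROID_NS, attr), "").lower() == "true":
            findings.append(finding)
    return findings


def ats_findings(info_plist: bytes) -> list:
    """Return App Transport Security weaknesses declared in an Info.plist."""
    findings = []
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads is true (ATS disabled globally)")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append("plain HTTP allowed for %s" % domain)
    return findings


def world_accessible(mode: int) -> list:
    """Describe the 'other' permission bits of a POSIX file mode (os.stat st_mode)."""
    bits = ((stat.S_IROTH, "world-readable"), (stat.S_IWOTH, "world-writable"),
            (stat.S_IXOTH, "world-executable"))
    return [label for bit, label in bits if mode & bit]


if __name__ == "__main__":
    print(android_manifest_findings(SAMPLE_MANIFEST))
    print(ats_findings(SAMPLE_INFO_PLIST))
    print(world_accessible(0o666))  # a file left rw for everyone
```

On a real app, feed the decoded AndroidManifest.xml, the bundle's Info.plist, and the st_mode of files under the app's data directory; the remediation is to set the flags to false, tighten the modes, and remove the ATS exceptions.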
  • 24. 5: Risk in Apple App Store & Google Play Store apps
  • 25. #5: DON'T IGNORE 3RD-PARTY APP RISK
    33% have at least 1 high-risk flaw [CVSS score]
    35% have unencrypted data transmission
    60% of orgs report an insecure mobile app contributing to a breach
    Biz apps are 3X more likely to leak account credentials
    68% of apps can expose sensitive data
    50% of Android apps dynamically load code missed by static analysis
    Sources: NowSecure Software and Research Data, Ponemon Institute 2016-2017
  • 26. #5: TO DO IN THE NEAR TERM
    1. Determine the 20 most prevalent apps within your organization using Mobile Device Management (MDM)
    2. Perform quick mobile app security testing scans to identify security, privacy, and compliance issues
    3. Identify proper remediation, re-configuration, or removal policy for risky mobile apps
  • 27. [Image slide, no text]
  • 28. NEXT STEPS
  • 29. NOWSECURE PLATFORM for 360º COVERAGE OF MOBILE APP SECURITY TESTING
    NowSecure INTEL: AlwaysOn AppStore Cloud Analysis for EMM & Security teams
    NowSecure AUTO: OnDemand Fast Cloud Analysis for Dev, QA & Security teams
    NowSecure WORKSTATION: Deep Pen Testing Analysis for Security Analysts
    NowSecure SERVICES: Expert Pen Testing, Training & Programs for App Owners & Security teams
    8X FASTER, 3X DEEPER, MOST TRUSTED
  • 30. [Image slide, no text]
  • 31. SHIFT LEFT WITH MOBILE APPSEC FACTORY
    [Diagram: "Your AppSec Factory" pipeline: Requirements, Design, Build, Test; Rapid Test on developed apps (passed/failed); Deep Test / Deep Certification (passed); Online Test on 3rd-party app store apps (passed/failed); then Production]
    Rapid Test all apps in 15 mins automatically…
    Spend <1 hour deep testing any concerning rapid results or additional advanced/pre-release certification
    Instantly vet 3rd-party app risk
  • 32. [Image slide, no text]
  • 33. NOWSECURE COMING ATTRACTIONS
    AppSec Cali, January 30-31, 2018: come see NowSecure in Santa Monica, CA!
    ShmooCon XIV, January 19-21, 2018: for those lucky enough to get a ticket... round 3 ticket sales are on Dec 10!
  • 34. OPEN Q & A
    Brian Reed, Chief Mobility Officer; Andrew Hoog, Founder; Katie Strzempka, VP Cust. Success & Svcs
    2017 Mobile AppSec Year in Review; 2018 Mobile AppSec Must-Dos; Q & A
  • 35. Let's talk
    NowSecure, +1 312.878.1100, @NowSecureMobile, www.nowsecure.com
    Subscribe to #MobSec5, a digest of the week's mobile security news that matters: https://www.nowsecure.com/go/subscribe