© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
How to make Android apps secure: Dos and don’ts
Connect with us
Follow us on Twitter @NowSecureMobile
—
NowSecure’s Secure Mobile Development Best Practices
www.nowsecure.com/resources/secure-mobile-development/
—
Visit our website https://www.nowsecure.com
Jake Van Dyke
Mobile security researcher
Sam Bakken
Content marketing manager
Pokemon GO
Read the NowSecure blog post about security risks and Pokemon GO:
https://www.nowsecure.com/blog/2016/07/12/pokemon-go-security-risks-what-cisos-and-security-pros-need-to-know/
Contents
● Overview
● Android app security fails
● Dos and don’ts
● Questions
Overview
25% of apps include a high-risk flaw (Mary Meeker, Internet Trends 2016)
33 apps installed on the average device, >8 of them vulnerable (2016 NowSecure Mobile Security Report)
53,844 devices in the average global enterprise (Ponemon Institute, The Economic Risk of Confidential Data on Mobile Devices in the Workplace)
>8 vulnerable apps x 53,844 devices = 444,213 vulnerable apps residing on dual-use devices in the average global enterprise
Recent Android security developments
● Static analysis on apps submitted to Google Play
● Detecting links to third-party libraries
● Android Nougat
○ File system permission changes
○ Sharing files between apps
○ NDK apps linking to platform libraries
○ Android for Work apps
○ Crypto and SHA1PRNG are deprecated
○ Changes to trusted certificate authorities (CA)
https://developer.android.com/preview/behavior-changes.html
General tightening of security in the OS and SDK to provide a “safety net”
Android app security fails
Vulnerabilities in the Vitamio SDK
“World Writable Code Is Bad, MMMMKAY” (NowSecure Blog)
Relevant best practice: Test third party libraries
“Third-party libraries can contain vulnerabilities and weaknesses. Many developers assume third-party libraries are well-developed and tested; however, issues can and do exist in their code.”
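The “world writable code” failure behind the Vitamio finding is a file-permission problem: code that is loaded from a location other processes can write to can be replaced before the app runs it. The Java below is an added example written for this page, not code from the NowSecure deck, the Vitamio SDK or the blog post; the class `SafeCodeLoader` and its method names are hypothetical. It writes app files with `MODE_PRIVATE`, and before loading a native library it uses `android.system.Os.stat`/`Os.lstat` (API 21+) to confirm the file is a regular, non-symlinked file owned by the app's uid with no group or world write bits set.

```java
// Added example (not from the NowSecure deck): refuse to load native code from
// any file that another process could have modified.
import android.content.Context;
import android.system.ErrnoException;
import android.system.Os;
import android.system.OsConstants;
import android.system.StructStat;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

public final class SafeCodeLoader {

    private SafeCodeLoader() {}

    /**
     * Hypothetical check: true only if the path is a regular file (not a
     * symlink), owned by this app's uid, and not writable by group or others.
     */
    public static boolean isPrivateRegularFile(File f) throws ErrnoException {
        String path = f.getAbsolutePath();
        StructStat link = Os.lstat(path);            // does not follow symlinks
        if (OsConstants.S_ISLNK(link.st_mode)) {
            return false;                            // a symlink could be re-pointed later
        }
        StructStat st = Os.stat(path);
        if (!OsConstants.S_ISREG(st.st_mode)) {
            return false;                            // directories, devices, sockets: no
        }
        if (st.st_uid != Os.getuid()) {
            return false;                            // not owned by this app's uid
        }
        int groupOrWorldWrite = OsConstants.S_IWGRP | OsConstants.S_IWOTH;
        return (st.st_mode & groupOrWorldWrite) == 0;
    }

    /**
     * Load a native library only from the app's private files directory, and
     * only after the permission check above passes. External storage and any
     * MODE_WORLD_WRITEABLE directory are never acceptable sources of code.
     */
    public static void loadNativeLibrary(Context ctx, String fileName) throws ErrnoException {
        File lib = new File(ctx.getFilesDir(), fileName);
        if (!isPrivateRegularFile(lib)) {
            throw new SecurityException("Refusing to load modifiable code: " + lib);
        }
        System.load(lib.getAbsolutePath());
    }

    /** Writing app data the right way: MODE_PRIVATE, never MODE_WORLD_WRITEABLE. */
    public static void writePrivateFile(Context ctx, String name, byte[] data) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            out.write(data);
        }
    }
}
```

The durable control is the location: `getFilesDir()` belongs to the app's own uid, so nothing else on an unrooted device can write there. The stat check is defense in depth for a third-party SDK that unpacks and loads native code on its own, which is exactly the kind of code the best practice above says to test rather than assume is sound.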
SwiftKey vulnerabilities (CVE-2015-4640 & CVE-2015-4641)
“Remote Code Execution as System User on Samsung Phones” (NowSecure Blog)
Relevant best practices
Fully validate SSL/TLS: “An application not properly validating its connection to the server is susceptible to a man-in-the-middle attack by a privileged network attacker.”
Embrace least permissions
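The quoted failure (an app that does not properly validate its server connection) almost always comes from code that replaces the platform's certificate or hostname check with one that accepts anything. The Java below is an added example written for this page, not code from the NowSecure deck or the SwiftKey advisory; the class `TlsClient`, its methods and the pin placeholder are hypothetical. It shows the two “accept everything” classes a reviewer should flag, then the validated form, which simply leaves `HttpsURLConnection`'s default trust manager and hostname verifier in place, plus an optional SubjectPublicKeyInfo pin compared against a constructed placeholder value.

```java
// Added example (not from the NowSecure deck): how an Android app loses, and
// keeps, TLS validation.
import android.util.Base64;

import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;
import javax.net.ssl.X509TrustManager;

public final class TlsClient {

    private TlsClient() {}

    // DON'T: this is the pattern that makes an app "not properly validate its
    // connection". Every certificate chain passes, so a privileged network
    // attacker can present any certificate for the server. Flag it in review.
    static final class TrustEverything implements X509TrustManager {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    // DON'T: a verifier that accepts any host name defeats the chain check even
    // when the chain itself is valid (a certificate for some other site passes).
    static final HostnameVerifier ALLOW_ANY_HOST = new HostnameVerifier() {
        @Override public boolean verify(String hostname, SSLSession session) { return true; }
    };

    // DO: use the platform defaults. HttpsURLConnection already validates the
    // chain against the device trust store and checks the host name; the only
    // job is to not replace them with the classes above.
    public static HttpsURLConnection openValidated(String url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        // No conn.setSSLSocketFactory(...) built from TrustEverything,
        // no conn.setHostnameVerifier(ALLOW_ANY_HOST).
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        conn.connect();
        return conn;
    }

    // Constructed placeholder: replace with the base64 SHA-256 of the real
    // server key's SubjectPublicKeyInfo before use.
    public static final String EXAMPLE_PIN_PLACEHOLDER = "REPLACE_WITH_BASE64_SHA256_OF_SPKI";

    // DO (optional hardening): pin the server's public key on top of normal
    // validation, so a mis-issued but otherwise valid certificate still fails.
    public static boolean leafKeyMatchesPin(HttpsURLConnection conn, String expectedSha256Base64)
            throws IOException, NoSuchAlgorithmException {
        Certificate[] chain = conn.getServerCertificates();     // leaf first
        byte[] spki = chain[0].getPublicKey().getEncoded();      // DER SubjectPublicKeyInfo
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        String actual = Base64.encodeToString(digest, Base64.NO_WRAP);
        return actual.equals(expectedSha256Base64);
    }

    /** Open a connection and only read the body if the pin matches. */
    public static InputStream fetchPinned(String url, String expectedPin)
            throws IOException, NoSuchAlgorithmException {
        HttpsURLConnection conn = openValidated(url);
        if (!leafKeyMatchesPin(conn, expectedPin)) {
            conn.disconnect();
            throw new SecurityException("Server key does not match the pinned key");
        }
        return conn.getInputStream();
    }
}
```

On Android 7.0 (Nougat) and later the same policy can be declared without code in a Network Security Configuration file (`res/xml/network_security_config.xml`), including pins and a restriction to system CAs only; the Nougat change to trusted CAs listed earlier in the deck is that apps targeting API 24 stop trusting user-added CAs by default, which removes one common interception path.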
Developing secure apps for Android: Dos and don’ts
Secure Mobile Development Best Practices (SMDBP)
Review the NowSecure Secure Mobile Development Best Practices in their entirety:
https://www.nowsecure.com/resources/secure-mobile-development/
Android
● Implement File Permissions Carefully
● Implement intents carefully
● Check Activities
● Use Broadcasts Carefully
● Implement Pending Intents Carefully
● Protect Application Services
● Avoid Intent Sniffing
● Implement Content Providers Carefully
● Follow WebView Best Practices
● Avoid Storing Cached Camera Images
● Avoid GUI Objects Caching
● Sign Android APKs
Coding practices
● Increase Code Complexity and Use Obfuscation
● Avoid Simple Logic
● Test Third-Party libraries
● Implement Anti-tamper Techniques
● Securely Store Sensitive Data in RAM
● Understand Secure Deletion of Data
● Avoid Query String for Sensitive Data
Caching and logging
● Avoid Caching App Data
● Avoid Crash Logs
● Limit Caching of Username
● Carefully Manage Debug Logs
● Be Aware of the Keyboard Cache
● Be Aware of Copy and Paste
Handling sensitive data
● Implement Secure Data Storage
● Use SECURE Setting For Cookies
● Fully validate SSL/TLS
● Protect Against SSL Downgrade attacks
● Limit Use of UUID
● Treat Geolocation Data Carefully
● Institute Local Session Timeout
● Implement Enhanced / Two-Factor Authentication
● Protect Application Settings
● Hide Account Numbers and Use Tokens
● Implement Secure Network Transmission of Sensitive Data
● Validate Input From Client
Webviews
● Prevent Framing and Clickjacking
● Protect against CSRF with form tokens
Servers
● Implement Proper Web Server Configuration
● Properly Configure Server-side SSL
● Use Proper Session Management
● Protect and Pen Test Web services
● Protect Internal Resources
Let’s talk - submit questions using the chat function in the GoToWebinar interface
+1 312.878.1100
@NowSecureMobile
www.nowsecure.com
Learn more about developing secure Android and iOS apps with the NowSecure Secure Mobile Development Best Practices - www.nowsecure.com/resources/secure-mobile-development/
