Security Best Practices
MOBILE APPS
<CodeRed> Talks
Kadhambari Anbalagan, Software Architect
5:00pm Monday, 8 April, 2017
RedBlackTree Terrace
What do the statistics say?
Popular Free App Findings
Among the top 20 free apps, 80% of Android and 75% of iOS apps have been subjected to hacking.
Top Paid Apps Findings
Research reveals that among the top 100 paid apps, 97% of Android and 87% of iOS apps have been subjected to hacking.
Reason?
Apps that we build are insecure
Mobile App Security Issues
• Improper Platform usage
• Insecure data
• Insecure communication
• Insecure Authentication
• Insufficient Cryptography
• Insecure Authorization
• Code Quality Issues
• Code Tampering
• Reverse Engineering
• Extraneous functionality
Improper Platform Usage
Misuse of a platform feature, or failure to use the platform's security controls, on the Android or iOS operating system
What can happen?
1. Improper implementation of Android Intents - data leakage, restricted functions being called, and program flow being manipulated
2. Using the Keychain for secure data storage - in several scenarios the keychain can be compromised and its contents decrypted
Best Practices
Know your platform well
Use intents carefully
Use the keychain carefully
Insecure Data
Vulnerabilities that leak personal information and hand attackers access to it
Report by NowSecure:
1 in 10 mobile apps leaks private, sensitive data such as email addresses, usernames or passwords.
Best Practices
• When possible, do not store or cache sensitive data
• Implement secure data storage
• Keep sensitive data only in RAM, stored securely
• Encrypt using verified third-party libraries
Insecure Communication
Sensitive data sent in clear text, or over other insecure transport methods.
Real World Example:
Best Practices
• Implement secure transmission of sensitive data
• Use SSL/TLS; for increased security, implement certificate pinning
• Leverage application-layer encryption to protect user data
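As an added illustration of the SSL/TLS and certificate pinning advice above (example code written for this page, not from the talk or from RedBlackTree), the following Python client keeps the platform's chain and hostname verification switched on, requires TLS 1.2 or newer, and then additionally rejects any server certificate whose SHA-256 fingerprint is outside a pinned set. The host, port and pin values are assumptions for illustration, and the bytes used in the check below stand in for a real DER-encoded certificate.

```python
import hashlib
import socket
import ssl
from typing import Iterable, Optional


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def make_tls_context() -> ssl.SSLContext:
    """Strict client context: CA chain and hostname checks stay on, TLS >= 1.2.
    Pinning is added on top of these checks, never instead of them."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def check_pin(der_cert: Optional[bytes], pins: Iterable[str]) -> bool:
    """Fail closed: a missing certificate, or a fingerprint that is not in the
    pin set, is rejected. Pins are compared case-insensitively."""
    if not der_cert:
        return False
    return cert_fingerprint(der_cert) in {p.lower() for p in pins}


def open_pinned_connection(host: str, port: int, pins: Iterable[str],
                           timeout: float = 10.0) -> ssl.SSLSocket:
    """Connect, let the platform verify the chain, then enforce the pin.
    host/port/pins are supplied by the caller (assumed values in a real app)."""
    ctx = make_tls_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    if not check_pin(tls.getpeercert(binary_form=True), pins):
        tls.close()
        raise ssl.SSLError(f"certificate for {host} does not match the pinned set")
    return tls


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate, so the check runs offline.
    fake_der = b"constructed bytes standing in for a DER certificate"
    pin = cert_fingerprint(fake_der)
    print("matches pin set:", check_pin(fake_der, [pin]))
    print("matches wrong pin:", check_pin(fake_der, ["00" * 32]))
```

Pinning the whole leaf certificate, as shown, means every certificate renewal needs an app update; production deployments usually pin the hash of the public key (SPKI) instead and ship a backup pin, which the standard library cannot parse out of the DER without extra code.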
Insecure Authentication
Inability to securely identify a user and to maintain that user's identity
Real World Example:
Best Practices
• Use token-based authentication
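To show what "token-based authentication" looks like on the backend, here is an added Python example (not code from the talk or from RedBlackTree): after a user has proved who they are, the server issues a short-lived bearer token signed with HMAC-SHA256, and every later request is checked against that signature and expiry instead of re-sending credentials. The signing key, the 15-minute lifetime and the user ids are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed signing key. In a real deployment it is generated and kept on the
# backend only; it is never embedded in the app binary.
SERVER_KEY = secrets.token_bytes(32)


def _b64e(raw: bytes) -> str:
    # URL-safe base64 without padding, so the token is safe in headers and URLs
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, ttl_seconds: int = 900,
                now: Optional[float] = None, key: bytes = SERVER_KEY) -> str:
    """Issue a signed, short-lived bearer token for a user who has just
    authenticated. The client stores and presents the token; it never
    re-sends the password."""
    now = time.time() if now is None else now
    payload = {"sub": user_id, "exp": int(now) + ttl_seconds,
               "jti": secrets.token_hex(8)}   # unique id lets the server revoke one token
    body = _b64e(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64e(tag)}"


def verify_token(token: str, now: Optional[float] = None,
                 key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the user id if the token is authentic and unexpired, else None.
    The tag is checked in constant time before the payload is parsed, so a
    forged body is never trusted."""
    now = time.time() if now is None else now
    try:
        body, tag_text = token.split(".", 1)
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(tag_text)):
            return None
        payload = json.loads(_b64d(body).decode("utf-8"))
    except (ValueError, TypeError, UnicodeError):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload.get("sub")


if __name__ == "__main__":
    token = issue_token("alice", ttl_seconds=60)
    print("valid now:", verify_token(token))
    print("after expiry:", verify_token(token, now=time.time() + 120))
```

The token must only ever travel over TLS, and the short lifetime is what limits the damage if one is captured from a device; a refresh flow or the `jti`-based revocation list handles longer sessions on the server side.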
Insufficient Cryptography
• The process behind encryption and decryption may allow an attacker to decrypt sensitive data.
• The algorithm behind encryption and decryption may itself be weak.
Vulnerable?
• Poor key management processes
• Use of custom encryption protocols
• Use of insecure algorithms
Best Practices
• Implement secure data storage
• Avoid custom encryption methods; use proven encryption algorithms and methods
• Avoid storing sensitive information on the mobile device
• Follow NIST guidelines on recommended algorithms
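The "poor key management" and "insecure algorithms" points above usually meet in one place: how an app turns a user's PIN or password into a key. The following Python example is added for this page (not from the talk or from RedBlackTree) and contrasts the weak habit, one unsalted hash of the PIN, with PBKDF2-HMAC-SHA256, the key-derivation function NIST describes in SP 800-132. The iteration count, salt length and the idea of using the derived key only as a key-encryption key are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Constructed parameters. The iteration count should be the highest the target
# devices tolerate; it is stored with the salt so it can be raised later
# without breaking already-enrolled users.
PBKDF2_ITERATIONS = 600_000
KEY_LEN = 32       # 256-bit key
SALT_LEN = 16


def weak_key_from_pin(pin: str) -> bytes:
    """What not to do: one unsalted hash of the PIN. Every user with the same
    PIN gets the same key, and a 6-digit PIN space is exhausted in well under
    a second, so a dumped store is trivially reversible."""
    return hashlib.sha256(pin.encode("utf-8")).digest()


def derive_key(pin: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 (NIST SP 800-132): a random per-user salt defeats
    precomputation and the iteration count makes every guess expensive.
    The result is meant to wrap a random data key, not to encrypt data directly."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def make_verifier(key: bytes) -> bytes:
    """A stored verifier derived from the key, so the key itself is never
    written to disk (an attacker with the verifier still has no key)."""
    return hmac.new(key, b"pin-verifier", hashlib.sha256).digest()


def enroll(pin: str, iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, int, bytes]:
    """Create a fresh salt and verifier for a new PIN. Persist salt,
    iterations and verifier; never persist the PIN or the derived key."""
    salt = secrets.token_bytes(SALT_LEN)
    return salt, iterations, make_verifier(derive_key(pin, salt, iterations))


def verify_pin(pin: str, salt: bytes, iterations: int, verifier: bytes) -> bool:
    """Constant-time check of a presented PIN against the stored verifier."""
    candidate = make_verifier(derive_key(pin, salt, iterations))
    return hmac.compare_digest(candidate, verifier)


if __name__ == "__main__":
    salt, rounds, verifier = enroll("4821", iterations=50_000)
    print("correct PIN accepted:", verify_pin("4821", salt, rounds, verifier))
    print("wrong PIN accepted:", verify_pin("4812", salt, rounds, verifier))
```

Note that the weak variant is deterministic across users while the PBKDF2 variant changes with every enrolment; that difference is exactly what stops an attacker from precomputing one table that breaks everyone's PIN at once.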
Insecure Authorization
Failure of the server to properly enforce the identity and permissions asserted by the mobile app
Best Practices
• Verify the roles and permissions of the authenticated user using only information held in backend systems. Do not rely on any role or permission information that comes from the mobile device itself.
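To make the best practice above concrete, here is an added Python example of a backend authorization check (not code from the talk or from RedBlackTree). The vulnerable version trusts a `role` field the app sends in the request body; the hardened version looks the role up in the server's own records, keyed by the identity the authentication layer established, and ignores whatever the device claims. The users, roles and actions are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet

# Constructed backend records: the only source of truth for who may do what.
USER_ROLES: Dict[str, str] = {"alice": "admin", "bob": "user"}
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "admin": frozenset({"read_report", "delete_report"}),
    "user": frozenset({"read_report"}),
}


@dataclass
class Request:
    user_id: str                      # set by the authentication layer, not by the body
    action: str                       # the operation the app is asking for
    body: dict = field(default_factory=dict)   # whatever the mobile client sent


def authorize_insecure(req: Request) -> bool:
    """Vulnerable pattern: the role comes from the device. Any client can
    send {"role": "admin"} and the server will believe it."""
    role = req.body.get("role", "user")
    return req.action in ROLE_PERMISSIONS.get(role, frozenset())


def authorize(req: Request) -> bool:
    """Hardened: the role is resolved server-side from the authenticated
    identity; the request body is never consulted for permissions. Unknown
    users and unknown roles fall through to deny."""
    role = USER_ROLES.get(req.user_id)
    if role is None:
        return False
    return req.action in ROLE_PERMISSIONS.get(role, frozenset())


if __name__ == "__main__":
    escalation = Request("bob", "delete_report", {"role": "admin"})
    print("insecure check lets bob delete:", authorize_insecure(escalation))
    print("hardened check lets bob delete:", authorize(escalation))
```

Deny-by-default matters as much as the lookup: a user missing from the backend, or a role with no entry in the permission table, must evaluate to false rather than to some implicit default role.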
Client Code Quality
Risks that come from vulnerabilities such as buffer overflows, format string bugs and other code-level mistakes
Real World Example:
Vitamio SDK – used in thousands of mobile apps with millions of downloads.
In another instance, a high-risk man-in-the-middle vulnerability was identified in a third-party library used by an app.
What to do?
• Avoid third-party libraries with high-risk flaws
• Maintain consistent coding patterns
• Write well-documented, easily readable code
• Use automation: identify buffer overflows and memory leaks with third-party static analysis tools
Code Tampering
Attackers tamper with an app or plant a backdoor in it, re-sign it, and publish the malicious version to third-party app marketplaces.
Popular Example:
What to Do?
• Implement anti-tampering techniques such as checksums, digital signatures and other validation mechanisms to help detect file tampering
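As an added example of the checksum-and-signature idea above (written for this page, not code from the talk or from RedBlackTree), the following Python builds a manifest of SHA-256 digests for a bundle's files at build time, signs the manifest, and at run time reports anything modified, missing or added. The file contents and the signing key are constructed for illustration; a real app bundle would be walked from disk.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed stand-in for a built app bundle: path -> file contents.
BUNDLE: Dict[str, bytes] = {
    "lib/core.so": b"\x7fELF constructed native library",
    "assets/config.json": b'{"api":"https://example.invalid"}',
}
BUILD_KEY = b"constructed-build-signing-key"


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path to the SHA-256 of its contents (sorted for stable output)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in sorted(files.items())}


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """Sign a canonical JSON encoding so a modified manifest is detected too."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_manifest(files: Dict[str, bytes], manifest: Dict[str, str],
                    signature: str, key: bytes) -> List[str]:
    """Return a list of problems; an empty list means the bundle is intact.
    The manifest signature is checked first: if it fails, nothing in the
    manifest can be trusted, so per-file checks are skipped."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return ["manifest signature invalid"]
    problems: List[str] = []
    current = build_manifest(files)
    for path, digest in manifest.items():
        if path not in current:
            problems.append(f"missing: {path}")
        elif not hmac.compare_digest(current[path], digest):
            problems.append(f"modified: {path}")
    for path in current:
        if path not in manifest:
            problems.append(f"unexpected: {path}")
    return problems


if __name__ == "__main__":
    manifest = build_manifest(BUNDLE)
    signature = sign_manifest(manifest, BUILD_KEY)
    print("clean bundle:", verify_manifest(BUNDLE, manifest, signature, BUILD_KEY))
    patched = dict(BUNDLE, **{"assets/config.json": b'{"api":"http://example.invalid"}'})
    print("patched bundle:", verify_manifest(patched, manifest, signature, BUILD_KEY))
```

The HMAC here keeps the example self-contained, but a symmetric key shipped inside an app can be read out of it; the real-world counterpart is an asymmetric signature (as with platform app signing) verified against a public key embedded in the binary, and any on-device check of this kind is a detection aid that a determined re-signer can also remove, which is why the app store's own signature check remains the primary control.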
Reverse Engineering
Analysis of a final binary to determine its source code, libraries, algorithms and more.
Real World Example:
Hackers decompiled a mobile app and recompiled it so they did not have to pay for premium content.
What to Do?
• Increase code complexity and use obfuscation
Extraneous Functionality
• Developers frequently include hidden backdoors or security controls that they do not plan to release into production
• This creates risk when a feature that was never intended to be shared is released into the wild
Real World example:
What to do?
• Carefully manage debug logs
• Clean coding practices
Thank You
Mobile App Security - Best Practices

Insecure Authentication
Inability to securely identify a user and maintain that user's identity
Real World Example:
Best Practices
• Use token-based authentication

Insufficient Cryptography
• The process behind encryption and decryption may allow a hacker to decrypt sensitive data.
• The algorithm behind encryption and decryption may be weak in nature.
Vulnerable?
• Poor key management processes
• Use of custom encryption protocols
• Use of insecure algorithms
Best Practices
• Implement secure data storage
• Avoid custom encryption methods and use proven encryption algorithms and methods
• Avoid storage of sensitive information on the mobile device
• Follow NIST guidelines on recommended algorithms

Insecure Authorization
Failure of a server to properly enforce identity and permissions as stated by the mobile app
Best Practices
• Verify the roles and permissions of the authenticated user using only information contained in backend systems. Avoid relying on any role or permission information that comes from the mobile device itself
Client Code Quality
Risks that come from vulnerabilities like buffer overflows, format string vulnerabilities and various code-level mistakes
Real World Example: Vitamio SDK, used in thousands of mobile apps with millions of app downloads. In another instance, a high-risk man-in-the-middle vulnerability was identified in one of the third-party libraries used in an app.
What to do?
• Avoid third-party libraries with high-risk flaws
• Maintain consistent coding patterns
• Write well-documented and easily readable code
• Via automation, identify buffer overflows and memory leaks through the use of third-party static analysis tools

Code Tampering
When attackers tamper with or install a backdoor on an app, re-sign it and publish the malicious version to third-party app marketplaces.
Popular Example:
What to Do?
• Implement anti-tampering techniques such as checksums, digital signatures and other validation mechanisms to help detect file tampering
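The checksum-plus-signature idea above, as an added Python example that is not from the talk: a release build records a SHA-256 digest of every packaged file and authenticates the manifest with HMAC-SHA256, and the verifier reports modified, missing or unexpected files, refusing the digests outright if the manifest itself fails authentication. The file set and SIGNING_KEY are constructed; an HMAC key shipped inside the app can be recovered by anyone who has the package, so a real release relies on the platform's public-key app signing and keeps this kind of check as a secondary integrity layer.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the packaged app assets: path -> file contents.
RELEASE_FILES = {
    "assets/config.json": b'{"api": "https://api.example.invalid"}',
    "lib/native.bin": bytes(range(64)),
}
# Constructed signing key (assumption: a build-time secret, see the caveat in the lead-in).
SIGNING_KEY = b"example-build-signing-key"


def build_manifest(files):
    """SHA-256 digest per file, then an HMAC over the canonical JSON form of the digest table."""
    digests = {path: hashlib.sha256(data).hexdigest() for path, data in sorted(files.items())}
    canonical = json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, canonical, hashlib.sha256).hexdigest()
    return {"files": digests, "sig": sig}


def verify_package(files, manifest):
    """Return a list of findings; an empty list means the package matches the signed manifest."""
    findings = []
    canonical = json.dumps(manifest.get("files", {}), sort_keys=True, separators=(",", ":")).encode()
    expected = hmac.new(SIGNING_KEY, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(manifest.get("sig", ""), expected):
        findings.append("manifest signature invalid")
        return findings  # the digest table is untrusted, so comparing against it proves nothing
    for path, digest in manifest["files"].items():
        data = files.get(path)
        if data is None:
            findings.append("missing: " + path)
        elif hashlib.sha256(data).hexdigest() != digest:
            findings.append("modified: " + path)
    for path in files:
        if path not in manifest["files"]:
            findings.append("unexpected: " + path)
    return findings
```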
Reverse Engineering
Analysis of a final binary to determine its source code, libraries, algorithms and more.
Real World Example: Hackers decompiled a mobile app and recompiled it so they didn't have to pay for premium content.
What to Do?
• Increase code complexity and use obfuscation

Extraneous Functionality
• Developers frequently include hidden backdoors or security controls they do not plan on releasing into production
• This error creates risk when a feature is released to the wild that was never intended to be shared
Real World Example:
What to do?
• Carefully manage debug logs
• Clean coding practices