Five things you MUST know to CRUSH mobile security bugs
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
Connect with us
Follow us on Twitter @NowSecureMobile
—
Subscribe to #MobSec5 our weekly mobile security news digest
http://mobsec5.nowsecure.com/
—
Visit our website https://www.nowsecure.com
Jake Van Dyke, Mobile Security Researcher
Jeff Nolan, VP Marketing
Contents
● Intro discussion
● 5 things you must know
● Questions
There are a lot of mobile bugs out there on major OSes
325 lifetime Android CVEs by type (130 in 2015)
897 lifetime iOS CVEs by type (385 in 2015)
Source: CVE Details
Known vulnerabilities on Android and iOS in 2016
154 vulnerabilities in Google Android in 2016
84 vulnerabilities in Apple iOS in 2016
Leaving users exposed
Source: CVE Details
25% of mobile apps have at least one high risk security or privacy flaw
NowSecure: 2016 NowSecure Mobile Security Report
Introductory questions
● What is a security bug, flaw, vulnerability, exploit?
● What benefit and harm can arise from embedding security personnel
in a development team?
● How do you prioritize the dramatically increasing number of mobile
vulnerabilities and best practices?
1. Focus on the data
Data best practices
● Implement Secure Data Storage (NowSecure)
● Validate SSL / TLS (NowSecure)
● Certificate and Public Key Pinning (OWASP)
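The two network items above, validating TLS and pinning the server's public key, as an added example that is not code from the deck or from NowSecure. It is written in Go so it runs stand-alone; the hostname api.example.com and the self-signed certificates are constructed for illustration, and the pin format (base64 of SHA-256 over the DER SubjectPublicKeyInfo) is the one OkHttp's CertificatePinner and HPKP use, so the value printed here is what an Android client would ship after the "sha256/" prefix.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns base64(SHA-256(DER SubjectPublicKeyInfo)) for a certificate.
// Pinning the key rather than the whole certificate means a reissued certificate
// for the same key keeps working; only a key change needs an app update.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinVerifier returns a tls.Config.VerifyPeerCertificate callback. Go invokes it
// only after normal chain and hostname validation has passed, and verifiedChains
// is empty when InsecureSkipVerify is set, so the check fails closed in that case.
// Any certificate in any verified chain may satisfy the pin, which is what lets
// an intermediate or backup key be pinned and survive leaf rotation.
func pinVerifier(pins []string) func([][]byte, [][]*x509.Certificate) error {
	allowed := make(map[string]bool, len(pins))
	for _, p := range pins {
		allowed[p] = true
	}
	return func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
		for _, chain := range verifiedChains {
			for _, cert := range chain {
				if allowed[spkiPin(cert)] {
					return nil
				}
			}
		}
		return errors.New("tls: server chain contains no pinned public key")
	}
}

// clientConfig is the hardened client side. The common "accept anything" mistake
// is InsecureSkipVerify: true (on Android, a TrustManager whose check methods are
// empty); here verification stays on, ServerName enables hostname checking, and
// the pin check is layered on top of both.
func clientConfig(serverName string, pins []string) *tls.Config {
	return &tls.Config{
		ServerName:            serverName,
		MinVersion:            tls.VersionTLS12,
		InsecureSkipVerify:    false,
		VerifyPeerCertificate: pinVerifier(pins),
	}
}

// newSelfSignedCert builds a throwaway certificate so the example runs offline.
// Constructed for illustration; a real pin is taken from the production server key.
func newSelfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	server, err := newSelfSignedCert("api.example.com")
	if err != nil {
		panic(err)
	}
	// Same hostname, different key: what a MITM with a CA-issued or injected cert looks like.
	impostor, err := newSelfSignedCert("api.example.com")
	if err != nil {
		panic(err)
	}
	pin := spkiPin(server)
	fmt.Println("pin to ship in the app: sha256/" + pin)

	verify := clientConfig("api.example.com", []string{pin}).VerifyPeerCertificate
	fmt.Println("genuine server:", verify(nil, [][]*x509.Certificate{{server}}))
	fmt.Println("impostor:", verify(nil, [][]*x509.Certificate{{impostor}}))
}
```

Two operational caveats a pinning deployment needs: ship at least one backup pin for a key held offline, or a routine key rotation locks every installed app out of the API, and keep the pin list updatable through an app release rather than baked into a long-lived SDK.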
2. Thwart reverse-engineering
Making your app more complex internally makes it more difficult for attackers to see how the app operates, which can reduce the number of attack vectors.
NowSecure: Secure Mobile Development Best Practices
Strip debugging information in your release build.
Android Studio: https://developer.android.com/studio/build/shrink-code.html
3. Consider security part of quality
Automate or Die: Achieving continuous mobile app security & performance testing
“Because tests occur later in the app development cycle, fixing the inevitable bugs that arise is more difficult and expensive. Legacy testing workflows create delays between the availability of test results and when engineers last worked on their code.”
4. Embrace least privilege
Permissions are: an access control mechanism that grants mobile applications access to device resources.
50% of popular apps integrate an ad library*
* Some integrate as many as 16 different ad networks
Talking Tom app from Outfit7
● Integrates with 8 ad libraries
● 500M installs
● Susceptible to RCE
NowSecure: A Pattern for Remote Code Execution Using Arbitrary File Writes and MultiDex Applications
5. Monitor 3rd-party protocols, code libraries, and standards implementations
80-90% of mobile software consists of re-used libraries.
Olli Jarva, Codenomicon: Third Party Components in Applications: Understanding Application Security
of apps referencing open-source components used the latest version of some library
TechBeacon: Third-Party libraries are one of the most insecure parts of an application
A quick recap:
1. Focus on the data
2. Thwart reverse-engineering
3. Consider security part of quality
4. Embrace least privilege
5. Monitor 3rd-party protocols, code libraries, and standards implementations
Let’s talk
Keep tabs on the state of mobile security. Subscribe to #MobSec5 - a collection of the week’s mobile news that matters - http://mobsec5.nowsecure.com/