MOBILE APPLICATION SECURITY
- STATE OF PLAY -
ZSOLT NEMETH
@ZSOLT_NEMETH
SUMMARY
- CONFLICT OF INTEREST BETWEEN PLAYERS
SECURITY DEVELOPERS VS. CONSULTANTS
- THEY DO NOT KNOW EACH OTHER'S PLAYBOOKS
ISSUES
…
- MANUAL PENTESTS, SECURE CODING, LONG PATCHING CYCLES ARE SLOW
CONCERNS OVER MOBILE APPS
- 2013: 24%
- 2014: 35%
- 2015 (DEC): 63%
"CONCERN OVER MOBILE AND CLOUD-BASED APPLICATIONS BOTH INCREASED FROM LESS THAN 10% IN 2014 TO DOMINATE THE NEXT TOP SPOTS IN 2015."
SOURCE: FORRESTER; SECURITY AWARENESS REPORT, 2015
TESTING METHODS
- DAST: DYNAMIC APPLICATION SECURITY TESTING
- SAST: STATIC APPLICATION SECURITY TESTING
- IAST: INTERACTIVE APPLICATION SECURITY TESTING
- FUZZING
- CODE REVIEW
- PENETRATION TESTING (PENTEST)
- BUG BOUNTY PROGRAMMES
SOURCE CODE AVAILABILITY
SOURCE CODE AVAILABLE:
- PROPER CODE-AUDITING CAN BE DONE
- HIGHER CHANCE TO SPOT AN ERROR
- DEVELOPER CASES
- ISSUE OF 3RD PARTY LIBRARIES
- LESS PATCHING TIME
SOURCE CODE MISSING:
- REVERSE ENGINEERING NEEDED
- APPROX. 65% OF TESTS CAN BE DONE
- TELCO / RESELLER CASES
- ISSUE OF 3RD PARTY DEVELOPERS
MOBILE APPLICATION SECURITY STANDARDS
OWASP TOP 10
ISO 27034
NIST 800-53/64
THE TOP 10 LIST
1. ACTIVITY MONITORING AND DATA RETRIEVAL
2. UNAUTHORIZED DIALING, SMS AND PAYMENTS
3. UNAUTHORIZED NETWORK CONNECTIVITY (EXFILTRATION, COMMAND & CONTROL)
4. UI IMPERSONATION
5. SYSTEM MODIFICATION (ROOTKIT, APN PROXY CONFIG)
6. LOGIC OR TIME BOMB
7. SENSITIVE DATA LEAKAGE (INADVERTENT OR SIDE CHANNEL)
8. UNSAFE SENSITIVE DATA STORAGE
9. UNSAFE SENSITIVE DATA TRANSMISSION
10. HARDCODED PASSWORD/KEYS
SOURCE: HTTPS://WWW.OWASP.ORG/IMAGES/9/94/MOBILETOPTEN.PDF
MAIN DRIVERS
COMPLIANCE
ECONOMIC IMPACT ON COMPANY
DIRECT RESPONSE FOR A SECURITY INCIDENT
SOLUTIONS
PENETRATION TESTING
EXPENSIVE & SLOW
TRAINING – SAFE CODE (WWW.SAFECODE.ORG)
TIME CONSUMING
SOURCE CODE ANALYSIS
ONLY IF SOURCE CODE IS AVAILABLE
AUTOMATED SOLUTIONS
- VERACODE
- APPTHORITY
- APP-RAY (FULLY AUTOMATED)
HOW DOES IT WORK
BENEFITS:
- PATCHING TIME LOW
- TIME & COST EFFICIENT
- SPOTTING SERIOUS ISSUES IMMEDIATELY
- NO NEED OF SOURCE CODE
- INTEGRATION INTO BUSINESS PROCESSES
- LESS EXPERT WORKFORCE CAN DO IT
"26% OF DEFENDERS TOOK 2-7 DAYS TO DEPLOY PATCHES TO CRITICAL APPS IN USE, WHILE ANOTHER 22% TOOK 8-30 DAYS, AND 14% NEEDED 31 DAYS TO THREE MONTHS TO DEPLOY PATCHES SATISFACTORILY."
SOURCE: SECURITY AWARENESS REPORT, 2015
THANK YOU FOR YOUR ATTENTION
ZSOLT NEMETH, FOUNDER OF APP-RAY GMBH
WWW.APP-RAY.CO
TYPICAL CUSTOMER TYPES FOR APP-RAY
1. TELECOM COMPANIES
2. ENTERPRISE APP STORES
a) FOR EMPLOYEES (CREDIT AGRICOLE)
HTTPS://WWW.CREDITAGRICOLESTORE.FR/
b) FOR CUSTOMERS (DEUTSCHE BANK, ETC)
HTTPS://WWW.AUTOBAHN.DB.COM/MICROSITE/DOCS/A_NEW_GENERATION_OF_GTB_SERVICES_FOR_CORPORATES_-_EXPERIENCE_THE_AUTOBAHN_APP_MARKET_%28BROCHURE_ENGLISH%29.PDF
c) BANKING APP STORES FOR CUSTOMERS
HTTP://EC.EUROPA.EU/FINANCE/PAYMENTS/DOCS/FRAMEWORK/PSD_CONSUMERS/PSD_EN.PDF
HTTPS://WWW.PIAPPBANK.COM.AU/APPGRID/APPCATALOGUE.HTM