
MOBILE
- STATE OF PLAY -

ZSOLT NEMETH
@ZSOLT_NEMETH

MOBILE APPLICATION SECURITY 2

SUMMARY

- CONFLICT OF INTEREST BETWEEN PLAYERS: SECURITY DEVELOPERS VS. CONSULTANTS
- THEY DO NOT KNOW EACH OTHERS' PLAYBOOKS

ISSUES

- MANUAL PENTESTS ARE SLOW
- LONG PATCHING CYCLES

CONCERNS OVER MOBILE APPS

- 2013: 24%
- 2014: 35%
- DEC 2015: 63%

CONCERN OVER MOBILE AND CLOUD-BASED APPLICATIONS BOTH INCREASED FROM LESS THAN 10% IN 2014 TO DOMINATE THE NEXT TOP SPOTS IN 2015.

SOURCE: SECURITY AWARENESS FORRESTER REPORT, 2015

TESTING METHODS

- DAST: DYNAMIC APPLICATION SECURITY TESTING
- SAST: STATIC APPLICATION SECURITY TESTING
- IAST: INTERACTIVE APPLICATION SECURITY TESTING
- FUZZING
- CODE REVIEW
- PENETRATION TESTING (PENTEST)
- BUG BOUNTY PROGRAMMES

SOURCE CODE AVAILABILITY

AVAILABLE:
- PROPER CODE-AUDITING CAN BE DONE
- HIGHER CHANCE TO SPOT AN ERROR
- DEVELOPER CASES
- ISSUE OF 3RD PARTY LIBRARIES
- LESS PATCHING TIME

MISSING:
- REVERSE ENGINEERING NEEDED
- APPROX. 65% OF TESTS CAN BE DONE
- TELCO / RESELLER CASES
- ISSUE OF 3RD PARTY DEVELOPERS

MOBILE APPLICATION SECURITY STANDARDS

- OWASP TOP 10
- ISO 27034
- NIST 800-53/64

THE TOP 10 LIST

1. ACTIVITY MONITORING AND DATA RETRIEVAL
2. UNAUTHORIZED DIALING, SMS AND PAYMENTS
3. UNAUTHORIZED NETWORK CONNECTIVITY (EXFILTRATION, COMMAND & CONTROL)
4. UI IMPERSONATION
5. SYSTEM MODIFICATION (, APN PROXY CONFIG)
6. LOGIC OR TIME BOMB
7. SENSITIVE DATA LEAKAGE (INADVERTENT OR SIDE CHANNEL)
8. UNSAFE SENSITIVE DATA STORAGE
9. UNSAFE SENSITIVE DATA TRANSMISSION
10. HARDCODED PASSWORD/KEYS

SOURCE: HTTPS://WWW.OWASP.ORG/IMAGES/9/94/MOBILETOPTEN.PDF

MAIN DRIVERS

- COMPLIANCE
- ECONOMIC IMPACT ON COMPANY
- DIRECT RESPONSE FOR A SECURITY INCIDENT

SOLUTIONS

- PENETRATION TESTING: EXPENSIVE & SLOW
- TRAINING – SAFE CODE (WWW.SAFECODE.ORG): TIME CONSUMING
- SOURCE CODE ANALYSIS: ONLY IF SOURCE CODE IS AVAILABLE

AUTOMATED SOLUTIONS

- VERACODE
- APPTHORITY
- APP-RAY (FULLY AUTOMATED)

HOW DOES IT WORK

BENEFITS:

- PATCHING TIME LOW
- TIME & COST EFFICIENT
- SPOTTING SERIOUS ISSUES IMMEDIATELY
- NO NEED OF SOURCE CODE
- INTEGRATION INTO BUSINESS PROCESSES
- LESS EXPERT WORKFORCE CAN DO IT

"26% OF DEFENDERS TOOK 2-7 DAYS TO DEPLOY PATCHES TO CRITICAL APPS IN USE, WHILE ANOTHER 22% TOOK 8-30 DAYS, AND 14% NEEDED 31 DAYS TO THREE MONTHS TO DEPLOY PATCHES SATISFACTORILY."

SOURCE: SECURITY AWARENESS REPORT, 2015

THANK YOU FOR YOUR ATTENTION

ZSOLT NEMETH, FOUNDER OF APP-RAY GMBH

WWW.APP-RAY.CO

TYPICAL CUSTOMER TYPES FOR APP-RAY

1. TELECOM COMPANIES

2. ENTERPRISE APP STORES
a) FOR EMPLOYEES (CREDIT AGRICOLE)
HTTPS://WWW.CREDITAGRICOLESTORE.FR/
b) FOR CUSTOMERS (DEUTSCHE BANK, ETC)
HTTPS://WWW.AUTOBAHN.DB.COM/MICROSITE/DOCS/A_NEW_GENERATION_OF_GTB_SERVICES_FOR_CORPORATES_-_EXPERIENCE_THE_AUTOBAHN_APP_MARKET_%28BROCHURE_ENGLISH%29.PDF
c) BANKING APP STORES FOR CUSTOMERS
HTTP://EC.EUROPA.EU/FINANCE/PAYMENTS/DOCS/FRAMEWORK/PSD_CONSUMERS/PSD_EN.PDF
HTTPS://WWW.PIAPPBANK.COM.AU/APPGRID/APPCATALOGUE.HTM