Sck Mobile Application Security

บริษัท สยามํานาญกิจ จํากัด และเพ่ือนพ้องน้องพ่ี


Based on data rather than

assumptions


https://techinfographics.com/2016-mobile-app-development-trends/


http://www.smartinsights.com/mobile-marketing/mobile-marketing-analytics/mobile-marketing-statistics/


https://securityintelligence.com/how-to-protect-mobile-apps-essentials/


75% of mobile applications would not be able to pass out even the critical security tests--Gartner’s prediction


Most apps have been hacked !!


97% of the top 100 paid apps on the Google Android platform had been hacked—Arxan :: State of mobile security



87% of the top 100 paid apps for Apple iOS had been hacked

—Arxan :: State of mobile security



80% of popular free apps on Android had been hacked




75% of popular free apps on Apple iOS had been hacked




http://www.technoinfonet.com/blog/7-mobile-app-development-trends-to-watch-in-2016/


Security will still be a huge challenge in mobile applications


Mobile Security problems ?


Mobile Security problems ?

Unintended leakage of dataBroken cryptographyInsecure data storage

etc…


We need developer !!


But …


Mobile Developer


And …


Most developers are not trained to develop secure applications !!


Most developers are new to creating mobile applications !!


Reload


Mobile Application Security


Mobile technologies have their own distinct risks


Features of Mobile ?


Features of Mobile ?Carry in pocketDrop in toiletSell on e-commerceLeave on taxiAlways onlineetc …


Many mobile solutions are not secure as you think


Attackers will be able to access

Target user/deviceYour application binary


Mobile applications are different than web applications


Revolution


Why Mobile Security ?


Why Mobile Security ?

network !!


http://blog.scottlogic.com/2014/07/07/School-of-Testing.html




Security Expert



Stop Protecting Your Apps; It's Time for Apps to Protect Themselves--Joseph Feiman


1. Secure the code


2. Secure the device


3. Secure the data


4. Secure the transaction


5. Secure the network


Not enough !!


provide checklist & resources


Mobile Top Ten 2016

M1 Improper Platform Usage

M2 Insecure Data Storage

M3 Insecure Communication

M4 Insecure Authentication


Mobile Top Ten 2016





M5 Insufficient

Cryptography

M6 Insecure Authorization

M7 Client Code Quality

M8 Code Tempering


Mobile Top Ten 2016





M5 Insufficient

Cryptography

M6 Insecure Authorization

M7 Client Code Quality

M8 Code Tempering

M9 Reverse Engineering

M10 Extraneous

Functionality


State of Software Security in 2015

https://www.veracode.com/blog/2015/07/what-state-software-security-2015


Top 3


Mobile Application Security


Common mobile threats


Mobile Security Threats


Mobile Assessment


Assessment activities

Type Activities

Static AnalysisScan source codeReview source code Reverse engineering from binary

Dynamic AnalysisDebug execution Traffic capture via proxy Analysis remote services

Forensic AnalysisFile permission analysis File content analysis


Mobile Security Review


Demo with Android AppReverse engineering


APK file is ZIP fileA lot of information !!


http://www.javadecompilers.com/apk


Analyse APK in Android Studio


Analyze Source Code


http://www.javadecompilers.com/apk


Bad news for developer !!


Bad guys care,So you should … please


Attack tree

https://www.owasp.org/images/0/04/Security_Testing_Guidelines_for_mobile_Apps_-_Florian_Stahl%2BJohannes_Stroeher.pdf

https://www.owasp.org/images/0/04/Security_Testing_Guidelines_for_mobile_Apps_-_Florian_Stahl%2BJohannes_Stroeher.pdf

Sck Mobile Application Security

Technology

Transcript of Sck Mobile Application Security