mobile app security
play

Mobile App Security An introduction Marc Obrador Who am I? Marc - PowerPoint PPT Presentation

Oct 20, 2022 •484 likes •808 views

Mobile App Security An introduction Marc Obrador Who am I? Marc Obrador Co-founder & Head of Product Architecture @ Build38 Barcelona marc@build38.com @marcobrador /in/marc-obrador Build38 | Intro to Mobile App Security February 2020

  1. Mobile App Security An introduction Marc Obrador

  2. Who am I? Marc Obrador Co-founder & Head of Product Architecture @ Build38 Barcelona marc@build38.com @marcobrador /in/marc-obrador Build38 | Intro to Mobile App Security February 2020 2

  3. Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle 2. App Tampering & Repackaging 3. Root / Jailbreak 3. Recap @marcobrador Build38 | Intro to Mobile App Security February 2020 3

  4. Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle 2. App Tampering & Repackaging 3. Root / Jailbreak 3. Recap @marcobrador Build38 | Intro to Mobile App Security February 2020 4

  5. Why Mobile App Security? 2009 2015 2020 100 Desktop 80 60 40 20 Mobile 0 Source: www.gs.statcounter.com Smartphone = Regulation Mobile-first world (depending on market) untrusted device Build38 | Intro to Mobile App Security February 2020 5

  6. Mobile AppSec vs “traditional” Cyber Securtity Build38 | Intro to Mobile App Security February 2020 6

  7. Is there anything I can do? Let’s first switch our perspective Build38 | Intro to Mobile App Security February 2020 7

  8. The hacker’s perspective 25 80 20 60 15 40 10 20 5 0 0 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 -20 -5 -10 -40 Investment Income Cumulated Profit Build38 | Intro to Mobile App Security February 2020 8

  9. Is there anything I can do? Build38 | Intro to Mobile App Security February 2020 9

  10. Is there anything I can do? Make it unattractive for the hacker Build38 | Intro to Mobile App Security February 2020 10

  11. Is there anything I can do? 25 80 20 60 15 40 10 20 5 0 0 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 -20 -5 -10 -40 Investment Income Cumulated Profit Build38 | Intro to Mobile App Security February 2020 11

  12. Is there anything I can do? 1. Increase required investment: Obfuscation + Anti-reversing 25 80 2. Reduce income: Diversification 20 60 3. Force periodic investment: Renewability 15 40 10 20 5 0 0 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 -20 -5 -10 -40 Investment Income Cumulated Profit Build38 | Intro to Mobile App Security February 2020 12

  13. Things to protect User Data Business Data / IP DRM Build38 | Intro to Mobile App Security February 2020 13

  14. Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle 2. App Tampering & Repackaging 3. Root / Jailbreak 3. Recap @marcobrador Build38 | Intro to Mobile App Security February 2020 14

  15. Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle 2. App Tampering & Repackaging 3. Root / Jailbreak 3. Recap @marcobrador Build38 | Intro to Mobile App Security February 2020 15

  16. MITM HTTPS is assumed! Build38 | Intro to Mobile App Security February 2020 16

  17. MITM with HTTPS? No, if Certificate Pinning is used Android: depends on OEM iOS: requires social engineering Build38 | Intro to Mobile App Security February 2020 17

  18. Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle 2. App Tampering & Repackaging 3. Root / Jailbreak 3. Recap @marcobrador Build38 | Intro to Mobile App Security February 2020 18

  19. What is it? 1. Download 2. Unpack 3. Modify 4. Repack 5. Distribute Build38 | Intro to Mobile App Security February 2020 19

  20. But, why? Cheating on games Getting paid features for free Stealing user data Build38 | Intro to Mobile App Security February 2020 20

  21. Android: apktool + smali code Build38 | Intro to Mobile App Security February 2020 21

  22. iOS: dynamic library injection Build38 | Intro to Mobile App Security February 2020 22

  23. Protecting against app repackaging Obfuscation Detect it Build38 | Intro to Mobile App Security February 2020 23

  24. Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle 2. App Tampering & Repackaging 3. Root / Jailbreak 3. Recap @marcobrador Build38 | Intro to Mobile App Security February 2020 24

  25. The ”sandbox” model @marcobrador Build38 | Intro to Mobile App Security February 2020 25

  26. Root / Jailbreak Detection /scottyab/rootbeer /KimChangYoun/rootbeerFresh /Stericson/RootTools /avltree9798/isJailbroken /thii/DTTJailbreakDetection @marcobrador Build38 | Intro to Mobile App Security February 2020 26

  27. What to do if Root / Jailbreak is found? @marcobrador Build38 | Intro to Mobile App Security February 2020 27

  28. What to do if Root is found? Sources: - https://techcrunch.com/2019/08/29/google-iphone-secretly-hacked/ - https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html @marcobrador Build38 | Intro to Mobile App Security February 2020 28

  29. What to do if Root is found? Nothing Restrict some sensitive functionality Deny service Design your security model assuming that root can (and will) happen @marcobrador Build38 | Intro to Mobile App Security February 2020 29

  30. Agenda 1. Introduction 2. Some Common Threads 1. Man-In-The-Middle 2. App Tampering & Repackaging 3. Root / Jailbreak 3. Recap @marcobrador Build38 | Intro to Mobile App Security February 2020 30

  31. Recap - 100% protection does not exist – aim for “good enough” - Certificate Pinning is a good idea - Apps can be reverse engineered and repackaged § Move security-relevant logic to backend or write it in native C - Root can be really bad – come up with a plan Build38 | Intro to Mobile App Security February 2020 31

  32. Thank you! Any questions?

Recommend

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Mobile Security Issues Introduction So many cool mobile apps Access to web, personal information, social media, etc

1.05k views • 55 slides
What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017

What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017

What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017 Dan S. Wallach , Rice University tl;dr The computers inside the computer Every chip has one or more CPUs inside; they have exploitable bugs

1.23k views • 87 slides
Latest Trends in Mobile Security By M K Chaithanya C-DAC Hyderabad Outline Introduction

Latest Trends in Mobile Security By M K Chaithanya C-DAC Hyderabad Outline Introduction

Latest Trends in Mobile Security By M K Chaithanya C-DAC Hyderabad Outline Introduction Statistics of Mobile Usage Current State of Mobile Security Recent Attacks Various Mobile Threats Security & Privacy

1.03k views • 57 slides
Mobile network security issues A very short overview of some mobile security issues.

Mobile network security issues A very short overview of some mobile security issues.

Mobile network security issues A very short overview of some mobile security issues. Mobile access is expected to become the main access method. Services and mobile commerce (mCommerce) are expected to become a major business.

818 views • 20 slides
CS 528 Mobile and Ubiquitous Computing Lecture 9a: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 9a: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 9a: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Announcement Course Evaluations Now online Will be available from Friday, Dec 7 Will also allow students to do

864 views • 50 slides
Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security

Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security

CS 155 Spring 2018 Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security Introduction: platforms and trends Threat categories Physical, platform malware, malicious apps Defense

1.17k views • 93 slides
Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction:

Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction:

Spring 2018 CS 155 Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction: platforms and trends Threat categories n Physical, platform malware, malicious apps Defense against physical theft Thurs

1.28k views • 64 slides
Mobile Communications Mobile Communications Confidentiality Security No access to information

Mobile Communications Mobile Communications Confidentiality Security No access to information

Security Requirements Authorization Which objects are accessible by whom? Authentication Reliable identification of users identity . Mobile Communications Mobile Communications Confidentiality Security No access to information for

577 views • 11 slides
Mobile security: Tips and tricks for securing your iPhone, Android and other mobile devices

Mobile security: Tips and tricks for securing your iPhone, Android and other mobile devices

Mobile security: Tips and tricks for securing your iPhone, Android and other mobile devices Presented by Michael Harris [MS, CISSP, WAPT] Systems Security Analyst University of Missouri Overview What data needs to be protected, what

407 views • 18 slides
CS 528 Mobile and Ubiquitous Computing Lecture 11b: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11b: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11b: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Authentication using Biometrics Biometrics Passwords tough to remember, manage Many users have simple passwords (e.g.

506 views • 34 slides
CS 528 Mobile and Ubiquitous Computing Lecture 9b: Mobile Security and Mobile Measurements

CS 528 Mobile and Ubiquitous Computing Lecture 9b: Mobile Security and Mobile Measurements

CS 528 Mobile and Ubiquitous Computing Lecture 9b: Mobile Security and Mobile Measurements Emmanuel Agu Authentication using Biometrics Biometrics Passwords tough to remember, manage Many users have simple passwords (e.g. 1234) or do

827 views • 54 slides
CS 528 Mobile and Ubiquitous Computing Lecture 10b: Mobile Security and Mobile Measurements

CS 528 Mobile and Ubiquitous Computing Lecture 10b: Mobile Security and Mobile Measurements

CS 528 Mobile and Ubiquitous Computing Lecture 10b: Mobile Security and Mobile Measurements Emmanuel Agu Authentication using Biometrics Biometrics Passwords tough to remember, manage Many users have simple passwords (e.g. 1234) or do

780 views • 54 slides
Mobile and Ubiquitous Computing on Smartphones Lecture 10b: Mobile Security and Mobile Software

Mobile and Ubiquitous Computing on Smartphones Lecture 10b: Mobile Security and Mobile Software

Mobile and Ubiquitous Computing on Smartphones Lecture 10b: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Authentication using Biometrics Biometrics Passwords tough to remember, manage Many users have simple passwords

520 views • 38 slides
CSE 543 - Computer Security Lecture 26 - Mobile phone security December 11, 2007 URL:

CSE 543 - Computer Security Lecture 26 - Mobile phone security December 11, 2007 URL:

CSE 543 - Computer Security Lecture 26 - Mobile phone security December 11, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 Mobile Phones Networked device

302 views • 11 slides
Steroids For Your App Security Assessment Marco Grassi Mobile Security Researcher ~ whoami

Steroids For Your App Security Assessment Marco Grassi Mobile Security Researcher ~ whoami

Steroids For Your App Security Assessment Marco Grassi Mobile Security Researcher ~ whoami R&D Team Member @ viaForensics I work mainly on Android/iOS The Problem We want to trace the code in mobile applications that we

632 views • 48 slides
Mobile Communications Mobile Communications Security Types of Attacks 802.11 Security

Mobile Communications Mobile Communications Security Types of Attacks 802.11 Security

Mobile Communications Mobile Communications Security Types of Attacks 802.11 Security Access Control Lists Access Control Lists GSM Security GSM Security WEP Authentication WPA/WPA2 Encryption 802.1X/EAP

409 views • 15 slides
Mobile Communications Mobile Communications Security Types of Attacks 802.11 Security

Mobile Communications Mobile Communications Security Types of Attacks 802.11 Security

Mobile Communications Mobile Communications Security Types of Attacks 802.11 Security Access Control Lists Access Control Lists GSM Security GSM Security WEP Authentication WPA/WPA2 Encryption 802.1X/EAP

536 views • 43 slides
Mobile Application Security Testing and Code Review 19 Nov 2013 Mobile and Smart Device

Mobile Application Security Testing and Code Review 19 Nov 2013 Mobile and Smart Device

Mobile Application Security Testing and Code Review 19 Nov 2013 Mobile and Smart Device Security 2013 Boston, MA Presen sented ted by: Francis Brown & Joe DeMesy Bishop Fox www.bishopfox.com Introductions VERY QUICKLY

3.77k views • 83 slides
Security Issues in Mobile Agents E C Vijil School of Information Technology vijil@it.iitb.ac.in

Security Issues in Mobile Agents E C Vijil School of Information Technology vijil@it.iitb.ac.in

Security Issues in Mobile Agents E C Vijil School of Information Technology vijil@it.iitb.ac.in 16 January 2002 Security Issues in Mobile Agents 1 Overview of the Talk The Mobile Agent Paradigm Security Threats and Counter Measures

587 views • 24 slides
CS 563 Mobile OS & Device Security Advanced Computer Security CS 563 University of Illinois

CS 563 Mobile OS & Device Security Advanced Computer Security CS 563 University of Illinois

CS 563 Mobile OS & Device Security Advanced Computer Security CS 563 University of Illinois at Urbana-Champaign Presentation by: Gliz Seray Tuncay Administrative Announcements : Reaction paper was due today (and all classes)

807 views • 52 slides
(Mobile SSL Failure (Mobile SSL Failure Stardate: 92492.76 Who are these guys? Who are these

(Mobile SSL Failure (Mobile SSL Failure Stardate: 92492.76 Who are these guys? Who are these

(Mobile SSL Failure (Mobile SSL Failure Stardate: 92492.76 Who are these guys? Who are these guys? Penetration Testers at LinkedIn Tony Trummer - Staff Security Engineer aka SecBro Tushar Dalvi - Sr. Security Engineer & Pool Hustler

1.17k views • 68 slides
Stay invisible in the digital world 1 Mobile Trust Telecommunications About us We provide a

Stay invisible in the digital world 1 Mobile Trust Telecommunications About us We provide a

Cyber security is a National Security Priority Barack Obama Mobile Trust Telecommunications (MTT) presents Stealthphone Information Security System Stay invisible in the digital world 1 Mobile Trust Telecommunications About us We

501 views • 21 slides
CS412 Software Security Mobile Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Mobile Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Mobile Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Mobile computing You are tasked in developing a mobile computing system. What features do you need? How do you ensure device

383 views • 24 slides
Admin Today/Friday: mobile platform security Wednesday: Guest lecture: Christoph Kern,

Admin Today/Friday: mobile platform security Wednesday: Guest lecture: Christoph Kern,

CSE 484 / CSE M 584: Computer Security and Privacy Mobile Platform Security [start] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John

638 views • 26 slides

More recommend