security considerations for mobile apps and apis
play

Security Considerations for Mobile Apps and APIs John DiLeo, D.Sc. - PowerPoint PPT Presentation

Dec 20, 2022 •346 likes •700 views

Security Considerations for Mobile Apps and APIs John DiLeo, D.Sc. (@gr4ybeard) OWASP New Zealand - Auckland August 2019 Wellhow did I get here? Born and raised in northeastern US Straight to university from high school

  1. Security Considerations for Mobile Apps and APIs John DiLeo, D.Sc. (@gr4ybeard) OWASP New Zealand - Auckland August 2019

  2. “Well…how did I get here?” • Born and raised in northeastern US • Straight to university from high school – B.S.E.E. in Computer Engineering – No relevant summer jobs or internships • Started first job four weeks after graduation • Swore would never return to school

  3. “Well…how did I get here?” • Phase 1: Operations Research / Simulation – US military systems (Army/DoD) • Other duties: TEMPEST assessments, Unix admin. – US air traffic control (FAA) – Two Master’s degrees, part-time – Doctoral research: FreeSML simulation “language” • This phase lasted 17 years

  4. “Well…how did I get here?” • Phase 2: Java/Web App Development – Tinkering: Java Applets, CGI Scripts, etc. – Studies: Programming Languages course – Teaching: Info. Systems, Programming, Maths – Building server-side applications • US Dept. of Agriculture – Farm subsidy programmes • Java, JSP, Struts, Spring, etc. • “Heavyweight” Web Services – SOAP, EJBs – Shifted to Architect roles – mostly AFK since • This phase lasted 18 years

  5. “And you may find yourself in another part of the world” • Phase 3: Application Security – Started with teaching…again – Cross-trained: GSSP-Java, GSEC, CEH – Secure Coding à Software Assurance – Moved to New Zealand in 2017 • This phase has lasted six years, so far… – BTW…it has NOT been 41 years since graduation – There were overlaps

  6. “And you may find yourself in a beautiful house…” • Joined Orion Health in December 2017 – I am the Application Security Team – And usually work out of Orion House, in Auckland • Orion specialises in healthcare information systems – Electronic Medical Records – Healthcare Analytics – “Precision Medicine” (Machine Learning) – PHI protection has to be a high priority • Customers world-wide – District/Regional Health Boards – Private Health Insurers – Hospitals – Health Information Exchanges (HIEs)

  7. Sidebar: Orion Heath is Hiring • Current headcount: 650+ – Development teams in Auckland, Christchurch, Canberra, Bangkok, Montreal – Solution implementation teams worldwide • Hiring Intern and Graduate Developers – Working in Auckland (for Grads, initially) – Apply through: summeroftech.co.nz – CV review already ongoing – Interviews 17 September, in Auckland – Offers out in early October

  8. “Letting the days go by…” Then…I got involved in OWASP – OWASP Kansas City Chapter • Spoke up at Meetups • Invited to join Chapter Steering Committee – OWASP New Zealand Chapter • Attended OWASP NZ Day • Filled vacant role as Auckland-area Leader – OWASP Projects • Software Assurance Maturity Model (SAMM) Project • Co-Leader, AppSec Curriculum Project

  9. OWASP Activities and Events • Global AppSec Conferences – December 2020: Tokyo (tentative) • Regional AppSec Conferences – AppSec Days, Sydney • Training: 28 – 31 October • Conference: 1 November • Meetups - Auckland, Christchurch, Wellington • Chapter Mailing List To join: https://groups.google.com/a/owasp.org/forum/#!foru m/new-zealand-chapter/join • InfoSecNZ Slack (infosecnz.slack.com)

  10. OWASP New Zealand Day • University of Auckland Business School – Training: 19 – 20 February – Conference: 21 February – Still FREE! • Some travel “scholarships” will be available – Applications will open 1 December • Training – Fees higher this year • Half-day class: $325 • One-day class: $625 • Two-day class: $1250 – But…watch for future news

  11. OWASP New Zealand Day Sponsors to Date

  12. And now…this Something, Something, Mobile App Security

  13. OWASP Resources • Web Site – https://www.owasp.org • Mobile Security Project – Mobile Top Ten – Mobile Security Testing Guide (MSTG) (LeanPub) – Mobile AppSec Verification Standard (MASVS) (PDF) – Mobile Application Security Checklist (GitHub)

  14. OWASP Mobile Top 10 (2016) M1 – Improper Platform Usage M2 – Insecure Data Storage M3 – Insecure Communication M4 – Insecure Authentication M5 – Insufficient Cryptography M6 – Insecure Authorization M7 – Client Code Quality M8 – Code Tampering M9 - Reverse Engineering M10 – Extraneous Functionality

  15. Mobile and Client-Side Apps Mobile apps and client-side applications have a lot in common – Emphasis on responsive user experience – Business logic executes in end-user device – Rely on “back-end” service requests to obtain/persist data Much of what we’ll look at really applies to both

  16. Considerations when Building Apps • SECURITY and PRIVACY – Design it in from the start! • User experience and useability • Performance • Platform(s) to support • Testing approach • Monetization – Payment processing – Users: The customer or the product? • Future-proofing – Scalability – Reliability – Updates and patching

  17. Security Mobile Apps What should I worry about? Well…what’s in the threat model ? “Four Questions” Approach (Adam Shostack) 1. What are we building? 2. What could go wrong (threat)? 3. What can we do about that (mitigation)? 4. How did we do? • Verify mitigations • Validate model

  18. What are we building? • Mobile app – Our source code (usually proprietary) – Core platform and build system – Third-party libraries – Local data storage, including keys/credentials – Device function interfaces (camera, GPS, etc.) • REST APIs • Data – Users – Subjects – Transactions à Users’ rights/permissions/abilities/swag

  19. What could go wrong? - Our source code Insecure code • Injection vulnerabilities – Home-built encryption or AuthX system – Buffer overflows – Memory management issues (leaks) – Test mode/test code/demo creds included in releases – Mobile Top 10: M7 – Client Code Quality M10 – Extraneous Functionality Mitigation: Don’t do that! – Developer training and awareness – Secure coding standards – Shared libraries/services – Automated security testing (static and/or dynamic) – Code reviews

  20. What could go wrong? - Our source code • Malicious modification – Source code, in the repository – Executable app – in store – Executable app – through unauthorized redistribution Mobile Top 10: M8 – Code Tampering Mitigation: – Restrict access to source code repositories – Restrict access to build-publish pipeline – Separation of duties in release approval process – Use application signing – Distribute only through reputable app stores – Provenance checking – more challenging

  21. What could go wrong? - Our source code • Theft – Publication – Appropriation – Zero-day attacks Mobile Top 10: M9 – Reverse Engineering Mitigation: – Restrict access to source code repositories – Data Loss Prevention (DLP) – Robust Joiners/Movers/Leavers (JML) processes – Anti-reverse engineering techniques

  22. What could go wrong? - Our source code • Corruption / Destruction – Entire code base – Recent work – Expert knowledge Mitigation: – Replication and/or backups of code repositories • And test them! – Developer training: Frequent commits – Never skip documentation “to save time” – JML processes, again

  23. What could go wrong? - Core Platform and Build System • Vulnerabilities in core platform libraries • Vulnerabilities in build system components Mobile Top 10: M7 – Client Code Quality Mitigation: – Pay attention to various “intelligence channels” • “Official” sources: US-CERT, CERT NZ, vendors • “Informal” channels: Twitter, Blogs, Reddit (usually faster) • “News summary” sources: Slashdot, etc. (usually slower ) – Install patches/updates, obtained from trusted sources, in a reliable, timely manner

  24. What could go wrong? - Third-Party Libraries • Vulnerabilities in core platform libraries • Vulnerabilities in build system components Mobile Top 10: M7 – Client Code Quality Mitigation: – Pay attention to various “intelligence channels” – Install patches/updates, obtained from trusted sources, in a reliable, timely manner – Have a complete inventory of dependencies – including dependencies of dependencies – Use locked, local mirrors for releases

  25. What could go wrong? - Local Data Storage (on device) • Sensitive data / credentials stored insecurely Mobile Top 10: M2 – Insecure Data Storage M5 – Insufficient Cryptography Mitigation: – Leverage device support (e.g., Private mode) – Encrypt all data • Incorporate factor known by user (when possible) • Use device-provided support for key storage

  26. What could go wrong? - Device function interfaces • App has permissions to access and/or update hardware/data it doesn’t need Mobile Top 10: M1 – Improper Platform Usage Mitigation: – Request only the minimum set of permissions required – Request permission for “high-value” access only if user requests functionality requires it – Ensure app responds sensibly, if permission for “high-value” access is denied

Recommend

PAST, PRESENT AND FUTURE OF APIS FOR MOBILE AND WEB APPS Once upon a time We tried to connect

PAST, PRESENT AND FUTURE OF APIS FOR MOBILE AND WEB APPS Once upon a time We tried to connect

Ole Lensmar CTO SmartBear Software PAST, PRESENT AND FUTURE OF APIS FOR MOBILE AND WEB APPS Once upon a time We tried to connect (early 90:ies) Multiple protocols / initiatives DCE/RPC (OSF) CORBA (OMG) COM / DCOM

621 views • 48 slides
CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Mobile Security Issues Introduction So many cool mobile apps Access to web, personal information, social media, etc

1.05k views • 55 slides
Building Mobile APIs with Services by Stephan Jaensch - sjaensch@yelp.com What's Yelp?

Building Mobile APIs with Services by Stephan Jaensch - sjaensch@yelp.com What's Yelp?

Building Mobile APIs with Services by Stephan Jaensch - sjaensch@yelp.com What's Yelp? connect people with great local businesses website, apps, mobile site 142 million monthly unique visitors 77 million reviews Yelp for Biz Owners

508 views • 29 slides
Educational Mobile Apps Dr. Agnieszka (Aga) Palalas October 2013 1 Educational Mobile Apps

Educational Mobile Apps Dr. Agnieszka (Aga) Palalas October 2013 1 Educational Mobile Apps

Educational Mobile Apps Dr. Agnieszka (Aga) Palalas October 2013 1 Educational Mobile Apps Outcome : To determine the key benefits and uses of mobile apps inside and outside the classroom. To identify the main issues to be considered when

620 views • 14 slides
Mobile Apps INFM 603 Week 10 Agenda Questions Mobile Apps HCI Project

Mobile Apps INFM 603 Week 10 Agenda Questions Mobile Apps HCI Project

Mobile Apps INFM 603 Week 10 Agenda Questions Mobile Apps HCI Project discussions Native Apps Live on device Access to all device features GPS, accelerometer, compass, list of contacts Written for specific

654 views • 38 slides
Mobile Apps in the Marketplace Mobile Technology Association of Michigan 1 Mobile Apps in the

Mobile Apps in the Marketplace Mobile Technology Association of Michigan 1 Mobile Apps in the

Mobile Apps in the Phone: (248) 470-3257 Email: Linda@GoMobileMichigan.org Marketplace Twitter: twitter.com/GoMobileMI Mobile Apps in the Marketplace Mobile Technology Association of Michigan 1 Mobile Apps in the Phone: (248)

611 views • 32 slides
Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security

Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security

CS 155 Spring 2018 Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security Introduction: platforms and trends Threat categories Physical, platform malware, malicious apps Defense

1.17k views • 93 slides
CS 403X Mobile and Ubiquitous Computing Lecture 14: Google Places, Other Useful Android APIs and

CS 403X Mobile and Ubiquitous Computing Lecture 14: Google Places, Other Useful Android APIs and

CS 403X Mobile and Ubiquitous Computing Lecture 14: Google Places, Other Useful Android APIs and Cool Location Aware Apps Emmanuel Agu Google Places Place: physical space that has a name (e.g. local businesses, points of interest,

690 views • 24 slides
Delivering Delight to Mobile App Customers Our Apps. PRESENTATION NAME GOES HERE 2013 2015

Delivering Delight to Mobile App Customers Our Apps. PRESENTATION NAME GOES HERE 2013 2015

Delivering Delight to Mobile App Customers Our Apps. PRESENTATION NAME GOES HERE 2013 2015 2016/2017 New features in Adobe Mobile The Lott Mobile Apps are Tatts.com Mobile Apps Services are released to launched (Tatts.com

396 views • 24 slides
Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction:

Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction:

Spring 2018 CS 155 Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction: platforms and trends Threat categories n Physical, platform malware, malicious apps Defense against physical theft Thurs

1.28k views • 64 slides
Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of

Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of

WELCOME Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of information An App is a piece of so ware (a program) that needs to be installed on Mobile Apps are device specific, meaning that an App that runs

268 views • 12 slides
10 th Stakeholders Forum Harnessing mobile apps and social media for product safety Phil

10 th Stakeholders Forum Harnessing mobile apps and social media for product safety Phil

10 th Stakeholders Forum Harnessing mobile apps and social media for product safety Phil Tregunno, MHRA WEB-RADR Consortium Mobile Apps Mobile technology Apps Launched Package under development for other MS by the end of the project

368 views • 17 slides
Responsive Webapps & Mobile Apps Mobile-friendly CSS frameworks and introduction to mobile

Responsive Webapps & Mobile Apps Mobile-friendly CSS frameworks and introduction to mobile

Responsive Webapps & Mobile Apps Mobile-friendly CSS frameworks and introduction to mobile apps CS 370 SE Practicum, Cengiz Gnay (Some slides courtesy of Eugene Agichtein and the Internets) CS 370, Gnay (Emory) Responsive Webapps &

1.21k views • 67 slides
Building Pinterests Mobile Apps Mike Beltzner Product Manager Garrett Moon Mobile Team

Building Pinterests Mobile Apps Mike Beltzner Product Manager Garrett Moon Mobile Team

Building Pinterests Mobile Apps Mike Beltzner Product Manager Garrett Moon Mobile Team (iOS) Discover Pinterest Engineers Building Pinterests Mobile Apps Pinterest and mobile Launched iPhone app in 2011 Summer of Apps in

625 views • 36 slides
Mobile Apps Marketing strategies November 23 2015 Mohamed Abdeljalil Managing Director &

Mobile Apps Marketing strategies November 23 2015 Mohamed Abdeljalil Managing Director &

Mobile Apps Marketing strategies November 23 2015 Mohamed Abdeljalil Managing Director & Co-Founder of MIMV Technology MOBILE APPS: Time for Introduction ! 2 App IS Millions of Apps are released in the App stores, hundreds are

664 views • 49 slides
Security Analysis of Anti-Theft Solutions by Android Mobile Anti-Virus Apps Laurent Simon

Security Analysis of Anti-Theft Solutions by Android Mobile Anti-Virus Apps Laurent Simon

Security Analysis of Anti-Theft Solutions by Android Mobile Anti-Virus Apps Laurent Simon lmrs2@cam.ac.uk https://www.cl.cam.ac.uk/~lmrs2/ Talk outline Background Mobile Anti Virus (MAV) sample Lock Wipe 21/05/15 Laurent

481 views • 28 slides
mobile measurements: the mobile app / OS perspective Why understanding mobile app performance is

mobile measurements: the mobile app / OS perspective Why understanding mobile app performance is

mobile measurements: the mobile app / OS perspective Why understanding mobile app performance is hard cellular performance matters to some apps most demanding apps multiplayer gaming VoIP video chat somewhat demanding web

806 views • 52 slides
WELCOME How to build Mobile apps for Magento stores Jenny Ta Max Ta Marketing manager CTO

WELCOME How to build Mobile apps for Magento stores Jenny Ta Max Ta Marketing manager CTO

WELCOME How to build Mobile apps for Magento stores Jenny Ta Max Ta Marketing manager CTO SimiCart.com| Magento in a mobile app Agenda - Opportunities to come - Hurdles to overcome - Build mobile apps. Without mobile coding - Q&A

570 views • 23 slides
STROLLING INTO RING-0 via i/o kit drivers @patrickwardle WHOIS security for the 21st century

STROLLING INTO RING-0 via i/o kit drivers @patrickwardle WHOIS security for the 21st century

STROLLING INTO RING-0 via i/o kit drivers @patrickwardle WHOIS security for the 21st century leverages the best combination of humans and technology to discover security vulnerabilities in our customers web apps, mobile apps, IoT

648 views • 47 slides
Secure Communication in Client-Server Android Apps With a bias towards mobile banking

Secure Communication in Client-Server Android Apps With a bias towards mobile banking

Secure Communication in Client-Server Android Apps With a bias towards mobile banking applications. AFRICA HACKON CONFERENCE, 2016. Convergent Security. whoami Masters Candidate Ethical Hacker Web Developer Jazz fan

599 views • 20 slides
Mobile Apps for Use in the City a living lab event about smart city mobile apps 26-27 January

Mobile Apps for Use in the City a living lab event about smart city mobile apps 26-27 January

Mobile Apps for Use in the City a living lab event about smart city mobile apps 26-27 January 2013, Sofia Dr Stavri Nikolov Digital Spaces Living Lab Founding Director stavri.nikolov@digitalspaces.info Digital Spaces Living Lab (DSLL) PLAYS

307 views • 29 slides
X A M A R I N . F O R M S F O R B E G I N N E R S A B O U T M E Tom Soderling Sr. Mobile Apps

X A M A R I N . F O R M S F O R B E G I N N E R S A B O U T M E Tom Soderling Sr. Mobile Apps

X A M A R I N . F O R M S F O R B E G I N N E R S A B O U T M E Tom Soderling Sr. Mobile Apps Developer @ Polaris Industries; Ride Command Xamarin.Forms enthusiast DevOps hobbyist & machine learning beginner 4 year XCMD Blog:

607 views • 43 slides
Mobile and Touch-Based Web Applications Corsin Decurtins Welcome Please switch off your mobile

Mobile and Touch-Based Web Applications Corsin Decurtins Welcome Please switch off your mobile

Mobile und Touch-Basierte Web Applikationen Mobile and Touch-Based Web Applications Corsin Decurtins Welcome Please switch off your mobile phones ... No wait! Introduction Mobile Applications Apps Web Apps Facebook cnn.com Gmail Twitter

797 views • 53 slides
School&Apps Parents(are(mobile.( Their(schools(should(be(too!

School&Apps Parents(are(mobile.( Their(schools(should(be(too!

School&Apps Parents(are(mobile.( Their(schools(should(be(too! Customized&app&for&your&school& Your%app%will%be% available%on%Apple%store% and%Google%play% SaasMicro School%Apps%provide%a%versatile%and%instant%way%for%

614 views • 19 slides

More recommend