Date posted: 23-Jan-2018
Category: Technology
Uploaded by: nowsecure
5 Mobile App Security MUST-DOs in 2018
8X FASTER – 3X DEEPER – MOST TRUSTED
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
DEEP MOBILE SECURITY EXPERTISE
Open source
Books & Speaking
Mobile threat research is in our DNA
▪ Dream team of security researchers
▪ Every waking moment spent:
  – Discovering critical vulns
  – Identifying novel attack vectors
  – Creating/maintaining renowned open-source mobile security tools/projects
The NowSecure Mission
▪ Save the world from unsafe mobile apps
▪ Educate enterprises on the latest mobile threats
▪ Maximize the security of apps enterprises develop, purchase and use
NowSecure #MobSec5: weekly mobile security news update
SUBSCRIBE NOW: www.nowsecure.com/go/subscribe
AGENDA + SPEAKERS
2017 Mobile AppSec Year in Review
2018 Mobile AppSec Must-Dos
Q & A
Brian Reed, Chief Mobility Officer
Andrew Hoog, Founder
Katie Strzempka, VP Cust. Success & Svcs
MOBILE APPSEC IN 2017: YEAR IN REVIEW
YEAR IN REVIEW: SECURITY VULNS
Broadpwn, KRACK, BootStomp
YEAR IN REVIEW: PRIVACY
YEAR IN REVIEW: COMPLIANCE
General Data Protection Regulation (GDPR): takes effect May 2018
NY Cybersecurity Reqs. for Financial Services Companies: took effect August 2017
YEAR IN REVIEW: PLATFORM UPDATES
Face ID on Apple iPhone X: progress in authentication? Jury’s still out
Android 8: Google Play Protect, SafetyNet API, Project Treble, more
iOS 11: Granular location services notifications, SOS mode, TLS improvements, more
INSIDE THE MOBILE APP ATTACK SURFACE

CODE FUNCTIONALITY
▪ GPS spoofing
▪ Buffer overflow
▪ allowBackup flag
▪ allowDebug flag
▪ Code obfuscation
▪ Configuration manipulation
▪ Escalated privileges
▪ URL schemes
▪ Integrity/tampering/repacking
▪ Side channel attacks
▪ App signing key unprotected
▪ JSON-RPC
▪ Automatic Reference Counting
▪ Android rooting/iOS jailbreak
▪ User-initiated code
▪ Confused deputy attack
▪ Multimedia/file format parsers
▪ Insecure 3rd-party libraries
▪ World-writable files
▪ World-writable executables
▪ Dynamic runtime injection
▪ Unintended permissions
▪ UI overlay/PIN stealing
▪ Intent hijacking
▪ Zip directory traversal
▪ Clipboard data
▪ World-readable files

DATA AT REST
▪ Data caching
▪ Data stored in application directory
▪ Decryption of keychain
▪ Data stored in log files
▪ Data cached in memory/RAM
▪ Data stored on SD card
▪ OS data caching
▪ Passwords & data accessible
▪ No/weak encryption
▪ TEE/Secure Enclave Processor
▪ Side channel leak
▪ SQLite database
▪ Emulator variance

DATA IN MOTION
▪ Wi-Fi (no/weak encryption)
▪ Rogue access point
▪ Packet sniffing
▪ Man-in-the-middle
▪ Session hijacking
▪ DNS poisoning
▪ TLS downgrade
▪ Fake TLS certificate
▪ Improper TLS validation
▪ HTTP proxies
▪ VPNs
▪ Weak/no local authentication
▪ App Transport Security
▪ Transmitted to insecure server
▪ Zip files in transit
▪ Cookie “httpOnly” flag
▪ Cookie “secure” flag

API BACKEND
▪ Platform vulnerabilities
▪ Server misconfiguration
▪ Cross-site scripting
▪ Cross-site request forgery
▪ Cross-origin resource sharing
▪ Brute force attacks
▪ Side channel attacks
▪ SQL injection
▪ Privilege escalation
▪ Data dumping
▪ OS command execution
▪ Weak input validation
▪ Hypervisor attack
▪ VPN
MOBILE APPSEC MUST-DOs FOR 2018
1. General Data Protection Regulation (GDPR)
“80% of firms will not comply by May 2018. 50% intentionally. The other 50% will fail. Any successful case against a well-known giant will change the risk/cost balance.” (Forrester, Predictions 2018)
#1: General Data Protection Regulation (GDPR)
FINES
▪ Greater of: up to 4% of annual global revenue or €20 million ($23,717,400 USD)
▪ Deadline: May 25, 2018
A FEW KEY CONCEPTS
▪ Purpose limitation
▪ Data minimization
▪ Limited storage periods
▪ Data protection by design & default
▪ Consent: “Clear affirmative act”
#1: NEAR TERM TO DO
▪ Audit personal data collected & pay special attention to mobile apps
▪ Review privacy policy and other communications and make necessary changes
▪ Review how you receive & manage consent
https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
2. 3rd-Party Libraries / SDKs Risk
#2: CHOOSE 3RD-PARTY LIBS & SDKs WISELY
75% of GitHub projects have dependencies
“Modern applications are largely ‘assembled,’ not developed, and developers often download and use known vulnerable open-source components and frameworks.” (Gartner, DevSecOps: How to Seamlessly Integrate Security Into DevOps)
70% of vulns in free Android apps stemmed from libraries (mostly 3rd-party) (A Study on the Vulnerabilities of Mobile Apps associated with Software Modules)
GitHub will soon warn developers of insecure dependencies
#2: NEAR TERM TO DO
1. Inventory 3rd-party libraries and SDKs used within apps you control/develop
2. Determine whether any of those versions in use include vulns (GitHub dependencies)
3. Make devs aware of any identified vulns and work on a plan to update/replace
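The three steps above amount to a software composition analysis pass: build an inventory, match it against advisories, hand the hits to the developers. The Python script below is an added example, not NowSecure's code and not from the deck: it extracts an inventory from a constructed Podfile.lock excerpt (iOS) and a constructed Gradle dependency block (Android), then compares each version numerically against a constructed advisory list keyed by the first fixed version. Every library name, version and advisory id here is a placeholder; in practice the inventory would be matched against a real feed such as the GitHub dependency alerts the slide mentions.

```python
import re

# Constructed excerpt of a CocoaPods Podfile.lock; pod names are placeholders, not real libraries.
SAMPLE_PODFILE_LOCK = """PODS:
  - ExampleNetKit (3.1.0):
    - ExampleNetKit/Session (= 3.1.0)
  - ExampleNetKit/Session (3.1.0)
  - JSONLite (4.0.0)

DEPENDENCIES:
  - ExampleNetKit (~> 3.1)
  - JSONLite
"""

# Constructed excerpt of Gradle dependency declarations; coordinates are placeholders.
SAMPLE_GRADLE = """dependencies {
    implementation 'com.example.net:httpkit:3.9.1'
    implementation "com.example.util:parser:2.8.2"
    testImplementation 'org.example.test:harness:4.12'
}
"""

# Constructed advisory feed: component -> first version that contains the fix.
# The ids are placeholders, not real CVE or GitHub advisory identifiers.
ADVISORIES = {
    "ExampleNetKit": {"id": "ADV-PLACEHOLDER-1", "fixed_in": "3.2.0"},
    "com.example.net:httpkit": {"id": "ADV-PLACEHOLDER-2", "fixed_in": "3.10.0"},
    "com.example.util:parser": {"id": "ADV-PLACEHOLDER-3", "fixed_in": "2.8.0"},
}

# Top-level pod entry: two-space indent, optional "/subspec", resolved version in parentheses.
POD_LINE = re.compile(r"^  - ([^\s/(]+)(?:/[^\s(]+)? \(([0-9][0-9.]*)\)")
# Gradle "group:artifact:version" coordinate inside single or double quotes.
GRADLE_COORD = re.compile(r"""['"]([^:'"\s]+):([^:'"\s]+):([^:'"\s]+)['"]""")


def parse_podfile_lock(text):
    """Return {pod_name: resolved_version} from the PODS: section of a Podfile.lock."""
    inventory = {}
    in_pods = False
    for line in text.splitlines():
        if line.startswith("PODS:"):
            in_pods = True
            continue
        if in_pods and line and not line.startswith(" "):
            break  # next top-level section (DEPENDENCIES:, SPEC CHECKSUMS:, ...)
        match = POD_LINE.match(line) if in_pods else None
        if match:
            # Subspecs (ExampleNetKit/Session) collapse onto their parent pod.
            inventory.setdefault(match.group(1), match.group(2))
    return inventory


def parse_gradle(text):
    """Return {"group:artifact": version} for every quoted coordinate in a Gradle file."""
    return {"%s:%s" % (group, artifact): version
            for group, artifact, version in GRADLE_COORD.findall(text)}


def version_key(version):
    """Numeric tuple for comparison, so 3.9.1 sorts below 3.10.0 (string order gets this wrong)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def find_vulnerable(inventory, advisories):
    """Return (component, version, advisory_id, fixed_in) for every inventory entry below the fix."""
    hits = []
    for component, version in sorted(inventory.items()):
        advisory = advisories.get(component)
        if advisory and version_key(version) < version_key(advisory["fixed_in"]):
            hits.append((component, version, advisory["id"], advisory["fixed_in"]))
    return hits


def inventory_report():
    """Combine both platform inventories and match them against the advisory feed."""
    inventory = {}
    inventory.update(parse_podfile_lock(SAMPLE_PODFILE_LOCK))
    inventory.update(parse_gradle(SAMPLE_GRADLE))
    return find_vulnerable(inventory, ADVISORIES)


if __name__ == "__main__":
    for component, version, advisory_id, fixed_in in inventory_report():
        print("%s %s: %s, update to %s or later" % (component, version, advisory_id, fixed_in))
```

The version comparison is the part worth copying: the constructed httpkit 3.9.1 is below the fix at 3.10.0 only under numeric comparison, and a string comparison would silently report it as patched. The parser example also collapses subspecs onto their parent pod so each component is reported once, which keeps the list you hand to the dev team short.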
3. DevSecOps: Shifting Left
#3: DevSecOps: Security MUST SHIFT LEFT
245 : 1 – devs outnumber AppSec
[Chart: Google Play Store new apps/month; Apple App Store new apps/month]
“Integrate mobile AST with your broader AST program and use it as a trial or precursor for enterprise-wide DevOps.” (Gartner, Market Guide for MAST)
#3: NEAR TERM TO DO
[Diagram: Your AppSec Factory. Developed apps flow through Requirements, Design, Build, Test and Production; Rapid Test (RAPID: PASSED / ANY TEST: FAILED) feeds Deep Test and Deep Certification (DEEP: PASSED).]
1. Begin with just one dev team that has expressed interest in automation
2. Begin with just one app, one build
3. Use that success to build momentum & automation to move on to other teams/apps
4. Address the low-hanging fruit
#4: FLAWS W/ LOW EFFORT/HIGH RETURN FIXES
▪ Up to 75% of Android apps allow world-read/write/exec
▪ Up to 90% of Android apps allow backup (allowBackup check)
▪ Up to 30% of iOS apps don’t use ATS properly
#4: NEAR TERM TO DO
1. Perform basic security assessments of the apps your organization controls/develops
2. Identify “low-hanging” security issues and work with your devs to remediate
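The three flaws the previous slide calls low effort/high return (world-accessible files, allowBackup, ATS misuse) are all visible in build artifacts, so a basic assessment can check for them mechanically. The script below is an added example, not code from NowSecure or from the deck: it reads a decoded AndroidManifest.xml for allowBackup and debuggable, an iOS Info.plist for the keys that weaken App Transport Security, and walks an app data directory for files with any world (other) permission bit set. The manifest, plist and directory layout are constructed samples; the package name com.example.demo and the domain legacy.example.com are placeholders.

```python
import os
import plistlib
import stat
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not from any real app) with both flags set the risky way.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:label="Demo" android:allowBackup="true" android:debuggable="true">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Constructed sample Info.plist: ATS disabled globally plus a per-domain insecure-HTTP exception.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.demo</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def check_android_manifest(manifest_xml):
    """Return findings for allowBackup/debuggable in a decoded AndroidManifest.xml."""
    findings = []
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return ["no <application> element found"]
    allow_backup = app.get("{%s}allowBackup" % ANDROID_NS)
    # The attribute defaults to true when absent, so a missing attribute is also a finding.
    if allow_backup is None:
        findings.append("allowBackup not set (defaults to true): app data can leave the device via backup")
    elif allow_backup.lower() == "true":
        findings.append("allowBackup=true: app data can leave the device via backup")
    if (app.get("{%s}debuggable" % ANDROID_NS) or "false").lower() == "true":
        findings.append("debuggable=true: a debugger can be attached to the shipped build")
    return findings


def check_ats(info_plist_bytes):
    """Return findings for App Transport Security weakening in an iOS Info.plist."""
    findings = []
    ats = plistlib.loads(info_plist_bytes).get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true: ATS disabled for all connections")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append("NSExceptionAllowsInsecureHTTPLoads=true for %s" % domain)
    return findings


def check_world_permissions(root_dir):
    """Walk an app data directory and report files with any 'other' permission bit set."""
    findings = []
    world_bits = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH
    for dirpath, _dirnames, filenames in os.walk(root_dir):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            if mode & world_bits:
                letters = "".join(letter for bit, letter in
                                  ((stat.S_IROTH, "r"), (stat.S_IWOTH, "w"), (stat.S_IXOTH, "x"))
                                  if mode & bit)
                findings.append("%s is world-%s (mode %o)"
                                % (os.path.relpath(path, root_dir), letters, mode & 0o777))
    return sorted(findings)


def make_constructed_data_dir():
    """Create a throwaway directory imitating an app sandbox, with deliberately bad modes."""
    root = tempfile.mkdtemp(prefix="appdata_")
    layout = {
        "shared_prefs/session.xml": 0o666,  # world-readable and world-writable
        "files/helper.sh": 0o755,           # world-executable
        "databases/app.db": 0o600,          # private; must not be reported
    }
    for rel_path, mode in layout.items():
        path = os.path.join(root, rel_path)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write("constructed sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for finding in (check_android_manifest(SAMPLE_MANIFEST) + check_ats(SAMPLE_INFO_PLIST)
                    + check_world_permissions(make_constructed_data_dir())):
        print("[!]", finding)
```

Two details matter when adapting this to real builds: the manifest check treats a missing allowBackup attribute as a finding rather than as clean, because the platform default is true, and the permission walk uses the on-device modes, so it has to run against the app's actual data directory (for example over a pulled copy that preserves modes) rather than against the source tree.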
5. Risk in Apple App Store & Google Play Store apps
#5: DON’T IGNORE 3RD-PARTY APP RISK
▪ 33% have at least 1 high-risk flaw (CVSS score)
▪ 35% have unencrypted data transmission
▪ 60% of orgs report an insecure mobile app contributing to a breach
▪ Business apps are 3X more likely to leak account credentials
▪ 68% of apps can expose sensitive data
▪ 50% of Android apps dynamically load code missed by static analysis
Sources: NowSecure Software and Research Data, Ponemon Institute 2016-2017
#5: TO DO IN THE NEAR TERM
1. Determine the 20 most prevalent apps within your organization using Mobile Device Management (MDM)
2. Perform quick mobile app security testing scans to identify security, privacy, and compliance issues
3. Identify proper remediation, re-configuration, or removal policy for risky mobile apps
NOWSECURE PLATFORM for 360º COVERAGE OF MOBILE APP SECURITY TESTING
▪ NowSecure INTEL: AlwaysOn AppStore Cloud Analysis for EMM & Security teams
▪ NowSecure AUTO: OnDemand Fast Cloud Analysis for Dev, QA & Security teams
▪ NowSecure WORKSTATION: Deep Pen Testing Analysis for Security Analysts
▪ NowSecure SERVICES: Expert Pen Testing, Training & Programs for App Owners & Security teams
8X FASTER – 3X DEEPER – MOST TRUSTED
SHIFT LEFT WITH MOBILE APPSEC FACTORY
[Diagram: Your AppSec Factory. Developed apps flow through Requirements, Design, Build, Test and Production.]
▪ Rapid Test all apps in 15 mins automatically… (RAPID: PASSED / ANY TEST: FAILED)
▪ Spend <1 hour deep testing any concerning rapid results or additional advanced/pre-release certification (DEEP TEST, DEEP CERTIFICATION: DEEP: PASSED)
▪ Instantly vet 3rd-party app risk with Online Test for 3rd-party app store apps (ONLINE: PASSED / ONLINE: FAILED)
NOWSECURE COMING ATTRACTIONS
AppSec Cali, January 30-31, 2018: Come see NowSecure in Santa Monica, CA!
ShmooCon XIV, January 19-21, 2018: For those lucky enough to get a ticket... round 3 ticket sales are on Dec 10!
OPEN Q & A
Brian Reed, Chief Mobility Officer
Andrew Hoog, Founder
Katie Strzempka, VP Cust. Success & Svcs