ZSOLT NEMETH
@ZSOLT_NEMETH
MOBILE APPLICATION SECURITY
- STATE OF PLAY -
MOBILE APPLICATION SECURITY 2
SUMMARY
- CONFLICT OF INTEREST BETWEEN PLAYERS: DEVELOPERS VS. SECURITY CONSULTANTS
- THEY DO NOT KNOW EACH OTHER'S PLAYBOOKS
ISSUES
- SECURE CODING
- MANUAL PENTESTS ARE SLOW
- LONG PATCHING CYCLES
- …
CONCERNS OVER MOBILE APPS
CONCERN OVER MOBILE AND CLOUD-BASED APPLICATIONS BOTH INCREASED FROM LESS THAN 10% IN 2014 TO DOMINATE THE NEXT TOP SPOTS IN 2015.
- 2013: 24%
- 2014: 35%
- 2015 (DEC): 63%
SOURCE: SECURITY AWARENESS FORRESTER REPORT, 2015
TESTING METHODS
- DAST: DYNAMIC APPLICATION SECURITY TESTING
- SAST: STATIC APPLICATION SECURITY TESTING
- IAST: INTERACTIVE APPLICATION SECURITY TESTING
- FUZZING
- CODE REVIEW
- PENTEST: PENETRATION TESTING
- BOUNTY: BUG BOUNTY PROGRAMMES
SOURCE CODE AVAILABILITY
AVAILABLE:
- PROPER CODE AUDITING CAN BE DONE
- HIGHER CHANCE TO SPOT AN ERROR
- DEVELOPER CASES
- ISSUE OF 3RD PARTY LIBRARIES
- LESS PATCHING TIME
MISSING:
- REVERSE ENGINEERING NEEDED
- APPROX. 65% OF TESTS CAN BE DONE
- TELCO / RESELLER CASES
- ISSUE OF 3RD PARTY DEVELOPERS
MOBILE APPLICATION SECURITY STANDARDS
OWASP TOP 10
ISO 27034
NIST SP 800-53 / SP 800-64
THE TOP 10 LIST
1. ACTIVITY MONITORING AND DATA RETRIEVAL
2. UNAUTHORIZED DIALING, SMS AND PAYMENTS
3. UNAUTHORIZED NETWORK CONNECTIVITY (EXFILTRATION, COMMAND & CONTROL)
4. UI IMPERSONATION
5. SYSTEM MODIFICATION (ROOTKIT, APN PROXY CONFIG)
6. LOGIC OR TIME BOMB
7. SENSITIVE DATA LEAKAGE (INADVERTENT OR SIDE CHANNEL)
8. UNSAFE SENSITIVE DATA STORAGE
9. UNSAFE SENSITIVE DATA TRANSMISSION
10. HARDCODED PASSWORD/KEYS
ITEMS 1-6 ARE MALICIOUS FUNCTIONALITY, ITEMS 7-10 ARE VULNERABILITIES IN OTHERWISE LEGITIMATE APPS.
SOURCE: HTTPS://WWW.OWASP.ORG/IMAGES/9/94/MOBILETOPTEN.PDF
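Items 8, 9 and 10 are the ones a tester can still hunt for when source code is missing (the case the SOURCE CODE AVAILABILITY slide calls "reverse engineering needed"): they leave traces in the string table of the binary. The script below is an added example and not code from App-Ray, OWASP or this talk. It takes the kind of lines that `strings classes.dex` or a decoded res/values/strings.xml produces and flags world-accessible storage, cleartext endpoints and disabled TLS checks, and hardcoded keys. Every regex, the entropy threshold and the sample strings are assumptions constructed for the illustration.

```python
"""Static check over the string table of a mobile app binary.

Added example, not code from App-Ray, OWASP or this talk.  With no source
code available, a tester can still run `strings` on classes.dex (or decode
res/values/strings.xml and the network security config) and pattern-match
the result.  The rules below look for the three items of the Top 10 list
that surface in such a dump: 8 unsafe sensitive data storage, 9 unsafe
sensitive data transmission, 10 hardcoded password/keys.  Every regex,
the entropy threshold and the sample strings are assumptions made for
this illustration.
"""
import math
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    risk: int      # item number in the Top 10 list above
    rule: str      # name of the check that fired
    line_no: int   # 1-based index into the scanned string table
    text: str      # the offending string


# Risk 8: files or shared preferences every other app can read (assumed rule).
WORLD_ACCESS = re.compile(r"MODE_WORLD_(?:READABLE|WRITEABLE)|getExternalStorageDirectory")
# Risk 9: cleartext endpoints; XML namespace URIs are present in every APK
# and are not network traffic, so they are allowlisted.
CLEARTEXT_URL = re.compile(r"\bhttp://[^\s\"'<>]+")
NAMESPACE_PREFIXES = ("http://schemas.android.com/", "http://www.w3.org/",
                      "http://schemas.xmlsoap.org/")
# Risk 9: switches that turn off hostname verification or the cleartext ban.
TLS_DISABLED = re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER|cleartextTrafficPermitted=\"true\"")
# Risk 10: well-known secret formats first, then a generic high-entropy assignment.
KNOWN_SECRETS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
]
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b(?:api[_-]?key|secret|token|password|passwd|pwd)\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9_\-+/=]{20,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed, raise it if it is too noisy


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random-looking tokens score higher than words."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_strings(lines):
    """Return a Finding for every rule hit, in line order."""
    findings = []
    for n, line in enumerate(lines, start=1):
        if WORLD_ACCESS.search(line):
            findings.append(Finding(8, "world_accessible_storage", n, line))
        for m in CLEARTEXT_URL.finditer(line):
            if not m.group(0).startswith(NAMESPACE_PREFIXES):
                findings.append(Finding(9, "cleartext_url", n, line))
        if TLS_DISABLED.search(line):
            findings.append(Finding(9, "tls_validation_disabled", n, line))
        hit_known = False
        for rule, pattern in KNOWN_SECRETS:
            if pattern.search(line):
                findings.append(Finding(10, rule, n, line))
                hit_known = True
        if not hit_known:  # avoid reporting the same key twice
            m = SECRET_ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(10, "high_entropy_secret", n, line))
    return findings


# Constructed sample: what `strings classes.dex` might return for a fictional
# banking app.  AKIAIOSFODNN7EXAMPLE is the placeholder key from the AWS
# documentation, not a live credential.
SAMPLE_STRINGS = [
    "com.example.bank.MainActivity",
    "http://schemas.android.com/apk/res/android",     # namespace, not traffic
    "https://api.example-bank.test/v1/login",
    "http://api.example-bank.test/v1/balance",        # cleartext endpoint
    "ALLOW_ALL_HOSTNAME_VERIFIER",                    # hostname check disabled
    "MODE_WORLD_READABLE",                            # world-readable storage
    "aws_key=AKIAIOSFODNN7EXAMPLE",                   # hardcoded cloud key
    "api_key=sk_live_51H7xZ2eZvKYlo2CqEXAMPLE0000",   # hardcoded API key
    "Loading, please wait...",
]


def main(argv):
    """Scan a strings dump given as argv[1], or the built-in sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            lines = [ln.rstrip("\n") for ln in fh]
    else:
        lines = SAMPLE_STRINGS
    findings = scan_strings(lines)
    for f in findings:
        print(f"risk {f.risk:2d}  {f.rule:24s}  line {f.line_no}: {f.text}")
    return 1 if findings else 0   # non-zero exit so a CI job can fail the build


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan_strings.py strings.txt`, where strings.txt is the output of `strings classes.dex`; a non-zero exit status means findings, so the same script can gate an app-store submission pipeline. The namespace allowlist and the known-format-before-entropy ordering are the two places where a naive grep produces noise, which is what makes such a check usable by less specialised staff than a manual pentest needs.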
MAIN DRIVERS
- COMPLIANCE
- ECONOMIC IMPACT ON THE COMPANY
- DIRECT RESPONSE TO A SECURITY INCIDENT
SOLUTIONS
- PENETRATION TESTING: EXPENSIVE & SLOW
- TRAINING – SAFECODE (WWW.SAFECODE.ORG): TIME CONSUMING
- SOURCE CODE ANALYSIS: ONLY IF SOURCE CODE IS AVAILABLE
AUTOMATED SOLUTIONS
- VERACODE
- APPTHORITY
- APP-RAY (FULLY AUTOMATED)
HOW DOES IT WORK
APP-RAY
(FULLY AUTOMATED)
BENEFITS:
- LOW PATCHING TIME
- SPOTTING SERIOUS ISSUES IMMEDIATELY
- TIME & COST EFFICIENT
- NO NEED FOR SOURCE CODE
- INTEGRATION INTO BUSINESS PROCESSES
- LESS EXPERT WORKFORCE CAN DO IT
"26% OF DEFENDERS TOOK 2-7 DAYS TO DEPLOY PATCHES TO CRITICAL APPS
IN USE, WHILE ANOTHER 22% TOOK 8-30 DAYS, AND 14% NEEDED 31 DAYS
TO THREE MONTHS TO DEPLOY PATCHES SATISFACTORILY."
SOURCE: SECURITY AWARENESS REPORT, 2015
THANK YOU FOR YOUR ATTENTION
ZSOLT NEMETH, FOUNDER OF APP-RAY GMBH
WWW.APP-RAY.CO
TYPICAL CUSTOMER TYPES FOR APP-RAY
1. TELECOM COMPANIES
2. ENTERPRISE APP STORES
a) FOR EMPLOYEES (CREDIT AGRICOLE): HTTPS://WWW.CREDITAGRICOLESTORE.FR/
b) FOR CUSTOMERS (DEUTSCHE BANK, ETC): HTTPS://WWW.AUTOBAHN.DB.COM/MICROSITE/DOCS/A_NEW_GENERATION_OF_GTB_SERVICES_FOR_CORPORATES_-_EXPERIENCE_THE_AUTOBAHN_APP_MARKET_%28BROCHURE_ENGLISH%29.PDF
c) BANKING APP STORES FOR CUSTOMERS:
HTTP://EC.EUROPA.EU/FINANCE/PAYMENTS/DOCS/FRAMEWORK/PSD_CONSUMERS/PSD_EN.PDF
HTTPS://WWW.PIAPPBANK.COM.AU/APPGRID/APPCATALOGUE.HTM