A Perspective on Mobile Security
in IoT and How OWASP can Help
Romuald SZKUDLAREK, CISSP CCSP CSSLP C|EH
romuald.szkudlarek@owasp.org
Agenda
• Mobile Application Security in IoT Architecture
• Mobile Application Security at OWASP
MASVS
MSTG
• Practical Use Cases of MASVS and MSTG
INTRODUCTION
Who Am I?
• Romuald SZKUDLAREK
• Senior Cyber Security Architect
• CISSP, CCSP, CSSLP, CEH credentials holder
• Member of OWASP
• Co-Author of the Mobile Security Testing Guide (MSTG)
MOBILE APPLICATION SECURITY IN
AN IOT ARCHITECTURE
Technical Architecture of an IoT solution
• IoT device: collects data in the field (for instance in a "smart xyz" deployment); often runs a mobile OS such as Android
• Cloud services: authentication, IAM, analytics, monitoring, storage, device management and data visualization
• Edge computing: sits between the devices and the cloud; both sides are reached through APIs
• End user: uses an application (web, mobile, …) for remote management, supervision, …
IoT Attack Surface
A significant part of the attack surface comes from the mobile side:
• Local storage
• Insecure communications
• Insecure cryptography
• Insecure authentication
• Reverse engineering
• …
A few facts and figures
• A majority of respondents have little to no knowledge of the number and type of mobile apps installed in their organization
• 79% think that using mobile apps increases security risks (Ponemon 2017 Study on Mobile and Internet of Things Application Security)
• Few mobile apps go through security testing
• The focus is on usability
Mobile Application Security: what can go wrong? Well, in both directions:
• Mobile to IoT device (M -> I): a study reports that « Mobile App Flaws […] Could Allow Hackers To Target Critical Infrastructure » (SCADA / ICS mobile apps)
https://securityaffairs.co/wordpress/67701/iot/scada-mobile-security.html
• IoT device to Mobile (I -> M): Belkin WeMo devices used to attack mobile phones (Black Hat Europe, 2016)
And think about it…
What about your smart lock / smart fridge /
security cam / [take virtually any smart device]?
Hint: The architecture is the same!!!
MOBILE SECURITY AT OWASP
-
IMPROVE THE SECURITY POSTURE OF MOBILE APPS WITH
MASVS AND MSTG
OWASP
• https://www.owasp.org
• The Open Web Application Security Project is a not-for-profit worldwide organization (US-based) that supports application security, with hundreds of chapters worldwide and thousands of members
• All OWASP tools / Documents / forums / chapters are free
• Participating in projects is FREE and everyone is welcome!
OWASP
• Not linked to any commercial company
• Organizes and sponsors world-class security
events
• Technical audience
• Meritocracy, core values are:
Open, Innovation, Global, Integrity
Why Mobile Application Security?
• Different Attack Surface
Local storage
Local authentication
OS interaction
• Different Vulnerabilities
Reverse engineering
Secret storage
Fewer XSS and CSRF issues (through frameworks like Cordova) down to none in purely native apps
• 16 vulnerabilities per mobile app on average
• Malware also exists on mobile
• Anyway, « Hackers are able to penetrate mobile devices exactly in the same way they accessed our confidential data on our computer. » Pierluigi Paganini, ENISA
Mobile Security at OWASP
• https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide
• Main deliverables are
Testing guide (MSTG)
List of requirements (MASVS)
Checklist for security assessment
A few words on… MASVS
• Mobile Application Security Verification
Standard
• Provides 3 levels of requirements in 8 domains:
- Baseline (MASVS-L1, 43 reqs)
- Defense-in-depth (MASVS-L2, 19 reqs)
- Advanced requirements on resiliency against reverse engineering and tampering (MASVS-R, 12 reqs)
• Fork of ASVS dedicated to mobile
• Provides scalability in security requirements
management
MASVS requirements (extracts)
A few words on… MSTG
• Mobile Security Testing Guide
• Risk-based approach
• Promotes the use of an SDLC*
• Maps directly to MASVS requirements
• Covers native Android and iOS applications
• Defers to the OWASP Testing Guide for the security of server-side components
• Use cases
*SDLC = Secure Development Life Cycle
MSTG (table of content)
Security Testing with MSTG (extracts)
MASVS and MSTG in SDLC
• Supports « shifting left » and « security by design », and promotes security in DevOps
• MASVS early in app creation, as the source of security requirements
• MSTG in the testing phase, with the checklist (MASVS requirements mapped to MSTG test cases) to record the assessment
Mobile Testing Tools
MSTG has a section dedicated to mobile security testing tools. Examples include:
• Both Android & iOS: MobSF & objection (frameworks); Checkmarx, Fortify & Veracode (SAST); Burp Suite, OWASP ZAP & Wireshark (network analysis)
• Android: Android Studio (IDE); Androguard / APKTool / Jadx (RE); Drozer (dynamic analysis); Xposed / Cydia Substrate (certificate pinning bypass, …)
• iOS: Xcode (IDE); Frida (dynamic instrumentation toolkit, also usable on Android); IDA Pro (disassembler / debugger); cycript, gdb (dynamic analysis); iOS TrustMe (certificate pinning bypass, …)
Automating use of MASVS and MSTG
Example using BDD (Behavior Driven Development) based on Calaba.sh:
https://www.owasp.org/images/f/fb/V2_-_OWASP_Buscharest_Davide_Cioccia.pdf
Recognition
• Referenced by other organizations and standards bodies (logos on the original slide)
• Governments are working on including MSTG in their standards
• Used by many companies in many industries worldwide (banks, finance, …)
• Many training requests received
Future of MASVS and MSTG
Not static:
• Bug fixing
• Follow iOS / Android new versions
• Add frameworks (Cordova, PhoneGap, …)
• Code samples in Swift
• As the guide is meant to evolve: milestoning and versioning strategy
• …
Volunteers are welcome!
Easy: go to https://github.com/OWASP/owasp-mstg/milestone/1 , pick up any issue and submit your pull request!!!
Related OWASP projects
• Mobile Top 10 https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
• Internet of Things https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
• Cloud Security https://www.owasp.org/index.php/OWASP_Cloud_Security_Project
• Dependency Track https://www.owasp.org/index.php/OWASP_Dependency_Track_Project
• DevSecOps Studio https://www.owasp.org/index.php/OWASP_DevSecOps_Studio_Project
And so many others! Check at www.owasp.org
PRACTICAL USE CASES OF MASVS
AND MSTG
Attack scenario – Reverse Engineering
Scenario: An attacker wants to retrieve source code
of your app to (pick one):
- steal your IP
- find secrets to penetrate your network
- find flaws and manipulate your app
- repackage your app with malware
Attacker steps:
• Installs your app on his phone (from Google Play)
• Retrieves it on his laptop (connect through USB; adb shell pm path <package name> prints the APK path on the device, then adb pull <path>)
• Reverse engineers it (apktool d -f -o <directory> <appname>.apk for resources and smali, or d2j-dex2jar <file>.dex, unzip the resulting .jar and jad -o <file>.class for Java source)
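The attacker's real last step is usually a search for credentials over whatever apktool and dex2jar produced. The script below is an added example (not code from these slides or from the MSTG project) of that triage done directly on the APK, which is just a zip archive: it scans every entry except images for a handful of secret patterns. The fake APK it builds, the pattern names and the planted values are all constructed for the demonstration.

```python
"""Triage an APK for hard-coded secrets, the way an attacker (or an MSTG tester)
does right after pulling and unzipping the package.

Added example for this page, not MSTG/MASVS project code. The APK is
constructed in memory (a zip with a fake classes.dex and a fake
res/values/strings.xml) so the script runs offline; the secret values inside
it are made up for the demonstration.
"""
import io
import re
import zipfile

# Patterns a reviewer would look for in resources, native libs and dex files.
# Names and regexes are this example's choices, not a list taken from MSTG.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "private_key_block": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "basic_auth_url": re.compile(rb"https?://[^/\s:@]+:[^/\s:@]+@[^\s/]+"),
    "generic_api_key": re.compile(rb"(?i)api[_-]?key[\"'=:\s]+([A-Za-z0-9_\-]{16,})"),
}

# Images and fonts only produce false positives, so they are skipped.
SKIP_SUFFIXES = (".png", ".jpg", ".webp", ".ttf", ".otf")


def scan_apk(apk_bytes: bytes) -> list[tuple[str, str, str]]:
    """Return (entry_name, pattern_name, matched_text) for every hit in the APK."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for entry in apk.infolist():
            if entry.is_dir() or entry.filename.lower().endswith(SKIP_SUFFIXES):
                continue
            data = apk.read(entry.filename)
            for name, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(data):
                    hits.append((entry.filename, name, m.group(0).decode("latin-1")))
    return hits


def build_sample_apk() -> bytes:
    """Construct a minimal fake APK (a plain zip) with planted secrets."""
    strings_xml = (
        b'<?xml version="1.0" encoding="utf-8"?>\n<resources>\n'
        b'    <string name="app_name">SmartLock</string>\n'
        b'    <string name="backend">https://svc:Passw0rd@api.example.invalid/v1</string>\n'
        b'    <string name="analytics">apiKey: 9f3c2b1a8d7e6f5a4b3c2d1e</string>\n'
        b'</resources>\n'
    )
    # A dex file is binary, but its string constants are stored in clear, so a
    # regex over the raw bytes finds them just as strings(1) would.
    fake_dex = b"dex\n035\x00" + b"\x00" * 64 + b"AKIAABCDEFGHIJKLMNOP" + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary AXML stub
        z.writestr("classes.dex", fake_dex)
        z.writestr("res/values/strings.xml", strings_xml)
        z.writestr("res/drawable/icon.png", b"\x89PNG AKIAQQQQQQQQQQQQQQQQ")  # skipped
    return buf.getvalue()


if __name__ == "__main__":
    for entry, kind, text in scan_apk(build_sample_apk()):
        print(f"{entry}: {kind} -> {text}")
```

Against a real package, call scan_apk(open("app.apk", "rb").read()). Every hit is a design question rather than a code fix: string constants in classes.dex survive ProGuard-style obfuscation, so the only effective answer is to move the secret server-side or derive it per user at runtime.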
MASVS Requirements – Reverse
Engineering
MASVS provides requirements (8.1 to 8.13) to mitigate such attacks: section 8, entitled « Resiliency Against Reverse Engineering Requirements ».
And MSTG allows you to test the proper
implementation of these requirements!
Attack scenario – Local storage
Scenario: An attacker gets physical access to your mobile
(unsupervised or stolen mobile) and wants to find Corporate
secrets
Attacker steps:
Let's assume the screen-locking protection is poor and has been circumvented (so USB debugging can be enabled):
• Attacker connects his laptop through USB
• Attacker performs a backup of your mobile / one of your apps (adb backup -f backup.ab <packageName>); this captures the data of any app that leaves android:allowBackup at its default value of true, on Android versions where adb backup still includes app data
• Attacker opens the archive (java -jar abe.jar unpack backup.ab backup.tar, then opens backup.tar with 7-zip)
• Retrieves databases / logs / preferences and analyses their content
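The abe.jar and 7-zip steps can be reproduced in a few lines once you know that an .ab file is a four-line text header (magic, format version, compression flag, encryption algorithm) followed by a zlib-compressed tar. The script below is an added example, not code from these slides or from the MSTG project: it unpacks an unencrypted backup and flags shared_prefs entries whose key names look like credentials. The backup it works on is constructed in memory (a fake preferences file for a made-up package), so it runs offline; password-encrypted archives are refused rather than handled.

```python
"""Unpack an `adb backup` archive (.ab) without abe.jar and look for plaintext
secrets in the app's shared preferences.

Added example for this page, not MSTG project code. The backup is constructed
in memory from a fake shared_prefs file so the run is offline. Real archives
may be password-encrypted (encryption line other than "none"); this example
deliberately raises on those instead of implementing the key derivation.
"""
import io
import re
import tarfile
import zlib

AB_MAGIC = b"ANDROID BACKUP"


def unpack_ab(ab_bytes: bytes) -> bytes:
    """Strip the 4-line .ab header and inflate the zlib-compressed tar body."""
    stream = io.BytesIO(ab_bytes)
    if stream.readline().rstrip(b"\n") != AB_MAGIC:
        raise ValueError("not an Android backup file")
    version = int(stream.readline().strip())        # format version, 1..5
    compressed = stream.readline().strip() == b"1"
    encryption = stream.readline().strip()          # b"none" or b"AES-256"
    if encryption != b"none":
        raise ValueError(f"encrypted backup ({encryption.decode()}), password needed")
    body = stream.read()
    return zlib.decompress(body) if compressed else body


# Key names to flag inside preference files. The word list is this example's
# guess at common offenders, not something taken from MASVS.
SENSITIVE_KEY = re.compile(r'name="([^"]*(?:pass|pwd|token|secret|pin)[^"]*)"', re.I)


def find_plaintext_secrets(tar_bytes: bytes) -> list[tuple[str, str]]:
    """Return (archive_member, preference_key) for suspicious shared_prefs entries."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            # In an .ab tar, apps/<pkg>/sp/ holds shared_prefs, apps/<pkg>/db/ databases.
            if not member.isfile() or "/sp/" not in member.name:
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            for key in SENSITIVE_KEY.findall(text):
                findings.append((member.name, key))
    return findings


def build_sample_backup(package: str = "com.example.smartlock") -> bytes:
    """Construct a fake, unencrypted .ab archive containing one shared_prefs file."""
    prefs = (
        '<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
        '    <string name="username">alice</string>\n'
        '    <string name="cloud_token">eyJhbGciOiJIUzI1NiJ9.fake.payload</string>\n'
        '    <string name="lock_pin">1234</string>\n'
        '</map>\n'
    ).encode()
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        info = tarfile.TarInfo(f"apps/{package}/sp/{package}_preferences.xml")
        info.size = len(prefs)
        tar.addfile(info, io.BytesIO(prefs))
    header = AB_MAGIC + b"\n5\n1\nnone\n"
    return header + zlib.compress(tar_buf.getvalue())


if __name__ == "__main__":
    tar_data = unpack_ab(build_sample_backup())
    for member, key in find_plaintext_secrets(tar_data):
        print(f"{member}: key '{key}' stored in clear")
```

On a real archive call unpack_ab(open("backup.ab", "rb").read()). A PIN or token sitting in clear in shared_prefs is exactly the class of finding MASVS section 2 is meant to prevent: such values belong in the platform keystore, and an app whose data must never leave the device sets android:allowBackup="false".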
MASVS Requirements – Local storage
MASVS provides requirements (2.1 to 2.12) to mitigate such attacks: section 2, entitled « Data Storage and Privacy Requirements ».
Security Testing with MSTG – Local
Storage
Additional Attacks Include…
- Starting an activity exported to the outside that contains sensitive information (with tools like Drozer for Android)
- Forensic analysis of screenshots (stored in the Library/Caches/Snapshots/<your app> directory on iOS devices)
- And so many more
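The first of these attacks starts with finding out which components are reachable from other apps, which Drozer enumerates at runtime (run app.package.attacksurface <package>). The same question can be answered statically from the AndroidManifest.xml that apktool decodes; the script below is an added example, not code from these slides or from the MSTG project. The manifest it parses is constructed for the demonstration, and the rule it encodes is Android's documented default: a component with an intent-filter is exported unless android:exported="false", and an exported component without android:permission can be started by any app on the device.

```python
"""List Android components that other apps can invoke, from a decoded
AndroidManifest.xml (the static counterpart of Drozer's attack-surface listing).

Added example for this page, not MSTG project code. SAMPLE_MANIFEST is
constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an attribute from the android: namespace (Clark notation)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def exposed_components(manifest_xml: str) -> list[tuple[str, str, str]]:
    """Return (tag, android:name, reason) for components any app may invoke."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    results = []
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = _attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        if exported == "true":
            reason = 'android:exported="true"'
        elif exported is None and has_filter:
            reason = "intent-filter present and android:exported unset (implicitly exported)"
        else:
            continue
        if _attr(comp, "permission"):
            continue  # exported, but the caller must hold a permission: not open to everyone
        results.append((comp.tag, _attr(comp, "name"), reason))
    return results


# Constructed sample: a launcher activity (legitimately exported), a settings
# screen exported by mistake, a screen correctly kept private and a push
# receiver correctly protected by a permission.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.smartlock">
  <application android:label="SmartLock">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminSettingsActivity" android:exported="true"/>
    <activity android:name=".PinEntryActivity" android:exported="false"/>
    <receiver android:name=".PushReceiver"
              android:permission="com.google.android.c2dm.permission.SEND">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for tag, name, reason in exposed_components(SAMPLE_MANIFEST):
        print(f"{tag} {name}: {reason}")
```

The launcher activity will always show up and is expected; every other line is a component to try to start from a second app (or with Drozer's run app.activity.start --component <package> <activity>) and to check for sensitive content. Apps targeting Android 12 (API 31) or later must declare android:exported explicitly on any component that has an intent-filter, which removes the implicit-export case for new builds but not for the older targetSdk versions still in the field.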
References
• OWASP - https://www.owasp.org
• MASVS and MSTG - https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide
• iOS Application Security, David Thiel, No Starch Press
• Ponemon Institute 2017 Study on Mobile and IoT Application Security - https://media.scmagazine.com/documents/282/2017_study_mobile_and_iot_70394.pdf
• IoT devices can hack phones - https://www.networkworld.com/article/3138050/internet-of-things/black-hat-europe-iot-devices-can-hack-phones.html
• Mobile App Flaws of SCADA ICS Systems Could Allow Hackers To Target Critical Infrastructure - https://securityaffairs.co/wordpress/67701/iot/scada-mobile-security.html
• Blackout: Critical Infrastructure Attacks Will Soar in 2018 - https://www.inc.com/adam-levin/next-hackers-target-industrial-plants-critical-infrastructure.html
• Mobile malware evolution 2017 - https://securelist.com/mobile-malware-review-2017/84139/
• Critical Infrastructure and Cyber Security - https://www.incapsula.com/blog/critical-infrastructure-cyber-security.html
Credits
Thanks to those who have supported me when writing all this material (private joke, cf. MSTG foreword)
Kudos to all OWASP authors and contributors!!!
Key takeaways
• Mobile security is an important attack vector in IoT systems
• Significant variety of attacks
• OWASP provides resources to support:
- manufacturers in raising the security level of their offerings
- users in better understanding the risks and placing requirements on suppliers
Thanks for your attention!
Any question?

More Related Content

What's hot

ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideMITRE ATT&CK
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10NowSecure
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingPriyanka Aash
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
ATT&CK Updates- ATT&CK's Open Source
ATT&CK Updates- ATT&CK's Open SourceATT&CK Updates- ATT&CK's Open Source
ATT&CK Updates- ATT&CK's Open SourceMITRE ATT&CK
 
Threat Modelling - It's not just for developers
Threat Modelling - It's not just for developersThreat Modelling - It's not just for developers
Threat Modelling - It's not just for developersMITRE ATT&CK
 
ATT&CK Updates- ATT&CK for mac/Linux
ATT&CK Updates- ATT&CK for mac/LinuxATT&CK Updates- ATT&CK for mac/Linux
ATT&CK Updates- ATT&CK for mac/LinuxMITRE ATT&CK
 
OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! Prathan Phongthiproek
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide Isabelle Mauny
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyJason Suttie
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Threat Modeling 101
Threat Modeling 101Threat Modeling 101
Threat Modeling 101Atlassian
 

What's hot (20)

Breaking The Cloud Kill Chain
Breaking The Cloud Kill ChainBreaking The Cloud Kill Chain
Breaking The Cloud Kill Chain
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue Divide
 
Xss attack
Xss attackXss attack
Xss attack
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
ATT&CK Updates- ATT&CK's Open Source
ATT&CK Updates- ATT&CK's Open SourceATT&CK Updates- ATT&CK's Open Source
ATT&CK Updates- ATT&CK's Open Source
 
Threat Modelling - It's not just for developers
Threat Modelling - It's not just for developersThreat Modelling - It's not just for developers
Threat Modelling - It's not just for developers
 
ATT&CK Updates- ATT&CK for mac/Linux
ATT&CK Updates- ATT&CK for mac/LinuxATT&CK Updates- ATT&CK for mac/Linux
ATT&CK Updates- ATT&CK for mac/Linux
 
OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure!
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
Threat Modeling 101
Threat Modeling 101Threat Modeling 101
Threat Modeling 101
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 

Similar to Mobile Security Perspective for IoT

Null singapore - Mobile Security Essentials
Null singapore - Mobile Security EssentialsNull singapore - Mobile Security Essentials
Null singapore - Mobile Security EssentialsSven Schleier
 
[OWASP Poland Day] OWASP for testing mobile applications
[OWASP Poland Day] OWASP for testing mobile applications[OWASP Poland Day] OWASP for testing mobile applications
[OWASP Poland Day] OWASP for testing mobile applicationsOWASP
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10OWASP
 
Owasp for testing_mobile_apps_opd
Owasp for testing_mobile_apps_opdOwasp for testing_mobile_apps_opd
Owasp for testing_mobile_apps_opdPawel Rzepa
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2drewz lin
 
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Websec México, S.C.
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft
 
Mobile Security - Dutch Mobile .Net Developers
Mobile Security - Dutch Mobile .Net DevelopersMobile Security - Dutch Mobile .Net Developers
Mobile Security - Dutch Mobile .Net DevelopersAlberto Aguzzi
 
Deploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving InfrastructuresDeploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving InfrastructuresSBWebinars
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLudovic Petit
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...POSSCON
 
Chirita ionel owasp europe tour
Chirita ionel   owasp europe tourChirita ionel   owasp europe tour
Chirita ionel owasp europe tourChirita Ionel
 
AllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorAllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorjtmelton
 
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyFilling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyBlack Duck by Synopsys
 
Running an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageRunning an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageVandana Verma
 
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Deborah Schalm
 
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...DevOps.com
 
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...DevOps for Enterprise Systems
 

Similar to Mobile Security Perspective for IoT (20)

Null singapore - Mobile Security Essentials
Null singapore - Mobile Security EssentialsNull singapore - Mobile Security Essentials
Null singapore - Mobile Security Essentials
 
[OWASP Poland Day] OWASP for testing mobile applications
[OWASP Poland Day] OWASP for testing mobile applications[OWASP Poland Day] OWASP for testing mobile applications
[OWASP Poland Day] OWASP for testing mobile applications
 
[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10[Wroclaw #5] OWASP Projects: beyond Top 10
[Wroclaw #5] OWASP Projects: beyond Top 10
 
Owasp for testing_mobile_apps_opd
Owasp for testing_mobile_apps_opdOwasp for testing_mobile_apps_opd
Owasp for testing_mobile_apps_opd
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
 
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security Threats
 
Mobile Security - Dutch Mobile .Net Developers
Mobile Security - Dutch Mobile .Net DevelopersMobile Security - Dutch Mobile .Net Developers
Mobile Security - Dutch Mobile .Net Developers
 
Deploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving InfrastructuresDeploying Secure Modern Apps in Evolving Infrastructures
Deploying Secure Modern Apps in Evolving Infrastructures
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
 
2014 09-04-pj
2014 09-04-pj2014 09-04-pj
2014 09-04-pj
 
Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...Application Security on a Dime: A Practical Guide to Using Functional Open So...
Application Security on a Dime: A Practical Guide to Using Functional Open So...
 
Chirita ionel owasp europe tour
Chirita ionel   owasp europe tourChirita ionel   owasp europe tour
Chirita ionel owasp europe tour
 
AllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorAllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensor
 
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and WhyFilling your AppSec Toolbox - Which Tools, When to Use Them, and Why
Filling your AppSec Toolbox - Which Tools, When to Use Them, and Why
 
Running an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageRunning an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec Village
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
 
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
 
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
 

Recently uploaded

Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf

Mobile Security Perspective for IoT

  • 11. And think about it… What about your smart lock / smart fridge / security cam / [take virtually any smart device]? Hint: the architecture is the same!!!
  • 12. MOBILE SECURITY AT OWASP - IMPROVE THE SECURITY POSTURE OF MOBILE APPS WITH MASVS AND MSTG
  • 13. OWASP
    - https://www.owasp.org
    - The Open Web Application Security Project is a not-for-profit worldwide organization (US-based) that supports application security, with hundreds of chapters worldwide and thousands of members
    - All OWASP tools, documents, forums and chapters are free
    - Participating in projects is FREE and everyone is welcome!
  • 14. OWASP
    - Not linked to any commercial company
    - Organizes and sponsors world-class security events
    - Technical audience
    - Meritocracy; core values are: Open, Innovation, Global, Integrity
  • 15. Why Mobile Application Security?
    - Different attack surface: local storage, local authentication, OS interaction
    - Different vulnerabilities: reverse engineering, secret storage; fewer XSS and CSRF (through frameworks like Cordova) to none (in native apps)
    - 16 vulnerabilities per mobile app on average
    - Malware also exists on mobile
    - Anyway, « Hackers are able to penetrate mobile devices exactly in the same way they accessed our confidential data on our computer. » Pierluigi Paganini, ENISA
  • 16. Mobile Security at OWASP
    - https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide
    - Main deliverables are: the testing guide (MSTG), the list of requirements (MASVS) and a checklist for security assessment
  • 17. A few words on… MASVS
    - Mobile Application Security Verification Standard
    - Provides 3 levels of requirements in 8 domains:
      - Baseline (MASVS-L1, 43 reqs)
      - Defense-in-depth (MASVS-L2, 19 reqs)
      - Adds advanced reqs on resiliency against reverse engineering and tampering (MASVS-R, 12 reqs)
    - Fork of ASVS dedicated to mobile
    - Provides scalability in security requirements management
  • 19. A few words on… MSTG
    - Mobile Security Testing Guide
    - Risk-based approach
    - Promotes the use of an SDLC*
    - Maps directly to MASVS requirements
    - Native Android and iOS applications
    - Use the OWASP Testing Guide for the security of server-side components
    - Use cases
    *SDLC = Secure Development Life Cycle
  • 20. MSTG (table of contents)
  • 21. Security Testing with MSTG (extracts)
  • 22. MASVS and MSTG in the SDLC
    - Support « shifting left » and « security by design », promote security in DevOps
    - MASVS early in app creation
    - MSTG in the testing phase
    - (Diagram on slide: MASVS, MSTG, Checklist)
  • 23. Mobile Testing Tools
    MSTG has a section dedicated to mobile security testing tools. Examples include:
    - Both Android & iOS: MobSF & objection (frameworks); Checkmarx, Fortify & Veracode (SAST); Burp Suite, OWASP ZAP & Wireshark (network analysis)
    - Android: Android Studio (IDE); Androguard / APKTool / Jadx (reverse engineering); Drozer (dynamic analysis); Xposed / Cydia Substrate (hooking frameworks, used for certificate pinning bypass, …)
    - iOS: Xcode (IDE); Frida (dynamic instrumentation toolkit, also usable on Android); IDA Pro (disassembler / debugger); cycript, gdb (dynamic analysis); iOS TrustMe (certificate pinning bypass, …)
  • 24. Automating use of MASVS and MSTG
    Example using BDD (Behavior Driven Development) based on Calabash: https://www.owasp.org/images/f/fb/V2_-_OWASP_Buscharest_Davide_Cioccia.pdf
  • 25. Recognition
    - Referenced by
    - Governments are working on including MSTG in their standards
    - Used by many companies in many industries around the world (banks, finance, …)
    - Many requests for trainings received
  • 26. Future of MASVS and MSTG
    Not static:
    - Bug fixing
    - Follow new iOS / Android versions
    - Add frameworks (Cordova, PhoneGap, …)
    - Code samples for Swift
    - As the guide is meant to evolve: milestoning and versioning strategy
    - …
    Volunteers are welcome! Easy: go to https://github.com/OWASP/owasp-mstg/milestone/1 , pick any issue and submit your pull request!!!
  • 27. Related OWASP projects
    - Mobile Top 10: https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
    - Internet of Things: https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
    - Cloud Security: https://www.owasp.org/index.php/OWASP_Cloud_Security_Project
    - Dependency Track: https://www.owasp.org/index.php/OWASP_Dependency_Track_Project
    - DevSecOps Studio: https://www.owasp.org/index.php/OWASP_DevSecOps_Studio_Project
    And so many others! Check at www.owasp.org
  • 28. PRACTICAL USE CASES OF MASVS AND MSTG
  • 29. Attack scenario – Reverse Engineering
    Scenario: an attacker wants to retrieve the source code of your app to (pick one):
    - steal your IP
    - find secrets to penetrate your network
    - find flaws and manipulate your app
    - repackage your app with malware
    Attacker steps:
    - Installs your app on his mobile (from Google Play)
    - Retrieves it on his laptop (connect through USB, locate the APK with adb shell pm path <package name>, then adb pull <apk path>; adb pull takes a device path, not a package name)
    - Reverse engineers it (apktool d -f -o <directory> <appname>.apk for resources and smali, or d2j-dex2jar <file>.dex, unzip the resulting .jar and jad -o <file>.class for Java source)
  • 30. MASVS Requirements – Reverse Engineering MASVS provides requirements (8.1 to 8.13) to mitigate such attacks : section 8 entitled «Resiliency Against Reverse Engineering Requirements”. And MSTG allows you to test the proper implementation of these requirements!
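    The step right after adb pull, as an added example that is not code from the talk or from OWASP: a pulled APK is a plain zip, and classes.dex plus everything under assets/ and res/raw/ is stored uncompiled, so a strings-style pass finds embedded credentials before apktool or jadx is even needed (the manifest and res/ are binary XML and do need apktool first). The secret patterns and the sample APK with planted secrets are assumptions made for this example.

```python
"""Scan a pulled APK for hardcoded secrets (added example, not OWASP code)."""
import io
import re
import zipfile

# Printable runs of 8+ characters, the same heuristic the `strings` tool uses.
STRINGS_RE = re.compile(rb"[\x20-\x7e]{8,}")

# Things that should never ship inside an app (assumed set). First match wins.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "credential_in_url": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
    "keyword_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key)\b\s*[:=]\s*\S+"),
}


def classify(text):
    """Return the name of the first secret pattern that matches, else None."""
    for name, pattern in SECRET_PATTERNS.items():
        if pattern.search(text):
            return name
    return None


def scan_apk(apk_bytes):
    """Return (member, category, text) for every suspicious string in the APK."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for member in apk.namelist():
            data = apk.read(member)
            if member.endswith(".dex"):
                # DEX string data is length-prefixed MUTF-8; a raw printable-run
                # scan is enough to surface the literals.
                candidates = [m.group(0).decode("ascii") for m in STRINGS_RE.finditer(data)]
            elif member.startswith(("assets/", "res/raw/")):
                candidates = data.decode("utf-8", "replace").splitlines()
            else:
                continue  # manifest and res/ are binary XML: decode with apktool first
            for text in candidates:
                category = classify(text)
                if category:
                    findings.append((member, category, text.strip()))
    return findings


def build_sample_apk():
    """Constructed APK-like zip with secrets planted in it (assumption, not a real app)."""
    dex = b"dex\n035\x00" + b"\x00" * 104  # minimal header, then string data
    for literal in (b"https://api.example/v1",
                    b"Device token cached in SharedPreferences",
                    b"password=changeme",
                    b"-----BEGIN RSA PRIVATE KEY-----"):
        dex += bytes([len(literal)]) + literal + b"\x00"
    props = (b"# constructed config shipped inside the app\n"
             b"api_key=AKIAIOSFODNN7EXAMPLE\n"
             b"mqtt.url=mqtts://admin:hunter2@broker.example\n"
             b"log.level=INFO\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML stub, skipped
        apk.writestr("classes.dex", dex)
        apk.writestr("assets/config.properties", props)
        apk.writestr("assets/readme.txt", b"Nothing to see here.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, category, text in scan_apk(build_sample_apk()):
        print(f"{member}: {category}: {text}")
```

    Run it against a real APK with scan_apk(open("app.apk", "rb").read()); anything it reports is exactly what the "find secrets to penetrate your network" attacker is after, and the fix is to keep such material out of the package (server-side, or in platform keystores) rather than to obfuscate it.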
  • 31. Attack scenario – Local storage
    Scenario: an attacker gets physical access to your mobile (unsupervised or stolen) and wants to find corporate secrets
    Attacker steps (assuming the screen-lock protection is poor and has been circumvented, and USB debugging can be enabled and the host authorized):
    - Attacker connects his laptop through USB
    - Attacker performs a backup of your mobile / one of your apps (adb backup -f backup.ab <packageName>)
    - Attacker opens the archive (java -jar abe.jar unpack backup.ab backup.tar, then opens the tar with 7-Zip)
    - Retrieves databases / logs / preferences and analyses their content
    Note: adb backup only includes apps that have not set android:allowBackup="false" in their manifest; an app that keeps sensitive data locally should not opt into backups.
  • 32. MASVS Requirements – Local storage MASVS provides requirements (2.1 to 2.12) to mitigate such attacks : section 2 entitled «Data Storage and Privacy Requirements”.
  • 33. Security Testing with MSTG – Local Storage
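    The unpack and analysis steps of the local-storage scenario, as an added example that is not code from the talk or from OWASP: it replaces java -jar abe.jar unpack with pure Python (the .ab file is a four-line header followed by a zlib-deflated tar) and then reads the app's SharedPreferences files the way an attacker, or a reviewer checking the data-storage requirements, would. It handles only unencrypted backups; one whose header says "AES-256" needs the backup password. The sample app, its preference names and the list of sensitive key names are constructed for this example.

```python
"""Unpack an `adb backup` archive and look for secrets in SharedPreferences
(added example, not OWASP code)."""
import io
import tarfile
import xml.etree.ElementTree as ET
import zlib

AB_MAGIC = b"ANDROID BACKUP"
# Preference names that should never hold plaintext values (assumed list).
SENSITIVE_KEYS = ("password", "passwd", "token", "secret", "session")


def unpack_ab(ab_bytes):
    """Strip the 4-line .ab header and return the tar stream inside it."""
    # Header lines: magic, format version, compressed flag (0/1), encryption
    # ("none" or "AES-256"), each newline-terminated; the tar follows, zlib-deflated.
    lines = ab_bytes.split(b"\n", 4)
    if len(lines) < 5 or lines[0] != AB_MAGIC:
        raise ValueError("not an adb backup file")
    compressed, encryption, body = lines[2], lines[3], lines[4]
    if encryption != b"none":
        raise ValueError(f"encrypted backup ({encryption.decode()}), password required")
    return zlib.decompress(body) if compressed == b"1" else body


def find_secrets_in_prefs(tar_bytes):
    """Return (package, file, key, value) for sensitive-looking preference entries."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            # Backup layout is apps/<package>/<domain>/<file>; "sp" = shared_prefs.
            parts = member.name.split("/")
            if not member.isfile() or len(parts) < 4 or parts[0] != "apps" or parts[2] != "sp":
                continue
            root = ET.fromstring(tar.extractfile(member).read())
            for elem in root:
                key = elem.get("name", "")
                if any(word in key.lower() for word in SENSITIVE_KEYS):
                    # <string> entries carry the value as text, other types as value="..."
                    value = elem.get("value") if elem.get("value") is not None else (elem.text or "")
                    findings.append((parts[1], parts[-1], key, value))
    return findings


def build_sample_backup():
    """Constructed backup of one app that keeps credentials in its prefs (assumption)."""
    prefs = (b'<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n'
             b"<map>\n"
             b'  <string name="username">alice</string>\n'
             b'  <string name="password">hunter2</string>\n'
             b'  <string name="oauth_token">eyJhbGciOiJIUzI1NiJ9.sample</string>\n'
             b'  <boolean name="remember_me" value="true" />\n'
             b"</map>\n")
    entries = (("apps/com.example.iot/_manifest", b"1\ncom.example.iot\n"),
               ("apps/com.example.iot/sp/com.example.iot_preferences.xml", prefs),
               ("apps/com.example.iot/db/telemetry.db", b"SQLite format 3\x00"))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return b"ANDROID BACKUP\n1\n1\nnone\n" + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    for package, filename, key, value in find_secrets_in_prefs(unpack_ab(build_sample_backup())):
        print(f"{package}/{filename}: {key} = {value!r}")
```

    On a real device the input is the backup.ab produced by adb backup; databases under the db/ domain are skipped here and would be opened with sqlite3 in the same way. Every hit is a value that should have lived in the Android Keystore or on the server, which is the point the data-storage requirements make.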
  • 34. Additional attacks include…
    - Starting an exported activity that contains sensitive information (with tools like Drozer on Android)
    - Forensic analysis of screenshots (stored in the Library/Caches/Snapshots/<your app> directory on iOS devices)
    - And so many more
  • 35. References
    - OWASP: https://www.owasp.org
    - MASVS and MSTG: https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide
    - David Thiel, iOS Application Security, No Starch Press
    - Ponemon Institute, 2017 Study on Mobile and IoT Application Security: https://media.scmagazine.com/documents/282/2017_study_mobile_and_iot_70394.pdf
    - IoT devices can hack phones: https://www.networkworld.com/article/3138050/internet-of-things/black-hat-europe-iot-devices-can-hack-phones.html
    - Mobile App Flaws of SCADA ICS Systems Could Allow Hackers To Target Critical Infrastructure: https://securityaffairs.co/wordpress/67701/iot/scada-mobile-security.html
    - Blackout: Critical Infrastructure Attacks Will Soar in 2018: https://www.inc.com/adam-levin/next-hackers-target-industrial-plants-critical-infrastructure.html
    - Mobile malware evolution 2017: https://securelist.com/mobile-malware-review-2017/84139/
    - Critical Infrastructure and Cyber Security: https://www.incapsula.com/blog/critical-infrastructure-cyber-security.html
  • 36. Credits: thanks to those who have supported me when writing all this material (private joke, cf. MSTG foreword). Kudos to all OWASP authors and contributors!!!
  • 37. Key takeaways
    - Mobile security is an important attack vector in IoT systems
    - Significant variety of attacks
    - OWASP provides resources to support:
      - manufacturers in raising the security level of their products
      - users in better understanding the risks and placing requirements on suppliers
  • 38. Thanks for your attention! Any question?