SlideShare a Scribd company logo

OWASP Mobile Top 10

NowSecure
NowSecure

Learn about the OWASP Top 10 Mobile Risks and best practices to avoid mobile application security pitfalls such as insecure data storage, insecure communication, reverse engineering, and more. These slides were originally presented on a webinar November 2016. Watch the presentation here: https://youtu.be/LuDe3u0cSVs

Technology
1 of 40
Download to read offline
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Mobile pitfalls to avoid: Breaking down the OWASP Top 10 Mobile Risks
Katie Strzempka Director of Services © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Keith Mokris Product Marketing Manager
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 1 Improper Platform Usage OWASP MOBILE TOP 10 2016 DRAFT
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Misuse of a platform feature or lack of platform security controls for the Android or iOS operating systems. Issues may include incorrect use of the keychain on iOS or Android intents.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Android - Implement intents carefully Intents are used for inter-component signaling. Improper implementation could result in data leakage, restricted functions being called and program flow being manipulated. https://books.nowsecure.com/secure-mobile-development/en/ android/implement-intents-carefully.html iOS - Use the keychain carefully iOS provides the keychain for secure data storage. However, in several scenarios, the keychain can be compromised and subsequently decrypted. https://books.nowsecure.com/secure-mobile-development/en/ios/ use-the-keychain-carefully.html Best practice(s):
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 2 Insecure Data Storage OWASP MOBILE TOP 10 2016 DRAFT
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Vulnerabilities that leak personal information and provide access to hackers.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. 1 in 10apps leak private, sensitive data like email, username, or password NowSecure: 2016 NowSecure Mobile Security Report Data from testing 400,000 mobile apps
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Implement secure data storage Transmit and display but do not persist to memory. Ensure that an analog leak does not present itself where screenshots of the data are written to disk. Store only in RAM (clear at application close). https://books.nowsecure.com/secure-mobile-development/en/sensitive-data/ implement-secure-data-storage.html Securely store data in RAM Do not keep sensitive data (e.g., encryption keys) in RAM longer than required. Nullify any variables that hold keys after use. https://books.nowsecure.com/secure-mobile-development/en/ios/use-the-keychain-carefully.html Best practice(s):
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 3Insecure Communication OWASP MOBILE TOP 10 2016 DRAFT
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Insecure communication refers to communications being sent in cleartext as well as other insecure methods.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Best practice(s): Implement secure transmission of sensitive data Best practices call for app providers to use SSL/TLS effectively to secure the transmission of passwords, login IDs, and other sensitive data over the network, and even go further and leverage app-layer encryption to protect user data. https://books.nowsecure.com/secure-mobile-development/en/sensitive-data/ implement-secure-network-transmission-of-sensitive-data.html
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 4Insecure Authentication OWASP MOBILE TOP 10 2016 DRAFT
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Mobile apps need to securely identify a user and maintain that user’s identity, especially when users are calling and sending sensitive data such as financial information.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Best practice(s): Hide account numbers and use tokens Given the widespread use of mobile apps in public places, displaying partial numbers (e.g. *9881) can help ensure maximum privacy for this information. Unless there is a need to store the complete number on the device, store the partially hidden numbers. https://books.nowsecure.com/secure-mobile-develo pment/en/sensitive-data/hide-account-numbers- and-use-tokens.html
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. ● India’s largest startup with $1.1B in funding was hacked to allow unlimited free rides ● Hacker used MITM Proxy to view API calls over HTTP ● No OAuth token mechanism or encryption was in place to guard APIs Source: The Next Web Example: Ola
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 5Insufficient Cryptography OWASP MOBILE TOP 10 2016 DRAFT
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. The process behind encryption and decryption may allow a hacker to decrypt sensitive data. The algorithm behind encryption and decryption may be weak in nature.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Implement secure data storage If storing sensitive data on the device is a requirement, add an additional layer of verified, third-party encryption. By adding another layer of encryption, you have more control over the implementation and mitigate attacks focused on the main OS encryption classes. https://books.nowsecure.com/secure-mobile-developme nt/en/sensitive-data/implement-secure-data-storage.ht ml Best practice(s):
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 6Insecure Authorization OWASP MOBILE TOP 10 2016 DRAFT
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Insecure authorization refers to the failure of a server to properly enforce identity and permissions as stated by the mobile app.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Best practice(s): Implement proper web server configuration Certain settings on a web server can increase security. One commonly overlooked vulnerability on a web server is information disclosure. Information disclosure can lead to serious problems because every piece of information attackers can gain from a server makes staging an attack easier. https://books.nowsecure.com/secure-mobile-d evelopment/en/servers/ web-server-configuration.html
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 7 Client Code Quality OWASP MOBILE TOP 10 2016 DRAFT
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Risks that come from vulnerabilities like buffer overflows, format-string vulnerabilities, and various other code-level mistakes where the solution is to rewrite some code that's running on the mobile device.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Vulnerabilities in the Vitamio SDK NowSecure Blog: World Writable Code Is Bad, MMMMKAY Best practice(s): Test third-party libraries Third-party libraries can contain vulnerabilities and weaknesses. Many developers assume third-party libraries are well-developed and tested, however, issues can and do exist in their code. https://books.nowsecure.com/secure-mobile-d evelopment/en/coding-practices/ test-third-party-libraries.html
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 8Code Tampering OWASP MOBILE TOP 10 2016 DRAFT
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. When attackers tamper with or install a backdoor on an app, re-sign it and publish the malicious version to third-party app marketplaces.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. ● 50M downloads in 19 days on Android alone ● Within 3 days of initial release, malicious DroidJack software found on third-party app stores ● Remote Access Tool (RAT) can open a silent, backdoor for hackers Source: NowSecure Blog Example: PokemonGO
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Best practice(s): Implement anti-tampering techniques Employ anti-tamper and tamper-detection techniques to prevent illegitimate applications from executing. Use checksums, digital signatures, and other validation mechanisms to help detect file tampering. https://books.nowsecure.com/secure-mobile-development/en/coding-practices/ anti-tamper-techniques.html
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 9Reverse Engineering OWASP MOBILE TOP 10 2016 DRAFT
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Reverse engineering refers to the analysis of a final binary to determine its source code, libraries, algorithms, and more.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. ● Hackers decompiled mobile app and recompiled it so they didn’t have to pay for premium content ● If it is possible, hackers will find a way Source: Forbes Example: Tinder
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Best practice(s): Increase code complexity and use obfuscation Reverse engineering apps can provide valuable insight into how your app works. Making your app more complex internally makes it more difficult for attackers to see how the app operates, which can reduce the number of attack vectors. https://books.nowsecure.com/secure-mobile-development/en/coding-practices/ code-complexity-and-obfuscation.html
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 1 Extraneous Functionality OWASP MOBILE TOP 10 2016 DRAFT0
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Developers frequently include hidden backdoors or security controls they do not plan on releasing into production. This error creates risk when a feature is released to the wild that was never intended to be shared.
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. ● Manufacturer of hardware chips and processors for mobile devices ● A debug tool, left open for carriers to test network connections, was left open on shipped devices Source: The Hacker News Example: MediaTek
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Best practice(s): Carefully manage debug logs Debug logs are generally designed to be used to detect and correct flaws in an application. These logs can leak sensitive information that may help an attacker create a more powerful attack. https://books.nowsecure.com/secure-mobile-development/en/caching-logging/ carefully-manage-debug-logs.html
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
Review the NowSecure Secure Mobile Development Best Practices in their entirety: Read Now
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. You can view the GitHub repository here: https://github.com/nowsecure/ secure-mobile-development Contribute to the Secure Mobile Development Best Practices

Recommended

OWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-DiveOWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-DivePrathan Phongthiproek
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10Pawel Rzepa
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017TecsyntSolutions
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
OWASP Top 10 for Mobile
OWASP Top 10 for MobileOWASP Top 10 for Mobile
OWASP Top 10 for MobileAppvigil - Mobile App Security Scanner
 

Recommended

OWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-DiveOWASP Mobile Top 10 Deep-Dive
OWASP Mobile Top 10 Deep-DivePrathan Phongthiproek
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10Pawel Rzepa
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017TecsyntSolutions
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
OWASP Top 10 for Mobile
OWASP Top 10 for MobileOWASP Top 10 for Mobile
OWASP Top 10 for MobileAppvigil - Mobile App Security Scanner
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavRomansh Yadav
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
The fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityThe fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityNowSecure
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksIndusfacePvtLtd
 
Mobile security
Mobile securityMobile security
Mobile securitypriyanka pandey
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Security testing
Security testingSecurity testing
Security testingKhizra Sammad
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle BotbolAPIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbolapidays
 
Android Security
Android SecurityAndroid Security
Android SecurityArqum Ahmad
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurationsMegha Sahu
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Bug bounty
Bug bountyBug bounty
Bug bountyn|u - The Open Security Community
 
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Christian Schneider
 
Mobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceMobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceNowSecure
 
Owasp Mobile Top 10 – 2014
Owasp Mobile Top 10 – 2014Owasp Mobile Top 10 – 2014
Owasp Mobile Top 10 – 2014n|u - The Open Security Community
 

More Related Content

What's hot

OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavRomansh Yadav
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
The fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityThe fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityNowSecure
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksIndusfacePvtLtd
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle BotbolAPIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbolapidays
 
Android Security
Android SecurityAndroid Security
Android SecurityArqum Ahmad
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurationsMegha Sahu
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Christian Schneider
 

What's hot (20)

OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
The fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityThe fundamentals of Android and iOS app security
The fundamentals of Android and iOS app security
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security Risks
 
Mobile security
Mobile securityMobile security
Mobile security
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
Security testing
Security testingSecurity testing
Security testing
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
 
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle BotbolAPIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
APIsecure 2023 - Android Applications and API Hacking, Gabrielle Botbol
 
Android Security
Android SecurityAndroid Security
Android Security
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
 
Bug bounty
Bug bountyBug bounty
Bug bounty
 
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
Security DevOps - Staying secure in agile projects // OWASP AppSecEU 2015 - A...
 

Viewers also liked

Mobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceMobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceNowSecure
 
How Android and iOS Security Enhancements Complicate Threat Detection
How Android and iOS Security Enhancements Complicate Threat DetectionHow Android and iOS Security Enhancements Complicate Threat Detection
How Android and iOS Security Enhancements Complicate Threat DetectionNowSecure
 
It's not about you: Mobile security in 2016
It's not about you: Mobile security in 2016It's not about you: Mobile security in 2016
It's not about you: Mobile security in 2016NowSecure
 
Mobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeMobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeNowSecure
 
Mobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeMobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeNowSecure
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsKaty Anton
 
Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M8Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M85h1vang
 
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null MeetOwasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet5h1vang
 
FIDO, PKI & beyond: Where Authentication Meets Identification
FIDO, PKI & beyond: Where Authentication Meets Identification FIDO, PKI & beyond: Where Authentication Meets Identification
FIDO, PKI & beyond: Where Authentication Meets IdentificationFIDO Alliance
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidMobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidNikola Milosevic
 
FIDO Webinar – A New Model for Online Authentication: Implications for Policy...
FIDO Webinar – A New Model for Online Authentication: Implications for Policy...FIDO Webinar – A New Model for Online Authentication: Implications for Policy...
FIDO Webinar – A New Model for Online Authentication: Implications for Policy...FIDO Alliance
 
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014viaForensics
 
Via forensics thotcon-2013-mobile-security-with-santoku-linux
Via forensics thotcon-2013-mobile-security-with-santoku-linuxVia forensics thotcon-2013-mobile-security-with-santoku-linux
Via forensics thotcon-2013-mobile-security-with-santoku-linuxviaForensics
 
Owasp summit 2017
Owasp summit 2017 Owasp summit 2017
Owasp summit 2017 Dinis Cruz
 
Addressing the OWASP Mobile Security Threats using Xamarin
Addressing the OWASP Mobile Security Threats using XamarinAddressing the OWASP Mobile Security Threats using Xamarin
Addressing the OWASP Mobile Security Threats using XamarinAlec Tucker
 
OWASP Top 10 2013
OWASP Top 10 2013OWASP Top 10 2013
OWASP Top 10 2013markstory
 
Attacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsAttacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsJerod Brennen
 
OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! Prathan Phongthiproek
 

Viewers also liked (20)

Mobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic MenaceMobile Penetration Testing: Episode 1 - The Forensic Menace
Mobile Penetration Testing: Episode 1 - The Forensic Menace
 
Owasp Mobile Top 10 – 2014
Owasp Mobile Top 10 – 2014Owasp Mobile Top 10 – 2014
Owasp Mobile Top 10 – 2014
 
How Android and iOS Security Enhancements Complicate Threat Detection
How Android and iOS Security Enhancements Complicate Threat DetectionHow Android and iOS Security Enhancements Complicate Threat Detection
How Android and iOS Security Enhancements Complicate Threat Detection
 
It's not about you: Mobile security in 2016
It's not about you: Mobile security in 2016It's not about you: Mobile security in 2016
It's not about you: Mobile security in 2016
 
Mobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the CodeMobile Penetration Testing: Episode II - Attack of the Code
Mobile Penetration Testing: Episode II - Attack of the Code
 
Mobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeMobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the Code
 
OWASP Top 10 Proactive Controls
OWASP Top 10 Proactive ControlsOWASP Top 10 Proactive Controls
OWASP Top 10 Proactive Controls
 
Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M8Owasp Mobile Top 10 - M7 & M8
Owasp Mobile Top 10 - M7 & M8
 
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null MeetOwasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet
 
FIDO, PKI & beyond: Where Authentication Meets Identification
FIDO, PKI & beyond: Where Authentication Meets Identification FIDO, PKI & beyond: Where Authentication Meets Identification
FIDO, PKI & beyond: Where Authentication Meets Identification
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP SeraphimdroidMobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
 
FIDO Webinar – A New Model for Online Authentication: Implications for Policy...
FIDO Webinar – A New Model for Online Authentication: Implications for Policy...FIDO Webinar – A New Model for Online Authentication: Implications for Policy...
FIDO Webinar – A New Model for Online Authentication: Implications for Policy...
 
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014
 
Via forensics thotcon-2013-mobile-security-with-santoku-linux
Via forensics thotcon-2013-mobile-security-with-santoku-linuxVia forensics thotcon-2013-mobile-security-with-santoku-linux
Via forensics thotcon-2013-mobile-security-with-santoku-linux
 
Owasp summit 2017
Owasp summit 2017 Owasp summit 2017
Owasp summit 2017
 
Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10
 
Addressing the OWASP Mobile Security Threats using Xamarin
Addressing the OWASP Mobile Security Threats using XamarinAddressing the OWASP Mobile Security Threats using Xamarin
Addressing the OWASP Mobile Security Threats using Xamarin
 
OWASP Top 10 2013
OWASP Top 10 2013OWASP Top 10 2013
OWASP Top 10 2013
 
Attacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsAttacking and Defending Mobile Applications
Attacking and Defending Mobile Applications
 
OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure! OWASP Day - OWASP Day - Lets secure!
OWASP Day - OWASP Day - Lets secure!
 

Similar to OWASP Mobile Top 10

How to make Android apps secure: dos and don’ts
How to make Android apps secure: dos and don’tsHow to make Android apps secure: dos and don’ts
How to make Android apps secure: dos and don’tsNowSecure
 
Cybersecurity Fundamentals for Bar Associations
Cybersecurity Fundamentals for Bar AssociationsCybersecurity Fundamentals for Bar Associations
Cybersecurity Fundamentals for Bar AssociationsNowSecure
 
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesCASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesNowSecure
 
Debunking the Top 5 Myths About Mobile AppSec
Debunking the Top 5 Myths About Mobile AppSecDebunking the Top 5 Myths About Mobile AppSec
Debunking the Top 5 Myths About Mobile AppSecNowSecure
 
iOS and Android security: Differences you need to know
iOS and Android security: Differences you need to knowiOS and Android security: Differences you need to know
iOS and Android security: Differences you need to knowNowSecure
 
Five mobile security challenges facing the enterprise
Five mobile security challenges facing the enterpriseFive mobile security challenges facing the enterprise
Five mobile security challenges facing the enterpriseNowSecure
 
5 Mobile App Security MUST-DOs in 2018
5 Mobile App Security MUST-DOs in 20185 Mobile App Security MUST-DOs in 2018
5 Mobile App Security MUST-DOs in 2018NowSecure
 
Best practices for privileged access & secrets management in the cloud - DEM0...
Best practices for privileged access & secrets management in the cloud - DEM0...Best practices for privileged access & secrets management in the cloud - DEM0...
Best practices for privileged access & secrets management in the cloud - DEM0...Amazon Web Services
 
Delivering secure mobile financial services (MFS) - "Frictionless" vs diligence
Delivering secure mobile financial services (MFS) - "Frictionless" vs diligenceDelivering secure mobile financial services (MFS) - "Frictionless" vs diligence
Delivering secure mobile financial services (MFS) - "Frictionless" vs diligenceNowSecure
 
Tips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTechWell
 
Building a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing BlueprintBuilding a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing BlueprintNowSecure
 
Tips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTechWell
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft
 
Preparing for the inevitable: The mobile incident response playbook
Preparing for the inevitable: The mobile incident response playbookPreparing for the inevitable: The mobile incident response playbook
Preparing for the inevitable: The mobile incident response playbookNowSecure
 
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...NowSecure
 
Tips To Protect Your Mobile App from Hackers.pdf
Tips To Protect Your Mobile App from Hackers.pdfTips To Protect Your Mobile App from Hackers.pdf
Tips To Protect Your Mobile App from Hackers.pdfFuGenx Technologies
 
Mobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attackerbugcrowd
 
Make Good Apps great - Using IBM MobileFirst Foundation
Make Good Apps great - Using IBM MobileFirst FoundationMake Good Apps great - Using IBM MobileFirst Foundation
Make Good Apps great - Using IBM MobileFirst FoundationAjay Chebbi
 
How to scale mobile application security testing
How to scale mobile application security testingHow to scale mobile application security testing
How to scale mobile application security testingNowSecure
 
Asset Discovery in India – Redhunt Labs
Asset Discovery in India – Redhunt LabsAsset Discovery in India – Redhunt Labs
Asset Discovery in India – Redhunt LabsRedhuntLabs2
 

Similar to OWASP Mobile Top 10 (20)

How to make Android apps secure: dos and don’ts
How to make Android apps secure: dos and don’tsHow to make Android apps secure: dos and don’ts
How to make Android apps secure: dos and don’ts
 
Cybersecurity Fundamentals for Bar Associations
Cybersecurity Fundamentals for Bar AssociationsCybersecurity Fundamentals for Bar Associations
Cybersecurity Fundamentals for Bar Associations
 
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesCASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
 
Debunking the Top 5 Myths About Mobile AppSec
Debunking the Top 5 Myths About Mobile AppSecDebunking the Top 5 Myths About Mobile AppSec
Debunking the Top 5 Myths About Mobile AppSec
 
iOS and Android security: Differences you need to know
iOS and Android security: Differences you need to knowiOS and Android security: Differences you need to know
iOS and Android security: Differences you need to know
 
Five mobile security challenges facing the enterprise
Five mobile security challenges facing the enterpriseFive mobile security challenges facing the enterprise
Five mobile security challenges facing the enterprise
 
5 Mobile App Security MUST-DOs in 2018
5 Mobile App Security MUST-DOs in 20185 Mobile App Security MUST-DOs in 2018
5 Mobile App Security MUST-DOs in 2018
 
Best practices for privileged access & secrets management in the cloud - DEM0...
Best practices for privileged access & secrets management in the cloud - DEM0...Best practices for privileged access & secrets management in the cloud - DEM0...
Best practices for privileged access & secrets management in the cloud - DEM0...
 
Delivering secure mobile financial services (MFS) - "Frictionless" vs diligence
Delivering secure mobile financial services (MFS) - "Frictionless" vs diligenceDelivering secure mobile financial services (MFS) - "Frictionless" vs diligence
Delivering secure mobile financial services (MFS) - "Frictionless" vs diligence
 
Tips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile Apps
 
Building a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing BlueprintBuilding a Mobile App Pen Testing Blueprint
Building a Mobile App Pen Testing Blueprint
 
Tips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile Apps
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security Threats
 
Preparing for the inevitable: The mobile incident response playbook
Preparing for the inevitable: The mobile incident response playbookPreparing for the inevitable: The mobile incident response playbook
Preparing for the inevitable: The mobile incident response playbook
 
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
 
Tips To Protect Your Mobile App from Hackers.pdf
Tips To Protect Your Mobile App from Hackers.pdfTips To Protect Your Mobile App from Hackers.pdf
Tips To Protect Your Mobile App from Hackers.pdf
 
Mobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attacker
 
Make Good Apps great - Using IBM MobileFirst Foundation
Make Good Apps great - Using IBM MobileFirst FoundationMake Good Apps great - Using IBM MobileFirst Foundation
Make Good Apps great - Using IBM MobileFirst Foundation
 
How to scale mobile application security testing
How to scale mobile application security testingHow to scale mobile application security testing
How to scale mobile application security testing
 
Asset Discovery in India – Redhunt Labs
Asset Discovery in India – Redhunt LabsAsset Discovery in India – Redhunt Labs
Asset Discovery in India – Redhunt Labs
 

More from NowSecure

iOS recon with Radare2
iOS recon with Radare2iOS recon with Radare2
iOS recon with Radare2NowSecure
 
From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference Architecture
From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference ArchitectureFrom Tangled Mess to Organized Flow: A Mobile DevSecOps Reference Architecture
From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference ArchitectureNowSecure
 
Android Q & iOS 13 Privacy Enhancements
Android Q & iOS 13 Privacy EnhancementsAndroid Q & iOS 13 Privacy Enhancements
Android Q & iOS 13 Privacy EnhancementsNowSecure
 
OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
OSS Tools: Creating a Reverse Engineering Plug-in for r2fridaOSS Tools: Creating a Reverse Engineering Plug-in for r2frida
OSS Tools: Creating a Reverse Engineering Plug-in for r2fridaNowSecure
 
Mobile App Security Predictions 2019
Mobile App Security Predictions 2019Mobile App Security Predictions 2019
Mobile App Security Predictions 2019NowSecure
 
Jeff's Journey: Best Practices for Securing Mobile App DevOps
Jeff's Journey: Best Practices for Securing Mobile App DevOpsJeff's Journey: Best Practices for Securing Mobile App DevOps
Jeff's Journey: Best Practices for Securing Mobile App DevOpsNowSecure
 
A Risk-Based Mobile App Security Testing Strategy
A Risk-Based Mobile App Security Testing StrategyA Risk-Based Mobile App Security Testing Strategy
A Risk-Based Mobile App Security Testing StrategyNowSecure
 
Android P Security Updates: What You Need to Know
Android P Security Updates: What You Need to KnowAndroid P Security Updates: What You Need to Know
Android P Security Updates: What You Need to KnowNowSecure
 
iOS 12 Preview - What You Need To Know
iOS 12 Preview - What You Need To KnowiOS 12 Preview - What You Need To Know
iOS 12 Preview - What You Need To KnowNowSecure
 
5 Tips for Agile Mobile App Security Testing
5 Tips for Agile Mobile App Security Testing5 Tips for Agile Mobile App Security Testing
5 Tips for Agile Mobile App Security TestingNowSecure
 
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDATop OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDANowSecure
 
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?NowSecure
 
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App RiskMobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App RiskNowSecure
 
What attackers know about your mobile apps that you don’t: Banking & FinTech
What attackers know about your mobile apps that you don’t: Banking & FinTechWhat attackers know about your mobile apps that you don’t: Banking & FinTech
What attackers know about your mobile apps that you don’t: Banking & FinTechNowSecure
 
Solving for Compliance: Mobile app security for banking and financial services
Solving for Compliance: Mobile app security for banking and financial servicesSolving for Compliance: Mobile app security for banking and financial services
Solving for Compliance: Mobile app security for banking and financial servicesNowSecure
 
Leaky Mobile Apps: What You Need to Know
Leaky Mobile Apps: What You Need to KnowLeaky Mobile Apps: What You Need to Know
Leaky Mobile Apps: What You Need to KnowNowSecure
 
Vetting Mobile Apps for Corporate Use: Security Essentials
Vetting Mobile Apps for Corporate Use: Security EssentialsVetting Mobile Apps for Corporate Use: Security Essentials
Vetting Mobile Apps for Corporate Use: Security EssentialsNowSecure
 
Next-level mobile app security: A programmatic approach
Next-level mobile app security: A programmatic approachNext-level mobile app security: A programmatic approach
Next-level mobile app security: A programmatic approachNowSecure
 
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...NowSecure
 

More from NowSecure (19)

iOS recon with Radare2
iOS recon with Radare2iOS recon with Radare2
iOS recon with Radare2
 
From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference Architecture
From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference ArchitectureFrom Tangled Mess to Organized Flow: A Mobile DevSecOps Reference Architecture
From Tangled Mess to Organized Flow: A Mobile DevSecOps Reference Architecture
 
Android Q & iOS 13 Privacy Enhancements
Android Q & iOS 13 Privacy EnhancementsAndroid Q & iOS 13 Privacy Enhancements
Android Q & iOS 13 Privacy Enhancements
 
OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
OSS Tools: Creating a Reverse Engineering Plug-in for r2fridaOSS Tools: Creating a Reverse Engineering Plug-in for r2frida
OSS Tools: Creating a Reverse Engineering Plug-in for r2frida
 
Mobile App Security Predictions 2019
Mobile App Security Predictions 2019Mobile App Security Predictions 2019
Mobile App Security Predictions 2019
 
Jeff's Journey: Best Practices for Securing Mobile App DevOps
Jeff's Journey: Best Practices for Securing Mobile App DevOpsJeff's Journey: Best Practices for Securing Mobile App DevOps
Jeff's Journey: Best Practices for Securing Mobile App DevOps
 
A Risk-Based Mobile App Security Testing Strategy
A Risk-Based Mobile App Security Testing StrategyA Risk-Based Mobile App Security Testing Strategy
A Risk-Based Mobile App Security Testing Strategy
 
Android P Security Updates: What You Need to Know
Android P Security Updates: What You Need to KnowAndroid P Security Updates: What You Need to Know
Android P Security Updates: What You Need to Know
 
iOS 12 Preview - What You Need To Know
iOS 12 Preview - What You Need To KnowiOS 12 Preview - What You Need To Know
iOS 12 Preview - What You Need To Know
 
5 Tips for Agile Mobile App Security Testing
5 Tips for Agile Mobile App Security Testing5 Tips for Agile Mobile App Security Testing
5 Tips for Agile Mobile App Security Testing
 
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDATop OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
Top OSS for Mobile AppSec Testing: The Latest on R2 and FRIDA
 
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
 
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App RiskMobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk
 
What attackers know about your mobile apps that you don’t: Banking & FinTech
What attackers know about your mobile apps that you don’t: Banking & FinTechWhat attackers know about your mobile apps that you don’t: Banking & FinTech
What attackers know about your mobile apps that you don’t: Banking & FinTech
 
Solving for Compliance: Mobile app security for banking and financial services
Solving for Compliance: Mobile app security for banking and financial servicesSolving for Compliance: Mobile app security for banking and financial services
Solving for Compliance: Mobile app security for banking and financial services
 
Leaky Mobile Apps: What You Need to Know
Leaky Mobile Apps: What You Need to KnowLeaky Mobile Apps: What You Need to Know
Leaky Mobile Apps: What You Need to Know
 
Vetting Mobile Apps for Corporate Use: Security Essentials
Vetting Mobile Apps for Corporate Use: Security EssentialsVetting Mobile Apps for Corporate Use: Security Essentials
Vetting Mobile Apps for Corporate Use: Security Essentials
 
Next-level mobile app security: A programmatic approach
Next-level mobile app security: A programmatic approachNext-level mobile app security: A programmatic approach
Next-level mobile app security: A programmatic approach
 
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...
Mobile App Crashworthiness - Securing Vehicle-to-Device (V2D) Interfaces and ...
 

Recently uploaded

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

OWASP Mobile Top 10

  • 1. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. Mobile pitfalls to avoid: Breaking down the OWASP Top 10 Mobile Risks
  • 2. Katie Strzempka Director of Services © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Keith Mokris Product Marketing Manager
  • 3. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 1 Improper Platform Usage OWASP MOBILE TOP 10 2016 DRAFT
  • 4. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Misuse of a platform feature or lack of platform security controls for the Android or iOS operating systems. Issues may include incorrect use of the keychain on iOS or Android intents.
  • 5. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Android - Implement intents carefully Intents are used for inter-component signaling. Improper implementation could result in data leakage, restricted functions being called and program flow being manipulated. https://books.nowsecure.com/secure-mobile-development/en/ android/implement-intents-carefully.html iOS - Use the keychain carefully iOS provides the keychain for secure data storage. However, in several scenarios, the keychain can be compromised and subsequently decrypted. https://books.nowsecure.com/secure-mobile-development/en/ios/ use-the-keychain-carefully.html Best practice(s):
  • 6. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 2 Insecure Data Storage OWASP MOBILE TOP 10 2016 DRAFT
  • 7. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Vulnerabilities that leak personal information and provide access to hackers.
  • 8. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. 1 in 10apps leak private, sensitive data like email, username, or password NowSecure: 2016 NowSecure Mobile Security Report Data from testing 400,000 mobile apps
  • 9. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Implement secure data storage Transmit and display but do not persist to memory. Ensure that an analog leak does not present itself where screenshots of the data are written to disk. Store only in RAM (clear at application close). https://books.nowsecure.com/secure-mobile-development/en/sensitive-data/ implement-secure-data-storage.html Securely store data in RAM Do not keep sensitive data (e.g., encryption keys) in RAM longer than required. Nullify any variables that hold keys after use. https://books.nowsecure.com/secure-mobile-development/en/ios/use-the-keychain-carefully.html Best practice(s):
  • 10. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 3Insecure Communication OWASP MOBILE TOP 10 2016 DRAFT
  • 11. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Insecure communication refers to communications being sent in cleartext as well as other insecure methods.
  • 12. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Best practice(s): Implement secure transmission of sensitive data Best practices call for app providers to use SSL/TLS effectively to secure the transmission of passwords, login IDs, and other sensitive data over the network, and even go further and leverage app-layer encryption to protect user data. https://books.nowsecure.com/secure-mobile-development/en/sensitive-data/ implement-secure-network-transmission-of-sensitive-data.html
  • 13. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 4Insecure Authentication OWASP MOBILE TOP 10 2016 DRAFT
  • 14. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Mobile apps need to securely identify a user and maintain that user’s identity, especially when users are calling and sending sensitive data such as financial information.
  • 15. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Best practice(s): Hide account numbers and use tokens Given the widespread use of mobile apps in public places, displaying partial numbers (e.g. *9881) can help ensure maximum privacy for this information. Unless there is a need to store the complete number on the device, store the partially hidden numbers. https://books.nowsecure.com/secure-mobile-develo pment/en/sensitive-data/hide-account-numbers- and-use-tokens.html
  • 16. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. ● India’s largest startup with $1.1B in funding was hacked to allow unlimited free rides ● Hacker used MITM Proxy to view API calls over HTTP ● No OAuth token mechanism or encryption was in place to guard APIs Source: The Next Web Example: Ola
  • 17. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 5Insufficient Cryptography OWASP MOBILE TOP 10 2016 DRAFT
  • 18. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. The process behind encryption and decryption may allow a hacker to decrypt sensitive data. The algorithm behind encryption and decryption may be weak in nature.
  • 19. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Implement secure data storage If storing sensitive data on the device is a requirement, add an additional layer of verified, third-party encryption. By adding another layer of encryption, you have more control over the implementation and mitigate attacks focused on the main OS encryption classes. https://books.nowsecure.com/secure-mobile-developme nt/en/sensitive-data/implement-secure-data-storage.ht ml Best practice(s):
  • 20. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 6Insecure Authorization OWASP MOBILE TOP 10 2016 DRAFT
  • 21. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Insecure authorization refers to the failure of a server to properly enforce identity and permissions as stated by the mobile app.
  • 22. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Best practice(s): Implement proper web server configuration Certain settings on a web server can increase security. One commonly overlooked vulnerability on a web server is information disclosure. Information disclosure can lead to serious problems because every piece of information attackers can gain from a server makes staging an attack easier. https://books.nowsecure.com/secure-mobile-d evelopment/en/servers/ web-server-configuration.html
  • 23. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 7 Client Code Quality OWASP MOBILE TOP 10 2016 DRAFT
  • 24. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Risks that come from vulnerabilities like buffer overflows, format-string vulnerabilities, and various other code-level mistakes where the solution is to rewrite some code that's running on the mobile device.
  • 25. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Vulnerabilities in the Vitamio SDK NowSecure Blog: World Writable Code Is Bad, MMMMKAY Best practice(s): Test third-party libraries Third-party libraries can contain vulnerabilities and weaknesses. Many developers assume third-party libraries are well-developed and tested, however, issues can and do exist in their code. https://books.nowsecure.com/secure-mobile-d evelopment/en/coding-practices/ test-third-party-libraries.html
  • 26. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 8Code Tampering OWASP MOBILE TOP 10 2016 DRAFT
  • 27. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. When attackers tamper with or install a backdoor on an app, re-sign it and publish the malicious version to third-party app marketplaces.
  • 28. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. ● 50M downloads in 19 days on Android alone ● Within 3 days of initial release, malicious DroidJack software found on third-party app stores ● Remote Access Tool (RAT) can open a silent, backdoor for hackers Source: NowSecure Blog Example: PokemonGO
  • 29. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Best practice(s): Implement anti-tampering techniques Employ anti-tamper and tamper-detection techniques to prevent illegitimate applications from executing. Use checksums, digital signatures, and other validation mechanisms to help detect file tampering. https://books.nowsecure.com/secure-mobile-development/en/coding-practices/ anti-tamper-techniques.html
  • 30. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 9Reverse Engineering OWASP MOBILE TOP 10 2016 DRAFT
  • 31. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Reverse engineering refers to the analysis of a final binary to determine its source code, libraries, algorithms, and more.
  • 32. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. ● Hackers decompiled mobile app and recompiled it so they didn’t have to pay for premium content ● If it is possible, hackers will find a way Source: Forbes Example: Tinder
  • 33. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Best practice(s): Increase code complexity and use obfuscation Reverse engineering apps can provide valuable insight into how your app works. Making your app more complex internally makes it more difficult for attackers to see how the app operates, which can reduce the number of attack vectors. https://books.nowsecure.com/secure-mobile-development/en/coding-practices/ code-complexity-and-obfuscation.html
  • 34. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute. 1 Extraneous Functionality OWASP MOBILE TOP 10 2016 DRAFT0
  • 35. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Developers frequently include hidden backdoors or security controls they do not plan on releasing into production. This error creates risk when a feature is released to the wild that was never intended to be shared.
  • 36. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. ● Manufacturer of hardware chips and processors for mobile devices ● A debug tool, left open for carriers to test network connections, was left open on shipped devices Source: The Hacker News Example: MediaTek
  • 37. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Best practice(s): Carefully manage debug logs Debug logs are generally designed to be used to detect and correct flaws in an application. These logs can leak sensitive information that may help an attacker create a more powerful attack. https://books.nowsecure.com/secure-mobile-development/en/caching-logging/ carefully-manage-debug-logs.html
  • 38. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
  • 39. Review the NowSecure Secure Mobile Development Best Practices in their entirety: Read Now
  • 40. © Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. You can view the GitHub repository here: https://github.com/nowsecure/ secure-mobile-development Contribute to the Secure Mobile Development Best Practices