Mobile App Security: How Secure is Your Mobile App

Post on 15-Jan-2017


TRANSCRIPT


Mobile App Security: How Secure is Your App?
Doug Sillars, ARO Technical Lead
@Dougsillars

2015 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. Information contained herein is not an offer, commitment, representation or warranty by AT&T and is subject to change. Mention of a specific company or entity is not an endorsement by AT&T.

TK: Hi everyone, and thank you for joining us. Today we're going to be talking about app performance; specifically, we'll be looking at real examples of mistakes that some of the top apps make, so that you can avoid them. We'll also give you a simple testing plan to improve your own app, before the app store reviews get ahold of them.

Gain Customers


Keep Them Happy


Receive Payments


If We Forget to Protect Our Customers

Data breaches happen every day

Few are publicly announced

Announcements seem to occur several times a week


Are You Protecting Your Customers' Data?


http://www.geograph.org.uk/photo/2958201
https://www.flickr.com/photos/emdot/1454326

Securing Mobile Apps is Hard

http://ibm.co/1EPVh8i
https://www.flickr.com/photos/mscheltgen/219606006


How Do You Test Your App?

http://ibm.co/1EPVh8i


App Security is a Problem

52% of apps are NOT tested

63% of those tested HAVE issues

http://ibm.co/1EPVh8i


What Do We Need to Secure Our App?

Knowledge: what are the common issues?
Tooling?
How do I learn about new vulnerabilities?


What Are Common Issues?

Giving up too much information: exposing data in logs; not locking down Activities/Intents
Encryption: network transmissions; local data storage
Secure encryption: Heartbleed, POODLE, etc.
3rd party SDKs too!


Giving Up Too Much Information: Exposing Data in Logs

Logs are not protected: Ice Cream Sandwich, rooted devices
Data seen in logs: lat/lon, logins/passwords, credit card numbers, passport numbers
Leak of privileged data!

https://www.flickr.com/photos/knowmybackyard/5314941146


Travel app revealed passport numbers in the log file


Exposing Data in Logs: Example

    (18468): Preference updated: com.analytics.MIN_BATCH_INTERVAL
    (18468): PushService startService
    (18468): *Received GCM Registration ID: *
    (18468): Saving preference: com.analytics.push.APP_VERSION value: 22
    (18468): Adding event: {"data":{"push_enabled":true,"carrier":"AT&T","session_id":"240d5059-c976-4fb3-b59d-44553649b08c","transport":"GCM","connection_type":"wifi","apid":xxxxxx-xxxx-xxx-xxxx-xxxxxxxx"},"type":"push_service_started","event_id":"171da614-50f9-468c-b60a-1a97d39e226c","time":"1424166468"}

3rd Party SDK!

Try it on your phone:

    adb logcat -v thread

Search for terms like your lat/lon (48.) or usernames: dougsillars


Exposing Data in Logs: Solution

Protect your customers' data. Ensure that you remove logging in ProGuard when you perform your final build:

    -assumenosideeffects class android.util.Log { *; }
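As an added example (not from the talk), the check the slide suggests for "adb logcat -v thread" written out in Python: it scans captured logcat text for coordinate pairs, Luhn-valid card numbers and a watchlist of your own identifiers, so that a release build can be verified rather than eyeballed. The log lines, coordinates and card number below are constructed for the example.

```python
"""Scan `adb logcat -v thread` output for data an app should never log."""
import re

# Constructed sample in `-v thread` format: priority(pid:tid) message.
# Values (coordinates, user, card number) are made up for this example.
SAMPLE_LOGCAT = """\
D(18468:18470) Preference updated: com.analytics.MIN_BATCH_INTERVAL
D(18468:18471) Saving preference: com.analytics.push.APP_VERSION value: 22
V(18468:18471) location update lat=48.8566 lon=2.3522
D(18468:18472) login ok user=dougsillars
D(18468:18472) checkout pan=4111111111111111 exp=12/26
I(18468:18470) Adding event: {"type":"push_service_started","time":"1424166468"}
"""

LINE_RE = re.compile(r"^(?P<prio>[VDIWEF])\(\s*(?P<pid>\d+):\s*(?P<tid>\d+)\)\s(?P<msg>.*)$")
DECIMAL_RE = re.compile(r"-?\d{1,3}\.\d{3,}")   # candidate lat/lon values
PAN_RE = re.compile(r"\b\d{13,19}\b")            # candidate card numbers


def luhn_ok(digits):
    """True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_message(msg, watchlist):
    """Return the labels of sensitive data found in one log message."""
    labels = []
    coords = [float(x) for x in DECIMAL_RE.findall(msg) if abs(float(x)) <= 180]
    if len(coords) >= 2:                      # two plausible decimals: lat/lon
        labels.append("coordinates")
    labels += ["card number" for pan in PAN_RE.findall(msg) if luhn_ok(pan)]
    labels += ["watchlist:" + w for w in watchlist if w.lower() in msg.lower()]
    return labels


def scan_logcat(text, watchlist):
    """Return (pid, label, message) for every sensitive hit in logcat output."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            for label in scan_message(m["msg"], watchlist):
                hits.append((m["pid"], label, m["msg"]))
    return hits
```

Feed it the saved output of "adb logcat -v thread" while exercising the app, with your own username and test identifiers in the watchlist; a release build should produce no hits.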


Activities, processes and Intents should be locked to your application, and not publicly accessible.
Publicly accessible activities can be accessed without authentication.
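Added example, not from the talk: a Python check over an AndroidManifest.xml that lists the components other apps can reach without holding a permission, the condition the slide warns about. The manifest below is constructed; the rule that a component with an intent-filter is exported by default applies to apps targeting SDK levels below 31, where an explicit android:exported value became mandatory.

```python
"""Static check: which manifest components can other apps reach with no permission?"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest for this example (not the talk's app).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.travel">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AccountActivity">
      <intent-filter>
        <action android:name="com.example.travel.SHOW_ACCOUNT"/>
      </intent-filter>
    </activity>
    <service android:name=".PaymentService" android:exported="true"/>
    <receiver android:name=".SyncReceiver" android:exported="true"
        android:permission="com.example.travel.permission.SYNC"/>
    <activity android:name=".SettingsActivity"/>
  </application>
</manifest>
"""


def is_launcher(comp):
    """The LAUNCHER entry point must be exported; it is not a finding."""
    return any(c.get(ANDROID + "name") == "android.intent.category.LAUNCHER"
               for c in comp.iter("category"))


def is_exported(comp):
    """Explicit android:exported wins; else an intent-filter means exported (pre-targetSdk 31)."""
    explicit = comp.get(ANDROID + "exported")
    if explicit is not None:
        return explicit == "true"
    return comp.find("intent-filter") is not None


def find_unprotected_exports(manifest_xml):
    """Return (tag, name) of exported components that require no permission."""
    findings = []
    for comp in ET.fromstring(manifest_xml).find("application"):
        if comp.tag in COMPONENTS and is_exported(comp) and not is_launcher(comp):
            if comp.get(ANDROID + "permission") is None:
                findings.append((comp.tag, comp.get(ANDROID + "name")))
    return findings
```

Every component it reports should either be set to android:exported="false", guarded with an android:permission, or justified in a review, since any app on the device can start it.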
