5 things you must know to crush mobile security bugs

Five things you MUST knowto CRUSH mobile security bugs

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.

Connect with us

Follow us on Twitter @NowSecureMobile

—

Subscribe to #MobSec5 our weekly mobile security news digest

http://mobsec5.nowsecure.com/

—

Visit our website https://www.nowsecure.com

http://twitter.com/nowsecuremobile



https://www.nowsecure.com

Jake Van DykeMobile Security Researcher


Jeff NolanVP Marketing


Contents

● Intro discussion

● 5 things you must know

● Questions


There are a lot of mobile bugs out there on major OSes

325 Lifetime Android CVEs by type (130 in 2015) 897 Lifetime iOS CVEs by type (385 in 2015)

Source: CVE Details Source: CVE Details

http://www.cvedetails.com/product/19997/Google-Android.html?vendor_id=1224

http://www.cvedetails.com/product/15556/Apple-Iphone-Os.html?vendor_id=49

http://www.cvedetails.com/product/15556/Apple-Iphone-Os.html?vendor_id=49


Known vulnerabilities on Android and iOS in 2016

154vulnerabilities in

Google Android in 2016

84vulnerabilities in

Apple iOS in 2016

Leaving users exposed

Source: CVE DetailsSource: CVE Details

https://www.cvedetails.com/product/15556/Apple-Iphone-Os.html?vendor_id=49

https://www.cvedetails.com/product/15556/Apple-Iphone-Os.html?vendor_id=49




25% of mobile apps have at least one high risk security or privacy flaw

NowSecure: 2016 NowSecure Mobile Security Report

https://www.nowsecure.com/resources/mobile-security-report/en/index.html


Introductory questions

● What is a security bug, flaw, vulnerability, exploit?

● What benefit and harm can arise from embedding security personnel

in a development team?

● How do you prioritize the dramatically increasing number of mobile

vulnerabilities and best practices?


1. Focus on the data


Data best practices

Implement Secure Data Storage

NowSecure

Validate SSL / TLS

NowSecure

Certificate and Public Key Pinning

OWASP

https://www.nowsecure.com/resources/secure-mobile-development/handling-sensitive-data/implement-secure-data-storage/

https://www.nowsecure.com/resources/secure-mobile-development/handling-sensitive-data/implement-secure-data-storage/

https://www.nowsecure.com/resources/secure-mobile-development/handling-sensitive-data/fully-validate-ssl-tsl/

https://www.nowsecure.com/resources/secure-mobile-development/handling-sensitive-data/fully-validate-ssl-tsl/

https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning

https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning


2. Thwart reverse-engineering

Making your app more complex internally makes it more difficult for attackers to see how the app operates, which can reduce the number of attack vectors.

NowSecure: Secure Mobile Development Best Practices

https://www.nowsecure.com/resources/secure-mobile-development/coding-practices/code-complexity-and-obfuscation/

Strip debugging information in your release build.

Android Studio: https://developer.android.com/studio/build/shrink-code.html

https://developer.android.com/studio/build/shrink-code.html


3. Consider security part of quality

Automate or Die: Achieving continuous mobile app security & performance testing

Because tests occur later in the app development cycle, fixing the inevitable bugs that arise are more difficult and expensive. Legacy testing workflows create delays between the availability of test results and when engineers last worked on their code.

“

”

https://www.nowsecure.com/blog/2016/06/07/automate-or-die-achieving-continuous-mobile-app-security-and-performance-testing/

https://www.nowsecure.com/blog/2016/06/07/automate-or-die-achieving-continuous-mobile-app-security-and-performance-testing/


4. Embrace least privilege


Permissions are:An access control mechanism to allow mobile applications access to device resources.


50%of popular apps integrate an Ad-

library

* Some to as many as 16 different ad networks


Talking Tom app from Outfit7

Integrates with 8 Ad libraries 500M installsSusceptible to RCE

NowSecure: A Pattern for Remote Code Execution Using Arbitrary File Writes and MultiDex Applications

https://www.nowsecure.com/blog/2015/06/15/a-pattern-for-remote-code-execution-using-arbitrary-file-writes-and-multidex-applications/


5. Monitor 3rd-party protocols, code libraries, and standards implementations

80-90% of mobile software consists of re-used libraries.

Olli Jarva, Codenomicon: Third Party Components in Applications: Understanding Application Security

http://www.rsaconference.com/writable/presentations/file_upload/mbs-w08-third-party-components-in-applications-understanding-application-security_copy1.pdf



© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

of apps referencing open-source components used the latest version of some library

TechBeacon: Third-Party libraries are one of the most insecure parts of an application

http://techbeacon.com/third-party-libraries-are-one-most-insecure-parts-application

© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.

A quick recap:

1

2

3

4

5

Focus on the data

Thwart reverse-engineering

Consider security part of quality

Embrace least privilege

Monitor 3rd-party protocols, code libraries, and standards implementations

Let’s talk

+1 [email protected]

Keep tabs on the state of mobile security. Subscribe to #MobSec5 - a collection of the week’s mobile news that

matters - http://mobsec5.nowsecure.com/

Technology

5 things you must know to crush mobile security bugs