SlideShare a Scribd company logo
1 of 48
Download to read offline
Smart Phones Dumb Apps
           Dan Cornell




© Copyright 2011 Denim Group - All Rights Reserved
My Background
 • Dan Cornell, founder and CTO of Denim Group
 • Software developer by background (Java, .NET, etc)
 • OWASP San Antonio, Global Membership Committee

 • Denim Group
         – Build software with special security, performance, reliability
           requirements
         – Help organizations deal with the risk associated with their software
                  • Code reviews and application assessments
                  • SDLC consulting
                  • Secure development training – instructor-led and eLearning

© Copyright 2011 Denim Group - All Rights Reserved                                1
Agenda
 •     Generic Smartphone Threat Model
 •     Sample Application
 •     What an Attacker Sees (Android Edition)
 •     What About iPhones/iPads?
 •     Special Topic: Browser URL handling
 •     Closing Thoughts
 •     Questions




© Copyright 2011 Denim Group - All Rights Reserved   2
Tradeoffs: Value versus Risk
 • Mobile applications can create tremendous value for organizations
         – New classes of applications utilizing mobile capabilities: GPS, camera, etc
         – Innovating applications for employees and customers
 • Mobile devices and mobile applications can create tremendous risks
         – Sensitive data inevitably stored on the device (email, contacts)
         – Connect to a lot of untrusted networks (carrier, WiFi)


 • Most developers are not trained to develop secure applications
         – Fact of life, but slowing getting better
 • Most developers are new to creating mobile applications
         – Different platforms have different security characteristics and capabilities




© Copyright 2011 Denim Group - All Rights Reserved                                        3
Smart Phones, Dumb Apps
 • Lots of media focus on device and platform security
         – Important because successful attacks give tremendous attacker leverage
 • Most organizations:
         –     Accept realities of device and platform security
         –     Concerned about the security of their custom applications
         –     Concerned about sensitive data on the device because of their apps
         –     Concerned about network-available resources that support their apps


 • Who has smartphone application deployed for customers?

 • Who has had smartphone applications deployed without their
   knowledge?
         – *$!%$# marketing department…

© Copyright 2011 Denim Group - All Rights Reserved                                   4
Generic Mobile Application Threat Model




© Copyright 2011 Denim Group - All Rights Reserved   5
Some Assumptions for Developers
 • Smartphone applications are essentially thick-client applications
         –     That people carry in their pockets
         –     And drop in toilets
         –     And put on eBay when the new iPhone comes out
         –     And leave on airplanes
         –     And so on…


 • Attackers will be able to access:
         – Target user (victim) devices
         – Your application binaries


 • What else should you assume they know or will find out?


© Copyright 2011 Denim Group - All Rights Reserved                     6
A Sample Application
 • Attach to your brokerage account
 • Pull stock quotes
 • Make stock purchases

 • Application on mobile device supported by enterprise and 3rd party
   web services

 • (Apologies to anyone with any sense of UI design)

 • This is intentionally nasty, but is it unrealistic?



© Copyright 2011 Denim Group - All Rights Reserved                      7
So What Does a Bad Guy See? (Android Edition)
 • Install the application onto a device
 • Root the device
 • Pull the application’s APK file onto a workstation for analysis

 • APK files are ZIP files
 • They contain:
         – AndroidManifest.xml
         – Other binary XML files in res/
         – classes.dex DEX binary code




© Copyright 2011 Denim Group - All Rights Reserved                   8
Generic Android Application Threat Model




© Copyright 2011 Denim Group - All Rights Reserved   9
What’s Up With My XML Files?
                                                     • Binary encoding

                                                     • Use axml2xml.pl to
                                                       convert them to text




                                                     http://code.google.com/p/android-random/downloads/detail?name=axml2xml.pl



© Copyright 2011 Denim Group - All Rights Reserved                                                                               10
Much Better
 • Now we see:
         – Screens in application
         – Permissions required
           by the application
         – Intents applications is
           registered to consume
         – And so on




© Copyright 2011 Denim Group - All Rights Reserved   11
Do the Same Thing With the Rest of Them
 • Recurse through the res/ subdirectory
 • UI layouts, other resources




© Copyright 2011 Denim Group - All Rights Reserved   12
What About the Code?
 • All of it is stuffed in classes.dex

 • Android phones use DEX rather than Java bytecodes
         – Register-based virtual machine rather than stack-based virtual machine


 • Options:
         – Look at DEX assembly via de-dexing
         – Convert to Java bytecode and then to Java source code




© Copyright 2011 Denim Group - All Rights Reserved                                  13
De-Dex to See DEX Assembly
                                                     • DEX bytecode ~=
                                                       Java bytecode
                                                     • All code goes in one
                                                       file
                                                     • Disassemble to DEX
                                                       assembly with dedexer


                                                     http://dedexer.sourceforge.net/
© Copyright 2011 Denim Group - All Rights Reserved                                     14
Lots of Information
 • Like the fun-fun world
   of Java disassembly
   and decompilation
         – (We‟ll get to the DEX
           decompilation in a
           moment)
 • LOTS of information
   available


© Copyright 2011 Denim Group - All Rights Reserved   15
But Can I Decompile to Java?
 • Yes
 • We
 • Can

 • Convert to Java bytecodes with dex2jar
         – http://code.google.com/p/dex2jar/
         – (Now you can run static analysis tools like Findbugs)


 • Convert to Java source code with your favorite Java decompiler
         – Everyone has a favorite Java decompiler, right?




© Copyright 2011 Denim Group - All Rights Reserved                  16
DEX Assembly Versus Java Source Code
 • De-DEXing works pretty reliably
 • DEX assembly is easy to parse with grep
 • DEX assembly is reasonably easy to manually analyze

 • Java decompilation works most of the time
 • Java source code can be tricky to parse with grep
 • Java source code is very easy to manually analyze

 • Verdict:
         – Do both!
         – Grep through DEX assembly to identify starting points for analysis
         – Analyze Java source in detail

© Copyright 2011 Denim Group - All Rights Reserved                              17
So What Did We Learn?
 • Look at the string constants
         – URLs, hostnames, web paths


 • Look at the de-DEXed assembly
         – Method calls
         – Data flow


 • Developers: BAD NEWS
         – The bad guys have all your code
         – They might understand your app better than you
         – How much sensitive intellectual property do you want to embed in your mobile
           application now?


© Copyright 2011 Denim Group - All Rights Reserved                                        18
Is There Sensitive Data On the Device?
 • Look at the disassemled DEX code

 • Grep for “File”




© Copyright 2011 Denim Group - All Rights Reserved   19
What About Java Source Code?
 • Get the source code with JD-Gui
         – http://java.decompiler.free.fr/




© Copyright 2011 Denim Group - All Rights Reserved   20
Look for Files With Bad Permissions
 • Look for file open operations using
         – Context.MODE_WORLD_READABLE
         – (translates to “1”)




© Copyright 2011 Denim Group - All Rights Reserved   21
Next: What Is On the Server-Side
 • To access sensitive data on a device:
         – Steal a device
         – Want more data?
         – Steal another device


 • To access sensitive data from web services
         – Attack the web service


 • String constants for URLs, hostnames, paths

 • Examples:
         – 3rd party web services
         – Enterprise web services
© Copyright 2011 Denim Group - All Rights Reserved   22
So Now What?
 • 3rd Party Web Services
         – Is data being treated as untrusted?
         – Google promised to “not be evil”
                  • For everyone else…


 • Enterprise Web Services
         – Did you know these were deployed?
         – Have these been tested for possible security flaws?
         – Stealing records en-masse is preferable to stealing them one-at-a-time




© Copyright 2011 Denim Group - All Rights Reserved                                  23
Web Services Example
 • Trumped up example, but based on real life

 • Given a web services endpoint, what will a bad guy do?

 • Sequence:
         –     Request a junk method “abcd”
         –     Get a “No method „abcd‟ available”
         –     Request a method “<script>alert(„hi‟);</script>”
         –     Hilarity ensues…




© Copyright 2011 Denim Group - All Rights Reserved                24
What Is Wrong With the Example Application?
 •     Sensitive data stored on the device unprotected
 •     Trusts data from 3rd party web services
 •     Exposes enterprise web services to attackers
 •     Enterprise web services vulnerable to reflected XSS attacks
 •     And so on…

 • This is a trumped-up example with concentrated vulnerabilities, but…

 • All of these reflect real-world examples of vulnerabilities
         – Public breaches
         – Application assessments


© Copyright 2011 Denim Group - All Rights Reserved                        25
What About iPhones/iPads?
 • Objective-C compiled to ARMv6, ARMv7 machine code
         – Not as fun (easy) as Java compiled to DEX bytecode
         – But … subject to buffer overflows, memory handling issues, other native code fun


 • Apps from iTunes Store
         – Encrypted
         – Used to be “easy” (well, mechanical) to break encryption with a jailbroken phone
           and a debugger
         – Now trickier (but likely not insurmountable)
         – And the default apps are not encrypted…




© Copyright 2011 Denim Group - All Rights Reserved                                            26
Run “strings” on the Binary
 • Web services endpoints: URLs, hostnames, paths

 • Objective-C calling conventions:

 [myThing doStuff:a second:b third:c];


 becomes

 obj_msgsend(myThing, “doStuff:second:third:” a, b, c);
                                             ,




© Copyright 2011 Denim Group - All Rights Reserved        27
Run “otool” on the Binary
 • otool –l <MyApp>
         – View the load commands
         – Segment info, encryption info, libraries in use


 • otool –t –v <MyApp>
         – Disassemble the text segment to ARMv6 assembly
         – If run on an encrypted application you get garbage


 • And so on…




© Copyright 2011 Denim Group - All Rights Reserved              28
Net Result for iPhone/iPad
 • More obscure
         – But does that mean more secure?


 • Can still retrieve a tremendous amount of information
 • Can still observe a running application

 • “Security” based on obscurity is not durable




© Copyright 2011 Denim Group - All Rights Reserved         29
Mobile Browser Content Handling
    • Many mobile platforms allow you to designate applications to handle
      content found in web pages
            – By URI protocol
            – By content type


    • Provide a “premium” experience for users who have the target app
      installed

    • Examples:
            – tel:// URLs initiating phone calls
            – maps:// URLs to display maps




© Copyright 2011 Denim Group - All Rights Reserved                          30
iPhone/iPad URL Schemes
 • iOS applications can
   be set up to “handle”
   certain URL schemes
 • Defined in the
   application’s Info.plist
 • Binary format:
   annoying



© Copyright 2011 Denim Group - All Rights Reserved   31
Decoding plist Files
                                                     • plutil -convert xml1 Info.plist
                                                     • Much nicer




© Copyright 2011 Denim Group - All Rights Reserved                                       32
iOS URL Handlers
 • XPath: Look for:
 /plist/dict/array/dict[key='CFBundleURLSchemes']/array/string
 • Now you know the URL Schemes the app handles

 • SANS blog post on this issue in iOS:
         – http://software-security.sans.org/blog/2010/11/08/insecure-handling-url-schemes-
           apples-
           ios/?utm_source%253Drss%2526utm_medium%253Drss%2526utm_campaign%2
           53Dinsecure-handling-url-schemes-apples-ios
         – Too long to type? http://bit.ly/ezqdK9




© Copyright 2011 Denim Group - All Rights Reserved                                            33
Android Intents
 • Intents are facilities for late-binding messaging between applications
         – http://developer.android.com/guide/topics/intents/intents-filters.html


 • One use is to allow applications to register to receive messages from
   the Browser when certain types of content are received
         – Like iOS URL Schemes but an even more comprehensive IPC mechanism




© Copyright 2011 Denim Group - All Rights Reserved                                  34
Intent Filter Example
 <intent-filter>
    <action android:name="android.intent.action.VIEW" />
    <category android:name="android.intent.category.DEFAULT" />
    <category android:name="android.intent.category.BROWSABLE" />
    <data android:scheme="danco" />
 </intent-filter>



 • Action: What to do?
 • Data: Scheme is URI “protocol” to handle
 • Category BROWSABLE: Allow this Action to be
   initiated by the browser
© Copyright 2011 Denim Group - All Rights Reserved                  35
Intent Filter Demo – Manual Launch, HTML Page




© Copyright 2011 Denim Group - All Rights Reserved   36
Intent Filter Demo – Anchor Launch, IFrame
 Launch




© Copyright 2011 Denim Group - All Rights Reserved   37
I’m a Security Tester. Why Do I Care?
 • URL handlers are remotely-accessible attack surface

 • This is a way for you to “reach out and touch” applications installed on
   a device if you can get a user to navigate to a malicious page
 • Send in arbitrary URLs via links or (easier) embedded IFRAMEs

 • Example: iOS Skype application used to automatically launch the
   Skype application and initiate a call when it encountered a skype://
   URL
         – Apple‟s native Phone handle for tel:// URLs would confirm before a call was made




© Copyright 2011 Denim Group - All Rights Reserved                                            38
I’m a Developer. Why Do I Care?
 • See the previous slide. Bad guys care. So should you. Please.

 • Content passed in via these handlers must be treated as untrusted
         – Positively validate
         – Enforce proper logic restrictions


 • All:
         – Should a malicious web page be able to cause this behavior?
                  • Make phone call, transmit location, take photo, start audio recording, etc
 • iOS:
         – Validate inputs to handleOpenURL: message
 • Android:
         – Validate data brought in from Action.getIntent() method
© Copyright 2011 Denim Group - All Rights Reserved                                               39
So What Should Developers Do?
 • Threat model your smartphone applications
         – More complicated architectures -> more opportunities for problems


 • Watch what you store on the device
         – May have PCI, HIPAA implications


 • Be careful consuming 3rd party services
         – Who do you love? Who do you trust?


 • Be careful deploying enterprise web services
         – Very attractive target for bad guys
         – Often deployed “under the radar”


© Copyright 2011 Denim Group - All Rights Reserved                             40
Secure Mobile Development Reference
 • Platform-specific recommendations
 • Key topic areas

 • Provide specific, proscriptive guidance to developers building mobile
   applications




© Copyright 2011 Denim Group - All Rights Reserved                         41
Specific Platforms
 •     iOS (iPhone, iPad)
 •     Android
 •     Blackberry (in progress)
 •     Windows Phone 7 (in progress)
         – Windows Mobile 6.5 (?)
 • Symbian (?)
 • Others (?)

 • Will be guided by demand, which is focused by new development
   activity



© Copyright 2011 Denim Group - All Rights Reserved                 42
Topics Areas
 • Topic Areas
         –     Overview of Application Development
         –     Overview of Secure Development
         –     Defeating Platform Environment Restrictions
         –     Installing Applications
         –     Application Permissions Model
         –     Local Storage
         –     Encryption APIs
         –     Network Communications
         –     Protecting Network Communications
         –     Native Code Execution
         –     Application Licensing and Payments
         –     Browser URL Handling


© Copyright 2011 Denim Group - All Rights Reserved           43
So What Should Security People Do?
 • Find out about smartphone projects
         – Not always done by your usual development teams
         – R&D, “Office of the CTO,” Marketing


 • Assess the security implications of smartphone applications
         – What data is stored on the device?
         – What services are you consuming?
         – Are new enterprise services being deployed to support the application?




© Copyright 2011 Denim Group - All Rights Reserved                                  44
Resources
 • axml2xml.pl (Convert Android XML files to normal XML)
         – http://code.google.com/p/android-random/downloads/detail?name=axml2xml.pl
 • Dedexer (Convert DEX bytecodes into DEX assembler)
         – http://dedexer.sourceforge.net/
 • Dex2jar (Convert DEX bytecode in Java bytecode)
         – http://code.google.com/p/dex2jar/
 • JD-GUI (Convert Java bytecode to Java source code)
         – http://java.decompiler.free.fr/
 • otool (Get information about iPhone binaries)
         –     http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/otool.1.html




© Copyright 2011 Denim Group - All Rights Reserved                                                                 45
Online
 • Code, slides and videos online:

         www.smartphonesdumbapps.com




© Copyright 2011 Denim Group - All Rights Reserved   46
Questions?
 Dan Cornell
 dan@denimgroup.com
 Twitter: @danielcornell

 www.denimgroup.com
 (210) 572-4400




© Copyright 2011 Denim Group - All Rights Reserved   47

More Related Content

What's hot

Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Denim Group
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security ProgramDenim Group
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationDenim Group
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Denim Group
 
The Need For Open Software Security Standards In A Mobile And Cloudy World
The Need For Open Software Security Standards In A Mobile And Cloudy WorldThe Need For Open Software Security Standards In A Mobile And Cloudy World
The Need For Open Software Security Standards In A Mobile And Cloudy WorldDenim Group
 
Social Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell YouSocial Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell YouDenim Group
 
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsThe ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsDenim Group
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSADenim Group
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesDenim Group
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Denim Group
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellDenim Group
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsDenim Group
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemDenim Group
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Denim Group
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramDenim Group
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsDenim Group
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile ApplicationsDenim Group
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesDenim Group
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramDenim Group
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Denim Group
 

What's hot (20)

Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?Software Security for Project Managers: What Do You Need To Know?
Software Security for Project Managers: What Do You Need To Know?
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
 
Benchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR OrganizationBenchmarking Web Application Scanners for YOUR Organization
Benchmarking Web Application Scanners for YOUR Organization
 
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011Software Security: Is OK Good Enough? OWASP AppSec USA 2011
Software Security: Is OK Good Enough? OWASP AppSec USA 2011
 
The Need For Open Software Security Standards In A Mobile And Cloudy World
The Need For Open Software Security Standards In A Mobile And Cloudy WorldThe Need For Open Software Security Standards In A Mobile And Cloudy World
The Need For Open Software Security Standards In A Mobile And Cloudy World
 
Social Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell YouSocial Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell You
 
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and VersionsThe ThreadFix Ecosystem: Vendors, Volunteers, and Versions
The ThreadFix Ecosystem: Vendors, Volunteers, and Versions
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
 
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security ResourcesThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
ThreadFix 2.4: Maximizing the Impact of Your Application Security Resources
 
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
Do You Have a Scanner or Do You Have a Scanning Program? (AppSecEU 2013)
 
ThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan CornellThreadFix 2.2 Preview Webinar with Dan Cornell
ThreadFix 2.2 Preview Webinar with Dan Cornell
 
SecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security ProsSecDevOps: Development Tools for Security Pros
SecDevOps: Development Tools for Security Pros
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
 
Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3Secure DevOps with ThreadFix 2.3
Secure DevOps with ThreadFix 2.3
 
ThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security ProgramThreadFix 2.1 and Your Application Security Program
ThreadFix 2.1 and Your Application Security Program
 
Running a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source ToolsRunning a Software Security Program with Open Source Tools
Running a Software Security Program with Open Source Tools
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile Applications
 
Using ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application VulnerabilitiesUsing ThreadFix to Manage Application Vulnerabilities
Using ThreadFix to Manage Application Vulnerabilities
 
Structuring and Scaling an Application Security Program
Structuring and Scaling an Application Security ProgramStructuring and Scaling an Application Security Program
Structuring and Scaling an Application Security Program
 
Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)Running a Software Security Program with Open Source Tools (Course)
Running a Software Security Program with Open Source Tools (Course)
 

Similar to Smart Phones Dumb Apps

Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code ReviewsDenim Group
 
Designing Secure Mobile Apps
Designing Secure Mobile AppsDesigning Secure Mobile Apps
Designing Secure Mobile AppsDenim Group
 
Mobile Browser Content Handling
Mobile Browser Content HandlingMobile Browser Content Handling
Mobile Browser Content HandlingDenim Group
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Skeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsSkeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsDenim Group
 
Android Security Humla Part 1
Android Security Humla Part 1Android Security Humla Part 1
Android Security Humla Part 1Nikhil Kulkarni
 
Mobile trends and impressions
Mobile trends and impressionsMobile trends and impressions
Mobile trends and impressionsShafaq Abdullah
 
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Denim Group
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...Denim Group
 
Thread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final FinalThread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final FinalRobin Lutchansky
 
BLUG 2013 - Mobile Application Delivery - Choices, choices, choices
BLUG 2013 - Mobile Application Delivery - Choices, choices, choicesBLUG 2013 - Mobile Application Delivery - Choices, choices, choices
BLUG 2013 - Mobile Application Delivery - Choices, choices, choicesRené Winkelmeyer
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)securityiphonepentest
 
Securing User Data with SQLCipher
Securing User Data with SQLCipherSecuring User Data with SQLCipher
Securing User Data with SQLCipherCommonsWare
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Denim Group
 
Midweek breather hybridapps
Midweek breather hybridappsMidweek breather hybridapps
Midweek breather hybridappsstrider1981
 
Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applicationsiphonepentest
 
Managing content in_a_mobile_world
Managing content in_a_mobile_worldManaging content in_a_mobile_world
Managing content in_a_mobile_worldQuestexConf
 
Demystifying the Mobile Container - PART I
Demystifying the Mobile Container - PART IDemystifying the Mobile Container - PART I
Demystifying the Mobile Container - PART IRelayware
 

Similar to Smart Phones Dumb Apps (20)

Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code Reviews
 
Designing Secure Mobile Apps
Designing Secure Mobile AppsDesigning Secure Mobile Apps
Designing Secure Mobile Apps
 
Mobile Browser Content Handling
Mobile Browser Content HandlingMobile Browser Content Handling
Mobile Browser Content Handling
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
Skeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited ApplicationsSkeletons in the Closet: Securing Inherited Applications
Skeletons in the Closet: Securing Inherited Applications
 
Android Security Humla Part 1
Android Security Humla Part 1Android Security Humla Part 1
Android Security Humla Part 1
 
Mobile trends and impressions
Mobile trends and impressionsMobile trends and impressions
Mobile trends and impressions
 
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
 
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
The Self Healing Cloud: Protecting Applications and Infrastructure with Autom...
 
Thread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final FinalThread Fix Tour Presentation Final Final
Thread Fix Tour Presentation Final Final
 
BLUG 2013 - Mobile Application Delivery - Choices, choices, choices
BLUG 2013 - Mobile Application Delivery - Choices, choices, choicesBLUG 2013 - Mobile Application Delivery - Choices, choices, choices
BLUG 2013 - Mobile Application Delivery - Choices, choices, choices
 
iOS application (in)security
iOS application (in)securityiOS application (in)security
iOS application (in)security
 
Securing User Data with SQLCipher
Securing User Data with SQLCipherSecuring User Data with SQLCipher
Securing User Data with SQLCipher
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android Security
 
Gl android platform
Gl android platformGl android platform
Gl android platform
 
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
Hybrid Analysis Mapping: Making Security and Development Tools Play Nice Toge...
 
Midweek breather hybridapps
Midweek breather hybridappsMidweek breather hybridapps
Midweek breather hybridapps
 
Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applications
 
Managing content in_a_mobile_world
Managing content in_a_mobile_worldManaging content in_a_mobile_world
Managing content in_a_mobile_world
 
Demystifying the Mobile Container - PART I
Demystifying the Mobile Container - PART IDemystifying the Mobile Container - PART I
Demystifying the Mobile Container - PART I
 

More from Denim Group

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4JDenim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleDenim Group
 
Application Asset Management with ThreadFix
 Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFixDenim Group
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20Denim Group
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramDenim Group
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportDenim Group
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Denim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsDenim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Denim Group
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsDenim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Denim Group
 
AppSec in a World of Digital Transformation
 AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationDenim Group
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceDenim Group
 

More from Denim Group (20)

Long-term Impact of Log4J
Long-term Impact of Log4JLong-term Impact of Log4J
Long-term Impact of Log4J
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at ScaleOptimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
 
Application Asset Management with ThreadFix
 Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 
OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20OWASP San Antonio Meeting 10/2/20
OWASP San Antonio Meeting 10/2/20
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA ProgramAppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team SportUsing Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your OrganizationSecurity Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
An Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT SystemsAn Updated Take: Threat Modeling for IoT Systems
An Updated Take: Threat Modeling for IoT Systems
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
 
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFixA New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
AppSec in a World of Digital TransformationAppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native ApplicationsThe As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
 
AppSec in a World of Digital Transformation
 AppSec in a World of Digital Transformation AppSec in a World of Digital Transformation
AppSec in a World of Digital Transformation
 
Enumerating Enterprise Attack Surface
Enumerating Enterprise Attack SurfaceEnumerating Enterprise Attack Surface
Enumerating Enterprise Attack Surface
 

Recently uploaded

Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceMartin Humpolec
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdfJamie (Taka) Wang
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.francesco barbera
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfAnna Loughnan Colquhoun
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataSafe Software
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 

Recently uploaded (20)

Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your Salesforce
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdf
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 

Smart Phones Dumb Apps

  • 1. Smart Phones Dumb Apps Dan Cornell © Copyright 2011 Denim Group - All Rights Reserved
  • 2. My Background • Dan Cornell, founder and CTO of Denim Group • Software developer by background (Java, .NET, etc) • OWASP San Antonio, Global Membership Committee • Denim Group – Build software with special security, performance, reliability requirements – Help organizations deal with the risk associated with their software • Code reviews and application assessments • SDLC consulting • Secure development training – instructor-led and eLearning © Copyright 2011 Denim Group - All Rights Reserved 1
  • 3. Agenda • Generic Smartphone Threat Model • Sample Application • What an Attacker Sees (Android Edition) • What About iPhones/iPads? • Special Topic: Browser URL handling • Closing Thoughts • Questions © Copyright 2011 Denim Group - All Rights Reserved 2
  • 4. Tradeoffs: Value versus Risk • Mobile applications can create tremendous value for organizations – New classes of applications utilizing mobile capabilities: GPS, camera, etc – Innovating applications for employees and customers • Mobile devices and mobile applications can create tremendous risks – Sensitive data inevitably stored on the device (email, contacts) – Connect to a lot of untrusted networks (carrier, WiFi) • Most developers are not trained to develop secure applications – Fact of life, but slowing getting better • Most developers are new to creating mobile applications – Different platforms have different security characteristics and capabilities © Copyright 2011 Denim Group - All Rights Reserved 3
  • 5. Smart Phones, Dumb Apps • Lots of media focus on device and platform security – Important because successful attacks give tremendous attacker leverage • Most organizations: – Accept realities of device and platform security – Concerned about the security of their custom applications – Concerned about sensitive data on the device because of their apps – Concerned about network-available resources that support their apps • Who has smartphone application deployed for customers? • Who has had smartphone applications deployed without their knowledge? – *$!%$# marketing department… © Copyright 2011 Denim Group - All Rights Reserved 4
  • 6. Generic Mobile Application Threat Model © Copyright 2011 Denim Group - All Rights Reserved 5
  • 7. Some Assumptions for Developers • Smartphone applications are essentially thick-client applications – That people carry in their pockets – And drop in toilets – And put on eBay when the new iPhone comes out – And leave on airplanes – And so on… • Attackers will be able to access: – Target user (victim) devices – Your application binaries • What else should you assume they know or will find out? © Copyright 2011 Denim Group - All Rights Reserved 6
  • 8. A Sample Application • Attach to your brokerage account • Pull stock quotes • Make stock purchases • Application on mobile device supported by enterprise and 3rd party web services • (Apologies to anyone with any sense of UI design) • This is intentionally nasty, but is it unrealistic? © Copyright 2011 Denim Group - All Rights Reserved 7
  • 9. So What Does a Bad Guy See? (Android Edition) • Install the application onto a device • Root the device • Pull the application’s APK file onto a workstation for analysis • APK files are ZIP files • They contain: – AndroidManifest.xml – Other binary XML files in res/ – classes.dex DEX binary code © Copyright 2011 Denim Group - All Rights Reserved 8
  • 10. Generic Android Application Threat Model © Copyright 2011 Denim Group - All Rights Reserved 9
  • 11. What’s Up With My XML Files? • Binary encoding • Use axml2xml.pl to convert them to text http://code.google.com/p/android-random/downloads/detail?name=axml2xml.pl © Copyright 2011 Denim Group - All Rights Reserved 10
  • 12. Much Better • Now we see: – Screens in application – Permissions required by the application – Intents applications is registered to consume – And so on © Copyright 2011 Denim Group - All Rights Reserved 11
  • 13. Do the Same Thing With the Rest of Them • Recurse through the res/ subdirectory • UI layouts, other resources © Copyright 2011 Denim Group - All Rights Reserved 12
  • 14. What About the Code? • All of it is stuffed in classes.dex • Android phones use DEX rather than Java bytecodes – Register-based virtual machine rather than stack-based virtual machine • Options: – Look at DEX assembly via de-dexing – Convert to Java bytecode and then to Java source code © Copyright 2011 Denim Group - All Rights Reserved 13
  • 15. De-Dex to See DEX Assembly • DEX bytecode ~= Java bytecode • All code goes in one file • Disassemble to DEX assembly with dedexer http://dedexer.sourceforge.net/ © Copyright 2011 Denim Group - All Rights Reserved 14
  • 16. Lots of Information • Like the fun-fun world of Java disassembly and decompilation – (We‟ll get to the DEX decompilation in a moment) • LOTS of information available © Copyright 2011 Denim Group - All Rights Reserved 15
  • 17. But Can I Decompile to Java? • Yes • We • Can • Convert to Java bytecodes with dex2jar – http://code.google.com/p/dex2jar/ – (Now you can run static analysis tools like Findbugs) • Convert to Java source code with your favorite Java decompiler – Everyone has a favorite Java decompiler, right? © Copyright 2011 Denim Group - All Rights Reserved 16
  • 18. DEX Assembly Versus Java Source Code • De-DEXing works pretty reliably • DEX assembly is easy to parse with grep • DEX assembly is reasonably easy to manually analyze • Java decompilation works most of the time • Java source code can be tricky to parse with grep • Java source code is very easy to manually analyze • Verdict: – Do both! – Grep through DEX assembly to identify starting points for analysis – Analyze Java source in detail © Copyright 2011 Denim Group - All Rights Reserved 17
  • 19. So What Did We Learn? • Look at the string constants – URLs, hostnames, web paths • Look at the de-DEXed assembly – Method calls – Data flow • Developers: BAD NEWS – The bad guys have all your code – They might understand your app better than you – How much sensitive intellectual property do you want to embed in your mobile application now? © Copyright 2011 Denim Group - All Rights Reserved 18
  • 20. Is There Sensitive Data On the Device? • Look at the disassemled DEX code • Grep for “File” © Copyright 2011 Denim Group - All Rights Reserved 19
  • 21. What About Java Source Code? • Get the source code with JD-Gui – http://java.decompiler.free.fr/ © Copyright 2011 Denim Group - All Rights Reserved 20
  • 22. Look for Files With Bad Permissions • Look for file open operations using – Context.MODE_WORLD_READABLE – (translates to “1”) © Copyright 2011 Denim Group - All Rights Reserved 21
  • 23. Next: What Is On the Server-Side • To access sensitive data on a device: – Steal a device – Want more data? – Steal another device • To access sensitive data from web services – Attack the web service • String constants for URLs, hostnames, paths • Examples: – 3rd party web services – Enterprise web services © Copyright 2011 Denim Group - All Rights Reserved 22
  • 24. So Now What? • 3rd Party Web Services – Is data being treated as untrusted? – Google promised to “not be evil” • For everyone else… • Enterprise Web Services – Did you know these were deployed? – Have these been tested for possible security flaws? – Stealing records en-masse is preferable to stealing them one-at-a-time © Copyright 2011 Denim Group - All Rights Reserved 23
  • 25. Web Services Example • Trumped up example, but based on real life • Given a web services endpoint, what will a bad guy do? • Sequence: – Request a junk method “abcd” – Get a “No method „abcd‟ available” – Request a method “<script>alert(„hi‟);</script>” – Hilarity ensues… © Copyright 2011 Denim Group - All Rights Reserved 24
  • 26. What Is Wrong With the Example Application? • Sensitive data stored on the device unprotected • Trusts data from 3rd party web services • Exposes enterprise web services to attackers • Enterprise web services vulnerable to reflected XSS attacks • And so on… • This is a trumped-up example with concentrated vulnerabilities, but… • All of these reflect real-world examples of vulnerabilities – Public breaches – Application assessments © Copyright 2011 Denim Group - All Rights Reserved 25
  • 27. What About iPhones/iPads? • Objective-C compiled to ARMv6, ARMv7 machine code – Not as fun (easy) as Java compiled to DEX bytecode – But … subject to buffer overflows, memory handling issues, other native code fun • Apps from iTunes Store – Encrypted – Used to be “easy” (well, mechanical) to break encryption with a jailbroken phone and a debugger – Now trickier (but likely not insurmountable) – And the default apps are not encrypted… © Copyright 2011 Denim Group - All Rights Reserved 26
  • 28. Run “strings” on the Binary • Web services endpoints: URLs, hostnames, paths • Objective-C calling conventions: [myThing doStuff:a second:b third:c]; becomes obj_msgsend(myThing, “doStuff:second:third:” a, b, c); , © Copyright 2011 Denim Group - All Rights Reserved 27
  • 29. Run “otool” on the Binary • otool –l <MyApp> – View the load commands – Segment info, encryption info, libraries in use • otool –t –v <MyApp> – Disassemble the text segment to ARMv6 assembly – If run on an encrypted application you get garbage • And so on… © Copyright 2011 Denim Group - All Rights Reserved 28
  • 30. Net Result for iPhone/iPad • More obscure – But does that mean more secure? • Can still retrieve a tremendous amount of information • Can still observe a running application • “Security” based on obscurity is not durable © Copyright 2011 Denim Group - All Rights Reserved 29
  • 31. Mobile Browser Content Handling • Many mobile platforms allow you to designate applications to handle content found in web pages – By URI protocol – By content type • Provide a “premium” experience for users who have the target app installed • Examples: – tel:// URLs initiating phone calls – maps:// URLs to display maps © Copyright 2011 Denim Group - All Rights Reserved 30
  • 32. iPhone/iPad URL Schemes • iOS applications can be set up to “handle” certain URL schemes • Defined in the application’s Info.plist • Binary format: annoying © Copyright 2011 Denim Group - All Rights Reserved 31
  • 33. Decoding plist Files • plutil -convert xml1 Info.plist • Much nicer © Copyright 2011 Denim Group - All Rights Reserved 32
  • 34. iOS URL Handlers • XPath: Look for: /plist/dict/array/dict[key='CFBundleURLSchemes']/array/string • Now you know the URL Schemes the app handles • SANS blog post on this issue in iOS: – http://software-security.sans.org/blog/2010/11/08/insecure-handling-url-schemes- apples- ios/?utm_source%253Drss%2526utm_medium%253Drss%2526utm_campaign%2 53Dinsecure-handling-url-schemes-apples-ios – Too long to type? http://bit.ly/ezqdK9 © Copyright 2011 Denim Group - All Rights Reserved 33
  • 35. Android Intents • Intents are facilities for late-binding messaging between applications – http://developer.android.com/guide/topics/intents/intents-filters.html • One use is to allow applications to register to receive messages from the Browser when certain types of content are received – Like iOS URL Schemes but an even more comprehensive IPC mechanism © Copyright 2011 Denim Group - All Rights Reserved 34
  • 36. Intent Filter Example <intent-filter> <action android:name="android.intent.action.VIEW" /> <category android:name="android.intent.category.DEFAULT" /> <category android:name="android.intent.category.BROWSABLE" /> <data android:scheme="danco" /> </intent-filter> • Action: What to do? • Data: Scheme is URI “protocol” to handle • Category BROWSABLE: Allow this Action to be initiated by the browser © Copyright 2011 Denim Group - All Rights Reserved 35
  • 37. Intent Filter Demo – Manual Launch, HTML Page © Copyright 2011 Denim Group - All Rights Reserved 36
  • 38. Intent Filter Demo – Anchor Launch, IFrame Launch © Copyright 2011 Denim Group - All Rights Reserved 37
  • 39. I’m a Security Tester. Why Do I Care? • URL handlers are remotely-accessible attack surface • This is a way for you to “reach out and touch” applications installed on a device if you can get a user to navigate to a malicious page • Send in arbitrary URLs via links or (easier) embedded IFRAMEs • Example: iOS Skype application used to automatically launch the Skype application and initiate a call when it encountered a skype:// URL – Apple‟s native Phone handle for tel:// URLs would confirm before a call was made © Copyright 2011 Denim Group - All Rights Reserved 38
  • 40. I’m a Developer. Why Do I Care? • See the previous slide. Bad guys care. So should you. Please. • Content passed in via these handlers must be treated as untrusted – Positively validate – Enforce proper logic restrictions • All: – Should a malicious web page be able to cause this behavior? • Make phone call, transmit location, take photo, start audio recording, etc • iOS: – Validate inputs to handleOpenURL: message • Android: – Validate data brought in from Action.getIntent() method © Copyright 2011 Denim Group - All Rights Reserved 39
  • 41. So What Should Developers Do? • Threat model your smartphone applications – More complicated architectures -> more opportunities for problems • Watch what you store on the device – May have PCI, HIPAA implications • Be careful consuming 3rd party services – Who do you love? Who do you trust? • Be careful deploying enterprise web services – Very attractive target for bad guys – Often deployed “under the radar” © Copyright 2011 Denim Group - All Rights Reserved 40
  • 42. Secure Mobile Development Reference • Platform-specific recommendations • Key topic areas • Provide specific, proscriptive guidance to developers building mobile applications © Copyright 2011 Denim Group - All Rights Reserved 41
  • 43. Specific Platforms • iOS (iPhone, iPad) • Android • Blackberry (in progress) • Windows Phone 7 (in progress) – Windows Mobile 6.5 (?) • Symbian (?) • Others (?) • Will be guided by demand, which is focused by new development activity © Copyright 2011 Denim Group - All Rights Reserved 42
  • 44. Topics Areas • Topic Areas – Overview of Application Development – Overview of Secure Development – Defeating Platform Environment Restrictions – Installing Applications – Application Permissions Model – Local Storage – Encryption APIs – Network Communications – Protecting Network Communications – Native Code Execution – Application Licensing and Payments – Browser URL Handling © Copyright 2011 Denim Group - All Rights Reserved 43
  • 45. So What Should Security People Do? • Find out about smartphone projects – Not always done by your usual development teams – R&D, “Office of the CTO,” Marketing • Assess the security implications of smartphone applications – What data is stored on the device? – What services are you consuming? – Are new enterprise services being deployed to support the application? © Copyright 2011 Denim Group - All Rights Reserved 44
  • 46. Resources • axml2xml.pl (Convert Android XML files to normal XML) – http://code.google.com/p/android-random/downloads/detail?name=axml2xml.pl • Dedexer (Convert DEX bytecodes into DEX assembler) – http://dedexer.sourceforge.net/ • Dex2jar (Convert DEX bytecode in Java bytecode) – http://code.google.com/p/dex2jar/ • JD-GUI (Convert Java bytecode to Java source code) – http://java.decompiler.free.fr/ • otool (Get information about iPhone binaries) – http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/otool.1.html © Copyright 2011 Denim Group - All Rights Reserved 45
  • 47. Online • Code, slides and videos online: www.smartphonesdumbapps.com © Copyright 2011 Denim Group - All Rights Reserved 46
  • 48. Questions? Dan Cornell dan@denimgroup.com Twitter: @danielcornell www.denimgroup.com (210) 572-4400 © Copyright 2011 Denim Group - All Rights Reserved 47