Securing Mobile Devices

Securing Mobile Devices Daiane Santos

Agenda Common Mobile Vulnerabilities OWASP Top 10 Mobile Securing Mobile
Apps Obfuscation Secure Coding 01 02 03 04 05

$whoami Autist - AH/SD Mobile Security Engineer @ Nubank CTF
Player and Captain @ RATF Neuroscience and Astronomy enthusiast

Common Mobile Vulnerabilities

OWASP Top 10 M1: Improper Platform Usage M2: Insecure Data
Storage M3: Insecure Communication M4: Insecure Authentication M5: Insufficient Cryptography M6: Insecure Authorization M7: Client Code Quality M8: Code Tampering M9: Reverse Engineering M10: Extraneous Functionality

Unauthorized access and fraud; Intelectual property theft; Trust damaged; Negative
end-user experiences; Negative, potentially permanent impact on the brand’s reputation; Ongoing financial losses; Privacy related and confidencial/sensitive data theft. Business Impact

How do I know if I'm vulnerable?

Can someone code-decrypt your app?

Can someone reverse engineer this app with automated tools?

How to Secure Mobile Devices

Source Code Encryption Penetration Tests Secure the Data-in-transit Database Encryption
Cryptography 1. 2. 3. 4. 5.

6. High-level Authentication 7. Secure the Backend 8. Minimize Storage
of Sensitive Data 9. Be careful with Third-Party Services

GENERAL REMOTE ATTESTATION INTEGRITY CHECKS ROOT DETECTION DEVICE BINDING SSL
PINNING EMULATOR DETECTOR RESOURCES ENCRYPTION INTEGRITY CHECKS ANTI-TEMPERING APPLICATION CODE ENCRYPTION CODE OBFUSCATION ANTI-HOOK ANTI-TEMPERING CODE

Obfuscation

Secure Coding Best practices according to each programming language Map
security requirements at the beginning of the project Include SAST and DAST tools, and a Vulnerability Management process

References OWASP Mobile Top 10 Mobile Testing Guide Secure Coding
Practices

Thank you! If you have any questions, please feel free
to contact me!

Securing Mobile Devices

Securing Mobile Devices

Daiane Santos

More Decks by Daiane Santos

Featured

Transcript