Slide 1

How to become your app’s “Security Champion”
Ed Holloway-George @ Android Worldwide, Jan 2023
@sp4ghetticode - spght.dev

Slide 2

Ed Holloway-George
Senior Android @ ASOS & Android GDE
• Mobile security enthusiast
• I like to tweet/toot/blog/talk about interesting things*
Follow me for more! #androidww spght.dev/talks
That’s not! That’s me!
* Your experience may differ

Slide 3

What’s coming up: talk overview
This talk covers:
• A reminder of why mobile security is important
• How to begin a security champion program
• How to become a ‘security champion’ 👑

Slide 4

What’s coming up: talk overview
This talk is:
1. Not endorsed by my employer (or anyone else!)
2. For educational purposes only
3. A more ‘strategic’ talk about mobile security
4. Recorded, but the slides are already available online

Slide 5

Why should developers care about mobile security?

Slide 6

Why should we care?
1. The mobile attack surface is HUGE and growing
• Android most recently announced 3 billion active devices
• Doesn’t include devices using ‘alternative stores’
• Myriad of devices running Android forks, new form factors etc.
Sources: Google I/O 22

Slide 7

Why should we care?
2. Growing financial incentives for malicious actors
• Recent rise of ‘Web 3.0’ / Crypto
• $2.0 billion in cryptocurrencies stolen (+60% on 2021)
• 70% of all fraud occurs on mobile
Sources: AppDome, Guardsquare

Slide 8

Why should we care?
3. Implementing basic mobile security is not difficult
• “It takes years to build a reputation and a few minutes of a cyber-incident to ruin it.”
Quote: Stéphane Nappo

Slide 9

It’s also quite neglected 😅
No shame in 2nd place 🥈
Sources: My followers!, Twitter

Slide 10

Things do go wrong… e.g. Walgreens 2020
Sources: Bleeping Computer, threatpost

Slide 11

Things do go wrong… e.g. Walgreens 2020
Sued $5m+
Sources: Bleeping Computer, threatpost

Slide 12

Things do go wrong… e.g. Klarna 2021
Source: Twitter

Slide 13

Things do go wrong… e.g. Klarna 2021
Lots of very angry customers
Source: Twitter

Slide 14

People are d*cks… 🦆 (That’s what I mean of course!)
e.g. Bad actors exist on the Google Play Store
• McAfee recently found 16 malicious apps with 20m+ downloads
• All 16 contained auto-clicker ‘adware’
• All originally passed Play Store safety checks (but are removed now)
Source: McAfee

Slide 15

People are d*cks… 🦆 (That’s what I mean of course!)
e.g. ‘Attack of the Clones’
Sources: Google, Reddit

Slide 16

What the heck is a security champion anyway?

Slide 17

In an ideal world… (diagram: CyberSec)

Slide 18

In an ideal world… (diagram: CyberSec, Other Teams)

Slide 19

In an ideal world… (diagram: CyberSec, Other Teams, “You are here (probably)”)

Slide 20

In an ideal world… (diagram: CyberSec, Other Teams, 👑 Champions)

Slide 21

Surprise: You are already one

Slide 22

But, just not yet… The lifecycle of a security champion
The beginning:
• Someone interested in mobile security
• Looking to improve the security culture in your organisation
• Someone willing to learn and/or lead by example
• Pass on knowledge to others internally

Slide 23

But, just not yet… The lifecycle of a security champion
What we want to gain:
• Knowledge of the key areas in mobile security
• Write code with security in mind
• Follow security best practices
• Your app is more secure as a result

Slide 24

But, just not yet… The lifecycle of a security champion
The end goals:
• 🥉 Full leadership buy-in
• 🥈 Non-security people performing security-related tasks
• 🥇 A self-sufficient Security Champion ✨ ‘program’ ✨

Slide 25

How do we set a security champion program up? 😅

Slide 26

How to set up a champion program? A lightning guide to its key principles ⚡
• Vision 🔮
• Participants 🧑🍳👷👩🔬👩🔧
• Environment 🏦🏚
• Concept 📝
• Incentive 🧠
• Delivery 📬✨
• Tuning 🔧🔄
Source: securitychampionsuccessguide.org

Slide 27

How to kick-off a security champion program today*
Quick wins:
• Find a handful of like-minded engineers or individuals
• Start a regular lunch + learn / brown bag session
• Make noise internally about what you are doing
• Raise the profile of security tasks within your app
• Speak to your manager and/or CISO!
* After the conference

Slide 28

Success Stories 👑 Security Champions
• Fivetran - Global data warehousing company
• Launched program in May 2022
• Initially focused on participation, training and awareness
• Over time, increased emphasis on performing actions
• Implemented gamification
• 10% of entire company now signed-up 😱
Source: Dustin Lehr

Slide 29

Your brand new security champion program: Lunch + Learn #1 😅

Slide 30

Some quick-ish ideas to get you started…
1. Perform SAST on your app and discuss results 🔐

Slide 31

MobSF (mobsf.github.io)

Slide 32

MobSF (mobsf.github.io)
• General ‘score’ and overview of security concerns

Slide 33

MobSF (mobsf.github.io)
• General ‘score’ and overview of security concerns
• Prioritised list of security issues with links to further info/resources

Slide 34

MobSF (mobsf.github.io)

Slide 35

MobSF (mobsf.github.io)
• Overview of uploaded app

Slide 36

MobSF (mobsf.github.io)
• Overview of uploaded app
• Perform dynamic analysis on your application

Slide 37

Next steps…
• Take report to your team / management
• Scare them.
• Action high priority issues
• Show measurable improvement in the long term
• Actively monitor going forwards

Slide 38

Some quick-ish ideas to get you started…
1. Perform SAST on your app and discuss results 🔐
2. Ensure your ProGuard/R8 rules are strict enough ✍

Slide 39

‘ProGuard Playground’ by GuardSquare (playground.proguard.com)

Slide 40

‘ProGuard Playground’ by GuardSquare (playground.proguard.com)
• Editable ProGuard/R8 rules

Slide 41

‘ProGuard Playground’ by GuardSquare (playground.proguard.com)
• Uploaded APK / JAR: classes, methods & fields
• Editable ProGuard/R8 rules

Slide 42

‘ProGuard Playground’ by GuardSquare (playground.proguard.com)
• Uploaded APK / JAR: classes, methods & fields
• Interactive display of your custom rules in action (No app building needed!)
• Editable ProGuard/R8 rules

Slide 43

Next steps…
• Use the playground to improve your rules
• Test for any unexpected behaviours
• Explore the ProGuard documentation
• Get smaller, optimised and more secure builds
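As an added example (not part of the talk or of the ProGuard Playground), a small Python linter for a proguard-rules.pro file that flags the rule patterns which leave a release build easy to read: switched-off shrinking/obfuscation, a keep rule that matches every class, and a kept SourceFile attribute without -renamesourcefileattribute. The directive names are real ProGuard/R8 ones; both rule files below are constructed for the demo.

```python
import re

# Directives that switch off the protections the playground is meant to help you tighten.
DISABLING = {
    "-dontobfuscate": "obfuscation is off: class and method names ship exactly as written",
    "-dontshrink": "shrinking is off: unused classes and dead code stay in the APK",
    "-dontoptimize": "optimisation is off: larger output with more of the original structure",
}
# A keep rule whose class specifier is just '*' or '**' keeps (and names) every class.
BROAD_KEEP = re.compile(
    r"^-keep\w*\s+(?:\w+\s+)*?(?:class|interface|enum)\s+\*{1,2}\s*(?:\{\s*\*;?\s*\})?$")


def lint_rules(text: str) -> list:
    """Return (line_number, finding) pairs for weak rules in a proguard-rules.pro file."""
    findings = []
    has_rename = "-renamesourcefileattribute" in text
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in ProGuard syntax
        if not line:
            continue
        directive = line.split()[0]
        if directive in DISABLING:
            findings.append((number, DISABLING[directive]))
        elif BROAD_KEEP.match(line):
            findings.append((number, "keep rule matches every class: nothing is shrunk or renamed"))
        elif directive == "-keepattributes" and "SourceFile" in line and not has_rename:
            findings.append((number, "SourceFile kept without -renamesourcefileattribute: "
                                     "original source file names stay in the build"))
    return findings


# Constructed sample rule files for the demo (not from a real project).
SAMPLE_RULES = """\
# constructed proguard-rules.pro
-dontobfuscate
-keep class ** { *; }
-keepattributes SourceFile,LineNumberTable
-keep class com.example.app.model.** { *; }  # scoped keep for reflection-based models: acceptable
"""
HARDENED_RULES = """\
-keep class com.example.app.model.** { *; }
-keepattributes SourceFile,LineNumberTable
-renamesourcefileattribute SourceFile
"""
```

Run `lint_rules(open("proguard-rules.pro").read())` against your own module to get the same (line, finding) list; the scoped keep in the sample is left alone on purpose, since keeping a narrow reflection-based package is normal.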

Slide 44

Some quick-ish ideas to get you started…
1. Perform SAST on your app and discuss results 🔐
2. Ensure your ProGuard/R8 rules are strict enough ✍
3. Decompile your app and take a poke around 🔧

Slide 45

Reverse Engineering 101 (Please use responsibly)
• Your APK is just a ZIP file with ✨extra spice✨
• Rename app.apk to app.zip
• Unzip it
• ???
• Profit
• A wild folder with lots of funky files appeared! 🤪

Slide 46

Reverse Engineering: The innards of your APK
• .dex files are Dalvik Executable files
• Similar to Java .class files but run on Android’s JVM
• Contains Dalvik byte code
• Possible to convert back to its original source code (lossy process)
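The “your APK is just a ZIP” point from slide 45 and the .dex entries from slide 46, as an added Python example that is not part of the talk: it opens an APK with the standard zipfile module, decodes the published 0x70-byte DEX header of every classes*.dex entry (magic, format version, Adler-32 checksum, the size/offset table, so you can see how many classes a decompiler will get) and lists the native libraries. The sample APK is constructed in memory and holds only a bare DEX header, not a real app.

```python
import io
import struct
import zipfile
import zlib

# Published DEX header layout (0x70 bytes): magic, Adler-32 checksum, SHA-1 signature,
# then 20 little-endian u32 size/offset fields (names as in the dex format spec).
DEX_HEADER = struct.Struct("<8sI20s" + "I" * 20)
FIELD_NAMES = ("file_size", "header_size", "endian_tag", "link_size", "link_off",
               "map_off", "string_ids_size", "string_ids_off", "type_ids_size",
               "type_ids_off", "proto_ids_size", "proto_ids_off", "field_ids_size",
               "field_ids_off", "method_ids_size", "method_ids_off",
               "class_defs_size", "class_defs_off", "data_size", "data_off")

def parse_dex_header(blob: bytes) -> dict:
    """Decode the header of a classes*.dex entry and verify its checksum."""
    if len(blob) < DEX_HEADER.size or blob[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    magic, checksum, _signature, *sizes = DEX_HEADER.unpack_from(blob)
    info = dict(zip(FIELD_NAMES, sizes))
    info["version"] = magic[4:7].decode()  # e.g. "035"
    # The Adler-32 covers everything after the magic and checksum fields (offset 12 on).
    info["checksum_ok"] = zlib.adler32(blob[12:]) == checksum
    return info

def inspect_apk(apk_bytes: bytes) -> dict:
    """Open the APK as the ZIP it is and summarise what a decompiler sees first."""
    summary = {"dex": {}, "native_libs": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.endswith(".dex"):
                summary["dex"][name] = parse_dex_header(apk.read(name))
            elif name.startswith("lib/") and name.endswith(".so"):
                summary["native_libs"].append(name)
    return summary

def build_sample_apk() -> bytes:
    """Constructed sample: a ZIP holding a bare DEX header (2 class defs), not a real app."""
    header = bytearray(DEX_HEADER.pack(b"dex\n035\0", 0, b"\0" * 20, DEX_HEADER.size,
                                       0x70, 0x12345678, 0, 0, 0, 3, 0x70, 1, 0, 0, 0,
                                       0, 0, 1, 0, 2, 0, 0, 0))
    struct.pack_into("<I", header, 8, zlib.adler32(bytes(header[12:])))  # fill checksum
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<constructed placeholder>")
        apk.writestr("classes.dex", bytes(header))
        apk.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF placeholder")
    return buf.getvalue()
```

On a real build, `inspect_apk(open("app-release.apk", "rb").read())` reports every dex entry’s class count and checksum; a checksum mismatch means the entry was modified after packaging, which is worth knowing before anyone else points it out.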

Slide 47

JADX (github.com/skylot/jadx)
• Decompiles Android files: .apk, .aar, .class, .dex, .smali and more…

Slide 48

JADX (github.com/skylot/jadx)
• Shows decompiled file packages, classes & methods

Slide 49

JADX (github.com/skylot/jadx)
• Shows decompiled file packages, classes & methods
• Java representation of your code

Slide 50

Next steps…
• Use this approach to ensure you aren’t exposing yourself 🤭
• If you can reverse engineer your app, so can anyone!
• Make extra sure your obfuscation is working
• Look into other tools such as Snyk, SonarQube, AppSweep & more…

Slide 51

If you do one thing today… Visit securitychampionsuccessguide.org

Slide 52

Thank you for watching.

Slide 53

EOF spght.dev/talks