No content

Securing Mobile Devices Daiane Santos

Agenda Common Mobile Vulnerabilities OWASP Top 10 Mobile Securing Mobile Apps Obfuscation Secure Coding 01 02 03 04 05

$whoami Autist - AH/SD Mobile Security Engineer @ Nubank CTF Player and Captain @ RATF Neuroscience and Astronomy enthusiast

Common Mobile Vulnerabilities

OWASP Top 10 M1: Improper Platform Usage M2: Insecure Data Storage M3: Insecure Communication M4: Insecure Authentication M5: Insufficient Cryptography M6: Insecure Authorization M7: Client Code Quality M8: Code Tampering M9: Reverse Engineering M10: Extraneous Functionality

Unauthorized access and fraud; Intelectual property theft; Trust damaged; Negative end-user experiences; Negative, potentially permanent impact on the brand’s reputation; Ongoing financial losses; Privacy related and confidencial/sensitive data theft. Business Impact

How do I know if I'm vulnerable?

Can someone code-decrypt your app?

Can someone reverse engineer this app with automated tools?

How to Secure Mobile Devices

Source Code Encryption Penetration Tests Secure the Data-in-transit Database Encryption Cryptography 1. 2. 3. 4. 5.

6. High-level Authentication 7. Secure the Backend 8. Minimize Storage of Sensitive Data 9. Be careful with Third-Party Services

GENERAL REMOTE ATTESTATION INTEGRITY CHECKS ROOT DETECTION DEVICE BINDING SSL PINNING EMULATOR DETECTOR RESOURCES ENCRYPTION INTEGRITY CHECKS ANTI-TEMPERING APPLICATION CODE ENCRYPTION CODE OBFUSCATION ANTI-HOOK ANTI-TEMPERING CODE

Obfuscation

No content

No content

No content

No content

No content

Secure Coding Best practices according to each programming language Map security requirements at the beginning of the project Include SAST and DAST tools, and a Vulnerability Management process

References OWASP Mobile Top 10 Mobile Testing Guide Secure Coding Practices

Thank you! If you have any questions, please feel free to contact me!