
How to become your app’s “Security Champion”

Ed George
October 28, 2022


In this session, we will take an introductory look at mobile security, the threats we face as mobile developers and the steps you can take to become a 'security champion' for your app to protect your business and, most importantly, your users.

Visit spght.dev/talks for more


Transcript

  1. @sp4ghetticode - spght.dev How to become your app's "Security Champion" · Ed Holloway-George @ Droidcon London 2022

  2. Ed Holloway-George, Senior Android @ ASOS • Mobile security enthusiast • I like to tweet/blog/talk about interesting things* • Follow me for more! #dcldn22 • spght.dev/talks (* Your experience may differ) · "That's not! That's me!"
  3. Why should developers care about mobile security?

  4. Why should we care? 1. The mobile attack surface is HUGE and growing • Android most recently announced 3 billion active devices • Doesn't include devices using 'alternative stores' • Myriad of devices running Android forks, new form factors etc. Source: Google I/O '21

  5. Why should we care? 2. Growing financial incentives for malicious actors • Recent rise of 'Web 3.0' / crypto • $2.0 billion in cryptocurrencies stolen (+60% 2021) • 70% of all fraud occurs on mobile Sources: AppDome, Guardsquare

  6. Why should we care? 3. Implementing basic mobile security is not difficult • "It takes years to build a reputation and a few minutes of a cyber-incident to ruin it." Quote: Stéphane Nappo
  7. It's also quite neglected 😅 Source: my followers (Twitter poll) · No shame in 2nd place

  8. Things do go wrong… e.g. Walgreens 2020 Sources: Bleeping Computer, threatpost

  9. Things do go wrong… e.g. Walgreens 2020 · Sued for $5m+ Sources: Bleeping Computer, threatpost

  10. Things do go wrong… e.g. Klarna 2021 Source: Twitter

  11. Things do go wrong… e.g. Klarna 2021 · Lots of very angry customers Source: Twitter

  12. People are d*cks… 🦆 (ducks, that's what I mean of course!) e.g. Bad actors exist on the Google Play Store • McAfee recently found 16 malicious apps with 20m+ downloads • All 16 contained auto-clicker 'adware' • All originally passed Play Store safety checks (but are removed now) Source: McAfee

  13. People are d*cks… 🦆 (ducks, that's what I mean of course!) e.g. 'Attack of the Clones' Sources: Google, Reddit
  14. What the heck is a security champion anyway?

  15. In an ideal world… CyberSec

  16. In an ideal world… CyberSec · Other Teams

  17. In an ideal world… CyberSec · Other Teams · You are here (probably)

  18. In an ideal world… CyberSec · Other Teams · 👑 Champions

  19. Surprise: You are already one

  20. But, just not yet… The lifecycle of a security champion • The beginning • Someone interested in mobile security • Looking to improve the security culture in your organisation • Someone willing to learn and/or lead by example • Pass on knowledge to others internally

  21. But, just not yet… The lifecycle of a security champion • What we want to gain • Knowledge of the key areas in mobile security • Write code with security in mind • Follow security best practices • Your app is more secure as a result

  22. But, just not yet… The lifecycle of a security champion • The end goals • 🥉 Full leadership buy-in • 🥈 Non-security people performing security-related tasks • 🥇 A self-sufficient Security Champion 'program'

  23. How do we set a security champion program up? 😅

  24. How to set up a champion program? A lightning guide to its key principles ⚡ • Vision 🔮 • Participants 🧑‍🍳👷👩‍🔬👩‍🔧 • Environment 🏦🏚 • Concept 📝 • Incentive 🧠 • Delivery 📬✨ • Tuning 🔧🔄 Source: securitychampionsuccessguide.org
  25. Quick wins: how to kick off a security champion program today* • Find a handful of like-minded engineers or individuals • Start a regular lunch + learn / brown bag session • Make noise internally about what you are doing • Raise the profile of security tasks within your app • Speak to your manager and/or CISO! (* After the conference)

  26. Success Stories 👑 Security Champions • Fivetran - Global data warehousing company • Launched program in May • Initially focused on participation, training and awareness • Over time, increased emphasis on performing actions • Implemented gamification • 10% of entire company now signed up 😱 Source: Dustin Lehr

  27. Your brand new security champion program: Lunch + Learn #1 😅

  28. Some quick-ish ideas to get you started… 1. Perform SAST on your app and discuss results 🔐
  29. mobsf.github.io MobSF

  30. mobsf.github.io MobSF · General 'score' and overview of security concerns

  31. mobsf.github.io MobSF · General 'score' and overview of security concerns · Prioritised list of security issues with links to further info/resources

  32. mobsf.github.io MobSF

  33. mobsf.github.io MobSF · Overview of uploaded app

  34. mobsf.github.io MobSF · Overview of uploaded app · Perform dynamic analysis on your application

  35. Next steps… • Take report to your team / management • Scare them. • Action high priority issues • Show measurable improvement in the long term • Actively monitor going forwards
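One way to turn the MobSF report from a one-off lunch-and-learn exhibit into the "actively monitor going forwards" step is to drive MobSF's REST API from CI and fail the build when the scorecard regresses. The script below is an added example, not code from the talk or from MobSF itself: it assumes a MobSF server at MOBSF_URL with its API key in MOBSF_API_KEY, uses the documented /api/v1/upload, /api/v1/scan and /api/v1/scorecard endpoints, and the scorecard field names it reads (security_score, high, warning) are assumed from current MobSF releases and should be checked against what your server actually returns. The gate() policy is kept pure so it can be exercised offline on the constructed sample scorecard.

```python
"""Gate a CI build on a MobSF static-analysis scorecard.

Added example, not from the talk or from MobSF itself. Assumes a MobSF server
reachable at MOBSF_URL with its REST API key in MOBSF_API_KEY.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
import uuid

MOBSF_URL = os.environ.get("MOBSF_URL", "http://127.0.0.1:8000")  # assumed local instance
API_KEY = os.environ.get("MOBSF_API_KEY", "")  # printed by MobSF on start-up / shown in the UI

# Constructed sample in the shape of /api/v1/scorecard (field names assumed from
# current MobSF releases); lets the policy check run without a server.
SAMPLE_SCORECARD = {
    "security_score": 43,
    "high": [
        {"title": "Debug Enabled For App [android:debuggable=true]"},
        {"title": "App can be installed on a vulnerable Android version"},
    ],
    "warning": [{"title": "Application Data can be Backed up [android:allowBackup=true]"}],
    "info": [],
}


def _post(path, form=None, body=None, content_type=None):
    """POST to MobSF with the API-key Authorization header; returns parsed JSON."""
    if body is None:
        body = urllib.parse.urlencode(form or {}).encode()
        content_type = "application/x-www-form-urlencoded"
    req = urllib.request.Request(MOBSF_URL + path, data=body, method="POST")
    req.add_header("Authorization", API_KEY)
    req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req, timeout=900) as resp:  # static scans can take minutes
        return json.loads(resp.read())


def upload_apk(path):
    """Multipart upload of the APK; MobSF identifies the file by the returned hash."""
    boundary = uuid.uuid4().hex
    with open(path, "rb") as f:
        payload = (
            f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
            f'filename="{os.path.basename(path)}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n"
        ).encode() + f.read() + f"\r\n--{boundary}--\r\n".encode()
    return _post("/api/v1/upload", body=payload,
                 content_type=f"multipart/form-data; boundary={boundary}")["hash"]


def scan_and_score(apk_hash):
    """Run the static analysis, then fetch the summarised scorecard."""
    _post("/api/v1/scan", form={"hash": apk_hash})
    return _post("/api/v1/scorecard", form={"hash": apk_hash})


def gate(scorecard, min_score=70, max_high=0):
    """Pure policy check returning (passed, reasons). Ratchet the thresholds up as the
    app improves so the bar only ever rises: that is the measurable improvement."""
    highs = scorecard.get("high", [])
    score = scorecard.get("security_score", 0)
    reasons = []
    if len(highs) > max_high:
        titles = "; ".join(h.get("title", "?") for h in highs)
        reasons.append(f"{len(highs)} high-severity finding(s) (max {max_high}): {titles}")
    if score < min_score:
        reasons.append(f"security score {score} is below the minimum {min_score}")
    return (not reasons, reasons)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python mobsf_gate.py app-release.apk
        card = scan_and_score(upload_apk(sys.argv[1]))
    else:                  # no APK given: exercise the policy on the constructed sample
        card = SAMPLE_SCORECARD
    passed, why = gate(card)
    print("PASS" if passed else "FAIL: " + " | ".join(why))
    sys.exit(0 if passed else 1)
```

Run it as a release-pipeline step with the APK path; the non-zero exit on FAIL is what makes the scorecard a gate rather than a dashboard. Keep max_high at zero from day one and raise min_score only, so the team never has to argue about which high-severity findings are "acceptable".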
  36. Some quick-ish ideas to get you started… 1. Perform SAST on your app and discuss results 🔐 2. Ensure your ProGuard/R8 rules are strict enough ✍

  37. playground.proguard.com 'ProGuard Playground' by Guardsquare

  38. playground.proguard.com 'ProGuard Playground' by Guardsquare · Editable ProGuard/R8 rules

  39. playground.proguard.com 'ProGuard Playground' by Guardsquare · Uploaded APK / JAR · Classes, methods & fields · Editable ProGuard/R8 rules

  40. playground.proguard.com 'ProGuard Playground' by Guardsquare · Uploaded APK / JAR · Classes, methods & fields · Interactive display of your custom rules in action (no app building needed!) · Editable ProGuard/R8 rules

  41. Next steps… • Use the playground to improve your rules • Test for any unexpected behaviours • Explore the ProGuard documentation • Get smaller, optimised and more secure builds • Droidcon bonus: Visit their booth downstairs 🥰
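The playground shows what a rule set will do before a build; once you have a minified release build, the mapping.txt that R8 writes (normally app/build/outputs/mapping/release/mapping.txt) shows what the rules actually did. The script below is an added example, not from the talk, R8 or Guardsquare: it parses the class lines ("original -> obfuscated:") and indented member lines ("type name -> obfuscated", optionally wrapped in line-number ranges) that R8 and ProGuard emit, and lists the classes in your own package that kept every name, which is the usual fingerprint of an over-broad -keep rule. The sample mapping is constructed. Manifest-referenced entry points such as Activities are legitimately kept, so read the output as a review queue, not a bug list.

```python
"""List classes that survived R8/ProGuard with their names intact.

Added example, not from the talk, R8 or Guardsquare. Reads the mapping.txt that
R8 writes for a minified release build and reports, per package prefix, which
classes kept their original class and member names.
"""
import re
import sys

# Constructed sample mapping.txt, not taken from a real app. TokenStore is fully
# renamed; PriceEngine keeps every name, which is what an over-broad rule such as
# "-keep class com.example.app.** { *; }" produces.
SAMPLE_MAPPING = """\
# compiler: R8
# compiler_version: 3.3.28
# min_api: 21
com.example.app.MainActivity -> com.example.app.MainActivity:
    1:1:void onCreate(android.os.Bundle):42:42 -> onCreate
com.example.app.net.TokenStore -> a.b.c:
    java.lang.String secret -> a
    1:1:java.lang.String getToken():12:12 -> b
    2:2:void clear():18:18 -> c
com.example.app.billing.PriceEngine -> com.example.app.billing.PriceEngine:
    double markup -> markup
    1:3:double applyDiscount(double,java.lang.String):20:22 -> applyDiscount
"""

CLASS_RE = re.compile(r"^(\S+) -> (\S+):$")
# optional "from:to:" prefix, return/field type, name, optional "(args)", optional ":from:to"
MEMBER_RE = re.compile(
    r"^\s+(?:\d+:\d+:)?(\S+) ([^\s(]+)(?:\([^)]*\))?(?::\d+:\d+)? -> (\S+)$"
)


def parse_mapping(text):
    """Return {original_class: (obfuscated_class, [(original_member, obfuscated_member), ...])}."""
    classes = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # header comments and R8's per-class "# {...}" metadata lines
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            classes[current] = (m.group(2), [])
            continue
        m = MEMBER_RE.match(line)
        if m and current is not None:
            classes[current][1].append((m.group(2), m.group(3)))
    return classes


def unobfuscated_classes(mapping, package_prefix):
    """Classes under package_prefix whose class name and every member name survived."""
    return sorted(
        orig for orig, (obf, members) in mapping.items()
        if orig.startswith(package_prefix)
        and orig == obf and all(o == n for o, n in members)
    )


def renamed_fraction(mapping, package_prefix):
    """Share of your own classes that R8 renamed; track it release over release."""
    own = [(o, b) for o, (b, _) in mapping.items() if o.startswith(package_prefix)]
    return sum(1 for o, b in own if o != b) / len(own) if own else 0.0


if __name__ == "__main__":
    # python check_mapping.py app/build/outputs/mapping/release/mapping.txt com.example.app.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as f:
            mapping, prefix = parse_mapping(f.read()), sys.argv[2]
    else:
        mapping, prefix = parse_mapping(SAMPLE_MAPPING), "com.example.app."
    print(f"{renamed_fraction(mapping, prefix):.0%} of {prefix}* classes renamed")
    for cls in unobfuscated_classes(mapping, prefix):
        print("kept verbatim:", cls)
```

On the sample this reports one class in three renamed and flags MainActivity (expected, it is named in the manifest) and PriceEngine (not expected: pricing logic shipped with readable names). The renamed fraction is a cheap number to put on the lunch-and-learn slide next release.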
  42. Some quick-ish ideas to get you started… 1. Perform SAST on your app and discuss results 🔐 2. Ensure your ProGuard/R8 rules are strict enough ✍ 3. Decompile your app and take a poke around 🔧

  43. Reverse Engineering 101 (Please use responsibly) • Your APK is just a ZIP file with ✨extra spice✨ • Rename app.apk to app.zip • Unzip it • ??? • Profit • A wild folder with lots of funky files appeared! 🤪

  44. Reverse Engineering: The innards of your APK • .dex files are Dalvik Executable files • The Android equivalent of Java .class files, run by Android's runtime (Dalvik, and ART since Android 5) rather than a standard JVM • Contain Dalvik bytecode • Possible to convert back to (an approximation of) the original source code, a lossy process

  45. github.com/skylot/jadx JADX · Decompiles Android files: .apk .aar .class .dex .smali and more…

  46. github.com/skylot/jadx JADX · Shows decompiled file packages, classes & methods

  47. github.com/skylot/jadx JADX · Shows decompiled file packages, classes & methods · Java representation of your code

  48. Next steps… • Use this approach to ensure you aren't exposing yourself 🤭 • If you can reverse engineer your app, so can anyone! • Make extra sure your obfuscation is working • Look into other tools such as Snyk, SonarQube, AppSweep & more…
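The unzip-and-poke step of slide 43 and the "make extra sure" check of slide 48, scripted: open the APK as the ZIP it is, inventory the dex files, native libraries and signature entries, and scan the raw dex string tables and bundled assets for URLs and hard-coded keys. That is a quick proxy for what a jadx pass (jadx -d out app.apk, then grep through out/) shows you, and it runs in seconds in CI. This is an added example, not from the talk or from jadx; the in-memory "APK" it builds is constructed for the demo, and its classes.dex is a placeholder that only mimics string-table bytes rather than a valid dex file.

```python
"""Treat an APK as the ZIP it is and look for things you would rather not ship.

Added example, not from the talk or from jadx. The sample APK is constructed in
memory for the demo; its classes.dex is a placeholder, not a valid dex file.
"""
import io
import re
import sys
import zipfile

# Dex string tables store text as MUTF-8, so URLs and key-looking literals are
# visible in the raw bytes even before decompilation; assets ship as plain files.
PATTERNS = {
    "url": re.compile(rb"https?://[A-Za-z0-9./_\-?=&%:]+"),
    "key-like assignment": re.compile(
        rb"(?i)(api[_-]?key|secret|token|password)[\"']?\s*[:=]\s*[\"']([^\"'\x00]{8,})"
    ),
}


def build_sample_apk():
    """Constructed stand-in APK (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00 binary XML placeholder")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16
                   + b"https://api.example.com/v1/\x00BuildConfig\x00")
        z.writestr("classes2.dex", b"dex\n035\x00" + b"\x00" * 8)
        z.writestr("assets/config.json",
                   b'{"api_key": "0123456789abcdef0123456789abcdef", "debug": true}')
        z.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\x00" * 12)
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")        # v1 (JAR) signature block
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\r\n")
    return buf.getvalue()


def inspect_apk(apk_bytes):
    """Inventory the archive and scan dex files and assets for suspicious strings."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex_files = sorted(n for n in names if re.fullmatch(r"classes\d*\.dex", n))
        summary = {
            "dex_files": dex_files,
            "native_libs": sorted(n for n in names if n.startswith("lib/") and n.endswith(".so")),
            # A v1 signature block means the app is still JAR-signed; v2/v3 signatures live
            # in the ZIP's signing block, not in an entry, so their absence here proves nothing.
            "v1_signed": any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))
                             for n in names),
            "findings": [],
        }
        for name in names:
            if name in dex_files or name.startswith("assets/"):
                data = z.read(name)
                for label, pat in PATTERNS.items():
                    for m in pat.finditer(data):
                        hit = m.group(2) if m.lastindex else m.group(0)
                        summary["findings"].append((name, label, hit.decode("utf-8", "replace")))
    return summary


if __name__ == "__main__":
    # python apk_peek.py app-release.apk   (no argument: run on the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        blob = build_sample_apk()
    result = inspect_apk(blob)
    print(f"dex: {result['dex_files']}  native: {result['native_libs']}  v1-signed: {result['v1_signed']}")
    for entry, label, hit in result["findings"]:
        print(f"{entry}: {label}: {hit}")
```

On the sample it surfaces the API base URL sitting in the dex string table and the key in assets/config.json, which is exactly what anyone with the APK finds in their first five minutes. Run it against a real release build and every hit is either something to move server-side, fetch at runtime, or at least justify in the lunch-and-learn.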
  49. If you do one thing today… Visit securitychampionsuccessguide.org

  50. Thank you for watching.

  51. EOF · spght.dev/talks