How to become your app’s “Security Champion”

@sp4ghetticode - spght.dev How to become your app’s “Security Champion”
Ed-Holloway George @ Droidcon London 2022

@sp4ghetticode - spght.dev Ed Holloway-George Senior Android @ ASOS •
Mobile security enthusiast • I like to tweet/blog/talk about interesting things* Follow me for more! #dcldn22 * Your experience may differ 2 spght.dev/talks That’s not! That’s me!

@sp4ghetticode - spght.dev Why should developers care about mobile security?

@sp4ghetticode - spght.dev Why should we care? 1. The mobile
attack surface is HUGE and growing • Android most recently announced 3 billion active devices • Doesn’t include devices using ‘alternative stores’ • Myriad of devices running Android forks, new form factors etc. Sources: • Google I/O 21

@sp4ghetticode - spght.dev Why should we care? 2. Growing financial
incentives for malicious actors • Recent rise of ‘Web 3.0’ / Crypto • $2.0 billion in cryptocurrencies stolen (+60% 2021) • 70% all fraud occurs on mobile Sources: • AppDome • Guardsquare

@sp4ghetticode - spght.dev Why should we care? 3. Implementing basic
mobile security is not difficult • “It takes years to build a reputation and a few minutes of a cyber-incident to ruin it.” Quote: • Stéphane Nappo

@sp4ghetticode - spght.dev It’s also quite neglected 😅 Sources: •
My followers! • Twitter No shame in 2nd place

@sp4ghetticode - spght.dev Things do go wrong… e.g. Walgreens 2020
Sources: • Bleeping Computer • threatpost

@sp4ghetticode - spght.dev Things do go wrong… e.g. Walgreens 2020
Sources: • Bleeping Computer • threatpost Sued $5m+

@sp4ghetticode - spght.dev Things do go wrong… e.g. Klarna 2021
Source: • Twitter

@sp4ghetticode - spght.dev Things do go wrong… e.g. Klarna 2021
Source: • Twitter Lots of very angry customers

@sp4ghetticode - spght.dev People are d*cks… 🦆 e.g. Bad actors
exist on Google Play Store That’s what I mean of course! Source: • McAfee • McAfee recently found 16 malicious app with 20m+ downloads • All 16 contained auto-clicker ‘adware’ • All originally passed Play Store safety checks (but are removed now)

@sp4ghetticode - spght.dev People are d*cks… 🦆 e.g. ‘Attack of
the Clones’ That’s what I mean of course! Source: • Google • Reddit

@sp4ghetticode - spght.dev What the heck is a security champion
anyway? 14

@sp4ghetticode - spght.dev 15 In an ideal world… CyberSec

@sp4ghetticode - spght.dev 16 In an ideal world… CyberSec Other
Teams

Teams You are here (probably)

Teams 👑 Champions

@sp4ghetticode - spght.dev 19 Surprise: You are already one

@sp4ghetticode - spght.dev But, just not yet… The lifecycle of
a security champion • The beginning • Someone interested in mobile security • Looking to improve the security culture in your organisation • Someone willing to learn and/or lead by example • Pass on knowledge to others internally

a security champion • What we want to gain • Knowledge of the key areas in mobile security • Write code with security in mind • Follow security best practises • Your app is more secure as a result

a security champion • The end goals • 🥉 Full leadership buy-in • 🥈 Non-security people performing security-related tasks • 🥇 A self-sufficient Security Champion ‘program’

@sp4ghetticode - spght.dev How do we set a security champion
program up? 😅

@sp4ghetticode - spght.dev How to set up a champion program?
A lightning guide to its key principles ⚡ • Vision 🔮 • Participants🧑🍳👷👩🔬👩🔧 • Environment 🏦🏚 • Concept 📝 • Incentive 🧠 • Delivery 📬✨ • Tuning 🔧🔄 Source: • securitychampionsuccessguide.org

@sp4ghetticode - spght.dev Quick wins • Find a handful of
like-minded engineers or individuals • Start a regular lunch + learn / brown bag session • Make noise internally about what you are doing • Raise the profile of security tasks within your app • Speak to your manager and/or CISO! How to kick-off a security champion program today* * After the conference

@sp4ghetticode - spght.dev Success Stories 👑 Security Champions • Fivetran
- Global data warehousing company • Launched program in May • Initially focused on participation, training and awareness • Over time, increased emphasis on performing actions • Implemented gamification • 10% of entire company now signed-up 😱 Source: • Dustin Lehr

@sp4ghetticode - spght.dev Your brand new security champion program: Lunch
+ Learn #1 😅 27

@sp4ghetticode - spght.dev Some quick-ish ideas to get you started…
28 1. Perform SAST on your app and discuss results 🔐

@sp4ghetticode - spght.dev mobsf.github.io MobSF

@sp4ghetticode - spght.dev mobsf.github.io MobSF General ‘score’ and overview of
security concerns

@sp4ghetticode - spght.dev mobsf.github.io MobSF General ‘score’ and overview of
security concerns Prioritised list of security issues with links to further info/resources

@sp4ghetticode - spght.dev mobsf.github.io MobSF

@sp4ghetticode - spght.dev mobsf.github.io MobSF Overview of uploaded app

@sp4ghetticode - spght.dev mobsf.github.io MobSF Overview of uploaded app Perform
dynamic analysis on your application

@sp4ghetticode - spght.dev Next steps… • Take report to your
team / management • Scare them. • Action high priority issues • Show measurable improvement in the long term • Actively monitor going forwards

36 1. Perform SAST on your app and discuss results 🔐 2. Ensure your ProGuard/R8 rules are strict enough ✍

@sp4ghetticode - spght.dev playground.proguard.com ‘ProGuard Playground’ by GuardSquare

@sp4ghetticode - spght.dev playground.proguard.com ‘ProGuard Playground’ by GuardSquare Editable ProGuard/R8
rules

@sp4ghetticode - spght.dev playground.proguard.com ‘ProGuard Playground’ by GuardSquare Uploaded APK
/ JAR Classes, methods & fields Editable ProGuard/R8 rules

@sp4ghetticode - spght.dev playground.proguard.com ‘ProGuard Playground’ by GuardSquare Uploaded APK
/ JAR Classes, methods & fields Interactive display of your custom rules in action (No app building needed!) Editable ProGuard/R8 rules

@sp4ghetticode - spght.dev Next steps… • Use the playground to
improve your rules • Test for any unexpected behaviours • Explore the ProGuard documentation • Get smaller, optimised and securer builds • Droidcon bonus: Visit their booth downstairs 🥰

42 1. Perform SAST on your app and discuss results 🔐 2. Ensure your ProGuard/R8 rules are strict enough ✍ 3. Decompile your app and take a poke around 🔧

@Sp4ghettiCode / spght.dev Reverse Engineering 101 (Please use responsibly) •
Your APK is just a ZIP file with ✨extra spice✨ • Rename app.apk to app.zip • Unzip it • ??? • Profit • A wild folder with lots of funky files appeared! 🤪

@Sp4ghettiCode / spght.dev Reverse Engineering The innards of your APK
• .dex files are Dalvik Executable files • Similar to Java .class files but run on Android’s JVM • Contains Dalvik byte code • Possible to convert back to its original source code (lossy process)

@sp4ghetticode - spght.dev github.com/skylot/jadx JADX Decompiles Android files .apk .aar
.class .dex .smali And more…

@sp4ghetticode - spght.dev github.com/skylot/jadx JADX Show decompiled file packages, classes
& methods

@sp4ghetticode - spght.dev github.com/skylot/jadx JADX Show decompiled file packages, classes
& methods Java representation of your code

@sp4ghetticode - spght.dev Next steps… • Use this approach to
ensure you aren’t exposing yourself 🤭 • If you can reverse engineer your app, so can anyone! • Make extra sure your obfuscation is working • Look into other tools such as Snyk, SonarQube, AppSweep & more…

@sp4ghetticode - spght.dev Visit securitychampionsuccessguide.org If you do one thing
today…

@sp4ghetticode - spght.dev Thank you for watching. 50

@sp4ghetticode - spght.dev EOF spght.dev/talks 51

How to become your app’s “Security Champion”

How to become your app’s “Security Champion”

More Decks by Ed Holloway-George

Other Decks in Technology

Featured

Transcript