Snr. Android Dev @ ASOS
• Short-lived iOS career building a “Facebook for Dogs” 😅
• I like to talk about mobile security a lot
• Find more talks/blogs on my website: 🍝 spght.dev/talks 🍝

Introduction
• Open Web Application Security Project
• Non-profit founded in 2001
• Provides free security resources for all
• Maintains ‘Top 10’ list(s) of the greatest security threats in tech
• Current “Mobile Top 10” list created in 2016
to Mobile Security is you
• Ever skipped reading docs?
• Ever used a platform method incorrectly?
• Ever just ‘LGTM’ a code review and missed something?
Examples: incorrectly exported Intents/Services/etc.; Keychain access policy too weak
it
• Have a solid ✅ code-review process
• Use SAST tools like Snyk, AppSweep, SonarQube
• Consider using the OWASP MASTG (for all threats!)
• And if in doubt, just RTFM… 😅
data is quite important…
• Storing data via the platform is often insecure by default
• Trivial to access data in certain locations
• Commonly used incorrectly as storage for sensitive data
Examples: SharedPreferences / DataStore (Android), UserDefaults (iOS)
it
• Avoid storing sensitive data in the first place!
• Utilise storage backed by secure hardware
• Consider root/jailbreak detection in extreme cases
Examples: EncryptedSharedPreferences / KeyStore (Android), Keychain (iOS)
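As an added example (not from the talk), the insecure and hardened versions of storing a session token on Android side by side: plain SharedPreferences versus Jetpack Security’s EncryptedSharedPreferences with a Keystore-backed master key, requesting StrongBox where the device has it. The file and key names are assumed.

```kotlin
// Added example, not from the original slides. Requires androidx.security:security-crypto.
import android.content.Context
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

private const val PREFS_FILE = "session_prefs"   // assumed file name
private const val KEY_TOKEN = "access_token"     // assumed key name

// Insecure: plain SharedPreferences writes the token as cleartext XML under the
// app's shared_prefs directory, readable by anyone with root access or a backup.
fun storeTokenInsecurely(context: Context, token: String) {
    context.getSharedPreferences(PREFS_FILE, Context.MODE_PRIVATE)
        .edit()
        .putString(KEY_TOKEN, token)
        .apply()
}

// Hardened: keys and values are encrypted (AES-256-SIV / AES-256-GCM) under a master
// key that lives in the Android Keystore. StrongBox is requested so that, on devices
// that have a dedicated secure element, the key material never leaves it; the
// library only applies the request where the hardware feature is present.
fun securePrefs(context: Context) = EncryptedSharedPreferences.create(
    context,
    PREFS_FILE,
    MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .setRequestStrongBoxBacked(true)
        .build(),
    EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
    EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM,
)

fun storeTokenSecurely(context: Context, token: String) {
    securePrefs(context).edit().putString(KEY_TOKEN, token).apply()
}

fun readToken(context: Context): String? =
    securePrefs(context).getString(KEY_TOKEN, null)
```

Even with the hardened version, a short-lived, revocable token is still preferable to anything long-lived on disk; encryption at rest limits exposure but does not remove the value of the secret once it is read by the running app.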
is bad
• Bluetooth, NFC, the internet & everything in between
• Sending data over HTTP and not HTTPS?
• Are you pinning certificates?
• Allowing self-signed / user certificates?
• Or are you just printing traffic directly to the logs 🤪
Yes, I’ve seen the last one on prod apps many times…
• Assume all communication channels are insecure until you can prove otherwise
• Utilise pinning / certificate transparency
• Never allow self-signed or user certificates on prod
Examples: StrictMode to penalise HTTP usage (Android), NSPinnedDomains in Info.plist (iOS)
say you are?
• How does your app know who you are?
• APIs should utilise access tokens
• Are you storing passwords or PINs locally?
• Password policies? How weak are they?
• Use revocable tokens in API calls
• Don’t do any authentication locally if possible
• PINs should be a minimum length of 5 (ideally more)
• Don’t offer ‘remember-me’ functionality without an opt-in
cut it.
• Do not use outdated cryptography
• SHA-1, MD5, RC2, etc. - all exploitable in 2022
• Don’t confuse encryption with hashing
• Hashing is a one-way algorithm used to verify data
• Encryption is a two-way algorithm used to secure data
• Don’t come up with your own algorithm 😅
• Use decent crypto libs by people that know what they’re doing
• E.g. Google’s Tink library
• Use strong industry-standard algorithms
• AES-256
• RSA-2048
• Please, please don’t copy-paste tutorial code…
• Ask me about Hyundai after! 🚗🇰🇷
• Allowing a user to perform an action they don’t have permission for
• User role verification on the device is bad
• Telling the server what roles you have is also very bad
• User actions need authorised API calls
• Don’t transmit the user’s roles / permissions to the server
• The backend should be the source of truth for identity
• Always use the minimum permissions needed for an API call
• Your 💩 code is bad news for everyone 🍝
• Are you following coding best practices?
• Know the pitfalls of your language
• SQL injection
• Buffer overflow
• etc.
bugs while you’re there…”
• The unwanted modification of your app’s code/resources
• The unintended use of your app through the use of a ‘rooted/jailbroken’ device
• More common in the Android world
• Used by malicious actors to distribute modded apps with spyware + more nasty surprises 😈
• Use root detection libraries
• Use paid services to alert you of tampering attempts
• Make sure you use decent code obfuscation
Examples: DexGuard, RootBeer, iXGuard
you did last summer and why…
• First, decompiling your app to see how it works
• Using that knowledge to exploit the app or your services
• Recompiling with changes (i.e. code tampering)
• Using other tools to exploit vulnerabilities
easter-egg hunt for hackers
• Hackers look for ‘back-doors’ in your app’s code
• Hidden feature flags
• Hard-coded debug accounts/passwords/etc.
• Any other nice goodies you left behind…
• Don’t ship anything you wouldn’t want someone to enable by themselves
• Ensure you strip out any hard-coded credentials or anything you use for QA-ing the app
• Some SAST tools will pick this up
• GOOD CODE REVIEWS!
• “LGTM” 🤪