Mobile App Security Fails and How To Survive Them
This talk will introduce the audience to Mobile Application security and the vulnerabilities affecting mobile software today. Multiple real world vulnerabilities found by the speaker will be discussed.
It's been 7 years since I had to test the security of a mobile application for the first time, having almost no experience in the subject.
During this time, I had the opportunity to experiment, learn and analyze a large number of applications on multiple platforms (J2ME, Android, iOS, Blackberry, Windows Phone), give talks and trainings, and was able to get a view of the current state of security in mobile app development.
The idea behind this talk is to share with the attendees what I've learned during these years, the most common security vulnerabilities when developing for mobile devices, and some real examples (FAILs) from projects I have worked on, and to show some live demonstrations.
The OWASP Mobile Top 10 project will be discussed and compared to the Web version.
The examples shown will be from different kinds of mobile apps that were tested by the speaker, and will cover the following classes of vulnerabilities. All the examples will be taken from real applications.
- Information Disclosure (Passwords found in the source code of a mobile banking app)
- Insecure Storage (Banking and payment apps that stored sensitive information in cache and device logs)
- Backup Enabled (Payment App lock screen bypass through PIN retrieval via App Data backup)
- Weak Server Side Controls (Mobile Payment App discloses payment data through parameter manipulation)
- Broken Cryptography (Mobile POS application using EMV compliant readers that leaked the DUKPT BDK through manipulation of the API)
- Security Decisions Via Untrusted Inputs (Application PIN lock bypass via function hooking in a Google application)
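As an added illustration of the "Backup Enabled" item (this is not code from the talk or from any of the applications it describes; the package name, activity name and file names are placeholders), the Android manifest attribute that opens the App Data backup path, shown in its weak form beside the corrected one:

```xml
<!-- Added illustration, not from the talk or the apps it covers.
     Package, activity and file names are placeholders. -->

<!-- WEAK: android:allowBackup="true" (the historical default) lets anyone
     with USB debugging access pull the app's private data without root:
       adb backup -f app.ab -noapk com.example.payments
     The .ab file is a 24-byte header followed by a zlib stream of a tar
     archive holding shared_prefs/, databases/ and files/, so a PIN kept
     in, say, shared_prefs/lock.xml is recoverable even if obfuscated. -->
<application
    android:allowBackup="true"
    android:label="Payments">
    <activity android:name=".LockScreenActivity" />
</application>

<!-- FIXED: opt the app out of adb/cloud backup entirely, so the lock
     screen can no longer be bypassed by reading the PIN from a backup.
     If cloud backup of other data is genuinely needed, keep allowBackup
     and instead exclude the sensitive files with backup rules
     (android:fullBackupContent, or android:dataExtractionRules on
     API 31+). -->
<application
    android:allowBackup="false"
    android:label="Payments">
    <activity android:name=".LockScreenActivity" />
</application>
```

Two caveats a tester should keep in mind: the manifest flag only closes the extraction path, so a PIN stored in plaintext or reversibly encoded on the device is still a finding (it belongs in a salted hash under Keystore-protected storage, or verified server-side); and from Android 12 (API 31) `adb backup` no longer exports app data for a release build that targets that API level unless the app is debuggable, so a device running an older target SDK or a debuggable build is the realistic test setup for reproducing this class of issue.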
Attendees will leave the talk with the knowledge needed to take the first steps into the mobile app security world, and an understanding of the kinds of vulnerabilities that can affect software they use or develop.