5 mobile app security must-dos in 2018

5 Mobile App Security MUST-DOs in 2018
8X FASTER – 3X DEEPER – MOST TRUSTED
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.

Upload: nowsecure

Post on 23-Jan-2018


TRANSCRIPT

5 Mobile App Security MUST-DOs in 2018

8X FASTER – 3X DEEPER – MOST TRUSTED

DEEP MOBILE SECURITY EXPERTISE

Open source

Books & Speaking

Mobile threat research is in our DNA
▪ Dream team of security researchers
▪ Every waking moment spent:
  – Discovering critical vulns
  – Identifying novel attack vectors
  – Creating/maintaining renowned open-source mobile security tools/projects

The NowSecure Mission
▪ Save the world from unsafe mobile apps
▪ Educate enterprises on the latest mobile threats
▪ Maximize the security of apps enterprises develop, purchase and use

NowSecure #MobSec5: Weekly mobile security news update

SUBSCRIBE NOW: www.nowsecure.com/go/subscribe

AGENDA + SPEAKERS

2017 Mobile AppSec Year in Review

2018 Mobile AppSec Must-Dos

Q & A

Brian Reed, Chief Mobility Officer

Andrew Hoog, Founder

Katie Strzempka, VP Cust. Success & Svcs

MOBILE APPSEC IN 2017: YEAR IN REVIEW

YEAR IN REVIEW: SECURITY VULNS

BROADPWN – KRACK – BOOTSTOMP

YEAR IN REVIEW: PRIVACY


YEAR IN REVIEW: COMPLIANCE

General Data Protection Regulation (GDPR): takes effect May 2018

NY Cybersecurity Reqs. for Financial Services Companies: took effect August 2017

YEAR IN REVIEW: PLATFORM UPDATES

Face ID on Apple iPhone X

Progress in authentication? Jury’s still out

Android 8: Google Play Protect, SafetyNet API, Project Treble, more

iOS 11: Granular location services notifications, SOS mode, TLS improvements, more


INSIDE THE MOBILE APP ATTACK SURFACE

CODE FUNCTIONALITY
▪ GPS spoofing
▪ Buffer overflow
▪ allowBackup flag
▪ allowDebug flag
▪ Code obfuscation
▪ Configuration manipulation
▪ Escalated privileges
▪ URL schemes
▪ Integrity/tampering/repacking
▪ Side channel attacks
▪ App signing key unprotected
▪ JSON-RPC
▪ Automatic Reference Counting
▪ Android rooting/iOS jailbreak
▪ User-initiated code
▪ Confused deputy attack
▪ Multimedia/file format parsers
▪ Insecure 3rd party libraries
▪ World writable files
▪ World writable executables
▪ Dynamic runtime injection
▪ Unintended permissions
▪ UI overlay/pin stealing
▪ Intent hijacking
▪ Zip directory traversal
▪ Clipboard data
▪ World readable files

DATA AT REST
▪ Data caching
▪ Data stored in application directory
▪ Decryption of keychain
▪ Data stored in log files
▪ Data cached in memory/RAM
▪ Data stored in SD card
▪ OS data caching
▪ Passwords & data accessible
▪ No/weak encryption
▪ TEE/Secure Enclave Processor
▪ Side channel leak
▪ SQLite database
▪ Emulator variance

DATA IN MOTION
▪ Wi-Fi (no/weak encryption)
▪ Rogue access point
▪ Packet sniffing
▪ Man-in-the-middle
▪ Session hijacking
▪ DNS poisoning
▪ TLS downgrade
▪ Fake TLS certificate
▪ Improper TLS validation
▪ HTTP proxies
▪ VPNs
▪ Weak/no local authentication
▪ App Transport Security
▪ Transmitted to insecure server
▪ Zip files in transit
▪ Cookie “httpOnly” flag
▪ Cookie “secure” flag

API BACKEND
▪ Platform vulnerabilities
▪ Server misconfiguration
▪ Cross-site scripting
▪ Cross-site request forgery
▪ Cross-origin resource sharing
▪ Brute force attacks
▪ Side channel attacks
▪ SQL injection
▪ Privilege escalation
▪ Data dumping
▪ OS command execution
▪ Weak input validation
▪ Hypervisor attack
▪ VPN

MOBILE APPSEC MUST-DOs FOR 2018

1: General Data Protection Regulation (GDPR)

“80% of firms will not comply by May 2018. 50% intentionally. The other 50% will fail. Any successful case against a well-known giant will change the risk/cost balance.”
Forrester, Predictions 2018

#1: General Data Protection Regulation (GDPR)

FINES

▪ Greater of: up to 4% of annual global revenue or €20 million ($23,717,400 USD)

▪ Deadline: May 25, 2018

A FEW KEY CONCEPTS

▪ Purpose limitation
▪ Data minimization
▪ Limited storage periods
▪ Data protection by design & default
▪ Consent -- “Clear affirmative act”

GDPR

#1: NEAR TERM TO DO

▪ Audit personal data collected & pay special attention to mobile apps

▪ Review privacy policy and other communications and make necessary changes

▪ Review how you receive & manage consent

https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

2: 3rd-Party Libraries / SDKs Risk

#2: CHOOSE 3RD-PARTY LIBS & SDKs WISELY

75% of GitHub projects have dependencies

“Modern applications are largely ‘assembled,’ not developed, and developers often download and use known vulnerable open-source components and frameworks.”
Gartner, DevSecOps: How to Seamlessly Integrate Security Into DevOps

70% of vulns in free Android apps stemmed from libraries (mostly 3rd-party)
Source: A Study on the Vulnerabilities of Mobile Apps associated with Software Modules

GitHub will soon warn developers of insecure dependencies

#2: NEAR TERM TO DO

1. Inventory 3rd-party libraries and SDKs used within apps you control/develop
2. Determine whether any of those versions in use include vulns (GitHub dependencies)
3. Make devs aware of any identified vulns and work on a plan to update/replace
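The three steps above (inventory, check versions, plan the update) as an added Python example; this is not NowSecure code or the deck's own tooling. The Gradle fragment and the advisory table are constructed placeholders, and a real check would pull the "first fixed version" data from an advisory feed such as the GitHub dependency alerts the slide refers to.

```python
"""Inventory the third-party libraries declared in an Android Gradle build file and
flag any whose version predates the first fixed version in an advisory list.
Added example (not NowSecure code); the build file and advisory data are constructed."""
import re

# Constructed build.gradle fragment; the coordinates are placeholders, not real libraries.
SAMPLE_BUILD_GRADLE = """
dependencies {
    implementation 'com.example.net:http-client:3.8.0'
    implementation "com.example.analytics:tracker-sdk:2.1.4"
    api 'com.example.imaging:image-loader:1.9.0'
    testImplementation 'com.example.test:unit-runner:4.12'
}
"""

# Constructed advisory table: coordinate -> first version that contains the fix.
# In practice this comes from a vulnerability feed, not a hand-written dict.
SAMPLE_ADVISORIES = {
    "com.example.analytics:tracker-sdk": "2.2.0",  # versions below 2.2.0 affected
    "com.example.imaging:image-loader": "1.9.0",   # already fixed in 1.9.0
}

# Matches Gradle string-notation dependencies: configuration 'group:artifact:version'
DEP_RE = re.compile(
    r"""^\s*(implementation|api|compile|testImplementation)\s+['"]([^:'"]+):([^:'"]+):([^'"]+)['"]""",
    re.MULTILINE,
)


def parse_version(version):
    """Turn '3.8.0' into (3, 8, 0) so versions compare numerically; a trailing
    qualifier such as '-beta' is ignored by keeping only the leading digits of each part."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def inventory(gradle_text):
    """Step 1: list every declared dependency as (configuration, coordinate, version)."""
    return [(cfg, f"{group}:{artifact}", ver)
            for cfg, group, artifact, ver in DEP_RE.findall(gradle_text)]


def find_vulnerable(deps, advisories):
    """Step 2: flag dependencies whose version is older than the first fixed version.
    Returns (coordinate, version_in_use, first_fixed_version) tuples."""
    flagged = []
    for _cfg, coordinate, version in deps:
        fixed = advisories.get(coordinate)
        if fixed and parse_version(version) < parse_version(fixed):
            flagged.append((coordinate, version, fixed))
    return flagged


def remediation_plan(flagged):
    """Step 3: one actionable line per finding to hand to the dev team."""
    return [f"{coord}: upgrade {cur} -> {fixed} or replace the library"
            for coord, cur, fixed in flagged]


if __name__ == "__main__":
    deps = inventory(SAMPLE_BUILD_GRADLE)
    print(f"{len(deps)} dependencies declared")
    for line in remediation_plan(find_vulnerable(deps, SAMPLE_ADVISORIES)):
        print(line)
```

Test-scoped dependencies are inventoried too: a vulnerable test library does not ship in the app, but it still runs on build machines, so it belongs in the same inventory even if it is triaged at a lower priority.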

3: DevSecOps: Shifting Left

#3: DevSecOps: Security MUST SHIFT LEFT

245:1 DEVS OUTNUMBER APPSEC

[Chart: new apps per month, Google Play Store and Apple App Store]

“Integrate mobile AST with your broader AST program and use it as a trial or precursor for enterprise-wide DevOps.”
Gartner, Market Guide for MAST

#3: NEAR TERM TO DO

[Diagram: "Your AppSec Factory". Developed apps move through Requirements, Design, Build and Test to Production. Every build goes through a Rapid Test (RAPID: PASSED), a Deep Test leads to Deep Certification (DEEP: PASSED), and a failure at any stage is labelled ANY TEST: FAILED.]

1. Begin with just one dev team that has expressed interest in automation
2. Begin with just one app, one build
3. Use that success to build momentum & automation to move on to other teams/apps

4: Address the low hanging fruit

#4: FLAWS W/ LOW EFFORT/HIGH RETURN FIXES

▪ Up to 75% of Android apps allow world-read/write/exec.
▪ Up to 90% of Android apps allow backup (allowBackup flag check).
▪ Up to 30% of iOS apps don’t use ATS properly.

#4: NEAR TERM TO DO

1. Perform basic security assessments of the apps your organization controls/develops
2. Identify “low-hanging” security issues and work with your devs to remediate
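Two of the low-hanging checks the previous slide counts (the Android allowBackup and debuggable flags, and iOS App Transport Security exceptions) as an added Python example; it is not NowSecure code, and the AndroidManifest.xml and Info.plist inputs are constructed. The world-read/write/exec check from the same slide needs a device or an extracted data directory and is not covered here.

```python
"""Flag low-effort/high-return findings from app configuration files: the Android
allowBackup and debuggable flags, and iOS App Transport Security (ATS) exceptions.
Added example (not NowSecure code); the inputs below are constructed."""
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed AndroidManifest.xml with both flags set the risky way.
RISKY_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application android:label="Demo" android:allowBackup="true" android:debuggable="true">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# The same manifest with both flags corrected, to show what a clean result looks like.
HARDENED_MANIFEST = (
    RISKY_MANIFEST
    .replace('android:allowBackup="true"', 'android:allowBackup="false"')
    .replace('android:debuggable="true"', 'android:debuggable="false"')
)

# Constructed Info.plist that disables ATS globally and also whitelists one plain-HTTP domain.
RISKY_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.demo</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.test</key>
      <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def check_android_manifest(manifest_xml):
    """Return findings for the allowBackup and debuggable attributes on <application>.
    allowBackup defaults to true when the attribute is absent, so a missing attribute
    is reported as well."""
    findings = []
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return ["manifest has no <application> element"]
    if app.get(f"{{{ANDROID_NS}}}allowBackup", "true").lower() == "true":
        findings.append("allowBackup is enabled (explicitly or by default): "
                        "app data is included in device backups")
    if app.get(f"{{{ANDROID_NS}}}debuggable", "false").lower() == "true":
        findings.append("debuggable is true: a release build must not ship debuggable")
    return findings


def check_ios_ats(info_plist_bytes):
    """Return findings for ATS settings that permit cleartext HTTP."""
    findings = []
    ats = plistlib.loads(info_plist_bytes).get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads is true: ATS is disabled for every connection")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"NSExceptionDomains/{domain}: cleartext HTTP explicitly allowed")
    return findings


def assess(manifest_xml, info_plist_bytes):
    """Combine both platforms into one report keyed by platform."""
    return {"android": check_android_manifest(manifest_xml),
            "ios": check_ios_ats(info_plist_bytes)}


if __name__ == "__main__":
    for platform, items in assess(RISKY_MANIFEST, RISKY_INFO_PLIST).items():
        print(platform, *items, sep="\n  ")
    print("hardened manifest findings:", check_android_manifest(HARDENED_MANIFEST))
```

Run it against the decoded manifest from a built APK (the binary manifest must first be converted back to XML) and the Info.plist from the .app bundle; the hardened manifest returns no findings, which is the state to gate a release on.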

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.

5: Risk in Apple App Store & Google Play Store apps

#5: DON’T IGNORE 3RD-PARTY APP RISK

▪ 33% have at least 1 high-risk flaw [CVSS score]
▪ 35% have un-encrypted data transmission
▪ 60% of orgs report an insecure mobile app contributing to a breach
▪ BizApps are 3X more likely to leak account credentials
▪ 68% of apps can expose sensitive data
▪ 50% of Android apps dynamically load code missed by static analysis

Sources: NowSecure Software and Research Data, Ponemon Institute 2016-2017

#5: TO DO IN THE NEAR TERM

1. Determine the 20 most prevalent apps within your organization using Mobile Device Management (MDM)
2. Perform quick mobile app security testing scans to identify security, privacy, and compliance issues
3. Identify proper remediation, re-configuration, or removal policy for risky mobile apps


NEXT STEPS


NOWSECURE PLATFORM for 360º COVERAGE OF MOBILE APP SECURITY TESTING

▪ NowSecure INTEL: AlwaysOn AppStore Cloud Analysis for EMM & Security teams
▪ NowSecure AUTO: OnDemand Fast Cloud Analysis for Dev, QA & Security teams
▪ NowSecure WORKSTATION: Deep Pen Testing Analysis for Security Analysts
▪ NowSecure SERVICES: Expert Pen Testing, Training & Programs for App Owners & Security teams

8X FASTER – 3X DEEPER – MOST TRUSTED

SHIFT LEFT WITH MOBILE APPSEC FACTORY

[Diagram: "Your AppSec Factory". Developed apps move through Requirements, Design, Build and Test to Production; 3rd-party app store apps enter through an Online Test (ONLINE: PASSED / ONLINE: FAILED). A failure at any stage is labelled ANY TEST: FAILED.]

▪ Rapid Test all apps in 15 mins automatically… (RAPID: PASSED)
▪ Spend <1 hour deep testing any concerning rapid results or additional advanced/pre-release certification (DEEP TEST, DEEP CERTIFICATION, DEEP: PASSED)
▪ Instantly vet 3rd-party app risk (ONLINE TEST)

NOWSECURE COMING ATTRACTIONS

AppSec Cali, January 30-31, 2018: Come see NowSecure in Santa Monica, CA!

ShmooCon XIV, January 19-21, 2018: For those lucky enough to get a ticket... round 3 ticket sales are on Dec 10!

OPEN Q & A

Brian Reed, Chief Mobility Officer

Andrew Hoog, Founder

Katie Strzempka, VP Cust. Success & Svcs

2017 Mobile AppSec Year in Review

2018 Mobile AppSec Must-Dos

Q & A

Let’s talk

NowSecure: +1 312.878.1100

@NowSecureMobile | www.nowsecure.com

Subscribe to #MobSec5 A digest of the week’s mobile security news that matters

https://www.nowsecure.com/go/subscribe