ios and android security: differences you need to know
TRANSCRIPT
© Copyright 2016 NowSecure, Inc. All Rights Reserved. Proprietary information.
iOS and Android Security: Differences You Need to Know
August 22, 2016 | Security By Design Meetup
David Weinstein, Director of Research, @insitusec
● 10+ years of cybersecurity experience
● Former senior engineer at MITRE
Email: [email protected]
NowSecure: Forged in mobile from day one
Top engineers and researchers: OSS authors of Radare, Frida, Santoku Linux, and Android VTS
Disclosed Samsung keyboard vulnerability impacting 650M+ devices worldwide
Regular speaking appearances: Black Hat USA, RSA Conference, OWASP AppSec USA & more
100+ customers from banking, healthcare, tech, government & more
Founded in 2009 in Oak Park, IL, with a strong background in forensics & enterprise security
Risk extends deeper than what’s on the surface
What everyone is focused on: malware
The real security problem extends much deeper:
Mobile apps leaking sensitive data
Mobile app security testing
● Fully automated static and dynamic analysis with results in minutes
● Analysis for iOS and Android performed on real devices
● Scalability and consistency via Cloud-based solution
Problems we address: so you can succeed in testing mobile apps
1 Teams are overwhelmed with mobile app testing
2 Static testing returns too many false positives
3 Organizations lack a process for mobile
Platform Security - Year In Review
Apple:
- Differential Privacy
- Lock Screen Widgets
- image3/image4 no longer encrypted
- Personal ID Codesigning
- App Transport Security
- Keychain ACLs, TouchID
- canOpenUrl changes
- Hardened WebKit
Android:
- usesCleartextTraffic
- SE Android Enforcing, Breaking Apps
- Instant Apps
- Verified Boot
- networkSecurityConfig
- "Project Svelte"
- Runtime Permissions
- FS Permissions
Quick Stats
Top 50 free iOS apps:
- 80% using NSAllowsArbitraryLoads
- 34% using NSExceptionDomains
- 0 using MinimumTLSVersion exception
Top 50 free Android apps:
- Only Chrome using networkSecurityPolicy and services with isolatedProcess
- None leaving debuggable flag enabled
- 66% set allowBackup true
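The two statistics slides above (ATS settings in iOS Info.plist files and allowBackup, debuggable, usesCleartextTraffic and isolatedProcess in Android manifests) are the kind of thing a static check can collect before an app ever reaches a dynamic-analysis device. The script below is an added example, not NowSecure's tooling or code from the talk. It parses a constructed Info.plist and a constructed AndroidManifest.xml and reports the same flags the slides count. The treatment of absent manifest attributes (allowBackup and usesCleartextTraffic defaulting to true, as they did on the 2016-era platforms discussed here) is an assumption stated in the comments.

```python
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# NSExceptionMinimumTLSVersion values below the ATS default of TLSv1.2.
WEAK_TLS = {"TLSv1.0", "TLSv1.1"}

# Constructed sample Info.plist (not from any real app): ATS disabled globally
# via NSAllowsArbitraryLoads plus an exception domain that permits cleartext
# HTTP and an old TLS floor.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.sampleapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed sample AndroidManifest.xml (not from any real app).
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sampleapp">
  <application
      android:allowBackup="true"
      android:debuggable="false"
      android:usesCleartextTraffic="true">
    <service android:name=".Worker" android:isolatedProcess="false"/>
  </application>
</manifest>
"""


def audit_ios_ats(plist_bytes):
    """Summarise the App Transport Security section of an Info.plist."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    report = {
        "allows_arbitrary_loads": bool(ats.get("NSAllowsArbitraryLoads", False)),
        "exception_domains": [],
        "insecure_http_domains": [],
        "weak_min_tls_domains": [],
    }
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        report["exception_domains"].append(domain)
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            report["insecure_http_domains"].append(domain)
        if rules.get("NSExceptionMinimumTLSVersion") in WEAK_TLS:
            report["weak_min_tls_domains"].append(domain)
    return report


def audit_android_manifest(manifest_bytes):
    """Summarise the <application> security attributes of an AndroidManifest.xml."""
    root = ET.fromstring(manifest_bytes)
    app = root.find("application")

    def attr(elem, name, default=None):
        # Android attributes live in the android: namespace.
        return elem.get("{%s}%s" % (ANDROID_NS, name), default)

    report = {
        # Assumption: absent allowBackup means backups are allowed (platform default).
        "allow_backup": attr(app, "allowBackup", "true") == "true",
        "debuggable": attr(app, "debuggable", "false") == "true",
        # Assumption: absent usesCleartextTraffic means cleartext is allowed,
        # as it was before networkSecurityConfig became the norm.
        "uses_cleartext_traffic": attr(app, "usesCleartextTraffic", "true") == "true",
        "has_network_security_config": attr(app, "networkSecurityConfig") is not None,
        "isolated_services": [],
        "non_isolated_services": [],
    }
    for svc in app.findall("service"):
        name = attr(svc, "name", "<unnamed>")
        key = "isolated_services" if attr(svc, "isolatedProcess") == "true" else "non_isolated_services"
        report[key].append(name)
    return report


if __name__ == "__main__":
    print(audit_ios_ats(SAMPLE_INFO_PLIST))
    print(audit_android_manifest(SAMPLE_MANIFEST))
```

Run over a corpus of extracted Info.plist and decoded manifests, the two dicts give exactly the per-app counts on the slides; the defaults-on-absence handling matters because a manifest that never mentions allowBackup is still backup-enabled.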