Debunking the Top 5 Myths About Mobile AppSec

© Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.© Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
DEBUNKING THE TOP
5 MYTHS ABOUT
MOBILE APPSEC

© Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
ALL THINGS MOBILE DEVSECOPS
Subscribe Here
https://www.nowsecure.com/go/subscribe/
Semi-monthly Newsletter
Delivered 1st & 3rd Wednesday of the month
Resources for the Mobile DevSecOps journey

© Copyright 2019 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.3
ASK A QUESTION ANY TIME
Use the “Ask a Question” tab below the slides

ALAN SNYDER
CHIEF EXECUTIVE OFFICER
NOWSECURE
AGENDA
INTRODUCTIONS
MOBILE TRENDS
THE 5 MYTHS
KEY TAKEAWAYS
Q&A
PICK A PRIZE WINNER!
SPEAKER
4
BRIAN REED
CHIEF MOBILITY OFFICER
NOWSECURE
MODERATOR

THE WORLD’S MOBILE APP ECONOMY
42.6 3MILLION
Mobile Apps
US App Stores
BILLION
Mobile Device
Users
MILLION
Shortage in Cyber
Security Professionals
12MILLION
Mobile App
Developers
5
sources: Statista, (ISC)2
, BusinessOfApps (2018/2019)
5

MCDONALDS SPENDING $6BN ON TRANSFORMATION

MOBILE APPS DOMINATE USAGE, BRINGS THE ATTACKERS

Mobile apps are secure because
Apple and Google test them.
8
MYTH #1

MOBILE APP RISKS ARE REAL AND PAINFULLY EXPOSED

MOBILE PRIVACY 250 STUDY - 70% LEAK DATA
10
www.nowsecure.com/go/protectmydata

DEVELOPERS MUST TEST THEIR OWN SOFTWARE
11
▪ Secure Development (Certiﬁcates, HTTPS, etc)
▪ App Data Leakage (Privacy)
▪ 3rd Party Libraries (Privacy or Vulnerabilities)
▪ App Functionality and Dynamic Code
Apple App Store®
Google Play™ Store
WHAT APPLE & GOOGLE CHECK
▪ Guideline/API Compliance, Malware, Static Vulnerabilities
▪ Apple Dev Guidelines:
▪ You are responsible for making sure everything in your app complies with these
guidelines, including ad networks, analytics services, and third-party SDKs, so review
and choose them carefully.
▪ 1.6 Data Security - Apps should implement appropriate security measures to
ensure proper handling of user information collected pursuant to the Apple Developer
Program License Agreement and these Guidelines (see Guideline 5.1 for more
information) and prevent its unauthorized use, disclosure, or access by third parties.
WHAT APPLE & GOOGLE DON’T CHECK

Testing mobile apps is
the same as web apps.
12
MYTH #2

FUNDAMENTAL DIFFERENCES
13
WEB APP MOBILE APP
Browser inherent isolation from client machine Full operating system underlies the app AND
apps can interact
Majority of code on server behind firewall and
other protections
Substantial code, IP logic, data on the client
device
Browser handles SSL/HTTPS AppDev must properly code network calls
Browser isolates data from local machine
memory and files
AppDev must properly code to handle local
memory and files
Test frameworks can be loaded directly into
browser environments
Locked down iOS/Android operating systems
and containerization dramatically raises
complexity

OWASP TOP 10 COMPARISON
1. Improper Platform Usage
2. Insecure Data Storage
3. Insecure Communication
4. Insecure Authentication
5. Insufficient Cryptography
6. Insecure Authorization
7. Client Code Quality
8. Code Tampering
9. Reverse Engineering
10. Extraneous Functionality
1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities
5. Broken Access Control
6. Security Misconfiguration
7. Cross Site Scripting
8. Insecure Deserialization
9. Using Vulnerable Components
10. Insufficient Logging/Monitoring
Mobile Web

NOWSECURE ATTACKER POV
iOS
APPS
TEST
APP
Dynamic to monitor
dynamic code loading
from the network
Dynamic to test
MITM
Only NowSecure uniquely takes the Attacker
POV to test across app, compiler, data at rest,
data in motion, OS, HW & SW during and after
running the mobile app on real devices
iOS FRAMEWORKS
iOS NATIVE
LIBRARIES
iOS Mach/XNU
KERNEL
iOS HAL
HARDWARE
15
Data Center
& App Backend
Network &
Cloud Services
Behavioral to test
active memory
Dynamic to taint &
trace sensor data
from HAL
Dynamic to test
persistent storage
Behavioral to
determine app to
app vulns
Dynamic to track
interaction with
contacts
Dynamic & Behavioral to
test Certiﬁcate Pinning
Dynamic to track
interaction
with ﬁle system
Dynamic to test
SSL Stripping
Behavioral to to
track interaction
with Keychain
Dynamic to track
interaction with
Microphone

Static Source Code Analysis (SAST) is good
enough for mobile
16
MYTH #3

SUMMARY STATIC SOURCE VS DYNAMIC BINARY
STATIC
SOURCE
DYNAMIC
BINARY
CODE ISSUES YES YES
DATA AT REST YES
DATA IN MOTION YES
FIND MiTM VULN YES
FIND IP ADDRESSES YES
FIND 3rd PARTY LIBS YES
17

INSIDE THE MOBILE ATTACK SURFACE
iOS
APPS
iOS FRAMEWORKS
iOS NATIVE LIBRARIES
iOS Mach/XNU KERNEL
iOS HAL
HARDWARE
CODE FUNCTIONALITY
DATA AT REST DATA IN MOTION
Data Center
& App Backend
Network &
Cloud Services
TEST
APP
▪ GPS spoofing
▪ Buffer overflow
▪ allowBackup Flag
▪ allowDebug Flag
▪ Code Obfuscation
▪ Configuration manipulation
▪ Escalated privileges
▪ URL schemes
▪ GPS Leaking
▪ Integrity/tampering/repacking
▪ Side channel attacks
▪ App signing key unprotected
▪ JSON-RPC
▪ Automatic Reference Counting
▪ Dynamic runtime injection
▪ Unintended permissions
▪ UI overlay/pin stealing
▪ Intent hijacking
▪ Zip directory traversal
▪ Clipboard data
▪ World Readable Files
▪ Data caching
▪ Data stored in application directory
▪ Decryption of keychain
▪ Data stored in log files
▪ Data cached in memory/RAM
▪ Data stored in SD card
▪ OS data caching
▪ Passwords & data accessible
▪ No/Weak encryption
▪ TEE/Secure Enclave Processor
▪ Side channel leak
▪ SQLite database
▪ Emulator variance
▪ Wi-Fi (no/weak encryption)
▪ Rogue access point
▪ Packet sniffing
▪ Man-in-the-middle
▪ Session hijacking
▪ DNS poisoning
▪ TLS Downgrade
▪ Fake TLS certificate
▪ Improper TLS validation
▪ HTTP Proxies
▪ VPNs
▪ Weak/No Local authentication
▪ App transport security
▪ Transmitted to insecure server
▪ Zip files in transit
▪ Cookie “httpOnly” flag
▪ Cookie “secure” flag
18
▪ Android rooting/iOS jailbreak
▪ User-initiated code
▪ Confused deputy attack
▪ Media/file format parsers
▪ Insecure 3rd party libraries
▪ World Writable Files
▪ World Writable Executables
WEB + SAST VENDORS

NOWSECURE APPSEC TESTING COVERAGE CHECKLIST
✓ Man in the Middle: Cert Validation
✓ Man in the Middle: Cert Pinning
✓ Man in the Middle: HTTP Connections
✓ SSL Downgrade
✓ Unprotected TLS traffic
✓ Cookie integrity
✓ Certificate Validity
✓ App Transport Security
✓ …
✓ App files & Log Files
✓ Keychain
✓ SD Card
✓ World Writable Files
✓ World Readable Files
✓ RAM
✓ Unencrypted credential storage
✓ SQLite Databases
✓ Secure Enclave Processor
✓ …
✓ Development flags
✓ Automatic Reference Counting
✓ Stack Smashing
✓ Bad Authentication/Authorization
✓ Root access
✓ Path Traversal
✓ SQL Injection
✓ Vulnerable 3rd party libraries
✓ Heartbleed
✓ Bad cryptography
✓ Obfuscation
✓ …
CODE FUNCTIONALITY DATA IN MOTIONDATA AT REST
Data Center
& App Backend
Network &
Cloud Services
iOS
APPS
iOS FRAMEWORKS
iOS NATIVE LIBRARIES
iOS Mach/XNU KERNEL
iOS HAL
HARDWARE
TEST
APP
19
AUTOMATED MOBILE APP SECURITY TESTING ON REAL DEVICES
analyzes the binary post-compilation
to discover vulnerabilities including
those in third-party libraries
STATIC TESTING
attacks the binary & network environment
to discover vulnerabilities within the app
with near zero false positives
BEHAVIORAL TESTING
observes the binary at runtime to
discover vulnerabilities within
the app
DYNAMIC TESTING

Penetration testing once a year is enough
to mitigate risk.
20
MYTH #4

CURRENT STATE OF THE ART
TESTING: Manual Security Testing
TIME: 1-2 weeks @ 1 per year
COST: $15,000 per manual PEN test
MOBILE APPSEC TESTING IN THE DARK AGES

THE COMPOUNDING RISK OF MONTHLY RELEASES
22
Security Testing
Peak Protection
Dev
Release
cycle
Annual
Pen Test

MANAGING YOUR POOL OF MOBILE RISK
$ Millions in mobile security risk
SAST 1 PEN TEST UNKNOWN + UNMITIGATED RISK
SAST NS PEN TEST NS AUTO PEN TESTING SW
Dramatically Reduced Risk
Broader Visibility and Control
Critical Gap to Address

Dynamic testing can’t be automated.
24
MYTH #5

THE MOBILE TRIFECTA
FREQUENCY
USAGE
COM
PLEXITY
My
App
25

SCALING TESTING CAPACITY & RISK OVER TIME
26
TIME
Mobile App Release
volume and frequency as
you scale
SCALE
NowSecure Automation for
scales as app release and
volume scales
Current Manual testing
capacity
Critical Gap
to Address

CURRENT STATE OF THE ART
TESTING: Manual Security Testing
TIME: 1-2 weeks @ 1 per year
COST: $15,000 per manual PEN test
NOWSECURE SOLUTIONS
TESTING: Automated Security Testing
TIME: <15mins every build, every day
COST: $40 per daily test
MODERN MOBILE APPSEC TESTING

NOWSECURE POWERS YOUR MOBILE APPSEC TESTING
Auto-Generate
Issue Tickets
28
Build
Binary
Code
Commit
Test
Binary
</>
Stage Deploy
Auto-Test
Every Build
Test
On-Demand
MOBILE
Dev
Cycle
Triage &
Monitor
Production
Urgent /
Periodic
Pen Test

AUTOMATION WINS: CASE IN POINT
LEGACY
AST
NOWSECURE
AUTOMATION
Time to
complete
10 days 7 minutes
Vulns
Found
0 Found All 3
CC skimming
Data Leakage
Cert failure
CHALLENGE RESULTS
Large fast growing
multi-divisional company
Need reliable, deep, automated
mobile AST for Dev Pipeline
Bake-oﬀ: iOS Mobile App with
intentionally inserted vulns

1. Seek to build in security through Dev + Sec partnership
2. Model the risk level of your mobile apps and test appropriately
3. Mobile Security Standards ⇒ OWASP Mobile Top 10
4. Ensure DAST is core part of mobile appsec testing strategy
5. Plug automated security testing into your SDLC Toolchain
30
KEY TAKEAWAYS

NOWSECURE APPROACH

NOWSECURE DELIVERS THE SECURE VELOCITY YOU NEED
FREQUENCY OF RELEASE
FOR MOBILE APP(s)
VALUE
Rapid enhancements drive higher
mobile app business value faster
MOBILE BUSINESS VALUE CURVE
FREQUENCY OF RELEASE
TESTING EVERY RELEASE
COST
RISK
MOBILE BUSINESS COST & RISK CURVE
Manual pen testing
every release drives
costs exponentially
Pen testing only once
a year drives risk
exponentially
NowSecure Predictably
Flattens Cost & Risk

NOWSECURE SOLUTION
Data
Repository
Dashboards &
Reports
Advanced
Conﬁguration
Device
Farm
Compliance
Mapping
Analysis
Engine
33
NowSecure SOFTWARE NowSecure SERVICES
For Dev, QA & Security Teams
Automated Security Testing
Dynamic Testing Across Full Lifecycle
Scales to Continuous Testing & Monitoring
For App Owners, Dev & Security Teams
Expert Pen Testing Programs
Training & App Security Programs
Enterprise Mobile App Risk Assessments
Internal/Outsourced Development
On-Demand, API or CI/CD Integrated
on-prem or cloud

INSIDE NOWSECURE MOBILE APP RISK SCORING
34

CASE STUDY: ADOPTING THE NOWSECURE PLATFORM
Manual Testing
Test
PRE RELEASE
Test
ON DEMAND
Full CI/CD
Integration
Increasing Volume of apps
Integrate with SDLC infrastructure
Test every build every day
Auto-generate tickets from
ﬁndings in local ticketing tool
Auto-route reports to risk &
compliance stakeholders
Auto-route results & trends to
management dashboard
Perform deep dive investigations
when needed
Extended program to proactively
monitor app store 3rd party risk
1 mo 3 mo 6 mo 12 mo
Maximizing Value &
Performance
Increasing Frequency of releases
35

Automated Mobile AppSec Testing Software
Expert Pen Testing & Security Services
Powers Security in Agile & DevOps Teams
World-Class Security Research Team
(builders of FRIDA & RADARE)
Advanced Engineering & DevOps Teams
from High Frequency Trading Companies
Wrote the book on mobile forensics
TRUSTED BY THE WORLD’S HIGHEST SECURITY ORGANIZATIONS
36

NOWSECURE COMING ATTRACTIONS
ATARC Federal Mobile Summit
Aug 6, 2019 | Washington, DC
Black Hat USA (Training + Conference)
Aug 2-8, 2019 | Las Vegas, NV
DevOps World/Jenkins World
Aug 12-15, 2019 | San Francisco, CA
[Webinar] Coming Soon: Android Q &
iOS 13 Privacy Enhancements
Jul 18, 2019
OWASP Global AppSec - DC
Sep 9-13, 2019 | Washington, DC

OPEN Q&A
Use the “Ask a Question” tab below the slides
BRIAN REED
CMO, NOWSECURE
ALAN SNYDER
CEO, NOWSECURE

Debunking the Top 5 Myths About Mobile AppSec

More Related Content

What's hot (20)

Similar to Debunking the Top 5 Myths About Mobile AppSec (20)

More from NowSecure (13)

Recently uploaded (10)

Debunking the Top 5 Myths About Mobile AppSec