SlideShare a Scribd company logo

More Apps More Problems

Tyler Shields, profile picture
Tyler Shields

The document discusses risk and defines it as the possibility of loss or injury. It then discusses crowd sourcing security testing and outlines some of the current inadequate solutions such as expensive security consultants, tools that don't scale, and developers who prioritize functionality over security. The document then summarizes the results of analyzing over 53,000 Android applications, finding most request GPS and contact permissions and lists the top third party libraries used. It concludes by proposing a whitelisting approach to security testing using static analysis and an unbiased third party.

Technology
1 of 39
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
More Apps More Problems
More Apps More Problems
More Apps More Problems
Risk - noun `risk The possibility of loss or injury
• • • • • • • • • • • • • • • • • • • • •
• • • • • • • • • • • • • • • • •
More Apps More Problems
More Apps More Problems
More Apps More Problems
• • • • •
• • • • • •
• • • • •
• • • • • • •
More Apps More Problems
More Apps More Problems
More Apps More Problems
• • • • • •
• • • •
• ‣ ‣ • ‣ ‣
• ‣ • ‣ ‣
More Apps More Problems
More Apps More Problems
More Apps More Problems
More Apps More Problems
More Apps More Problems
• ‣ ‣ •
More Apps More Problems
More Apps More Problems
More Apps More Problems
Crowd Sourced Current Solutions Inadequate Internal Teams Developers Dev Site A Dev Site B Security Consultants • Very expensive • In short supply iPhone • Time to results too long Dev Site C Apps Crowd Internal Sourcing Tools • Do not scale across sites Open 3rd Party • Very high noise ratio Source Open Software Software Vendors • Can not test 3rd party code Source SYMC MSFT • Separation of duties issue Outsourced Developers Offshore • Do not know how to write Oracle secure code Provider • Prioritize time-to-ship, functionality over security Processes • Difficult to implement Eastern China • Years to fine tune Europe India • Low adoption (< 1% of US Contractors companies CMMI Level 5 certified) Unknown Skills
53,000 Applications Analyzed  Android Market: ~48,000  3rd Party Markets: ~5,000 Permissions Requested  Average: 3  Most Requested: 117 Top “Interesting” Permissions  GPS information: 24% (11,929)  Read Contacts: 8% (3,626)  Send SMS: 4% (1,693)  Receive SMS: 3% (1262)  Record Audio: 2% (1100)  Read SMS: 2% (832)  Process Out Calls: 1% (323)  Use Credentials : 0.5% (248)
More Apps More Problems
52,000 Applications Analyzed • Android Market: • 3rd Party Markets: Third Party Libraries • Total Third Party Libraries: • Top Shared Libraries - - - - - - - -
More Apps More Problems
• • ‣ • •
• • •
Whitelisting • Conduct static analysis of candidate applications • Create a whitelist • Use an unbiased 3rd party • Enforcement via mobile policy
More Apps More Problems
More Apps More Problems

More Related Content

PDF
IT Hot Topics - Mobile Security Threats at Every Layer
Tyler Shields
 
PPT
Security Best Practices for Mobile Development @ Dreamforce 2013
Tom Gersic
 
PDF
CarolinaCon 2005 Web Application Hacking 101
Tyler Shields
 
PPTX
2011 celebration
mhmayer
 
PPTX
Defending Behind the Mobile Device
Tyler Shields
 
PDF
Owasp Ireland - The State of Software Security
Tyler Shields
 
PDF
Shmoocon 2010 - The Monkey Steals the Berries
Tyler Shields
 
PDF
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
Tyler Shields
 
IT Hot Topics - Mobile Security Threats at Every Layer
Tyler Shields
 
Security Best Practices for Mobile Development @ Dreamforce 2013
Tom Gersic
 
CarolinaCon 2005 Web Application Hacking 101
Tyler Shields
 
2011 celebration
mhmayer
 
Defending Behind the Mobile Device
Tyler Shields
 
Owasp Ireland - The State of Software Security
Tyler Shields
 
Shmoocon 2010 - The Monkey Steals the Berries
Tyler Shields
 
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
Tyler Shields
 

Similar to More Apps More Problems (20)

PDF
Dirty Little Secret - Mobile Applications Invading Your Privacy
Tyler Shields
 
PDF
E2 Labs: ADVANCED PROGRAM ON: THE SECURITY OF A WEBSITE
e2-labs
 
PPTX
Fortify On Demand and ShadowLabs
jasonhaddix
 
PDF
Bug hunting through_reverse_engineering
arif
 
PPT
Mazenet
naveenmazenet
 
PPT
Agile software development for startups
Hemant Elhence
 
PDF
Sql injection to enterprise Owned - K.K. Mookhey
OWASP-Qatar Chapter
 
PPTX
Testing banking apps
Christian Ramirez
 
PDF
LocWorld: Building an Internationalization Plan; October 2011
Lingoport (www.lingoport.com)
 
PDF
Senior Manager Engineer
KarolHoutman
 
PDF
Going Remote: User experiences at a distance
linoleumjet
 
PPTX
What Does a Full Featured Security Strategy Look Like?
Precisely
 
PDF
Application Assessment Techniques
Denim Group
 
PPTX
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Digital Defense Inc
 
PDF
The New Mobile Landscape - OWASP Ireland
Tyler Shields
 
PPTX
Keeping Secrets on the Internet of Things - Mobile Web Application Security
Kelly Robertson
 
PDF
Mobile Security
Xavier Mertens
 
PPT
Mobile Apps Security
Xavier Mertens
 
PDF
Vulnerability Management In An Application Security World
Denim Group
 
PPTX
Cloud connect - Delivering Enterprise Scale Applications on Cloud
aravindajju
 
Dirty Little Secret - Mobile Applications Invading Your Privacy
Tyler Shields
 
E2 Labs: ADVANCED PROGRAM ON: THE SECURITY OF A WEBSITE
e2-labs
 
Fortify On Demand and ShadowLabs
jasonhaddix
 
Bug hunting through_reverse_engineering
arif
 
Mazenet
naveenmazenet
 
Agile software development for startups
Hemant Elhence
 
Sql injection to enterprise Owned - K.K. Mookhey
OWASP-Qatar Chapter
 
Testing banking apps
Christian Ramirez
 
LocWorld: Building an Internationalization Plan; October 2011
Lingoport (www.lingoport.com)
 
Senior Manager Engineer
KarolHoutman
 
Going Remote: User experiences at a distance
linoleumjet
 
What Does a Full Featured Security Strategy Look Like?
Precisely
 
Application Assessment Techniques
Denim Group
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Digital Defense Inc
 
The New Mobile Landscape - OWASP Ireland
Tyler Shields
 
Keeping Secrets on the Internet of Things - Mobile Web Application Security
Kelly Robertson
 
Mobile Security
Xavier Mertens
 
Mobile Apps Security
Xavier Mertens
 
Vulnerability Management In An Application Security World
Denim Group
 
Cloud connect - Delivering Enterprise Scale Applications on Cloud
aravindajju
 
Ad

More from Tyler Shields (20)

PDF
Avoiding the Pandora Pitfall
Tyler Shields
 
PPTX
Social and Mobile and Cloud - OH MY!
Tyler Shields
 
PPTX
Social Media Basics: Security Loopholes with Twitter & Other Social Media
Tyler Shields
 
PDF
Survey of Rootkit Technologies and Their Impact on Digital Forensics
Tyler Shields
 
PDF
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
Tyler Shields
 
PDF
Source Boston 2010 - The Monkey Steals the Berries Part Deux
Tyler Shields
 
PDF
Software Developers Forum 2010 - The Monkey Steals the Berries
Tyler Shields
 
PDF
Raleigh ISSA 2010 - The Monkey Steals the Berries
Tyler Shields
 
PDF
Static Detection of Application Backdoors
Tyler Shields
 
PDF
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Tyler Shields
 
PDF
Anti-Debugging - A Developers View
Tyler Shields
 
PDF
Praetorian Veracode Webinar - Mobile Privacy
Tyler Shields
 
PDF
IT Hot Topics 2010 - The Coming Wave of Smartphone Attacks
Tyler Shields
 
PDF
iSec Forum NYC - Smartphone Backdoors an Analysis of Mobile Spyware
Tyler Shields
 
PPTX
IQT 2010 - The App Does That!?
Tyler Shields
 
PDF
Triangle InfoSecCon - Detecting Certified Pre-Owned Software and Devices
Tyler Shields
 
PDF
GovCert.NL - The Monkey Steals The Berries
Tyler Shields
 
PPTX
Intelligence on the Intractable Problem of Software Security
Tyler Shields
 
PDF
The Coming Wave of Smartphone Attacks - Texas DIR
Tyler Shields
 
PPTX
CarolinaCon 2009 Anti-Debugging
Tyler Shields
 
Avoiding the Pandora Pitfall
Tyler Shields
 
Social and Mobile and Cloud - OH MY!
Tyler Shields
 
Social Media Basics: Security Loopholes with Twitter & Other Social Media
Tyler Shields
 
Survey of Rootkit Technologies and Their Impact on Digital Forensics
Tyler Shields
 
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
Tyler Shields
 
Source Boston 2010 - The Monkey Steals the Berries Part Deux
Tyler Shields
 
Software Developers Forum 2010 - The Monkey Steals the Berries
Tyler Shields
 
Raleigh ISSA 2010 - The Monkey Steals the Berries
Tyler Shields
 
Static Detection of Application Backdoors
Tyler Shields
 
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Tyler Shields
 
Anti-Debugging - A Developers View
Tyler Shields
 
Praetorian Veracode Webinar - Mobile Privacy
Tyler Shields
 
IT Hot Topics 2010 - The Coming Wave of Smartphone Attacks
Tyler Shields
 
iSec Forum NYC - Smartphone Backdoors an Analysis of Mobile Spyware
Tyler Shields
 
IQT 2010 - The App Does That!?
Tyler Shields
 
Triangle InfoSecCon - Detecting Certified Pre-Owned Software and Devices
Tyler Shields
 
GovCert.NL - The Monkey Steals The Berries
Tyler Shields
 
Intelligence on the Intractable Problem of Software Security
Tyler Shields
 
The Coming Wave of Smartphone Attacks - Texas DIR
Tyler Shields
 
CarolinaCon 2009 Anti-Debugging
Tyler Shields
 
Ad

Recently uploaded (20)

PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
A Presentation on Artificial Intelligence
memembruh336
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Cloud computing and distributed systems.
kkkkkhan
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 

More Apps More Problems

  • 4. Risk - noun `risk The possibility of loss or injury
  • 5. • • • • • • • • • • • • • • • • • • • •
  • 6. • • • • • • • • • • • • • • • •
  • 17. • • • • •
  • 19. ‣ ‣ • ‣ ‣
  • 20. ‣ • ‣ ‣
  • 26. ‣ ‣ •
  • 30. Crowd Sourced Current Solutions Inadequate Internal Teams Developers Dev Site A Dev Site B Security Consultants • Very expensive • In short supply iPhone • Time to results too long Dev Site C Apps Crowd Internal Sourcing Tools • Do not scale across sites Open 3rd Party • Very high noise ratio Source Open Software Software Vendors • Can not test 3rd party code Source SYMC MSFT • Separation of duties issue Outsourced Developers Offshore • Do not know how to write Oracle secure code Provider • Prioritize time-to-ship, functionality over security Processes • Difficult to implement Eastern China • Years to fine tune Europe India • Low adoption (< 1% of US Contractors companies CMMI Level 5 certified) Unknown Skills
  • 31. 53,000 Applications Analyzed  Android Market: ~48,000  3rd Party Markets: ~5,000 Permissions Requested  Average: 3  Most Requested: 117 Top “Interesting” Permissions  GPS information: 24% (11,929)  Read Contacts: 8% (3,626)  Send SMS: 4% (1,693)  Receive SMS: 3% (1262)  Record Audio: 2% (1100)  Read SMS: 2% (832)  Process Out Calls: 1% (323)  Use Credentials : 0.5% (248)
  • 33. 52,000 Applications Analyzed • Android Market: • 3rd Party Markets: Third Party Libraries • Total Third Party Libraries: • Top Shared Libraries - - - - - - - -
  • 35. • • ‣ • •
  • 37. Whitelisting • Conduct static analysis of candidate applications • Create a whitelist • Use an unbiased 3rd party • Enforcement via mobile policy