Mobile App Security Techniques and Traps - GOTO Conference
TRANSCRIPT
Mobile App Security Techniques and Traps
Graham Lee / @secboffin
Smartphone Security Boffin, The Lab @O2
Tuesday, 22 May 12
No code
State of the Union
• 1875: UK patent application for telephone
• 2007: Phones got good enough to be useful
• 2009ish: Cell networks got good enough to use phones on
• Despite apparent novelty, most security problems already existed:
The problems
• Who gets to see/change my data?
• I like sharing things, but only on my terms.
• (these are the same problem stated twice)
What are my concerns?
To how much effort will I go?
Will no-one think of the children?
Top Tips
• Express security issues as (testable) user stories
• Iterate
• Plan your response strategy (particularly release management)
• Don’t leave it to the pen tester
Further Reading
Graham Lee / @secboffin
Smartphone Security Boffin, The Lab @O2
• OWASP Mobile: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
• GSMA Privacy Guidelines: http://www.gsma.com/publicpolicy/mobile-and-privacy/design-guidelines/