Canberra OWASP Chapter meeting Andrew Muller Canberra Chapter Leader andrew.muller@owasp.org 0400 481 179 19th July 2012

Chapter meetings First Wednesday every three months* Next meetings: 4th August 2012 ??? 5th September 2012 5th December 2012 6th March 2013*

Comms Subscribe to OWASP Canberra mailing list Speak

News Formspring – ~?,000,000 accounts Phandroid forums - ~1,000,000 accounts Nvidia forums - ~400,000 accounts Billabong - ~35,000 password Yahoo Voice – ~450,000 passwords billabong, 123456, 12345, passwords 123456, password, welcome, ninja Stored in plaintext FFS!

Mobile Security Project Threat Model Top Ten Risks Top Ten Controls Secure Development Security Testing (guide, GoatDroid, iGoat) Cheat Sheets https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

Top Ten Risks Insecure Data Storage Weak Server Side Controls Insufficient Transport Layer Protection Client Side Injection Poor Authorization and Authentication Improper Session Handling Security Decisions Via Untrusted Inputs Side Channel Data Leakage Broken Cryptography Sensitive Information Disclosure

Top Ten Controls Identify and protect sensitive data on the mobile devices Handle password credentials securely on the device Ensure sensitive data is protected in transit Implement user authentication, authorisation and session management correctly Keep the backend APIs and platform secure Secure data integration with third party services and applications Pay attention to collection and storage of consent for collection and use of user’s data Implement controls to prevent unauthorised access to paid-for resources Ensure secure distribution/provisioning of mobile applications Carefully check any runtime interpretation of code for errors

Guest Speaker Jacob West Director Software Security Research at HP Enterprise Security Products