INTRODUCTION CHARLES MUIRURI

Presentation on theme: "INTRODUCTION CHARLES MUIRURI"— Presentation transcript:

2 INTRODUCTION CHARLES MUIRURI twitter: @icrackthecode
Security researcher. Mobile developer. I enjoy breaking to build and building to make the world a better place. Recently released a bug on the iOS platform. Blog: icrackthecode.github.io

3 APPS, APPS AND MORE APPS Local sectors have embraced mobile applications to the point that almost every problem is solved via an app.

4 Thinking deep But what problems are introduced?

5 Brief history of mobile security
2015 – Applications followed developer guidelines (less impact on security).
Early to mid 2016 – Large implementations of SSL pinning (credits to Emmanuel's AHCON 2016 talk).
Mid 2016 – Reverse engineering made easy (credits to Christian and Chrispus for the MARA Framework).
Risks – Information on risks was limited with regard to the user.

6 WHAT ABOUT 2017? Let’s rant about reverse engineering and function hooking threats

7 Function Hooking Function call hooking refers to a range of techniques used to intercept calls to pre-existing functions and wrap around them to modify the function's behaviour at runtime.

8 Reverse Engineering The reproduction of another manufacturer's product following detailed examination of its construction or composition.

9 How it should be
Risks:
- Static code injection
- Runtime code injection
- Reverse engineering

10 Risks (continued)
- Infrastructure attacks
- Data violation (data leaks)
- Application monitoring
- Application escalation

11 DEMO

12 HOW TO BE SAFE
- Installer app: use the package manager to ensure the installing app is the Play/Amazon app store.
- Emulator check: check system properties for telltale signs that the app is being run on an emulator, which outside of development could indicate attack/tampering.
- Debuggable check: use the package manager to check the debuggable flag; this should be off in production, so finding it on could indicate attack/tampering.
- Signing certificate check: use the package manager to verify the app is signed with your developer certificate (this would be broken if someone unpacked and repacked/resigned the app).
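The four checks on this slide, written out as an added Android (Java) example; this is not code from the presentation or from the speaker. It assumes the app runs on Android with a `Context` available, that the trusted installer package names are those of Google Play (`com.android.vending`) and the Amazon Appstore (`com.amazon.venezia`), and that `EXPECTED_CERT_SHA256` is replaced with the SHA-256 fingerprint of the developer's own release signing certificate (the zero string below is a placeholder).

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.List;

public final class TamperChecks {
    // Installer package names accepted as trusted stores (assumed: Google Play, Amazon Appstore).
    private static final List<String> TRUSTED_INSTALLERS = Arrays.asList(
            "com.android.vending", "com.amazon.venezia");

    // PLACEHOLDER: replace with the hex SHA-256 of your own release signing certificate.
    private static final String EXPECTED_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    // Installer check: ask the package manager which package installed us.
    // (getInstallerPackageName is deprecated from API 30; getInstallSourceInfo replaces it.)
    public static boolean installedFromTrustedStore(Context ctx) {
        String installer = ctx.getPackageManager().getInstallerPackageName(ctx.getPackageName());
        return installer != null && TRUSTED_INSTALLERS.contains(installer);
    }

    // Emulator check: look for telltale build properties of common emulator images.
    public static boolean looksLikeEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
                || Build.FINGERPRINT.startsWith("unknown")
                || Build.MODEL.contains("google_sdk")
                || Build.MODEL.contains("Emulator")
                || Build.MODEL.contains("Android SDK built for x86")
                || Build.MANUFACTURER.contains("Genymotion")
                || (Build.BRAND.startsWith("generic") && Build.DEVICE.startsWith("generic"))
                || "google_sdk".equals(Build.PRODUCT);
    }

    // Debuggable check: the flag must be off in a production build.
    public static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    // Signing certificate check: hash every signing certificate and compare with the pinned value.
    // (GET_SIGNATURES is deprecated from API 28 in favour of GET_SIGNING_CERTIFICATES.)
    public static boolean signedWithExpectedCertificate(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager()
                    .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            for (Signature sig : info.signatures) {
                MessageDigest md = MessageDigest.getInstance("SHA-256");
                if (EXPECTED_CERT_SHA256.equalsIgnoreCase(toHex(md.digest(sig.toByteArray())))) {
                    return true;
                }
            }
        } catch (Exception e) {
            // Any failure to read our own package info is treated as a tampering signal.
        }
        return false;
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Aggregate verdict the app can act on (e.g. refuse to run, or alert the backend).
    public static boolean environmentLooksTampered(Context ctx) {
        return !installedFromTrustedStore(ctx)
                || looksLikeEmulator()
                || isDebuggable(ctx)
                || !signedWithExpectedCertificate(ctx);
    }
}
```

These checks raise the bar rather than close the door: each one runs inside the app, so the function hooking described on slide 7 can patch any of them to return a safe answer. They are most useful when the verdict is also reported to the server, which can then treat sessions from tampered clients with more suspicion.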

13 Other issues (credits to Christian for his previous research)
MOBILE (client side) / communication channel – OWASP Top 10 Mobile Vulnerabilities:
- Hardcoded information such as certificates, API keys, URLs
- Insecure SSL implementation in the mobile app
- Weak cryptography technologies
- App backup allowed
- Use of insecure random number generation
- Reverse engineering attacks
- Application code injection attacks
- Insecure implementation of 3rd-party services
- Internal IP address exposure
Information on risks was limited with regard to the user.

14 More issues
Server side – OWASP Top 10 Web Vulnerabilities:
- Running services and versions
- Insecure Transport Layer Security (TLS)/Secure Sockets Layer (SSL) implementation
- Multiple TLS/SSL-based vulnerabilities
- Insecure Application Programming Interface (API) implementation
- User login enumeration via brute forcing
- Use of vulnerable web services and applications

15 THANK YOU

