Mobile devices are relatively new to the connected world, yet the issues surrounding mobile app security have proven much more complex than those around web applications when it comes to threat modeling. With mobile, it's not just about the code running on the device: security depends heavily on the device itself, and on the many different OS versions in circulation, which is pushing companies to get on the offense when it comes to mobile app security. Although mobile testing can be complex, we have identified trends in valid vulnerability submissions, and some of the top areas of interest in mobile app security testing. To start this conversation, we'll be holding a live webcast with Jason Haddix, Bugcrowd Director of Technical Operations, on July 16th at 11AM PDT. He will be discussing common mobile threats and how security teams can test for them.
Mobile Data Encryption at Rest:
Mobile platforms and development kits come with a plethora of options to securely store and encrypt data. The problem is that most developers don't use these APIs. Whether it's passwords stored in plaintext on the file system or personal information leaked through "features," secure coding guidance for iOS and Android is few and far between. On Apple's iOS in particular, it's important to understand what data an attacker can recover by stealing your device, and which APIs you can use to keep that data as safe as possible.
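The Android side of this point, as an added example that is not code from the Bugcrowd post: the same session token written the way the paragraph warns against (plaintext in SharedPreferences), and then written through the Android Keystore so only AES-GCM ciphertext reaches the file system. It assumes Android API 23+ (android.security.keystore); the key alias and preferences file name are arbitrary choices for the illustration.

```java
// Added illustration, not code from the Bugcrowd post.
// Assumes Android API 23+. Key alias and preferences file name are arbitrary.
import android.content.Context;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class TokenStore {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String ALIAS = "session_token_key";   // arbitrary alias
    private static final String PREFS = "auth";                 // arbitrary file name
    private static final int GCM_TAG_BITS = 128;
    private static final int GCM_IV_LEN = 12;                   // Keystore GCM IVs are 12 bytes

    // BEFORE: the pattern the post warns about. The token lands in
    // /data/data/<pkg>/shared_prefs/auth.xml in the clear, so an ADB backup,
    // a rooted device or a forensic image of the flash hands it straight over.
    public static void saveTokenPlaintext(Context ctx, String token) {
        ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
           .edit().putString("token", token).apply();
    }

    // AFTER: the AES key is generated inside the Android Keystore and never leaves it;
    // what reaches the file system is a random IV plus AES-GCM ciphertext.
    public static void saveTokenEncrypted(Context ctx, String token) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey());   // Keystore supplies a fresh random IV
        byte[] iv = cipher.getIV();
        byte[] ct = cipher.doFinal(token.getBytes(StandardCharsets.UTF_8));
        byte[] blob = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
           .edit().putString("token", Base64.encodeToString(blob, Base64.NO_WRAP)).apply();
    }

    public static String loadTokenEncrypted(Context ctx) throws Exception {
        String b64 = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE).getString("token", null);
        if (b64 == null) return null;
        byte[] blob = Base64.decode(b64, Base64.NO_WRAP);
        byte[] iv = Arrays.copyOfRange(blob, 0, GCM_IV_LEN);
        byte[] ct = Arrays.copyOfRange(blob, GCM_IV_LEN, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, getOrCreateKey(), new GCMParameterSpec(GCM_TAG_BITS, iv));
        // GCM authenticates the ciphertext: a tampered blob fails here with AEADBadTagException
        return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
    }

    private static SecretKey getOrCreateKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        if (ks.containsAlias(ALIAS)) {
            return (SecretKey) ks.getKey(ALIAS, null);   // Keystore keys have no password
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                    KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build());
        return kg.generateKey();
    }
}
```

Two caveats worth keeping in mind when you test this. First, the Keystore key is still usable by any code running as the app on an unlocked device, so on a rooted phone the attacker decrypts by calling the app's own code; `setUserAuthenticationRequired(true)` on the builder ties the key to the lock screen if that matters for the data. Second, the encrypted form is only as good as the rest of the app: the same token written to `Log.d`, copied into a crash report, or cached by a WebView is plaintext again.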
Mobile Data Encryption in Transit:
Since mobile devices are everywhere and connect to a large number of untrusted networks, encrypting traffic in transit is paramount. Even teams that do use HTTPS between a mobile app and the web can misconfigure this protection. Here we'll look at the common places where sensitive data goes unencrypted, how to check that your connections are up to snuff, and extra protections like certificate pinning.
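The most common way HTTPS gets misconfigured in a mobile app, and the pinning the paragraph mentions, as an added Java example that is not code from the Bugcrowd post: the "trust everything" TrustManager and HostnameVerifier that developers drop in to get past a certificate error, beside a TrustManager that keeps the platform's normal validation and adds a public-key pin. The host name and pin strings are placeholders; real pins are computed from your own certificate chain with the `spkiPin` function shown.

```java
// Added illustration, not code from the Bugcrowd post. Pin values are placeholders.
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;   // API 26+; android.util.Base64 with NO_WRAP on older Android releases
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class ApiTransport {

    // BEFORE: the "fix" for a certificate error that turns up in submission after
    // submission. The URL still says https://, but every certificate for every host
    // is accepted, so anyone on the same Wi-Fi can terminate TLS with a self-signed
    // certificate and read or rewrite the traffic.
    public static void trustEverythingDoNotShip() throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { } // no validation at all
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, trustAll, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true); // any name matches
    }

    // AFTER: keep the platform's chain validation and add public-key pinning on top.
    // A pin is base64(SHA-256(SubjectPublicKeyInfo)), the same value OkHttp's
    // CertificatePinner and HPKP use. Ship at least one backup pin (an intermediate
    // CA or a pre-generated rotation key) so a routine renewal does not lock out
    // every installed copy of the app.
    private static final Set<String> PINS = new HashSet<>(Arrays.asList(
            "sha256/PRIMARY_PIN_PLACEHOLDER_BASE64=",   // hypothetical value
            "sha256/BACKUP_PIN_PLACEHOLDER_BASE64="));  // hypothetical value

    public static String spkiPin(X509Certificate cert) {
        try {
            byte[] spki = cert.getPublicKey().getEncoded();   // DER-encoded SubjectPublicKeyInfo
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
            return "sha256/" + Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every Java runtime", e);
        }
    }

    public static X509TrustManager pinningTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null = the platform's built-in CA store
        X509TrustManager platform = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { platform = (X509TrustManager) tm; break; }
        }
        if (platform == null) throw new IllegalStateException("no X509TrustManager available");
        final X509TrustManager base = platform;
        return new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                base.checkServerTrusted(chain, authType);   // expiry, signatures, CA trust: unchanged
                for (X509Certificate c : chain) {            // then require a pinned key somewhere in the chain
                    if (PINS.contains(spkiPin(c))) return;
                }
                throw new CertificateException("server chain contains no pinned public key");
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                base.checkClientTrusted(chain, authType);
            }
            public X509Certificate[] getAcceptedIssuers() { return base.getAcceptedIssuers(); }
        };
    }

    public static void installPinning() throws Exception {
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, new TrustManager[] { pinningTrustManager() }, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
        // Leave the default HostnameVerifier in place: pinning is in addition to name checking, not a replacement.
    }
}
```

When reviewing an app for this, grep the decompiled code for `checkServerTrusted` methods with empty bodies and for `HostnameVerifier` implementations that return `true`; they are almost always left over from testing against a staging server with a self-signed certificate. Pinning the public key rather than the whole certificate means a renewal that reuses the key pair keeps working, while a MITM with a different key, even one signed by a CA the device trusts, is rejected.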
Mobile Application Backends aka Web Security for Mobile:
Almost all mobile applications communicate with a backend: pulling down a website's content, calling an API, uploading and downloading files, and so on. These backends are subject to the same web application security flaws the industry has been battling for years. It's a sad fact that they are usually forgotten and highly vulnerable to attack. Don't fall into a false sense of security: finding and hacking these backends is trivial. We will discuss the vulnerabilities most often submitted against them, as well as projects that outline good server-side security controls as a baseline for your mobile backends.
How Can You Secure Your Mobile Application Against These Threats?
As countless mobile apps are being created without sufficient security consideration, a new breed of breach has surfaced: a flaw in a shared framework or library that shows up as multiple issues across multiple apps. To prevent these breaches, developers and security teams need testing guides tailored to mobile, ones that cover both the environment the app runs in and the app's own architecture. That said, there are many ways you can make it harder for attackers to compromise your security.
Tune in on July 16th for "Mobile Application Security Threats through the Eyes of the Attacker" with Jason Haddix