Cybersecurity - Mobile Application Security
Eryk Budi Pratama, CEH
Cybersecurity Consultant, Ernst & Young (EY)
Mobile Application Security
Application Security Risk
Lack of Binary Protection
Typical findings:
• No obfuscation (the app is trivially decompiled and reverse engineered)
• Code modification (the app is patched, repackaged and re-signed)
Recommendations:
• Obfuscator (ProGuard, DexGuard)
• Jailbreak/root detection controls
• Checksum controls (the app verifies the integrity of its own code at runtime)
• Debugger detection controls
• Renewing secret tokens (a token extracted from the binary stays useful only until it is rotated)
Weak Server Side Controls
The backend behind a mobile app is a web application and inherits its weaknesses:
• Logic flaws
• Weak authentication
• Weak session management
• Insecure web server configuration
• Injection (SQL, XSS, command)
• Local and remote file inclusion
• Missing input validation on the API (the mobile client is not a trust boundary; every parameter must be validated on the server)
Insecure Data Storage
Places where sensitive data ends up on the device:
• SQLite databases
• Log files
• XML data stores or manifest files
• Binary data stores
• Cookie stores
• SD card (external storage, readable by any app)
Recommendations:
• Ensure shared preferences are NOT MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE (use MODE_PRIVATE; the world-accessible modes are deprecated and throw a SecurityException from Android 7.0 onward)
• Avoid exclusively relying upon hardcoded encryption or decryption keys (a key in the binary is recovered by anyone who decompiles the app)
Insufficient Transport Layer Protection
Typical findings:
• Lack of certificate inspection (the app accepts any certificate, so an interception proxy can read and modify the traffic)
• Weak handshake negotiation (old protocol versions, weak cipher suites)
• Privacy information leakage via a non-secure channel (plain HTTP)
Recommendations:
• Use TLS for all traffic
• Certificate pinning
• Strong cipher suites
• Secure flag on session cookies
• HTTP Strict Transport Security (HSTS)
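As an added example (not code from the original slides): a hardened TLS client context, a certificate-pin check, and the response headers a backend should send for the cookie and HSTS recommendations above. The hostnames, pins and the sample DER bytes are constructed for illustration.

```python
# Added example (not from the original slides): a hardened TLS client
# configuration plus certificate pinning, and the response headers a backend
# should set. Hosts, pins and the sample DER bytes are constructed.
import base64
import hashlib
import socket
import ssl
from typing import Dict, Optional, Set


def build_client_context() -> ssl.SSLContext:
    """TLS 1.2 or newer, forward-secret AEAD cipher suites only; chain and
    hostname verification stay on (the create_default_context defaults)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string for the TLS 1.2 suites; TLS 1.3 suites are
    # governed separately and are already AEAD-only.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def pin_of(cert_der: bytes) -> str:
    """Pin = base64(SHA-256(DER certificate)). Pinning the whole certificate
    is the simplest form; pinning the SubjectPublicKeyInfo instead survives a
    renewal that keeps the same key."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode("ascii")


def pin_matches(cert_der: bytes, pins: Set[str]) -> bool:
    return pin_of(cert_der) in pins


def connect_pinned(host: str, port: int, pins: Set[str],
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and refuse it unless the leaf certificate matches
    one of the pins. The pin check runs after normal chain validation, so
    both must pass."""
    ctx = build_client_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    leaf: Optional[bytes] = tls.getpeercert(binary_form=True)
    if leaf is None or not pin_matches(leaf, pins):
        tls.close()
        raise ssl.SSLError("certificate pin mismatch for %s" % host)
    return tls


def hardened_response_headers(session_id: str) -> Dict[str, str]:
    """Backend side: HSTS so the client never downgrades to HTTP, and a
    session cookie that is only sent over TLS and is invisible to script."""
    return {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Set-Cookie": "session=%s; Secure; HttpOnly; SameSite=Strict" % session_id,
    }


if __name__ == "__main__":
    # Constructed stand-in for a server's DER certificate. Real pins come from:
    # openssl x509 -in cert.pem -outform der | openssl dgst -sha256 -binary | base64
    sample_der = b"\x30\x82\x01\x0a-constructed-certificate-bytes"
    print("pin:", pin_of(sample_der))
    print(hardened_response_headers("constructed-session-id"))
```

Ship at least two pins (current and backup certificate) so a planned rotation does not lock out every installed client, and remember that pinning only helps if the TrustManager/verification path is not also overridden to accept everything.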
Unintended Data Leakage
API or encryption keys
Passwords
Internal company information
Debugging or maintenance information
Recommendations:
Store sensitive application data server-side
Avoid hardcoding information in the application
Poor Authorization and Authentication
Typical findings:
• No password, just a unique ID (a device identifier used as the only credential)
• Plain text password (stored or transmitted unhashed)
• Credentials sent with the GET method (they end up in URLs, browser history, proxy and server logs)
Recommendations:
• Unique identifiers as additional (not the only) factors
• Differentiate the client-side passcode from server authentication
• Hardware-independent identifiers (i.e. not IMSI, serial number, etc.)
• Multi-factor authentication, depending on risk
• Define and enforce password length, strength and uniqueness
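As an added example (not code from the original slides): a backend login path that enforces the password policy, stores only a salted scrypt hash instead of the plain text password, verifies in constant time, and refuses credentials that arrive via GET. The policy numbers and the blocklist are assumptions.

```python
# Added example (not from the original slides): password policy, salted
# scrypt storage and a login check that rejects GET. Policy thresholds and
# the small blocklist are assumptions for illustration.
import hashlib
import hmac
import os
import re
from typing import Dict, List

MIN_LENGTH = 12                                   # assumed policy minimum
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1      # ~16 MiB per hash
# Constructed stand-in for a breached-password blocklist
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def check_policy(password: str, username: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        problems.append("needs 3 of: lower, upper, digit, symbol")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    if username and username.lower() in password.lower():
        problems.append("contains username")
    return problems


def hash_password(password: str) -> str:
    """Salted scrypt. Storing this string means a database leak does not hand
    the attacker the credentials, unlike plain text or unsalted MD5/SHA1."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                      salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    try:
        _, n, r, p, salt_hex, digest_hex = stored.split("$")
        candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p), dklen=32)
    except ValueError:
        return False
    # Constant-time comparison so a byte-by-byte mismatch leaks no timing signal
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Verified for unknown users so the response time does not reveal which
# usernames exist.
DUMMY_HASH = hash_password(os.urandom(16).hex())


def login(method: str, username: str, password: str,
          users: Dict[str, str]) -> bool:
    """users maps username -> stored hash string. Credentials in a GET request
    are rejected outright: they would land in URLs and logs."""
    if method.upper() != "POST":
        return False
    stored = users.get(username, DUMMY_HASH)
    ok = verify_password(password, stored)
    return ok and username in users


if __name__ == "__main__":
    users = {"alice": hash_password("Correct-Horse-42")}
    print(check_policy("password", "bob"))
    print(login("POST", "alice", "Correct-Horse-42", users),
          login("GET", "alice", "Correct-Horse-42", users))
```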
Broken Cryptography
• Hardcoded key (recoverable from the binary, so the encryption protects nothing against anyone who decompiles the app)
• Insecure encryption algorithm: RC2
• Weak hash functions: MD4, MD5, SHA1 (collisions are practical; not acceptable for signatures, integrity checks or password storage)
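As an added example (not code from the original slides), a grep-style static checker for the findings on the Insecure Data Storage, Unintended Data Leakage and Broken Cryptography slides above, meant to be run over decompiled Android source (for instance jadx output). The rules and the Java snippet are constructed for illustration, and every hit still needs manual confirmation.

```python
# Added example (not from the original slides): line-oriented static checks
# over decompiled Android source for world-readable storage, hardcoded
# credentials, weak hashes/ciphers, secrets in logcat and external storage.
# The rules and SAMPLE_JAVA are constructed for illustration.
import re
from typing import List, Tuple

# (rule id, pattern, message). Deliberately simple single-line matchers.
RULES = [
    ("WORLD_READABLE", re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)"),
     "shared preferences or file accessible to every app on the device"),
    ("HARDCODED_KEY",
     re.compile(r'(?i)(key|secret|password|token)\w*\s*=\s*"[^"]{8,}"'),
     "credential or key literal in source"),
    ("WEAK_HASH", re.compile(r'MessageDigest\.getInstance\(\s*"(MD4|MD5|SHA-?1)"'),
     "collision-prone hash"),
    ("WEAK_CIPHER", re.compile(r'Cipher\.getInstance\(\s*"(RC2|RC4|DES|DESede)[^"]*"'),
     "weak cipher"),
    ("ECB_MODE", re.compile(r'Cipher\.getInstance\(\s*"[^"]*ECB'),
     "ECB mode leaks plaintext structure"),
    ("LOG_SECRET", re.compile(r'Log\.[vdiwe]\([^;]*(?i:password|token|secret)'),
     "sensitive value written to logcat"),
    ("EXTERNAL_STORAGE",
     re.compile(r"getExternalStorageDirectory|getExternalFilesDir"),
     "data written to SD card / external storage"),
]


def scan(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule id, message) for every rule hit."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for rule_id, pattern, message in RULES:
            if pattern.search(line):
                findings.append((lineno, rule_id, message))
    return findings


def report(findings: List[Tuple[int, str, str]]) -> str:
    return "\n".join("line %d [%s] %s" % f for f in findings)


# Constructed Java snippet; the last two lines are the safe variants and
# must produce no findings.
SAMPLE_JAVA = """\
SharedPreferences prefs = getSharedPreferences("auth", Context.MODE_WORLD_READABLE);
static final String API_KEY = "AKIA-constructed-not-a-real-key";
MessageDigest md = MessageDigest.getInstance("MD5");
Cipher c = Cipher.getInstance("RC2/ECB/PKCS5Padding");
Log.d(TAG, "login ok, password=" + password);
File f = new File(Environment.getExternalStorageDirectory(), "users.db");
SharedPreferences ok = getSharedPreferences("auth", Context.MODE_PRIVATE);
Cipher good = Cipher.getInstance("AES/GCM/NoPadding");
"""

if __name__ == "__main__":
    print(report(scan(SAMPLE_JAVA)))
```

Run it as `scan(open(path).read())` over each `.java` file in the decompiled tree; the HARDCODED_KEY rule is intentionally broad and will flag placeholder strings as well, which is why the output is a review worklist rather than a verdict.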
Client Side Injection
• SQL injection against the app's local SQLite database
• Local file inclusion
• JavaScript injection (XSS) inside WebViews
Recommendations:
• Use parameterized queries
• Verify that JavaScript and plugin support is disabled for any WebView that does not need it
• Verify that file system access is disabled for any WebView
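As an added example (not code from the original slides), the local SQLite injection from the slide above shown against a constructed table: the vulnerable string-concatenated query beside the parameterized one, with the same payload sent to both. The same contrast applies to the server-side SQL injection listed under Weak Server Side Controls.

```python
# Added example (not from the original slides): SQLite lookup written with
# string concatenation beside the parameterized form. The table and rows are
# constructed inline.
import sqlite3
from typing import List

PAYLOAD = "alice' OR '1'='1"   # classic tautology; the quote closes the literal


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    db.executemany("INSERT INTO notes(owner, body) VALUES (?, ?)",
                   [("alice", "alice note"),
                    ("bob", "bob secret"),
                    ("carol", "carol secret")])
    return db


def notes_for_vulnerable(db: sqlite3.Connection, owner: str) -> List[str]:
    """Attacker-controlled `owner` becomes part of the SQL text, so the
    WHERE clause can be rewritten by the caller."""
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "' ORDER BY id"
    return [row[0] for row in db.execute(sql)]


def notes_for_safe(db: sqlite3.Connection, owner: str) -> List[str]:
    """The value travels as a bound parameter; SQLite never parses it as SQL."""
    return [row[0] for row in
            db.execute("SELECT body FROM notes WHERE owner = ? ORDER BY id", (owner,))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", notes_for_vulnerable(db, PAYLOAD))
    print("safe:      ", notes_for_safe(db, PAYLOAD))
```

The vulnerable function returns every row for the payload because the query becomes `... WHERE owner = 'alice' OR '1'='1' ...`; the parameterized function returns nothing, since no owner literally equals the payload string. On Android the equivalent is `rawQuery(sql, selectionArgs)` or `query(...)` with `?` placeholders instead of building the statement with `+`.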
Improper Session Handling
• Failure to invalidate sessions on the backend
• Lack of adequate timeout protection
• Failure to properly rotate cookies
• Insecure token creation
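As an added example (not code from the original slides), a server-side session store that addresses each of the four findings above: tokens from the OS CSPRNG, idle and absolute timeouts enforced on the backend, rotation after login, and explicit invalidation. The timeout values are assumptions, and the clock is injectable so the expiry logic can be exercised without waiting.

```python
# Added example (not from the original slides): backend session store with
# random tokens, idle/absolute timeouts, rotation and invalidation. Timeout
# values are assumptions.
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # assumed: 15 minutes without a request
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed: 8 hours since login, regardless of use


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def new_token() -> str:
        # 32 bytes from the OS CSPRNG. Never derive tokens from the user id,
        # the time or a counter; those are guessable.
        return secrets.token_urlsafe(32)

    def create(self, user: str) -> str:
        now = self._clock()
        token = self.new_token()
        self._sessions[token] = Session(user, now, now)
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Return the user for a live token, or None. An expired session is
        deleted on the server, not merely hidden from the client."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            self.invalidate(token)
            return None
        s.last_seen = now
        return s.user

    def rotate(self, old_token: str) -> Optional[str]:
        """Issue a fresh token for the same session after login or a privilege
        change, so a token fixed or captured earlier is worthless."""
        s = self._sessions.pop(old_token, None)
        if s is None:
            return None
        token = self.new_token()
        self._sessions[token] = Session(s.user, s.created, self._clock())
        return token

    def invalidate(self, token: str) -> bool:
        """Logout: the token must die on the backend, not only in the app."""
        return self._sessions.pop(token, None) is not None

    def invalidate_all(self, user: str) -> int:
        """Logout everywhere, e.g. after a password change."""
        doomed = [t for t, s in self._sessions.items() if s.user == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


if __name__ == "__main__":
    store = SessionStore()
    t = store.create("alice")
    t2 = store.rotate(t)
    print(store.resolve(t), store.resolve(t2))   # None alice
    print(store.invalidate(t2), store.resolve(t2))  # True None
```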
Thank You