AppSec Europe 2014

The mobile industry is now booming. According to Apple, the number of iOS apps in App Store reached 1,000,000 as of October 2013. In this highly competitive market, mobile app developers are required to develop a high-value, high-quality and high-performance app with a short time-to-market. Implementing security into earlier phases of such rapid pace agile development life cycle can be considered as one of the key success factors for organizations. 

We believe that adding an automated security measure into the Xcode IDE itself is essential and can help facilitate secure agile development cycles for iOS developers. Therefore, we are implementing our own security features on top of Xcode.

During the coding phase, developers will be able to automatically spot general security issues in iOS apps and thus prevent them from creating those issues. This can also help security testers to conduct white-box security testing in a shorter amount of time. We will also share the difficulties and problems we faced and how we overcame them during our research.

Has Android achieved the impossible? Do intents enable interprocess communications and inter-process collaboration that is actually securable? The answer, as in many platforms, is a definite ‘maybe’. Firstly, intents invite "new" attacks - attacks more traditionally associated with distributed systems - such as spoofing, hijacking, out of order execution and theft of data. Secondly, all is not always as it seems. Like so many things in in life, it is possible to do things right and still get it wrong. Securing intents properly requires a defensive approach of some old techniques plus an added step of validating some assumptions. This talk is aimed mainly at app developers - learn how intents work under the hood, how to secure your intents and how to secure your assumptions to achieve your goal of secure apps. 

Recently, there has been a new addition to the OWASP Mobile Top Ten; a lack of binary protections. At AppSec California, OWASP debuted it and briefly highlighted examples of the threats to mobile devices in this category. In this talk I will discuss the new category in much more depth, exploring reasons why this risk category has now been included in OWASP’s Top Ten Mobile Security Risks.

In 2013, consumers downloaded more than 83 billion applications from app stores worldwide, with revenues totalling $25 billion. According to Portio research, this is expected to grow to over 200 billion downloads per year by 2017. It is clear that the App Economy is not only thriving, but is driving new app-centric products and services across multiple industries and with the continued adoption of mobile computing, the threats to mobile and applications is continuing to grow.

Based on research conducted by Arxan, we found that over half of the top 100 iOS apps had been hacked or tampered with and made available for download on third party app stores. This included 53 percent of Android, and 23 percent of mobile banking and payment applications.

The talk will specifically highlight the risks that a lack of binary protections poses to mobile applications on both iOS and Android platforms. The speaker will discuss how to leverage specific OWASP projects to solve these issues and secure apps from tampering. By the end of the talk, attendees will have a solid understanding of the risks associated with lack of binary protections and how to begin thinking about incorporating app risk mitigation solutions to protect their applications. Risk mitigation approaches discussed will include how to incorporate processes that harden an app against binary-level integrity and reverse-engineering attacks launched at rest and run-time. 

Mobile application hacking and its security is becoming a major concern in today’s world specially with BYOD and user’s jailbreaking/rooting their devices. Scanning and vulnerabilities detections are two major areas for mobile applications in current state. Attacking techniques and exploit delivery on different platform are evolving, protection is even tougher as code base are different. The frequency of release for the mobile application is significantly higher than the web application. It is imperative to scan these applications before loading and launching for different platforms. 

Amongst the mobile attacks described in OWASP Mobile Top 10 project, Local storage being the key attack which affects the security and privacy of the user. Need for an hour is to have automated program to penetrate local storage in most widely used mobile platform (android and iOS). Interestingly, Android SDK provides an API which can be used to monitor file system. On the iOS, one needs to use jailbreak device to attack local storage. Along with presentation, new version of the free tools (Separate for android and iOS) will be released. Android tool uses API to monitor android file system where iOS tool relies on OS features. Methodology to perform application penetration testing using the tools will be demonstrated along with several different demonstrations on attacking local storage for both platforms along with defense strategies.

Mobile development is one of the largest growth areas in all of software. The last decade has seen an explosion of mobile devices, operating systems, development environments, libraries, toolkits and app stores. Organizations are racing to construct mobile applications that harness the power of the mobile paradigm. 

However, like in the early days of web development, security may be being overlooked or under-emphasized. In this talk, we will go through the array of mobile platforms available to developers, and discuss common security concerns that all platforms have in common. The talk will focuses on securing sensitive data on the phone, proper use of encryption, and proper use of TLS, along with several other security areas critical to writing secure mobile applications. A discussion of hybrid web apps, using frameworks like PhoneGap and the security concerns there, will also be discussed in detail. 

Participants will gain an understanding of the key differences between web and mobile security, and learn what they must do to ensure they are architecting and constructing secure mobile applications. 

"Wait, wait! Don't pwn Me!" is a live, security news game show that pits three security experts (Josh Corman, Chris Eng and Space Rogue) against each other in a game of wits. Host Mark Miller, selects topics from the week's security news, posing the news items as limericks, fill-in-the-blank, and audience participation questions. The panel competes against each other, and the audience, for speed and accuracy when answering the questions.

During the AppSec USA 2013 Conference, this was a rollicking, high spirited session, exposing the prevalence of security issues highlighted in the main stream news. It demonstrates how hard it is to keep up to date with security updates, even for the experts. Audience members should come prepared as we test their knowledge against the panel, trying to determine what is real news and what is fake. 

This is a fun filled session where panelists and audience members compete for prizes from the OWASP store. It is sure to put you in a good mood for the rest of the conference.