© 2015 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks
contained herein are the property of their respective owners. Information contained herein is not an offer, commitment, representation or warranty by AT&T and is subject to change. Mention of a specific company or
entity is not an endorsement by AT&T.
Mobile App Security: How Secure is Your App?
Doug Sillars, ARO Technical Lead, AT&T
@Dougsillars
Gain Customers
Keep Them Happy
Receive Payments
If We Forget to Protect Our Customers
• Data breaches happen every day
• Few are publicly announced
• Even so, announcements seem to occur several times a week
Are You Protecting Your Customer’s Data?
http://www.geograph.org.uk/photo/2958201
https://www.flickr.com/photos/emdot/145432
Securing Mobile Apps is Hard
[Bar chart: share of respondents rating mobile app security as Easy, Moderate or Hard; 0% to 90% axis]
http://ibm.co/1EPVh8i
https://www.flickr.com/photos/mscheltgen/219606006
How Do You Test Your App?
http://ibm.co/1EPVh8i
[Bar chart, 0% to 40% axis, of how respondents test their apps. Categories: Proprietary software/…, Open Source…, Cloud Services, Pen testing, Do Not Test…. Values shown: 25%, 14%, 13%, 10%, 38%]
App Security is a Problem
http://ibm.co/1EPVh8i
52% of apps are NOT tested
63% of those tested HAVE issues
What Do We Need to Secure Our App?
• Knowledge
• What are common issues?
• Tooling?
• How do I learn about new vulnerabilities?
What Are Common Issues?
• Giving up too much information
  • Exposing data in logs
  • Not locking down Activities/Intents
• Encryption
  • Network transmissions
  • Local data storage
  • Secure encryption: outdated TLS stacks and protocol versions (Heartbleed, POODLE, etc.)
Third-party SDKs bring all of these issues too!
Giving Up Too Much Information
Exposing Data in Logs
• Logs are not protected
  • Through Ice Cream Sandwich, any app holding READ_LOGS could read every other app's log output (Jelly Bean 4.1 restricted that permission to system apps)
  • On rooted devices, and over adb, logs are readable on any Android version
• Data seen in logs:
  • Lat/Lon
  • Logins/passwords
  • Credit card numbers
  • Passport numbers
Leak of privileged data!
https://www.flickr.com/photos/knowmybackyard/5314941146
Exposing Data in Logs
Example
(18468): Preference updated:com.analytics.MIN_BATCH_INTERVAL
(18468): PushService startService
(18468): *Received GCM Registration ID: <Yes, the GCM Cloud registration ID was here>*
(18468): Saving preference: com.analytics.push.APP_VERSION value: 22
(18468): Adding event: {"data":{"push_enabled":true,"carrier":"AT&T",
"session_id":"240d5059-c976-4fb3-b59d-44553649b08c",
"transport":"GCM","connection_type":"wifi","apid":"xxxxxx-xxxx-xxx-xxxx-xxxxxxxx"},
"type":"push_service_started","event_id":"171da614-50f9-468c-b60a-1a97d39e226c","time":"1424166468"}
This output comes from a 3rd party SDK, not from the app's own code!
Try it on your phone:
adb logcat -v thread
Search for terms like your lat/lon ("48.") or usernames ("dougsillars").
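The search the slide suggests, automated as an added example (this is the editor's code, not part of the deck): a script that reads `adb logcat -d -v thread` output and flags the data types listed on the previous slide. The log lines below are a constructed sample in that format with made-up pids, coordinates, credentials and a test card number; the patterns, the Luhn filter for card candidates and the watch-term idea are the editor's choices, not the author's.

```python
import re
import sys

# Constructed sample in the shape of `adb logcat -v thread` output ("<level>(<pid>:<tid>) <message>").
# Every value here is invented for the example; none of it is a real capture.
SAMPLE_LOGCAT = """\
D(18468:18470) Preference updated:com.analytics.MIN_BATCH_INTERVAL
D(18468:18470) PushService startService
I(18468:18470) Received GCM Registration ID: APA91bExampleRegistrationIdForThisSample0123456789
D(18468:18470) Adding event: {"data":{"push_enabled":true,"carrier":"AT&T","session_id":"240d5059-c976-4fb3-b59d-44553649b08c"}}
V(21002:21002) LocationUpdate lat=47.6694187 lon=-122.1232254
D(21002:21002) login user=dougsillars pass=hunter2
D(21002:21002) checkout card=4111 1111 1111 1111 exp=12/19
I(21002:21002) Rendering list view
"""

# What to look for: the data types the slides list, plus the registration ID from the example above.
PATTERNS = {
    # A decimal with 4+ fractional digits is a GPS fix, not a version number or a percentage.
    "lat_lon": re.compile(r"(?<![\d.])-?\d{1,3}\.\d{4,}"),
    "credential": re.compile(r"\b(?:user(?:name)?|login|pass(?:word)?|pwd)\s*[=:]\s*\S+", re.I),
    # 13-19 digits with optional spaces/dashes; confirmed with a Luhn check below.
    "card_number": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "gcm_registration": re.compile(r"registration id", re.I),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell a card number from any other long run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0


def scan_logcat(text: str, watch_terms=()):
    """Return (line_no, category, value) for every sensitive-looking value in logcat output.
    watch_terms are literal strings you know about your own test data (your username, the
    first digits of your latitude); they catch formats the generic patterns miss."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for cat, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(0).strip()
                if cat == "card_number" and not luhn_ok(re.sub(r"\D", "", value)):
                    continue
                findings.append((n, cat, value))
        for term in watch_terms:
            if term in line:
                findings.append((n, "watch_term", term))
    return findings


if __name__ == "__main__":
    # Live use against a device:  adb logcat -d -v thread | python scan_logcat.py dougsillars 47.
    source = SAMPLE_LOGCAT if sys.stdin.isatty() else sys.stdin.read()
    for n, cat, value in scan_logcat(source, watch_terms=sys.argv[1:]):
        print(f"line {n}: {cat}: {value}")
```

Run it against a release build, not just a debug build, and exercise the login, location and checkout screens while it runs: the leaks in the slide's example came from an SDK that logs regardless of the host app's build type.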
Exposing Data in Logs
Solution
• Strip logging with ProGuard when you perform your final (release) build:
-assumenosideeffects class android.util.Log {
    <methods>;
}
• This rule only takes effect when ProGuard optimization is on: the default proguard-android.txt sets -dontoptimize, so build against proguard-android-optimize.txt (or remove -dontoptimize from your own config). Then run adb logcat against the release APK to confirm the output is really gone.
• Protect your customer's data
Giving Up Too Much Information
Locking Down Activities
• Activities, services, receivers and content providers (the components that receive Intents) should be locked to your application and not be publicly accessible
• A publicly accessible (exported) activity can be started by any other app on the device, without going through your authentication.
You built a fence, but your data can still pass through it.
Locking Down Activities
Example
• Drozer: free/open source penetration testing tool
• PC tool with an agent on the Android device
• https://www.mwrinfosecurity.com/products/drozer/
• Finds potential attack surfaces in your app: run app.package.attacksurface <package> lists the exported activities, services, receivers and content providers
Locking Down Activities
Example
• Sample app Sieve (com.mwr.example.sieve, drozer's deliberately vulnerable password manager): a password manager app with 3 exposed activities, which run app.activity.info -a com.mwr.example.sieve lists as FileSelectActivity, MainLoginActivity and PWList
Locking Down Activities
Example/Solution
• PWList seems interesting… starting it directly (run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList) shows the stored passwords without ever passing the login screen.
Lock down your activities!
AndroidManifest.xml:
android:exported="false"
Leave a component exported only when other apps genuinely need to reach it, and guard it with an android:permission.
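An added example of the check drozer automates, done statically against the manifest (editor's code, not from the deck or from drozer): it applies the export rule Android used before targetSdkVersion 31, lists the components other apps can reach, and applies the slide's fix. The manifest is constructed for a hypothetical com.example.vault app modelled on Sieve; the component names are invented.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed manifest for a Sieve-like password manager (hypothetical package, not Sieve's real manifest).
VULNERABLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vault">
  <application android:allowBackup="true">
    <activity android:name=".MainLoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".PWList" android:exported="true"/>
    <activity android:name=".FileSelectActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".AuthService" android:exported="true"
             android:permission="com.example.vault.USE_AUTH"/>
    <provider android:name=".DBContentProvider"
              android:authorities="com.example.vault.DBContentProvider"
              android:exported="true"/>
  </application>
</manifest>
"""


def attr(element, name):
    """Read an attribute from the android: namespace."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def is_launcher(element):
    """The launcher activity has to be exported; treat it as expected rather than a finding."""
    return any(
        attr(cat, "name") == "android.intent.category.LAUNCHER"
        for f in element.findall("intent-filter")
        for cat in f.findall("category")
    )


def exported_components(manifest_xml):
    """List every component other apps can reach, with the reason it is exported.
    Rule (targetSdkVersion < 31): exported if android:exported="true", or if the attribute
    is absent and the component declares an intent-filter."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    for el in app:
        if el.tag not in COMPONENT_TAGS:
            continue
        exported = attr(el, "exported")
        if exported == "true":
            reason = 'android:exported="true"'
        elif exported is None and el.find("intent-filter") is not None:
            reason = "intent-filter without android:exported (exported by default)"
        else:
            continue  # explicitly false, or no filter: private to the app
        findings.append({
            "kind": el.tag,
            "name": attr(el, "name"),
            "reason": reason,
            "permission": attr(el, "permission"),
            "launcher": is_launcher(el),
        })
    return findings


def unguarded(findings):
    """Exported, no android:permission, not the launcher: what any app on the device can hit."""
    return [f for f in findings if f["permission"] is None and not f["launcher"]]


def lock_down(manifest_xml, keep=()):
    """The slide's fix: android:exported="false" on every component except the launcher
    and the names in `keep` (components other apps genuinely need)."""
    root = ET.fromstring(manifest_xml)
    for el in root.find("application"):
        if el.tag in COMPONENT_TAGS and not is_launcher(el) and attr(el, "name") not in keep:
            el.set(f"{{{ANDROID_NS}}}exported", "false")
    ET.register_namespace("android", ANDROID_NS)
    return ET.tostring(root, encoding="unicode")
```

Note what the fix costs: FileSelectActivity stops receiving VIEW intents from other apps once it is no longer exported, so the audit output is a list to review, not a list to blindly flip. Setting exported="false" on a component with an intent-filter is legal and keeps it reachable from your own app.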
Encryption
Communicating to a Remote Server
OR: Why did the chicken cross the road?
Encryption
Communicating to a Remote Server
• HTTP: not secure. Anyone on the network path (shared Wi-Fi, a proxy, the carrier) can read it with any packet capture tool
• A sports league app seen sending login/password/DOB unencrypted
https://www.flickr.com/photos/compujeramey/244345344/
Encryption
Communicating to a Remote Server
• A 3rd party SDK making an HTTP connection every 15 minutes with the device's Lat/Lon
https://en.wikipedia.org/wiki/Wolf_Chess#/media/File:Grey_wolf_P1130270.jpg
Communicating to a Remote Server
Solution
• HTTPS
• Adequate for almost all traffic (the "99%")
• TLS on port 443 encrypts the data in transit, so passive eavesdropping on the path gets nothing usable
• It only helps if the app verifies the server certificate and hostname: a custom TrustManager or HostnameVerifier that accepts everything gives an active attacker the same view as plain HTTP, and an outdated TLS stack (see Heartbleed, POODLE) undermines the rest
https://www.flickr.com/photos/compujeramey/244345344/
Encryption
Keeping Stored Data Safe
• Android local storage is sandboxed
• Only accessible to the application that owns it
• UNLESS
  • The device is rooted
  • A backup of user data is made
https://pixabay.com/en/garbage-can-dustbin-waste-garbage-231881/
https://www.flickr.com/photos/photocindy/4301171521
https://commons.wikimedia.org/wiki/File:Brown_wood_fence.JPG
Keeping Stored Data Safe
• App sandbox is /data/data/<yourappname>
• Generally secure
• Applications with root access can read or write in your app's sandbox
• Application backups store all app data
No location on the file system is a safe place to hide login data or keys
Keeping Stored Data Safe
Backups
• adb backup -all (writes every backup-enabled app's private data to a .ab file on the PC)
• Android Backup Extractor turns the .ab file into a plain tar archive
• https://github.com/nelenkov/android-backup-extractor
• Opt out with android:allowBackup="false" on <application> in AndroidManifest.xml; otherwise assume anyone with adb access to the device can copy your app's private files
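An added example (editor's code, not the deck's and not Android Backup Extractor's) of why "backup of user data is made" belongs on the threat list: the .ab file that adb backup writes is a four-line header (magic, format version, compressed flag, encryption method) followed, for unencrypted backups, by a zlib-compressed tar, which a few lines of Python can open. The backup bytes are constructed inline for a hypothetical com.example.vault app with a shared_prefs file holding a password.

```python
import io
import tarfile
import zlib


def make_sample_backup():
    """Build a constructed, unencrypted `adb backup` file for this example (not a device dump).
    Layout as written by the backup manager: four header lines, then a zlib stream of a tar archive."""
    prefs = (
        b'<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n'
        b'<map>\n'
        b'  <string name="username">dougsillars</string>\n'
        b'  <string name="password">hunter2</string>\n'
        b'</map>\n'
    )
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        info = tarfile.TarInfo("apps/com.example.vault/sp/login.xml")  # hypothetical package
        info.size = len(prefs)
        tar.addfile(info, io.BytesIO(prefs))
    header = b"ANDROID BACKUP\n1\n1\nnone\n"  # magic, format version, compressed=1, encryption=none
    return header + zlib.compress(tar_buf.getvalue())


def parse_backup(ab):
    """Split the header off an .ab file and return (meta, tar bytes).
    Refuses encrypted backups (made when the user set a backup password) instead of guessing."""
    magic, version, compressed, encryption, body = ab.split(b"\n", 4)
    if magic != b"ANDROID BACKUP":
        raise ValueError("not an Android backup file")
    meta = {"version": int(version), "compressed": compressed == b"1", "encryption": encryption.decode()}
    if meta["encryption"] != "none":
        raise ValueError(f"backup is encrypted with {meta['encryption']}; the backup password is needed")
    return meta, (zlib.decompress(body) if meta["compressed"] else body)


def read_backup_files(ab):
    """Return (meta, {path: bytes}) for every regular file inside the backup."""
    meta, tar_bytes = parse_backup(ab)
    files = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            if member.isfile():
                files[member.name] = tar.extractfile(member).read()
    return meta, files


def find_secrets(files, needles=(b"password", b"token", b"secret")):
    """Paths whose contents mention any needle: the quick triage a tester does on a pulled backup."""
    return sorted(path for path, data in files.items() if any(n in data.lower() for n in needles))


if __name__ == "__main__":
    meta, files = read_backup_files(make_sample_backup())
    print(meta)
    for path in find_secrets(files):
        print(path)
        print(files[path].decode())
```

For a real device the same functions work on the bytes of the file produced by adb backup -all -f backup.ab, as long as no backup password was set; with a password the fourth header line reads AES-256 and the parser stops, which is where Android Backup Extractor's decryption comes in. The fix is upstream of all this: android:allowBackup="false" keeps the app out of the archive entirely.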
Keeping Stored Data Safe
Databases
• SQLite database files in the sandbox are easily readable: pull them with root or from a backup and open them with any SQLite client
• Encrypt sensitive data before you store it
Keeping Stored Data Safe
App Decompilation
• Key stores in the sandbox are not safe
• Key manipulation in app code is not safe either: apps can be decompiled
• Example tools: dex2jar, apktool
App Decompilation
Obfuscation
• Your code can be decompiled.
• Make it harder to read: obfuscation
• ProGuard tooling in Android Studio
NOTE: This will not stop a hacker, but it will slow him/her down
3rd Party SDKs
• Read the Terms and Conditions:
"encrypted values of your email address and phone number. We encrypt such information on your device before collecting it, so we do not ever collect your actual email address or phone number. We will maintain such information in encrypted form and will not attempt to re-identify it."
• Verify the Terms and Conditions. What the SDK actually sent, captured on the wire:
&longitude=-122.1232254&latitude=47.6694187&
<snip>
&email=drstest1%40gmail.com&phonenumber=1425xxxxxxxx
&language=English&country=United+States&zip=98052&
The email address is merely URL-encoded and the phone number is in clear, the opposite of what the terms promise.
Your customer's data MAY be at risk!
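The "verify the terms" step as an added example (editor's code, not part of the deck): parse the captured form body and check each field for the shape of the data the SDK promised not to send. The query strings are constructed to match the capture above, with the phone number made up, a hypothetical device_id field added to show what an opaque value looks like, and a second query showing what a compliant SDK would have sent.

```python
import hashlib
import re
from urllib.parse import parse_qsl

# Constructed request body in the shape of the capture above (real values replaced, phone number invented).
CAPTURED_QUERY = (
    "longitude=-122.1232254&latitude=47.6694187&sdk_version=3.2.1"
    "&email=drstest1%40gmail.com&phonenumber=14255550123"
    "&language=English&country=United+States&zip=98052"
    "&device_id=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
)

# The same request as a compliant SDK would send it: a digest of the address, no phone, no location.
COMPLIANT_QUERY = "email=" + hashlib.sha256(b"drstest1@gmail.com").hexdigest() + "&language=English"

EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
PHONE = re.compile(r"^\+?\d{10,15}$")
COORD = re.compile(r"^-?\d{1,3}\.\d{4,}$")
HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
# Field names that carry personal data whatever the value happens to look like.
PII_FIELDS = {"email", "phone", "phonenumber", "latitude", "longitude", "zip"}


def classify(value):
    """Does the value look like personal data in clear, or like an opaque digest/ciphertext?"""
    if EMAIL.match(value):
        return "plaintext email"
    if PHONE.match(value):
        return "plaintext phone"
    if COORD.match(value):
        return "plaintext coordinate"
    if HEX_DIGEST.match(value):
        return "opaque (hex digest)"
    return "other"


def verify_claim(query):
    """Return (field, verdict) for every parameter that contradicts a "we encrypt it on the
    device" claim: values that are recognisably personal data, or PII-named fields whose
    value is not opaque. An empty list means the traffic matches the claim."""
    leaks = []
    for field, value in parse_qsl(query, keep_blank_values=True):
        verdict = classify(value)
        if verdict.startswith("opaque"):
            continue
        if verdict != "other":
            leaks.append((field, verdict))
        elif field.lower() in PII_FIELDS:
            leaks.append((field, "plaintext (by field name)"))
    return leaks


if __name__ == "__main__":
    for field, verdict in verify_claim(CAPTURED_QUERY):
        print(f"{field}: {verdict}")
```

Two caveats on reading the result. The check only tells you whether the SDK does what its terms say; a SHA-256 of an email address passes as "opaque" here but is reversible by anyone with a list of addresses, so a digest is not the encryption the terms describe. And the capture has to come from the device's real traffic (a proxy or packet capture on the test phone), since the SDK's own logs will not tell you.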
Data Loss and Testing Schedules
No matter how safe your coop is, if the hens are escaping…
[Diagram: Coop, Run, Barn, Goat field]
Commonly Collected Customer Data
• Usernames/passwords
• Location
• Contacts
• Read phone logs
• Read SMS
• Biometrics: step counts/heart rate
• Use camera/microphone
• Photo gallery
Security Testing
Test Early – And Often
http://ibm.co/1EPVh8i
Protect Your Customers
You Will Be Rewarded
http://bit.ly/HighPerfAndroidApps
Q&A
http://developer.att.com/application-resource-optimizer
http://bit.ly/HighPerfAndroidApps
Thank You

Webinar: How AT&T is Using Tin Can to Enhance Compliance Training 8/27/14
 
The CEO’s Guide to Cyberbreach Response
The CEO’s Guide to Cyberbreach ResponseThe CEO’s Guide to Cyberbreach Response
The CEO’s Guide to Cyberbreach Response
 
truxtun banta
truxtun bantatruxtun banta
truxtun banta
 
Mobile Portfolio of Cole's Experience with AT&T Teams
Mobile Portfolio of Cole's Experience with AT&T TeamsMobile Portfolio of Cole's Experience with AT&T Teams
Mobile Portfolio of Cole's Experience with AT&T Teams
 
AWS re:Invent 2016: Cloud agility and faster connectivity with AT&T NetBond a...
AWS re:Invent 2016: Cloud agility and faster connectivity with AT&T NetBond a...AWS re:Invent 2016: Cloud agility and faster connectivity with AT&T NetBond a...
AWS re:Invent 2016: Cloud agility and faster connectivity with AT&T NetBond a...
 
June 27 top_10_techtrends_dcearley_176465
June 27 top_10_techtrends_dcearley_176465June 27 top_10_techtrends_dcearley_176465
June 27 top_10_techtrends_dcearley_176465
 
TAG IoT Summit - Why You Need a Strategy for the Internet of Things
TAG IoT Summit - Why You Need a Strategy for the Internet of ThingsTAG IoT Summit - Why You Need a Strategy for the Internet of Things
TAG IoT Summit - Why You Need a Strategy for the Internet of Things
 
Day1 Ed Davalos AT&T Smart Cities
Day1 Ed Davalos AT&T Smart CitiesDay1 Ed Davalos AT&T Smart Cities
Day1 Ed Davalos AT&T Smart Cities
 

Plus de Doug Sillars

Fastandbeautiful belfast
Fastandbeautiful belfastFastandbeautiful belfast
Fastandbeautiful belfastDoug Sillars
 
Fastandbeautiful gdg sacremento
Fastandbeautiful gdg sacrementoFastandbeautiful gdg sacremento
Fastandbeautiful gdg sacrementoDoug Sillars
 
Fastandbeautiful gd glittlerock
Fastandbeautiful gd glittlerockFastandbeautiful gd glittlerock
Fastandbeautiful gd glittlerockDoug Sillars
 
Fastandbeautiful webinale
Fastandbeautiful webinaleFastandbeautiful webinale
Fastandbeautiful webinaleDoug Sillars
 
Ai powered images-pythonljubjana
Ai powered images-pythonljubjanaAi powered images-pythonljubjana
Ai powered images-pythonljubjanaDoug Sillars
 
Fastandbeautiful zagrebtechsauna
Fastandbeautiful zagrebtechsaunaFastandbeautiful zagrebtechsauna
Fastandbeautiful zagrebtechsaunaDoug Sillars
 
Ai powered images-gdgtirana
Ai powered images-gdgtiranaAi powered images-gdgtirana
Ai powered images-gdgtiranaDoug Sillars
 
A rt gallery pantalks
A rt gallery pantalksA rt gallery pantalks
A rt gallery pantalksDoug Sillars
 
Ai powered images-sarajevo
Ai powered images-sarajevoAi powered images-sarajevo
Ai powered images-sarajevoDoug Sillars
 
A rt gallery hub387
A rt gallery hub387A rt gallery hub387
A rt gallery hub387Doug Sillars
 
Ai powered images-zurichpydata
Ai powered images-zurichpydataAi powered images-zurichpydata
Ai powered images-zurichpydataDoug Sillars
 
Fastandbeautiful vienna
Fastandbeautiful viennaFastandbeautiful vienna
Fastandbeautiful viennaDoug Sillars
 
Ai powered images-opieaivienna
Ai powered images-opieaiviennaAi powered images-opieaivienna
Ai powered images-opieaiviennaDoug Sillars
 
A rt gallery devfestlondon
A rt gallery devfestlondonA rt gallery devfestlondon
A rt gallery devfestlondonDoug Sillars
 
Fastandbeautiful devfest london
Fastandbeautiful devfest londonFastandbeautiful devfest london
Fastandbeautiful devfest londonDoug Sillars
 
A rt gallery cardiff
A rt gallery cardiffA rt gallery cardiff
A rt gallery cardiffDoug Sillars
 
Ai powered images-mobileera
Ai powered images-mobileeraAi powered images-mobileera
Ai powered images-mobileeraDoug Sillars
 
Fastandbeautiful oredev
Fastandbeautiful oredevFastandbeautiful oredev
Fastandbeautiful oredevDoug Sillars
 

Plus de Doug Sillars (20)

Fastandbeautiful belfast
Fastandbeautiful belfastFastandbeautiful belfast
Fastandbeautiful belfast
 
Fastandbeautiful gdg sacremento
Fastandbeautiful gdg sacrementoFastandbeautiful gdg sacremento
Fastandbeautiful gdg sacremento
 
Fastandbeautiful gd glittlerock
Fastandbeautiful gd glittlerockFastandbeautiful gd glittlerock
Fastandbeautiful gd glittlerock
 
Fastandbeautiful webinale
Fastandbeautiful webinaleFastandbeautiful webinale
Fastandbeautiful webinale
 
Ai powered images-pythonljubjana
Ai powered images-pythonljubjanaAi powered images-pythonljubjana
Ai powered images-pythonljubjana
 
Fastandbeautiful zagrebtechsauna
Fastandbeautiful zagrebtechsaunaFastandbeautiful zagrebtechsauna
Fastandbeautiful zagrebtechsauna
 
Video js zagreb
Video js zagrebVideo js zagreb
Video js zagreb
 
Vkmdp cologne
Vkmdp cologneVkmdp cologne
Vkmdp cologne
 
Ai powered images-gdgtirana
Ai powered images-gdgtiranaAi powered images-gdgtirana
Ai powered images-gdgtirana
 
A rt gallery pantalks
A rt gallery pantalksA rt gallery pantalks
A rt gallery pantalks
 
Ai powered images-sarajevo
Ai powered images-sarajevoAi powered images-sarajevo
Ai powered images-sarajevo
 
A rt gallery hub387
A rt gallery hub387A rt gallery hub387
A rt gallery hub387
 
Ai powered images-zurichpydata
Ai powered images-zurichpydataAi powered images-zurichpydata
Ai powered images-zurichpydata
 
Fastandbeautiful vienna
Fastandbeautiful viennaFastandbeautiful vienna
Fastandbeautiful vienna
 
Ai powered images-opieaivienna
Ai powered images-opieaiviennaAi powered images-opieaivienna
Ai powered images-opieaivienna
 
A rt gallery devfestlondon
A rt gallery devfestlondonA rt gallery devfestlondon
A rt gallery devfestlondon
 
Fastandbeautiful devfest london
Fastandbeautiful devfest londonFastandbeautiful devfest london
Fastandbeautiful devfest london
 
A rt gallery cardiff
A rt gallery cardiffA rt gallery cardiff
A rt gallery cardiff
 
Ai powered images-mobileera
Ai powered images-mobileeraAi powered images-mobileera
Ai powered images-mobileera
 
Fastandbeautiful oredev
Fastandbeautiful oredevFastandbeautiful oredev
Fastandbeautiful oredev
 

Dernier

BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,Pooja Nehwal
 
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost LoverPowerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost LoverPsychicRuben LoveSpells
 
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRFULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRnishacall1
 
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun serviceCALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun serviceanilsa9823
 
9892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x79892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x7Pooja Nehwal
 
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual serviceanilsa9823
 

Dernier (7)

BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
 
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
 
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost LoverPowerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
 
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRFULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
 
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun serviceCALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
 
9892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x79892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x7
 
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
 

Mobile App Security: How Secure is your Mobile App

  • 1. © 2015 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. Information contained herein is not an offer, commitment, representation or warranty by AT&T and is subject to change. Mention of a specific company or entity is not an endorsement by AT&T. Doug Sillars Mobile App Security: How Secure is Your App? ARO Technical Lead @Dougsillars
  • 2. Gain Customers
  • 3. Keep Them Happy
  • 4. Receive Payments
  • 5. If We Forget to Protect Our Customers
    • Data breaches happen every day
    • Few are publicly announced
    • Announcements seem to occur several times a week
  • 6. Are You Protecting Your Customer’s Data? http://www.geograph.org.uk/photo/2958201 https://www.flickr.com/photos/emdot/145432
  • 7. Securing Mobile Apps is Hard [chart: share of respondents rating it Easy / Moderate / Hard, 0% to 90% scale] http://ibm.co/1EPVh8i https://www.flickr.com/photos/mscheltgen/219606006
  • 8. How Do You Test Your App? http://ibm.co/1EPVh8i
    • Proprietary software/… 25%
    • Open Source… 14%
    • Cloud Services 13%
    • Pen testing 10%
    • Do Not Test… 38%
  • 9. App Security is a Problem http://ibm.co/1EPVh8i
    • 52% of apps are NOT tested
    • 63% of those tested HAVE issues
  • 10. What Do We Need to Secure Our App?
    • Knowledge
    • What are common issues?
    • Tooling?
    • How do I learn about new vulnerabilities?
  • 11. What Are Common Issues? (3rd Party SDKs too!)
    • Giving up too much information
      • Exposing data in logs
      • Not locking down Activities/Intents
    • Encryption
      • Network transmissions
      • Local data storage
    • Secure encryption
      • Heartbleed
      • POODLE
      • Etc….
  • 12. Giving Up Too Much Information: Exposing Data in Logs https://www.flickr.com/photos/knowmybackyard/5314941146
    • Logs are not protected
      • Ice Cream Sandwich
      • Rooted devices
    • Data seen in logs:
      • Lat/Lon
      • Logins/passwords
      • Credit card numbers
      • Passport numbers
    • Leak of privileged data!
  • 13. Exposing Data in Logs: Example (3rd Party SDK!)
    (18468): Preference updated:com.analytics.MIN_BATCH_INTERVAL
    (18468): PushService startService
    (18468): *Received GCM Registration ID: <Yes, the GCM Cloud registration ID was here>*
    (18468): Saving preference: com.analytics.push.APP_VERSION value: 22
    (18468): Adding event: {"data":{"push_enabled":true,"carrier":"AT&T","session_id":"240d5059-c976-4fb3-b59d-44553649b08c","transport":"GCM","connection_type":"wifi","apid":"xxxxxx-xxxx-xxx-xxxx-xxxxxxxx"},"type":"push_service_started","event_id":"171da614-50f9-468c-b60a-1a97d39e226c","time":"1424166468"}
    Try it on your phone: run adb logcat -v thread and search for terms like your lat/lon (“48.”) or usernames: “dougsillars”
  • 14. Exposing Data in Logs: Solution
    • Ensure that you remove logging in ProGuard when you perform your final build:
      -assumenosideeffects class android.util.Log { <methods>; }
    • Protect your customer’s data
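The slide's advice is to run adb logcat and grep for your own coordinates or username. The following is an added example (not code from the slides) that automates that check from the tester's side: it scans logcat output for coordinate pairs, credential assignments, card-number-shaped digit runs that pass the Luhn check, and any terms the tester knows about themselves. The log lines, username and card number are constructed samples, not a real capture.

```python
"""Scan logcat output for values an app (or a bundled SDK) should never write.
Added example; the log lines and user values below are constructed."""
import re

# Constructed sample of `adb logcat -v thread` output (not a real capture).
SAMPLE_LOGCAT = """\
I( 1234: 1234) AnalyticsSdk: Saving preference: com.example.push.APP_VERSION value: 22
D( 1234: 1250) LocationHelper: fix lat=48.12345 lon=-122.33456 acc=12.0
D( 1234: 1234) LoginActivity: POST /login user=dougsillars password=hunter2
I( 1234: 1260) PaymentSdk: charging card 4539578763621486 exp 01/27
I( 1234: 1234) MainActivity: onResume
"""

# What the tester knows about their own test identity, searched for verbatim
# (the slide suggests grepping for your lat/lon prefix or username).
KNOWN_TERMS = ("dougsillars", "48.")

PATTERNS = {
    "lat_lon": re.compile(
        r"\b(?:lat|latitude|lon|longitude)\s*[=:]\s*-?\d{1,3}\.\d{3,}", re.I),
    "credential": re.compile(r"\b(?:password|passwd|pwd|token)\s*[=:]\s*\S+", re.I),
    "card_number": re.compile(r"\b\d{13,19}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which every valid payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_logcat(text: str, known_terms=KNOWN_TERMS) -> list:
    """Return (line_no, category, matched_text) for every sensitive hit."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for cat, rx in PATTERNS.items():
            for m in rx.finditer(line):
                if cat == "card_number" and not luhn_ok(m.group(0)):
                    continue    # long digit runs that fail Luhn are ids, not cards
                findings.append((n, cat, m.group(0)))
        for term in known_terms:
            if term in line:
                findings.append((n, "known_term", term))
    return findings


if __name__ == "__main__":
    for line_no, category, text in scan_logcat(SAMPLE_LOGCAT):
        print(f"line {line_no}: {category}: {text}")
```

Run it against a saved `adb logcat -v thread` capture taken while exercising login, location and payment flows on a test device; any hit is a log statement (yours or a third-party SDK's) that the ProGuard rule on the next slide should strip from release builds.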
  • 15. Giving Up Too Much Information: Locking Down Activities
    • Activities, processes and Intents should be locked to your application, and not publicly accessible
    • Publicly accessible activities can be accessed without authentication. You built a fence, but your data can still pass through it.
  • 16. Locking Down Activities: Example
    • Drozer: free/open source penetration testing tool
    • PC tool with agent on Android device
    • https://www.mwrinfosecurity.com/products/drozer/
    • Finds potential attack surfaces in your app
  • 17. Locking Down Activities: Example
    • Sample app Sieve: password manager app with 3 exposed activities
  • 18. Locking Down Activities: Example
    • Sample app Sieve: password manager app with 3 exposed activities
  • 19. Locking Down Activities: Example/Solution
    • PWList seems interesting…
    • Lock down your activities! AndroidManifest.xml: android:exported="false"
  • 20. Encryption: Communicating to a Remote Server. OR: Why did the chicken cross the road?
  • 21. Encryption: Communicating to a Remote Server https://www.flickr.com/photos/compujeramey/244345344/
    • HTTP: not secure. Any eavesdropping tool can read it
    • Sports league sending login/password/DOB unencrypted
  • 22. Encryption: Communicating to a Remote Server https://en.wikipedia.org/wiki/Wolf_Chess#/media/File:Grey_wolf_P1130270.jpg
    • HTTP connection every 15 minutes with Lat/Lon (3rd Party SDK)
  • 23. Communicating to a Remote Server: Solution https://www.flickr.com/photos/compujeramey/244345344/
    • HTTPS
    • Secure for 99% of activities
    • Port 443: data encrypted from basic infiltration
  • 24. Encryption: Keeping Stored Data Safe https://pixabay.com/en/garbage-can-dustbin-waste-garbage-231881/ https://www.flickr.com/photos/photocindy/4301171521 https://commons.wikimedia.org/wiki/File:Brown_wood_fence.JPG
    • Android local storage is sandboxed
    • Only accessible to the application for use
    • UNLESS
      • Device is rooted
      • Backup of user data is made
  • 25. Keeping Stored Data Safe
    • App sandbox is /data/data/<yourappname>
    • Generally secure
    • Applications with root access can read or write in your app’s sandbox
    • Application backups store all app data
    • No file system is 100% safe for hiding login data/keys
  • 26. Keeping Stored Data Safe: Backups
    • adb backup -all
    • Android Backup Extractor: https://github.com/nelenkov/android-backup-extractor
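Both of the manifest-level problems above, components left reachable from other apps (slides 15 to 19) and app data ending up in `adb backup` archives (slides 24 to 26), are decided by attributes in AndroidManifest.xml, so one audit can catch both before release. The following is an added example, not code from the slides and not Sieve's real manifest: it parses a constructed manifest for a password-manager app with hypothetical component names, reports components that are exported (explicitly, or implicitly through an intent-filter under the pre-Android-12 default) without an `android:permission` guard, and reports when `android:allowBackup` is not explicitly `false`. The launcher activity is skipped because it has to be exported.

```python
"""Audit an AndroidManifest.xml for externally reachable components and for the
backup setting. Added example; the manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(name):
    """Qualified attribute name in the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed manifest with hypothetical component names (not Sieve's).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.passwordmanager">
  <application android:label="PwManager">
    <activity android:name=".MainLoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".PWListActivity" android:exported="true"/>
    <activity android:name=".FileSelectActivity" android:exported="true"/>
    <activity android:name=".AddEntryActivity"/>
    <service android:name=".AuthService" android:exported="true"
             android:permission="com.example.passwordmanager.USE_AUTH"/>
    <provider android:name=".DBContentProvider"
              android:authorities="com.example.passwordmanager.db"
              android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def is_launcher(elem):
    """True for the MAIN/LAUNCHER activity, which must stay exported."""
    for f in elem.findall("intent-filter"):
        actions = {x.get(a("name")) for x in f.findall("action")}
        cats = {x.get(a("name")) for x in f.findall("category")}
        if "android.intent.action.MAIN" in actions and \
                "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def is_exported(elem):
    """android:exported="true", or unset with an intent-filter present
    (the pre-Android-12 default that makes a component implicitly public)."""
    val = elem.get(a("exported"))
    if val is not None:
        return val.lower() == "true"
    return elem.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return (kind, tag, detail) findings: 'backup' or 'exported'."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    # Unless allowBackup is explicitly false, `adb backup` can pull the
    # whole /data/data/<package> sandbox into an archive.
    if (app.get(a("allowBackup")) or "true").lower() != "false":
        findings.append(("backup", "application", "android:allowBackup not false"))
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            if not is_exported(comp) or is_launcher(comp):
                continue
            if comp.get(a("permission")):
                continue            # exported but guarded by a permission
            findings.append(("exported", tag, comp.get(a("name"))))
    return findings


def exposed_components(xml_text):
    """Just the names of unguarded exported components."""
    return [detail for kind, _tag, detail in audit_manifest(xml_text)
            if kind == "exported"]


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

Setting `android:exported="false"` on the flagged activities and provider and `android:allowBackup="false"` on the application element brings the audit to an empty result, which is the condition worth enforcing in CI before a build is signed.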
  • 27. Keeping Stored Data Safe: Databases
    • SQLite database
    • Easily readable
    • Encrypt sensitive data
    • No file system is 100% safe for hiding login data/keys
  • 28. Keeping Stored Data Safe: App Decompilation
    • Key stores in the sandbox are not safe
    • Key manipulation in apps is not safe: apps can be decompiled
    • Example tools: Dex2jar, APKtool
  • 29. App Decompilation: Obfuscation
    • Your code can be decompiled.
    • Make it harder to read: obfuscation
    • ProGuard tools in Android Studio
    • NOTE: This will not stop a hacker, but you will slow him/her down
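Since dex2jar and apktool hand a reader the app's string constants whether or not the code is obfuscated, a release check that looks for hard-coded keys in the decompiled output catches the problem the slides describe before an attacker does. The following is an added example, not code from the slides: it scans constructed lines in the shape a decompiler emits (hypothetical app code) for string literals assigned to key/secret/token/password/IV-named fields and uses Shannon entropy to separate random-looking keys from ordinary words.

```python
"""Pre-release check: find hard-coded keys that a decompiler (dex2jar, apktool)
would expose. Added example; the decompiled lines are constructed."""
import math
import re

# Constructed lines as a decompiler might emit them (hypothetical app code).
SAMPLE_DECOMPILED = """\
public static final String API_URL = "https://api.example.com/v1/";
private static final String API_KEY = "k8Qz3vXj9pLm2nRt7yWb4cHd6fGs1aEu";
private static final byte[] IV = "0123456789abcdef".getBytes();
static final String AES_KEY = "7f3a9c2e1b8d4f6a0e5c3b7d9a1f2e4c";
Log.d("Net", "request sent");
String label = "Settings";
"""

# identifier containing a secret-ish word, assigned a string literal of 8+ chars
ASSIGN = re.compile(
    r'(\w*(?:key|secret|token|password|iv)\w*)\s*=\s*"([^"]{8,})"', re.I)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random keys score high, words score low."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_secrets(source: str, min_entropy: float = 3.0) -> list:
    """Return (line_no, identifier, entropy) for every secret-looking literal."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        for m in ASSIGN.finditer(line):
            ident, literal = m.group(1), m.group(2)
            ent = shannon_entropy(literal)
            if ent >= min_entropy:
                hits.append((n, ident, round(ent, 2)))
    return hits


if __name__ == "__main__":
    for line_no, ident, ent in find_hardcoded_secrets(SAMPLE_DECOMPILED):
        print(f"line {line_no}: {ident} looks like an embedded secret (entropy {ent})")
```

Run it over the output of a decompile of your own release APK; every hit is a value the slides say cannot be protected by obfuscation, so it should move out of the binary (derived per user or fetched after authentication) rather than be renamed.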
  • 30. 3rd Party SDKs
    • Read the Terms and Conditions: “encrypted values of your email address and phone number. We encrypt such information on your device before collecting it, so we do not ever collect your actual email address or phone number. We will maintain such information in encrypted form and will not attempt to re-identify it.”
    • Verify the Terms and Conditions: &longitude=-122.1232254&latitude=47.6694187& <snip> &email=drstest1%40gmail.com&phonenumber=1425xxxxxxxx&language=English&country=United+States&zip=98052&
    • Your customer’s data MAY be at risk!
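The slide's point is that an SDK's privacy claim is a testable statement: if the vendor says email and phone leave the device only in encrypted form, a capture of the SDK's traffic from a test device should never contain the tester's actual email or phone. The following is an added example, not code from the slides: it decodes a constructed request body (a different test account from the slide's capture) and compares each field the Terms and Conditions claim to protect against the identity entered on the test device, and separately flags location fields.

```python
"""Check a captured SDK request against what its Terms and Conditions claim.
Added example; the request body and test identity are constructed."""
from urllib.parse import parse_qs

# Fields the vendor's T&C say leave the device only in encrypted/hashed form.
CLAIMED_PROTECTED = {"email", "phonenumber"}

# The tester's own identity, entered into the app on a test device (constructed).
TEST_IDENTITY = {"email": "drstest1@example.com", "phonenumber": "14255550100"}

# Constructed body of one SDK request as recorded by an intercepting proxy.
CAPTURED_BODY = (
    "sdk=analytics&ver=3.2&longitude=-122.1232254&latitude=47.6694187"
    "&email=drstest1%40example.com&phonenumber=14255550100"
    "&language=English&country=United+States&zip=98052"
)

LOCATION_FIELDS = {"latitude", "longitude", "lat", "lon", "zip"}


def verify_claims(body, claimed_protected=CLAIMED_PROTECTED, identity=TEST_IDENTITY):
    """Return (field, problem) pairs where the capture contradicts the claim
    or carries location data."""
    params = parse_qs(body, keep_blank_values=True)   # also URL-decodes %40 etc.
    problems = []
    for field in sorted(claimed_protected):
        for value in params.get(field, []):
            if value == identity.get(field):
                problems.append((field, "sent in plaintext despite T&C claim"))
    for field in sorted(set(params) & LOCATION_FIELDS):
        problems.append((field, "location data transmitted"))
    return problems


if __name__ == "__main__":
    for field, problem in verify_claims(CAPTURED_BODY):
        print(f"{field}: {problem}")
```

A hashed or encrypted value would not equal the plaintext identity, so the first loop stays silent for an SDK that does what its terms say; a match means the claim is false for that field and the SDK should be removed or the vendor challenged before shipping.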
  • 31. © 2015 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. Information contained herein is not an offer, commitment, representation or warranty by AT&T and is subject to change. Mention of a specific company or entity is not an endorsement by AT&T. Data Loss and Testing Schedules No Matter how safe your Coop is – if the hens are escaping… Coop Run Barn Goat field
  • 32. Commonly Collected Customer Data
    • Usernames/passwords
    • Location
    • Contacts
    • Read phone logs
    • Read SMS
    • Biometrics: step counts/heart rate
    • Use camera/microphone
    • Photo gallery
  • 33–35. Security Testing: Test Early – And Often http://ibm.co/1EPVh8i
  • 36. Protect Your Customers
  • 37. You Will Be Rewarded
  • 38. http://bit.ly/HighPerfAndroidApps
  • 39. Q&A http://developer.att.com/application-resource-optimizer http://bit.ly/HighPerfAndroidApps
  • 40. Thank You

Editor's notes

  1. TK: Hi Everyone and Thank you for joining us. Today we’re going to be talking about App Performance, specifically we’ll be looking at real examples of mistakes that some of the top apps make, so that you can avoid them. We’ll also give you a simple testing plan to improve your own app, before the app store reviews get ahold of them.
  2. http://www.geograph.org.uk/photo/2958201 https://www.flickr.com/photos/emdot/145432
  3–12. Travel app revealed passport numbers in the log file
  13. DS