How to Test Security and Vulnerability of Your Android and iOS Apps
4 December 2013

Ville-Veikko Helppi, Technical Product Manager, ville-veikko.helppi@bitbar.com
Antti Häyrynen, Security Specialist, antti.hayrynen@codenomicon.com
webinar

Agenda
• Mobile Apps & Third-Party Components
• Security, Open Source and Licenses on Different Mobile Subverticals
• Is Your Mobile App Safe?
• Testdroid Update
• Demonstration
• Q&A

© Copyrights by Bitbar Technologies Ltd. 2013
All rights reserved.

2
Security Testing for Mobile Apps
• How do you test something you don’t even know exists?
• Security testing doesn’t replace white/black box testing but can complement it very well
• e.g. Android protects:
  • User data
  • System resources
  • Application isolation
• Security at the OS level


Hot debate about Android security
• Open Platform – All source code available
• Linux security (e.g. users, process isolation, IPC)
• Filesystem permissions
• Cryptography (API)
• Memory management
• Android 1.5 -> 4.2
• Application security
• Android has defenses to protect itself – not data!
Mobile Apps & Open Source Components


Mobile Apps & Third-Party Components
• The majority of today’s applications consist largely of third-party code/libraries and application-specific glue to hold everything together
• This is a prudent and well-accepted development practice that offloads the task of developing code for non-core functions of the application
• Each piece of third-party code has an associated license whose terms can affect the distribution and licensing of your application

Mobile Apps & Third-Party Components
• Identifying 3rd party code, its vulnerabilities and its licenses is critical in order to understand your security exposure and your liability:
  • Know the 3rd party components/libs used in your app
  • Identify the binding software licenses for 3rd party code
  • Identify vulnerabilities in 3rd party components that could be security risks in your application (and to its users)
  • 3rd party components evolve and change – it’s important to know what is new and what makes your app vulnerable
  • An instant way of checking any app (Android & iOS) will enable you to focus on your core activities
Apps for Mobile Subverticals
Subverticals: Games; Utilities & Tools; Video Streaming & Multimedia; Banking & Payment; Retail & Travel

• Testdroid has helped thousands of app developers in these subverticals!
• What are the critical elements in each of these verticals?
• How are the security requirements different in each subvertical?


Apps for Mobile Subverticals: Games
• Top Requirements
  – User Experience!
  – Resource consumption & validation (CPU, Mem…)
  – Fully utilizing hardware – e.g. touch screen
  – Access to graphics APIs (e.g. OpenGL ES)
• Open source license

Apps for Mobile Subverticals: Utilities & Tools
• Top Requirements
  – Usability!
  – Functional and behavioral testing
  – Metrics analysis for all captured data (e.g. logs, screenshots, perf stats)
  – Relation to other apps
• Open source license

Apps for Mobile Subverticals: Video Streaming & Multimedia
• Top Requirements
  – Performance!
  – Connectivity, robustness and durability
  – Screen orientation (portrait vs. landscape)
  – Graphics quality, streaming capabilities
  – User profiles
• Security & Vulnerability

Apps for Mobile Subverticals: Banking & Payment
• Top Requirements
  – Security!
  – Secure connectivity with back-end systems
  – Top quality – an extremely brand-sensitive vertical
  – Compliance and verification between real devices and infrastructure
• Security is the no. 1 thing

Apps for Mobile Subverticals: Retail & Travel
• Top Requirements
  – Data!
  – Connectivity and data connection with back-ends
  – Configurability of the app
  – Bad quality WILL hurt the brand and make customers leave your app
• Security, Licenses
Is your mobile app safe?
Codenomicon AppCheck
Mobile software
• Software development is increasingly shifting into mobile
• Android and iOS are the dominant platforms, followed by WP and Qt
  – All different, even at the level of preferred programming language
• Volumes larger than traditionally, average revenue per user much lower

Mobile software paradigm
• Traditionally software opens files and handles them.
  – Only Android supports this properly, via registering as a content handler
• The modern way is to have a client / server architecture
  – The mobile device is a client. The payload is usually JSON, protobuf, XML or media.
Traditional Threats
• Opening a malicious file / content (via email, web etc.) that contains an exploit -> target compromised.
• In Android, content handlers can have these issues.
  – The platform somewhat limits what the attacker can do unless privilege escalation is possible.
  – For example PDF readers, video players etc.

Modern threats
• In the modern app paradigm, the mobile client “enriches” content from a pre-defined server
  – Usually SSL protected
  – Certificate checks?
    • Cert pinning?
• Attacks are somewhat limited to either
  – Man in the middle
  – Injecting malice via the server
iOS apps
• iOS apps are Mach-O binaries usually written in Objective-C
• Packaging follows the common paradigm – manifest, code and resources inside a zip
• Inside the device the executable code is usually encrypted, but it is in the clear before being blessed by Apple.
  – Can be decrypted on jailbroken devices.
• Allows mixing C into apps -> common OSS libs can be used.

Anatomy of an Android app
• The simplest form: a simple Java application.
  – Manifest, .dex, resource files
• The manifest has metadata (app name, permissions, content handler registrations etc.)
• DEX contains Java byte code
  – With or without ProGuard obfuscation.
• Resource files contain images etc.
• Optionally native code (usually just ARM) in lib/
Native code
• Sometimes Java is not enough.
  – ~15% of Android apps contain native code
    • .so files in lib/
  – Among popular apps, the share is much higher
• If the native code processes untrusted data, it’s outside Dalvik supervision.
  – Can corrupt memory and contain exploitable bugs.

Third party code
• The modern world contains plenty of ready components, either open source or licensable.
• People use them to
  – Avoid re-inventing the wheel
  – Save time and costs
  – Create better software – many of those components are actually great at what they do.
• Apps that use them inherit the bugs they have.
• Since there’s no “package management” in Android like in Linux distros, apps bundle third party code with them.
  – Fixing 3rd party bugs requires action from the app vendor

Third party code in Android apps
• There are different types of 3rd party libs popular in Android, for example
  – Ad networks
  – Protocol clients
  – Content decoders/encoders
  – Shiny UI widgets
  – Cross-platform app frameworks
  – Most of the Java 3rd party libs are usable in Android
• Either Java or native
Introducing Appcheck
• Codenomicon Appcheck makes it easy and fast to increase your application security
• Integrated into Testdroid
• Works on binaries, no source code necessary.
• The main idea is to look for third party code in apps and categorize it.
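The slides describe scanning an app binary for bundled third-party code (the lib/ native libraries and DEX files of an APK) and categorizing what is found by component and license. The example below is added here and is not Appcheck's or Testdroid's code: it opens an APK as the zip it is, inventories manifest, DEX and native libraries per ABI, and matches library names against a small constructed catalogue (KNOWN_NATIVE and COPYLEFT are assumptions for illustration; a real scanner fingerprints code and matches against a vulnerability feed such as NVD rather than trusting file names).

```python
"""Inventory third-party components bundled in an Android APK (added example)."""
import io
import re
import zipfile

# Constructed catalogue for this example: file-name pattern -> (component, license).
# Name matching is only a first approximation; it misses renamed or statically
# linked components, which is why binary scanners fingerprint code instead.
KNOWN_NATIVE = {
    r"^libcrypto": ("OpenSSL libcrypto", "OpenSSL"),
    r"^libssl": ("OpenSSL libssl", "OpenSSL"),
    r"^libffmpeg|^libavcodec": ("FFmpeg", "LGPL-2.1+ / GPL"),
    r"^libsqlite": ("SQLite", "Public domain"),
}
# License tags that carry source-distribution obligations when bundled into one .so.
COPYLEFT = ("GPL", "LGPL")


def inventory_apk(apk_bytes: bytes) -> dict:
    """Return manifest presence, DEX files, native libs per ABI, and matched components."""
    result = {"manifest": False, "dex": [], "native": {}, "components": [], "copyleft": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            if name == "AndroidManifest.xml":
                result["manifest"] = True
            elif re.fullmatch(r"classes\d*\.dex", name):
                result["dex"].append(name)
            elif len(parts) == 3 and parts[0] == "lib" and name.endswith(".so"):
                # Layout is lib/<abi>/<library>.so; group by ABI.
                result["native"].setdefault(parts[1], []).append(parts[2])
    # Match each native library name once, even if it ships for several ABIs.
    seen = set()
    for libs in result["native"].values():
        for lib in libs:
            for pattern, (component, license_) in KNOWN_NATIVE.items():
                if re.match(pattern, lib) and component not in seen:
                    seen.add(component)
                    result["components"].append(
                        {"file": lib, "component": component, "license": license_})
                    if any(tag in license_ for tag in COPYLEFT):
                        result["copyleft"].append(component)
    return result


def build_sample_apk() -> bytes:
    """Constructed APK layout with placeholder contents, for an offline dry run."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035")
        zf.writestr("classes2.dex", b"dex\n035")
        zf.writestr("lib/armeabi-v7a/libcrypto.so", b"\x7fELF")
        zf.writestr("lib/armeabi-v7a/libffmpeg.so", b"\x7fELF")
        zf.writestr("lib/arm64-v8a/libcrypto.so", b"\x7fELF")
        zf.writestr("lib/arm64-v8a/libapp.so", b"\x7fELF")  # the app's own code, unmatched
    return buf.getvalue()


if __name__ == "__main__":
    inv = inventory_apk(build_sample_apk())
    for entry in inv["components"]:
        print(f'{entry["file"]}: {entry["component"]} [{entry["license"]}]')
    print("copyleft components:", inv["copyleft"])
```

Unmatched libraries such as libapp.so are the ones worth reviewing by hand, since a name-based catalogue can only flag what it already knows.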
Vulnerabilities
• Third party libraries may contain vulnerabilities that endanger application security
• Common pitfalls in Android libraries include for example missing certificate checks, missing crypto, privacy issues
• In native libraries the common native code problems persist.
• Vulnerability feeds provide vulnerability information on common components
  – http://nvd.nist.gov/
  – Appcheck performs matching against vulnerability feeds

Ad networks
• Ad networks vary from benign to outright evil
  – Some replace the dial tone
  – Some have critical vulnerabilities
  – Some may send more information than the user is willing to accept
• Appcheck detects all the common ad networks.
Licenses
• Third party code sometimes comes with strings attached in the form of licenses
  – E.g. GPL requires you to distribute the source code of derivative works
  – The Apache license requires some attribution
  – GPLv3 forbids DRM
• A common pitfall in Android would be to bundle, for example, an LGPL lib into one .so with the rest of the native code
• Appcheck makes all the used licenses visible

Improving security
• By being aware of the security issues of reusable third party components in their apps, developers can take action to fix issues
• If you source software, you can use Appcheck to check what the supplier has actually bundled inside the app.

Conclusions
• Mobile applications face threats and risks stemming from bundled 3rd party code.
• Third party code scanning gives you actionable results to
  – Remove or mitigate known vulnerabilities
  – Eliminate license risk
  – Remove overlapping and unwanted functionality such as privacy leaks
Testdroid Products
Complete Solution for Mobile Apps/Games Testing


Testdroid & Appcheck
– Get Your App an Insurance for Security & Vulnerability!


Testdroid Blog and Webinars
– Because it is important to know how to automate your testing!


Codenomicon Website and Events
