Presented at ekoparty 14 (2018)
Sept. 28, 2018, 11:50 a.m.
It's been 7 years since i had to test the security of a mobile application for the first time, having almost no experience in the subject.
During this time, i had the opportunity to experiment, learn and analyze a large number of applications in multiple platforms (J2ME, Android, iOS, Blackberry, Windows Phone), give talks and trainings, and was able to catch a view of the current state of security in mobile app development.
The idea behind this talk is to share with the attendees what I've learned during these years, the most common security vulnerabilities when developing for mobile devices, some real examples (FAILs) from projects I have worked on and show some live demonstrations.
The OWASP Mobile Top 10 project will be discussed and compared to the Web version.
The examples shown will be from different kinds of mobile apps that were tested by the speaker, and will cover the following kinds of vulnerabilities. All the examples will be taken from real applications.
Information Disclosure (Passwords found in the source code of a mobile banking app)
Insecure Storage (Banking and payment apps that stored sensitive information in cache and device logs)
Backup Enabled (Payment App lock screen bypass through PIN retrieval via App Data backup)
Weak Server Side Controls (Mobile Payment App discloses payment data through parameter manipulation)
Broken Cryptography (Mobile POS application using EMV compliant readers that leaked the DKUPT BDK through manipulation of the API)
Security Decisions Via Untrusted Inputs (Application PIN lock bypassing via function hooking on a Google application)
Attendees will leave the talk with the necessary knowledge to take the first steps into the mobile app security world, as well as knowing what kinds of vulnerabilities can affect software they use or develop.
Gustavo Sorondo is 33 years old and is CTO at Cinta Infinita. He has worked in more than 100 projects in his career, all related to information security in 6 different countries, he has delivered Penetration Testing, Web Apps Security, Wireless Security and Mobile Apps Security trainings. He has also given talks and workshops in security conferences such as Ekoparty, TROOPERS, PHDays, Segurinfo, OWASP Appsec / Latam Tours, Andsec, DragonJARCon and PampaSeg. He is a Snowboard trainer and in his free time he enjoys listening to music.