Mobile Applications & Proxy Shenanigans

Presented at AppSec USA 2012, Oct. 25, 2012, 10 a.m. (45 minutes)

With over 5 billion mobile devices presently in use, mobile applications enable new threats and attacks which introduce significant risks to organizations. As such, it is imperative that we perform our normal application security procedures on all mobile applications, including pen testing and code reviews. Pen testing mobile applications has proven to be difficult when typical application security testing practices are employed. Proxying mobile traffic for examination and modification is anything but straightforward, and every application presents its own unique challenges. David and Dan will explain the issues that arise when trying to proxy mobile application traffic. Join Dan and Dave as they provide guidance and a roadmap so that you may overcome these obstacles.


Presenters:

  • Dan Amodio - Principal Consultant - Aspect Security
    As a Principal Consultant, Dan manages and defines Aspect Security's line of Assessment Services, helping organizations quantify their security risks from design to implementation. He works with staff and clients to develop the team members and deliverables. Dan holds a security clearance and directly supports a variety of client projects. He leads mobile security efforts, security architecture and design reviews, code reviews, and penetration testing for clients in government, educational, airline, and financial sectors. His expertise spans an array of IT disciplines including application security, software development, systems administration, and technical support. He has over 10 years of programming experience in a variety of languages and actively participates in open source and software security communities. Outside of work, Dan enjoys spending time with his wife and daughter. He is a longtime musician who performs, records, and does sound engineering.
  • David Lindner - Managing Consultant and Global Practice Manager - Aspect Security
    David Lindner is a Managing Consultant and Global Practice Manager, Mobile Application Security Services, at Aspect Security. David brings 15 years of IT experience including application development, network architecture design and support, IT security and consulting, and application security. David's focus has been in the mobile space, including everything from mobile application penetration testing and code review to analyzing MDM and BYOD solutions. David also specializes in performing application penetration tests utilizing commercial and freeware products as well as manual testing methods. David has written code in many different languages but specializes in Java/J2EE and Perl. David has supported many different clients including financial, government, automobile, healthcare, and retail. David holds an M.S. degree in Computer Engineering and Information Assurance from Iowa State University, recognized by the NSA as a National Center of Academic Excellence in Information Assurance Education. His Master's thesis was Creating Secure Web Applications and incorporating security throughout the Software Development Lifecycle (SDLC). David completed his undergraduate work at Wartburg College in Waverly, IA, where he received a B.A. with a triple major in Computer Science, Physics, and Mathematics.
