Advanced Mobile Application Code Review Techniques

Presented at AppSec USA 2013, Nov. 20, 2013, 3 p.m. (50 minutes).

Abstract: Learn how mobile experts blend their techniques to accelerate code reviews. While reviewing Windows Phone 8, Hybrid or HTML5 applications, you will love these handy tricks that help in detecting famous and a few not-so-famous flaws. Using demonstrations and code snippets, we will highlight the benefits of blended techniques compared with simple scanning or manual testing alone. You will also learn how to reduce the time taken for review and obtain a ready-to-use checklist.

Objectives:
  • To give live demonstrations of the most common insecurities found in Windows Phone 8, HTML5 or Hybrid applications.
  • To share tested and proven methods of discovering insecurities via code reviews.
  • To learn how to efficiently conduct source code reviews for mobile applications.
  • To develop a checklist for mobile code reviews.

Outline: An emerging trend is the use of smartphones for financial transactions. As usage of mobile devices grows, so do concerns about the security of mobile transactions. With the demand for M-Commerce and M-Banking applications rising, mobile application developers should be aware of what flaws they may inadvertently introduce. This presentation is intended to provide insight into coding-related flaws present in mobile applications. It aims to give you a targeted and efficient approach to discovering these flaws in your mobile application code. As Windows Phone 8, HTML5 and Hybrid mobile technology are the latest popular mobile platforms and technologies, we will focus on these areas during this presentation.

The content of the talk is outlined below:
  • Introduction to Mobile Applications
  • Threats to mobile applications
  • Advantages of "Mobile Code Reviews"
  • Windows Phone Insecurities (with demonstrations using vulnerable code as well as secure code)
    • Attacks on data stored on the device
    • Malware present in the application which sends unauthorized SMSs or makes unauthorized calls
    • Incorrectly implemented application encoding and encryption
    • Tapjacking
    • Other hacks
  • HTML5 Insecurities (with demonstrations using vulnerable code as well as secure code)
    • Insecure data validation and injection-based attacks
    • Client-side data caching and storage
    • Client-side reflection-based attacks
    • Insecure network connections
    • Other hacks
  • Hybrid Technology Mobile Insecurities
    • A gist of the insecurities with their respective discovery techniques and solutions
  • Advanced Mobile Code Reviews
    • The checklist compiled so far during the presentation
    • Handy tricks for Mobile Code Reviews
    • A quick demonstration of the discovery of vulnerabilities in a vulnerable application
  • Conclusion

Presenters:

  • Sreenarayan A - Information Security Consultant - Independent Consultant
    Sreenarayan is currently working as an independent Information Security Consultant. He was the principal researcher in the Mobile Application Security Team at Paladion, where he developed Paladion's Android, iOS, Windows Mobile and BlackBerry Gray Box and Code Review checklists, and he has trained 30+ engineers to detect security flaws in mobile applications. He has found flaws in leading mobile-based financial applications and helped the respective organizations fix those vulnerabilities. He has authored many white papers on information security and network-related research, which have been published in multiple information security magazines and international journals such as Hakin9 and Palisade magazine, among others. He has conducted technical trainings and given expert talks on various platforms for multiple banking and finance customers and reputed institutes of Mumbai University. He is a Certified Ethical Hacker, Certified Security Analyst and Certified Forensics Investigator.
