

How To Become Your App’s ‘Security Champion’ (2025 Edition)

In this session, we will take an introductory look at mobile security, the threats we face as mobile developers and the steps you can take to become a 'security champion' for your app to protect your business and, most importantly, your users.

This talk was presented at Leeds Mobile on 29 Sept 2025


Ed Holloway-George

September 30, 2025



Transcript

1. How to become your app’s “Security Champion”
   Ed Holloway-George | Android GDE | Mobile Tech Lead @ Kraken Tech
   @sp4ghetticode - spght.dev
2. Ed Holloway-George
   • Mobile Tech Lead @ Kraken Tech 🐙
   • Android Google Dev Expert ✨🤖
   • Pomeranian Dad 🐶
   • Ex-ASOS, Hi Mum! Said Dad, Bopple 👨💻
   That’s not! That’s me!
3. Ed Holloway-George
   • Mobile security enthusiast
   • Android Dev first, but currently using KMP/CMP
   • I love to blog/talk about interesting things*
   Please follow me for more! spght.dev/talks
   * Your experience may differ
4. What’s coming up: talk overview
   This talk covers:
   • A reminder of why mobile security is important
   • How to begin a security champion program
   • How to become a ‘security champion’ 👑
5. What’s coming up: talk overview
   Disclaimer, this talk is:
   1. Not endorsed by my employer (past/present or anyone else for that matter!)
   2. For educational purposes only
   3. A more ‘strategic’ talk about mobile security
   4. Available online to recap later!
6. Why should we care? 1. The mobile attack surface is HUGE and growing 📈
   • Android most recently announced 3.6 billion active devices
   • Doesn’t include devices using ‘alternative stores’
   • Myriad of devices running Android, new form factors etc.
   • iOS now has over 1 billion devices too
   With more and more devices in use, it’s a huge opportunity for malicious actors
   Sources: Google I/O 22
7. Why should we care? 2. Growing financial incentives 🤑
   • E.g. the recent rise of ‘Web 3.0’ / crypto
   • $2.2 billion in cryptocurrencies stolen (+20% YoY 2023)
   • 70% of all fraud occurs on mobile
   Successful mobile exploits can garner huge financial results
   Sources: Chainalysis, Guardsquare
8. Why should we care? 3. Security incidents are (very) bad!
   “It takes years to build a reputation and a few minutes of a cyber-incident to ruin it.”
   Quote: Stéphane Nappo
9. A recent example: Tea App Hack - 2025
   • Women-only ‘dating safety’ mobile app
   • Used facial analysis and photos of ID to ensure a women-only space
   • Discussed sensitive subjects such as intimate relationships, sexual activity, infidelity, etc.
   Sources: kammerath.com, Wikipedia
10. A recent example: Tea App Hack - 2025
   • Exploited in July 2025
   • Hackers decompiled the app and then abused Tea’s “vibe-coded” backend 😅
   • PII and 72,000 personal images leaked on 4chan
   • 1.1 million private messages then leaked by another exploit in August 2025
   Sources: kammerath.com, Wikipedia
11. A recent example: Tea App Hack - 2025
   Current Status: 10+ Lawsuits
12. Why should we care? 4. Security knowledge is neglected in our field 😅
   • Perceived steep learning curve
   • Often misunderstood or totally ignored
   • Not seen as a ‘sexy’ subject
   • A common “It won’t happen to me” mentality
   And this keeps me awake at night… 🥲
13. And you (devs) agree with me! No shame in 2nd place 🥈
   Source: my followers!
14. “Security Champions are non-security volunteers who act as liaisons in both directions; from security to their team, and from their team to security” - Dustin Lehr: Security Champion Success Guide
15. But, just not yet… The lifecycle of a security champion: the beginning
   • Someone interested in mobile security ✅
   • Looking to improve the security culture in your organisation ✅
   • Someone willing to learn and/or lead by example 🤞
   • Can pass on knowledge to others internally 🤞
16. But, just not yet… The lifecycle of a security champion: what we want to gain
   • Knowledge of the key/relevant areas in mobile security
   • Write code with security in mind
   • Follow security best practices
   • Be able to demonstrate your app is more secure through our actions
17. But, just not yet… The lifecycle of a security champion: our end goals
   • 🥉 Full leadership buy-in
   • 🥈 Non-security people performing security-related tasks
   • 🥇 A self-sufficient Security Champion ✨ ‘program’ ✨
18. You can become a true rock idol…
   Source: The British Museum (Sorry Egypt!)
20. How to set up a champion program? A lightning guide to its key principles ⚡
   • Vision 🔮
   • Participants 🧑🍳👷👩🔬👩🔧
   • Environment 🏦🏚
   • Concept 📝
   • Incentive 🧠
   • Delivery 📬✨
   • Tuning 🔧🔄
   Source: securitychampionsuccessguide.org
21. Quick wins: how to kick off a security champion program today*
   • Find a handful of like-minded engineers or individuals
   • Start a regular lunch + learn / brown bag session
   • Make noise internally about what you are doing (and why)
   • Raise the profile of security tasks within your app
   • Speak to your engineering manager and/or CISO!
   * After the conference
22. Success Stories 👑 Security Champions: Fivetran
   • Global data warehousing company
   • Launched program in May 2022
   • Initially focused on participation, training and awareness
   • Over time, increased emphasis on performing actions
   • Implemented gamification
   • 10% of the entire company now signed up 😱 (over 100 people)
   Source: Dustin Lehr
23. Epic Fails 😅 Being a Security Chump?! Me (in a previous role)
   • Took on all the responsibility myself
   • Became an information silo
   • Didn’t share my domain knowledge effectively
   • Missed opportunities to up-skill enthusiastic teammates
   • When 💩 hit the 🪭, guess who was on holiday!
   • Prompted me to write this talk…
   Source: Dustin Lehr
24. Some quick-ish ideas to get you started…
   1. Perform SAST on your app and discuss results 🔐
25. Common examples of SAST tooling
   • MobSF - Free - iOS/Android
   • AppSweep - Free/Paid - iOS/Android
   • Veracode - Paid - iOS/Android
   • SonarQube - Paid - iOS/Android
   • Snyk - Free/Paid - iOS/Android
   • And many, many more…
26. MobSF (mobsf.github.io)
   Screenshot captions: general ‘score’ and overview of security concerns; prioritised list of security issues with links to further info/resources
27. Next steps…
   • Take the report to your team / management
   • Scare them with your results 😱
   • Action high-priority issues
   • Show measurable improvement in the long term
   • Actively monitor going forwards
28. Some quick-ish ideas to get you started…
   1. Perform SAST on your app and discuss results 🔐
   2. Ensure your ProGuard/R8 rules are strict enough ✍
29. ‘ProGuard Playground’ by GuardSquare (playground.proguard.com)
   Screenshot captions: uploaded APK / JAR; classes, methods & fields; interactive display of your custom rules in action (no app building needed!); editable ProGuard/R8 rules
30. Next steps…
   • Use the playground to improve your rules
   • Test for any unexpected behaviours
   • Explore the ProGuard documentation
   • Get smaller, optimised and more secure builds
   • Android only (sorry!)
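As an added example (not from the talk, GuardSquare or the playground), a small Python check a champion could run over a proguard-rules.pro file before testing rules in the playground: it flags directives that switch R8/ProGuard protections off outright and catch-all keep rules that exempt a whole package tree from shrinking and renaming. The rules text and the com.example.app package are constructed samples.

```python
import re

# Constructed sample rules file (not from any real project); com.example.app is a placeholder.
SAMPLE_RULES = """\
# keeps every class and member: defeats shrinking and obfuscation for the whole app
-keep class com.example.app.** { *; }
-dontobfuscate
-keepattributes SourceFile,LineNumberTable
# narrow rule: only the serialised model fields need their original names
-keep class com.example.app.api.model.** { <fields>; }
"""

# Directives that turn a whole R8/ProGuard protection off.
DISABLING_FLAGS = {"-dontobfuscate", "-dontshrink", "-dontoptimize"}

# A keep rule covering a whole package tree ("pkg.**") and every member ("{ *; }").
BROAD_KEEP = re.compile(
    r"^-keep(?:classmembers)?\s+(?:public\s+)?class\s+(\S+)\.\*\*\s*\{\s*\*;\s*\}"
)


def audit_rules(text):
    """Return (line_no, severity, message) findings for a ProGuard/R8 rules file."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        directive = line.split()[0]
        if directive in DISABLING_FLAGS:
            findings.append((no, "high", f"{directive} disables an entire R8 protection"))
            continue
        m = BROAD_KEEP.match(line)
        if m:
            findings.append((no, "high",
                             f"wildcard keep of {m.group(1)}.** exempts a whole package "
                             "tree from shrinking and renaming"))
            continue
        if directive == "-keepattributes" and "SourceFile" in line:
            # Retaining file/line info is normal for readable crash reports; pairing it
            # with -renamesourcefileattribute keeps the real file names out of the build.
            findings.append((no, "info",
                             "SourceFile/LineNumberTable retained; pair with "
                             "-renamesourcefileattribute"))
    return findings


if __name__ == "__main__":
    for line_no, severity, message in audit_rules(SAMPLE_RULES):
        print(f"line {line_no} [{severity}]: {message}")
```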
31. Some quick-ish ideas to get you started…
   1. Perform SAST on your app and discuss results 🔐
   2. Ensure your ProGuard/R8 rules are strict enough ✍
   3. Decompile your app and take a poke around 🔧
32. Android Reverse Engineering 101 (Please use responsibly)
   • Your APK is just a ZIP file with ✨ extra spice ✨
   • Rename app.apk to app.zip
   • Unzip it
   • ???
   • Profit
   • A wild folder with lots of funky files appeared! 🤪
33. Reverse Engineering: the innards of your APK
   • .dex files are Dalvik Executable files
   • Similar to Java .class files, but run on Android’s own runtime (Dalvik/ART) rather than a desktop JVM
   • Contain Dalvik bytecode
   • Possible to convert back to something close to the original source code (lossy process)
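The two slides above ("an APK is just a ZIP" and "the innards of your APK"), as an added Python illustration that is not part of the talk: it packs a constructed, header-only classes.dex into an in-memory APK, then opens the APK with nothing more than the standard zipfile module and reads the DEX header, the magic, the Adler-32 checksum and the SHA-1 signature that every .dex carries, which is exactly what makes the file so easy to inspect. The entry names and counts are constructed sample data; the header layout is the public DEX format.

```python
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70  # the DEX header is a fixed 112 bytes


def build_sample_dex(class_defs=3):
    """Constructed header-only DEX (sample data, not from any real app).
    Layout: magic(8) checksum(4) sha1(20) then 20 little-endian uint32s: file_size,
    header_size, endian_tag, link_size/off, map_off and size/offset pairs for
    strings, types, protos, fields, methods, class_defs and data."""
    fields = [DEX_HEADER_SIZE, DEX_HEADER_SIZE, 0x12345678, 0, 0, 0,
              0, 0, 0, 0, 0, 0, 0, 0, 0, 0, class_defs, 0, 0, 0]
    body = struct.pack("<20I", *fields)
    signature = hashlib.sha1(body).digest()                  # SHA-1 of bytes 32..end
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF   # Adler-32 of bytes 12..end
    return b"dex\n035\0" + struct.pack("<I", checksum) + signature + body


def parse_dex_header(data):
    """Check magic, checksum and signature; return what the header declares."""
    if len(data) < DEX_HEADER_SIZE or data[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    checksum, = struct.unpack_from("<I", data, 8)
    f = struct.unpack_from("<20I", data, 32)
    return {
        "version": data[4:7].decode(),
        "checksum_ok": zlib.adler32(data[12:]) & 0xFFFFFFFF == checksum,
        "signature_ok": hashlib.sha1(data[32:]).digest() == data[12:32],
        "file_size": f[0],
        "string_ids": f[6], "method_ids": f[14], "class_defs": f[16],
    }


def build_sample_apk():
    """An APK is a ZIP: pack a placeholder manifest and one DEX in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed placeholder>")
        z.writestr("classes.dex", build_sample_dex())
    return buf.getvalue()


def inspect_apk(apk_bytes):
    """List the archive's entries and parse every .dex header inside it."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex = {n: parse_dex_header(z.read(n)) for n in names if n.endswith(".dex")}
    return {"entries": names, "dex": dex}
```

Pointing inspect_apk at a real build (read the .apk bytes from disk) lists its entries and the declared string, method and class counts per classes*.dex, a quick way to see how much of your own code a shrinker did or did not strip.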
34. Some quick-ish ideas to get you started…
   1. Perform SAST on your app and discuss results 🔐
   2. Ensure your ProGuard/R8 rules are strict enough ✍
   3. Decompile your app and take a poke around 🔧
   4. Check out my other talks!