How To Become Your App’s ‘Security Champion’ (2025 Edition)

Transcript

1. @sp4ghetticode - spght.dev How to become your app’s “Security Champion”

   Ed Holloway-George | Android GDE | Mobile Tech Lead @ Kraken Tech

2. @sp4ghetticode - spght.dev Ed Holloway-George Mobile Tech Lead @ Kraken

   Tech 🐙 Android Google Dev Expert ✨🤖 Pomeranian Dad 🐶 Ex-ASOS, Hi Mum! Said Dad, Bopple 👨💻 2 That’s not! That’s me!

3. @sp4ghetticode - spght.dev Ed Holloway-George • Mobile security enthusiast •

   Android Dev first, but currently using KMP/CMP • I love to blog/talk about interesting things* Please follow me for more! * Your experience may differ 3 spght.dev/talks

4. @sp4ghetticode - spght.dev What’s coming up Talk overview This talk

   covers: • A reminder of why mobile security is important • How to begin a security champion program • How to become a ‘security champion’ 👑

5. @sp4ghetticode - spght.dev What’s coming up Talk overview Disclaimer, this

   talk is: 1. Not endorsed by my employer (past/present or anyone else for that matter!) 2. For educational purposes only 3. A more ‘strategic’ talk about mobile security 4. This talk is available online to recap later!

6. @sp4ghetticode - spght.dev Why should mobile developers care about security?

7. @sp4ghetticode - spght.dev Why should we care? 1. The mobile

   attack surface is HUGE and growing 📈 • Android most recently announced 3.6 billion active devices • Doesn’t include devices using ‘alternative stores’ • Myriad of devices running Android, new form factors etc. • iOS now has over 1 billion devices too With more and more devices in use, it’s a huge opportunity for malicious actors Sources: • Google I/O 22

8. @sp4ghetticode - spght.dev Why should we care? 2. Growing financial

   incentives 🤑 • E.g. Recent rise of ‘Web 3.0’ / Crypto • $2.2 billion in cryptocurrencies stolen (+20% YoY 2023) • 70% all fraud occurs on mobile Successful mobile exploits can garner huge financial results Sources: • Chainalysis • Guardsquare

9. @sp4ghetticode - spght.dev Why should we care? 3. Security incidents

   are (very) bad! “It takes years to build a reputation and a few minutes of a cyber-incident to ruin it.” Quote: • Stéphane Nappo

10. @sp4ghetticode - spght.dev A recent example: Tea App Hack -

    2025 Sources: • kammerath.com • Wikipedia • Women-only ‘dating safety’ mobile app • Used facial-analysis and photos of ID to ensure a women-only space • Discussed sensitive subjects such as intimate relationships, sexual activity, infidelity, etc

11. @sp4ghetticode - spght.dev A recent example: Tea App Hack -

    2025 Sources: • kammerath.com • Wikipedia • Exploited in July 2025 • Hackers decompiled the app and then abused Tea’s “vibe-coded” backend 😅 • PII and 72,000 personal images leaked on 4chan • 1.1 million private messages then leaked by another exploit in August 2025

12. @sp4ghetticode - spght.dev A recent example: Tea App Hack -

    2025 Sources: • kammerath.com • Wikipedia • Exploited in July 2025 • Hackers decompiled the app and then abused Tea’s “vibe-coded” backend 😅 • PII and 72,000 personal images leaked on 4chan • 1.1 million private messages then leaked by another exploit in August 2025 Current Status: 10+ Lawsuits

13. @sp4ghetticode - spght.dev Why should we care? 4. Security knowledge

    is neglected in our field 😅 • Perceived steep learning curve • Often misunderstood or totally ignored • Not seen as a ‘sexy’ subject • A common “It won’t happen to me” mentality And this keeps me awake at night… 🥲

14. @sp4ghetticode - spght.dev And you (devs) agree with me! Sources:

    • My followers! No shame in 2nd place 🥈 ✨ ✨ ✨ ✨ 🥇 🥈

15. @sp4ghetticode - spght.dev The solution? ✨ We need mobile security

    champions ✨

16. @sp4ghetticode - spght.dev “What the heck is a security champion

    anyway?” - You 16

17. @sp4ghetticode - spght.dev “Security Champions are non-security volunteers who act

    as liaisons in both directions; From security to their team, and from their team to security” - Dustin Lehr: Security Champion Success Guide

18. @sp4ghetticode - spght.dev 18 Surprise: You are already one

19. @sp4ghetticode - spght.dev But, just not yet… The lifecycle of

    a security champion • The beginning • Someone interested in mobile security ✅ • Looking to improve the security culture in your organisation ✅ • Someone willing to learn and/or lead by example 🤞 • Can pass on knowledge to others internally 🤞

20. @sp4ghetticode - spght.dev But, just not yet… The lifecycle of

    a security champion • What we want to gain • Knowledge of the key/relevant areas in mobile security • Write code with security in mind • Follow security best practises • Be able to demonstrate your app is more secure through our actions

21. @sp4ghetticode - spght.dev But, just not yet… The lifecycle of

    a security champion • Our end goals • 🥉 Full leadership buy-in • 🥈 Non-security people performing security-related tasks • 🥇 A self-sufficient Security Champion ✨ ‘program’ ✨

22. @sp4ghetticode - spght.dev How do we set a security champion

    program up? 😅

23. @sp4ghetticode - spght.dev 23 In an ideal world… CyberSec

24. @sp4ghetticode - spght.dev 24 In an ideal world… CyberSec Other

    Teams

25. @sp4ghetticode - spght.dev 25 In an ideal world… CyberSec Other

    Teams You are here (probably)

26. @sp4ghetticode - spght.dev 26 In an ideal world… CyberSec Other

    Teams 👑 Champions

27. @sp4ghetticode - spght.dev 27 In an ideal world… CyberSec Other

    Teams 👑 Champions 👑 👑 👑 👑

28. @sp4ghetticode - spght.dev 28 Maybe more realistically… The ‘scary’ world

    of Mobile Security Your Mobile Team(s) You 😅

29. @sp4ghetticode - spght.dev You can become a true rock idol…

    Sources: • The British Museum (Sorry Egypt!)

30. @sp4ghetticode - spght.dev You can become a true rock idol…

    Sources: • The British Museum (Sorry Egypt!) 🌸 🌸 🌸 ✨ ✨

31. @sp4ghetticode - spght.dev How to set up a champion program?

    A lightning guide to its key principles ⚡ • Vision 🔮 • Participants🧑🍳👷👩🔬👩🔧 • Environment 🏦🏚 • Concept 📝 • Incentive 🧠 • Delivery 📬✨ • Tuning 🔧🔄 Source: • securitychampionsuccessguide.org

32. @sp4ghetticode - spght.dev Quick wins • Find a handful of

    like-minded engineers or individuals • Start a regular lunch + learn / brown bag session • Make noise internally about what you are doing (and why) • Raise the profile of security tasks within your app • Speak to your engineering-manager and/or CISO! How to kick-off a security champion program today* * After the conference

33. @sp4ghetticode - spght.dev Success Stories 👑 Security Champions • Fivetran

    - Global data warehousing company • Launched program in May 2022 • Initially focused on participation, training and awareness • Over time, increased emphasis on performing actions • Implemented gamification • 10% of entire company now signed-up 😱 (Over 100+ people) Source: • Dustin Lehr

34. @sp4ghetticode - spght.dev Epic Fails 😅 Being a Security Chump?!

    • Me (in a previous role) • Took on all the responsibility myself • Became an information silo • Didn’t share my domain knowledge effectively • Missed opportunities to up-skill enthusiastic teammates • When 💩 hit the 🪭, guess who was on holiday! • Prompted me to write this talk… Source: • Dustin Lehr

35. @sp4ghetticode - spght.dev ✨ Congrats on your new champion program

    ✨ Now what? 35

36. @sp4ghetticode - spght.dev Some quick-ish ideas to get you started…

    36 1. Perform SAST on your app and discuss results 🔐

37. @sp4ghetticode - spght.dev Common Examples SAST Tooling • MobSF -

    Free - iOS/Android • AppSweep - Free/Paid - iOS/Android • Veracode - Paid - iOS/Android • SonarQube - Paid - iOS/Android • Snyk - Free/Paid - iOS/Android • And many many more…

38. @sp4ghetticode - spght.dev mobsf.github.io MobSF

39. @sp4ghetticode - spght.dev mobsf.github.io MobSF General ‘score’ and overview of

    security concerns

40. @sp4ghetticode - spght.dev mobsf.github.io MobSF General ‘score’ and overview of

    security concerns Prioritised list of security issues with links to further info/resources

41. @sp4ghetticode - spght.dev mobsf.github.io MobSF

42. @sp4ghetticode - spght.dev mobsf.github.io MobSF Overview of uploaded app

43. @sp4ghetticode - spght.dev mobsf.github.io MobSF Overview of uploaded app Perform

    dynamic analysis on your application

44. @sp4ghetticode - spght.dev Next steps… • Take report to your

    team / management • Scare them with your results 😱 • Action high priority issues • Show measurable improvement in the long term • Actively monitor going forwards

45. @sp4ghetticode - spght.dev Some quick-ish ideas to get you started…

    45 1. Perform SAST on your app and discuss results 🔐 2. Ensure your ProGuard/R8 rules are strict enough ✍

46. @sp4ghetticode - spght.dev playground.proguard.com ‘ProGuard Playground’ by GuardSquare

47. @sp4ghetticode - spght.dev playground.proguard.com ‘ProGuard Playground’ by GuardSquare Editable ProGuard/R8

    rules

48. @sp4ghetticode - spght.dev playground.proguard.com ‘ProGuard Playground’ by GuardSquare Uploaded APK

    / JAR Classes, methods & fields Editable ProGuard/R8 rules

49. @sp4ghetticode - spght.dev playground.proguard.com ‘ProGuard Playground’ by GuardSquare Uploaded APK

    / JAR Classes, methods & fields Interactive display of your custom rules in action (No app building needed!) Editable ProGuard/R8 rules

50. @sp4ghetticode - spght.dev Next steps… • Use the playground to

    improve your rules • Test for any unexpected behaviours • Explore the ProGuard documentation • Get smaller, optimised and securer builds • Android only (sorry!)

51. @sp4ghetticode - spght.dev Some quick-ish ideas to get you started…

    51 1. Perform SAST on your app and discuss results 🔐 2. Ensure your ProGuard/R8 rules are strict enough ✍ 3. Decompile your app and take a poke around 🔧

52. @Sp4ghettiCode / spght.dev Android Reverse Engineering 101 (Please use responsibly)

    • Your APK is just a ZIP file with ✨ extra spice ✨ • Rename app.apk to app.zip • Unzip it • ??? • Profit • A wild folder with lots of funky files appeared! 🤪

53. @Sp4ghettiCode / spght.dev Reverse Engineering The innards of your APK

    • .dex files are Dalvik Executable files • Similar to Java .class files but run on Android’s JVM • Contains Dalvik byte code • Possible to convert back to its original source code (lossy process)

54. @sp4ghetticode - spght.dev github.com/skylot/jadx JADX Decompiles Android files .apk .aar

    .class .dex .smali And more…

55. @sp4ghetticode - spght.dev github.com/skylot/jadx JADX Show decompiled file packages, classes

    & methods

56. @sp4ghetticode - spght.dev github.com/skylot/jadx JADX Show decompiled file packages, classes

    & methods Java representation of your code

57. @sp4ghetticode - spght.dev Some quick-ish ideas to get you started…

    57 1. Perform SAST on your app and discuss results 🔐 2. Ensure your ProGuard/R8 rules are strict enough ✍ 3. Decompile your app and take a poke around 🔧 4. Check out my other talks!

58. @sp4ghetticode - spght.dev spght.dev Talks and Blogs

59. @sp4ghetticode - spght.dev Visit securitychampionsuccessguide.org If you do one thing

    today…

60. @sp4ghetticode - spght.dev Thanks for having me! 60 Sorry for

    the coughing 🥲

61. @sp4ghetticode - spght.dev EOF spght.dev/talks 61