Upgrade to Pro — share decks privately, control downloads, hide ads and more …

How to become your app’s “Security Champion” (A...

How to become your app’s “Security Champion” (Android Worldwide Jan 2023)

In this session, we will take an introductory look at mobile security, the threats we face as mobile developers and the steps you can take to become a 'security champion' for your app to protect your business and, most importantly, your users.

Visit spght.dev/talks for more

Ed Holloway-George

February 02, 2023
Tweet

More Decks by Ed Holloway-George

Other Decks in Technology

Transcript

  1. @sp4ghetticode - spght.dev Ed Holloway-George Senior Android @ ASOS &

    Android GDE • Mobile security enthusiast • I like to tweet/toot/blog/talk about interesting things* Follow me for more! #androidww * Your experience may differ 2 spght.dev/talks That’s not! That’s me!
  2. @sp4ghetticode - spght.dev What’s coming up Talk overview This talk

    covers: • A reminder of why mobile security is important • How to begin a security champion program • How to become a ‘security champion’ 👑
  3. @sp4ghetticode - spght.dev What’s coming up Talk overview This talk

    is: 1. Not endorsed by my employer (or anyone else!) 2. For educational purposes only 3. A more ‘strategic’ talk about mobile security 4. Recorded, but slides available already online
  4. @sp4ghetticode - spght.dev Why should we care? 1. The mobile

    attack surface is HUGE and growing • Android most recently announced 3 billion active devices • Doesn’t include devices using ‘alternative stores’ • Myriad of devices running Android forks, new form factors etc. Sources: • Google I/O 22
  5. @sp4ghetticode - spght.dev Why should we care? 2. Growing financial

    incentives for malicious actors • Recent rise of ‘Web 3.0’ / Crypto • $2.0 billion in cryptocurrencies stolen (+60% 2021) • 70% all fraud occurs on mobile Sources: • AppDome • Guardsquare
  6. @sp4ghetticode - spght.dev Why should we care? 3. Implementing basic

    mobile security is not difficult • “It takes years to build a reputation and a few minutes of a cyber-incident to ruin it.” Quote: • Stéphane Nappo
  7. @sp4ghetticode - spght.dev It’s also quite neglected 😅 Sources: •

    My followers! • Twitter No shame in 2nd place 🥈 ✨ ✨ ✨ ✨ 🥇 🥈
  8. @sp4ghetticode - spght.dev Things do go wrong… e.g. Walgreens 2020

    Sources: • Bleeping Computer • threatpost
  9. @sp4ghetticode - spght.dev Things do go wrong… e.g. Walgreens 2020

    Sources: • Bleeping Computer • threatpost Sued $5m+
  10. @sp4ghetticode - spght.dev Things do go wrong… e.g. Klarna 2021

    Source: • Twitter Lots of very angry customers
  11. @sp4ghetticode - spght.dev People are d*cks… 🦆 e.g. Bad actors

    exist on Google Play Store That’s what I mean of course! Source: • McAfee • McAfee recently found 16 malicious app with 20m+ downloads • All 16 contained auto-clicker ‘adware’ • All originally passed Play Store safety checks (but are removed now)
  12. @sp4ghetticode - spght.dev People are d*cks… 🦆 e.g. ‘Attack of

    the Clones’ That’s what I mean of course! Source: • Google • Reddit
  13. @sp4ghetticode - spght.dev But, just not yet… The lifecycle of

    a security champion • The beginning • Someone interested in mobile security • Looking to improve the security culture in your organisation • Someone willing to learn and/or lead by example • Pass on knowledge to others internally
  14. @sp4ghetticode - spght.dev But, just not yet… The lifecycle of

    a security champion • What we want to gain • Knowledge of the key areas in mobile security • Write code with security in mind • Follow security best practises • Your app is more secure as a result
  15. @sp4ghetticode - spght.dev But, just not yet… The lifecycle of

    a security champion • The end goals • 🥉 Full leadership buy-in • 🥈 Non-security people performing security-related tasks • 🥇 A self-sufficient Security Champion ✨ ‘program’ ✨
  16. @sp4ghetticode - spght.dev How to set up a champion program?

    A lightning guide to its key principles ⚡ • Vision 🔮 • Participants🧑🍳👷👩🔬👩🔧 • Environment 🏦🏚 • Concept 📝 • Incentive 🧠 • Delivery 📬✨ • Tuning 🔧🔄 Source: • securitychampionsuccessguide.org
  17. @sp4ghetticode - spght.dev Quick wins • Find a handful of

    like-minded engineers or individuals • Start a regular lunch + learn / brown bag session • Make noise internally about what you are doing • Raise the profile of security tasks within your app • Speak to your manager and/or CISO! How to kick-off a security champion program today* * After the conference
  18. @sp4ghetticode - spght.dev Success Stories 👑 Security Champions • Fivetran

    - Global data warehousing company • Launched program in May 2022 • Initially focused on participation, training and awareness • Over time, increased emphasis on performing actions • Implemented gamification • 10% of entire company now signed-up 😱 Source: • Dustin Lehr
  19. @sp4ghetticode - spght.dev Some quick-ish ideas to get you started…

    30 1. Perform SAST on your app and discuss results 🔐
  20. @sp4ghetticode - spght.dev mobsf.github.io MobSF General ‘score’ and overview of

    security concerns Prioritised list of security issues with links to further info/resources
  21. @sp4ghetticode - spght.dev Next steps… • Take report to your

    team / management • Scare them. • Action high priority issues • Show measurable improvement in the long term • Actively monitor going forwards
  22. @sp4ghetticode - spght.dev Some quick-ish ideas to get you started…

    38 1. Perform SAST on your app and discuss results 🔐 2. Ensure your ProGuard/R8 rules are strict enough ✍
  23. @sp4ghetticode - spght.dev playground.proguard.com ‘ProGuard Playground’ by GuardSquare Uploaded APK

    / JAR Classes, methods & fields Interactive display of your custom rules in action (No app building needed!) Editable ProGuard/R8 rules
  24. @sp4ghetticode - spght.dev Next steps… • Use the playground to

    improve your rules • Test for any unexpected behaviours • Explore the ProGuard documentation • Get smaller, optimised and securer builds
  25. @sp4ghetticode - spght.dev Some quick-ish ideas to get you started…

    44 1. Perform SAST on your app and discuss results 🔐 2. Ensure your ProGuard/R8 rules are strict enough ✍ 3. Decompile your app and take a poke around 🔧
  26. @Sp4ghettiCode / spght.dev Reverse Engineering 101 (Please use responsibly) •

    Your APK is just a ZIP file with ✨extra spice✨ • Rename app.apk to app.zip • Unzip it • ??? • Profit • A wild folder with lots of funky files appeared! 🤪
  27. @Sp4ghettiCode / spght.dev Reverse Engineering The innards of your APK

    • .dex files are Dalvik Executable files • Similar to Java .class files but run on Android’s JVM • Contains Dalvik byte code • Possible to convert back to its original source code (lossy process)
  28. @sp4ghetticode - spght.dev Next steps… • Use this approach to

    ensure you aren’t exposing yourself 🤭 • If you can reverse engineer your app, so can anyone! • Make extra sure your obfuscation is working • Look into other tools such as Snyk, SonarQube, AppSweep & more…