Upgrade to Pro — share decks privately, control downloads, hide ads and more …

How to become your app’s “Security Champion” (n...

How to become your app’s “Security Champion” (nor(DEV):con 23)

In this session, we will take an introductory look at mobile security, the threats we face as mobile developers and the steps you can take to become a 'security champion' for your app to protect your business and, most importantly, your users.

Visit spght.dev/talks for more

Ed Holloway-George

February 24, 2023
Tweet

More Decks by Ed Holloway-George

Other Decks in Technology

Transcript

  1. @sp4ghetticode / spght.dev Who am I? • Snr. Android Dev

    @ ASOS • Android Google Dev Expert • Short lived iOS career building a “Facebook for Dogs” 😅 • I like to talk about mobile security a lot • Available on all good social media platforms (and Twitter) Introduction
  2. @sp4ghetticode / spght.dev Before we start… The legal boring bit

    • Not endorsed by my employer • For educational purposes only • A more ‘strategic’ talk about Mobile Security • Slides available online (but feel free to take pictures!)
  3. @sp4ghetticode / spght.dev What’s coming up Talk Overview Why Mobile

    Security is important What a security champion is
  4. @sp4ghetticode / spght.dev What’s coming up Talk Overview Why Mobile

    Security is important What a security champion is How to start your own champion program
  5. @sp4ghetticode / spght.dev What’s coming up Talk Overview security pion

    is How to start your own champion program More pictures of my dog? 🤷
  6. @sp4ghetticode / spght.dev What’s coming up Talk Overview Why Mobile

    Security is important What a security champion is How to start your own champion program
  7. @sp4ghetticode / spght.dev Why should we care? 1. The mobile

    attack surface is HUGE and growing • Android most recently announced 3 billion active devices • Doesn’t include devices using ‘alternative stores’ • Myriad of form factors, Android forks, etc. • iOS closing in on 2 billion active devices Sources: • Google I/O 22 • The Verge
  8. @sp4ghetticode / spght.dev Why should we care? 2. Growing financial

    incentives for malicious actors • Recent rise of ‘Web 3.0’/Crypto • Over $2 billion in cryptocurrencies stolen (+60% 2021) • 70% of all fraud now occurs on mobile Sources: • AppDome • GuardSquare
  9. @sp4ghetticode / spght.dev Why should we care? 3. Implementing basic

    mobile security is not difficult • Just not a common mobile dev specialism • Documentation fairly overwhelming • CyberSec teams neglect us too! Sources: • AppDome • GuardSquare
  10. @sp4ghetticode / spght.dev 🥇 🥈 What do mobile devs think?

    (well, my own subscribers) No shame in 2nd place 🥈 ✨ ✨ ✨ ✨
  11. @sp4ghetticode / spght.dev Things do go wrong… Walgreens 2020 Sources:

    • Bleeping Computer • threatpost SUED $5m+
  12. @sp4ghetticode / spght.dev People are d*cks… 🦆 Bad actors exist

    :( That’s what I mean of course! • McAfee recently found 16 malicious app with 20m+ downloads • All 16 contained auto-clicker ‘adware’ • All originally passed Play Store safety checks (but are removed now) Sources: • McAfee
  13. @sp4ghetticode / spght.dev People are d*cks… 🦆 Episode II: Attack

    of the Clones That’s what I mean of course! Sources: • Reddit • Google
  14. @sp4ghetticode / spght.dev What’s next… Talk Overview Why Mobile Security

    is important What a security champion is How to start your own champion program
  15. @sp4ghetticode / spght.dev What’s next… Talk Overview Why Mobile Security

    is important What a security champion is How to start your own champion program
  16. @sp4ghetticode / spght.dev But, just not yet… How to become

    your app’s security champion • The beginning • Someone interested in mobile security • Looking to improve the security culture in your organisation • Someone willing to learn and lead by example • Pass on knowledge to others internally
  17. @sp4ghetticode / spght.dev But, just not yet… How to become

    your app’s security champion • What we want to gain • Knowledge of the key areas within mobile security • Write code with security in mind • Follow security best practises • Having a more secure app as a result
  18. @sp4ghetticode / spght.dev But, just not yet… How to become

    your app’s security champion • Our end goals • 🥉 Full leadership buy-in • 🥈 Encouraging others to perform security related tasks • 🥇 A self-sufficient ‘Security Champion program’ ✨
  19. @sp4ghetticode / spght.dev What’s next… Talk Overview Why Mobile Security

    is important What a security champion is How to start your own champion program
  20. @sp4ghetticode / spght.dev What’s next… Talk Overview urity nt What

    a security champion is How to start your own champion program
  21. @sp4ghetticode / spght.dev How to set up a champion program?

    A lightning guide to its key principles ⚡ • Vision 🔮 • Participants🧑🍳👷👩🔬👩🔧 • Environment 🏦🏚 • Concept 📝 • Incentive 🧠 • Delivery 📬✨ • Tuning 🔧🔄 Source: securitychampionsuccessguide.org
  22. @sp4ghetticode / spght.dev Quick wins How to kick-off a security

    champion program today* • Find a handful of like-minded engineers or individuals • Start a regular lunch + learn / brown bag session • Make noise internally about what you are doing • Raise the profile of security tasks within your app • Speak to your manager and/or CISO! * After the conference
  23. @sp4ghetticode / spght.dev Success Stories 👑 Security Champions • Fivetran

    - Global data warehousing company • Launched program in May 2022 • Initially focused on participation, training and awareness • Over time, increased emphasis on performing actions • Implemented gamification • 10% of entire company now signed-up 😱
  24. @sp4ghetticode / spght.dev Some quick-ish ideas to get you started…

    1. Perform SAST on your app and discuss the results 🔬
  25. @sp4ghetticode / spght.dev MobSF mobsf.github.io General ‘score’ and overview of

    security concerns Prioritised list of security issues with links to further info/resources
  26. @sp4ghetticode / spght.dev MobSF mobsf.github.io Overview of uploaded app Perform

    dynamic analysis on your application ✨ Works for Android and iOS ✨
  27. @sp4ghetticode / spght.dev Next steps… • Take report to your

    team / management • Scare them 😱😱😱 • Action high priority issues • Show measurable improvement in the long term • Actively monitor going forwards
  28. @sp4ghetticode / spght.dev Some quick-ish ideas to get you started…

    1. Perform SAST on your app and discuss the results 2. Ensure your obfuscation rules are strict enough ✍
  29. @sp4ghetticode / spght.dev ProGuard Playground playground.proguard.com Editable ProGuard/R8 rules Uploaded

    app (APK / JAR) Classes, methods & fields Interactive display of your custom rules in action (No app building needed!)
  30. @sp4ghetticode / spght.dev ProGuard Playground playground.proguard.com Editable ProGuard/R8 rules Uploaded

    app (APK / JAR) Classes, methods & fields Interactive display of your custom rules in action (No app building needed!) ✨ Works for Android and iOS (soon) ✨
  31. @sp4ghetticode / spght.dev Next steps… • Use the playground to

    improve your rules • Test for any unexpected behaviours • Explore the ProGuard/iXGuard documentation • Get smaller, optimised and securer builds
  32. @sp4ghetticode / spght.dev Some quick-ish ideas to get you started…

    1. Perform SAST on your app and discuss the results 2. Ensure your obfuscation rules are strict enough 3. Decompile your app and take a poke around 🔧
  33. @sp4ghetticode / spght.dev Android Reverse Engineering 101 (Please use responsibly)

    • Your APK is just a ZIP file with ✨extra spice✨ • Rename app.apk to app.zip • Unzip it • ??? • Profit • A wild folder with lots of funky files appeared! 🤪
  34. @sp4ghetticode / spght.dev Next steps… • Use this approach to

    ensure you aren’t exposing yourself 🤭 • If you can reverse engineer your app, so can anyone! • Make extra sure your obfuscation is working • Look into other tools such as Snyk, SonarQube, AppSweep & more…