How to become your app’s “Security Champion” (nor(DEV):con 23)

In this session, we will take an introductory look at mobile security, the threats we face as mobile developers and the steps you can take to become a 'security champion' for your app to protect your business and, most importantly, your users.

Visit spght.dev/talks for more

Ed Holloway-George

February 24, 2023

Transcript

  1. Introduction: Who am I? (@sp4ghetticode / spght.dev)

    • Snr. Android Dev @ ASOS
    • Android Google Dev Expert
    • Short-lived iOS career building a “Facebook for Dogs” 😅
    • I like to talk about mobile security a lot
    • Available on all good social media platforms (and Twitter)
  2. Before we start… The legal boring bit

    • Not endorsed by my employer
    • For educational purposes only
    • A more ‘strategic’ talk about Mobile Security
    • Slides available online (but feel free to take pictures!)
  3. What’s coming up: Talk Overview

    • Why Mobile Security is important
    • What a security champion is
  4. What’s coming up: Talk Overview

    • Why Mobile Security is important
    • What a security champion is
    • How to start your own champion program
  5. What’s coming up: Talk Overview

    • Why Mobile Security is important
    • What a security champion is
    • How to start your own champion program
    • More pictures of my dog? 🤷
  7. Why should we care? 1. The mobile attack surface is HUGE and growing

    • Android most recently announced 3 billion active devices
    • Doesn’t include devices using ‘alternative stores’
    • Myriad of form factors, Android forks, etc.
    • iOS closing in on 2 billion active devices
    Sources: Google I/O 22, The Verge
  8. Why should we care? 2. Growing financial incentives for malicious actors

    • Recent rise of ‘Web 3.0’/Crypto
    • Over $2 billion in cryptocurrencies stolen (+60% 2021)
    • 70% of all fraud now occurs on mobile
    Sources: AppDome, GuardSquare
  9. Why should we care? 3. Implementing basic mobile security is not difficult

    • Just not a common mobile dev specialism
    • Documentation fairly overwhelming
    • CyberSec teams neglect us too!
    Sources: AppDome, GuardSquare
  10. What do mobile devs think? (well, my own subscribers)

    🥇 🥈 No shame in 2nd place 🥈
  11. Things do go wrong… Walgreens 2020: SUED $5m+

    Sources: Bleeping Computer, threatpost
  12. People are d*cks… 🦆 Bad actors exist :( That’s what I mean of course!

    • McAfee recently found 16 malicious apps with 20m+ downloads
    • All 16 contained auto-clicker ‘adware’
    • All originally passed Play Store safety checks (but are removed now)
    Source: McAfee
  13. People are d*cks… 🦆 Episode II: Attack of the Clones. That’s what I mean of course!

    Sources: Reddit, Google
  14. What’s next… Talk Overview

    • Why Mobile Security is important
    • What a security champion is
    • How to start your own champion program
  16. But, just not yet… How to become your app’s security champion: The beginning

    • Someone interested in mobile security
    • Looking to improve the security culture in your organisation
    • Someone willing to learn and lead by example
    • Pass on knowledge to others internally
  17. But, just not yet… How to become your app’s security champion: What we want to gain

    • Knowledge of the key areas within mobile security
    • Write code with security in mind
    • Follow security best practices
    • Having a more secure app as a result
  18. But, just not yet… How to become your app’s security champion: Our end goals

    • 🥉 Full leadership buy-in
    • 🥈 Encouraging others to perform security-related tasks
    • 🥇 A self-sufficient ‘Security Champion program’ ✨
  19. What’s next… Talk Overview

    • Why Mobile Security is important
    • What a security champion is
    • How to start your own champion program
  21. How to set up a champion program? A lightning guide to its key principles ⚡

    • Vision 🔮
    • Participants 🧑🍳👷👩🔬👩🔧
    • Environment 🏦🏚
    • Concept 📝
    • Incentive 🧠
    • Delivery 📬✨
    • Tuning 🔧🔄
    Source: securitychampionsuccessguide.org
  22. Quick wins: How to kick-off a security champion program today*

    • Find a handful of like-minded engineers or individuals
    • Start a regular lunch + learn / brown bag session
    • Make noise internally about what you are doing
    • Raise the profile of security tasks within your app
    • Speak to your manager and/or CISO!
    * After the conference
  23. Success Stories 👑 Security Champions: Fivetran

    • Global data warehousing company
    • Launched program in May 2022
    • Initially focused on participation, training and awareness
    • Over time, increased emphasis on performing actions
    • Implemented gamification
    • 10% of entire company now signed up 😱
  24. Some quick-ish ideas to get you started…

    1. Perform SAST on your app and discuss the results 🔬
  25. MobSF (mobsf.github.io)

    • General ‘score’ and overview of security concerns
    • Prioritised list of security issues with links to further info/resources
  26. MobSF (mobsf.github.io)

    • Overview of uploaded app
    • Perform dynamic analysis on your application
    ✨ Works for Android and iOS ✨
  27. Next steps…

    • Take report to your team / management
    • Scare them 😱😱😱
    • Action high-priority issues
    • Show measurable improvement in the long term
    • Actively monitor going forwards
  28. Some quick-ish ideas to get you started…

    1. Perform SAST on your app and discuss the results
    2. Ensure your obfuscation rules are strict enough ✍
  29. ProGuard Playground (playground.proguard.com)

    • Editable ProGuard/R8 rules
    • Uploaded app (APK / JAR)
    • Classes, methods & fields
    • Interactive display of your custom rules in action (No app building needed!)
  30. ProGuard Playground (playground.proguard.com), continued

    ✨ Works for Android and iOS (soon) ✨
  31. Next steps…

    • Use the playground to improve your rules
    • Test for any unexpected behaviours
    • Explore the ProGuard/iXGuard documentation
    • Get smaller, optimised and more secure builds
  32. Some quick-ish ideas to get you started…

    1. Perform SAST on your app and discuss the results
    2. Ensure your obfuscation rules are strict enough
    3. Decompile your app and take a poke around 🔧
  33. Android Reverse Engineering 101 (Please use responsibly)

    • Your APK is just a ZIP file with ✨extra spice✨
    • Rename app.apk to app.zip
    • Unzip it
    • ???
    • Profit
    • A wild folder with lots of funky files appeared! 🤪
  34. Next steps…

    • Use this approach to ensure you aren’t exposing yourself 🤭
    • If you can reverse engineer your app, so can anyone!
    • Make extra sure your obfuscation is working
    • Look into other tools such as Snyk, SonarQube, AppSweep & more…
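The two hands-on ideas in slides 28 to 31 (check that your obfuscation rules actually took effect) and slides 33 to 34 (treat your own APK as a ZIP and look at what ships in it) can be scripted so the check runs on every release build rather than once after a conference. The script below is an added example written for this transcript; it is not code from the talk, from MobSF or from the ProGuard Playground. The function names (`inspect_apk`, `obfuscation_ratio`, `find_secrets`, `build_sample_apk`), the `com.example.app` package name, the secret patterns and the in-memory sample APK are all constructed for the demonstration. It opens the APK with Python's `zipfile` (no renaming needed), lists the DEX and native-library entries, scans text assets under `assets/` and `res/raw/` for credential-looking strings, and estimates how many of your own classes still carry readable names by regex-matching type descriptors in the raw DEX bytes, which is a heuristic and not a DEX parser.

```python
import io
import re
import zipfile
from typing import Dict, List, Tuple

# Text-like assets worth scanning for plaintext secrets (constructed list; extend as needed).
TEXT_SUFFIXES = (".json", ".txt", ".properties", ".xml", ".js", ".html", ".yaml", ".yml", ".env")

# Credential-looking patterns that should not ship in a release build (constructed, not exhaustive).
SECRET_PATTERNS = [
    re.compile(rb"(?i)(api[_-]?key|secret|password|token)['\"]?\s*[:=]\s*['\"]?[A-Za-z0-9_\-]{8,}"),
    re.compile(rb"AKIA[0-9A-Z]{16}"),  # shape of an AWS access key id
]

# DEX files store type descriptors as plain MUTF-8 strings, e.g. "Lcom/example/app/LoginActivity;",
# so a regex over the raw bytes finds class names without a full DEX parser.
DESCRIPTOR_RE = re.compile(rb"L([A-Za-z0-9_$/]+);")


def find_secrets(zf: zipfile.ZipFile) -> List[Tuple[str, str]]:
    """Return (entry name, matched text) for credential-looking strings in text assets."""
    hits: List[Tuple[str, str]] = []
    for name in zf.namelist():
        if name.startswith(("assets/", "res/raw/")) and name.endswith(TEXT_SUFFIXES):
            data = zf.read(name)
            for pattern in SECRET_PATTERNS:
                for match in pattern.finditer(data):
                    hits.append((name, match.group(0)[:60].decode("ascii", "replace")))
    return hits


def obfuscation_ratio(dex: bytes, package_prefix: str) -> float:
    """Fraction of classes under package_prefix whose simple name is at most two characters,
    i.e. looks renamed by R8/ProGuard. Heuristic only: nested-class suffixes such as $1 are ignored."""
    prefix = package_prefix.replace(".", "/").encode() + b"/"
    total = short = 0
    for match in DESCRIPTOR_RE.finditer(dex):
        path = match.group(1)
        if not path.startswith(prefix):
            continue  # framework or third-party class, not ours
        simple = path.rsplit(b"/", 1)[-1].split(b"$", 1)[0]
        total += 1
        if len(simple) <= 2:
            short += 1
    return short / total if total else 0.0


def inspect_apk(apk, package_prefix: str) -> Dict[str, object]:
    """apk is a file path or a file-like object; an APK is a ZIP with a fixed layout."""
    with zipfile.ZipFile(apk) as zf:
        names = zf.namelist()
        dex_blob = b"".join(zf.read(n) for n in names if n.endswith(".dex"))
        return {
            "entries": len(names),
            "dex_files": sorted(n for n in names if n.endswith(".dex")),
            "native_libs": sorted(n for n in names if n.startswith("lib/") and n.endswith(".so")),
            "obfuscation_ratio": obfuscation_ratio(dex_blob, package_prefix),
            "secret_hits": find_secrets(zf),
        }


def build_sample_apk() -> io.BytesIO:
    """Constructed stand-in for a release APK so the script runs offline; not a real build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<binary manifest placeholder>")
        # Two readable class names and two renamed ones, plus framework types that must be ignored.
        zf.writestr("classes.dex", b"dex\n035\x00"
                    b"Lcom/example/app/LoginActivity;Lcom/example/app/LoginActivity$1;"
                    b"Lcom/example/app/a;Lcom/example/app/b;"
                    b"Landroid/app/Activity;Ljava/lang/String;")
        zf.writestr("assets/config.json", b'{"api_key": "sk_live_0123456789abcdef", "theme": "dark"}')
        zf.writestr("res/raw/settings.properties", b"aws.key=AKIAABCDEFGHIJKLMNOP\n")
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF placeholder")
        zf.writestr("META-INF/CERT.RSA", b"signature placeholder")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # For a real build: inspect_apk("app-release.apk", "com.example.app")
    report = inspect_apk(build_sample_apk(), "com.example.app")
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample the report shows one DEX file, one native library, an obfuscation ratio of 0.5 (two of the four `com.example.app` classes still have readable names) and two secret hits, which is exactly the kind of finding to take to the team alongside the MobSF report. On a real build, treat a low ratio as a prompt to revisit your `-keep` rules in the ProGuard Playground, and treat every secret hit as something to triage rather than as a confirmed leak, since the patterns are deliberately broad.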