Mobile Application Security
|
|
- Wilfrid Preston
- 8 years ago
- Views:
Transcription
1 Mobile Application Security Jack Mannino Anand Vemuri June 25, 2015
2 About Us Jack Mannino CEO at nvisium UI and UX development impaired Enjoys: Scala, Elixir Tolerates: Java Allergic To: Cats, Pollen,.NET Anand Vemuri AppSec Consultant at nvisium Tech Junkie, JavaScript Ninja Wannabe Software Dev-turned-Hacker Bamboo Flute Player
3 Disclaimer: Mobile device management (MDM) is not mobile application security.
4 What is Mobile Security? Access Privacy Safety Apps are built for users, so as developers we must ensure that users are not compromised
5 What s the big deal? Integration with many other services IoT Wearables Payments Other API s
6 Mobile Architectures and Attack Surface
7 Mobile Architectures and Attack Surface
8 Mobile Architectures and Attack Surface
9 Secure Communications Not Just HTTP Other protocols NFC Bluetooth/Bluetooth LE Issues related to Ignoring certificate exceptions Trusting all certificates Fallback to plain text Improper key exchange Weak algorithms/ciphers
10 Public Key Infrastructure Registration Authorities validate user identity Certificate Authority verifies and issues certificate Validation Authority validates certificate
11 Self-Signed Certs User can sign the cert by themselves. If apps accept selfsigned certs then attackers can execute SSL MITM attacks.
12 Demo: MITM
13 Certificate Pinning Pin the client-certificate known to be used to the server Removes CA from the equation Prevents against Self-Signed Cert attacks Significantly reduces threat of rogue certs *Note: If you are pentesting apps with cert pinning you can use ios Kill Switch or Android s SSL bypass tool. Use at your own risk!
14 Securing Communications Disable HTTP endpoints and avoid falling back to plain-text If a request over TLS fails, kill the socket, don t default back to HTTP. Don t use self-signed certs just because it s easier Use Certificate Pinning Perfect Forward Secrecy Use HSTS, use TLS, avoid SSL
15 Data Storage and Privacy Sensitive Info Shared Preferences SQLite Storage Access Framework Logs, caches, temp files, etc. Privacy What to collect Who to share it with Ask for consent
16 Storing Sensitive Information Avoid storing sensitive information in SQLite or Shared Preferences Attackers can trivially dump these databases If sensitive data must be stored on a client device, then the data store should be properly encrypted External Storage has weaker permissions. net/sqlcipher/
17 Privacy Collect only whatever data is needed for the app Do you know what gets sent to your ad and analytics services? Children s online privacy protection act coppa.org/
18 Privacy
19 Privacy
20 Demo: Insecure Data Storage
21 Encryption Encryption Symmetric/Asymmetric Encryption weak hashing weak algorithms and ciphers (ECB etc) Key Storage Keystore ephemeral (bad) hardcode or store Hardware-Backed Storage
22 Encryption
23 Authentication To a device pin/password biometrics, Smart Unlock To the local application local passcode To a remote service username/password certificates 3rd party provider/api
24 Remote Authentication Correct: Users should properly authenticate to the application and be granted a session token. Incorrect: Your imagination is the limit. Identity management is complicated
25 Authorization : Insecure Direct Object Reference Common Web Vulnerability OWASP A4 Backend service does not restrict references to restricted resources.
26 App-To-App Authorization Permissions - required to use certain APIs or components Intent filter - Specifies the criteria for Intents it accepts based on the intent s action, data, category etc. Exported By Default - Android Studio exports Services and Broadcast Receivers by default Malicious apps can leverage misconfigured permissions to abuse components within other apps
27 Demo: Abusing Broadcast Receivers
28 Conclusions Secure all communications! Certificate Pinning Store your data securely Encrypt any sensitive data on client. Respect User Privacy AuthN & AuthZ Permissions & Identity Don t trust users!
29 Thank You Jack Mannino, CEO of nvisium Linkedin: Blog: Anand Vemuri, AppSec Consultant at nvisium Linkedin: Blog:
Best Practice Guide (SSL Implementation) for Mobile App Development 最 佳 行 事 指 引. Jointly published by. Publication version 1.
Best Practice Guide (SSL Implementation) for Mobile App Development 流 動 應 用 程 式 (SSL 實 施 ) 最 佳 行 事 指 引 香 港 電 腦 事 故 協 調 中 心 ] Jointly published by [ 專 業 資 訊 保 安 協 會 ] Hong Kong Computer Emergency Response
More informationSSL implementieren aber sicher!
SSL implementieren aber sicher! Karlsruher Entwicklertag 2014 21.05.2014 Dr. Yun Ding SSL in the news 2011 2012 2013 2014 BEAST CRIME Lucky 13 Compromised CAs RC4 biases BREACH DRBG Backdoor Apple goto
More informationSSL BEST PRACTICES OVERVIEW
SSL BEST PRACTICES OVERVIEW THESE PROBLEMS ARE PERVASIVE 77.9% 5.2% 19.2% 42.3% 77.9% of sites are HTTP 5.2% have an incomplete chain 19.2% support weak/insecure cipher suites 42.3% support SSL 3.0 83.1%
More informationMike Zusman 3/7/2011. OWASP Goes Mobile SANS AppSec Summit 2011
Mike Zusman 3/7/2011 OWASP Goes Mobile SANS AppSec Summit 2011 Agenda Introductions OWASP Summit Recap OWASP Mobile Top 10 v0.1 (DRAFT) 2 Who Are We Other than carbon-based multi-cellular life forms 3
More informationIndependent Security. Prepared for:
Independent Security Report (isr) Prepared for: isec Partners Final Report Independent Security Report (isr) Page 2 of 10 2014, isec Partners, Inc. Prepared by isec Partners, Inc. for Wickr. Portions of
More informationHow the Barracuda Web Application Firewall Secures Your Mobile and IoT Services. Whitepaper
How the Barracuda Web Application Firewall Secures Your Mobile and IoT Services Whitepaper Executive Summary The mobile application space has experienced an unprecedented growth in recent years, and it
More informationPenetration Testing for iphone Applications Part 1
Penetration Testing for iphone Applications Part 1 This article focuses specifically on the techniques and tools that will help security professionals understand penetration testing methods for iphone
More informationSecure Coding in Node.js
Secure Coding in Node.js Advanced Edition Copyright 2015 nvisium LLC 590 Herndon Parkway Suite 120, Herndon VA 20170 571.353.7551 www.nvisium.com 1 Introduction Seth Law VP of Research & Development @
More informationBuilding a Mobile App Security Risk Management Program. Copyright 2012, Security Risk Advisors, Inc. All Rights Reserved
Building a Mobile App Security Risk Management Program Your Presenters Who Are We? Chris Salerno, Consultant, Security Risk Advisors Lead consultant for mobile, network, web application penetration testing
More informationIs Your SSL Website and Mobile App Really Secure?
Is Your SSL Website and Mobile App Really Secure? Agenda What is SSL / TLS SSL Vulnerabilities PC/Server Mobile Advice to the Public Hong Kong Computer Emergency Response Team Coordination Centre 香 港 電
More informationSECURING MOBILE APPLICATIONS
SECURING MOBILE APPLICATIONS Ulf Larson Göteborg ulf.larson@owasp.org ulf.larson@adecco.se A REAL WORLD EXAMPLE TO GET US STARTED Google ClientLogin Authentication Protocol https un/pw auth token... Google
More informationSSL and Browsers: The Pillars of Broken Security
SSL and Browsers: The Pillars of Broken Security Ivan Ristic Wolfgang Kandek Qualys, Inc. Session ID: TECH-403 Session Classification: Intermediate SSL, TLS, And PKI SSL (or TLS, if you prefer) is the
More informationAPPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK
APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK John T Lounsbury Vice President Professional Services, Asia Pacific INTEGRALIS Session ID: MBS-W01 Session Classification: Advanced
More informationSSL: Paved With Good Intentions. Richard Moore rich@westpoint.ltd.uk
SSL: Paved With Good Intentions Richard Moore rich@westpoint.ltd.uk Why do we need SSL? Privacy Online shopping Online banking Identity Protection Data Integrity Early SSL First public version was SSLv2
More informationImplementation Vulnerabilities in SSL/TLS
Implementation Vulnerabilities in SSL/TLS Marián Novotný novotny@eset.sk ESET, spol. s r.o. Bratislava, Slovak Republic Abstract SSL/TLS protocol has become a standard way for establishing a secure communication
More informationWorkday Mobile Security FAQ
Workday Mobile Security FAQ Workday Mobile Security FAQ Contents The Workday Approach 2 Authentication 3 Session 3 Mobile Device Management (MDM) 3 Workday Applications 4 Web 4 Transport Security 5 Privacy
More informationSecurity Testing Guidelines for mobile Apps
The OWASP Foundation http://www.owasp.org Security Testing Guidelines for mobile Apps Florian Stahl Johannes Ströher AppSec Research EU 2013 Who we are Florian Stahl Johannes Ströher Lead Consultant for
More informationMobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus
Mobile Application Hacking for Android and iphone 4-Day Hands-On Course Syllabus Android and iphone Mobile Application Hacking 4-Day Hands-On Course Course description This course will focus on the techniques
More informationProject X Mass interception of encrypted connections
Project X Mass interception of encrypted connections What? SSL/TLS interception TOR interception ...a thorny path Common Issues Public Key Pinning avoids rogue CA to sign certs Common Issues Google and
More informationCriteria for web application security check. Version 2015.1
Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-
More informationSSL Interception Proxies. Jeff Jarmoc Sr. Security Researcher Dell SecureWorks. and Transitive Trust
SSL Interception Proxies Jeff Jarmoc Sr. Security Researcher Dell SecureWorks and Transitive Trust About this talk History & brief overview of SSL/TLS Interception proxies How and Why Risks introduced
More informationCompTIA Mobile App Security+ Certification Exam (Android Edition) Live exam ADR-001 Beta Exam AD1-001
CompTIA Mobile App Security+ Certification Exam (Android Edition) Live exam ADR-001 Beta Exam AD1-001 INTRODUCTION This exam will certify that the successful candidate has the knowledge and skills required
More informationTLS/SSL in distributed systems. Eugen Babinciuc
TLS/SSL in distributed systems Eugen Babinciuc Contents 1. Introduction to TLS/SSL 2. A quick review of cryptography 3. TLS/SSL in distributed systems 4. Conclusions Introduction to TLS/SSL TLS/SSL History
More informationMobile Security Framework
Automated Mobile Application Security Testing with Mobile Security Framework Ajin Abraham About Me! Security Consultant @ Yodlee! Security Engineering @ IMMUNIO! Next Gen Runtime Application Self Protection
More informationUsing Foundstone CookieDigger to Analyze Web Session Management
Using Foundstone CookieDigger to Analyze Web Session Management Foundstone Professional Services May 2005 Web Session Management Managing web sessions has become a critical component of secure coding techniques.
More informationMobile Application Threat Analysis
The OWASP Foundation http://www.owasp.org Mobile Application Threat Analysis Ari Kesäniemi Nixu Copyright The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under
More informationCompTIA Mobile App Security+ Certification Exam (ios Edition) Live exam IOS-001 Beta Exam IO1-001
CompTIA Mobile App Security+ Certification Exam (ios Edition) Live exam IOS-001 Beta Exam IO1-001 INTRODUCTION This exam will certify that the successful candidate has the knowledge and skills required
More informationDashlane Security Whitepaper
Dashlane Security Whitepaper November 2014 Protection of User Data in Dashlane Protection of User Data in Dashlane relies on 3 separate secrets: The User Master Password Never stored locally nor remotely.
More informationSecuring ios Applications. Dr. Bruce Sams, OPTIMAbit GmbH
Securing ios Applications Dr. Bruce Sams, OPTIMAbit GmbH About Me President of OPTIMAbit GmbH Responsible for > 200 Pentests per Year Ca 50 ios Pentests and code reviews in the last two years. Overview
More informationSecurity Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0
Security Guide BlackBerry Enterprise Service 12 for ios, Android, and Windows Phone Version 12.0 Published: 2015-02-06 SWD-20150206130210406 Contents About this guide... 6 What is BES12?... 7 Key features
More informationMobile Identity: Improved Cybersecurity, Easier to Use and Manage than Passwords. Mika Devonshire Associate Product Manager
Mobile Identity: Improved Cybersecurity, Easier to Use and Manage than Passwords Mika Devonshire Associate Product Manager 1 Agenda 2 What is Cybersecurity? Quick overview of the core concepts 3 Cybercrime
More informationWhen Security Gets in the Way. PenTesting Mobile Apps That Use Certificate Pinning
When Security Gets in the Way PenTesting Mobile Apps That Use Certificate Pinning Justine Osborne Alban Diquet Outline What is Certificate Pinning? Definition and Background Consequences for Mobile Blackbox
More informationMobile Security Attacks
AppSec IL 2014 Mobile Security Attacks A Glimpse From the Trenches Yair Amit CTO & Co-Founder Skycure @YairAmit Adi Sharabani CEO & Co-Founder Skycure @AdiSharabani About the Presenters Adi Sharabani Yair
More informationMobile Application Hacking for ios. 3-Day Hands-On Course. Syllabus
Mobile Application Hacking for ios 3-Day Hands-On Course Syllabus Course description ios Mobile Application Hacking 3-Day Hands-On Course This course will focus on the techniques and tools for testing
More informationCriminal charges are not pursued: Hacking PKI
Criminal charges are not pursued: Hacking PKI Mike Zusman Principal Consultant mike.zusman@intrepidusgroup.com About the Title From StartCom Critical Event Report https://blog.startcom.org/?p=161 Thanks
More informationA Study of What Really Breaks SSL HITB Amsterdam 2011
A Study of What Really Breaks SSL HITB Amsterdam 2011 v1.0 Ivan Ristic Michael Small 20 May 2011 Agenda 1. State of SSL 2. Quick intro to SSL Labs 3. SSL Configuration Surveys 4. Survey of Actual SSL Usage
More informationWestcon Presentation on Security Innovation, Opportunity, and Compromise
Westcon Presentation on Security Innovation, Opportunity, and Compromise Christian A. Christiansen Program Vice President IDC Security Products & Services What s Happening with Threats? 1.5B 80% 33% $1.3M
More informationThe Seven Habits of State-of-the-Art Mobile App Security
#mstrworld The Seven Habits of State-of-the-Art Mobile App Security Mobile Security 8 July 2014 Anand Dwivedi, Product Manager, MicroStrategy strworld Agenda - Seven Habits of State of the Art Mobile App
More informationUNITED STATES OF AMERICA FEDERAL TRADE COMMISSION
UNITED STATES OF AMERICA FEDERAL TRADE COMMISSION 132 3091 COMMISSIONERS: Edith Ramirez, Chairwoman Julie Brill Maureen K. Ohlhausen Joshua D. Wright ) In the Matter of ) DOCKET NO. ) Credit Karma, Inc.,
More informationSascha Fahl, Marian Harbach, Matthew Smith. Usable Security and Privacy Lab Leibniz Universität Hannover
Hunting Down Broken SSL in Android Apps Sascha Fahl, Marian Harbach, Matthew Smith Usable Security and Privacy Lab Leibniz Universität Hannover OWASP AppSec 2013 Seite 1 Appification There s an App for
More informationMobile Device Mismanagement Vulnerabili*es in MDM Solu*ons and their impact
Mobile Device Mismanagement Vulnerabili*es in MDM Solu*ons and their impact Stephen Breen 06 AUG 2014 Bios Stephen Breen Senior Consultant Christopher Camejo Director of Assessment Services 2 Contents
More information3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management
What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org
More informationBUILDING SECURITY IN. Analyzing Mobile Single Sign-On Implementations
BUILDING SECURITY IN Analyzing Mobile Single Sign-On Implementations Analyzing Mobile Single Sign-On Implementations 1 Introduction Single sign-on, (SSO) is a common requirement for business-to-employee
More informationAn Analysis of Twitter s App Based Two- Factor Authentication and Recovery System
An Analysis of Twitter s App Based Two- Factor Authentication and Recovery System By Alexander Tong December 2014 Abstract This paper attempts to analyze the potential of app based two- factor authentication
More informationDetecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008
Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr
More informationSSL Server Rating Guide
SSL Server Rating Guide version 2009j (20 May 2015) Copyright 2009-2015 Qualys SSL Labs (www.ssllabs.com) Abstract The Secure Sockets Layer (SSL) protocol is a standard for encrypted network communication.
More informationSecurity Protocols/Standards
Security Protocols/Standards Security Protocols/Standards Security Protocols/Standards How do we actually communicate securely across a hostile network? Provide integrity, confidentiality, authenticity
More informationPentesting Android Apps. Sneha Rajguru (@Sneharajguru)
Pentesting Android Apps Sneha Rajguru (@Sneharajguru) About Me Penetration Tester Web, Mobile and Infrastructure applications, Secure coding ( part time do secure code analysis), CTF challenge writer (at
More informationUnderstanding and evaluating risk to information assets in your software projects
Understanding and evaluating risk to information assets in your software projects ugh.. what a mouthful Dana Epp Windows Security MVP Who am I? Microsoft Windows Security MVP Information Security Professional
More informationThick Client Application Security
Thick Client Application Security Arindam Mandal (arindam.mandal@paladion.net) (http://www.paladion.net) January 2005 This paper discusses the critical vulnerabilities and corresponding risks in a two
More informationSpirent Abacus. SIP over TLS Test 编 号 版 本 修 改 时 间 说 明
Spirent Abacus SIP over TLS Test 编 号 版 本 修 改 时 间 说 明 1 1. TLS Interview (Transport Layer Security Protocol) (1) TLS Feature Introduction: 1. TLS is a successor of Secure Sockets Layer (SSL), a cryptographic
More informationA brief on Two-Factor Authentication
Application Note A brief on Two-Factor Authentication Summary This document provides a technology brief on two-factor authentication and how it is used on Netgear SSL312, VPN Firewall, and other UTM products.
More informationWhat is Web Security? Motivation
brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web
More informationPowerChute TM Network Shutdown Security Features & Deployment
PowerChute TM Network Shutdown Security Features & Deployment By David Grehan, Sarah Jane Hannon ABSTRACT PowerChute TM Network Shutdown (PowerChute) software works in conjunction with the UPS Network
More informationSSL Report: ebfl.srpskabanka.rs (91.240.6.48)
Home Projects Qualys.com Contact You are here: Home > Projects > SSL Server Test > SSL Report: (91.240.6.48) Assessed on: Sun, 03 Jan 2016 15:46:07 UTC HIDDEN Clear cache Scan Another» Summary Overall
More informationSalesforce1 Mobile Security Guide
Salesforce1 Mobile Security Guide Version 1, 1 @salesforcedocs Last updated: December 8, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com,
More informationDEF CON 19: Getting SSLizzard. Nicholas J. Percoco Trustwave SpiderLabs Paul Kehrer Trustwave SSL
DEF CON 19: Getting SSLizzard Nicholas J. Percoco Trustwave SpiderLabs Paul Kehrer Trustwave SSL Agenda Introductions Primer / History: SSL and MITM Attacks Mobile SSL User Experience Research Motivations
More informationWeb Application Entity Session Management using the eid Card Frank Cornelis 03/03/2010. Fedict 2010. All rights reserved
Web Application Entity Session Management using the eid Card Frank Cornelis 03/03/2010 Fedict 2010. All rights reserved What is Entity Authentication? Entity authentication is the process whereby one party
More informationSecurity Guide vcenter Operations Manager for Horizon View 1.5 TECHNICAL WHITE PAPER
Security Guide vcenter Operations Manager for Horizon View 1.5 TECHNICAL WHITE PAPER Contents Introduction... 2 Surface Area... 3 SSL Configuration... 5 Authentication... 6 Adapter... 6 Broker Agent...
More informationEmbracing BYOD. Without Compromising Security or Compliance. Sheldon Hebert SVP Enterprise Accounts, Fixmo. Sheldon.Hebert@fixmo.
Embracing BYOD Without Compromising Security or Compliance The Mobile Risk Management Company Sheldon Hebert SVP Enterprise Accounts, Fixmo Sheldon.Hebert@fixmo.com New Realities of Enterprise Mobility
More informationInternet Banking System Web Application Penetration Test Report
Internet Banking System Web Application Penetration Test Report Kiev - 2014 1. Executive Summary This report represents the results of the Bank (hereinafter the Client) Internet Banking Web Application
More informationMagento Security and Vulnerabilities. Roman Stepanov
Magento Security and Vulnerabilities Roman Stepanov http://ice.eltrino.com/ Table of contents Introduction Open Web Application Security Project OWASP TOP 10 List Common issues in Magento A1 Injection
More informationSitefinity Security and Best Practices
Sitefinity Security and Best Practices Table of Contents Overview The Ten Most Critical Web Application Security Risks Injection Cross-Site-Scripting (XSS) Broken Authentication and Session Management
More informationPentesting Mobile Applications
WEB 应 用 安 全 和 数 据 库 安 全 的 领 航 者! 安 恒 信 息 技 术 有 限 公 司 Pentesting Mobile Applications www.dbappsecurity.com.cn Who am I l Frank Fan: CTO of DBAPPSecurity Graduated from California State University as a Computer
More informationBYOD Guidance: BlackBerry Secure Work Space
GOV.UK Guidance BYOD Guidance: BlackBerry Secure Work Space Published 17 February 2015 Contents 1. About this guidance 2. Summary of key risks 3. Secure Work Space components 4. Technical assessment 5.
More informationHow to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering
How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration
More informationThe increasing popularity of mobile devices is rapidly changing how and where we
Mobile Security BACKGROUND The increasing popularity of mobile devices is rapidly changing how and where we consume business related content. Mobile workforce expectations are forcing organizations to
More informationPentesting iphone Applications. Satishb3 http://www.securitylearn.net
Pentesting iphone Applications Satishb3 http://www.securitylearn.net Agenda iphone App Basics App development App distribution Pentesting iphone Apps Methodology Areas of focus Major Mobile Threats Who
More informationSecurity vulnerabilities in new web applications. Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant
Security vulnerabilities in new web applications Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant $whoami Introduction Pavol Lupták 10+ years of practical experience in security and seeking vulnerabilities
More informationCloud Security is a First Principle:
Cloud Security is a First Principle: Elements of Private Cloud Security Table of Contents Why the Security Minded are Drawn to Private Cloud Deployments....2 Security is the Driver Behind Private Clouds...3
More informationSmart (and safe) Lighting:
Smart (and safe) Lighting: An Overview of Cyber Security October 29, 2015 Jason Brown CISO, Merit Network Agenda 2 The New Normal Discuss Methodologies of Security Recap Q & A Target Hack 3 40,000 credit
More informationTACKYDROID. Pentesting Android Applications in Style
TACKYDROID Pentesting Android Applications in Style THIS TALK IS ABOUT AN APP WE ARE MAKING This talk IS NOT about Android platform itself This talk IS about how we want to contribute auditing apps that
More informationWhite Paper: Multi-Factor Authentication Platform
White Paper: Multi-Factor Authentication Platform Version: 1.4 Updated: 29/10/13 Contents: About zero knowledge proof authentication protocols: 3 About Pairing-Based Cryptography (PBC) 4 Putting it all
More informationSecurity Goals Services
1 2 Lecture #8 2008 Freedom from danger, risk, etc.; safety. Something that secures or makes safe; protection; defense. Precautions taken to guard against crime, attack, sabotage, espionage, etc. An assurance;
More informationSecuring the SSL/TLS channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and Pinning of Certs
OWASP AppSec APAC 2012 The OWASP Foundation http://www.owasp.org Securing the SSL/TLS channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and Pinning of Certs
More informationWhitepaper on identity solutions for mobile devices
Whitepaper on identity solutions for mobile devices How software and hardware features of modern mobile devices can improve the security and user experience of your software Author: Jonas Lindstrøm The
More informationWeb Application Security
Web Application Security Ng Wee Kai Senior Security Consultant PulseSecure Pte Ltd About PulseSecure IT Security Consulting Company Part of Consortium in IDA (T) 606 Term Tender Cover most of the IT Security
More informationTopics in Network Security
Topics in Network Security Jem Berkes MASc. ECE, University of Waterloo B.Sc. ECE, University of Manitoba www.berkes.ca February, 2009 Ver. 2 In this presentation Wi-Fi security (802.11) Protecting insecure
More informationIntroduction to Mobile Access Gateway Installation
Introduction to Mobile Access Gateway Installation This document describes the installation process for the Mobile Access Gateway (MAG), which is an enterprise integration component that provides a secure
More informationAuditing the Security of an SAP HANA Implementation
Produced by Wellesley Information Services, LLC, publisher of SAPinsider. 2015 Wellesley Information Services. All rights reserved. Auditing the Security of an SAP HANA Implementation Juan Perez-Etchegoyen
More informationMobile Applications: The True Potential Risks Where to look for information when performing a Pentest on a Mobile Application
Mobile Applications: The True Potential Risks Where to look for information when performing a Pentest on a Mobile Application Since the introduction of the iphone, Apple has sold more than 315 million
More informationDevice-Centric Authentication and WebCrypto
Device-Centric Authentication and WebCrypto Dirk Balfanz, Google, balfanz@google.com A Position Paper for the W3C Workshop on Web Cryptography Next Steps Device-Centric Authentication We believe that the
More informationThreat Model for Mobile Applications Security & Privacy www.datatheorem.com
Overview Mobile applications (and the devices they run on) are powerful, as they can play music, check email, read documents, purchase products, get directions, play games, watch movies, scan barcodes,
More informationios 8 Security and Privacy Changes
ios 8 Security and Privacy Changes Alban Diquet December 5th, 2014 Agenda Data Protection in ios 8 HealthKit Custom Keyboards Local Authentication Privacy Changes Introduction ios 8.0 was released on September
More informationArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young
ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction
More informationVMware vrealize Operations for Horizon Security
VMware vrealize Operations for Horizon Security vrealize Operations for Horizon 6.2 This document supports the version of each product listed and supports all subsequent versions until the document is
More informationTesting the OWASP Top 10 Security Issues
Testing the OWASP Top 10 Security Issues Andy Tinkham & Zach Bergman, Magenic Technologies Contact Us 1600 Utica Avenue South, Suite 800 St. Louis Park, MN 55416 1 (877)-277-1044 info@magenic.com Who Are
More informationKey & Data Storage on Mobile Devices
Key & Data Storage on Mobile Devices Advanced Computer Networks 2015/2016 Johannes Feichtner johannes.feichtner@iaik.tugraz.at Outline Why is this topic so delicate? Keys & Key Management High-Level Cryptography
More informationApache Milagro (incubating) An Introduction ApacheCon North America
Apache Milagro (incubating) An Introduction ApacheCon North America Apache Milagro will establish a new independent security framework for the Internet A Distributed Cryptosystem Secure the Future of the
More informationResco Mobile CRM Security
Resco Mobile CRM Security Out-of-the-box Security 1. Overview The Resco Mobile CRM application (client) communicates directly with the Dynamics CRM server. The communication uses standard Dynamic CRM Web
More informationSAS Mobile BI Security and the Mobile Device
SAS Mobile BI Security and the Mobile Device Version 1.0 April 24, 2015 Contents Introduction...1 Security Features Provided by SAS Mobile BI and SAS Visual Analytics...2 Introduction... 2 Lock the SAS
More informationFINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
More informationSecure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213
Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213 UNCLASSIFIED Example http ://www. greatstuf f. com Wants credit card number ^ Look at lock on browser Use https
More informationIntroduction to the EIS Guide
Introduction to the EIS Guide The AirWatch Enterprise Integration Service (EIS) provides organizations the ability to securely integrate with back-end enterprise systems from either the AirWatch SaaS environment
More informationOut of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet
Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development
More informationProto Balance SSL TLS Off-Loading, Load Balancing. User Manual - SSL. http://www.protonet.co.za/
Proto Balance SSL TLS Off-Loading, Load Balancing http://www.protonet.co.za/ User Manual - SSL Copyright c 2003-2010 Shine The Way 238 CC. All rights reserved. March 13, 2010 Contents 1. Introduction........................................................................
More informationAPI Architecture. for the Data Interoperability at OSU initiative
API Architecture for the Data Interoperability at OSU initiative Introduction Principles and Standards OSU s current approach to data interoperability consists of low level access and custom data models
More informationCTS2134 Introduction to Networking. Module 8.4 8.7 Network Security
CTS2134 Introduction to Networking Module 8.4 8.7 Network Security Switch Security: VLANs A virtual LAN (VLAN) is a logical grouping of computers based on a switch port. VLAN membership is configured by
More information