ebook img

Deep Dive: PenTesting the Android and iPhone PDF

165 Pages·2011·10.68 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Deep Dive: PenTesting the Android and iPhone

Deep Dive: PenTesting the Android and iPhone Session 1 October 4th, 2011 11:00AM Max Veytsman & Subu Ramanathan Us Security Consultants from Toronto   Specialize in application security   Especially mobile security   [email protected]   @mveytsman   [email protected]   @subuonsecurity   MIS Training Institute Session 1 - Slide 2 © Security Compass 2011 You Security analysts, developers or QA testers   Fairly familiar with web application pentesting   Intrigued by mobile applications   Have attempted to root an Android or Jailbreak an iOS   device Some knowledge of programming   MIS Training Institute Session 1 - Slide 3 © Security Compass 2011 This Workshop Introducing ExploitMe Mobile   Mobile threat model   What you need to know about Android and iPhone   Intercepting traffic   Filesystem access   Static analysis   Runtime analysis (Bonus!)   Mobile cryptography pitfalls (Bonus!)   MIS Training Institute Session 1 - Slide 4 © Security Compass 2011 Demo INTRODUCING EXPLOITME MOBILE MIS Training Institute Session 1 - Slide 5 © Security Compass 2011 ExploitMe Mobile iPhone Labs   http://securitycompass.github.com/iPhoneLabs/   Android Labs   http://securitycompass.github.com/AndroidLabs/   Server   https://github.com/securitycompass/LabServer   MIS Training Institute Session 1 - Slide 6 © Security Compass 2011 MOBILE THREAT MODEL MIS Training Institute Session 1 - Slide 7 © Security Compass 2011 What can the developers get wrong? Backend implementation   Client behavior   Client-server communication   MIS Training Institute Session 1 - Slide 8 © Security Compass 2011 Backend Mobile backend implementations are all susceptible to   Authentication/Authorization issues   Privilege escalation   Input validation errors   Injection   Threat model is the same as a web app   MIS Training Institute Session 1 - Slide 9 © Security Compass 2011 Client Insecure data storage   Poor cryptography   Overzealous Logging   Eg. Old Android browser   Memory leakage   Input validation   Eg. Skype XSS bug   Threat includes lost/stolen phone and mobile malware   MIS Training Institute Session 1 - Slide 10 © Security Compass 2011

Description:
Deep Dive: PenTesting the. Android and iPhone. Session 1. October 4th, 2011. 11:00AM. Max Veytsman & Subu Ramanathan
See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.