DeviceSec vs. AppSec

1 hour 12 minutes
Video Transcription
Hey, folks, this is Mobile AppSec 101. I am Tony Ramirez and I am a senior application security analyst at NowSecure. Today we're going into our third video, DeviceSec vs. AppSec. We're gonna cover some interesting things today.
So, like I just said, we're getting into some interesting topics, and it mainly is around the differences between device and app security and really how they differ. And, you know, how app developers have this dilemma of trust within the app store, with devices and with their users. But not only that, we're going to talk about the importance of rooted and jailbroken devices for app security, and really, they are kind of the cornerstone for doing successful mobile security.
So, like I said before, we really want to dig into this issue of, you know, device and mobile app security being two different things, and they really are two worlds apart.
They have different goals. You have to have different skills to do one over the other. And it comes down to this idea that you really have very little control as an app developer, and when I say very little control, let's actually dig into what that actually means.
It really starts off with what device your app is going to be installed on. You know, you don't have control if it's gonna be an old device, not updated, jailbroken, rooted. And there's other things that come to mind, because OEMs change things. They have issues in their devices. And really, you don't have control over that.
The device your app is going to be installed on is out of control of the enterprise.
The other thing you have no control over is the other apps that are on that device. People can put malicious VPN apps, they can put malware on their devices, they can even put market data apps where they're giving up market data from their device to some other app for something in return. And that's more common than you think. Those are apps that could be on the iOS or Android app store. And again, they could be violating the privacy of your users from your app because they're collecting data from your app.
The other end is where that device connects. The big challenge with mobile is mobile devices are really convenient. You can carry them anywhere; they fit in your pocket. It also means that it's really convenient to connect to any WiFi or malicious charger that might be out there. There are other dangerous peripherals, so one example of a dangerous peripheral might be, recently at the last DEF CON, they were talking about how people were creating fake chargers that could collect information from your device, these malicious USB chargers that could collect not only device logs but other things as well. And they could do other stuff.
And that's a perfect example of something else that you would have no control over as a developer when developing your app. Because again, what that device connects to, how that device connects is really again out of your control, and it leads to another one: who uses that device, you have no control over. That could be, you know, somebody a little older who doesn't really understand security, is, you know, just trying to get by. You have curious kids, you have reverse engineers, and then you have real criminals, really, people who want to understand how that app runs because there is some financial gain to breaking an app, stealing that IP, doing something, and these are all possible issues. You can have a user who really doesn't know what they're doing. And they could be connecting to that malicious WiFi or not updating their device. Or, you know, having a device that's six or seven years old. And that's a possibility. And those are things you just wouldn't have any control over.
And that brings us to this topic of, you know, jailbroken and rooted devices. Um, if you're not familiar with them, it's really good to understand them because they are crucial to mobile application security testing. We'll get to why in a moment. But before we actually talk about why they're important, let's talk a little bit about, like, how they're used today, because again, they're really prevalent.
There's a lot of forums out there that explain how to use them, what to use them for, how people are using them today and really, it comes down to just a few things.
People are trying to customize their devices, you know, they're hackers, breakers, they're builders, and they just want to do special things. I want to play, you know, old ROMs on them. Not only that, but they want to customize the UI; they want to make their device look like something from, like, a Fallout game or something. They might be trying to just develop malware. They might be trying to see how they can create malware that does certain specific, malicious things on a device. They want to carrier unlock their device. That's another reason somebody might root or jailbreak their device: to get around those protections or those controls that prevent them from doing other things that they might want to do. And that leads into a really common one, which is piracy. If you have a paid-for app and you want to get around that pay-for barrier, piracy on jailbroken, rooted devices is really common.
But there's one that's really important. And we have to keep this in mind because these are tools, and they're tools for security researchers; they're incredibly important. And really, they are kind of the cornerstone for successful security.
The thing with these jailbroken devices and rooted devices is they're giving privileged access. Privileged access means getting access to private folders on that device that the user wouldn't otherwise have access to on a non-rooted or non-jailbroken device, getting access to Keychain, which is hardware-backed storage, or being able to bypass TLS protections because we want to look at what's in that TLS tunnel that the app is creating. Looking at what's in the process, the memory. Seeing how API calls are being performed and actually debug the runtime of your application and just instrument it. And these are things that rooted and jailbroken devices offer us, because really, they're things that are difficult to do without. You can't always do them with emulators. You can't always do them with devices that, you know, you might get through the developer tools, and they're just an advantage. And the thing, too, is that people are creating tools to use these tools. So jailbroken, rooted devices, yes, they can be used for malicious means, but they are just another tool in the security researcher's vault.
So one major tip I will give you for app security, if you're really interested in building your program, is buy a device. Buy a mobile app security testing device, and what I mean by that: buy a device that's not only jailbreakable or rootable, depending on, you know, if it's Android or iOS. Jailbreak is typically an iOS term; root is an Android term. But I also recommend, you know, looking at different versions of those devices, looking at, you know, how those devices get updated, because jailbreaks are actually really complicated. You have to be on a certain version of the OS, versus on Android, you know, sometimes certain devices are locked because the OEMs create them in such a way that they don't want you rooting them or jailbreaking them or getting access to folders that are, you know, in their control.
The other thing, too, is, like, tablet apps are different than, you know, typical device apps, so you may find that you also need a tablet.
But my other tip is avoid emulators, because emulators can run your app differently than they would run on a regular device. And having, you know, a real device is really an important thing for AppSec. If you're really interested in mobile application security, you need these devices, you need to be able to jailbreak them and root them, and it's a crucial part of security testing.
To conclude our video, we covered a lot of topics today. We talked a little bit about device security versus app security and really, why there's this whole complicated notion of trust in app security and how we really can't trust their device. We can't trust our users, and we can't trust the other apps on that device. So really, we have to test our apps in a way that is useful to us. And that means using jailbroken and rooted devices. Because, really, that's the tools that are being created today. Use those. The other thing, too, is making sure you have those tools and using the right ones to actually get the most out of mobile app security.
I hope this video was useful, and I look forward to seeing you in the next one.