Hey, folks, this is Mobile AppSec 101. I'm Tony Ramirez, and this is a Cybrary course on mobile application security testing.
This course is made for people who are getting into mobile application security testing, maybe have some experience in web, or are trying to build policy for their organization on how to handle their mobile apps. This is also great if you're a student who has not really been introduced to the application security world and kind of want to understand what's going on in mobile. This is a great introductory course,
and I hope you watch it and I hope you enjoy.
I am Tony Ramirez, senior application security analyst at NowSecure. I pen test mobile apps, help people learn how to pen test mobile apps, and help them build policy and baselines for their apps in house.
I also enjoy cooking and guitar playing, and you can reach out to me on my email or Twitter. If you want to hit me up, please do. If you have any questions about mobile or anything else, please hit me up. I'm more than happy to respond and talk to you. I really enjoy what we're doing here and, you know, any of your questions, more than happy to help.
Before we dive in, I think it's important to kind of cover some course materials that will be useful for you as you try to start your journey in mobile. What I found really helpful are guidelines that OWASP is creating, along with some understanding of what the attack surface is in mobile and some other things that are pretty helpful.
These course materials aren't necessary to complete the course,
but I will say that as you finish the videos up and you start learning more about mobile and try testing apps yourself or building policy yourself, these are really good documents to kind of understand where to go next, and we'll talk about them in later videos. But I thought it would be useful to introduce them earlier on.
Today's video is just an introduction to mobile application security testing and mobile in general. We're gonna cover some brief topics about issues in mobile and the differences between web application security and mobile applications. To start off, I think it's really important to understand why mobile is so important today, and it's actually a really simple reason:
Mobile has become incredibly prevalent.
Everyone has a mobile device today, everyone's using them, and a lot of people are using them not only for their own personal use, but for business uses and various other uses. Really, 10 years ago, if you had said, you know, mobile was gonna be more prevalent than desktops, you might have been laughed at. I would have laughed at you. In fact, I
posted this quote from Steve Jobs that I thought was kind of funny when I heard it.
He thought that, you know, PCs were gonna be a thing of the past, that desktop computers were gonna get replaced.
And the truth is that, looking 10 years back,
this is really true. There are so many mobile devices, and the amount of mobile devices compared to standard desktops is really changing. Like, we're seeing more and more people using mobile for not only just their own use, but business use as well, and that's not gonna go away.
So for any change, there's always kind of another change that happens after that. So, yeah, mobile is really prevalent, and as a result, we're seeing a lot more mobile application security issues. One thing we're seeing is a lot more breaches, a lot more app issues, a lot more over the last few years. I can tell you
from personal experience, in the last
2.5 years, the amount of mobile in the news has really grown a lot,
and that's not going to go away. As we've seen more mobile devices, more mobile apps, we're gonna keep seeing more mobile issues, and we're gonna see more mobile in the news. And really, you don't want that to happen to you.
Another thing we're noticing is that a lot of the apps in the app stores are just not secure. We're finding that 85% of apps on the app store have at least one security vulnerability, and almost half have a privacy issue. That means that there's at least probably one app on your device that has a privacy issue today.
There's at least one app on your device that has some vulnerability on there,
and you know, that's really frightening because that tells you that
the vetting that's being done by the app store may not be enough to protect you as a user, but not only you as a user, as somebody who runs an enterprise and puts apps on, you know, workforce devices. And that is a major issue.
What kind of adds on to that whole issue is it isn't just,
you know, low-risk vulnerability issues.
A lot of the issues we're finding are, in fact, high-risk issues, but not only high-risk issues, issues that should be found pretty early on in testing processes or code review processes, and a perfect example of one that should be caught in the code review
is use of system logs. Applications are written and they're tested, and system log is a great way to debug apps.
But leaving debug code in a production app is a big no-no, because it's unnecessary, it's extraneous functionality, and it is data security leakage. So when we're seeing applications do that, that's telling us that nobody is reviewing these apps. The other thing is, we're seeing a lot of use of HTTP, and we all know HTTP is bad and should go away, and it's,
you know, 2020, and our whole 2020 goal is to never use HTTP
ever again anymore.
But the truth is that 15 Android apps is using HTTP today, and one in seven iOS apps is using HTTP, and these are things you would expect to get caught during a security test or some security analysis. And they're not getting caught. These are absolutely ending up on the app store.
So enterprises are not spending enough time testing these apps
and reviewing their code so we can determine that there's a big issue here.
There's another challenge that I think people forget to talk about, and it's that there's a skill gap. For a lot of people, getting into web and moving to mobile is a big change. It isn't something that happens overnight, and it isn't something that I can say is 100% transferable. So
there are some major differences and we're gonna cover those right now.
So if you're not familiar with the OWASP Top 10, the OWASP Top 10 is a guideline. It's basically a list of, okay, these are 10 vulnerabilities that we're seeing more commonly than any others. There's a mobile list, and there's a web list. This has been going on for
quite a while now, and if you're not familiar with it, I highly recommend checking it out because it's a great document to share with developers and security people to understand what the big issues are. So when we look at the Mobile Top 10 and we look at the Web Top 10, we see that
they're pretty different. And not only that, but, like, the issues don't have a lot of overlap. There are a lot of differences here, and it means that, you know, there are some major divides between mobile and web. Mobile and web are really different.
When we actually invest time in determining what is different between mobile and web,
we can really break it down to a few things, and I think the first one that really comes to mind is where your code exists. In mobile, you're installing an app on the device that has your source code. It's a binary, and it's running on that device. In web, it's running on a server. It's going somewhere else;
that server's usually owned by the organization that's developing that code.
In mobile, you know, you're putting that code out in the wild and it's there, and if any IP exists there, any type of, you know, things that you don't have control over exist on that client side, you really don't have control. That's the challenge. On top of that, you know, web has the advantage of browser security and, you know,
it's kind of a totally different animal than mobile, and I'm not gonna comment too much on it. But when you go to a website that isn't using HTTPS correctly, what do you see?
You see a big red screen that says, "Don't go here. This is an insecure connection." In mobile, as it turns out, it's really up to the developer if they want to tell you something's going on, like: are you being man-in-the-middled? Is something happening that's incorrect?
We're gonna talk a little bit about that topic later on in these videos, but that is a major part of the web versus mobile thing, that a lot of stuff on the mobile side has to be done by the developer, and it has to be verified by the developer before that goes out into production. The other thing is, there's a huge
layer of data security that goes into mobile because you're storing data on that device, you're caching files, you're using memory. You're using assets and resources on the device, and in browser security, it's pretty isolated. Not only that, but web applications are all isolated from one another. In mobile,
applications can speak to one another. Applications could be used to authenticate to one another. Applications can share data between one another, and that really kind of creates some chaos. That creates another level, a layer of difficulty when you're doing your testing, when you're considering how your applications interact with one another.
And that's just a whole layer to the attack surface that would never exist in web.
So that kind of leads us to this point: what do we have to learn to become mobile application security experts?
And to become a mobile security expert, we really need to consider what the tools we want to use are, what guidelines we should be following, baselines and methodologies. And, you know, I use this picture here because really, you know, I'm chucking all these balls at you, and you know you're going to be hearing a lot of stuff, but we're gonna be going over this in the next few videos
and, you know, don't get overwhelmed because you can always hit pause, you know, hit replay. You can always rewind, and we're gonna cover all these topics. And you know, I'm here to help you.
So to summarize this video, we covered the mobile security issue and how it's in the news today, how it's growing and how it's really common for these application security issues to exist in the app store. But not only that, there's this divide between mobile and web, and it could be a challenge for people who are in the web world
to transition into mobile, either if they're a developer or security analyst.
And we're gonna dig into all these things. We're gonna make you into an expert. And this is just the first video of the journey. I hope to see you in the next video.