Hey everyone, this is Ken Underhill, Master Instructor at Cybrary. In this video, we're gonna talk about mobile security.
So just a quick pre-assessment question here: weak server side controls is a top item listed on the OWASP Mobile Top 10 from 2016. Is that true or false?
All right, so that's actually false. It was actually the 2014 list that one was on. And that's a pretty easy question if you're familiar at all with the OWASP Top 10 for mobile threats.
So here's our listing here. We're gonna talk through all of these just a little bit.
So improper platform usage is number one. So things like Android intents, permissions, Touch ID, Keychain. So again, just really an attacker improperly using these different items to gain access to your device or to install something on your device.
Insecure data storage, as the name implies, and then also alongside that, data leakage. So we don't want your device leaking out, you know, your personal data, or if it's a company-owned device, we don't want that leaking out any proprietary information.
Insecure communications. So things like poor handshakes, using the wrong SSL versions, weak negotiations, and then sending information in clear text, which we should never, ever be doing.
Insecure authentication. So, you know, not identifying users to make sure that this user is actually legitimate, and then also not continuously identifying, right? So just because someone says "yes, it's me" doesn't mean that it's always gonna actually be them. And then also poor session management as well.
So insufficient cryptography. This one here is actually specifically for cryptography being attempted but not being sufficient, as the name implies, right? So this doesn't apply to missing cryptography. So, for example, if an app should be using cryptography and it fails to do so, this particular one for OWASP doesn't cover that. But this one does cover the fact that the app, you know, whatever it is, has attempted to use cryptography, and it is not sufficient for the needs. So this could be things like using weaker protocols, that sort of stuff.
Insecure authorization. So, you know, things like forced browsing or, ah, different attacks on the client side.
Client code quality. So that's where we talk about things like buffer overflows, format string vulnerabilities. And obviously the solution here is just rewriting code if there's any type of code-level vulnerability that we have with our applications.
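As an added example (not from the video), here are the two client code quality bugs just named, a buffer overflow and a format string bug, with the vulnerable pattern in a comment and a hardened C routine for each beside it; copy_name and format_log_line are hypothetical names for a native app component.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size field, e.g. a username in a native component */

/* Vulnerable pattern from the "client code quality" category (do not use):
 *   char name[NAME_MAX];
 *   strcpy(name, untrusted);   // no length check: stack buffer overflow
 *   printf(untrusted);         // attacker-controlled data becomes the format string
 * The two routines below fix both: every copy is bounded, and user data is
 * never used as a format string. */

/* Copy an untrusted C string into dst (dst_size bytes). Returns 0 on success,
 * -1 if the string plus its terminating NUL does not fit, so the caller gets an
 * explicit failure instead of a silent truncation or an overflow. */
int copy_name(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return -1;
    /* Look for the terminator only within the space we actually have. */
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL) {                 /* no NUL within dst_size: too long */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);   /* copy including the NUL */
    return 0;
}

/* Build a log line about a login attempt. The user-supplied string is always
 * an argument to a fixed format, so "%x" or "%n" inside it is just text.
 * Returns the number of bytes written, or -1 if the line did not fit. */
int format_log_line(char *out, size_t out_size, const char *user)
{
    int w = snprintf(out, out_size, "login attempt: %s", user);
    if (w < 0 || (size_t)w >= out_size)
        return -1;
    return w;
}

int main(void)
{
    char name[NAME_MAX], line[64];
    /* Constructed inputs: one that fits, one oversized, one carrying format directives. */
    printf("copy 'alice': %d\n", copy_name(name, sizeof name, "alice"));
    printf("copy oversized: %d\n", copy_name(name, sizeof name, "a-name-that-is-far-too-long"));
    if (format_log_line(line, sizeof line, "bob%x%n") > 0)
        printf("%s\n", line);          /* the directives are printed literally */
    return 0;
}
```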
Code tampering. So talking about things like binary patching, modifying local resources, doing things like method hooking, swizzling, and then dynamic memory modifications as well.
And then we get into reverse engineering. So with an attacker, what they're trying to do is look at and find the source code, take a look at the libraries used, look at the algorithms. I mean, you could do that sort of stuff with a couple of, ah, binary review tools: IDA Pro, Hopper. There's some other ones out there as well.
Extraneous functionality. So this is where the developer might leave a back door in, or a password listed in the comments, or some other authentication information listed in the comments of the code, as well as, uh, a software developer disabling security measures. So, for example, during the QA process or software testing process, maybe they disabled, like, multi-factor authentication or two-factor authentication. So this would be an example there, and of course, that allows an attacker to then get access through that application, get access to our mobile device.
So how do we secure all this stuff? Well, there's many things that we as, like, an end user can do, right? We could put a screen lock on our phone, so that way somebody can't physically access the device. We can use strong passwords. So, as an example, if I, you know, use a password on my email that I have set up on my mobile device, I want to make sure that it's a strong password, not the traditional password 1234. By the way, if that's your password, go change it right now, because it's a very weak password.
Also using things like encryption. So, you know, encrypting our data in communication as well as at rest, and having things like remote wipe, GPS tracking. So if somebody steals our device or if we just lose it, we can track it down. Controlling applications, what applications can actually be downloaded on the device. Segmenting our storage. So if we're using the device for both work and our personal life, it's our personal device, for example, segmenting out the different storage. So that way, if we are attacked, our business stuff is not stolen by the attacker, only our personal information is. And then specifically using things like mobile device management.
So that way we can, you know, do many of these things, right? We can do GPS tracking. We can push out updates to the operating system, the firmware updates. You know, so thinking of, like, iOS as an example, Apple's pretty good about automatically updating or at least giving you the option to push out updates, whereas Android users generally have to go seek out that information to be able to update their devices and do it. It's a much more manual process on an Android device. Hence the reason why a lot of Android devices get attacked, because people are lazy and they don't go update their stuff.
Also, with MDM, you know, in addition to doing things like GPS or pushing out updates, it also allows us as an organization to enroll and authenticate our devices. We could also use a similar image on the different devices. So, for example, if I've got a bunch of people in my sales team and I image mobile devices for them, I have a certain thing that we want to put on there for them, maybe a Salesforce app, whatever. And then, as new people come on the sales team, I can easily push out new devices to them using the MDM.
And in addition to that, with the MDM, before we jump into our post-assessment question here, we can also do things like the remote wipe as well with that. So I definitely encourage you, if you're an organization out there and you haven't incorporated that for some reason, and you do have mobile devices or you do allow for BYOD, or bring your own device, for your employees, you definitely want to explore those options out there to help keep your organization a little more secure. Nothing's 100%, but just a little more secure.
All right, let's jump into our post-assessment question here. So an attacker analyzing our source code: at what level of the OWASP Mobile Top 10 would this occur?
If you guessed reverse engineering, you are correct. So again, that's where the attacker is gonna be trying to analyze things like the source code or the libraries to take a look and hopefully crack our app and get into it and get access to our device or do something else, you know, maybe write some malware that can attack us.