Securing mobile applications is a multi-dimensional problem, carrying with it elements of desktop security, web application security, and network security. Coupled with a large attack space is the additional security issue of technological infancy. Since the mobile application space is still an emerging technology, the threat space is still being defined. This continuously growing, rapidly changing, and large threat space represents a significant risk to the enterprise.

Developers can minimize this threat by introducing a number of secure development practices into the SDLC. Because the technologies behind mobile application development are changing rapidly, secure development tools are not yet comprehensive. However, good processes that combine these tools with design, development, and testing methodologies can bridge the security gap as the tools grow and become more effective.

An effective security program will engage available tools across the SDLC. At a minimum, secure mobile application development should include threat modeling, static analysis/whitebox testing, and blackbox testing. This testing should focus on attacks against the network component, the server component, and the client component.

The presentation will focus on implementing secure development methodologies with an emphasis on:

Threat Modeling
  - Threat modeling methodologies for mobile application development
  - Threat modeling third-party applications
  - Protecting PII on the device

Whitebox Testing
  - Static analysis availability, strengths, and limitations
  - Whitebox testing tools
  - Whitebox client-side testing
  - PII storage issues
  - Client-side attack vectors

Blackbox Testing
  - Blackbox testing tools
  - Blackbox proxy issues
  - Blackbox server issues