Securing Mobile applications

Date: November 30th, 2012

Description:

  • Introduction: Attendees will first learn the basics of mobile applications followed by a brief background of Android and iOS platforms, their security models and an overview of their development basics.
  • Threat Modeling: They will then learn how to model a threat profile for mobile applications depending upon the type of application and the mobile architecture used.
  • Understanding Security Vulnerabilities in Mobile Applications: Here the attendees will get acquainted with some famous (OWASP Mobile Top 10) and a few not-so-famous flaws present in Android and iOS applications. They will learn the exact root cause of each flaw and the debugging techniques used to confirm it.
  • Detecting Security Vulnerabilities (Introduction to Mobile Security Code Reviews): Here the attendees will learn how mobile security experts perform source code reviews to identify security flaws in the code base. Using demonstrations and code snippets, we will highlight the techniques used to enumerate security flaws in Android and iOS applications. The attendees will then be introduced to a detailed code review approach via an exhaustive checklist for both platforms.
  • Scope for Automation in Mobile Security Code Reviews: We will highlight the benefits of scripting techniques in comparison with simple scanning or manual testing. The attendees will also learn how to reduce the time taken for a review by designing a custom script that automates the complete Android and iOS source code review process.
  • Designing Secure Mobile Applications: Here the attendees will learn how to implement the proper controls to mitigate security vulnerabilities in mobile applications with the help of code snippets and APIs. We will also discuss the best practices that have to be followed for the secure development of mobile applications.


Speaker 1: Dinesh Shetty

Dinesh Shetty is currently working as a Principal Researcher in the Code Review and Mobile Security Services team at Paladion Networks. He has performed Web and Mobile Application Audits, Penetration Tests and Vulnerability Assessments for many high-profile clients, and has written many articles for multiple InfoSec magazines and international journals, including Packet Storm, Exploit-DB and PenTest Magazine. He has found flaws in leading Web and Mobile-based financial applications and helped the respective organizations fix those vulnerabilities.

As a core member of the Mobile Application Security Testing Team at Paladion, he has developed Paladion's Android, iOS and BlackBerry GrayBox and Code Review checklists and has trained 70+ engineers to find flaws in mobile applications. He has designed and created open source projects including Paladion's InsecureBank application and ScriptDroid, an advanced Android and iOS source code review tool.

He is a Certified Ethical Hacker, Certified Hacking Forensic Investigator and an IBM Certified AppScan Specialist, among many other certifications, and has spoken and delivered trainings at leading national and international conferences and organizations, including OWASP AsiaPac 2012 (Sydney), the National Institute of Bank Management (India) and Quest Knowledge Center, among others.

Speaker 2: Ashish Rao

Ashish Rao is a Senior Security Consultant at Paladion Networks Pvt. Ltd. He has a strong application development background and is an expert in performing secure code reviews for J2EE and ASP.NET applications. He has reviewed many complex multi-tiered web and standalone applications built on different frameworks and programming languages. He has authored articles and blogs about secure coding and security best practices. He has also worked closely with development teams across the globe and has helped them secure applications at the design and architecture level.

He also has working knowledge of many static code analysis tools and has contributed immensely to enhancing Paladion's automated review capabilities by writing various easy-to-use code review scripts. Beyond secure code reviews, he possesses extensive knowledge of Penetration Testing and Vulnerability Assessment projects, and has conducted various internal and external trainings for Paladion. He recently presented at OWASP India 2012 on Advanced Code Review.