Abstract
Recent studies show that attacks on mobile applications are on the rise. With mobile applications now used for payments, securing them is of utmost importance.
The presentation briefs the audience on “Penetration Testing the Mobile Applications” to assess the level of security built into them. Key aspects in the mobile application space include:
- Reading the application stored data on devices.
- Capturing the requests and manipulating the parameters.
- Reverse Engineering the application package.
- Mobile Platform Specific issues.
The presentation further delves into the similarities and differences in how the above issues manifest on the Android and iOS platforms. The differences stem mainly from how each platform works: for example, an iPhone app may store data in plist files, whereas other mobile platforms have no plist concept. Similarly, the fixes for platform-specific issues call for platform-specific implementations.
The presentation also demonstrates:
- Configuring a proxy for the phone.
- Reading stored data (iOS and Android).
These are presented based on internal research work done on these platforms and on auditing and pentesting real-world mobile applications.
Takeaway:
- Vulnerabilities or insecurities in mobile applications.
- Techniques to find mobile application vulnerabilities.
- Securing mobile applications.
AI Generated Summary (may contain errors)
ONE SENTENCE SUMMARY: The speaker discusses the importance of mobile application penetration testing, highlighting four key aspects: data storage, communication, platform-specific issues, and hardcoded sensitive information.
SUMMARY:
The speaker emphasizes the need for mobile application penetration testing, covering four essential areas:
- Data Storage: Sensitive information should not be hardcoded or stored locally; instead, use secure storage methods like encryption.
- Communication: Insecure communication channels can be exploited; ensure secure data transfer using HTTPS and SSL/TLS protocols.
- Platform-Specific Issues: iOS and Android have unique security concerns, such as URL schemes and screenshot casting issues, which must be addressed.
- Hardcoded Sensitive Information: Avoid hardcoding sensitive information like API keys or credentials, as they can be easily extracted.
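The "reading stored data" demonstration in the abstract and the data-storage and hardcoded-secrets points above come down to one audit step: pull the app's storage off the device and look for credentials or tokens sitting in plaintext. The script below is an added example, not material from the talk; it scans the two most common containers, an iOS plist (as used by NSUserDefaults) and an Android SharedPreferences XML file. The sample files are constructed inline so it runs offline, and the key-name heuristic (`SENSITIVE_KEY`) is an assumption you would tune per app.

```python
"""Added example: flag plaintext sensitive values in extracted mobile app storage.

The plist and SharedPreferences XML below are constructed samples standing in
for files pulled from a device; they are not from the talk.
"""
import plistlib
import re
import xml.etree.ElementTree as ET

# Heuristic (assumption): key names that usually hold credentials or tokens.
SENSITIVE_KEY = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key|pin|session)", re.I)

# Constructed iOS NSUserDefaults-style plist; plistlib reads XML and binary plists alike.
SAMPLE_PLIST = plistlib.dumps({
    "username": "alice",
    "password": "hunter2",                 # plaintext credential: finding
    "api_key": "sk_test_EXAMPLE_ONLY",     # stored API key: finding
    "theme": "dark",
}, sort_keys=False)

# Constructed Android SharedPreferences XML as found under the app's shared_prefs/.
SAMPLE_SHARED_PREFS = b"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="session_token">eyJhbGciOi...</string>
    <boolean name="onboarded" value="true" />
    <string name="pin">1234</string>
</map>
"""


def scan_plist(data: bytes) -> list[tuple[str, str]]:
    """Return (key, value) pairs from a plist whose key name looks sensitive."""
    prefs = plistlib.loads(data)
    return [(k, str(v)) for k, v in prefs.items() if SENSITIVE_KEY.search(k)]


def scan_shared_prefs(data: bytes) -> list[tuple[str, str]]:
    """Return (name, value) pairs from SharedPreferences XML whose name looks sensitive."""
    root = ET.fromstring(data)
    findings = []
    for elem in root:
        name = elem.get("name", "")
        # <string> carries its value as element text; other types use a value attribute.
        value = elem.text if elem.tag == "string" else elem.get("value", "")
        if SENSITIVE_KEY.search(name):
            findings.append((name, value or ""))
    return findings


if __name__ == "__main__":
    for label, hits in (("iOS plist", scan_plist(SAMPLE_PLIST)),
                        ("Android shared_prefs", scan_shared_prefs(SAMPLE_SHARED_PREFS))):
        for key, value in hits:
            print(f"[{label}] plaintext sensitive value in key {key!r}: {value!r}")
```

Each hit is a candidate insecure-storage finding: the fix on the app side is to move the value into the platform keystore (Keychain on iOS, Keystore-backed storage on Android) or not to persist it at all, rather than to obfuscate it in place.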
The speaker also shares best practices for secure mobile application development, including:
- Implementing proper authentication schemes
- Sanitizing user inputs to prevent common web attacks
- Encrypting data storage and transmission
- Using prepared statements to prevent SQL injection
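Mobile apps commonly keep a local SQLite database, so the prepared-statement point applies on the device as well as on the backend. The following is an added example (not code from the talk) that places a query built by string interpolation next to the parameterised form and runs both against a constructed in-memory table, showing that the bound parameter is treated as a value and never as SQL text.

```python
"""Added example: SQLite query via string interpolation beside the parameterised form.

The schema, rows and crafted input are constructed for illustration; none of it is from the talk.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for an app's local SQLite store (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)",
                     [("alice", "alice-private"), ("bob", "bob-private")])
    return conn


def notes_for_vulnerable(conn: sqlite3.Connection, owner: str) -> list[str]:
    """Vulnerable form: the owner string becomes part of the SQL text."""
    sql = f"SELECT body FROM notes WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def notes_for_safe(conn: sqlite3.Connection, owner: str) -> list[str]:
    """Hardened form: the value is bound to a placeholder and never parsed as SQL."""
    return [row[0] for row in
            conn.execute("SELECT body FROM notes WHERE owner = ?", (owner,))]


# Constructed input containing a quote, the kind of value input sanitisation is meant to catch.
CRAFTED_OWNER = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("interpolated:", notes_for_vulnerable(conn, CRAFTED_OWNER))  # returns every row
    print("parameterised:", notes_for_safe(conn, CRAFTED_OWNER))       # returns []
```

Binding parameters does not remove the need for input validation elsewhere (length, character set, authorisation on the owner), but it does make the query's structure independent of the data it carries, which is the property the bullet above is asking for.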
Additionally, the speaker references the Mobile Top 10 risk list, which highlights insecure data storage as a top concern.