Sunday, 12 June 2016

Mobile app security checking in two parts with a lyrical afterword (Part II)

Part two: Attack Surface




So, we finally have a list of possible security issues.


What should we do next?


Definitely, we need someone who would examine this list:
  • To separate real issues from false positives;

Remark: What can be a false positive in our case? For example, "Ignore SSL Certificate Error". It does not matter much if the issue is found in, let's say, a graphics editor, and it matters a lot if it is listed for a banking client app.
  • To perform the necessary tests which cannot be done automatically (see part one);
  • To localize vulnerabilities (it may turn out that the trouble is in third-party components);
  • To determine the vectors of the most probable attacks (see the Lyrical Afterword (it's coming soon));
  • To compose a plan (recommendations) on how to improve the security of the analyzed app.


Who can do it? What is the first thing that comes to your mind? The developers or QA guys who have been working on this app? Sure, that's logical. It seems that they know the app best, doesn't it? Unfortunately, they are not good at this type of task. Why?

There is a vulnerability in your app.
Agh.... that's true. But it's not in our app, it's in a lib which we use in our app...



You may check this dramatic story about the AFNetworking library.


Sometimes developers cannot even imagine that some things can be used maliciously (there is an example of such a story).


Software devs are good at creating apps, QA folks are good at testing apps. The people we need are specialists from the information security field. They have an unusual vision of how an innocent (at first glance) app can be used in malicious ways. That is exactly what is needed. You may read this sad post with juicy details.


IT security guys are hackers, but they are on our side of the barricades. They have specific knowledge and a specific mindset, which allows them to determine the most probable and most profitable ways of invasion (the attack surface), and they know how to improve app security. They work in IT security day by day and are very familiar with current security trends (you cannot expect that from devs, since they need to think about security about twice a year).


Large companies, or companies offering IT security services, can afford a full-time security specialist or even a team of security specialists. In general, there is no need to have a security guy on your staff, since IT security expertise or advice is needed only from time to time (for example, before a new app release or a new release of an existing app). The analogy with physicians works well here. It is good to be informed about your health and to follow medical recommendations. Should you live in a hospital for that? When you need it, you consult a specialist and follow his/her recommendations.

It is very common to drop the security part during the first stages of development. Neglecting security may cost a lot.


(The Lyrical Afterword is coming soon)

