YouTube

Seven Deadly Sins of Mobile Application Development - Unlocking Mobile Hacking Vulnerabilities

OWASP Foundation via YouTube

Overview

Explore the seven most common security mistakes in mobile app development in this conference talk. It focuses on session management, showing how weak session handling can compromise user authentication and data security. Learn about the dangers of trusting the client, the improper use of nonces, and other risky practices that leave mobile apps open to attack, and discover practical ways to avoid these "Seven Deadly Sins" and strengthen your mobile application's security. The talk draws on real-world examples, including demonstrations with the WiFi Pineapple and analysis of AMF (Action Message Format) traffic, and explains the importance of encryption, proper session handling, and protection against altered requests. Walk away with actionable knowledge to improve your mobile app development practices and build more secure applications.

Syllabus

Intro
Overview
Hacking Mobile Apps: WiFi Pineapple
Hacking Mobile Apps: The ideal setup
Hacking AMF: Raw traffic AMF is a binary format
Trusting the client
Not requiring encryption
• Mobile traffic is easy to hijack and sniff.
• Most mobile apps are not using SSL (a gasp of horror is appropriate).
• Many of the ones that use SSL do it wrong!
Allowing lifetime sessions
Not keeping secrets
• Session tokens/cookies are sent with each request, so they are easy to steal.
• A mobile app can store local data, unlike a web browser.
• Web browsers always send their cookies with each request.
Allowing repeat requests
No curfew for requests
• As discussed, sessions last a long time.
• Individual requests are allowed to stay out partying too long.
Failing to prevent altered requests
Hacking Mobile Apps: Fantasy Football
Hacking Mobile Apps: Examples
Avoiding the 7 Deadly Sins

Taught by

OWASP Foundation
