Explore the complexities of app security in this 59-minute conference talk by Rob Napier. Delve into the nuances of "security through obscurity" and learn why it's not as simple as conventional wisdom suggests. Discover the various attacks your app may be facing unknowingly and understand the distinctions between cryptography, obfuscation, and steganography. Gain practical insights on protecting users, services, and businesses through approachable techniques. Focus on mobile development and mobile-server communication issues, with examples primarily in iOS and Swift, but applicable to Android and back-end development. Learn about lock picking, encryption, risk management, bot prevention, API key storage, certificate pinning, secret knocks, app hardening, and debugging techniques. Understand how to monitor logs, hide secrets, use stronger strings, and implement real-life obfuscation strategies to enhance your app's security posture.
Secrets and Lies: Protecting Mobile Apps Through Cryptography and Obfuscation
Overview
Syllabus
Introduction
Lock Picking
Security Through obscurity
Navajo
Encryption
Risk Management
Raising the Bar
Bots
Strings
Tools
Avoid sensitive strings
Storing sensitive API keys
You cannot authenticate an app
Monitor your logs
Hide some secrets
Base64
ToolD
AES
Stronger strings
Random keys
Real strings
Real life obfuscation
When I hack programs
Random data
steganography
scanning for strings
using Charles
certificate pinning
certificate validator
secret knock
secret key
attack your app
Debugging
Hardening
Protect Data
Taught by
ChariotSolutions
