Wednesday, November 20 • 3:00pm - 3:50pm
Advanced Mobile Application Code Review Techniques

Abstract:
Learn how Mobile experts blend their techniques in order to accelerate code reviews. While reviewing Windows Phone 8, Hybrid or HTML 5 applications, you will love these handy tricks that help in detecting famous and a few not-so-famous flaws. Using demonstrations and code snippets, we will highlight the benefits of blended techniques in comparison with those of simple scanning or manual testing. You will also learn how to reduce the time taken for review and obtain a ready-to-use checklist.
Objectives:
• To give live demonstrations of the most common insecurities found in Windows Phone 8, HTML5 or Hybrid applications.
• To share tested and proven methods of discovering insecurities via code reviews.
• To learn how to efficiently conduct source code reviews for mobile applications.
• To develop a checklist for Mobile Code Reviews.

Outline:
An emerging trend is the use of smartphones for financial transactions. As usage of mobile devices grows, concerns about the security of mobile transactions also grow. With the demand for M-Commerce and M-Banking applications rising, mobile application developers should be aware of what flaws they may inadvertently introduce.
This presentation is intended to provide an insight into coding-related flaws present in mobile applications. It is aimed at providing you with a targeted and efficient approach towards the discovery of these flaws in your mobile application code. As Windows Phone 8, HTML 5 and Hybrid mobile technology are the latest popular mobile platforms or technologies, we will focus on these areas during this presentation. The content of the talk is outlined below:
• Introduction to Mobile Applications
  • Threats to mobile applications
  • Advantages of "Mobile Code Reviews"

• Windows Phone Insecurities (with demonstrations using vulnerable code as well as secure code)
  • Attacks on data stored in the device
  • Malware present in the application, which sends unauthorized SMSs or makes unauthorized calls.
  • Incorrectly implemented application encoding and encryption.
  • Tapjacking
  • Other hacks

• HTML5 Insecurities (with demonstrations using vulnerable code as well as secure code)
  • Insecure Data validations and injection based attacks
  • Client side data caching and storage
  • Client side reflection based attacks
  • Insecure Network Connections
  • Other hacks

• Hybrid Technology Mobile Insecurities
  • A gist of the insecurities with respective discovery techniques and solutions.

• Advanced Mobile Code Reviews
  • The checklist compiled so far during the presentation
  • Handy tricks for Mobile Code Reviews
  • A quick demonstration of the discovery of vulnerabilities in a vulnerable application

• Conclusion

Speakers
sreenarayan a

Security Product Lead, Capital One
Sreenarayan is currently working as an Independent Information Security Consultant. He was the principal researcher in the Mobile Application Security Team at Paladion, having developed Paladion's Android, iOS, Windows Mobile, BlackBerry Gray Box and Code Review checklists, and has...


Wednesday November 20, 2013 3:00pm - 3:50pm EST
Belasco & Broadhurst (5th Floor) NY Marriott Marquis
