
Hello and welcome to this talk on in-app security for Android mobile applications. We're going to be discussing how to select the right vendor platform to protect your application and make sure it is secure and available for use for the general public.

A little bit about me: my name is Patience Bofo and my Discord handle is @pidgin boho. I've been a software developer for the past eight to nine years. Most of my experience has been in the financial services industry, and because of the nature of the financial services industry I have had a lot of exposure to securing mobile and web applications, but my favorite topic, the one that I'm more passionate about, is Android development, so that's what I'm going to be talking about today. I always like to connect with people and I like to find out more about their own journey in security, so please feel free to reach out to me on LinkedIn. My name is patiencepofu and the picture on the left there is the one that I'm currently using on LinkedIn. I look forward to hearing more about where your journey has taken you in security and how it intersects with the talk that I've shared with you today.

So when we talk about mobile application vulnerabilities, what exactly are we looking to secure? I'm sure most of you are familiar with the OWASP Top 10 mobile application vulnerabilities, so I'll go over some of them here and just explain a few here and there that really stand out.

The most important thing is we want to make sure that the application that we're releasing to the general public cannot be reverse engineered, because once a hacker is able to pick up our application and reverse engineer it, it just leads to everything else that's listed underneath there. The first thing is obviously identity theft: for financial applications, the large majority of them would store credit card information, names, account numbers, and this kind of information is easily retrievable once someone is able to reverse engineer your code, so you want to make sure that that doesn't happen.

The other thing that would cause a vulnerability in the application is data leakage, whereby developers unintentionally store information on the actual device that the mobile application is running on, and from there a hacker, developer, or user can retrieve that data and use it in a way that it wasn't intended to be used.

The other thing is, once your application is reverse engineerable, it means a hacker can just inject their own code in there and make your application perform whichever way they decide, and you want to guard against that.

The other thing, which probably ties into unintended data leakages, would be insecure data storage. Once again, storing important, confidential information on the device opens you up to attacks from hackers, developers, users, people who just try to break you up for fun.

The other thing would be the lack of binary protection. This would lead to runtime threats such as people adding hooks to your code, people adding malware to your code, people running your application on a jailbroken device, people running a debugger against your application in order to reverse engineer it.

And the last one would be weak encryption, which in the financial services space would usually be the use of outdated algorithms or encryption mechanisms that have already been broken. I've seen this around in a couple of applications where you get there and the application is using some old encryption system that was broken a long time ago, that everybody knows how to break into, and just nobody has gotten to the point where they changed that. Once you release your application with that weak encryption, you're just opening it up to hackers getting in there, getting your code, making whatever changes they like and accessing whatever they like in your system. So you want to guard against vulnerabilities such as these.

So when we are assessing different types of vendor solutions that we could use to protect our application, we want to look at what kind of basic protection they should be providing in order for us to be satisfied that our application is safe enough for people to use.

The number one thing, obviously, is obfuscation. Obfuscation would be the scrambling of code so that it is unreadable to the naked eye without a map or some kind of guide that would help you to decrypt how it has been encrypted. This is just a basic thing; it's a must-have, you need it. It helps reduce the possibility of reverse engineering for your application, so it definitely has to be there.

The second thing is log stripping. This will be removing any and all logs in your production application before it is shipped out, and this is important because logs actually are part of the unintended data leakages that I referred to earlier. This is where developers will log whatever is going on in the app, and while it just seems harmless, it's a method by which hackers can take a look at your logs, detect what's being called where, reverse engineer it, and next thing you know they've gained control of your app and they're in your system.

The third thing that we would expect from a solution that a vendor provides us with would be runtime threat detection. We want to be able to know if someone is running a debugger against our code in production, because that should not happen. We want to know if someone is running our application on a jailbroken device, because that should not happen. We also want to know if someone has added hooks of a sort to our application, because that should not happen too. We want to know if a user has added some form of malware, because that is something that should also not happen. So these are the kinds of things that we would expect to be detected straight off, as soon as they start happening, so that we can take action.

The fourth thing that we would expect from a vendor would be threat analysis reports. From these we would be able to find better ways to model threats; we would find better ways to gather statistics on how well our security is working, areas of improvement, how often we're attacked, by whom, what we need to guard against the most. It's also a way for us to detect new ways in which your application is being attacked that we weren't aware of, and take action on those. So that's a great thing to have with the solution that you get.

The other thing is we want to make sure that the signature is checked every time we upload our APK to the Google Play Store, or wherever we're uploading it to or sharing it to. We want to make sure the signature has not changed, and once the signature has changed we know that our APK has been tampered with, which means that we right away need to jump in and make sure that that threat is resolved.

The other thing is we want to make sure the resources we provided with our initial application are still the same, and we don't want a hacker, developer, user, whatever, putting their own resources in there and using those instead of ours, because that would open us up to risk as well.

So definitely, regardless of whatever solution you choose, you at least want these as the minimum possible protections that can be provided by your solution for your application.

Other additional considerations to think of would be the price, because most of these solutions are proprietary. They have a license that comes with them, and that license ends up becoming an additional cost that the user has to carry, and you don't want the price to become a deterrent for users from using your application. So you want to keep the price as low as possible, which means you want to go with the cheapest possible vendor but get the best security possible for the price you're paying. So the maximum possible protection available ties into the price as well, because you want to have a careful balance for that. If you go too cheap then you might end up with weak encryption, lack of binary protection, next thing you know your application has been reverse engineered, and it results in financial and reputational loss for you. On the other hand, if it's too expensive then your users are carrying the price, and your application is expensive and people don't want to use it, and there you are, still financial loss, but at least you have your reputation.

The next thing you also want to look at is how complex it will be for you to implement this encryption on your application. If it's a solution that's as easy as just running a few command lines in a terminal somewhere and your application is shielded, that's great. But if it's one of those where your developers need to sit in, run multiple sprints, coordinate with external developers, you would need to decide things along the lines of: do we have the time to implement this, and are we going to have to do this every time we need to upgrade our protection?

The other thing is, again, you can't underestimate the value of great customer service, because these solutions once again are proprietary. You can't exactly go on the internet and be like, "Well, I am trying to do this, but how do I do that?" You cannot find this information on the internet. So if you're using a solution and its customer service is poor, the experience will not be great, and additionally you might miss a couple of points here and there because you're new to the service, or you're just not aware of it, or they've provided a ton of documentation. There are a couple of solutions that will just drown you in documentation and you can't wade through all of it, so you miss a few things and your application ends up not being fully secure, and there's a vulnerability that gets exploited. Somewhere along the line you just need that great customer service to keep you going.

The other thing you want to think of is application performance. Some of these solutions, once you've applied them, will make your app marginally slower, because they encrypt a lot of the information that you have in your app and they have a lookup map that they would use to pick up what's mapped to what, and that translation of what is mapping to what can take quite a long time. So your application will begin to start slower, and when a user is navigating it may be a little slower. So you want to consider if that's something that you want to sacrifice for the amount of protection that you're adding. You might want to leave out maybe a couple of core functional classes and make sure those are protected in a different way, so that your application performs faster.

The final thing is you want to make sure as well that your solution meets industry standard requirements. It's useless for you to implement a solution, add it to your application, claim that your application is secured, and when you take it for assessment the result comes back and it's not meeting standard requirements. So you want to make sure that whatever solution you end up going with matches the requirements for your industry.

So that's it from me on this talk. I hope you enjoyed it and I hope you learned a little bit. I'm always really looking to hear more about your own experiences, so please feel free to connect with me. My Discord is pgmpo4 and I am on LinkedIn; that's my LinkedIn link right at the bottom there. Thank you so much for your time and I look forward to hearing from you.
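As an added example, not code from the talk or from any vendor product: a small Java class that performs the runtime threat detection and signature check described in the talk on the device itself, reporting a debugger attached, a debuggable build, and a signing certificate that no longer matches the pinned release certificate. The class name, the certificate-hash placeholder and the API 28+ assumption (for `signingInfo`) are mine.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Debug;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;

// Added example (not from the talk or any vendor SDK); assumes API 28+ for signingInfo.
public final class IntegrityChecks {
    // PLACEHOLDER: lowercase hex SHA-256 of your own release signing certificate,
    // e.g. as printed by `keytool -printcert -jarfile app-release.apk`.
    static final String EXPECTED_CERT_SHA256 = "<release-cert-sha256-hex>";

    // Returns findings; an empty list means none of the checks fired.
    public static List<String> run(Context ctx) {
        List<String> findings = new ArrayList<>();
        if (Debug.isDebuggerConnected()) findings.add("debugger attached");
        boolean debuggable =
                (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
        if (debuggable) findings.add("debuggable build");           // release must not be
        if (!signingCertMatches(ctx)) findings.add("signing certificate mismatch");
        return findings;
    }

    // True only if one of the APK's signing certificates hashes to the pinned value.
    static boolean signingCertMatches(Context ctx) {
        try {
            PackageInfo pi = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES);
            Signature[] sigs = pi.signingInfo.getApkContentsSigners();
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            for (Signature s : sigs) {
                String actual = hex(md.digest(s.toByteArray()));   // DER cert bytes
                if (EXPECTED_CERT_SHA256.equalsIgnoreCase(actual)) return true;
            }
        } catch (Exception e) {
            // any lookup failure is treated as a mismatch (fail closed)
        }
        return false;
    }

    static String hex(byte[] d) {
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Because these checks run inside the APK they can themselves be removed by anyone who can patch the binary, so report their findings to your backend (where the talk's threat analysis reports come from) rather than relying on a local block alone.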