About this talk
Nicolas Boeckh is a Swiss developer, infosec amateur, coffee lover and student. Academically, he started in the French system, where he acquired a Scientific Baccalaureate (specialization in Computer and Digital Sciences) upon high school graduation. He is currently enrolled in a BSc in Information and Services Science at the University of Geneva (Geneva, Switzerland), where he is completing the last year of his Bachelor's degree. On the side, he started working in development, writing programs for fun, and got familiar with a slew of different languages (Python, Java, Scala, Ruby, Dart, C, C#, ...) and environments (Linux, Windows, Android). He has always been interested in InfoSec but only got more involved within the community when COVID started, as he had time and stumbled upon a budding CTF Discord server, where he slowly integrated into the community, leading to where he is today.

Developers are the backbone of the industrial mobile & IoT development industry. Without them, it would take more time and/or effort to use services from afar or interact with an IoT environment. However, they may put the end-users of the applications they've developed at risk by not taking into consideration the security of the information being sent over the wire. Going on the assumption that not all developers are InfoSec specialists, or even InfoSec adjacent or InfoSec aware, this talk aims to give some background on uses for mobile information storage and transmission and then move on to discussing the foremost off-the-shelf vulnerabilities. Although it is important to know of the existence of problem(s), we must discuss how to minimize points of failure by using existing features, including (but not limited to) restricted environments, encryption, memory unicity, etc.

Coming from a person working in InfoSec, such recommendations can come off to managers and/or developers as an attempt at fearmongering. They have a plethora of phrases they can, in their mind, use to justify not solving a "non-issue". The final part of this talk discusses these common pitfalls as snippets of conversation that are frequently heard as justification.

#BSidesIslamabad2020