Siren Hofvander - Being Secure on a Mobile Platform
This great Øredev 2013 session focused on how to be secure on a mobile platform, with a bunch of great examples and concrete demos.
Siren Hofvander kicked off this session with some general good-to-knows, like how a cell phone is lost every 3 minutes. Adding this to the fact that 3 of 4 companies allow BYOD (Bring Your Own Device), a lot of sensitive information can get lost.
Siren talked about how apps we install may gain access to our personal data, free to do whatever they want with it unless we deny them that permission. According to her, 96% of iOS and 84% of Android apps get access to contacts, calendar, tracking information, etc.
Are we aware of which privileges we give these apps, or do we more or less allow anything to be able to play the latest game?
There are three types of mobile apps - native, mobile & hybrid. Each type presents security aspects to take into consideration when designing your app, with hybrid apps exposing you to the sum of all their risks. The mobile platforms also face different challenges. For instance, iOS suffers an amazingly low 0.7% of all malware, while Android is affected by 79%.
Working through a list of malicious activities, Siren stressed that we as developers can’t just build our apps based on how we expect the user to use them. We must consider the hardware as well and how it’s used. We tend to focus on application security, but the stack consists of the OS, the hardware and the infrastructure as well. They must all be considered.
Siren went through various attack scenarios. For instance, don’t connect to the free Wi-Fi at an “art and security conference” :) She presented a set of test questions you should ask yourself when developing and also talked about spoofing, tampering and disclosure and how to keep your data safe from point A to point B.
This was a great talk. Check out the video here, then hurry to get that big boobs app!