The Open Web Application Security Project publishes the mobile app security checklist. And it can be used on both sides of the fence. So if you are a developer, you take a look at this security checklist and say, "Am I addressing all of these concerns?" It's a large Excel spreadsheet, xlsx format. This is the full spreadsheet on a 4K display. I've zoomed into the first two sections here. So for example, all security controls have a centralized implementation, explicit policy for cryptographic keys. So as I mentioned, both sides of the fence: if you are investigating an application, take a look at this list and see if that application complies with the security recommendations in this checklist. If you're the developer, it is highly recommended that you comply with the majority of these recommendations in the security checklist.

As far as tools, in order to sharpen your sword with respect to investigating applications on both iOS and Android, there are some learning projects available to you, starting off with the Open Web Application Security Project's iGoat tool. This is an application that is known vulnerable. Similarly, the Damn Vulnerable iOS Application is known vulnerable. There are challenge categories here in the Damn Vulnerable iOS Application like insecure data storage, runtime manipulation. So they have the challenge and then an explanation of the findings. So it's very helpful in order to learn how to analyze these applications.

For Android, there is another one as well. These Uncrackable Mobile Apps: we have four challenge levels for Android, two for iOS, available at this URL here.