Description: Millions are installing mobile apps from ‘trusted’ app stores every day, but who has taken responsibility for ensuring that apps with vulnerabilities and privacy violations, or even outright malicious code, don’t slip through the cracks? App store gatekeepers? Vendors? Developers? Sadly, the answer is commonly ‘none of the above’. Mobile apps are largely a black box and it’s time to ‘open the kimono’. When dealing with entirely new environments, without commonly available security tools, expecting even a security-savvy end user to assess the risk posed by a mobile app is a tall order. We aim to change that.
The world of mobile apps is the Wild, Wild West, with corporations rushing to deploy branded mobile apps in addition to their web-based offerings. Unfortunately, enterprises don’t have in-house expertise in the mobile arena and are therefore outsourcing the projects to third parties and assuming that appropriate QA has been performed. What you can’t outsource is responsibility, and sadly, many apps are being deployed without appropriate security testing, resulting in millions of end users leveraging apps with gaping security holes or blatant privacy violations.

Attackers also appreciate the paradigm shift toward apps being deployed from a single source, such as the now dominant Apple, Google and Amazon app stores. Attackers understand what end users don’t: that the app store gatekeepers are doing far too little to ensure that malicious apps don’t see the light of day. Unfortunately, end users assume that an app downloaded from an official source is entirely safe, and history shows that is a mistaken assumption.
In the course of our research, Zscaler ThreatLabZ has dedicated time to solving the challenge of not only assessing the risk of a given mobile application, but also developing tools and processes that can scale to tackle the hundreds of thousands of applications that are now available. In this talk we’ll discuss the techniques that we’ve found most valuable, call out apps with poor security and unveil a free web application that will allow anyone to conduct behavioral analysis on a mobile application. This will allow the general public to ‘open the kimono’ of mobile apps to better understand exactly what a given application is doing and the risk that it may pose. Is the app sending sensitive data to third parties, communicating without encryption, accessing data without authorization? This will be revealed and taken into account when determining the overall application risk. Users will also be able to freely assess the total security of all apps on their mobile device by checking them against our ever-growing app fingerprinting database.
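To make the three behavioral indicators named above concrete, here is a small added example (not Zscaler's tool, nor code from the talk) that scores a constructed app profile: it flags cleartext transport, sensitive fields sent to hosts outside the app's own domain, and data reads that no declared permission authorizes. The permission names, weights, domains and events are all assumptions made for the illustration.

```python
# Added illustration of behavioral risk scoring; all inputs are constructed.
from dataclasses import dataclass, field

# Fields we treat as sensitive when they leave the device (assumed list).
SENSITIVE_FIELDS = {"imei", "contacts", "location", "email"}
# Data access -> permission that should authorize it (assumed mapping).
ACCESS_PERMISSION = {
    "contacts": "READ_CONTACTS",
    "location": "ACCESS_FINE_LOCATION",
    "sms": "READ_SMS",
}
# Per-finding weights; the overall score is capped at 10 (assumed scale).
WEIGHTS = {"cleartext": 2, "third_party_leak": 3, "unauthorized_access": 4}


@dataclass
class AppProfile:
    first_party_domain: str
    declared_permissions: set
    network_events: list = field(default_factory=list)  # (scheme, host, fields)
    data_accesses: list = field(default_factory=list)   # names of data read


def is_third_party(host, first_party_domain):
    """A host is first-party only if it is the app's domain or a subdomain."""
    return not (host == first_party_domain
                or host.endswith("." + first_party_domain))


def analyze(app):
    """Return (findings, risk_score); each finding is (category, detail)."""
    findings = []
    for scheme, host, fields in app.network_events:
        sent = SENSITIVE_FIELDS & set(fields)
        if scheme == "http":  # no transport encryption at all
            findings.append(("cleartext", f"{host} receives {sorted(fields)} unencrypted"))
        if sent and is_third_party(host, app.first_party_domain):
            findings.append(("third_party_leak", f"{host} receives {sorted(sent)}"))
    for item in app.data_accesses:
        needed = ACCESS_PERMISSION.get(item)
        if needed and needed not in app.declared_permissions:
            findings.append(("unauthorized_access", f"{item} read without {needed}"))
    score = min(10, sum(WEIGHTS[category] for category, _ in findings))
    return findings, score


# Constructed sample: a banking-style app that also talks to an ad tracker.
SAMPLE_APP = AppProfile(
    first_party_domain="example-bank.test",
    declared_permissions={"INTERNET", "ACCESS_FINE_LOCATION"},
    network_events=[
        ("https", "api.example-bank.test", ["session", "location"]),
        ("http", "ads.tracker-example.test", ["imei", "location"]),
    ],
    data_accesses=["location", "contacts"],
)
```

Running `analyze(SAMPLE_APP)` yields one cleartext finding, one third-party leak and one unauthorized contacts read, for a score of 9 out of 10.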
Tags: Zscaler, Opening the Kimono, nullcon, null, nullcon Delhi, nullcon.net, null.co.in, Mobile apps behavioral analysis, Mobile apps security
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.