AppSec California 2017

How do you know how to build your application securely, or what to look for when you’re performing a security assessment of an application? One critical part of figuring this out is the application’s threat model. For many years, development teams and security teams have been dealing primarily with web applications that generally have a common threat model. We have gotten so used to this threat model that we often don’t even think about it.

As we are increasingly dealing with mobile applications, we need to rethink this approach. The mobile ecosystem is complex and there is no one threat model that applies to all mobile applications. Based on over twelve years of experience working in the mobile ecosystem (starting before smartphones were a thing) and testing thousands of mobile applications, we have developed a variety of threat models for different types of mobile applications as well as mobile operating systems.

With mobile applications, we’re no longer running inside a mature client application (browser) that provides many security features to us like secure communication, same origin policy, etc. that cannot be overridden by web applications. This has interesting security implications. There are many more security issues that we need to be aware of when developing and testing mobile applications. Without understanding the security issues in different types of mobile applications, we are inevitably going to produce vulnerable applications and even waste money on unnecessary controls. This talk will demystify the mobile ecosystem and will outline how to develop threat models for your mobile applications. It will dig into technical details such as how security features Android and iOS, as well as in cross-platform development frameworks like Apache Cordova are implemented, and how that impacts mobile applications.