It is an interesting time for security professionals all over the world. Their job is making the headlines.
But it is also very scary, as it means that a lot of organizations are at risk because of potential security flaws in their products and infrastructure.
It makes the headlines very often. So when a story reaches a tech blog or a « non tech focused » newspaper, it means that the flaw or security breach was there for a long time, and possibly used by malicious individuals.
As a security professional, my job is to test the security of products and infrastructure and try to hack them, so that we can identify the potential flaws and correct them before the service actually gets hacked.
So you have to move from reactive security to proactive security.
This is what is called now the « Security by Design » process that is growing in companies at the moment.
That is the theory. But in practice it is hard to do Security by design on all the products and services.
Why is this so important?
Security is something that your organization should definitely consider: as devices and services are always connected to the internet, you open your service to the world, which means that the « bad guys » could have direct access to your infrastructure.
People who do not look at security on a daily basis don’t know how easy it can be to get access to some critical part of your infrastructure if you did not follow some very standard security principles.
How could we achieve this following the industry best practices?
The industry has a lot of guidelines that you could follow regarding security practices.
It covers the organization part (which is very important) and moves to the more technical part.
The ISO/IEC 27000 family of standards helps organizations keep information assets secure.
EBIOS is a method for analysis, evaluation and action on risks relating to information systems.
Both of these methods focus on the risk analysis of your information system and your organization, and on how to secure your digital assets.
The Open Web Application Security Project (OWASP) is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
The OWASP has a lot of interesting publications about how to develop your app securely and test it appropriately in terms of security, but also how to deploy your service and respond to a security breach.
But I am going to speak only about the most interesting OWASP publication if you are a beginner in terms of security.
It is the OWASP Top 10 that is regularly updated. It represents a broad consensus about the most critical security risks to web applications.
That means that if you minimize these risks, you cover a lot of very common flaws, so bringing your system down becomes much more complicated for an attacker.
I am going to focus on Android phones in the rest of this article.
The OWASP has a document about the Top 10 risks on mobile.
Let’s start on Android
You can do a lot with a simple Android phone. It is not required to root your Android phone in order to test the security of your application.
Let’s review the OWASP Top 10 mobile.
- M1 — Improper Platform Usage
- M2 — Insecure Data Storage
- M3 — Insecure Communication
- M4 — Insecure Authentication
- M5 — Insufficient Cryptography
- M6 — Insecure Authorization
- M7 — Client Code Quality
- M8 — Code Tampering
- M9 — Reverse Engineering
- M10 — Extraneous Functionality
Of all of these, I often check insecure data storage first, as it is the easiest to test. You only need to download the app, register, use it a little so that it fills its data, and then look through the stored files for anything valuable from a security perspective.
In order to do this, you are going to need the Android Debug Bridge (adb) from Google.
You can now download an app from the Play Store or take one that is already on your phone so you can start playing with it and testing its security.
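One way to carry out that check on your own app, as an added example that is not part of the original article: it assumes adb is installed with USB debugging enabled, that the app is your own debuggable build (so run-as can read its private directory without rooting the phone), and a placeholder package name supplied through APP_PKG.

```shell
#!/bin/sh
# Added example, not from the original article: pull an Android app's private
# files and flag values that look like plaintext secrets (OWASP Mobile M2).
# Assumptions: adb is on PATH with USB debugging enabled, and the app is your
# own debuggable build, so "run-as" can read its data directory without root.
# APP_PKG is a placeholder package name supplied by the tester.

# Copy shared_prefs, databases and files from the app's private directory to $2.
pull_app_data() {
    pkg="$1"; out="$2"
    mkdir -p "$out"
    # exec-out keeps the tar stream binary-safe, unlike plain "adb shell".
    adb exec-out "run-as $pkg tar -cf - shared_prefs databases files" | tar -xf - -C "$out"
}

# Scan text-like files under $1 for keys that suggest secrets stored in the clear.
# Prints each hit and returns 1 if anything was found, 0 if the tree looks clean.
# A hit is a prompt for manual review: a "password" key may hold only a hash.
scan_for_secrets() {
    dir="$1"
    pattern='(password|passwd|secret|token|api[_-]?key|session)'
    hits=$(grep -rEil --include='*.xml' --include='*.json' --include='*.txt' "$pattern" "$dir" || true)
    if [ -z "$hits" ]; then return 0; fi
    for f in $hits; do            # Android private paths contain no spaces
        echo "possible plaintext secret in: ${f#$dir/}"
        grep -Ein "$pattern" "$f" | head -n 3
    done
    return 1
}

# Constructed sample data standing in for a real pull, so the scan can be tried offline.
make_sample_dir() {
    dir="$1"
    mkdir -p "$dir/shared_prefs" "$dir/files"
    cat > "$dir/shared_prefs/com.example.app_preferences.xml" <<'EOF'
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">hunter2</string>
</map>
EOF
    echo '{"theme":"dark"}' > "$dir/files/settings.json"
}

# Run against a real device only when the tester names a package.
if [ -n "${APP_PKG:-}" ]; then
    pull_app_data "$APP_PKG" ./app_data && scan_for_secrets ./app_data
fi
```

Run it as `APP_PKG=com.example.app sh check_storage.sh` against a connected phone; without APP_PKG set, only the functions are defined, and `make_sample_dir` gives you constructed data to try the scan on.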
I am going to test an application that is made on purpose to have security flaws, Insecure Bank, in my next article so you can have some hints on how to do security testing.