02 February 2015

AppSec Cali: The Synack Experience

Patrick Wardle

OWASP’s AppSec California aims to be California’s leading app security conference. Going beyond security for security’s sake, it brings together the two worlds of application security professionals and business professionals so that each can share with and learn from the other. In recognition of Synack’s expertise in mobile application security, Synack was chosen to present two sessions at the conference!

The first session was presented on Wednesday by Colby Moore, one of the Synack R&D ninjas.

Colby presented on:

  • How geolocation leakage vulnerabilities occur in mobile applications
  • How they can be detected
  • What users and developers can do to protect themselves

He covered best practices in the areas of proper:

  • Implementation of transport layer security
  • Rate limiting and authentication of APIs
  • Usage of overly precise location data

[Image: Synack AppSec California 2015, geolocation vulnerabilities]

He demonstrated how seemingly simple vulnerabilities could be combined to geolocate and identify anonymous users through data harvesting, trilateration, and correlation. To show that these geolocation-based vulnerabilities can lead to real-life consequences, Colby presented a detailed case study of geolocation vulnerabilities that Synack uncovered in a common social dating app. Through a variety of broad attacks, he was able to precisely locate and track the application’s user base worldwide and reverse engineer their true identities. View and download the slides at http://syn.ac/appSecCaGeo!
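As an added illustration of two of the best practices listed above (coarsening overly precise location data and rate limiting the distance API), the following Python sketch is not code from the talk, the slides, or Synack. It snaps every stored position to the centre of a 1 km grid cell, reports distance to another user only as a coarse band rather than an exact figure, and caps distance queries per authenticated account. The grid size, the distance bands and the query quota are assumed parameters, and the coordinates at the bottom are constructed sample values.

```python
import math
import time

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def snap_to_grid(lat, lon, cell_m=1000.0):
    """Coarsen a location to the centre of a fixed cell (assumed default: 1 km).

    Every position inside a cell is stored and served as the same point, so a
    client can never learn where in the cell a user actually is.
    """
    lat_step = math.degrees(cell_m / EARTH_RADIUS_M)
    lat_c = (math.floor(lat / lat_step) + 0.5) * lat_step
    # A degree of longitude shrinks with latitude; size the column from the cell's own row.
    lon_step = lat_step / math.cos(math.radians(lat_c))
    lon_c = (math.floor(lon / lon_step) + 0.5) * lon_step
    return round(lat_c, 6), round(lon_c, 6)


# Assumed distance bands; the API never returns a metre-precise value.
DISTANCE_BUCKETS_M = (1_000, 5_000, 25_000)


def bucket_distance(metres):
    """Report distance as a coarse band instead of an exact figure."""
    for edge in DISTANCE_BUCKETS_M:
        if metres < edge:
            return f"< {edge // 1000} km"
    return f">= {DISTANCE_BUCKETS_M[-1] // 1000} km"


class QueryRateLimiter:
    """Fixed-window cap on distance queries per authenticated account.

    Trilateration needs many distance readings taken from different
    positions; a per-account cap makes bulk harvesting slow and visible.
    """

    def __init__(self, max_queries, window_s, clock=time.monotonic):
        self.max_queries = max_queries
        self.window_s = window_s
        self.clock = clock  # injectable so the limiter can be tested offline
        self._windows = {}  # account_id -> (window_start, count)

    def allow(self, account_id):
        now = self.clock()
        start, count = self._windows.get(account_id, (now, 0))
        if now - start >= self.window_s:
            start, count = now, 0  # window expired, start a fresh one
        if count >= self.max_queries:
            self._windows[account_id] = (start, count)
            return False
        self._windows[account_id] = (start, count + 1)
        return True


def nearby_response(account_id, viewer, target, limiter):
    """Build the 'how far away is this user' API response safely.

    viewer and target are (lat, lon) tuples. Returns None once the account
    has exhausted its quota, otherwise only a coarse distance band computed
    between the two snapped positions.
    """
    if not limiter.allow(account_id):
        return None
    v_lat, v_lon = snap_to_grid(*viewer)
    t_lat, t_lon = snap_to_grid(*target)
    return {"distance": bucket_distance(haversine_m(v_lat, v_lon, t_lat, t_lon))}


if __name__ == "__main__":
    # Constructed sample coordinates in San Francisco, roughly 2.2 km apart.
    viewer, target = (37.7749, -122.4194), (37.7949, -122.4194)
    limiter = QueryRateLimiter(max_queries=20, window_s=60)
    print("exact:", round(haversine_m(*viewer, *target)), "m")
    print("served:", nearby_response("acct-1", viewer, target, limiter))
```

The two controls reinforce each other: the grid snap bounds how much any single reading reveals, and the quota bounds how many readings one account can collect, which is what trilateration and bulk harvesting both depend on. In production the quota state would live in shared storage rather than a per-process dict.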

On Thursday, Patrick Wardle, Synack’s director of R&D, presented a technical deep-dive titled “Uncovering OWASP’s Mobile Risks in iOS Apps”. The session addressed the issue that although mobile apps are ever more ubiquitous, their widespread adoption comes at a cost: seemingly every week, a new vulnerability is discovered that jeopardizes the security and privacy of mobile users. Since app developers are having a difficult time writing secure apps, reverse engineering is often the best way to vet the security of an application. Unfortunately, at least for iOS applications, reverse engineering is still viewed by many as somewhat of a black art. The session detailed the process of reverse engineering iOS apps in order to perform security audits and identify common mobile-specific vulnerabilities (e.g. the OWASP Mobile Risks). Specifically, the talk described how to extract an application’s unencrypted binary code, analyze the ARM disassembly, and identify vulnerabilities that commonly affect iOS apps. Real-life cases from iOS applications in the App Store were presented to give the reversing procedure a more ‘hands-on’ feel and to show some actual security vulnerabilities. Sounds awesome, right? You can check out the slides at: syn.ac/AppSecCa