BSidesBDX Keynote: The Phantom Menace
If you weren't already excited about having Rayna Stamboliyska give our opening keynote talk in a few days, the title and subject matter of her speech should really pique your interest. The title of her talk is The Phantom Menace and it focuses on the need for better mobile app analysis. Read for more details, but it will be an informative and fun talk.
Mobile apps are everywhere, and the app economy is thriving. Infosec professionals, however, still shy away from their analysis. Thus, we end up with ill-secured apps abusing permissions, data leaks and an increased attack surface for IoTs.
Then, we blame developers. Of course, it's their fault... isn't it? Yes, it is, at least to a significant part. Developers reuse known frameworks for apps with a diverse range of purposes, thus forcing an inadequate level of security on sensitive use cases. They also mobilise numerous SDKs which are the obvious, off-the-shelf component everyone uses to decrease costs and ease maintenance. Even more importantly, SDKs are what enables monetisation.
Everyone can use SDKs---malevolent actors do so, too, hiding therein whatever they wish to make money off you and your users. And with easily duplicable app frameworks comes the risk of seeing your app counterfeited and your app-generated revenue, diverted. Those risks and the risk management culture change organisations need to implement is what I have dubbed, the 'phantom menace'. We will, therefore, discuss the threats SDKs and counterfeited apps bear, and how to address them.