Global AppSec Dublin 2023

Secrets and credentials are hardcoded in mobile app packages, saved in persistent storage, exposed in API calls, and mistakenly left in project repos. Mobile has become the easiest place for hackers to steal what they need to abuse your APIs and backend services. It might seem odd that removing secrets from your apps improves your platform security, but not only is it safer, it lets your operations team centrally manage your credentials and security policies on the fly. In this session, you'll learn how to combine mobile app attestation techniques with cloud-based credential services and channel hardening to ensure secrets are never at rest inside your apps. These techniques are fully compatible with your existing API protocols and integrate easily into your app's networking stack. We'll demonstrate and then blunt common static analysis, rooting, instrumentation framework, and man-in-the middle attacks, showing how this approach meets many of the defense-in-depth and resiliency (L2+R) levels of the MASVS mobile app security verification standard.

Dates

Author

Conferences

Tags

Removing Secrets to Make Your Mobile Apps More MASVS-Secure

tldr - powered by Generative AI