SecAppDev 2019 has ended

Mobile security
Tuesday, February 19


Using Android Webviews - moving web risks into the app
In recent years, Google has made significant changes to WebViews. While the security behavior of a WebView has improved, its introduction remains a significant change to the threat model.

The (Android) WebView is an embeddable component that powers the majority of internet-enabled apps. WebViews are popular because they are flexible – offering cross-platform code reuse. However, WebViews transport problems of the Web model into the app and then add some new problems.

In this session, we explore some WebView-related problems. First, we focus on traditional web attacks, such as connection hijacking and XSS. Next, we focus on the underlying model of web-enabled mobile apps. The bundling of local resources and web-based content rendered in the same container has a significant impact. In this security model, a Same Origin Policy bypass extends to accessing the device file-system and stealing juicy user data. Even worse, such an attack may even remotely target other applications by using the WebView as a proxy. Finally, WebViews present a security management problem that is just as important to understand: which risks do I not control?

This session is intended for app testers and developers using WebViews.


Andrew Lee-Thorp

Principal consultant, Synopsys SIG

Tuesday February 19, 2019 09:00 - 10:30
Main building (room Lemaire)
Wednesday, February 20


Mobile is eating the world. But is it secure?
We are moving more sensitive data into mobile applications than ever before. However, at what cost to security? This talk provides an overview of how mobile apps are being attacked and what defenses exist.

As we surpass 2.5 billion smartphones in use worldwide, mobile application security is no longer a theoretical discussion. Mobile applications are suffering from major data breaches at a staggering rate. Mobile applications present a different set of challenges than traditional web apps. As such, we must prepare accordingly.

This talk is an introduction to attack and defense methods for both builders and breakers of Android and iOS applications. We will explore a number of topics that will better arm you to assess and improve the security of mobile applications. We will talk about the system security of Android and iOS. We will cover common security issues in mobile applications. You will learn about the available mobile application security controls. Finally, we also give an overview of how to test for security issues in mobile applications.

This session is intended for anyone involved in the development of mobile applications.


Jimmy Mesta

CTO, Manicode Security

Wednesday February 20, 2019 09:00 - 10:30
Main building (room Lemaire)