The secret life of Android apps
In his talk for the OWASP Zhytomyr community, Artur uncovers solutions to practical security issues every security engineer faces. The mobile application landscape is constantly changing – developers use new frameworks, Google demands new requirements and security features. Artur demonstrates the latest setup of a lab environment for security testing of Android apps. He uses it to illustrate how different apps implement specific OWASP MASVS requirements — like certificate pinning or root protection. Artur shows where to look to spot the missing security controls.
React Native security: addressing typical mistakes
Can React Native apps be secure? Is it a leaky abstraction? Julia went in details of React Native architecture, platform usage, and its dependencies. This security talk is designed specially for developers, decision-makers, and tech leads interested in addressing and preventing typical mistakes related to this cross-platform solution from Facebook.
Encryption export regulations. Why should mobile developers care?
Julia talks about US encryption export regulations - what they mean, which applications they affect, and what developers should do.
iOS vulnerabilities and how to fix them
In this talk, Julia invites app devs and architects to explore common iOS vulnerabilities, outlines popular requirements from OWASP MASVS, enlists examples and paths to make applications more secure.
End-to-end encrypted doesn't mean secure
End-to-end encryption doesn’t guarantee privacy and/or security of your data. Your favourite application can use e2ee and sell data to someone at the same time. Anastasiia explained the relationship between security, privacy and encryption, and how different encryption approaches protect users data from various events or threats.
Secure Authentication. Are you sure you do it right?
Julia unraveled security issues developers should keep in mind to implement SSDLC, gave clues to the secure authentication standards, and shared experience on how to avoid typical auth mistakes in iOS apps.
10 lines of encryption, 1500 lines of key management
Watch a story behind implementing end-to-end encryption for Bear application. Anastasiia explained the security engineering flow: protocol design, selecting cryptographic library, cryptocoding techniques, building defence-in-depth and preparing for incidents. Learn how to build an encryption engine for the app with 6M users.
Security, privacy and cryptography at WWDC19
Apple made many announcements on WWDC 2019 about cryptography, cybersecurity and privacy. Anastasiia highlighted important changes for developers – including new CryptoKit framework, data privacy regulations, new app permissions.
Secure software development: from rookie to hardcore in 90 minutes [workshop]
A workshop for iOS developers that illustrates typical mistakes they do trying to implement security into their apps. Anastasiia showed an actionable to-do list of things developers might want to improve in their apps, and gave a set of key management techniques for mobile apps.
Zero Knowledge Architecture Approach for Mobile Developers [workshop]
A workshop for iOS developers that illustrates how to implement end-to-end encryption of Firebase notes application. Zero knowledge algorithms and protocols ensure that no keys, passwords, files, or any other sensitive material ever gets transferred in an unencrypted or reversible form. Workshop code contains two encryption schemes and set of general recommendations of improving security of any iOS application.
X things you need to know before implementing cryptography
A “tips and tricks” talk for mobile developers. Even when developers create apps with security in mind, (at least try to) protect user secrets, and don’t reveal unencrypted data, attackers can still find ways to bypass these security measures by exploiting architectural weaknesses and non-obvious, yet very simple vulnerabilities. The talk is about all the tiny bits and pieces that are necessary for making your app secure against simple attacks way before focusing on the hard things (like cryptography).
Zero-knowledge architectures for mobile applications
The talk focused on real-world problems that ZKA counters, typical cryptographic designs and progress in different spheres of ZKA. The talk also explained the practical approaches useful for mobile developers (implementing data sharing and user collaboration on data in a cloud in a way that makes a mobile app provably secure).
Key management approaches for mobile applications
Trust is built around various trust tokens: keys, passwords, secrets, biometric properties, things you have and things you know. Key management is complicated when done the right way.