Jacob West: Software Security Goes Mobile

Jacob West

Abstract:

In the past decade, mobile devices have led one of the most rapid and widespread technology shifts since the advent of the computer. Studies show that users rely heavily on their mobile devices for a variety of tasks—ranging from shopping to scheduling doctor’s appointments—that would have previously taken them to a laptop or desktop. In the near future, smartphone sales will surpass both feature phone sales in North America and PC sales worldwide. With less than ten percent of the world’s population left uncovered by cellular signals, the rate of adoption shows no sign of slowing.

As society’s reliance on mobile devices grows, so too does the risk posed by vulnerabilities in the software that drives them. In this talk we scrutinize the challenges involved in building secure mobile applications. Throughout, we call attention to differences and similarities between traditional software security assurance initiatives and those focused on mobile. We discuss how frequent reliance on outsourcing complicates security efforts and how the diversification of parties with an interest in mobile security makes assigning accountability for risks tenuous.

Despite lifecycle differences, many mobile applications are simply new clients backed by existing web applications or services and are therefore subject to the same threats they’ve always faced. We review old threats in the new mobile context and go on to discuss threats unique to the mobile landscape, including: attacks against client-side data persistence, MMS, or GPS; malicious inter-application communication; problems with new security features, such as confusing permission models. We conclude the talk with a frank assessment of what software development organizations can do to take control and avoid being the weakest link in the chain of mobile security.

Speaker Bio:

Jacob West is Director, Software Security Research for the Enterprise Security Products division of Hewlett-Packard. West is a world-recognized expert on software security and brings a technical understanding of the languages and frameworks used to build software together with extensive knowledge about how real-world systems fail. In 2007, he co-authored the book “Secure Programming with Static Analysis” with colleague and Fortify founder Brian Chess. Today, the book remains the only comprehensive guide to static analysis and how developers can use it to avoid the most prevalent and dangerous vulnerabilities in code. West is a frequent speaker at industry events, including RSA Conference, Black Hat, Defcon, OWASP, and many others. A graduate of the University of California, Berkeley, West holds dual degrees in Computer Science and French and resides in San Francisco, California.