Removing Secrets to Make Mobile Apps More MASVS-Secure
Offered By: OWASP Foundation via YouTube
Course Description
Overview
Learn how to make mobile applications more secure by removing secrets from the app binary and following the MASVS (OWASP Mobile Application Security Verification Standard) in this 48-minute conference talk from Global AppSec Dublin. The talk walks through attack surfaces and the defenses that answer them: static analysis of the app package and obfuscation, Play Integrity, manipulator-in-the-middle interception and certificate pinning, pinning bypasses and channel hardening. It then proposes an architecture for user authentication, first-party API calls and remote secrets storage in which the signing secret lives on the backend and can be changed without shipping a new app, and closes with app authentication as a service and meeting the MASVS-RESILIENCE requirements.
Syllabus
Intro
Danger - Hardcoded API Keys
Mobile Attack Surfaces
Attack: Static Analysis
Defense: Obfuscation
Defense: Play Integrity
Attack: Manipulator in the Middle
Defense: Certificate Pinning
Attack: Bypass Certificate Pinning
Defense: Harden Channel
Hide & Seek Observations
How Do We Authenticate Our Users?
Design Objectives
Proposed Architecture
Making a 1st Party API Call
Changing the Signing Secret
Remote Secrets Storage
Managing Certificate Pinning
Signing a Message
Updating Security Live
MASVS Resilience
App Auth as a Service
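The syllabus items "Making a 1st Party API Call", "Changing the Signing Secret", "Remote Secrets Storage" and "Signing a Message" name a request-signing pattern in which the secret is never hardcoded in the app. The following is an added illustration of that pattern, not code from the talk, the speaker or OWASP: the app is assumed to receive a short-lived signing secret and its key id at runtime from a backend service (how that delivery and the attestation in front of it work is not shown), signs each call with HMAC-SHA256 over a canonical form of the request, and the server verifies against a key registry it controls. The key ids, header names, five-minute clock window and sample key bytes are all assumptions made for the example.

```python
"""Request signing where the secret never ships in the app binary.

Added illustration (not the talk's code). The client receives a short-lived
signing secret and its key id at runtime; that delivery is assumed, not shown.
The server owns the key registry, so rotating the signing secret is a
server-side change rather than an app release.
"""
import hashlib
import hmac
import secrets
import time

# Constructed sample keys for the demo; a real registry would hold secrets
# issued to an attested app instance, not fixed values like these.
SIGNING_KEYS = {
    "k1": bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"),
    "k2": bytes.fromhex("ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100"),
}
RETIRED_KIDS = {"k1"}      # rotated out: signatures made under k1 are refused
CLOCK_SKEW_SECONDS = 300   # accept request timestamps within five minutes


def canonical_request(method, path, body, ts, nonce):
    """Bytes the MAC covers: method, path, body hash, timestamp and nonce."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(ts), nonce]).encode()


def sign_request(secret, kid, method, path, body, ts=None, nonce=None):
    """Client side: build the headers for one first-party API call."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    msg = canonical_request(method, path, body, ts, nonce)
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Kid": kid, "X-Ts": str(ts), "X-Nonce": nonce, "X-Sig": sig}


def verify_request(headers, method, path, body, seen_nonces, now=None):
    """Server side: returns (ok, reason). seen_nonces is the replay cache."""
    now = int(time.time()) if now is None else now
    kid = headers.get("X-Kid")
    secret = SIGNING_KEYS.get(kid)
    if secret is None or kid in RETIRED_KIDS:
        return False, "unknown or retired key id"
    try:
        ts = int(headers.get("X-Ts", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > CLOCK_SKEW_SECONDS:
        return False, "timestamp outside window"
    nonce = headers.get("X-Nonce", "")
    if not nonce or nonce in seen_nonces:
        return False, "replayed or missing nonce"
    expected = hmac.new(secret, canonical_request(method, path, body, ts, nonce),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the signature.
    if not hmac.compare_digest(expected, headers.get("X-Sig", "")):
        return False, "bad signature"
    seen_nonces.add(nonce)   # record the nonce only after a successful check
    return True, "ok"


def demo():
    """Valid call, then a replay, a tampered body, a retired key and a stale timestamp."""
    seen = set()
    body = b'{"item":"42"}'
    now = 1_700_000_000   # fixed clock so the walk-through is deterministic
    h = sign_request(SIGNING_KEYS["k2"], "k2", "POST", "/v1/orders", body,
                     ts=now, nonce="a1b2c3d4")
    return [
        verify_request(h, "POST", "/v1/orders", body, seen, now=now)[0],            # accepted
        verify_request(h, "POST", "/v1/orders", body, seen, now=now)[1],            # nonce reuse
        verify_request(h, "POST", "/v1/orders", b'{"item":"43"}', set(), now=now)[1],  # body changed
        verify_request(sign_request(SIGNING_KEYS["k1"], "k1", "GET", "/v1/me", b"", ts=now),
                       "GET", "/v1/me", b"", set(), now=now)[1],                     # rotated-out key
        verify_request(h, "POST", "/v1/orders", body, set(), now=now + 600)[1],     # too old
    ]


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Rotation here is just adding a new key id to the registry and moving the old one into RETIRED_KIDS; clients that fetched the old secret fail closed and must obtain a fresh one, which is the property the talk's "Changing the Signing Secret" item is after. The nonce cache needs to be shared across server instances and expired after the clock window, otherwise a replay within the window against a different backend node would still succeed.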
Taught by
OWASP Foundation
Related Courses
Secure Software Development: Verification and More Specialized Topics (Linux Foundation via edX)
Developing Secure Software (LinkedIn Learning)
Ethical Hacking: Mobile Devices and Platforms (LinkedIn Learning)
Construction Training in All Its Phases - AUTOCAD/STA4/EXCEL/PROJECT (original title: Tüm Aşamalarıyla İnşaat Eğitimi - AUTOCAD/STA4/EXCEL/PROJECT) (Udemy)
Mobile Security: Reverse Engineer Android Apps From Scratch (Udemy)