Monday, April 23, 2012

OWASP APAC 2012 Experience

This year OWASP APAC conference was held at Sydney from Apr 11 to 14. Paladion was invited yet again at the OWASP conference after Jaideep & Siddharth presented at Gold Coast in 2009.

This time Dinesh & myself were conducting a training class on “Mobile Applications & Security”, followed by a talk next day on “Advanced Mobile Application Code Review Techniques”.

About the Training: It was interesting to see some of the web/mobile app developers and the prospective mobile app developers in our class. We started with the mobile introductions and threat modeling. Rest of our session focused on Android & iOS. We taught Android architecture, development basics, security testing, demonstrated security vulnerability via a vulnerable application coded by our team. (The Android vulnerable application can be downloaded at Paladion Labs section at We did the same cycle for iOS applications. We concluded the class with a discussion on OWASP Mobile Top 10 Risks.

About the Talk:  We were discussing the mobile application vulnerabilities from the code base for half of the time, focusing on Android & iOS application vulnerabilities. Later we presented on automating the static analysis to discover these vulnerabilities at pace. We discussed the analysis logic & keywords for the vulnerabilities. We have developed a batch script for the Android, which we demonstrated during the talks. The same is also available for download at Paladion Labs.

We got some of the good feedbacks from attendees. This gives an enthusiastic & satisfactory feeling about the work we have been doing for a while. We met some of the well known security guys, hackers & security enthusiasts. It was good to be the part of a global conference & attend the best talks in the industry. I personally loved Mike Park’s “Mobile Security on iOS & Android”, Jason Haddix’s “Pentesting iOS Applications”, Christian Frichot on BeEF and Justin Searle discussing Grid Apps Pentest. Jeremiah Grossman presented some of the useful statistics during his keynote. OWASP Panel Discussion & the OWASP sponsored Dinner were also enjoyed by maximum.

All presentations should be available online in a week at OWASP wiki. Paladion Android vulnerable application & the script for static analysis are available for download here. We look forward to participate more at global conferences.