Speaker

Grant Douglas

Mobile Security Researcher, NowSecure

Grant Douglas is a security research engineer at mobile security provider NowSecure. Grant has worked in the software security industry for over a decade and has an academic background in offensive and defensive security testing activities, including reverse engineering, design review, threat modelling, secure source code review, penetration testing, exploitation, and more. Grant specialised in mobile security in 2013 and has continued to contribute tools, talks, and ideas to the community. Grant now helps NowSecure pioneer best-in-class automated mobile security testing solutions, spending each day looking for new ways to automate complex workflows within apps and to interactively identify vulnerabilities and privacy concerns through a combination of static and dynamic analysis.

Mobile App Decomposition - what exactly are your apps made of?

Software Composition Analysis (SCA) is an ever-growing topic of concern amongst organisations looking to improve and maintain their security posture across their application portfolio. Software composition is a deep and complex rabbit hole, and developers and security folks alike are regularly looking for ways to identify and track the bill of materials (BoM) of each application used within the organisation. As a developer, security team, or product owner, I need to know what software we own, maintain, and use, but also: what dependencies or components are utilised by each application? Furthermore, what dependencies are pulled in by those dependencies? How many individual components does my app consist of? How many of those components are actively and adequately maintained? Are there known vulnerabilities in any of them? Am I exposed to any legal issues arising from the software licences these components carry? Are any of the externally hosted projects vulnerable to squatting attacks? How many of my apps, or of the apps used by the organisation, are vulnerable to the new SDK vulnerability published last Friday?

Mobile apps are especially prone to such issues, since they are constructed from large volumes of third-party components stretching across multiple ecosystems such as npm, CocoaPods, Maven, and others.

During this talk, we’ll discuss mobile SCA at length and detail some of the ways you can tear apart a mobile app and build an understanding of what its bill of materials looks like and of any issues therein. We’ll also look at metrics around mobile app component volume, identifiable issues, and other interesting stats, in an effort to quantify just how challenging mobile SCA is.