Session

Mobile App Decomposition - what exactly are your apps made of?

Software Composition Analysis (SCA) is an ever-growing topic of concern amongst organisations looking to improve and maintain their security posture across their application portfolio. Software composition is a deep and complex rabbit hole, and developers and security folks alike are regularly looking for ways to identify and track the bill of materials (BOM) of each application used within the organisation. As a developer, security team, or product owner, I need to know what software we own, maintain, and use, but also: what dependencies or components are utilised by each application? Furthermore, what dependencies are pulled in transitively by those dependencies? How many individual components does my app consist of? How many of those components are actively and adequately maintained? Are there known vulnerabilities in any of them? Am I exposed to legal issues arising from the software licences of these components? Are any externally hosted projects vulnerable to name-squatting attacks? How many of my apps, or apps used by the organisation, are affected by the SDK vulnerability published last Friday?

Mobile apps are especially prone to such issues, since they are constructed from large volumes of third-party components drawn from multiple ecosystems such as npm, CocoaPods, and Maven.

During this talk, we'll discuss mobile SCA at length and detail some of the ways you can tear apart a mobile app and build up an understanding of what its bill of materials looks like and any issues therein. We'll also look at metrics around mobile app component volume, identifiable issues, and other interesting statistics, in an effort to quantify just how challenging mobile SCA is.
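The following is an added example of a first-pass mobile app decomposition, written for this page; it is not code from the talk or from NowSecure. It treats an APK or IPA as what it is on disk, a zip archive, and derives an initial component list from three packaging conventions: the META-INF/<group>_<artifact>.version marker files that AndroidX/Jetpack artifacts carry, the lib/<abi>/lib*.so layout for native code, and Frameworks/<Name>.framework/Info.plist bundles inside an IPA. The sample archives and every library name and version in them are constructed for the example. Anything in classes.dex or the Mach-O binary itself (the bulk of the real bill of materials) is out of scope here and needs class-path or symbol analysis.

```python
"""Heuristic first-pass inventory of a mobile app archive (APK or IPA).

Added example; uses only the standard library and the file-layout
conventions named in the comments. Sample inputs are constructed.
"""
import io
import plistlib
import re
import zipfile

# AndroidX/Jetpack AARs ship META-INF/<group>_<artifact>.version whose body
# is the Maven version string. Other Maven dependencies have no such marker.
ANDROID_VERSION_FILE = re.compile(
    r"^META-INF/(?P<group>[^/_]+)_(?P<artifact>[^/]+)\.version$")
# Native code is packaged once per ABI under lib/<abi>/lib<name>.so.
ANDROID_NATIVE_LIB = re.compile(r"^lib/(?P<abi>[^/]+)/(?P<name>lib[^/]+\.so)$")
# Dynamic frameworks in an IPA live under Payload/<App>.app/Frameworks/.
IOS_FRAMEWORK_PLIST = re.compile(
    r"^Payload/[^/]+\.app/Frameworks/(?P<name>[^/]+)\.framework/Info\.plist$")


def inventory(archive: bytes) -> list[dict]:
    """Return components found by path and marker-file heuristics, sorted."""
    found: dict[tuple, dict] = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as z:
        for path in z.namelist():
            if m := ANDROID_VERSION_FILE.match(path):
                version = z.read(path).decode("utf-8", "replace").strip()
                found[("maven", m["group"], m["artifact"])] = {
                    "type": "maven",
                    "name": f"{m['group']}:{m['artifact']}",
                    "version": version,
                    # Package URL in the form vulnerability databases key on.
                    "purl": f"pkg:maven/{m['group']}/{m['artifact']}@{version}",
                }
            elif m := ANDROID_NATIVE_LIB.match(path):
                # Same library across ABIs is one component; the .so carries
                # no version metadata, so version stays unknown.
                comp = found.setdefault(("native", m["name"]), {
                    "type": "native", "name": m["name"],
                    "version": None, "purl": None, "abis": []})
                comp["abis"].append(m["abi"])
            elif m := IOS_FRAMEWORK_PLIST.match(path):
                info = plistlib.loads(z.read(path))
                found[("framework", m["name"])] = {
                    "type": "ios-framework", "name": m["name"],
                    "version": info.get("CFBundleShortVersionString"),
                    "bundle_id": info.get("CFBundleIdentifier"),
                    # Mapping a framework back to a pod needs Podfile.lock,
                    # which is not shipped in the IPA.
                    "purl": None,
                }
    for comp in found.values():
        if "abis" in comp:
            comp["abis"].sort()
    return sorted(found.values(), key=lambda c: (c["type"], c["name"]))


def unversioned(components: list[dict]) -> list[str]:
    """Components that cannot yet be matched against an advisory feed."""
    return [c["name"] for c in components if c["version"] is None]


def build_sample_apk() -> bytes:
    """Constructed APK-shaped zip with the kinds of entries a build emits."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"")
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("META-INF/androidx.core_core.version", "1.9.0\n")
        z.writestr("META-INF/androidx.appcompat_appcompat.version", "1.6.1\n")
        for abi in ("arm64-v8a", "armeabi-v7a", "x86_64"):
            z.writestr(f"lib/{abi}/libsqlcipher.so", b"\x7fELF")
    return buf.getvalue()


def build_sample_ipa() -> bytes:
    """Constructed IPA-shaped zip with one embedded framework."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Demo", b"\xcf\xfa\xed\xfe")
        z.writestr(
            "Payload/Demo.app/Frameworks/Alamofire.framework/Info.plist",
            plistlib.dumps({"CFBundleIdentifier": "org.alamofire.Alamofire",
                            "CFBundleShortVersionString": "5.8.1"}))
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("APK", build_sample_apk()), ("IPA", build_sample_ipa())):
        comps = inventory(blob)
        print(label, len(comps), "components; unversioned:", unversioned(comps))
        for c in comps:
            print("  ", c)
```

The `unversioned` list is the part worth reading first: a native library or framework with no recoverable version cannot be matched to an advisory feed, so every entry there is a gap in the BOM rather than a clean bill of health. Run the same functions over a real APK or IPA by passing the file bytes to `inventory`.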

Grant Douglas

Mobile Security Researcher, NowSecure
