The Future of Mobile Security | Subho Halder | Be Fearless Podcast EP 15

SquareX

29 Sept 202417:11

Summary

TLDRIn this podcast, Sho, co-founder of Apno, discusses the company’s role in mobile app security and his 13-year journey in the field. He shares insights on mobile security trends, including the rise of mobile apps, digital transformation, and the importance of early-stage security integration through DevSecOps. Sho highlights the challenges posed by the shift to bring-your-own-device (BYOD) policies and the growing attack surface. He emphasizes the significance of passion in starting a cybersecurity career and offers practical advice for aspiring professionals, focusing on learning and hands-on experience.

Takeaways

📱 Apno focuses on mobile app security, conducting security assessments like SAS, DAST, API analysis, and more.
🚀 Sho, co-founder of Apno, started his mobile security journey 13 years ago after creating a mobile spyware tool.
🎤 Sho transitioned from hacking to helping fix security flaws, creating Apno to provide mobile app security solutions.
⚔️ Sho believes knowledge can be used for both good and bad, but it's essential to understand attacks to prevent them.
📈 The mobile security landscape has evolved dramatically, with mobile apps becoming central to businesses, especially in industries like banking.
🔒 The BYOD (Bring Your Own Device) trend has increased the attack surface for companies, requiring better device-level security.
🛠 Companies are shifting towards integrating security earlier in development through DevSecOps, which is now widely adopted.
🌐 Mobile browsers have basic inbuilt security, but apps often rely on developers to ensure security, which creates vulnerabilities.
🔍 Sho highlights the growing use of QR codes as an attack vector, especially as they become more ubiquitous in daily life.
🎓 Sho advises beginners in cybersecurity to focus on passion, explore online courses, and practice through bug bounties to build skills.

Q & A

What is Apno and what does it do?
-Apno is a company focused on mobile app security. They specialize in identifying security issues in mobile applications through techniques like Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), API analysis, and Software Bill of Materials (SBOM) analysis.
How did Sho, the co-founder of Apno, start his journey in mobile security?
-Sho's journey in mobile security began 13 years ago when he was in college and became interested in spying on messages using the first Google G1 phone. This led him to create one of the first spy tools based in India and develop a framework called Android Framework for Exploitation. He later presented this work at Black Hat and other conferences.
How has the mobile security landscape evolved over the past decade?
-The mobile security landscape has transformed significantly in the last 10-13 years. Initially, mobile was an emerging market, but now it is a core interface for many services, including banking, social media, and IoT. Companies are moving away from websites to mobile apps as the primary way to interact with users, creating new security challenges.
What challenges do organizations face with the 'Bring Your Own Device' (BYOD) policy?
-The BYOD policy increases the attack surface for organizations, as employees bring their personal devices into the corporate network. Companies need to implement policies to manage the security of these devices, especially since BYOD became more widespread during the COVID-19 pandemic.
What are Sho's views on the balance between offensive and defensive security?
-Sho believes that knowledge of offensive security, like hacking, is important to understand how attackers operate. However, defensive security, which focuses on identifying and fixing vulnerabilities before they can be exploited, is crucial. Attackers only need one weak point, while defenders must secure all potential vulnerabilities.
How have enterprises' attitudes toward mobile security changed?
-Enterprises have become more aware of mobile security as mobile apps have become integral to their operations. This is particularly true for highly regulated industries like banking, where customers can open accounts and conduct transactions solely through mobile apps, making it critical to secure mobile interfaces.
What is DevSecOps and how is it changing the way companies approach security?
-DevSecOps is the integration of security into the development and operations process from the start, rather than as an afterthought. By incorporating security in the early stages of development, companies can reduce the cost and complexity of fixing security issues later in production.
Why do some organizations still treat security as a secondary concern?
-Some organizations prioritize go-to-market speed and believe that security could slow down their operations. However, Sho points out that the cost of addressing security vulnerabilities after deployment is significantly higher, so companies are gradually adopting practices like DevSecOps to address security earlier in the development process.
How are attackers exploiting mobile devices using QR codes?
-Attackers are using malicious QR codes to trick users into scanning them with their mobile phones, leading to the execution of malicious links. This attack vector has become more common with the widespread use of QR codes for payments, tickets, and other services, making it a growing concern.
What advice does Sho give to students starting their careers in cybersecurity?
-Sho advises students to pursue cybersecurity with passion. He encourages them to take online courses, participate in bug bounty programs, and practice by hacking on platforms like Hack the Box. Hands-on experience and a deep understanding of security are key to succeeding in the field.