Lecture about security of mobile applications "Hacking systems for fun and profit"

lecture Oct 15, 2019

An essential factor in the workflow of an IT company is team motivation and education. After all, everyone knows the simple truth that the key to the success of a digital project is highly qualified, motivated, and successful developers. ITOMYCH STUDIO pays special attention to both factors because we are interested in our team players' growth. We understand that only a strong team can create premium-quality mobile and web applications. Among the methods we use to ensure expertise growth is a series of public lectures for the team on up-to-the-minute and engaging topics.

On the one hand, public speaking allows experience and knowledge sharing; on the other hand, lectures diversify the working routine.

So, on Friday, September 13, ITOMYCH STUDIO hosted a lecture on the security of mobile and web applications by Igor Tomych. It is worth noting that the speaker is not only a founder of several companies but also an experienced and skillful developer. Igor has profound knowledge of security, as he graduated from the Information Security with Restricted Access Department of the Kharkiv National University of Radio Electronics. This education is the base that helps the speaker to be a competent architect and CTO at Dozens, a challenger bank in the UK.

Security is a vital point of our business activity because ITOMYCH STUDIO develops a wide range of applications for multiple industries that work with personal and commercial data. Our portfolio includes fintech projects, messengers, social networks, retail loyalty systems, warehouse management systems, and more. Therefore, the security of information and its protection from attacks and data breaches is a critical task of the development process.

So what was the lecture about? As an opening, Igor highlighted the importance of a low-level understanding of a system. No software can work without hardware, and every system starts with a processor. There are three types of processors: ARM, Intel, and MIPS. So, first, we learned how systems work and what they are in general. We reviewed the x86 architecture as the basic architecture of many processors and learned about its main modes: protected mode, virtual 8086 mode, real mode, and system management mode.

The security system can be represented as protection rings. Four levels underpin the information security architecture. These layers separate root and user access to a system:

  • Ring 0 (kernel) — maximum access to the system resources.
  • Ring 1 — device drivers (limited access).
  • Ring 2 — device drivers (limited access).
  • Ring 3 — applications (limited access).

Then we received information on what exploits are and what types of exploits exist. Knowing how local and remote exploitation work makes it possible to implement correct protection of applications and systems against frequent attacks such as DDoS and Evil Maid. Listeners were given definitions of these frequent attacks. DDoS is a standard attack by a large number of requests carried out simultaneously, thereby disrupting the overall functioning of the system. Evil Maid is an attack on a device while it is unattended, causing device access errors and data corruption.

The lecture continued with an explanation of the difference between viruses and rootkits. Among the surprising discoveries: ordinary viruses can disrupt a system only partially and are not life-threatening, while a rootkit is a special kind of system infection whose aim is to make money from the stolen data. Igor stressed the significance of authorization, identification, and authentication. After all, multi-factor authentication can protect a system and the personal data of its users. And the correct implementation of the login/sign-in process influences how easy it is to enter a system.

The speech culminated with information about cryptography. It is the study of methods that ensure confidentiality, data integrity, and authentication. The most common methods are encryption and hashing; however, not every developer understands the difference between them. Thus, particular attention was paid to this point.

To sum up, the lecture was useful not only for developers but also for QA, DevOps engineers, and our managers.

However, this lecture is not the full list of the exciting activities at ITOMYCH STUDIO. Within a week, an outstanding private hackathon will take place for the team only. Anyone from the team will be able to try their hand at breaking systems, which is why the knowledge obtained at the lecture may be helpful.

ITOMYCH STUDIO aims to host interesting meetups, skill-ups, lectures, and hackathons, as such activities help to improve team players' skills and share experience in the short term, and, in the long term, to implement complicated yet sound mobile and web solutions.