SlideShare a Scribd company logo

Mobile Application Security

Download as PPTX, PDF
Lenin Aboagye, profile picture
Lenin Aboagye

This document discusses security risks associated with mobile apps. It begins with an introduction to the presenters and an overview of the growth of mobile apps and associated security concerns. It then identifies the top 3 risks as side channel data leakage, insecure transport and server controls, and insecure data storage. Examples are provided for each. The document recommends countermeasures like secure programming practices, encryption of data, and secure design principles. It also discusses strategies for mobile security including mobile information management, mobile application management, and mobile device management and the challenges associated with each.

Technology
Related topics:
Mobile App InsightsMobile Security Insights
1 of 39
Downloaded 25 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
Mobile Apps Security Risk Assessment Kartik Trivedi / Lenin Aboagye
For the Demo… please download and install the following apps on your mobile device and create an account 2
Who are we? • Kartik Trivedi – Co-founder of Symosis – Author / Speaker / Interviews - Forbes, Security Focus, Tech world, Security News, etc – Golfer (Advanced Amateur? ) • Lenin Aboagye – Security Architect Apollo group – Cloud / Mobile security expert – Media & Television, Education, Health, Real Estate and Energy industries experience 3
Agenda Introduction Growth / Revenue Security Concerns Mobile Apps Top 3 Risks Countermeasures & Risk Management 4
There is an App for that! 5
There is an App for that! • Pay bills • Small Business Payroll • File income taxes • Pay invoice • Pay property tax • Location based check in • Scan & Shop • Personal finance • Deposit checks • Investments & 401k • Transfer money • Health & Fitness • Store medical records • Productivity • Refill prescription • Facebook / twitter • Manage health information • Place bets on sports • Remember your meds • Utilities • Book flight / hotel • Store passwords • Medscape / pharmacopia • Document storage 6
7
53% of Fortune 500 companies have mobile apps 8
Business Case for Mobile Presence • Networking / communication - unprecedented level of connectivity between employees, vendors, and/or customers • Instant Feedback - sharing information through this medium allows businesses to get immediate feedback on products and services from customers. • Marketing - SMS (text) messaging, mobile websites, mobile applications, banner ads, QR codes, IVR messaging and more. • Commerce – Mobile ticketing, vouchers, coupons, loyalty cards, content purchase, delivery, location based services, Information services, mobile banking, mobile brokerage, mobile purchase 9
Security Concerns • Side Channel Data Leakage • Activity monitoring and data retrieval • Insufficient Transport Layer Protection • Unauthorized dialing, SMS, and payments • Weak Server Side Controls • Unauthorized network connectivity (data exfiltration or command & control) • Insecure Data Storage • UI (unique identifier) impersonation • Client Side Injection • System modification (rootkit, APN proxy • Poor Authorization and configuration) Authentication • Mobile Malware • Improper Session Handling • Criminals Target and Infect App Stores • Security Decisions Via Untrusted Inputs • Social-Engineering • Geolocation compromise • Broken Cryptography • Security Regulatory Compliance • Sensitive Information Disclosure • Device Risk • Hardcoded password/keys • BYOD / MDM • Privacy compliance • Application management • Identity exposure • Installation of un-verified / unsigned 3rd party apps 10
Agenda Introduction Growth / Revenue Security Concerns Mobile Apps Top 3 Risks Side Channel Leakage Insecure Transport / Server Controls Insecure Data Storage Countermeasures & Risk Management 11
Side Channel Data Leakage Data leakage via platform defaults, use of third party libraries, logging, etc • SnapShot (ie- iOS backgrounding) • Plist files Sometimes result of programmatic flaws
Demo 13
14
15
Agenda Mobile Platform Risks Mobile Apps Top 3 Risks Side Channel Leakage Insecure Transport / Server Controls Insecure Data Storage Countermeasures & Risk Management 16
Insecure Transport/Server Controls Failing to encrypt sensitive network traffic consisting of sensitive data Insecure server controls - web, application and backend API - can lead to security compromise
Demo 18
Mobile Application Security
20
TOC Mobile Platform Risks Mobile Apps Top 3 Risks Side Channel Leakage Insecure Transport / Server Controls Insecure Data Storage Countermeasures & Risk Management 21
Insecure Data Storage Locally stored data both on native and browser based apps that includes • SQLite / Cache files • Keychain – Is this really secure? 22
Demo 23
24
Risk & Impact: High Sensitive Data exposure • Username & password • PII, SSN, Health Information • Device ID, Application configuration • Account Number, Credit Card, Financial Information Loss of Data Confidentiality & Integrity Data Tempering Man-in-the-Middle (MITM attack) Impersonation Unauthorized access to application data or functionality Privacy Violations / reputation damage
Agenda Introduction Mobile Apps Top 3 Risks Insecure Data Storage Insecure Transport / Server Controls Side Channel Leakage Countermeasures & Risk Management Tactical Strategic 26
Secure Programming / Education Disable Cache - Set the autocorrectionType property to UITextAutocorrectionNo for UITestField Disable Snapshot – Use applicationWillResignActive delegate method Disable Logs – Disable NSLog and NSAssert Disable Insecure HTTP - Use NSURLConnection along with canAuthenticateAgainstProtectionSpace 27
Encrypt Data Data Protection API - set the NSFileProtectionKey on an existing file Keychain – Apple recommends storing Sensitive data like passwords and keys in the Keychain CCCrypt - provides access to AES, DES, 3DES SQLCipher (IOS & Android) - transparent 256- bit AES encryption of database files 28
Secure Design / Architecture • Do not trust the client. Store sensitive data on the server • Perform server side data validation and canonicalization • Only collect and disclose data which is required for business use of the application • Define and deploy secure configuration • Establish common set of security requirements • Perform periodic security scans and audits • Protect sensitive data using HTTPS & SSL • Do not log credentials, PII and other sensitive data • Review all third party libraries before use 29
Agenda Mobile Platform Risks Mobile Apps Top 3 Risks Security Controls & Risk Management Tactical Strategic 30
Mobile Strategy & Challenges • The are 3 major components of a mobile strategy that most organizations have to apply – Mobile Information Management(MIM) – Mobile Application Management(MAM) – Mobile Device Management(MDM) 31
MIM • MIM refers to cloud-based services that syncs files and documents across different devices • MIM allows for sharing data of varying security classification across devices with varying degrees of trust • MIM intersects Cloud and Mobile Security • Public MIM services are Dropbox, Box, Microsoft SkyDrive, GoogleDrive • Corporate MIM solutions include Monodesk, WatchDox, Citrix ShareFile, Vmware Octopus • NFC technologies could be classified as MIM 32
Security Challenges -MIM • BYOD in corporate environments • Potential synching of corporate data across both corporate and non-corporate issued endpoints • Sensitive bi-directional data leakage from user’s private and personal data into corporate and vice-versa • Access and Identity Management • Data classification , identification and protection • Difficult to apply and enforce any corporate security configurations across mobile devices • No existing virtual segregation capabilities for corporate/user components to allow for different security policies to be applied based on risk 33
MDM • MDM involves downloading software that allows users/organizations to lock down • MDM allows controls like monitoring, encryption, policy enforcement , remote wiping etc.. • Addresses security at the device level as opposed to the application level • Especially challenging in BYOD era • One policy regardless of varying classification levels of applications on device – Policies like remote wiping could adversely affect user personal /private data 34
Security Issues-MDM • Addresses security of device only • Has little insight into security health of applications • Treats all applications and all data at the same classification level • Difficulties in adoption in corporate environments that allows BYOD • Does not affect or improve the security of applications 35
MAM • MAM solutions allow users and organizations to control the security of specific applications that are deployed on mobile endpoints • MAM can allow an organization to deliver applications like secure email, calendar, expense reporting • Allows security policies to be applied exclusively on specific applications based on their security classification – Encryption, remote wipe, remote application kill etc.. 36
Security Issues-MAM • MAM seems to have the answer for MIM’s security challenges • MAM should solve the BYOD challenges since it allows for security policies to be applied to corporate applications and their data and allows for non-visibility into personal user information • MAM solutions have several challenges: – Rewrite secure versions of vendor applications(functionality challenges) – Allow vendors plug into their security platform – Currently works only an a few apps – Create a wrapper around vendor applications (most vendors will not provide original packaged files to wrap with MAM tools) 37
Mobile Security Convergence MDM All mobile security strategies converge on these MIM approaches MAM Mobile Application Security 38
Thanks for listening… kartik@symosis.com / Lenin.Aboagye@apollogrp.edu Email info@symosis.com for a free seat to the Mobile Apps Top 10 Security Risk Training Course 39

More Related Content

PDF
SmartDevCon - Katowice - 2013
Petr Dvorak
 
PDF
Tips and Tricks for Building Secure Mobile Apps
TechWell
 
PPTX
Webinar on Enterprise Security & android
Endeavour Software Technologies
 
PDF
2012 State of Mobile Survey Global Key Findings
Symantec
 
PDF
Mobile Security for Banking and Finance
Sierraware
 
PDF
BYOD / Mobile-Device Security Guidelines for CxO's
Patrick Angel - MBA, CISSP(c) CISM(c) CRISC(c) CISA(c)
 
PDF
Mobile Security for Smartphones and Tablets
Vince Verbeke
 
PDF
Roadmap to Healthcare HIPAA Compliance and Mobile Security for BYOD
Sierraware
 
SmartDevCon - Katowice - 2013
Petr Dvorak
 
Tips and Tricks for Building Secure Mobile Apps
TechWell
 
Webinar on Enterprise Security & android
Endeavour Software Technologies
 
2012 State of Mobile Survey Global Key Findings
Symantec
 
Mobile Security for Banking and Finance
Sierraware
 
BYOD / Mobile-Device Security Guidelines for CxO's
Patrick Angel - MBA, CISSP(c) CISM(c) CRISC(c) CISA(c)
 
Mobile Security for Smartphones and Tablets
Vince Verbeke
 
Roadmap to Healthcare HIPAA Compliance and Mobile Security for BYOD
Sierraware
 

What's hot (20)

PDF
ISACA CACS 2012 - Mobile Device Security and Privacy
Michael Davis
 
PDF
Session 4 Enterprise Mobile Security
Santosh Satam
 
PPTX
Webinar Express: Securing BYOD without MDM
Bitglass
 
PDF
WEBINAR - August 9, 2016: New Legal Requirements for Mobile Security
MobileIron
 
PDF
880 st011
Chandra Rao
 
PPTX
Security Imeprative for iOS and Android Apps
Symosis Security (Previously C-Level Security)
 
PPTX
Mobile Device Security Training
Bryan Len
 
PPTX
Mobile Device Managment
InnoTech
 
PDF
SierraVMI Virtual Mobile Infrastructure (VMI). Android-based VDI.
Sierraware
 
PDF
Cut BYOD Costs Using Virtual Mobile Infrastructure - VMI
Sierraware
 
PDF
IBM MaaS360 with watson
Prime Infoserv
 
PDF
Building secure mobile apps
Martin Vigo
 
PDF
Your Shortcut to BYOD Success
Sierraware
 
PPTX
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
IBM Security
 
PPTX
2015 Endpoint and Mobile Security Buyers Guide
Lumension
 
PPTX
IBM MaaS360 with Watson
Killian Delaney
 
PDF
BYOD: Device Control in the Wild, Wild, West
Jay McLaughlin
 
PPT
Mobile phone as Trusted identity assistant
Vladimir Jirasek
 
PPTX
Mobile Security for the Enterprise
Will Adams
 
PDF
Laptop management
Killian Delaney
 
ISACA CACS 2012 - Mobile Device Security and Privacy
Michael Davis
 
Session 4 Enterprise Mobile Security
Santosh Satam
 
Webinar Express: Securing BYOD without MDM
Bitglass
 
WEBINAR - August 9, 2016: New Legal Requirements for Mobile Security
MobileIron
 
880 st011
Chandra Rao
 
Security Imeprative for iOS and Android Apps
Symosis Security (Previously C-Level Security)
 
Mobile Device Security Training
Bryan Len
 
Mobile Device Managment
InnoTech
 
SierraVMI Virtual Mobile Infrastructure (VMI). Android-based VDI.
Sierraware
 
Cut BYOD Costs Using Virtual Mobile Infrastructure - VMI
Sierraware
 
IBM MaaS360 with watson
Prime Infoserv
 
Building secure mobile apps
Martin Vigo
 
Your Shortcut to BYOD Success
Sierraware
 
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
IBM Security
 
2015 Endpoint and Mobile Security Buyers Guide
Lumension
 
IBM MaaS360 with Watson
Killian Delaney
 
BYOD: Device Control in the Wild, Wild, West
Jay McLaughlin
 
Mobile phone as Trusted identity assistant
Vladimir Jirasek
 
Mobile Security for the Enterprise
Will Adams
 
Laptop management
Killian Delaney
 
Ad

Viewers also liked (11)

PDF
Mobile Threats and Owasp Top 10 Risks
Santosh Satam
 
PPTX
Top mobile security threats
RingtoIndia
 
PDF
Malicious android-applications-risks-exploitation 33578
skowshik
 
PDF
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Denim Group
 
PDF
Mobile Application Security Threats through the Eyes of the Attacker
bugcrowd
 
PDF
Threat Modelling
n|u - The Open Security Community
 
PPTX
Data and Message Security
Nrapesh Shah
 
PPTX
Client server security threats
rahul kundu
 
PPT
Types of attacks and threads
srivijaymanickam
 
PDF
SN-Security Architecture for Mobile Computing and IoT
Sukumar Nayak
 
PPTX
Data Network Security
Atif Rehmat
 
Mobile Threats and Owasp Top 10 Risks
Santosh Satam
 
Top mobile security threats
RingtoIndia
 
Malicious android-applications-risks-exploitation 33578
skowshik
 
Threat Modeling for System Builders and System Breakers - Dan Cornell of Deni...
Denim Group
 
Mobile Application Security Threats through the Eyes of the Attacker
bugcrowd
 
Threat Modelling
n|u - The Open Security Community
 
Data and Message Security
Nrapesh Shah
 
Client server security threats
rahul kundu
 
Types of attacks and threads
srivijaymanickam
 
SN-Security Architecture for Mobile Computing and IoT
Sukumar Nayak
 
Data Network Security
Atif Rehmat
 
Ad

Similar to Mobile Application Security (20)

PPT
Mobile Apps Security
Xavier Mertens
 
PPT
Udløs potentialet i Enterprise Mobility, Vijay Dheap, IBM US
IBM Danmark
 
PPTX
Security and Mobile Application Management with Worklight
IBM WebSphereIndia
 
PDF
Developing Secure Mobile Applications
Denim Group
 
PDF
Websense: A 3-step plan for mobile security
arms8586
 
PDF
Mobile Security
Doug Robinson
 
PDF
Mobile Security
Fresh Digital Group
 
PDF
Mobile Security
Xavier Mertens
 
PDF
Mobile Application Security
Dirk Nicol
 
PDF
C0c0n 2011 mobile security presentation v1.2
Santosh Satam
 
PDF
การสร้างเกราะป้องกันภัยคุกคาม ต่อข้อมูลความเป็นส่วนบุคคลในองค์กร
Software Park Thailand
 
PDF
The New Mobile Landscape - OWASP Ireland
Tyler Shields
 
PDF
Jerry Romanek series mobile development 2012 year end review
Leigh Williamson
 
PPTX
Outside the Office: Mobile Security
McKonly & Asbury, LLP
 
PDF
Mobile Apps and Security Attacks: An Introduction
Nagarro
 
PDF
Security In A Hybrid MAM and MDM World
Apperian
 
PDF
CNIT 128 8: Mobile development security
Sam Bowne
 
PDF
Securing Mobile Apps: New Approaches for the BYOD World
Apperian
 
PPTX
APPNATION IV - The State of Security in the Mobile Enterprise - Cesare Garlati
Masha Geller
 
PDF
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
eightbit
 
Mobile Apps Security
Xavier Mertens
 
Udløs potentialet i Enterprise Mobility, Vijay Dheap, IBM US
IBM Danmark
 
Security and Mobile Application Management with Worklight
IBM WebSphereIndia
 
Developing Secure Mobile Applications
Denim Group
 
Websense: A 3-step plan for mobile security
arms8586
 
Mobile Security
Doug Robinson
 
Mobile Security
Fresh Digital Group
 
Mobile Security
Xavier Mertens
 
Mobile Application Security
Dirk Nicol
 
C0c0n 2011 mobile security presentation v1.2
Santosh Satam
 
การสร้างเกราะป้องกันภัยคุกคาม ต่อข้อมูลความเป็นส่วนบุคคลในองค์กร
Software Park Thailand
 
The New Mobile Landscape - OWASP Ireland
Tyler Shields
 
Jerry Romanek series mobile development 2012 year end review
Leigh Williamson
 
Outside the Office: Mobile Security
McKonly & Asbury, LLP
 
Mobile Apps and Security Attacks: An Introduction
Nagarro
 
Security In A Hybrid MAM and MDM World
Apperian
 
CNIT 128 8: Mobile development security
Sam Bowne
 
Securing Mobile Apps: New Approaches for the BYOD World
Apperian
 
APPNATION IV - The State of Security in the Mobile Enterprise - Cesare Garlati
Masha Geller
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
eightbit
 

Recently uploaded (20)

PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
KodekX | Application Modernization Development
KodekX
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
KodekX | Application Modernization Development
KodekX
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Approach and Philosophy of On baking technology
30anthuong17
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Cloud computing and distributed systems.
kkkkkhan
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 

Mobile Application Security

  • 1. Mobile Apps Security Risk Assessment Kartik Trivedi / Lenin Aboagye
  • 2. For the Demo… please download and install the following apps on your mobile device and create an account 2
  • 3. Who are we? • Kartik Trivedi – Co-founder of Symosis – Author / Speaker / Interviews - Forbes, Security Focus, Tech world, Security News, etc – Golfer (Advanced Amateur? ) • Lenin Aboagye – Security Architect Apollo group – Cloud / Mobile security expert – Media & Television, Education, Health, Real Estate and Energy industries experience 3
  • 4. Agenda Introduction Growth / Revenue Security Concerns Mobile Apps Top 3 Risks Countermeasures & Risk Management 4
  • 5. There is an App for that! 5
  • 6. There is an App for that! • Pay bills • Small Business Payroll • File income taxes • Pay invoice • Pay property tax • Location based check in • Scan & Shop • Personal finance • Deposit checks • Investments & 401k • Transfer money • Health & Fitness • Store medical records • Productivity • Refill prescription • Facebook / twitter • Manage health information • Place bets on sports • Remember your meds • Utilities • Book flight / hotel • Store passwords • Medscape / pharmacopia • Document storage 6
  • 7. 7
  • 8. 53% of Fortune 500 companies have mobile apps 8
  • 9. Business Case for Mobile Presence • Networking / communication - unprecedented level of connectivity between employees, vendors, and/or customers • Instant Feedback - sharing information through this medium allows businesses to get immediate feedback on products and services from customers. • Marketing - SMS (text) messaging, mobile websites, mobile applications, banner ads, QR codes, IVR messaging and more. • Commerce – Mobile ticketing, vouchers, coupons, loyalty cards, content purchase, delivery, location based services, Information services, mobile banking, mobile brokerage, mobile purchase 9
  • 10. Security Concerns • Side Channel Data Leakage • Activity monitoring and data retrieval • Insufficient Transport Layer Protection • Unauthorized dialing, SMS, and payments • Weak Server Side Controls • Unauthorized network connectivity (data exfiltration or command & control) • Insecure Data Storage • UI (unique identifier) impersonation • Client Side Injection • System modification (rootkit, APN proxy • Poor Authorization and configuration) Authentication • Mobile Malware • Improper Session Handling • Criminals Target and Infect App Stores • Security Decisions Via Untrusted Inputs • Social-Engineering • Geolocation compromise • Broken Cryptography • Security Regulatory Compliance • Sensitive Information Disclosure • Device Risk • Hardcoded password/keys • BYOD / MDM • Privacy compliance • Application management • Identity exposure • Installation of un-verified / unsigned 3rd party apps 10
  • 11. Agenda Introduction Growth / Revenue Security Concerns Mobile Apps Top 3 Risks Side Channel Leakage Insecure Transport / Server Controls Insecure Data Storage Countermeasures & Risk Management 11
  • 12. Side Channel Data Leakage Data leakage via platform defaults, use of third party libraries, logging, etc • SnapShot (ie- iOS backgrounding) • Plist files Sometimes result of programmatic flaws
  • 13. Demo 13
  • 14. 14
  • 15. 15
  • 16. Agenda Mobile Platform Risks Mobile Apps Top 3 Risks Side Channel Leakage Insecure Transport / Server Controls Insecure Data Storage Countermeasures & Risk Management 16
  • 17. Insecure Transport/Server Controls Failing to encrypt sensitive network traffic consisting of sensitive data Insecure server controls - web, application and backend API - can lead to security compromise
  • 18. Demo 18
  • 20. 20
  • 21. TOC Mobile Platform Risks Mobile Apps Top 3 Risks Side Channel Leakage Insecure Transport / Server Controls Insecure Data Storage Countermeasures & Risk Management 21
  • 22. Insecure Data Storage Locally stored data both on native and browser based apps that includes • SQLite / Cache files • Keychain – Is this really secure? 22
  • 23. Demo 23
  • 24. 24
  • 25. Risk & Impact: High Sensitive Data exposure • Username & password • PII, SSN, Health Information • Device ID, Application configuration • Account Number, Credit Card, Financial Information Loss of Data Confidentiality & Integrity Data Tempering Man-in-the-Middle (MITM attack) Impersonation Unauthorized access to application data or functionality Privacy Violations / reputation damage
  • 26. Agenda Introduction Mobile Apps Top 3 Risks Insecure Data Storage Insecure Transport / Server Controls Side Channel Leakage Countermeasures & Risk Management Tactical Strategic 26
  • 27. Secure Programming / Education Disable Cache - Set the autocorrectionType property to UITextAutocorrectionNo for UITestField Disable Snapshot – Use applicationWillResignActive delegate method Disable Logs – Disable NSLog and NSAssert Disable Insecure HTTP - Use NSURLConnection along with canAuthenticateAgainstProtectionSpace 27
  • 28. Encrypt Data Data Protection API - set the NSFileProtectionKey on an existing file Keychain – Apple recommends storing Sensitive data like passwords and keys in the Keychain CCCrypt - provides access to AES, DES, 3DES SQLCipher (IOS & Android) - transparent 256- bit AES encryption of database files 28
  • 29. Secure Design / Architecture • Do not trust the client. Store sensitive data on the server • Perform server side data validation and canonicalization • Only collect and disclose data which is required for business use of the application • Define and deploy secure configuration • Establish common set of security requirements • Perform periodic security scans and audits • Protect sensitive data using HTTPS & SSL • Do not log credentials, PII and other sensitive data • Review all third party libraries before use 29
  • 30. Agenda Mobile Platform Risks Mobile Apps Top 3 Risks Security Controls & Risk Management Tactical Strategic 30
  • 31. Mobile Strategy & Challenges • The are 3 major components of a mobile strategy that most organizations have to apply – Mobile Information Management(MIM) – Mobile Application Management(MAM) – Mobile Device Management(MDM) 31
  • 32. MIM • MIM refers to cloud-based services that syncs files and documents across different devices • MIM allows for sharing data of varying security classification across devices with varying degrees of trust • MIM intersects Cloud and Mobile Security • Public MIM services are Dropbox, Box, Microsoft SkyDrive, GoogleDrive • Corporate MIM solutions include Monodesk, WatchDox, Citrix ShareFile, Vmware Octopus • NFC technologies could be classified as MIM 32
  • 33. Security Challenges -MIM • BYOD in corporate environments • Potential synching of corporate data across both corporate and non-corporate issued endpoints • Sensitive bi-directional data leakage from user’s private and personal data into corporate and vice-versa • Access and Identity Management • Data classification , identification and protection • Difficult to apply and enforce any corporate security configurations across mobile devices • No existing virtual segregation capabilities for corporate/user components to allow for different security policies to be applied based on risk 33
  • 34. MDM • MDM involves downloading software that allows users/organizations to lock down • MDM allows controls like monitoring, encryption, policy enforcement , remote wiping etc.. • Addresses security at the device level as opposed to the application level • Especially challenging in BYOD era • One policy regardless of varying classification levels of applications on device – Policies like remote wiping could adversely affect user personal /private data 34
  • 35. Security Issues-MDM • Addresses security of device only • Has little insight into security health of applications • Treats all applications and all data at the same classification level • Difficulties in adoption in corporate environments that allows BYOD • Does not affect or improve the security of applications 35
  • 36. MAM • MAM solutions allow users and organizations to control the security of specific applications that are deployed on mobile endpoints • MAM can allow an organization to deliver applications like secure email, calendar, expense reporting • Allows security policies to be applied exclusively on specific applications based on their security classification – Encryption, remote wipe, remote application kill etc.. 36
  • 37. Security Issues-MAM • MAM seems to have the answer for MIM’s security challenges • MAM should solve the BYOD challenges since it allows for security policies to be applied to corporate applications and their data and allows for non-visibility into personal user information • MAM solutions have several challenges: – Rewrite secure versions of vendor applications(functionality challenges) – Allow vendors plug into their security platform – Currently works only an a few apps – Create a wrapper around vendor applications (most vendors will not provide original packaged files to wrap with MAM tools) 37
  • 38. Mobile Security Convergence MDM All mobile security strategies converge on these MIM approaches MAM Mobile Application Security 38
  • 39. Thanks for listening… kartik@symosis.com / Lenin.Aboagye@apollogrp.edu Email info@symosis.com for a free seat to the Mobile Apps Top 10 Security Risk Training Course 39

Editor's Notes

  • #5: Please make a selection by clicking on the
  • #6: Mobile App Growth
  • #8: How consumers are evolving and changing their mobile behaviorhttp://www.pwc.com/us/en/industry/entertainment-media/publications/assets/consumer-research-series-smartphones.pdf
  • #9: Mobile AppGrowth - http://www.appconomist.com/2011/08/01/fortune-500-apps-a-50-update/TransactionMarketingSMS / TXT MarketingNews AlertsTake a picture QR codes
  • #10: http://www.strategicgrowthconcepts.com/growth/increase-productivity--profitability.html
  • #12: Please make a selection by clicking on the
  • #13: Side channel data leakage applies to data leakage via platform defaults, use of third party libraries, logging, etc. In order to provide the visual iOS has been proven to capture and store snapshots.This occurs when a device suspends (rather than terminates), when either the home button is pressed, or a phone call or other event temporarily suspends the applicationPlist is a structured text file that contains essential configuration information for a bundled executable
  • #15: A PLIST (Property List) file is an XML file that holds application properties. Some applications store sensitive information in the plist files including authentication credentials, PIN and oAUTH tokensPlist files can be found in several location in the application directory . An example location and plist file content storing sensitive authentication credentials are shown on the screen
  • #16: http://garethwright.com/blog/facebook-mobile-security-hole-allows-identity-theft#
  • #17: Please make a selection by clicking on the
  • #18: Web sites and servers sometimes have improperly configured SSL certificates. This causes warning messages which are often ignored by the users. This results in users Phishing attacks where users end up providing personal information and private data to malicious websites that look like legitimate applicationsApplications that fall back or can be forced out of an encrypting mode can also be abused by attackers resulting in insecure communication. This is common on sites that operate on both HTTP and HTTPS services, or by the implementation of older versions of SSL on the web server that are vulnerable to downgrade attacks.
  • #20: In 2011, it was discovered that Android devices transmitted data and AuthToken session cookie via insecure HTTP. AuthToken is not bound to any session or device and thus would allow an adversary to access any personal data which is made available through the service API. This includes Google calendar, picasa and contact information for that user. For more Reference: http://www.uni-ulm.de/in/mi/mitarbeiter/koenings/catching-authtokens.htmlThe issue here is the use of insecure HTTP channel which allows network eavesdropping of the authToken and user data
  • #21: http://www.theverge.com/2012/2/14/2798008/ios-apps-and-the-address-book-what-you-need-to-know
  • #22: Please make a selection by clicking on the
  • #23: InsecureData Storage applies to the locally stored data by the mobile applications. There are two types of mobiles apps - native apps and browser based apps. Native apps are apps that is installed in the handset, processes data locally and may connect to the internet for updates or sending user specific information to the server. Example: Gaming apps, News apps, etc. Browser based apps are apps that are accessible via mobile browser. This vulnerability applies to both categories of apps.Most apps stores user specific information on mobile devices. This data may be stored in clear text and may includeUsername and passwordPII, SSN, Health InformationDevice ID, Application configurationAccount Number, Credit Card, Financial Information
  • #25: http://blog.agilebits.com/2012/04/06/oauth-dropbox-and-your-1password-data/
  • #26: Insecure transport layer protection is considered a high risk security vulnerabilityThe impact could includeLoss of Data Confidentiality & Integrity when sensitive information is revealed to the attackerData Tampering when attacker modifies application traffic and force user accept itMan-in-the-Middle (MITM attack) if an attacker diverts all traffic through an insecure channelImpersonation if the attacker hijacks user account
  • #27: Please make a selection by clicking on the
  • #28: Disable the auto-correct feature for any sensitive information, not just for password fields. Since the keyboard caches sensitive information, it may be recoverable. For UITextField, look into setting the autocorrectionType property to UITextAutocorrectionNo to disable caching. Set UITextField to OFF to prevent caching altogetherAdd an enterprise policy to clear the keyboard dictionary at regular intervals. This can be done by the end user by simply going to the Settings application, General > Reset > Reset Keyboard Dictionary
  • #31: Please make a selection by clicking on the