Building and Deploying Safe and Secure Android Apps for Enterprise

Presented by Technology Consulting Group

at Endeavour Software Technologies

Session Contents

•  Overview  of  Mobility  and  Mobile  Security  –  Introduc6on  to  Mobility  –  Mobile  Security  

•  Best  Prac6ces  for  Secure  So:ware  Development  

•  Android  OS    –  Security  Architecture  and  deployment  –  Android  A@ack  Surfaces  –  Enterprise  features,  What  can  we  leverage?  

•  Ques6ons?  

©  2011  Endeavour  So:ware  Technologies   2  

•  A  Capability  •  Communicate  and  Access  •  On  the  Move  •  Any6me  •  From  Anywhere  •  Voice,  Messages,  Data  

Enterprise  Mobility    The  ability  of  an  enterprise  to  connect  to  people  and  control  assets  from  any  loca6on.    Technologies  that  support  enterprise  mobility  include  wireless  networks,  mobile  applica9ons,  middleware,  devices,  and  security  and  management  so;ware.    Forrester  Research  Defini9on  

Mobility

©  2011  Endeavour  So:ware  Technologies   3  

What is happening in the Corporate World?

©  2011  Endeavour  So:ware  Technologies   4  

Mobile Security – Everywhere!

Device  Level  

Network  Level  

Applica6on  Level  

©  2011  Endeavour  So:ware  Technologies   5  

Mobile Security Considerations

•  Mobility  Infrastructure  –  Security  is  a  key  focus  area.    –  Ensuring  exis6ng  policies  is  implemented  –  Integra6on  with  exis6ng  tools,  systems  –  Keep  devices  light,  manageable  

•  Mobile  Middleware  PlaXorm  –  Composite  Applica6ons  Landscape  and  devices  –  Mobile  Device  Management  –  Mobile  Data  Synchroniza6on  –  Phased  approach  for  Common  Services  and  

Mobile  Applica6ons  

•  Mobile  Applica6ons  Distribu6on  –  Enterprise  distribu6on  through  OTA  to  specific  

devices  

Infrastructure  

Middleware  

Applica3on  

©  2011  Endeavour  So:ware  Technologies   6  

Application Security – Must Include

User  Authen6ca6on  

Data  Security  on  Device  

Data  in  Transit  Issue  

Device  Management  

and  Applica6on  Provisioning  

©  2011  Endeavour  So:ware  Technologies   7  

Mobile Security Considerations

•  Creden6als  •  IMEI/  2FA  •  OTP,  User  –  Agent  •  Quick  Access  Code,  Token  

Access  

•  Files  •  Key  Storage  •  Resources  

Storage  

•  Session  •  Protocols  •  Connec6on  Points  

Transporta6on  

©  2011  Endeavour  So:ware  Technologies   8  

Enterprise Mobile Security – Do’s

©  2011  Endeavour  So:ware  Technologies   9  

Enterprise Mobile Security – Best Practices

1.  Protect  the  Brand  Your  Customers  Trust  2.  Know  Your  Business  and  Support  it  with  Secure  

Solu6ons  3.  Understand  the  Technology  of  the  So:ware  4.  Ensure  Compliance  to  Governance,  Regula6ons,  

and  Privacy  5.  Know  the  Basic  Tenets  of  So:ware  Security  6.  Ensure  the  Protec6on  of  Sensi6ve  Informa6on  7.  Design,  Develop  and  Deploy  So:ware  with  Secure  

Features  

©  2011  Endeavour  So:ware  Technologies   10  

Android Security Architecture

Permission  Based  Model  

Remote  App  Management  Sandbox  

©  2011  Endeavour  So:ware  Technologies   11  

Android Security – Permission based model

•  Permission-­‐based  Model  – Linux  +  Android’s  Permission  – Well  defined  at  system  level  – Approved  by  user  at  install  – High-­‐level  permissions  restricted  by  Android  run6me  framework  

– For  example,  an  applica6on  that  needs  to  monitor  incoming  SMS  messages  would  specify  

<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.android.app.myapp" > <uses-permission android:name="android.permission.RECEIVE_SMS" /> ... </manifest>

©  2011  Endeavour  So:ware  Technologies   12  

Android Security – Remote App Management

•  Remote  Install/removal  – Google  can  remove  or  install  apps  remotely  – Users  can  install  apps  remotely  from  online  Android  Market  

h@p://market.android.com  

©  2011  Endeavour  So:ware  Technologies   13  

Android Security - Sandbox

©  2011  Endeavour  So:ware  Technologies   14  

Android’s Attack Surfaces

•  Isolated  applica6ons  is  like  having  mul6-­‐user  system  •  Single  UI/  Device    Secure  sharing  of  UI  and  IO  •  Principal  maps  to  code,  not  user  (like  browsers)  •  Appeals  to  user  for  all  security  decisions  •  Phishing  style  a@ach  risks  •  Linux,  not  Java,  Sandbox.  Na6ve  code  not  a  barrier  •  Any  java  App  can  execute  shell,  load  JNI  libraries,  write  and  exec  programs  

Reference  –  iSEC  PARTNERS  

©  2011  Endeavour  So:ware  Technologies   15  

Enterprise features (Froyo/ GingerBread)

•  Remote  wipe  – Remotely  reset  the  device  to  factory  defaults  

•  Improved  security    – Addi6on  of  numeric  pin,  alphanumeric  passwords  to  unlock  the  device  

•  Exchange  calendars  •  Auto-­‐discovery  •  Global  Address  List  •  C2DM*  –  Cloud  to  device  messaging  *S6ll  it  is  part  of  Google  Code  Labs  

©  2011  Endeavour  So:ware  Technologies   16  

Enterprise features (Honeycomb)

•  New  device  administra6on  policies  – Encrypted  storage  – Password  expira6on  – Password  history  – Complex  characters  in  password  

•  Configure  HTTP  proxy  for  each  connected  WiFi  access  point  (AOS  3.1  only)  

•  Encrypted  storage  cards  

©  2011  Endeavour  So:ware  Technologies   17  

Thanks!

•  You!  –  For  pa6ently  listening  to  us!  

•  Silicon  India  team  •  Endeavour’s  Android  TCG  team  •  Happy  to  receive  feedback  and  ques6ons  at  

tcg@techendeavour.com    

18