Android Camp 2011 @ Silicon India
This is the presentation I gave at Android Camp and Mobile Developer Summit held in 2011.
Building and Deploying Safe and Secure Android Apps for Enterprise
Presented by Technology Consulting Group
at Endeavour Software Technologies
Session Contents
• Overview of Mobility and Mobile Security
  – Introduction to Mobility
  – Mobile Security
• Best Practices for Secure Software Development
• Android OS
  – Security Architecture and deployment
  – Android Attack Surfaces
  – Enterprise features, What can we leverage?
• Questions?
© 2011 Endeavour Software Technologies
• A Capability
• Communicate and Access
• On the Move
• Anytime
• From Anywhere
• Voice, Messages, Data
Enterprise Mobility: The ability of an enterprise to connect to people and control assets from any location. Technologies that support enterprise mobility include wireless networks, mobile applications, middleware, devices, and security and management software.
Forrester Research Definition
Mobility
What is happening in the Corporate World?
Mobile Security – Everywhere!
Device Level
Network Level
Application Level
Mobile Security Considerations
• Mobility Infrastructure
  – Security is a key focus area.
  – Ensuring existing policies are implemented
  – Integration with existing tools, systems
  – Keep devices light, manageable
• Mobile Middleware Platform
  – Composite Applications Landscape and devices
  – Mobile Device Management
  – Mobile Data Synchronization
  – Phased approach for Common Services and Mobile Applications
• Mobile Applications Distribution
  – Enterprise distribution through OTA to specific devices
Infrastructure
Middleware
Application
Application Security – Must Include
User Authentication
Data Security on Device
Data in Transit Issue
Device Management and Application Provisioning
Mobile Security Considerations
Access
• Credentials
• IMEI / 2FA
• OTP, User-Agent
• Quick Access Code, Token
Storage
• Files
• Key Storage
• Resources
Transportation
• Session
• Protocols
• Connection Points
Enterprise Mobile Security – Do’s
Enterprise Mobile Security – Best Practices
1. Protect the Brand Your Customers Trust
2. Know Your Business and Support it with Secure Solutions
3. Understand the Technology of the Software
4. Ensure Compliance to Governance, Regulations, and Privacy
5. Know the Basic Tenets of Software Security
6. Ensure the Protection of Sensitive Information
7. Design, Develop and Deploy Software with Secure Features
Android Security Architecture
Permission Based Model
Remote App Management
Sandbox
Android Security – Permission based model
• Permission-based Model
  – Linux + Android’s Permission
  – Well defined at system level
  – Approved by user at install
  – High-level permissions restricted by Android runtime framework
  – For example, an application that needs to monitor incoming SMS messages would specify:

<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.app.myapp" >
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    ...
</manifest>
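Because the user approves permissions only once, at install, an enterprise can review the manifest before an app is distributed. The following is an added example, not part of the original presentation: it lists the permissions a manifest requests and compares them with an approved list. The APPROVED and SENSITIVE sets and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"   # android:name in ElementTree notation

# Assumption: permissions the enterprise has approved for this app.
APPROVED = {
    "android.permission.INTERNET",
    "android.permission.RECEIVE_SMS",
}
# Assumption: permissions a reviewer wants called out even when approved.
SENSITIVE = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed sample manifest (source XML, not the binary form inside an APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.android.app.myapp">
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission />
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the unique android:name values of <uses-permission>, in order."""
    root = ET.fromstring(manifest_xml)  # only parse manifests from a trusted source
    names = []
    for elem in root.findall("uses-permission"):
        name = elem.get(NAME_ATTR)
        if name and name not in names:   # skip nameless entries and duplicates
            names.append(name)
    return names

def audit(manifest_xml, approved=APPROVED, sensitive=SENSITIVE):
    """Split the requested permissions into unapproved and sensitive ones."""
    requested = requested_permissions(manifest_xml)
    return {
        "requested": requested,
        "unapproved": [p for p in requested if p not in approved],
        "sensitive": [p for p in requested if p in sensitive],
    }

if __name__ == "__main__":
    for key, perms in audit(SAMPLE_MANIFEST).items():
        print(f"{key}: {', '.join(perms) or '-'}")
```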
Android Security – Remote App Management
• Remote Install/removal
  – Google can remove or install apps remotely
  – Users can install apps remotely from online Android Market
    http://market.android.com
Android Security - Sandbox
Android’s Attack Surfaces
• Isolated applications are like having a multi-user system
• Single UI/device: secure sharing of UI and IO
• Principal maps to code, not user (like browsers)
• Appeals to user for all security decisions
• Phishing-style attack risks
• Linux, not Java, sandbox. Native code not a barrier
• Any Java app can execute shell, load JNI libraries, write and exec programs
Reference – iSEC PARTNERS
Enterprise features (Froyo/ GingerBread)
• Remote wipe
  – Remotely reset the device to factory defaults
• Improved security
  – Addition of numeric pin, alphanumeric passwords to unlock the device
• Exchange calendars
• Auto-discovery
• Global Address List
• C2DM* – Cloud to device messaging
* It is still part of Google Code Labs
Enterprise features (Honeycomb)
• New device administration policies
  – Encrypted storage
  – Password expiration
  – Password history
  – Complex characters in password
• Configure HTTP proxy for each connected WiFi access point (AOS 3.1 only)
• Encrypted storage cards
Thanks!
• You!
  – For patiently listening to us!
• Silicon India team
• Endeavour’s Android TCG team
• Happy to receive feedback and questions at