Appsecurity – Vinn eller forsvinn (App Security – Win or Lose)
files.meetup.com/18481432/appsecurityv01.pdf

Mobile Security: App Security Win or Lose Date… By Anders Flaglien Security Consultant

Post on 26-Jun-2020


TRANSCRIPT

Page 1

Mobile Security: App Security – Win or Lose

Date…

By Anders Flaglien

Security Consultant

Page 2

1000+ apps are released on Google Play and the App Store every day!

The most popular ones are downloaded 75 000 times a day.

There are many success factors that must be met for your app to be successful, and one of these is trust.

Page 3

At least when you process business confidential data…

Trust is «everything»

Copyright © 2015 Accenture All rights reserved.

Page 4

Top 10 downloaded apps* with more than 100 million downloads all rely on users to trust them and the services they offer.

*in Google Play according to Wikipedia, 26.10.2014

Page 5


Would you give a random app a lot of permissions to control your device without your approval?

These are some of ONE app's 40+ permissions to do «whatever»:

• create accounts and set passwords
• change your audio settings
• draw over other apps
• take pictures and videos
• record audio
• modify or delete the contents of your USB storage
• modify call log
• directly call phone numbers
• read call log
• read your text messages (SMS or MMS)
• precise location (GPS and network-based)
• modify your contacts
• read calendar events plus confidential information
• add or modify calendar events and send email to guests without owners' knowledge


Page 6

What is Trust?


…belief that someone or something is reliable, good, honest, effective, secure…

How to achieve this?

Page 7

Open Web Application Security Project (OWASP)

The OWASP Top 10 Mobile Risks help us secure mobile applications for our clients, and they can help you too!


• M1: Weak Server Side Controls
• M2: Insecure Data Storage
• M3: Insufficient Transport Layer Protection
• M4: Unintended Data Leakage
• M5: Poor Authorization and Authentication
• M6: Broken Cryptography
• M7: Client Side Injection
• M8: Security Decisions Via Untrusted Inputs
• M9: Improper Session Handling
• M10: Lack of Binary Protections

Page 8

OWASP Top 10 Mobile Risks

Example 1: Broken Crypto


Page 9

Of all apps out there, you should trust that bank applications are secure, right?


Page 10

OWASP Top 10 Mobile Risks

Example 3: Data leakage and lack of binary protection


Page 11

What if I make a game, would I need to secure it?


Page 12

OWASP Top 10 Mobile Risks

Example 4: More than five risks in a combined scenario…


Page 13

Scandinavian teenagers' favourite picture-sharing app has a not-so-appealing feature…

• The app's goal is to meet users' need to communicate instant photos and videos without the fear that a post or picture will be held against them in the future

Page 14

The examples show that we might have to reconsider our trust in some top 10 apps…

…So how can we learn from others' mistakes and build trust?


Page 15

Executive Summary: Mobile Security


Mobile Security Strategy and Capabilities (Mobile Security Overview)

Business Challenges

Organizational Challenges
• No organizational structure or buy-in from business units across the organization
• Lack of training, communication, and awareness

Process Challenges
• Lack of or poorly defined mobile security strategy
• Security policies driven by consumerization without consideration of security strategies make BYOD more of a risk to the enterprise

Technology Challenges
• Difficulty protecting sensitive data on mobile devices
• Growing Wi-Fi population and inappropriate controls within the infrastructure
• Unknown vulnerabilities within mobile application exploits, backend infrastructure, unauthorized access

Drivers and Benefits (Business Values / Technical Benefits)
• Mobilize your workforce to work from anywhere and increase productivity
• Enable Bring Your Own Device (BYOD) to increase self service, improve satisfaction, and reduce the Total Cost of Ownership (TCO)
• Reduction of threats and vulnerabilities
• Proper administration, controls, and technology to protect critical systems and data

Solution

Governance
• Define processes, policies and support
• Identify preferred suppliers

Users/Identity
• Define role access, authorization, and authentication
• Understand usage and prepare users

Applications
• Securely develop, test and distribute apps
• Manage usage and connectivity to backend systems

Data
• Secure data (enterprise/personal) communication and protection
• Classification and functionality

Network
• Architecture to support new interactions (wireless, remote)
• Provide secure enterprise connectivity and monitoring

Device
• Define appropriate management program and supported platforms
• Secure the device while providing choice and flexibility to end users

Page 16

Several components need to be addressed to provide comprehensive mobile security

Copyright © 2013 Accenture All rights reserved.

Reference:
• Information Security Forum
• National Institute of Standards and Technology

[Figure: Mobile Security at the centre, surrounded by Governance, Users & Identity, Applications, Data, Network and Device]

Mobile Security Strategy: A comprehensive program and strategy to embed security throughout the enterprise's mobile lifecycle

Users & Identity
• Roles and authorization levels and authentication
• Evaluation / monitoring of usage patterns
• Program awareness and education

Applications
• SDLC development
• Testing
• Distribution / provisioning
• Access Control
• Secure connection to backend systems and data (Ex: Cloud)
• Monitoring / Management

Data
• Classification
• Authentication
• Secure connection
• Strong Encryption
• Data loss prevention
• Secure storage
• Audit and forensics

Network
• Voice
• Secure remote connectivity
• Monitoring and Testing
• Wireless networking
• Use of untrusted and/or public networks

Device
• Security functionality
• Control connectivity
• Secure remote connections
• Disposal and wipe
• Synchronization / Backup
• Ability to update
• Physical Access
• Tracking/Management

Governance
• Define processes and policies (ownership, connectivity, applications, privacy, audit / wipe)
• Support / Training
• Identify preferred suppliers / service level for business

Page 17

Accenture contributed our view to the OWASP Top 10 Mobile Risks and developed a solution framework to address them:

1. Insecure or unnecessary data storage and transmission
2. Applications with higher privileges than required and/or authorized
3. Use of (or failure to disable) insecure mobile device platform features in application
4. Allowing access to resources without strong authentication
5. Malicious/Counterfeit third-party code
6. Insecure or unnecessary interaction between applications and OS components
7. Server accepting unvalidated or unauthenticated input from mobile devices
8. Personal or corporate data leakage
9. Client-side injection and overflows
10. Client-side DoS

The OWASP Top 10 Mobile Security Risks empowered by the Solution Landscape


Map Risk to the Mobile Environment

[Figure: risks 1–10 mapped across Mobile Apps, Mobile Platform/Device, Mobile Network, Enterprise Network/Enclave and Back End Services/Cloud; the figure groups the risk numbers as 3 4 5, 7, and 1 2 6 8 9 10]

Solutions Landscape

[Figure: the same five environments, Mobile Apps, Mobile Platform/Device, Mobile Network, Enterprise Network/Enclave and Back End Services/Cloud, overlaid with the following solutions]

• Mobile App Security Code Review
• Mobile App / Platform Security Review
• Mobile Device Threat Analysis
• Private Mobile App Stores
• Mobile Device Host-Based Security
• Secure Mobile Voice as a Service
• Mobile App PKE

Page 18

Example use cases (Not Comprehensive)

Mobile Security – Example Use Cases


Use Case / Key Considerations

Consumer Applications
• Protection of customer data
• Secure communication with service provider
• Maintaining trust and enhancing user experience

Enterprise Mobile Application
• Protection of enterprise data
• Distribution and management
• Enhanced productivity

Enterprise BYOD (User Owned)
• Limited controls on a privately owned device
• Balance between corporate and private data
• Governance of policies and procedures to control functionality (Example: wiping the device, use of native controls)
• Asset management, authorization and authentication

Enterprise Provisioned Devices (Corporate Owned)
• Fully specified security configurations
• Balance between corporate and private data
• Governance of policies and procedures to control functionality (Example: wiping the device, use of native controls)
• Asset management, authorization and authentication

Email Security
• Securing enterprise data and confidential information
• Maintaining user experience

Desktop Virtualization
• Leverage existing hardware investments or personally owned devices
• Protection of enterprise systems and data

Point of Sale/Connected Devices
• Device hardening
• Network hardening
• Protection of end user and enterprise systems and data (cross-industry)

Page 19

Questions?
