App Security – Win or Lose (files.meetup.com/18481432/appsecurityv01.pdf)
TRANSCRIPT
Mobile Security: App Security – Win or Lose
Date…
By Anders Flaglien
Security Consultant
1000+ Apps are released on Google Play and Appstore every day!
The most popular ones are downloaded
75 000 times a day.
There are many success factors that must be met
for your app to be successful, and one of these is
trust.
At least when you process business confidential data…
Trust is «everything»
Copyright © 2015 Accenture All rights reserved.
Top 10 downloaded apps* with more than 100 million downloads
all rely on users to trust them and the services they offer
*in Google Play according to Wikipedia 26.10.2014
Would you give a random app a lot of permissions to control
your device without your approval?
These are some of ONE app's 40+ permissions to do «whatever»:
• create accounts and set passwords
• change your audio settings
• draw over other apps
• take pictures and videos
• record audio
• modify or delete the contents of your USB storage
• modify the call log
• directly call phone numbers
• read the call log
• read your text messages (SMS or MMS)
• precise location (GPS and network-based)
• modify your contacts
• read calendar events plus confidential information
• add or modify calendar events and send email to guests without the owner's knowledge
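A permission list like the one above can be checked before an app ships or is approved for a device fleet. The following is an added example, not code from the slides: it reads the `<uses-permission>` entries of an AndroidManifest.xml and flags those that map to the capabilities listed above. The `android.permission.*` names are the official ones; the capability labels and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Official permission names that correspond to the capabilities in the slide's list.
# The short capability labels are our own grouping, not an Android classification.
SENSITIVE = {
    "android.permission.GET_ACCOUNTS": "accounts",
    "android.permission.MODIFY_AUDIO_SETTINGS": "audio settings",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify USB storage",
    "android.permission.WRITE_CALL_LOG": "modify call log",
    "android.permission.CALL_PHONE": "place calls directly",
    "android.permission.READ_CALL_LOG": "read call log",
    "android.permission.READ_SMS": "read SMS/MMS",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.WRITE_CONTACTS": "modify contacts",
    "android.permission.READ_CALENDAR": "read calendar",
    "android.permission.WRITE_CALENDAR": "modify calendar / email guests",
}

def audit_manifest(manifest_xml: str) -> dict:
    """Return every requested permission and the sensitive subset with its capability label."""
    root = ET.fromstring(manifest_xml)
    requested = [
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")   # element itself is un-namespaced
        if el.get(ANDROID_NS + "name")            # the android:name attribute is namespaced
    ]
    flagged = {p: SENSITIVE[p] for p in requested if p in SENSITIVE}
    return {"requested": requested, "flagged": flagged}

# Constructed sample manifest (not a real app) mixing harmless and sensitive requests.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
</manifest>"""

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(f"{len(report['requested'])} permissions requested, {len(report['flagged'])} sensitive")
    for perm, capability in report["flagged"].items():
        print(f"  {perm}: {capability}")
```

A flashlight app that asks for SMS, call log and precise location is exactly the mismatch between purpose and permissions that the slide warns about; the check gives reviewers a repeatable way to spot it.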
What is Trust?
…belief that someone or something is
reliable, good, honest, effective, secure…
How to achieve this?
Open Web Application Security Project (OWASP)
The OWASP Top 10 Mobile Risks help us secure mobile
applications for our clients, and they can help you too!
OWASP Top 10 Mobile Risks
M1: Weak Server Side Controls
M2: Insecure Data Storage
M3: Insufficient Transport Layer Protection
M4: Unintended Data Leakage
M5: Poor Authorization and Authentication
M6: Broken Cryptography
M7: Client Side Injection
M8: Security Decisions Via Untrusted Inputs
M9: Improper Session Handling
M10: Lack of Binary Protections
Example 1: Broken Crypto
Of all apps out there, you should trust that bank applications
are secure, right?
OWASP Top 10 Mobile Risks
Example 3: Data leakage and lack of binary protection
What if I make a game, would I need to secure it?
OWASP Top 10 Mobile Risks
Example 4: More than five risks in a combined scenario…
Scandinavian teenagers' favorite picture-sharing app has a not-so-appealing feature…
• The app's goal is to meet users' need to communicate
instant photos and videos without the fear that a post or
picture will be held against them in the future
The examples show that we might have to
reconsider our trust in some top 10 apps…
…So how can we learn from others' mistakes and build trust?
Executive Summary: Mobile Security
Mobile Security Strategy and Capabilities
(Slide layout: Business Challenges | Drivers | Solution | Benefits)

Business Challenges
Organizational Challenges
• No organizational structure or buy-in from business units across the organization
• Lack of training, communication, and awareness
Process Challenges
• Lack of or poorly defined mobile security strategy
• Security policies driven by consumerization without consideration to security strategies makes BYOD more of a risk to the enterprise
Technology Challenges
• Difficulty protecting sensitive data on mobile devices
• Growing Wi-Fi population and inappropriate controls within the infrastructure
• Unknown vulnerabilities within mobile application exploits, backend infrastructure, unauthorized access

Drivers and Benefits
Business Values
• Mobilize your workforce to work from anywhere and increase productivity
• Enable Bring Your Own Device (BYOD) to increase self service, improve satisfaction, and reduce the Total Cost of Ownership (TCO)
Technical Benefits
• Reduction of threats and vulnerabilities
• Proper administration, controls, and technology to protect critical systems and data

Solution
Governance
• Define processes, policies and support
• Identify preferred suppliers
Users/Identity
• Define role access, authorization, and authentication
• Understand usage and prepare users
Applications
• Securely develop, test and distribute apps
• Manage usage and connectivity to backend systems
Data
• Secure data (enterprise/personal) communication and protection
• Classification and functionality
Network
• Architecture to support new interactions (wireless, remote)
• Provide secure enterprise connectivity and monitoring
Device
• Define appropriate management program and supported platforms
• Secure the device while providing choice and flexibility to end users

Mobile Security Overview
Several components need to be addressed to provide comprehensive mobile security
Copyright © 2013 Accenture All rights reserved.
Reference:
• Information Security Forum
• National Institute of Standards and Technology
(Diagram: Mobile Security at the centre, surrounded by Governance, Users & Identity, Applications, Data, Network and Device)
Mobile Security Strategy
A comprehensive program and strategy to embed security throughout the enterprise's mobile lifecycle
Users & Identity
• Roles and authorization levels and authentication
• Evaluation / monitoring of usage patterns
• Program awareness and education
Applications
• SDLC development
• Testing
• Distribution / provisioning
• Access Control
• Secure connection to backend systems and data (Ex: Cloud)
• Monitoring / Management
Data
• Classification
• Authentication
• Secure connection
• Strong Encryption
• Data loss prevention
• Secure storage
• Audit and forensics
Network
• Voice
• Secure remote connectivity
• Monitoring and Testing
• Wireless networking
• Use of untrusted and/or public networks
Device
• Security functionality
• Control connectivity
• Secure remote connections
• Disposal and wipe
• Synchronization / Backup
• Ability to update
• Physical Access
• Tracking/Management
Governance
• Define processes and policies (ownership, connectivity, applications, privacy, audit / wipe)
• Support / Training
• Identify preferred suppliers / service level for business
Accenture contributed our view to the OWASP Top 10 Mobile Risks and developed a solution framework to address them:
1. Insecure or unnecessary data storage and transmission
2. Applications with higher privileges than required and/or authorized
3. Use of (or failure to disable) insecure mobile device platform features in application
4. Allowing access to resources without strong authentication
5. Malicious/Counterfeit third-party code
6. Insecure or unnecessary interaction between applications and OS components
7. Server accepting unvalidated or unauthenticated input from mobile devices
8. Personal or corporate data leakage
9. Client-side injection and overflows
10. Client-side DoS
The OWASP Top 10 Mobile Security Risks empowered by the Solution Landscape
Map Risk to the Mobile Environment
(Diagram: the ten risks above placed across the environment tiers Mobile Apps, Mobile Platform/Device, Mobile Network, Enterprise Network/Enclave and Back End Services/Cloud; risks 3, 4 and 5 on the device tiers, 7 on the enterprise tier, and 1, 2, 6, 8, 9 and 10 spanning the apps and back end tiers)
Solutions Landscape
(Diagram: the same tiers, Mobile Apps, Mobile Platform/Device, Mobile Network, Enterprise Network/Enclave and Back End Services/Cloud, mapped to the following solutions)
• Mobile App Security Code Review
• Mobile App / Platform Security Review
• Mobile Device Threat Analysis
• Private Mobile App Stores
• Mobile Device Host-Based Security
• Secure Mobile Voice as a Service
• Mobile App PKE
Example use cases (Not Comprehensive)
Mobile Security – Example Use Cases
Use Case / Key Considerations
Consumer Applications
• Protection of customer data
• Secure communication with service provider
• Maintaining trust and enhancing user experience
Enterprise Mobile Application
• Protection of enterprise data
• Distribution and management
• Enhanced productivity
Enterprise BYOD (User Owned)
• Limited controls on a privately owned device
• Balance between corporate and private data
• Governance of policies and procedures to control functionality (Example: wiping the device, use of native controls)
• Asset management, authorization and authentication
Enterprise Provisioned Devices (Corporate Owned)
• Fully specified security configurations
• Balance between corporate and private data
• Governance of policies and procedures to control functionality (Example: wiping the device, use of native controls)
• Asset management, authorization and authentication
Email Security
• Securing enterprise data and confidential information
• Maintaining user experience
Desktop Virtualization
• Leverage existing hardware investments or personally owned devices
• Protection of enterprise systems and data
Point of Sale/Connected Devices
• Device hardening
• Network hardening
• Protection of end user and enterprise systems and data (cross-industry)
Questions?