Creating Secure Mobile Applications: Illuminating Mobile Threats
OWASP Software Assurance Day DC 2009, Friday, 13 March
Jason Rouse
Software Confidence. Achieved.
Monday, March 23, 2009
Agenda
- Introduction
- Mobile Architectures
- Mobile Threat Model – Attacks and Defenses
- Wrap-Up & Discussion
© 2008 Cigital Inc. All Rights Reserved. Confidential.
The Scale of Things
- The Internet is big.
- There are approximately 1,000,000,000 people on the internet.
- And there are approximately 3,000,000,000 mobile handsets in use.
- What sort of attack surface, computational power, and force multiplication do cell phones have?
Mobile Platforms are Fragmented
- Nokia
- Symbian (J2ME, C/C++)
- UIQ (J2ME, C/C++)
- SonyEricsson (J2ME, C/C++)
- iPhone (Objective C)
- RIM (J2ME, C/C++)
- Motorola (J2ME, C/C++)
- Google Android (Java, C/C++)
Mobile Platforms are Fragmented
- This fragmentation leads to tiny “islands” of content, applications, and use cases
- These islands will begin to disappear as carriers, handset manufacturers, and framework providers come together to monetize cell phones
- Once these islands are gone, we’ve got the good, and we’ve got the bad.
Mobile Platforms are Standardized
- The Good:
  - 1-stop shopping for content and applications
  - Everyone’s smart phone works with everyone else
  - Content and application providers will have an easier time converging functionality onto mobile devices
Mobile Platforms are Standardized
- The Bad:
  - 1-stop shopping for content and applications
  - Everyone’s smart phone works with everyone else
  - Content and application providers will have an easier time converging functionality onto mobile devices
“Convergence is the Way To Go™”
- Convergence of functionality, and the requisite data, onto mobile phones is only increasing
- Mobile phones are becoming interesting targets for attackers wishing to do more than just play with OS vulnerabilities
- Mobile phones could represent an incredible efficiency boost, or a horrible liability
“Convergence is the Way To Go™”
- What do you put on your phone?
  - Phone numbers
  - Call history
  - Music?
  - Location-Based Services (Google Maps, Google Latitude, VZNav, BB Maps)
  - Photos
  - …VPN keys?
  - …Passwords?
“Convergence is the Way To Go™”
- There is no doubt in my mind that secure converged devices are the way to go….
- …but we’ve got a long way to go before we have truly secure mobile devices!
Mobile Application Architectures
- Easily characterized by how much information is stored on the handset.
- Generally dependent on liability, performance, scalability.
- Share more common traits than you think.
- Almost any application architecture can be transformed into another, given enough $$ and time.
Complex Payment Architecture
- Stores important information on the handset.
- Requires tight integration between the MNO (mobile network operator) and the FI (financial institution)
- Requires high trust between MNO and FI
- Burdens the handset with information protection requirements
- Device loss could become a liability for the consumer, MNO, or FI
- Any other issues?
Web Front-End
- Does not require storage of important information on the handset
- No integration between MNO and ASP (application service provider) – essentially turns the MNO into a “plumber” providing pipes connecting the mobile browser to the ASP website
- Usually cost-effective, as the ASP can leverage previous investments in web applications to on-board mobile devices
- Example: BoA Online Banking for Mobile
Mobile Services Client (Hybrid)
- May require storage of important information on the handset
- Little or no integration between MNO and ASP – however, the MNO often controls some aspect of application loading, provisioning, and personalization
- Usually cost-effective, as the ASP can leverage previous investments in web applications/services to on-board mobile devices
- Example: VzW Visual Voicemail
Mobile Threats – Attacks, Defenses, and Data
Mobile Application Threat Mind Map (diagram on slide)
5 Main Areas | Resources and Practices (diagram on slide)
5 Main Areas
- Directed SMS
  - Application event drivers
- Debugging & Logging
  - Wildly variable implementation
- Error Handling
  - Failures & Recovery
- Architecture & Design
  - “remote control” to “full mobile application”
- Device Loss or Capture
  - Remote control of content
Directed SMS
- Messages drive many events for handset applications
- Often, these messages contain actionable data, from content IDs to IP addresses
- This input must be carefully screened for malicious content
- Information contained in these messages must be protected as well as information stored on a handset!
- How often do we authenticate the sender or receiver of an SMS message?
- How can we authenticate such principals?
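The screening and sender-authentication points above, worked through as an added example; this is not code from the talk or from any platform it mentions, and Python is used only because the logic is the same on J2ME, Objective C or Android. It assumes a message layout of `v1|<seq>|<cmd>|<arg>|<tag>` with a per-device shared key provisioned out of band; the key value, the allow-listed service addresses and the messages are constructed for the example.

```python
import hmac
import hashlib
import ipaddress
import re
from dataclasses import dataclass

# Constructed for this example: a per-device key provisioned out of band
# (e.g. at activation). Hypothetical value, not from the original talk.
DEVICE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)

# The application only ever connects to service hosts it was provisioned
# with; an address carried in an SMS selects one, it never becomes a target.
ALLOWED_SERVICE_HOSTS = {"192.0.2.10", "192.0.2.11"}   # constructed, RFC 5737 range
CONTENT_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")
TAG_HEX_LEN = 16   # 64-bit truncated HMAC keeps the whole message inside one SMS


def _valid_content_id(arg: str) -> bool:
    return CONTENT_ID_RE.fullmatch(arg) is not None


def _valid_service_ip(arg: str) -> bool:
    try:
        return str(ipaddress.ip_address(arg)) in ALLOWED_SERVICE_HOSTS
    except ValueError:
        return False


# Allow-list of commands, each with the validator for its single argument.
COMMANDS = {"FETCH": _valid_content_id, "CONNECT": _valid_service_ip}


def _tag(key: bytes, payload: str) -> str:
    return hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()[:TAG_HEX_LEN]


@dataclass(frozen=True)
class SmsDecision:
    accepted: bool
    reason: str        # "ok" or why the message was dropped
    cmd: str = ""
    arg: str = ""


class DirectedSmsVerifier:
    """Accepts only authenticated, fresh, well-formed application SMS.

    Assumed format: 'v1|<seq>|<cmd>|<arg>|<tag>', where tag is the truncated
    HMAC-SHA256 of everything before it under the device key.
    """

    def __init__(self, key: bytes, last_seq: int = 0) -> None:
        self._key = key
        self._last_seq = last_seq   # highest sequence number already acted on

    def verify(self, body: str) -> SmsDecision:
        parts = body.split("|")
        if len(parts) != 5 or parts[0] != "v1":
            return SmsDecision(False, "malformed")
        _, seq_s, cmd, arg, tag = parts
        # Authenticate before interpreting anything: an unauthenticated
        # message should never reach the command parser.
        expected = _tag(self._key, f"v1|{seq_s}|{cmd}|{arg}")
        if not hmac.compare_digest(expected.encode(), tag.encode("utf-8")):
            return SmsDecision(False, "bad tag")
        if not (seq_s.isascii() and seq_s.isdigit()):
            return SmsDecision(False, "malformed sequence")
        seq = int(seq_s)
        if seq <= self._last_seq:            # the same message replayed later
            return SmsDecision(False, "replay")
        validator = COMMANDS.get(cmd)
        if validator is None:
            return SmsDecision(False, "unknown command")
        if not validator(arg):
            return SmsDecision(False, "bad argument")
        self._last_seq = seq
        return SmsDecision(True, "ok", cmd, arg)


def sign_sms(key: bytes, seq: int, cmd: str, arg: str) -> str:
    """Server side: build a message the verifier above will accept."""
    payload = f"v1|{seq}|{cmd}|{arg}"
    return f"{payload}|{_tag(key, payload)}"


if __name__ == "__main__":
    v = DirectedSmsVerifier(DEVICE_KEY)
    print(v.verify(sign_sms(DEVICE_KEY, 1, "FETCH", "ringtone_42")))
    print(v.verify(sign_sms(DEVICE_KEY, 2, "CONNECT", "198.51.100.7")))   # not provisioned
```

Two design points: the tag is checked before the fields are interpreted, so a spoofed sender (SMS carries no sender authentication of its own) costs the parser nothing; and the IP address in a message is only accepted when it names a host the application was already provisioned with, so an attacker who does obtain a valid message cannot redirect the client.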
Debugging & Logging
- Near & dear to my heart
- Incredibly valuable to:
  - Programmers
  - Attackers
- Not so directly valuable to:
  - Users
- Let’s look at the topics separately
Debugging
- Need to know what to record and what not to record.
- Need to take into consideration where you’re storing this information
- Need to consider performance hits
- Need to consider remote-control ability for debug logs and troubleshooting
Logging
- Very different from debugging – logs could conceivably stay on during normal deployments, and might even form a part of the application’s data model
- Still have some of the same issues – what to log, how to log it, where to log it, etc…
Error Handling
- Error handling can be a make-or-break aspect of many mobile applications.
- Error handling can release protected content (fail open)
- Error handling can cause lost revenue when, for instance, an application uninstall is interrupted but the billing information is erased
- Error handling can even affect life safety, if we look at E911 services
Error Handling
- The biggest question to ask yourself is: Fail Open, or Fail Closed?
- The answer to this question will dictate any and all controls you must put in place downstream
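The fail-open versus fail-closed decision, together with the interrupted-uninstall case from the previous slide, as an added example (not the talk's own code). The license store and the handset are constructed stand-ins so that the two failure modes can be triggered on demand.

```python
from dataclasses import dataclass, field


class LicenseStoreError(Exception):
    """Raised when the on-handset license store cannot be read."""


@dataclass
class LicenseStore:
    licenses: dict          # content_id -> expiry (Unix time); constructed sample data
    readable: bool = True   # set False to simulate a corrupt or missing store

    def expiry_of(self, content_id: str):
        if not self.readable:
            raise LicenseStoreError("license database unreadable")
        return self.licenses.get(content_id)


def can_play_fail_open(store: LicenseStore, content_id: str, now: float) -> bool:
    """VULNERABLE: any error during the check releases the content, so
    corrupting the license store becomes a way to unlock everything."""
    try:
        expiry = store.expiry_of(content_id)
        return expiry is not None and now < expiry
    except Exception:
        return True


def can_play_fail_closed(store: LicenseStore, content_id: str, now: float) -> bool:
    """Hardened: an unreadable store denies, and only the error we expect is
    caught; anything else propagates instead of being silently swallowed."""
    try:
        expiry = store.expiry_of(content_id)
    except LicenseStoreError:
        return False            # deny, and log without content id or user details
    return expiry is not None and now < expiry


# --- The interrupted-uninstall case ------------------------------------------

class Interrupted(Exception):
    """Simulates the uninstall being cut short (battery pull, incoming call)."""


@dataclass
class Handset:
    installed: set = field(default_factory=set)
    billing: dict = field(default_factory=dict)   # app -> outstanding billing record
    interrupt_remove: bool = False

    def remove_app(self, app: str) -> None:
        if self.interrupt_remove:
            raise Interrupted(f"removal of {app} interrupted")
        self.installed.discard(app)


def uninstall_unsafe(h: Handset, app: str) -> None:
    """Erases billing first: if removal is interrupted, the app stays installed
    but the record that the customer owes for it is already gone."""
    h.billing.pop(app, None)
    h.remove_app(app)


def uninstall_safe(h: Handset, app: str) -> None:
    """Destructive steps in dependency order: the billing record is released
    only after the app is gone, so an interruption leaves a consistent state."""
    h.remove_app(app)
    h.billing.pop(app, None)


def attempt(uninstall, h: Handset, app: str) -> bool:
    """Run an uninstall routine and report whether it ran to completion."""
    try:
        uninstall(h, app)
        return True
    except Interrupted:
        return False
```

The catch-all in `can_play_fail_open` is the usual way a fail-open slips in: the author was thinking about I/O errors, not about what the default return value means to an attacker who can cause one.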
Architecture & Design
- The architecture can drastically affect where we store and process information. This means that we have to be cognizant of a number of areas, including:
  - Authentication Tokens
  - Information Leakage
  - Content Protection
Authentication Tokens
- Auth tokens are the holy grail of attackers
- If they can be stolen, predicted, fixed, or obviated, then we have lost, and the attacker has won
- The key issue here is to be aware of the tokens you use, how long you use them, and how they are disposed of!
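The four token failures named above (stolen, predicted, fixed, obviated) and the lifetime and disposal question, as an added example that is not the talk's code. The class names, the 15-minute lifetime and the sample phone number are assumptions; the anti-pattern at the end is included to show why "predicted" is on the list.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class TokenRecord:
    user: str
    issued_at: float
    expires_at: float


class TokenService:
    """Server-side session tokens for a mobile client.

    - Not predictable: 256 bits from the OS CSPRNG, never derived from the
      clock, the MDN or a counter.
    - Not stealable from the server at rest: only a digest of each token is
      stored, so a dumped table contains nothing presentable to the service.
    - Not fixable: tokens are minted here at authentication time; a token
      proposed by the client is never adopted.
    - Bounded lifetime, and explicit disposal on logout or device loss.
    """

    def __init__(self, lifetime_s: float = 15 * 60) -> None:   # assumed lifetime
        self._lifetime = lifetime_s
        self._records: Dict[str, TokenRecord] = {}   # keyed by sha256(token)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits of entropy
        self._records[self._digest(token)] = TokenRecord(user, now, now + self._lifetime)
        return token                        # the only plaintext copy leaves the server

    def authenticate(self, token: str, now: float) -> Optional[str]:
        """Return the user the token belongs to, or None."""
        if not token or not token.isascii():
            return None
        key = self._digest(token)           # lookup by digest of a high-entropy
        rec = self._records.get(key)        # value leaks nothing about the token
        if rec is None:
            return None
        if now >= rec.expires_at:
            del self._records[key]          # expired tokens are disposed of, not kept
            return None
        return rec.user

    def revoke(self, token: str) -> None:
        """Logout: dispose of one session."""
        self._records.pop(self._digest(token), None)

    def revoke_all_for(self, user: str) -> int:
        """Device lost or captured: invalidate every session of this user."""
        doomed = [k for k, r in self._records.items() if r.user == user]
        for k in doomed:
            del self._records[k]
        return len(doomed)


def predictable_token(mdn: str, now: float) -> str:
    """ANTI-PATTERN: derived from the phone number and a timestamp, so anyone
    who knows the MDN and roughly when the login happened can enumerate it."""
    return hashlib.md5(f"{mdn}:{int(now)}".encode()).hexdigest()


def guess_predictable_token(mdn: str, around: float, window_s: int, target: str) -> bool:
    """Attacker's view: brute-force the timestamp inside a window."""
    base = int(around)
    return any(predictable_token(mdn, t) == target
               for t in range(base - window_s, base + window_s + 1))
```

On the handset, the same token should be held only in memory or in the platform's protected store, never in a debug log or a plain preferences file; the server-side digest is what limits the damage when the database, not the handset, is the thing that leaks.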
Information Leakage
- We see many familiar things here – Personally Identifiable Information, like the MDN (mobile directory number), phonebook entries, LBS (location-based services) fixes...
- All of this is a potential customer-affecting issue!
- Information leakage must be curtailed during the architecture phase and managed with strict controls in deployment
- Handsets have a rich storage capacity in multiple formats and multiple transfer capabilities
Information Leakage
- We often forget, as developers, just how much information we leave on handsets!
  - Debug PINs
  - URLs
  - Error Strings
  - Authentication Clues
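One block serving both the Debugging & Logging slides (what to record, and where it ends up) and the leftover-artifact list just above, as an added example that is not the talk's code. The redaction patterns, the "build artifact" bytes and the log line are constructed; a real deployment would tune the patterns to its own identifier formats.

```python
import re
from typing import List, Tuple

# Data that must never reach a debug or troubleshooting log. Constructed for
# this example; the formats are assumptions about the application's data.
_REDACTIONS = [
    (re.compile(r"\b(?:\+?1)?\d{10}\b"), "<MDN>"),                        # 10-digit phone number
    (re.compile(r"(?i)\b(pin|password|pwd)=([^\s&]+)"), r"\1=<REDACTED>"),
    (re.compile(r"(?i)\b(token|session|auth)=([^\s&]+)"), r"\1=<REDACTED>"),
    (re.compile(r"\b[0-9a-fA-F]{32,}\b"), "<HEX>"),                      # keys, digests, long tokens
    (re.compile(r"\b-?\d{1,3}\.\d{4,},\s*-?\d{1,3}\.\d{4,}\b"), "<LBS-FIX>"),  # lat,lon at GPS precision
]


def redact(line: str) -> str:
    """Scrub a log line before it is written to flash or shipped off the handset."""
    for pattern, replacement in _REDACTIONS:
        line = pattern.sub(replacement, line)
    return line


class SafeLogger:
    """Collects redacted lines; 'sink' stands in for a file, syslog or remote collector."""

    def __init__(self, debug: bool = False) -> None:
        self.debug = debug          # debug output is opt-in, never the release default
        self.sink: List[str] = []

    def info(self, line: str) -> None:
        self.sink.append(redact(line))

    def dbg(self, line: str) -> None:
        if self.debug:
            self.sink.append("DEBUG " + redact(line))


# --- Release check: what did we leave on the handset? -------------------------

_LEFTOVER_PATTERNS = [
    ("debug pin", re.compile(rb"(?i)debug[_ -]?pin\s*[:=]\s*\d{4,8}")),
    ("internal url", re.compile(rb"https?://[\w.-]*(?:internal|staging|dev|test|qa)[\w./-]*")),
    ("backdoor hint", re.compile(rb"(?i)(backdoor|bypass|skip[_ -]?auth|master[_ -]?pin)")),
    ("credential", re.compile(rb"(?i)(password|passwd|secret)\s*[:=]\s*\S{4,}")),
]


def scan_artifact(blob: bytes) -> List[Tuple[str, str]]:
    """Return (category, matched text) for every leftover secret-ish string.
    Run it over the packaged JAR/APK/binary before it ships."""
    hits = []
    for category, pattern in _LEFTOVER_PATTERNS:
        for m in pattern.finditer(blob):
            hits.append((category, m.group(0).decode("latin-1")))
    return hits
```

The scan is a release gate, not a security control: it catches the debug PIN or staging URL that survived a last-minute build, and its output tells you which string table or resource file to clean before the next one.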
Content Protection
- Content protection is an easy-to-understand issue on today’s networks: carriers seek to monetize content and its delivery
- Content protection can run the gamut from encrypted files with a robust key-management scheme to a simple “stream-on-demand” model that seeks to prevent content from existing on the handset for too long
- Some vendors are even pursuing watermarking of content as a deterrent
Device Loss or Capture
Remote Wipe
- Often it’s easiest to classify this functionality as “network” or “device” mediated.
- If the carrier/MNO can remotely wipe a device, there is a good amount of protection.
- If a local application, however, is able to wipe the device by using a dead-man’s switch, then this could catch criminals off-guard
- True or False: There is rarely a need in consumer goods for robust network or device remote wipe!
Content Licensing
- When a device is lost, it is as important to recover a customer’s licenses as it is to recover their content
- If those licenses cannot be recovered, then the device should support some form of revocation, to protect both the customer and the content owner from fraudulent uses of their data
Content Recovery
- The biggest problem with content recovery is: where do I get my content from? Most mobile applications can reconstruct or restore a handset’s state by re-personalizing or re-provisioning a handset
- When we have hundreds of megabytes or more, however, things get complicated
- Side-loading is by far the easiest method to off-load the network, but it may cause headaches with OS support, client issues, etc…
Wrap-Up
- We’ve covered a lot of ground: mobile architectures, mobile threats.
- Take a moment to digest, and let’s talk about some of the relationships between these elements and any other questions we might have.
Discussion & Question Period