Software Confidence. Achieved.
Mobile Security and Payments Infrastructure
AJ Dexter Sr. Security Consultant
© 2011 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
A little about me...
Sr. Security Consultant at Cigital. Former Lead Mobile Security Architect @ US Bank.
Mobile Platform & Application SME. Mobile Development Liaison for Security.
BITS/FSTC Mobile Threat Assessment SME. Portland OWASP Founder. Appreciator of nature and multi-colored sunsets.
Agenda
Intro
Key Terms
Statistics
Mobile Security Issues
Mobile Services
Mobile Payments
Mobile Platforms
Common Issues
Android
iOS
Blackberry
Discussion
Key Terms
Smartphone - Mobile phone offering advanced capabilities; PC-like functionality.
Platform - The operating system on the smartphone.
Mobile Web Applications - Web application with a constrained interface.
Mobile Applications - "Thick" application meant to be run from the phone.
Mobile Banking - View account balances and transactions, transfer funds between accounts, pay bills, receive account alerts, deposit checks, etc.
Mobile Payments - Use a mobile device for a purchase or other payment-related transaction at the point of sale (proximity) or via the internet (remote).
Worldwide Broadband Growth (chart)
Source: International Telecommunications Union
Mobile Broadband Subscriptions (chart)
Source: International Telecommunication Union (Nov. 2011)
United States Mobile User Behavior (charts)
Source: Adobe Mobile Experience Survey (Oct. 2010)
MOBILE PAYMENTS
Mobile Payment Evolution (diagram)
Stages shown: EMV/NFC Contactless Mobile; NFC Card Equivalent; Remote Mobile Payments; P2P; Advanced Features of Mobile Banking; Basic Mobile Banking; Online Banking.
Source: Marianne Crowe, Federal Reserve Bank of Boston
Mobile Financial Services (diagram)
Mobile Financial Services
  Mobile Banking: Information Services; Simple Transactions; Bill Payment
  Mobile Payments: Remote; Physical; Peer-2-Peer
MOBILE SECURITY ISSUES
OWASP Top Ten Mobile Risks
Source: OWASP Mobile Security Project
Cryptography: Insecure Data Storage; Broken or Non-existent Cryptography; Sensitive Information Disclosure
Transport: Weak Server Side Controls (not mobile specific); Insufficient Transport Layer Protection
Identity: Poor Authorization and Authentication
Backend Issues: Improper Session Handling; Client Side Injection; Security Decisions via Untrusted Inputs
Other: Side Channel Data Leakage; Physical Security
Major Mobile Risks
Source: OWASP Mobile Security Project
Malware: Malicious software.
Mobile Spoofing: A malicious person or program could misrepresent itself as another.
Web Browser Attacks: Exploitation of malicious web applications.
Marketplace Certification: Misrepresentation of branding or theft of legitimate branding.
SMS Redirection, SMS Hijacking, SMS Exploit: An SMS message can be used to redirect a mobile web browser to a malicious website; call forwarding can be used fraudulently to bypass authentication.
Vendor Breach: Compromise of a vendor's infrastructure could result in the loss of confidential information. Includes carriers.
Major Mobile Risks continued
Source: OWASP Mobile Security Project
Transport/Protocol Gaps: Weakness in the network or transport layer could allow eavesdropping or takeover.
User Device Control: Mobile device could be lost, stolen, or inappropriately borrowed or misused.
Platform Specific Attacks: Utilization of known platform-specific weaknesses.
Device Specific Attacks: Utilization of known device-specific weaknesses.
Rogue Applications: Fake applications placed in application stores for download that are usually trojanized copies of legitimate applications.
Mobile Payment Fraud: Lack of adequate monitoring, detection, or prevention.
Cryptography
Store only what is absolutely necessary. Don't trust the device to protect that sensitive information.
Where possible, leverage the application for robust encryption and make use of industry standard libraries. Don't rely on platform or "all device" encryption.
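As an added illustration of the point above (not code from the slides or from Cigital): application-layer protection of one stored record using only the standard javax.crypto API, which is available on Android and the desktop JDK. The key is derived from the user's passphrase at runtime and never written to the device, so the stored bytes stay protected whether or not the platform offers device encryption. The class name, record layout, and iteration count are this example's own choices.

```java
import java.nio.ByteBuffer;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Added example: app-layer protection of a stored record; the key lives only in memory, derived per use.
public final class AppLayerVault {
    private static final int SALT_LEN = 16, IV_LEN = 16, TAG_LEN = 32, ITERATIONS = 20000;
    private static final SecureRandom RNG = new SecureRandom();
    // PBKDF2 -> 64 bytes: bytes 0..31 encrypt (AES-256-CBC), bytes 32..63 authenticate (HMAC-SHA256).
    private static byte[] deriveKeys(char[] passphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, ITERATIONS, 512);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
    }
    private static byte[] tag(byte[] keys, byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(keys, 32, 32, "HmacSHA256"));
        return mac.doFinal(data);
    }
    // Record layout written to disk: salt | iv | ciphertext | HMAC(salt | iv | ciphertext)
    public static byte[] seal(char[] passphrase, byte[] plaintext) throws Exception {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        RNG.nextBytes(salt); RNG.nextBytes(iv);           // fresh salt and IV for every record
        byte[] keys = deriveKeys(passphrase, salt);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(keys, 0, 32, "AES"), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] body = ByteBuffer.allocate(SALT_LEN + IV_LEN + ct.length).put(salt).put(iv).put(ct).array();
        byte[] mac = tag(keys, body);
        return ByteBuffer.allocate(body.length + TAG_LEN).put(body).put(mac).array();
    }
    // Verify the tag (constant-time) before decrypting: a wrong passphrase or an edited file fails here.
    public static byte[] open(char[] passphrase, byte[] record) throws Exception {
        if (record.length < SALT_LEN + IV_LEN + TAG_LEN) throw new SecurityException("truncated record");
        int bodyLen = record.length - TAG_LEN;
        byte[] body = Arrays.copyOfRange(record, 0, bodyLen);
        byte[] keys = deriveKeys(passphrase, Arrays.copyOfRange(body, 0, SALT_LEN));
        if (!MessageDigest.isEqual(Arrays.copyOfRange(record, bodyLen, record.length), tag(keys, body)))
            throw new SecurityException("record tampered with or wrong passphrase");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(keys, 0, 32, "AES"), new IvParameterSpec(body, SALT_LEN, IV_LEN));
        return c.doFinal(body, SALT_LEN + IV_LEN, bodyLen - SALT_LEN - IV_LEN);
    }
}
```

Only the bytes returned by seal() should reach the file system or a SQLite column; open() refuses anything whose tag does not verify, so a record modified on a jailbroken device is rejected rather than decrypted to garbage. AES-256 requires the unlimited-strength policy files on older desktop JDKs.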
Transport
Understand the architecture. This includes mobile carrier networks/operators, personal networks, and corporate networks.
End-to-end encryption.
Backend Issues
Understand the additional risks that mobile devices bring to existing architectures.
Secure the backend APIs just as you would for web services. Implement robust session handling.
Other
Give users the ability to educate themselves and take a role in their own security/safety. Just don't trust them to make the right decisions.
Build security into the application at all layers of the SDLC.
PLATFORM CAPABILITIES
Apple iOS, Google Android, Blackberry
General Platform Issues
Robust, well-vetted platform encryption is still not common.
Physical security: single-user security model. Assume the attacker has physical access. Removable media can't be trusted.
Application isolation/sandboxing... the weak link?
Jailbreaking adds an unknown to testing and security.
App stores can act as a mechanism to validate basic coding practices, but they aren't robust tests for security. They also act as a means for distributing truly bad apps, and platforms teach users to intrinsically trust distribution channels.
Small displays make it difficult to inform users of choices or provide warnings, which makes them easier phishing targets.
Apple iOS
Security Model: Very similar to Mac OS X. Based on TrustedBSD. Uses Mandatory Access Control to restrict the capabilities of applications. Implements a method for sandboxing applications.
Permissions/Access Control: Each application is given free access to its own file system resources. Any elevated privilege or access to specific APIs prompts the user to allow or deny at time of use.
Storage: SQL Database: flat-file databases where data can be accessed with conventional SQL queries. Keychain Storage: for securely storing small amounts of data (passwords, cookies, short text strings). File System: similar to a home directory for each application.
Development: Applications are developed in Objective-C, bundled with an entitlements and preferences file, and code-signed with an Apple-issued certificate.
Google Android
Security Model: Based on Linux user and file permissions. Each process is tied to a user ID. Applications run isolated in their own virtual machine.
Permissions/Access Control: Free for harmless interactions with the operating system. For all other interactions the developer has to specify what permissions are needed in a manifest file. The user approves these interactions when the application is installed.
Storage: File system: similar to a home directory for each application. SQLite Databases: flat-file databases where data can be accessed with conventional SQL queries.
Development: Applications are developed in Java, compiled into Dalvik executables, bundled with the manifest files, and packaged into Android Package files. The package is signed with the developer's key pair and sent to Google Market.
Blackberry
Security Model: Relies on a custom Java Virtual Machine to sandbox applications. Controls application access on a per-API level. Security enforcement is facilitated by signatures, Java verification, and class restrictions.
Permissions/Access Control: Permissions are determined and assigned per application based on the signature and the policy specified by the user. Sensitive APIs may require the application to be signed before allowing access.
Storage: Combined flash and external memory in a virtualized view. Layout similar to a Unix-based operating system. Utilizes a pretty sophisticated content protection system that encrypts data when written to memory.
Development: Applications are typically developed in Java.
Discussion
Questions/Thoughts?
Check out the OWASP Mobile Project
Contact Info:
AJ Dexter
LinkedIn, Google+, Twitter