Mobile Security: App Security – Win or Lose
Date…
By Anders Flaglien, Security Consultant
1000+ Apps are released on Google Play and Appstore every day!
The most popular ones are downloaded
75 000 times a day.
There are many success factors that must be met for your app to be successful, and one of these is
trust
At least when you process business confidential data…
Trust is «everything»
Copyright © 2015 Accenture All rights reserved.
Top 10 downloaded apps* with more than 100 million downloads all rely on users to trust them and the services they offer
*in Google Play according to Wikipedia 26.10.2014
Would you give a random app a lot of permissions to control your device without your approval?
These are some of ONE app's 40+ permissions to do «whatever»
• create accounts and set passwords
• change audio settings
• draw over other apps
• take pictures and videos
• record audio
• modify or delete the contents of USB storage
• modify the call log
• directly call phone numbers
• read the call log
• read text messages (SMS or MMS)
• precise location (GPS and network-based)
• modify your contacts
• read calendar events and confidential information
• add or modify calendar events and send email to guests without the owner's knowledge
What is Trust?
…belief that someone or something is reliable, good, honest, effective, secure…
How to achieve this?
Open Web Application Security Project (OWASP)
The OWASP Top 10 Mobile Risks help us secure mobile applications for our clients, and they can help you too!
OWASP Top 10 Mobile Risks
M1: Weak Server Side Controls
M2: Insecure Data Storage
M3: Insufficient Transport Layer Protection
M4: Unintended Data Leakage
M5: Poor Authorization and Authentication
M6: Broken Cryptography
M7: Client Side Injection
M8: Security Decisions Via Untrusted Inputs
M9: Improper Session Handling
M10: Lack of Binary Protections
Example 1: Broken Crypto
Of all apps out there, you should trust that bank applications are secure, right?
OWASP Top 10 Mobile Risks – Example 3: Data leakage and lack of binary protection
What if I make a game, would I need to secure it?
OWASP Top 10 Mobile Risks – Example 4: More than five risks in a combined scenario…
Scandinavian teenagers' favourite picture-sharing app has a not-so-appealing feature…
• The app's goal is to meet users' need to share instant photos and videos without the fear that a post or picture will be held against them in the future
The examples show that we might have to reconsider our trust in some top 10 apps…
…So how can we learn from others' mistakes and build trust?
Executive Summary: Mobile Security
Mobile Security Strategy and Capabilities

Business Challenges
Organizational Challenges
• No organizational structure or buy-in from business units across the organization
• Lack of training, communication, and awareness
Process Challenges
• Lack of or poorly defined mobile security strategy
• Security policies driven by consumerization without consideration of security strategies make BYOD more of a risk to the enterprise
Technology Challenges
• Difficulty protecting sensitive data on mobile devices
• Growing Wi-Fi population and inappropriate controls within the infrastructure
• Unknown vulnerabilities within mobile application exploits, backend infrastructure, unauthorized access

Drivers and Benefits
Business Values
• Mobilize your workforce to work from anywhere and increase productivity
• Enable Bring Your Own Device (BYOD) to increase self service, improve satisfaction, and reduce the Total Cost of Ownership (TCO)
Technical Benefits
• Reduction of threats and vulnerabilities
• Proper administration, controls, and technology to protect critical systems and data

Solution
Governance
• Define processes, policies and support
• Identify preferred suppliers
Users/Identity
• Define role access, authorization, and authentication
• Understand usage and prepare users
Applications
• Securely develop, test and distribute apps
• Manage usage and connectivity to backend systems
Data
• Secure data (enterprise/personal) communication and protection
• Classification and functionality
Network
• Architecture to support new interactions (wireless, remote)
• Provide secure enterprise connectivity and monitoring
Device
• Define appropriate management program and supported platforms
• Secure the device while providing choice and flexibility to end users
Mobile Security Overview
Copyright © 2013 Accenture All rights reserved.
Several components need to be addressed to provide comprehensive mobile security
Reference:
• Information Security Forum
• National Institute of Standards and Technology

[Diagram: Mobile Security at the centre, surrounded by Governance, Data, Application, Network, Users & Identity and Device]

Mobile Security Strategy
A comprehensive program and strategy to embed security throughout the enterprise's mobile lifecycle

Users & Identity
• Roles and authorization levels and authentication
• Evaluation / monitoring of usage patterns
• Program awareness and education

Applications
• SDLC development
• Testing
• Distribution / provisioning
• Access Control
• Secure connection to backend systems and data (Ex: Cloud)
• Monitoring / Management

Data
• Classification
• Authentication
• Secure connection
• Strong Encryption
• Data loss prevention
• Secure storage
• Audit and forensics

Network
• Voice
• Secure remote connectivity
• Monitoring and Testing
• Wireless networking
• Use of untrusted and/or public networks

Device
• Security functionality
• Control connectivity
• Secure remote connections
• Disposal and wipe
• Synchronization / Backup
• Ability to update
• Physical Access
• Tracking/Management

Governance
• Define processes and policies (ownership, connectivity, applications, privacy, audit / wipe)
• Support / Training
• Identify preferred suppliers / service level for business
Accenture contributed our view to the OWASP Top 10 Mobile Risks and developed a solution framework to address them:
1. Insecure or unnecessary data storage and transmission
2. Applications with higher privileges than required and/or authorized
3. Use of (or failure to disable) insecure mobile device platform features in application
4. Allowing access to resources without strong authentication
5. Malicious/Counterfeit third-party code
6. Insecure or unnecessary interaction between applications and OS components
7. Server accepting unvalidated or unauthenticated input from mobile devices
8. Personal or corporate data leakage
9. Client-side injection and overflows
10. Client-side DoS
The OWASP Top 10 Mobile Security Risks as addressed by the Solution Landscape
Map Risk to the Mobile Environment
[Diagram: risks 1–10 from the list above placed on the layers Mobile Apps, Mobile Platform/Device, Mobile Network, Enterprise Network/Enclave and Back End Services/Cloud]
Solutions Landscape
Layers: Mobile Apps, Mobile Platform/Device, Mobile Network, Enterprise Network/Enclave, Back End Services/Cloud
Solutions:
• Mobile App Security Code Review
• Mobile App / Platform Security Review
• Mobile Device Threat Analysis
• Private Mobile App Stores
• Mobile Device Host-Based Security
• Secure Mobile Voice as a Service
• Mobile App PKE
Mobile Security – Example Use Cases
Example use cases (Not Comprehensive), with key considerations for each:

Use Case: Consumer Applications
• Protection of customer data
• Secure communication with service provider
• Maintaining trust and enhancing user experience

Use Case: Enterprise Mobile Application
• Protection of enterprise data
• Distribution and management
• Enhanced productivity

Use Case: Enterprise BYOD (User Owned)
• Limited controls on a privately owned device
• Balance between corporate and private data
• Governance of policies and procedures to control functionality (Example: wiping the device, use of native controls)
• Asset management, authorization and authentication

Use Case: Enterprise Provisioned Devices (Corporate Owned)
• Fully specified security configurations
• Balance between corporate and private data
• Governance of policies and procedures to control functionality (Example: wiping the device, use of native controls)
• Asset management, authorization and authentication

Use Case: Email Security
• Securing enterprise data and confidential information
• Maintaining user experience

Use Case: Desktop Virtualization
• Leverage existing hardware investments or personally owned devices
• Protection of enterprise systems and data

Use Case: Point of Sale/Connected Devices
• Device hardening
• Network hardening
• Protection of end user and enterprise systems and data (cross-industry)
Questions?