Page 1: Appsecurity, win or loose

Mobile Security: App Security – Win or Lose
Date…

By Anders Flaglien, Security Consultant

Page 2: Appsecurity, win or loose

1000+ Apps are released on Google Play and Appstore every day!

The most popular ones are downloaded 75 000 times a day.

There are many success factors that must be met for your app to be successful, and one of them is trust.

Page 3: Appsecurity, win or loose

At least when you process business confidential data…

Trust is «everything»

Copyright © 2015 Accenture All rights reserved.

Page 4: Appsecurity, win or loose

Top 10 downloaded apps* with more than 100 million downloads all rely on users to trust them and the services they offer

*in Google Play according to Wikipedia 26.10.2014

Page 5: Appsecurity, win or loose


Would you give a random app a lot of permissions to control your device without your approval?

These are some of ONE app's 40+ permissions to do «whatever»:

• create accounts and set passwords

• change audio settings

• draw over other apps

• take pictures and videos

• record audio

• modify or delete the contents of USB storage

• modify the call log

• directly call phone numbers

• read the call log

• read text messages (SMS or MMS)

• precise location (GPS- and network-based)

• modify your contacts

• read calendar events and confidential information

• add or modify calendar events and send email to guests without the owner's knowledge

Page 6: Appsecurity, win or loose

What is Trust?


…belief that someone or something is reliable, good, honest, effective, secure…

How to achieve this?

Page 7: Appsecurity, win or loose

Open Web Application Security Project (OWASP)

The OWASP Top 10 Mobile Risks help us secure mobile applications for our clients, and they can help you too!

M1: Weak Server Side Controls

M2: Insecure Data Storage

M3: Insufficient Transport Layer Protection

M4: Unintended Data Leakage

M5: Poor Authorization and Authentication

M6: Broken Cryptography

M7: Client Side Injection

M8: Security Decisions Via Untrusted Inputs

M9: Improper Session Handling

M10: Lack of Binary Protections

Page 8: Appsecurity, win or loose

OWASP Top 10 Mobile Risks

Example 1: Broken Crypto


Page 9: Appsecurity, win or loose

Of all apps out there, you should trust that bank applications are secure, right?


Page 10: Appsecurity, win or loose

OWASP Top 10 Mobile Risks

Example 3: Data leakage and lack of binary protection


Page 11: Appsecurity, win or loose


What if I make a game, would I need to secure it?

Page 12: Appsecurity, win or loose

OWASP Top 10 Mobile Risks

Example 4: More than five risks in a combined scenario…


Page 13: Appsecurity, win or loose

Scandinavian teenagers' favourite picture-sharing app has a not-so-appealing feature…

• The app's goal is to meet users' need to communicate instant photos and videos without the fear that a post or picture will be held against them in the future

Page 14: Appsecurity, win or loose

The examples show that we might have to reconsider our trust in some top 10 apps…

…So how can we learn from others' mistakes and build trust?

Page 15: Appsecurity, win or loose

Executive Summary: Mobile Security

Mobile Security Strategy and Capabilities

Business Challenges | Drivers | Solution | Benefits

Business Challenges

Organizational Challenges
• No organizational structure or buy-in from business units across the organization
• Lack of training, communication, and awareness

Process Challenges
• Lack of or poorly defined mobile security strategy
• Security policies driven by consumerization without consideration of security strategies make BYOD more of a risk to the enterprise

Technology Challenges
• Difficulty protecting sensitive data on mobile devices
• Growing Wi-Fi population and inappropriate controls within the infrastructure
• Unknown vulnerabilities within mobile application exploits, backend infrastructure, unauthorized access

Solution: Mobile Security Overview

Governance
• Define processes, policies and support
• Identify preferred suppliers

Users/Identity
• Define role access, authorization, and authentication
• Understand usage and prepare users

Applications
• Securely develop, test and distribute apps
• Manage usage and connectivity to backend systems

Data
• Secure data (enterprise/personal) communication and protection
• Classification and functionality

Network
• Architecture to support new interactions (wireless, remote)
• Provide secure enterprise connectivity and monitoring

Device
• Define appropriate management program and supported platforms
• Secure the device while providing choice and flexibility to end users

Benefits

Business Values
• Mobilize your workforce to work from anywhere and increase productivity
• Enable Bring Your Own Device (BYOD) to increase self service, improve satisfaction, and reduce the Total Cost of Ownership (TCO)

Technical Benefits
• Reduction of threats and vulnerabilities
• Proper administration, controls, and technology to protect critical systems and data

Page 16: Appsecurity, win or loose

Copyright © 2013 Accenture All rights reserved.

Several components need to be addressed to provide comprehensive mobile security

Reference: Information Security Forum; National Institute of Standards and Technology

[Diagram: Mobile Security at the centre, surrounded by Governance, Data, Application, Network, Users & Identity and Device]

Mobile Security Strategy
A comprehensive program and strategy to embed security throughout the enterprise's mobile lifecycle

Users & Identity
• Roles and authorization levels and authentication
• Evaluation / monitoring of usage patterns
• Program awareness and education

Applications
• SDLC development
• Testing
• Distribution / provisioning
• Access Control
• Secure connection to backend systems and data (Ex: Cloud)
• Monitoring / Management

Data
• Classification
• Authentication
• Secure connection
• Strong Encryption
• Data loss prevention
• Secure storage
• Audit and forensics

Network
• Voice
• Secure remote connectivity
• Monitoring and Testing
• Wireless networking
• Use of untrusted and/or public networks

Device
• Security functionality
• Control connectivity
• Secure remote connections
• Disposal and wipe
• Synchronization / Backup
• Ability to update
• Physical Access
• Tracking/Management

Governance
• Define processes and policies (ownership, connectivity, applications, privacy, audit / wipe)
• Support / Training
• Identify preferred suppliers / service level for business

Page 17: Appsecurity, win or loose


Accenture contributed our view to the OWASP Top 10 Mobile Risks and developed a solution framework to address them:

1. Insecure or unnecessary data storage and transmission

2. Applications with higher privileges than required and/or authorized

3. Use of (or failure to disable) insecure mobile device platform features in application

4. Allowing access to resources without strong authentication

5. Malicious/Counterfeit third-party code

6. Insecure or unnecessary interaction between applications and OS components

7. Server accepting unvalidated or unauthenticated input from mobile devices

8. Personal or corporate data leakage

9. Client-side injection and overflows

10. Client-side DoS

The OWASP Top 10 Mobile Security Risks empowered by the Solution Landscape

Map Risk to the Mobile Environment

[Diagram: the ten risks above placed across five columns: Mobile Apps, Mobile Platform/Device, Mobile Network, Enterprise Network/Enclave, Back End Services/Cloud; the risk numbers appear in the groups 3 4 5, 7, and 1 2 6 8 9 10]

Solutions Landscape

[Diagram: the same five columns (Mobile Apps, Mobile Platform/Device, Mobile Network, Enterprise Network/Enclave, Back End Services/Cloud) with the following solutions positioned across them]

• Mobile App Security Code Review
• Mobile App / Platform Security Review
• Mobile Device Threat Analysis
• Private Mobile App Stores
• Mobile Device Host-Based Security
• Secure Mobile Voice as a Service
• Mobile App PKE

Page 18: Appsecurity, win or loose


Example use cases (Not Comprehensive)

Mobile Security – Example Use Cases

Use Case: Key Considerations

Consumer Applications
• Protection of customer data
• Secure communication with service provider
• Maintaining trust and enhancing user experience

Enterprise Mobile Application
• Protection of enterprise data
• Distribution and management
• Enhanced productivity

Enterprise BYOD (User Owned)
• Limited controls on a privately owned device
• Balance between corporate and private data
• Governance of policies and procedures to control functionality (Example: wiping the device, use of native controls)
• Asset management, authorization and authentication

Enterprise Provisioned Devices (Corporate Owned)
• Fully specified security configurations
• Balance between corporate and private data
• Governance of policies and procedures to control functionality (Example: wiping the device, use of native controls)
• Asset management, authorization and authentication

Email Security
• Securing enterprise data and confidential information
• Maintaining user experience

Desktop Virtualization
• Leverage existing hardware investments or personally owned devices
• Protection of enterprise systems and data

Point of Sale/Connected Devices
• Device hardening
• Network hardening
• Protection of end user and enterprise systems and data (cross-industry)

Page 19: Appsecurity, win or loose

Questions?
