Mobile Security
Published in: Technology
Transcript of "Mobile Security"

1. Fresh Digital Group: Building Mobile Security
We Strategize. We Execute. We Deliver. On All Screens.

2. The Problem: Vulnerabilities
- OS vulnerabilities: server, clients
- Transport vulnerabilities: network
- App vulnerabilities: client, middleware, servers
3. The Problem: App Security
- Apps exist in the market to make money, not to protect you or your information.
- Gold-rush mentality: developers are extremely rushed to produce apps, and security suffers as a result.

4. The Problem: Enterprise Issues
Mobile is transforming how people work:
- Insurance agents close deals in real time on their iPads.
- Doctors review secure messages and patient records from a restaurant.
- Social workers carry tablets to each client's home, take images and update records on the spot.

5. The Problem: Enterprise Issues
The mobile ecosystem introduces an exponentially expanded attack surface compared to previous technology introductions:
- Non-managed firmware
- Non-managed networks
- Non-managed OSs
- Non-managed applications
- Non-managed data flows
Past situations with fewer variables and less complexity already had significant economic impact:
- Email: ILOVEYOU virus, $10B
- Web servers: Code Red, $9B
- PCs: Blaster, $5B
6. Most Vulnerable Securities

7. The Problem: Mobile Hacking
Old process, 5 steps to monetize a vulnerability: Exploit > Install > Data Theft > Data Sale > Profit
New process, 3 steps to monetize a vulnerability: Exploit > Install > Profit
8. App Vulnerabilities: Mobile App Threat
Many considerations:
- Platforms vary substantially.
- Mobile apps are similar to, but still very different from, traditional web apps, even web apps heavy with client-side code.
It's more than just apps:
- Cloud/network integration
- Device platform considerations
Most mobile apps are basically web apps, but with more client "smarts": almost all web weaknesses are relevant, and more.
9. Mobile Threat Model
The slide is a threat diagram organized around the STRIDE categories (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege). Threat labels recovered from the diagram:
- Device: missing/lost device, device breach, malware, malware sandbox escape, modifying local data, reverse engineering apps, crashing apps
- Network and carrier: malicious carrier, insecure WiFi, untrusted peer, network breach, toll fraud, push notification flooding, DDoS
- User and input: social engineering, QR code, NFC tag, client-side injection, malicious application
- App and backend: weak or flawed authentication, weak authorization, improper session handling, compromised credentials, compromised backend, excessive API usage
10. Biggest Issue: Lost/Stolen Device
Anyone with physical access to your device can get to a wealth of data:
- PIN is not effective
- App data
- Keychains
- Properties
Disk encryption helps, but we can't count on users using it. Apps must protect users' local data storage.

11. Lost/Stolen Device: Insecure Data Storage
Sensitive data left unprotected. Applies to locally stored data and to cloud-synced data.
Generally a result of:
- Not encrypting data
- Caching data not intended for long-term storage
- Weak or global permissions
- Not leveraging platform best practices
Impact:
- Confidentiality of data lost
- Credentials disclosed
- Privacy violations
- Non-compliance
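The three causes on the slide that an auditor can actually observe on a recovered device (global permissions, credentials in clear, credentials lingering in a cache) can be checked mechanically. The following is an added example, not code from the deck: a small audit of an app's data directory plus the owner-only file creation that avoids the permission problem in the first place. The iOS-style directory layout, the file contents and the credential patterns are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Credential-looking content; the pattern list is an assumption for illustration.
SECRET_PATTERNS = [
    re.compile(rb"(?i)(password|passwd|pwd)\s*[=:]\s*\S+"),
    re.compile(rb"(?i)(api[_-]?key|secret|token)\s*[=:]\s*\S+"),
    re.compile(rb"(?i)session(id)?\s*[=:]\s*\S+"),
]
# Directory names the platform treats as disposable caches (assumption).
CACHE_DIR_NAMES = {"Caches", "cache", "tmp"}


def audit_data_dir(root):
    """Walk an app's data directory and return (relative_path, finding) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        in_cache = any(part in CACHE_DIR_NAMES for part in rel_dir.split(os.sep))
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.stat(path).st_mode
            # Weak or global permissions: any "other" bit set.
            if mode & stat.S_IRWXO:
                findings.append((rel, "world-accessible permissions"))
            with open(path, "rb") as fh:
                head = fh.read(64 * 1024)
            # Not encrypting data: credential material readable as-is.
            if any(p.search(head) for p in SECRET_PATTERNS):
                findings.append((rel, "plaintext credential material"))
                # Caching data not intended for long-term storage.
                if in_cache:
                    findings.append((rel, "credential persisted in a cache directory"))
    return findings


def write_private_file(path, data):
    """Create the file owner-only at the moment of creation (no window in which
    the default umask leaves it readable), then write."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed iOS-style sandbox layout and audit it."""
    root = tempfile.mkdtemp(prefix="appdata-")
    os.makedirs(os.path.join(root, "Library", "Caches"))
    os.makedirs(os.path.join(root, "Documents"))
    # Bad: a cached config holding the password in clear, and world-readable.
    bad = os.path.join(root, "Library", "Caches", "config.plist")
    with open(bad, "wb") as fh:
        fh.write(b"<key>username</key><string>alice</string>\npassword = hunter2\n")
    os.chmod(bad, 0o644)
    # Good: data written owner-only and holding nothing secret.
    write_private_file(os.path.join(root, "Documents", "notes.txt"), b"shopping list\n")
    return audit_data_dir(root)


if __name__ == "__main__":
    for path, finding in demo():
        print("%-32s %s" % (path, finding))
```

Permissions only matter once the attacker is on the filesystem, which in the lost-device case is the starting point; the audit is useful as a build-time check, but the slide's real answer is that secrets must be encrypted with a key the copied partition does not contain.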
12. Second Biggest Issue: Insecure Comms
Without additional protection, mobile devices are susceptible to the "coffee shop attack":
- Anyone on an open WiFi network can eavesdrop on your data.
- No different from any other WiFi device, really.
Your apps MUST protect your users' data in transit.
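On open WiFi the attacker is not only listening; with an unverified TLS client they can also sit in the middle and present their own certificate. The following is an added example, not code from the deck, showing the client-side TLS configuration that many apps ship (verification switched off) beside the hardened one, plus a certificate-pinning check. The pinned fingerprints and the DER bytes used in the demo are constructed placeholders, and `connect_pinned` needs network access so it is not exercised offline.

```python
import hashlib
import socket
import ssl


def insecure_context():
    """The common mistake: verification disabled 'to make it work' against a
    self-signed test server, then shipped.  Any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """Chain verified against the system trust store, hostname must match,
    nothing below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def cert_fingerprint(der_cert):
    """SHA-256 over the DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pinned):
    """True if the presented certificate is one of the pinned fingerprints.
    Pin a set (current plus backup) so a rotation does not lock users out."""
    normalized = {p.lower().replace(":", "") for p in pinned}
    return cert_fingerprint(der_cert) in normalized


def connect_pinned(host, port, pinned, timeout=5.0):
    """Open a fully verified TLS connection and additionally enforce the pin."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, pinned):
                raise ssl.SSLError("certificate does not match pinned fingerprint")
            return tls.version()


def is_safe(ctx):
    """Checklist an app can run against its own context in a unit test."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)
```

Pinning is the extra step that protects against a compromised or coerced CA; the minimum bar the slide demands (data protected in transit) is simply the hardened context with verification left on.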
13. Case Study Examples: Mint.com
Mint.com: a financial service aggregator that relies on targeted marketing/lead generation, with 5M+ active users.
How it works:
- Create a Mint.com account
- Link financial accounts to Mint.com
- Install the mobile application and enter Mint.com credentials
- View all financial account activity within the app

14. Lost Device Example
Physical iOS exploit scenario:
- Lost iPhone
- Recovered by a data harvester
- 4-digit PIN bypassed in 3 minutes
- User partition copied
- Mint.com cookies and configuration copied to the attacker's iOS platform
- Full Mint.com mobile access in 20 minutes or less
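The step that turns a copied partition into full account access is that the copied cookies still work from another device. The following is an added example, not code from the deck or from Mint.com, of server-side session handling that makes a copied cookie useless: the session record lives on the server, is bound to a hash of the installation's device identifier, and expires when idle. The device-identifier source, the token format and the 15-minute lifetime are assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 15 * 60  # idle lifetime of a mobile session, in seconds (assumption)


def _fingerprint(device_id):
    """Store only a hash of the installation identifier, never the raw value."""
    return hashlib.sha256(device_id.encode()).hexdigest()


class SessionStore:
    """Server-side sessions: the device carries only an opaque signed id; the
    record (user, device binding, expiry) never leaves the server."""

    def __init__(self, server_key):
        self._key = server_key
        self._sessions = {}

    def issue(self, user, device_id, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)           # alphabet contains no '.'
        self._sessions[sid] = {"user": user, "device": _fingerprint(device_id),
                               "expires": now + SESSION_TTL}
        return self._sign(sid)

    def validate(self, token, device_id, now=None):
        """Return (user, "ok") on success, otherwise (None, reason)."""
        now = time.time() if now is None else now
        sid = self._verify(token)
        if sid is None:
            return None, "bad signature"
        rec = self._sessions.get(sid)
        if rec is None:
            return None, "unknown session"
        if now > rec["expires"]:
            self._sessions.pop(sid, None)
            return None, "expired"
        if not hmac.compare_digest(_fingerprint(device_id), rec["device"]):
            # Valid cookie, wrong installation: the copied-partition case.
            # Revoke rather than merely refuse, so the legitimate device has
            # to re-authenticate too and the theft becomes visible.
            self._sessions.pop(sid, None)
            return None, "device mismatch"
        rec["expires"] = now + SESSION_TTL        # sliding expiry while in use
        return rec["user"], "ok"

    def _sign(self, sid):
        mac = hmac.new(self._key, sid.encode(), hashlib.sha256).digest()
        return sid + "." + base64.urlsafe_b64encode(mac).decode().rstrip("=")

    def _verify(self, token):
        sid, _, mac_b64 = token.rpartition(".")
        if not sid:
            return None
        try:
            got = base64.urlsafe_b64decode(mac_b64 + "=" * (-len(mac_b64) % 4))
        except (binascii.Error, ValueError):
            return None
        want = hmac.new(self._key, sid.encode(), hashlib.sha256).digest()
        return sid if hmac.compare_digest(got, want) else None
```

The binding is only as strong as the identifier: if it is a value sitting in the same copied partition, the copy carries it along. Derive it from something the harvester cannot export, such as a key generated in the platform's hardware-backed key store, and treat the binding as defence in depth next to short lifetimes and re-authentication before sensitive actions.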
15. Remote iOS Exploit Scenario
- An un-patched iOS device is compromised through a URL-handling exploit.
- The attacker bundles a keylogger as the exploit payload.
- The user installs Mint.com and links the mobile application to their Mint.com account.
- The attacker programs the compromised phone to schedule daily dumps of the keystroke logs.

16. Common Security Mechanisms: How to Build in Security
- Input validation
- Output escaping
- Authentication
- Session handling
- Protecting secrets, at rest and in transit
- SQL connections
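Three of the mechanisms on the slide (input validation, output escaping and SQL connections) meet in the same place: the backend endpoint a mobile app calls. The following is an added example, not code from the deck, showing the string-built query a rushed backend ships beside the validated, parameterized version, and the output escaping for a hybrid/HTML5 screen. The schema, rows and username rule are constructed for illustration.

```python
import html
import re
import sqlite3

# Allow-list for the one field this endpoint accepts (assumption).
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def setup_db():
    """Constructed in-memory table standing in for the backend's store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", 100), ("bob", 250), ("carol", 9000)])
    return db


def balances_vulnerable(db, username):
    """String-built query: whatever the client sends becomes SQL."""
    sql = "SELECT username, balance FROM accounts WHERE username = '%s'" % username
    return db.execute(sql).fetchall()


def balances_safe(db, username):
    """Validate the shape first (reject, do not 'clean'), then bind the value
    as a parameter so the driver never interprets it as SQL."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    return db.execute(
        "SELECT username, balance FROM accounts WHERE username = ?", (username,)
    ).fetchall()


def render_balance_row(username, balance):
    """Output escaping: a username that contains markup is shown, not executed."""
    return "<li>%s: %d</li>" % (html.escape(username, quote=True), balance)
```

Validation and parameter binding are separate defences: binding alone already neutralizes the injection, and the allow-list additionally keeps garbage out of logs, caches and downstream systems that may not bind their parameters.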
17. Authorization Basics
Question every action. Is the user allowed to access this:
- File
- Function
- Data
By role or by user; watch for:
- Complexity issues
- Maintainability issues
- Creeping exceptions
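The slide's three questions (function, data, and the role-versus-user split) and its warning about creeping exceptions can be encoded so that the question is asked before every action rather than in whichever code paths someone remembered. The following is an added example, not code from the deck; the roles, permission names and the insurance-flavoured resources are assumptions made for illustration.

```python
import functools

# Role -> permissions.  A ":any" suffix is an explicit organisation-wide grant
# that waives the ownership check.  Exceptions live here and nowhere else, so
# they can be reviewed as data instead of creeping into code.
ROLE_PERMISSIONS = {
    "agent":    {"policy:read", "policy:quote", "policy:bind"},
    "adjuster": {"claim:read", "claim:approve"},
    "auditor":  {"policy:read:any", "claim:read:any"},
}


class Denied(PermissionError):
    pass


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = set(roles)


def has_permission(user, permission):
    """Function-level check: does any of the user's roles grant the permission?"""
    return any(permission in ROLE_PERMISSIONS.get(role, ()) for role in user.roles)


def owns(user, resource):
    """Data-level check: the record belongs to the user or to their team."""
    return resource.get("owner") == user.name or user.name in resource.get("team", ())


def check(user, permission, resource):
    """Deny by default: only an explicit ':any' grant, or the plain grant
    combined with ownership of this specific record, lets the action through."""
    if has_permission(user, permission + ":any"):
        return
    if has_permission(user, permission) and owns(user, resource):
        return
    raise Denied("%s may not %s %s" % (user.name, permission, resource.get("id")))


def authorize(permission):
    """Decorator that asks the question before the body runs, every time."""
    def decorate(fn):
        @functools.wraps(fn)
        def wrapper(user, resource, *args, **kwargs):
            check(user, permission, resource)
            return fn(user, resource, *args, **kwargs)
        return wrapper
    return decorate


@authorize("policy:read")
def read_policy(user, policy):
    return policy["body"]


@authorize("claim:read")
def read_claim(user, claim):
    return claim["status"]


@authorize("claim:approve")
def approve_claim(user, claim):
    claim["status"] = "approved"
    return claim["status"]
```

Keeping the role table small and the ownership rule in one function is what holds the complexity and maintainability issues down; the moment a special case is handled with an `if user.name == ...` inside a handler, it has escaped review.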
18. Security Solutions Address 4 Aspects
1. Authentication: enforce enterprise standards without compromising UX
2. Data security (storage and transit): isolate corporate data, secure it, and provide DLP
3. Control of corporate data: provision enterprise access, enforce policy and visibility
4. App creation: native and HTML5, UX, cross-platform, getting the business logic right

19. Fresh Digital Group
111 John St, 2nd FL, New York, NY 10038
www.freshdigitalgroup.com