Protecting Mobile Apps and Security around Bring Your Own Device

655 views

Published on

Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/14bpf2V.

Alex Batlin and Shane Williams explore the challenges faced maintaining the security of mobile apps and also take a look at the enterprise implications with the push for BYOD. Filmed at qconlondon.com.

Shane is currently regional head of mobile development in Switzerland, developing secure mobile applications across the UBS group. Alex is a Director in UBS's technology innovation, research and development team covering emerging and trending technology topics like big data analytics, social media, cloud and mobile computing, unified communication, post-PC consumer BYOD enterprise architecture.

Published in: Technology, News & Politics
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
655
On SlideShare
0
From Embeds
0
Number of Embeds
4
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Protecting Mobile Apps and Security around Bring Your Own Device

  1. 1. Protecng  Mobile  Apps  and  security  in  the  context  of  Bring  Your  Own  Device    Shane  Williams  Alex  Batlin  
  2. 2. InfoQ.com: News & Community Site• 750,000 unique visitors/month• Published in 4 languages (English, Chinese, Japanese and BrazilianPortuguese)• Post content from our QCon conferences• News 15-20 / week• Articles 3-4 / week• Presentations (videos) 12-15 / week• Interviews 2-3 / week• Books 1 / monthWatch the video with slidesynchronization on InfoQ.com!http://www.infoq.com/presentations/mobile-security-byod
  3. 3. Presented at QCon Londonwww.qconlondon.comPurpose of QCon- to empower software development by facilitating the spread ofknowledge and innovationStrategy- practitioner-driven conference designed for YOU: influencers ofchange and innovation in your teams- speakers and topics driving the evolution and innovation- connecting and catalyzing the influencers and innovatorsHighlights- attended by more than 12,000 delegates since 2007- held in 9 cities worldwide
  4. 4. THE  BASICS  AND  BACKGROUND  
  5. 5. Basics  –  Security  is  the  same  Confiden9ality    LOSS  =  unauthorized  disclosure  of  informa9on.    
  6. 6. Basics  –  Security  is  the  same  Availability  LOSS  =  disrup9on  of  access  to  or  use  of  informa9on  or  an  informa9on  system.    
  7. 7. Basics  –  Security  is  the  same  Integrity  LOSS  =  unauthorized  modifica9on  or  destruc9on  of  informa9on  
  8. 8. Basics  –  Security  is  the  same  Confiden9ality    Integrity   Availability  LOSS  =  unauthorized  disclosure  of  informa9on.    LOSS  =  unauthorized  modifica9on  or  destruc9on  of  informa9on  LOSS  =  disrup9on  of  access  to  or  use  of  informa9on  or  an  informa9on  system.    
  9. 9. Mobile  Threat  Model  WEB  Cloud  Storage  App  Stores  Websites  Web  Services  Corp  Networks  Hardware  Radio,  GPS,  Sensor  OS  Kernel,  Drivers,  FS  Run9me  Libs,  Deps,  VM’s  Apps  Card  reader  Sensors  Laptop  Peer  Device  Payments  Laptop  802.11  NFC  Bluetooth  SMS  Voice  Carrier  Network  Local  Network    (Wi-­‐Fi,  VPN,  etc)  OWASP  Trust  Boundary  CORP   CONS   BUILTIN  
  10. 10. Threat  paths  Threat    Agents  A]ack  Vectors  Security  Weaknesses  (Vulnerabili9es)  Security  Controls  Technical  Impacts  Business  Impacts  Weakness  Weakness  Control  Control  Control  Weakness  Weakness  
  11. 11. Threat  paths  Threat    Agents  A]ack  Vectors  Security  Weaknesses  (Vulnerabili9es)  Security  Controls  Technical  Impacts  Business  Impacts  Weakness  Weakness  Control  Control  Control  Weakness  Weakness  Ø Mo9va9on  Ø Financial  Ø Poli9cal  Ø Publicity    Threat-­‐Source  
  12. 12. Threat  paths  Threat    Agents  A]ack  Vectors  Security  Weaknesses  (Vulnerabili9es)  Security  Controls  Technical  Impacts  Business  Impacts  Weakness  Weakness  Control  Control  Control  Weakness  Weakness  Threat-­‐  Source  A]ack  A]ack  A]ack  
  13. 13. Threat  paths  Threat    Agents  A]ack  Vectors  Security  Weaknesses  (Vulnerabili9es)  Security  Controls  Technical  Impacts  Business  Impacts  Weakness  Weakness  Control  Control  Control  Weakness  Weakness  Threat-­‐  Source  A]ack  A]ack  A]ack  
  14. 14. Threat  paths  Threat    Agents  A]ack  Vectors  Security  Weaknesses  (Vulnerabili9es)  Security  Controls  Technical  Impacts  Business  Impacts  Weakness  Weakness  Control  Control  Control  Weakness  Weakness  Threat-­‐  Source  A]ack  A]ack  A]ack  
  15. 15. Threat  paths  Threat    Agents  A]ack  Vectors  Security  Weaknesses  (Vulnerabili9es)  Security  Controls  Technical  Impacts  Business  Impacts  Weakness  Weakness  Control  Control  Control  Weakness  Weakness  Threat-­‐  Source  A]ack  A]ack  A]ack  0wned
  16. 16. Threat  paths  Threat    Agents  A]ack  Vectors  Security  Weaknesses  (Vulnerabili9es)  Security  Controls  Technical  Impacts  Business  Impacts  Weakness  Weakness  Control  Control  Control  Weakness  Weakness  Threat-­‐  Source  A]ack  A]ack  A]ack  Func9on  Impact  
  17. 17. Threat  paths  A]ack  A]ack  A]ack  Weakness  Weakness  Control  Control  Control  Asset  Func9on  Asset  Impact  Impact  Impact  Weakness  Weakness  Threat    Agents  A]ack  Vectors  Security  Weaknesses  (Vulnerabili9es)  Security  Controls  Technical  Impacts  Business  Impacts  ©  2002-­‐2013  OWASP  Founda3on  Threat-­‐  Source  
  18. 18. Threat  paths  A]ack  A]ack  A]ack  Weakness  Weakness  Control  Control  Control  Asset  Func9on  Asset  Impact  Impact  Impact  Weakness  Weakness  Threat    Agents  A]ack  Vectors  Security  Weaknesses  (Vulnerabili9es)  Security  Controls  Technical  Impacts  Business  Impacts  Threat-­‐  Source  
  19. 19. Top  10  Mobile  Risks    ?  The  poten3al  that  a  given  threat  will  exploit  vulnerabili3es  of  an  asset  or  group  of  assets  and  thereby  cause  harm  to  the  organiza3on.  ISO  13335  –  Informa9on  Technology  Security  Techniques  
  20. 20. Top  10  Mobile  Risks  1.  Insecure  Data  Storage  2.  Weak  Server  Side  Controls  3.  Insufficient  Transport  Layer  Protec9on  4.  Client  Side  Injec9on  5.  Poor  Authoriza9on  and  Authen9ca9on  6.  Improper  Session  Handling  7.  Security  Decisions  Via  Untrusted  Inputs  8.  Side  Channel  Data  Leakage  9.  Broken  Cryptography  10.  Sensi9ve  Informa9on  Disclosure  The  Open  Web  Applica9on  Security  Project  (OWASP)  -­‐  Mobile  Security  Project    Data  at  rest  control  Bypass  client  to  a]ack  Over-­‐the-­‐wire  XSS,  etc.  Low  factors  Allow  Hijacking  Keyboards  Listening,  in-­‐Sophis9cated    Easily  breakable,  WEP  Data  leakage,  Social    
  21. 21. A]acks  
  22. 22. A]acks  
  23. 23. A]acks  
  24. 24. A]acks  S   R  S   R  Eavesdrop/Copy  Stop/Delay/Modify  A]ack  Confiden9ality  A]ack  Integrity  S   R  Masquerade/  Assume  iden9ty/Authen9city  S   R  Destroy  channel,  corrupt,  overwhelm  A]ack  Availability  
  25. 25. Ø Eavesdropping  Ø No  Physical  Boundaries  Ø Tracing/Tracking  Ø Device  Capture  S   R  A]ack  Confiden9ality  
  26. 26. S   R  A]ack  Integrity   S   R  Ø SSL  Stripping  Ø Reputa9on  Ø Fraud  (Monetary/Iden9ty)  Ø Browser  icons  common  
  27. 27. S   R  A]ack  Availability  Ø Distributed  Denial  of  Service  Ø Bandwidth  Constraints  Ø Interference  and  Jamming  
  28. 28. Recent  Real  World  Examples  •  Feb  2013  –  Watering  Hole  a]ack  •  Notable  and  news  worthy    
  29. 29. SECURITY  CONTROLS  
  30. 30. Security  controls  Plakorm  Controls  Custom  Controls  
  31. 31. Custom  controls  BYOD  Personal  Data  Company  Data  LOA2+  Client  Data  Employee  Data  
  32. 32. NIST  Levels  of  assurance  Level  of  Assurance   Data  Classificaon  Data  Examples   Cumulave  Authencaon  Requirements  Authencaon  Examples  L0  –  No  knowledge  of  iden9ty.  Public  Anonymous  Public  Website   None   Public  website  L1  -­‐  Li]le  or  no  confidence  in  the  asserted  iden9ty’s  validity.  Public   Public  discussion  forum   One  of  any  factor   Username  +  password  i.e.  something  you  know    L2  -­‐  Some  confidence  in  the  asserted  iden9ty’s  validity.  Internal   Team  process  documents  in  SharePoint  One  of  any  factor  Verified  iden9ty  Username  +  password  i.e.  something  you  know,  checked  against  company  HR  controlled  LDAP  directory.  L3  -­‐  High  confidence  in  the  asserted  iden9ty’s  validity.  Confiden9al   Company  strategy  presenta9on  Two  or  more  of  any  factor   Password  protected    X509  son  cer9ficate,  is  both  something  you  have  and  something  you  know.  L4  -­‐Very  high  confidence  in  the  asserted  iden9ty’s  validity.  Strictly  Confiden9al  Client  or  employee  iden9fying  documents  Two  or  more  factors  One  hard  FIPS  140-­‐2  token  Independent  reader  Password  protected  smartcard  over  reader  with  bu]on  Factors:  something  you  know(username,  password),  you  have  (smartcard),  you  are  (fingerprints)  
  33. 33. Control  categories  Secure  Boot  Code  Protec9on  Data  Protec9on  Mobile  Management  Server  Protec9on  
  34. 34. Secure  Boot  –  Apple  Example  Ø Protec9ng  low  level  to  create  start  of  a  chain  of  trust  Ø  Processor  boots  from  read-­‐only  boot  ROM  –  trusted  –  Protects  Integrity  Ø  Contains  the  Apple  Root  CA  Ø  Verifies  Low-­‐Level  boot  loader  is  signed  by  Apple  Ø  Secure  boot  chain  ensures  lowest  levels  of  sonware  are  tamper  free  Ø  Boot  process  ensures  only  Apple  signed  code  can  run  on  the  device  Ø  Jailbreaks  have  exploited  boot  loader  vulnerabili9es  OS  Par99on  Kernel  Crypto  Engine  Device  Key  Group  Key  Apple  Root  Cer9ficate  Encrypted  File  System  User  Par99on    App  Sandbox  Sonware  Hardware  and  Firmware  
  35. 35. Code  Protec9on  Plakorm  Signed  applica9on  Ve]ed  applica9ons  ASLR  Applica9on  sandboxing  
  36. 36. Code  Protec9on  Custom  Sta9c  code  analysis  Code  obfusca9on  Jailbreak  Detec9on  Trusted  Execu9on  Environment  An9-­‐malware  
  37. 37. Code  Protec9on  Plakorm  Signed  applica9on  Ve]ed  applica9ons  ASLR  Applica9on  sandboxing  Custom  Sta9c  code  analysis  Code  obfusca9on  Jailbreak  Detec9on  Trusted  Execu9on  Environment  An9-­‐malware  
  38. 38. DATA  Protec9on  Plakorm  User  Authen9ca9on  Hardware  Encryp9on  Device  VPN  
  39. 39. Data  Protec9on  -­‐  Encryp9on  Hybrid  •  Symmetric  •  Asymmetric  Homomorphic  
  40. 40. Data  protec9on  Custom  Container  FIPS  140-­‐2  Encryp9on  Container  Tunnels  Digital  Rights  Management  Secure  Tokens  &  OS  
  41. 41. Data  Protec9on  -­‐  Encryp9on  Hardware  Embedded  TPM   HSM  Standalone  (Independent)  SmartCard  Hypervisor  TEE  Sonware  API  OpenSSL  
  42. 42. Data  Protec9on  -­‐  Encryp9on  Keys  Effaceable  Memory  HW  Crypto  API  App  Code  PKCS#11  over  PS/SC  
  43. 43. Data  Protec9on  -­‐  Authen9ca9on  Ease  of  use   Protec9on  PIN   Freq  #1   1234   10.71%  #2   1111   6.02%  #3   0000   1.88%  #4   1212   1.20%  #5   7777   0.75%  #6   1004   0.62%  #7   2000   0.61%  #8   4444   0.53%  #9   2222   0.52%  #10   6969   0.51%  #11   9999   0.45%  #12   3333   0.42%  #13   5555   0.40%  #14   6666   0.39%  #15   1122   0.37%  #16   1313   0.30%  #17   8888   0.30%  #18   4321   0.29%  #19   2001   0.29%  #20   1010   0.29%  #22  =  2580  ?  No  Password   Long  Password  Top  20  used  pins…do  you  have  one?  
  44. 44. Data  Protec9on  -­‐  Authen9ca9on  Basic  (1FA)  PIN   Password  Cryptographic  (MFA)  Son  Cer9ficate  Hard  Token  (OTP/SC)  Biometrics  
  45. 45. Data  Protec9on  -­‐  Authen9ca9on  Mutual   Nego9ated   SSO   Federated   Delegated  
  46. 46. Data  protec9on  Plakorm  User  Authen9ca9on  Hardware  Encryp9on  Device  VPN  Custom  Container  FIPS  140-­‐2  Encryp9on  Container  Tunnels  Digital  Rights  Management  Secure  Tokens  &  OS  
  47. 47. Mobile  Management  Plakorm  Mobile  Device  Management  
  48. 48. Mobile  Management  Custom  Mobile  Applica9on  Management  Mobile  Hypervisor  Management  
  49. 49. Mobile  Management  Plakorm  Mobile  Device  Management  Custom  Mobile  Applica9on  Management  Mobile  Hypervisor  Management  
  50. 50. Securing  Access  to  Services  Reverse  Proxy  Applica9on  Server  Internet  
  51. 51. Securing  Access  to  Services  Ø Risk  Assessment  
  52. 52. Securing  Access  to  Services  Ø Black  Hats  and  White  Hats  
  53. 53. Securing  Access  to  Services  Ø Penetra9on  Test  
  54. 54. Closing  Thoughts  Ø You  get  a  lot  without  trying  on  mobile  plakorm  Ø You  have  to  spend  the  effort  on  the  controls  (Client  /  Server)  Ø Technology  is  improving  to  support  security  
  55. 55. Thank  You!  And  Stay  Safe  Shane  Williams  Alex  Batlin  

×