Mobile Application Security

An overview of the security challenges and opportunities that mobile application developers must work through

Transcript

  • 1. Mobile Application Security
    Chris Clark, cclark@isecpartners.com, iSEC Partners, Inc.
    04/23/09 | AND-301, Session Classification: Intermediate

  • 2. Agenda
    • Mobile Today
    • Security Challenges
    • Supporting Security
    • Actions

  • 3. Mobile Today

  • 4. Mobile Phone Sales Per Year
    (Chart: phones sold per year, in millions, 1997 to 2009. Data from Tomi Ahonen Almanac 2009.)

  • 5. (no text captured for this slide)

  • 6. Major Smartphone Platforms

  • 7. (no text captured for this slide)

  • 8. Trend Catalysts
    • Sexier Devices
    • Unlimited Data Plans
    • Younger Generation
    • Provider App Stores
    • F500 Acceptance
    • Multi-Environment Phones

  • 9. Security Challenges

  • 10. What is Security?
    • Not the PC or Server Model
      – Single User
      – High-Value Information
      – Low-Value Applications
    • Availability and Power
    • Local Attacker Resistance

  • 11. The Airline Pocket
    • Physical Security Just Doesn’t Exist
    • Phones Will Be Lost
    • Need Ways of Protecting Data
      – Local encryption
      – Cloud storage

  • 12. Hardware Limitations
    • Limited Bandwidth
    • Power
    • CPU
    • Size
    Technology Will Solve These

  • 13. Screen Size (image from RSnake)

  • 14. Poor Keyboards: C)sOz*ao1pdn

  • 15. Regulations

  • 16. User Identification
    • Real Time
    • Must Be Available Immediately
    • One-Handed Interface
    • More Prompts than PC

  • 17. “Ownership”
    • OS Vendor
    • User
    • Carrier
    • Application Developer
    All “Own” the Phone and Have Differing Objectives

  • 18. Distribution Challenges
    • Indirect Customer Relationship
    • Patching Difficulties
      – Carriers are anti-patch
    • Long Update Lag
    • Multiple Hardware Platforms

  • 19. Web Browsers
    • Different Browser Chrome
    • Inconsistent Standards Support
    • Too Much WebKit

  • 20. Unsafe Languages
    • Windows Mobile (C/C++)
      – .Net Mobile Framework (safe)
      – /GS, SafeCRT
    • iPhone (Objective-C)
      – Has C Constructs
      – NX Stack/Heap
    • Symbian (Symbian C++)
      – C++ with More Complex Memory Management

  • 21. Technical Comparison
    Columns: Feature | Blackberry | WinMo 6.x | iPhone 2.2.1 | Android
    Rows (per-platform values were not captured in the transcript): Enterprise Mail and Calendar; Remote Wipe; Side-Load Applications; Application Sandbox; User Permission UI; App Signing; Browser

  • 22. Technical Comparison
    Columns: Feature | Blackberry | WinMo 6 | iPhone 2.2.1 | Android
    Rows (per-platform values were not captured in the transcript): Application Language; Permission Model; App Buffer Overflows; OS Buffer Overflow Protections; Signature Required?

  • 23. Vulnerability Count by Platform (chart; values not captured in the transcript)

  • 24. Desktop Heritage

  • 25. Growing Security Activity
    • Targeted by Security Community
    • CanSecWest
    • Asian & European Research
    • Commercial Spy Products

  • 26. Mobile Web Presence
    • Multiple Internet Presences
      – Mobile vs. Standard
    • Both Are on the Internet
      – Accept “All” Connections
      – Pen-Test from Desktop
    • Common Real-World Result:
      – Primary website secured
      – Mobile site unprotected

  • 27. Common Mobile Portal Mistakes
    • Using a Different SLD
      – bank.mobilecorp.com
      – mobilecorp.com/bank
    • Same Credentials as .com
    • Phishing Education Destroyed
      – If It Ever Worked

  • 28. Supporting Security

  • 29. Security Goals
    • Users Can Safely Run Applications
    • OS Protected from Applications
      – A.K.A. Steal Carrier Revenue
    • Per-Application Private Data
    • Contain Vulnerabilities

  • 30. Two Models
    (Diagram: “Old Way” with apps split into Privileged and Normal tiers; “New Way” with individual apps.)

  • 31. Old Way
    • BlackBerry & Windows Mobile
    • All or Nothing
    • Signature Defines Permission Level
    • No or Limited File Permission Systems
    • No “users”
      – Good, because it doesn’t make sense

  • 32. Pros/Cons
    Pros:
    • Easy to Understand
    • Easy to Test
    Cons:
    • No Exploit Containment
    • User Can’t Make Granular Choices

  • 33. Windows Mobile
    (Diagram: App 1 through App 4 all sit on one kernel and one shared file system.)

  • 34. Blackberry
    • J2ME Based
    • No Raw Device Access
    • Web Services and Web-Based Models

  • 35. Security Opportunities
    • More Granular Permissions
    • Sandboxed Applications
    • Reduced Attack Surface
    • Give Users Control of Data

  • 36. iPhone
    (Diagram: App 1 through App 4 on the kernel, each with its own Data store.)

  • 37. iPhone
    • One Distribution Method
    • Strict AppStore Policy
    • Non-Technological Policy Enforcement
    Application Store is a Security Barrier

  • 38. Android & Symbian
    (Diagram: App 1 through App 4 on the kernel, each with its own Data store.)

  • 39. Benefits
    • Extensible to Custom Data Types
    • Users Have Control
    • Same-Developer Sandbox
      – An Office Suite is Possible
      – Attack Surface Increased
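Slides 29 through 39 contrast the all-or-nothing model (signature tier decides everything, no per-application file boundary) with the per-application sandbox (granular permissions, private data, optional same-developer sharing). The toy reference monitor below is an added example, not code from the talk or from any of the platforms it names; the app names, signing-key identities, permission names and the "shared sandbox" opt-in are constructed. It makes the "No Exploit Containment" versus "Contain Vulnerabilities" point concrete: a compromised app under the old model reaches every other app's data, while under the new model it reaches only its own data or what a same-developer app explicitly shares, which is the attack-surface trade-off of slide 39.

```python
"""Toy reference monitor contrasting the two application-security models from
the slides (added example; identities, permission names and policy details are
constructed for illustration, not taken from any real platform)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    name: str
    developer_key: str                # identity of the signing key (constructed)
    signed_privileged: bool = False   # old model: which tier the signature grants
    granted: frozenset = frozenset()  # new model: permissions the user granted this app
    shared_sandbox: bool = False      # new model: opted into a same-developer sandbox


class OldWayMonitor:
    """All or nothing: the signature tier decides every API, the user has no
    say, and there is no per-application file boundary."""

    def can_use(self, app, permission):
        return app.signed_privileged

    def can_read_data(self, app, owner):
        return True  # no file permission system: any app reads any app's data


class NewWayMonitor:
    """Per-application sandbox: only the permissions granted to this app, and
    only its own data unless two apps from one developer both opted in."""

    def can_use(self, app, permission):
        return permission in app.granted

    def can_read_data(self, app, owner):
        if app.name == owner.name:
            return True
        return (app.developer_key == owner.developer_key
                and app.shared_sandbox and owner.shared_sandbox)


def reachable_data(monitor, apps, compromised):
    """Names of the *other* apps whose private data a compromised app can read,
    i.e. how far one exploited application spreads under a given model."""
    return {a.name for a in apps.values()
            if a.name != compromised.name and monitor.can_read_data(compromised, a)}


def sample_apps():
    """Constructed sample: a privileged mail client, a bank app, and two apps of
    one office suite that share a developer key and opted into one sandbox."""
    apps = [
        App("mail", "key-mailco", signed_privileged=True,
            granted=frozenset({"NETWORK", "CONTACTS"})),
        App("bank", "key-bankco", granted=frozenset({"NETWORK"})),
        App("office_doc", "key-officeco", granted=frozenset({"STORAGE"}),
            shared_sandbox=True),
        App("office_sheet", "key-officeco", granted=frozenset({"STORAGE"}),
            shared_sandbox=True),
    ]
    return {a.name: a for a in apps}


if __name__ == "__main__":
    apps = sample_apps()
    mail = apps["mail"]
    for monitor in (OldWayMonitor(), NewWayMonitor()):
        label = type(monitor).__name__
        print(label, "compromised mail reaches:", sorted(reachable_data(monitor, apps, mail)))
        print(label, "mail may send SMS:", monitor.can_use(mail, "SEND_SMS"))
    print("NewWayMonitor compromised office_doc reaches:",
          sorted(reachable_data(NewWayMonitor(), apps, apps["office_doc"])))
```

Note the two sides of the same-developer sandbox: it is what lets an office suite share documents across its apps, and it is also why a flaw in one of those apps now exposes the other's data, whereas the bank app stays isolated either way.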
  • 40. Challenges

  • 41. Android Market
    • Self-Signed Certificates
    • Community Reputation
    • No Unsigned Code Allowed
    Application Store is a Security Barrier

  • 42. Actions

  • 43. For Enterprises
    • Define a Mobile Application Security Policy
    • Set User Application Security Policy
      – Are App Stores Allowed?
    • Build Secure Line-of-Business Applications
    • Create a Unified Model for Mobile Interactions
      – Don’t mix “m.” with /mobile or .mobi domains

  • 44. For Developers
    • Define Security Assertions for Users
    • Define Threats
      – Lost Phone
      – Network Attacks
    • Create Limits
      – E.g. Read-Only Mobile Endpoints
    • Apply Secure Development Guidelines
    • Test on Real Devices

  • 45. For Mobile Web Developers
    • Disallow Older Browsers
    • Do Not Decrease Overall Security
      – Tightly Scope Functionality
      – Use SSL and Proper Domains
    • Strong Authentication
      – Unique Authentication for Mobile Sites
    • Don’t Make Phishing Easier
      – Keep Links out of Email
      – Maintain a Clear Message

  • 46. Questions? cclark@isecpartners.com
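Slides 27, 43 and 45 name the mobile-portal mistakes that undo phishing education: a second-level domain different from the primary site, links served without SSL, and mixed "m." / "/mobile" / ".mobi" conventions. The audit script below is an added example, not from the talk; the primary host and the sample links are constructed, and its second-level-domain check is a last-two-labels approximation (an assumption that holds for generic TLDs but not for suffixes such as co.uk, where a public suffix list is needed). It is meant for a defender reviewing a site's own published links, for instance from a sitemap or crawl.

```python
"""Audit of mobile-portal links for the mistakes on slides 27 and 45: a
second-level domain different from the primary site, plain HTTP, and mixed
"m." / ".mobi" / "/mobile" conventions (slide 43). Added example; the primary
host and the links are constructed."""
from urllib.parse import urlsplit

# Constructed sample: the primary site and the links a mobile portal publishes.
PRIMARY_HOST = "examplebank.example"
SAMPLE_LINKS = [
    "https://m.examplebank.example/login",          # fine
    "http://m.examplebank.example/login",           # no SSL
    "https://examplebank.example/mobile/login",     # second convention (/mobile)
    "https://bank.mobilevendor.example/login",      # different SLD (slide 27)
    "https://examplebank.mobi/login",               # third convention, also a different SLD
]


def registrable_domain(host):
    """Approximate the second-level domain as the last two labels. Assumption:
    generic TLDs only; for ccTLD suffixes such as co.uk use a public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def mobile_convention(host, path):
    """Which of the three mobile-URL conventions a link uses, or None."""
    if host.startswith("m."):
        return "m."
    if host.endswith(".mobi"):
        return ".mobi"
    if path.lower().startswith("/mobile"):
        return "/mobile"
    return None


def audit_links(primary_host, urls):
    """Return per-URL findings plus site-wide findings for a set of links."""
    primary_sld = registrable_domain(primary_host)
    per_url = {}
    conventions = set()
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        findings = []
        if parts.scheme != "https":
            findings.append("not-https")          # slide 45: use SSL
        if registrable_domain(host) != primary_sld:
            findings.append("different-sld")      # slide 27: different SLD
        convention = mobile_convention(host, parts.path)
        if convention:
            conventions.add(convention)
        per_url[url] = findings
    site_findings = []
    if len(conventions) > 1:
        site_findings.append("mixed-mobile-conventions")  # slide 43: do not mix
    return {"per_url": per_url, "conventions": conventions, "site_findings": site_findings}


if __name__ == "__main__":
    report = audit_links(PRIMARY_HOST, SAMPLE_LINKS)
    for url, findings in report["per_url"].items():
        print(url, findings or "ok")
    print("conventions used:", sorted(report["conventions"]), report["site_findings"])
```

A "different-sld" finding is the one users cannot be trained around: once the real site teaches them that bank.mobilecorp.com is legitimate, any look-alike host becomes plausible, which is the "Phishing Education Destroyed" point of slide 27.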