Mobile Application Security
Chris Clark, cclark@isecpartners.com
iSEC Partners, Inc.
04/23/09 | AND-301

An overview of the security challenges and opportunities that mobile application developers must work through

Published in: Technology, Business

Transcript of "Mobile Application Security"

1. Mobile Application Security
Chris Clark, cclark@isecpartners.com, iSEC Partners, Inc.
04/23/09 | AND-301
Session Classification: Intermediate

2. Agenda
• Mobile Today
• Security Challenges
• Supporting Security
• Actions

3. Mobile Today

4. Mobile Phone Sales Per Year
(Chart: phones sold per year, in millions, 0 to 1200 on the vertical axis, 1997 to 2009 on the horizontal axis. Data from Tomi Ahonen Almanac 2009.)

5. (Image-only slide, no text.)

6. Major Smartphone Platforms
(Image-only slide.)

7. (Image-only slide, no text.)

8. Trend Catalysts
• Sexier Devices
• Younger Generation
• F500 Acceptance
• Unlimited Data Plans
• Provider App Stores
• Multi-Environment Phones

9. Security Challenges

10. What is Security?
• Not the PC or Server Model
  – Single User
  – High-Value Information
  – Low-Value Applications
• Availability and Power
• Local Attacker Resistance

11. The Airline Pocket
• Physical Security Just Doesn’t Exist
• Phones Will Be Lost
• Need Ways of Protecting Data
  – Local encryption
  – Cloud storage

12. Hardware Limitations
• Limited Bandwidth
• Power
• CPU
• Size
Technology Will Solve These

13. Screen Size
(Image, from RSnake.)

14. Poor Keyboards
(Image; the slide shows the string C)sOz*ao1pdn.)

15. Regulations
(Image-only slide.)

16. User Identification
• Real Time
• Must be Available Immediately
• One Handed Interface
• More Prompts than PC

17. “Ownership”
• OS Vendor
• Carrier
• User
• Application Developer
All “Own” the Phone and Have Differing Objectives

18. Distribution Challenges
• Indirect Customer Relationship
• Patching Difficulties
  – Carriers are anti-patch
• Long Update Lag
• Multiple Hardware Platforms

19. Web Browsers
• Different Browser Chrome
• Inconsistent Standards Support
• Too Much WebKit

20. Unsafe Languages
• Windows Mobile (C/C++)
  – .Net Mobile Framework (safe)
  – /GS, SafeCRT
• iPhone (Objective-C)
  – Has C Constructs
  – NX Stack/Heap
• Symbian (Symbian C++)
  – C++ with more Complex Memory Management

21. Technical Comparison
(Table comparing Blackberry, WinMo 6.x, iPhone 2.2.1 and Android on these features: Enterprise Mail and Calendar; Remote Wipe; Side-Load Applications; Application Sandbox; User permission UI; App Signing; Browser. The cell values are not captured in the transcript.)

22. Technical Comparison
(Table comparing Blackberry, WinMo 6, iPhone 2.2.1 and Android on these features: Application Language; Permission Model; App Buffer Overflows; OS Buffer Overflow Protections; Signature Required? The cell values are not captured in the transcript.)

23. Vulnerability Count by Platform
(Chart-only slide.)

24. Desktop Heritage
(Image-only slide.)

25. Growing Security Activity
• Targeted by Security Community
• CanSecWest
• Asian & European Research
• Commercial Spy Products

26. Mobile Web Presence
• Multiple Internet Presences
  – Mobile vs. Standard
• Both are on the Internet
  – Accept “All” Connections
  – Pen-Test from Desktop
• Common Real World Result:
  – Primary website secured
  – Mobile site unprotected

27. Common Mobile Portal Mistakes
• Using a Different SLD
  – bank.mobilecorp.com
  – mobilecorp.com/bank
• Same Credentials as .com
• Phishing Education Destroyed
  – If it Ever Worked

28. Supporting Security

29. Security Goals
• Users can Safely Run Applications
• OS Protected from Applications
  – A.K.A. Steal Carrier Revenue
• Per-Application Private Data
• Contain Vulnerabilities

30. Two Models
(Diagram. Old Way: applications divided into a Privileged level and a Normal level. New Way: App / App / App, each application in its own compartment.)

31. Old Way
• BlackBerry & Windows Mobile
• All or Nothing
• Signatures Define Permission Level
• No or Limited File Permission Systems
• No “users”
  – Good, because it doesn’t make sense

32. Pros/Cons
Pros:
• Easy to Understand
• Easy to Test
Cons:
• No Exploit Containment
• User can’t Make Granular Choices

33. Windows Mobile
(Diagram: App 1, App 2, App 3 and App 4 all sit on the Kernel and share one File System.)

34. Blackberry
• J2ME Based
• No Raw Device Access
• Web Services and Web Based Models

35. Security Opportunities
• More Granular Permissions
• Sandboxed Applications
• Reduced Attack Surface
• Give Users Control of Data

36. iPhone
(Diagram: App 1, App 2, App 3 and App 4 sit on the Kernel, each with its own Data store.)

37. iPhone
• One Distribution Method
• Strict AppStore Policy
• Non-Technological Policy Enforcement
Application Store is a Security Barrier

38. Android & Symbian
(Diagram, same layout as the iPhone slide: App 1, App 2, App 3 and App 4 on the Kernel, each with its own Data store.)

39. Benefits
• Extensible to Custom Data Types
• Users Have Control
• Same-Developer Sandbox
  – An Office Suite is Possible
  – Attack Surface Increased

40. Challenges
(Image-only slide.)

41. Android Market
• Self-Signed Certificates
• Community Reputation
• No Unsigned Code Allowed
Application Store is a Security Barrier

42. Actions

43. For Enterprises
• Define a Mobile Application Security Policy
• Set User Application Security Policy
  – Are App Stores Allowed?
• Build Secure Line of Business Applications
• Create a Unified Model for Mobile Interactions
  – Don’t mix “m.” with /mobile or .mobi domains

44. For Developers
• Define Security Assertions for Users
• Define Threats
  – Lost Phone
  – Network Attacks
• Create Limits
  – E.g. Read-only Mobile Endpoints
• Apply Secure Development Guidelines
• Test on Real Devices

45. For Mobile Web Developers
• Disallow Older Browsers
• Do Not Decrease Overall Security
  – Tightly-Scope Functionality
  – Use SSL and Proper Domains
• Strong Authentication
  – Unique Authentication for Mobile Sites
• Don’t Make Phishing Easier
  – Keep Links out of Email
  – Maintain Clear Message
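An added check for the "Use SSL and Proper Domains" point above, the "don't mix m. with /mobile or .mobi" action for enterprises, and the portal mistakes on the Common Mobile Portal Mistakes slide. It is written for this page and is not code from the talk: it lints a list of mobile-portal URLs against a constructed policy for a hypothetical bank (registrable domain example-bank.com, mobile host m.example-bank.com), and the slide's bank.mobilecorp.com and mobilecorp.com/bank URLs are the kind it flags.

```python
from urllib.parse import urlsplit

# Constructed policy for a hypothetical bank (not from the talk): one trusted
# registrable domain and one mobile naming convention, a host-based "m."
# prefix, never a "/mobile" path on the main host or a separate ".mobi" domain.
PRIMARY_DOMAIN = "example-bank.com"
MOBILE_HOST = "m." + PRIMARY_DOMAIN


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Enough for .com-style names; a real
    deployment would consult the public-suffix list (e.g. for .co.uk)."""
    return ".".join(host.lower().split(".")[-2:])


def check_mobile_url(url: str) -> list[str]:
    """Return the findings for one mobile-portal URL (empty list = compliant)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")  # the "Use SSL" point
    if registrable_domain(host) != PRIMARY_DOMAIN:
        # bank.mobilecorp.com, mobilecorp.com/bank or example-bank.mobi:
        # users are taught to enter bank credentials on a non-bank domain.
        findings.append("foreign-domain")
    elif host != MOBILE_HOST and parts.path.startswith("/mobile"):
        # "/mobile" on the main host while the convention is "m.": two URL
        # shapes for one portal, which is exactly what phishing education
        # cannot survive.
        findings.append("mixed-convention")
    return findings


def audit(urls: list[str]) -> dict[str, list[str]]:
    """Map each non-compliant URL to its findings; compliant URLs are omitted."""
    return {u: f for u in urls if (f := check_mobile_url(u))}


# Constructed sample portal URLs, including the slide's two examples.
SAMPLE_URLS = [
    "https://m.example-bank.com/login",
    "https://bank.mobilecorp.com/login",
    "http://mobilecorp.com/bank/login",
    "https://example-bank.com/mobile/login",
    "https://example-bank.mobi/login",
]

if __name__ == "__main__":
    for url, findings in audit(SAMPLE_URLS).items():
        print(f"{url}: {', '.join(findings)}")
```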

46. Questions?
cclark@isecpartners.com