Mobile security - assets, threats, risks and controls explained



The web site of the course: https://sites.google.com/site/italianodidattica/didattica/ssi-info

Transcript of "Mobile security - assets, threats, risks and controls explained"

  1. MOBILE SECURITY: Assets, Threats, Risks and Controls explained. Francesco Iovine. Guest Lecture, University of Rome "Tor Vergata", School of Engineering, 14 June 2013
  2. Credits: Cinzia Querques, Giuseppe F. Italiano, Simone Onofri. www.francesco.iovine.name, f.iovine@gmail.com, @franciov
  3. I started dealing with computers with a Commodore 64
  4. But my main occupation was playing games like this
  5. Then Microsoft Windows appeared through the clouds
  6. And I started dealing with Internet Security
  7. My main occupation was fighting against regedit
  8. And I was about to become a hacker!
  9. Then I changed my mind
  10. And started working with mobile handsets
  11. Then with smartphones
  12. Dealing with different operating systems
  13. Brand new technologies
  14. Then I started dealing with mobile banking and mobile payment applications
  15. And I found out that everything has pros and cons
  16. Internet Security is quite a complex world
  17. OWASP gives you a hand in improving application security
  18. Ready to start?
  19. Mobile Security: Assets, Threats, Risks, Controls
  20. Mobile Security: Assets
  21. Mobile Security: Assets, Threats
  22. Mobile Security: Assets, Threats, Risks
  23. Mobile Security: Assets, Threats, Risks, Controls
  24. Mobile Security: Assets, Threats, Risks, Controls
  25. Database. Photo by Kevin / Flickr.com
  26. Code. Photo by nikio / Flickr.com
  27. Device. Photo by ari / Flickr.com
  28. Money. Photo by 401(K) / Flickr.com
  29. Mobile Security: Assets, Threats, Risks, Controls
  30. News: September 4th 2012, "1 Million Apple ID Numbers Posted by Hackers" (arstechnica.com). Photo by raincoaster / Flickr.com
  31. Threat types: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege
  32. Attackers (owasp.org): END USER, WEB APPLICATION, BACKEND; ATTACKER, ADMINISTRATOR, ATTACKER
  33. Threat model: Mobile device (HARDWARE, OS, APP, LIBRARIES; APPs: Corporate, Consumer, Built-in, Malicious; Sensors, Hardware extensions); WIFI/3G Network/VPN; WEB (Cloud storage, App stores, Web sites, Web services, Corporate networks); Carrier Network (SMS, Voice); Peer devices (Payments, Laptops, NFC, Laptops)
  34. Threat model: Mobile device (HARDWARE, OS, APP, LIBRARIES; APPs: Corporate, Consumer, Built-in, Malicious; Sensors, Hardware extensions); WIFI/3G Network/VPN; WEB (Cloud storage, App stores, Web sites, Web services, Corporate networks); Carrier Network (SMS, Voice); Peer devices (Payments, Laptops, NFC, Laptops)
  35. Mobile Security: Assets, Threats, Risks, Controls
  36. News: August 6th 2012, "How Apple and Amazon security flaws led to my epic hacking", Mat Honan / wired.com. Photo by Wired.com
  37. Design: Which kind of mobile solution? • Native app • Hybrid native-web app • Mobile site • App that contains a mobile site
  38. Data: Which are the sensitive data? • Password • Username • Device ID • Session token
  39. Data: Where are the sensitive data? • Device memory • Code • Network • Cache, log and temp files
  40. Input: Which kind of input to trust? • NFC • QR Codes • SMS
  41. Web
  42. Web: OWASP Top 10 Application Security Risks - 2013 Release Candidate: A1. Injection; A2. Broken Authentication and Session Management; A3. Cross-Site Scripting (XSS); A4. Insecure Direct Object References; A5. Security Misconfiguration; A6. Sensitive Data Exposure; A7. Missing Function Level Access Control; A8. Cross-Site Request Forgery (CSRF); A9. Using Components With Known Vulnerabilities; A10. Unvalidated Redirects and Forwards
  43. Web: OWASP Top 10 Application Security Risks - 2013 Release Candidate
  44. Mobile: OWASP Mobile Top 10 Risks: M1. Insecure Data Storage; M2. Weak Server Side Control; M3. Insufficient Transport Layer; M4. Client Side Injection; M5. Poor Authorization and Authentication; M6. Improper Session Handling; M7. Security Decisions Via Untrusted Inputs; M8. Side Channel Data Leakage; M9. Broken Cryptography; M10. Sensitive Information Disclosure
  45. Mobile, M1. Insecure Data Storage: Do you really need to save the username? Is it possible to choose where to save data? Is it possible to set RW permissions on saved data? Does the OS provide a File Encryption API?
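Slide 45 asks whether the app can set read/write permissions on the data it saves. The following is an added example, not code from the deck, showing how to create a file that only the app's own user can read, plus the audit check a tester can run over an app's data directory to find files left with group or world permission bits. The sample secret, the paths and the `demo` helper are constructed for the illustration.

```python
import os
import stat
import tempfile

# Constructed sample: data the app decided it really must keep on the device.
SAMPLE_SECRET = b"session-token-placeholder-not-a-real-credential"


def save_private(path: str, data: bytes) -> None:
    """Create `path` readable and writable only by the owning user (mode 0600).

    The mode is passed to os.open so the file never exists with the default
    (umask-derived, usually 0644) permissions; fchmod additionally tightens a
    file that already existed with looser bits.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        os.fchmod(f.fileno(), 0o600)
        f.write(data)


def is_private(path: str) -> bool:
    """True when no group or other permission bit is set on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & 0o077) == 0


def find_exposed(directory: str) -> list:
    """List files under `directory` that other users on the device could read."""
    exposed = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            p = os.path.join(root, name)
            if not is_private(p):
                exposed.append(p)
    return sorted(exposed)


def demo() -> dict:
    """Save the same secret carelessly and carefully, then audit the directory."""
    d = tempfile.mkdtemp()
    careless = os.path.join(d, "careless.dat")
    careful = os.path.join(d, "careful.dat")
    with open(careless, "wb") as f:      # plain open(): permissions come from the umask
        f.write(SAMPLE_SECRET)
    os.chmod(careless, 0o644)            # pin the usual world-readable outcome for the demo
    save_private(careful, SAMPLE_SECRET)
    return {
        "careless_private": is_private(careless),
        "careful_private": is_private(careful),
        "exposed": [os.path.basename(p) for p in find_exposed(d)],
    }


if __name__ == "__main__":
    print(demo())
```

On Android the platform equivalent is opening app files with `Context.MODE_PRIVATE`; on iOS it is the Data Protection file attributes, which is the "File Encryption API" the slide refers to. Permissions only keep other apps out; a stolen, unlocked or rooted device still reads the file, which is why the next question on the slide is whether the OS encrypts it.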
  46. Mobile, M2. Weak Server Side Controls: What kind of risks are you running by adding a new front-end application to your battle-proven back-end system? Do you know about any existing security issues? OWASP Web Top 10, OWASP Cloud Top 10, OWASP Web Services Top 10
  47. Mobile, M3. Insufficient Transport Layer Protection: Do you encrypt all output data crossing cellular networks, wifi or NFC? How do you handle the security exceptions?
  48. Mobile, M4. Client Side Injection: Do you take advantage of WebViews in your app? How do you make the native side interact with the web side of your hybrid app? Do you sanitize or escape all untrusted data before processing?
  49. Mobile, M5. Poor Authorization and Authentication: How does your app authenticate with the server? Are you taking advantage of unique identifiers such as device-id, phone number, IMEI, IMSI, UUID? What if a smartphone gets stolen?
  50. Mobile, M6. Improper Session Handling: In mobile applications the session timeout is often longer than in web applications. Is that your case? What if a mobile device gets stolen? Does your system provide a way to revoke auth tokens? Is the session token robust? The device id is not a robust session token.
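Slide 50 makes three points at once: mobile sessions live long, a stolen device must be revocable, and a device id is not a session token. As an added example (not from the deck), here is a minimal server-side session store that issues random opaque tokens, expires them, and revokes every session bound to a device the user reports stolen. The `SessionStore` class, the month-long TTL and the `stolen_device_scenario` walkthrough are constructed for the illustration.

```python
import hashlib
import secrets
import time

SESSION_TTL_SECONDS = 30 * 24 * 3600  # constructed: a month-long mobile session


class SessionStore:
    """Server-side registry of opaque session tokens (hypothetical helper)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        # token digest -> (user_id, device_id, expires_at). Only a digest is kept,
        # so a leaked server table does not hand out live tokens.
        self._sessions = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, device_id: str) -> str:
        # 256 bits from the OS CSPRNG. Nothing about the token is derived from
        # IMEI, phone number or UUID: those are readable by other apps, fixed for
        # the life of the device, and therefore can be neither rotated nor revoked.
        token = secrets.token_urlsafe(32)
        self._sessions[self._digest(token)] = (
            user_id, device_id, self._clock() + SESSION_TTL_SECONDS)
        return token

    def validate(self, token: str):
        """Return the user id for a live token, or None if unknown, expired or revoked."""
        key = self._digest(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        user_id, _device_id, expires_at = rec
        if self._clock() >= expires_at:
            del self._sessions[key]      # lazily drop expired sessions
            return None
        return user_id

    def revoke_device(self, user_id: str, device_id: str) -> int:
        """User reports a device stolen: kill every session bound to it, keep the rest."""
        doomed = [k for k, (u, d, _) in self._sessions.items()
                  if u == user_id and d == device_id]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


def stolen_device_scenario() -> dict:
    """Two devices logged in; one is stolen and revoked; the other keeps working until the TTL."""
    now = [1_700_000_000.0]                       # constructed fake clock so expiry is testable
    store = SessionStore(clock=lambda: now[0])
    phone = store.issue("alice", "imei-placeholder-1")
    tablet = store.issue("alice", "uuid-placeholder-2")
    revoked = store.revoke_device("alice", "imei-placeholder-1")
    after_revoke = (store.validate(phone), store.validate(tablet))
    now[0] += SESSION_TTL_SECONDS + 1             # time passes beyond the TTL
    after_expiry = store.validate(tablet)
    return {"revoked": revoked, "after_revoke": after_revoke, "after_expiry": after_expiry}


if __name__ == "__main__":
    print(stolen_device_scenario())
```

The device id still has a legitimate role here: it is stored alongside the session as metadata so that revocation can target one device, which is exactly what it cannot do if it is the token itself.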
  51. Mobile, M7. Security Decisions Via Untrusted Inputs: Does your app ask for user permission before taking an action? Does your app check user settings before taking an action?
  52. Mobile, M8. Side Channel Data Leakage: Web caches, Keystroke logging, Screenshots, Logs, Temp directories
  53. Mobile, M9. Broken Cryptography: Encoding != obfuscation != encryption. Does the OS provide cryptographic libraries? Does your app use the provided libraries? Where does your app store the cryptographic keys?
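"Encoding != obfuscation != encryption" is the kind of line that is easiest to believe once you have seen it fail. The following added example (not from the deck) shows the three tiers side by side: a base64-encoded secret is recovered with one call, an XOR-obfuscated secret gives up its key to a few bytes of known plaintext, and a password stored as a salted PBKDF2 hash can be verified but not turned back into the password (slide 59's "handle password credentials securely on the device"). The sample credential, the XOR key and the `demo` helper are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SECRET = b"api-password-placeholder"   # constructed sample credential
XOR_KEY = b"k3y"                       # constructed "hidden" obfuscation key


def b64_encode(data: bytes) -> str:
    """Encoding: a representation change, no secret involved."""
    return base64.b64encode(data).decode("ascii")


def b64_decode(text: str) -> bytes:
    return base64.b64decode(text)


def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """Obfuscation: a repeating-key XOR; the same call undoes it."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(obfuscated: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """A few known plaintext bytes (a fixed header, a known username) give
    the key directly: key[i] = obfuscated[i] ^ plain[i]."""
    return bytes(obfuscated[i] ^ known_prefix[i] for i in range(key_len))


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 for credentials the app only needs to check."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _alg, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


def demo() -> dict:
    encoded = b64_encode(SECRET)
    obfuscated = xor_obfuscate(SECRET, XOR_KEY)
    # A reviewer with the app package knows the secret starts with "api-" from
    # context and recovers the whole 3-byte key from those bytes alone.
    key = recover_xor_key(obfuscated, b"api-", len(XOR_KEY))
    stored = hash_password("correct horse")
    return {
        "encoding_reversed": b64_decode(encoded) == SECRET,
        "obfuscation_reversed": xor_obfuscate(obfuscated, key) == SECRET,
        "hash_verifies": verify_password("correct horse", stored),
        "hash_rejects": verify_password("wrong", stored),
    }


if __name__ == "__main__":
    print(demo())
```

Hashing covers only credentials the app verifies and never needs back. Data the app must read again (a stored API password, for instance) needs real encryption, and then the slide's last question decides everything: a key that ships in the package or sits next to the ciphertext is just another layer of obfuscation, whereas a key held by the OS keystore is not extractable by reading the app's files.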
  54. Mobile, M10. Sensitive Information Disclosure: Do you keep the business logic on the server? Does your app store passwords in the source code? How does your app get Private API credentials?
  55. Mobile Security: Assets, Threats, Risks, Controls
  56. News: August 23rd 2012, "The Role of the National Institute of Standards and Technology in Mobile Security" (nist.gov). Photo by freefotouk / Flickr.com
  57. Developers. Photo by kk / Flickr.com
  58. Developers: OWASP Recommendations • Application Security Requirements • Application Security Architecture • Standard Security Controls • Secure Development Lifecycle • Application Security Education
  59. Developers: OWASP Top 10 mobile controls: 1. Identify and protect sensitive data on the mobile device; 2. Handle password credentials securely on the device; 3. Ensure sensitive data is protected in transit; 4. Implement user authentication/authorization and session management correctly; 5. Keep the backend APIs (services) and the platform (server) secure; 6. Perform data integration with third party services/applications securely; 7. Pay specific attention to the collection and storage of consent for the collection and use of the user's data; 8. Implement controls to prevent unauthorized access to paid-for resources (wallet, SMS, phone calls etc.); 9. Ensure secure distribution/provisioning of mobile applications; 10. Carefully check any runtime interpretation of code for errors
  60. Testers. Photo by sebastian_bergmann / Flickr.com
  61. Testers: OWASP Recommendations • Get Organized • Code Review • Security and Penetration Testing
  62. Testers: Manual Inspections & Reviews • Analyzing documentation • Performing interviews with the designers or system owners • Reviewing the documentation, secure coding policies, security requirements, and architectural designs
  63. Testers: Manual Inspections & Reviews, Advantages • Requires no supporting technology • Can be applied to a variety of situations • Flexible • Promotes teamwork • Early in the SDLC
  64. Testers: Manual Inspections & Reviews, Disadvantages • Can be time consuming • Supporting material not always available • Requires significant human thought and skill to be effective!
  65. Testers: Threat Modeling • Decomposing the application • Defining and classifying the assets • Exploring potential vulnerabilities • Exploring potential threats • Creating mitigation strategies
  66. Testers: Threat Modeling, Advantages • Practical attacker's view of the system • Flexible • Early in the SDLC
  67. Testers: Threat Modeling, Disadvantages • Relatively new technique • Good threat models don't automatically mean good software
  68. Testers: Code Review: if you want to know what's really going on, go straight to the source
  69. Testers: Code Review, Advantages • Completeness and effectiveness • Accuracy • Fast (for competent reviewers)
  70. Testers: Code Review, Disadvantages • Requires highly skilled security developers • Can miss issues in compiled libraries • Cannot detect run-time errors easily • The source code actually deployed might differ from the one being analyzed
  71. Testers: Penetration Testing • Also commonly known as black box testing or ethical hacking • Testing a running application remotely to find security vulnerabilities • No need to know the inner workings of the application itself
  72. Testers: Penetration Testing, Advantages • Can be fast (and therefore cheap) • Requires a relatively lower skill-set than source code review • Tests the code that is actually being exposed
  73. Testers: Penetration Testing, Disadvantages • Too late in the SDLC • Front impact testing only!
  74. Testers: Test Effort
  75. Testers: How to value the real risk: Risk = Likelihood * Impact. Likelihood • Threat Agent Factors • Vulnerability Factors. Impact • Technical Impact Factors • Business Impact Factors
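The four factor groups on slide 75 are those of the OWASP Risk Rating Methodology, in which every factor is scored 0 to 9, likelihood is the mean of the threat-agent and vulnerability factors, impact is the mean of the technical and business factors, each mean is banded as LOW (below 3), MEDIUM (3 to below 6) or HIGH (6 and above), and the two bands are combined in a 3x3 matrix. The following added example (not from the deck) carries that computation through in code. The factor names and thresholds are OWASP's; the scored finding in `EXAMPLE` is a constructed, hypothetical one.

```python
THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
TECHNICAL = ("loss_of_confidentiality", "loss_of_integrity",
             "loss_of_availability", "loss_of_accountability")
BUSINESS = ("financial_damage", "reputation_damage", "non_compliance", "privacy_violation")

# Overall severity from the (impact level, likelihood level) pair.
SEVERITY = {
    ("HIGH", "LOW"): "Medium",   ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
    ("MEDIUM", "LOW"): "Low",    ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("LOW", "LOW"): "Note",      ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
}


def level(score: float) -> str:
    """Band a 0-9 score: below 3 LOW, 3 to below 6 MEDIUM, 6 and above HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def _average(factors: dict, names: tuple) -> float:
    values = [factors[n] for n in names]       # KeyError if a factor was left unscored
    for v in values:
        if not 0 <= v <= 9:
            raise ValueError(f"factor scores must be 0-9, got {v}")
    return sum(values) / len(values)


def rate(threat_agent: dict, vulnerability: dict, technical: dict, business: dict) -> dict:
    """Risk = Likelihood * Impact, each side being the mean of its two factor groups."""
    likelihood = (_average(threat_agent, THREAT_AGENT) + _average(vulnerability, VULNERABILITY)) / 2
    impact = (_average(technical, TECHNICAL) + _average(business, BUSINESS)) / 2
    lk, im = level(likelihood), level(impact)
    return {"likelihood": likelihood, "impact": impact,
            "likelihood_level": lk, "impact_level": im, "severity": SEVERITY[(im, lk)]}


# Constructed scoring of a hypothetical finding: a session token that survives
# device theft (the scenario of slide 50) in a consumer banking app.
EXAMPLE = rate(
    threat_agent={"skill_level": 6, "motive": 4, "opportunity": 7, "size": 9},
    vulnerability={"ease_of_discovery": 3, "ease_of_exploit": 3,
                   "awareness": 4, "intrusion_detection": 8},
    technical={"loss_of_confidentiality": 7, "loss_of_integrity": 5,
               "loss_of_availability": 3, "loss_of_accountability": 7},
    business={"financial_damage": 7, "reputation_damage": 5,
              "non_compliance": 2, "privacy_violation": 7},
)

if __name__ == "__main__":
    print(EXAMPLE)
```

The business factors are the ones a tester cannot score alone; the methodology expects the application owner to supply them, which is why the same technical finding can land in different severity bands in different organizations.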
  76. Testers: Mobile Security Testing, Dynamic Analysis: 1. Debug the running app (on device or in emulator); 2. Analyze network traffic; 3. Analyze remote services (HTTP/SOAP/etc)
  77. Testers: Mobile Security Testing, Static Analysis: 1. Get Application (1. Extract application from device; 2. Receive application package from developers); 2. Source Code Review; 3. Reverse Engineering; 4. Disassembly; 5. Patching
  78. Organizations. Photo by swisscan / Flickr.com
  79. Organizations: OWASP Recommendations • Get Started • Risk Based Portfolio Approach • Enable with a Strong Foundation • Integrate Security into Existing Processes • Provide Management Visibility
  80. Thanks
  81. Credits: Cinzia Querques, Giuseppe F. Italiano, Simone Onofri. www.francesco.iovine.name, f.iovine@gmail.com, @franciov
