Mobile application security risks: ISACA Silicon Valley 2012
Symosis mobile application security risks presentation at ISACA SV. The presentation covers the top 3 mobile application security risks and helps you prioritize your risk remediation efforts.

Published in: Technology
  • Mobile App Growth
  • How consumers are evolving and changing their mobile behavior: http://www.pwc.com/us/en/industry/entertainment-media/publications/assets/consumer-research-series-smartphones.pdf
  • Mobile App Growth - http://www.appconomist.com/2011/08/01/fortune-500-apps-a-50-update/ (Transaction, Marketing, SMS / TXT Marketing, News Alerts, Take a picture, QR codes)
  • http://www.strategicgrowthconcepts.com/growth/increase-productivity--profitability.html
  • Side channel data leakage covers data leaked via platform defaults, use of third-party libraries, logging, etc. To provide the visual transition, iOS has been shown to capture and store snapshots of the screen. This occurs when an application is suspended (rather than terminated): when the home button is pressed, or when a phone call or other event temporarily suspends the application. A plist is a structured text file that contains essential configuration information for a bundled executable.
  • A PLIST (Property List) file is an XML file that holds application properties. Some applications store sensitive information in plist files, including authentication credentials, PINs and OAuth tokens. Plist files can be found in several locations in the application directory. An example location and the plist file content storing sensitive authentication credentials are shown on the screen.
  • http://garethwright.com/blog/facebook-mobile-security-hole-allows-identity-theft#
  • Web sites and servers sometimes have improperly configured SSL certificates. This causes warning messages, which users often ignore. The result is phishing attacks, where users end up providing personal information and private data to malicious websites that look like legitimate applications. Applications that fall back, or can be forced out of, an encrypting mode can also be abused by attackers, resulting in insecure communication. This is common on sites that operate both HTTP and HTTPS services, or where the web server implements older versions of SSL that are vulnerable to downgrade attacks.
  • In 2011, it was discovered that Android devices transmitted data and the AuthToken session cookie via insecure HTTP. The AuthToken is not bound to any session or device and thus would allow an adversary to access any personal data made available through the service API. This includes Google Calendar, Picasa and contact information for that user. For more, see: http://www.uni-ulm.de/in/mi/mitarbeiter/koenings/catching-authtokens.html. The issue here is the use of an insecure HTTP channel, which allows network eavesdropping on the authToken and user data.
  • http://www.theverge.com/2012/2/14/2798008/ios-apps-and-the-address-book-what-you-need-to-know
  • Insecure Data Storage applies to data stored locally by mobile applications. There are two types of mobile apps: native apps and browser-based apps. Native apps are installed on the handset, process data locally and may connect to the internet for updates or to send user-specific information to the server (for example, gaming apps and news apps). Browser-based apps are accessed via the mobile browser. This vulnerability applies to both categories of apps. Most apps store user-specific information on the mobile device. This data may be stored in clear text and may include: username and password; PII, SSN, health information; device ID, application configuration; account number, credit card, financial information.
  • http://blog.agilebits.com/2012/04/06/oauth-dropbox-and-your-1password-data/
  • Insecure transport layer protection is considered a high-risk security vulnerability. The impact could include: loss of data confidentiality and integrity when sensitive information is revealed to the attacker; data tampering when the attacker modifies application traffic and forces the user to accept it; man-in-the-middle (MITM) attacks if an attacker diverts all traffic through an insecure channel; impersonation if the attacker hijacks the user account.
  • Disable the auto-correct feature for any sensitive information, not just for password fields. Since the keyboard caches sensitive information, it may be recoverable. For UITextField, set the autocorrectionType property to UITextAutocorrectionNo to disable caching. Set UITextField to OFF to prevent caching altogether. Add an enterprise policy to clear the keyboard dictionary at regular intervals. The end user can also do this from the Settings application: General > Reset > Reset Keyboard Dictionary.

    1. Mobile Apps Security Risk Assessment. Kartik Trivedi / Lenin Aboagye
    2. For the Demo… please download and install the following apps on your mobile device and create an account.
    3. Who are we?
       • Kartik Trivedi – Co-founder of Symosis – Author / Speaker / Interviews: Forbes, Security Focus, Tech world, Security News, etc. – Golfer (Advanced Amateur?)
       • Lenin Aboagye – Security Architect, Apollo Group – Cloud / Mobile security expert – Media & Television, Education, Health, Real Estate and Energy industries experience
    4. Agenda: Introduction (Growth / Revenue; Security Concerns); Mobile Apps Top 3 Risks; Countermeasures & Risk Management
    5. There is an App for that!
    6. There is an App for that!
       • Pay bills
       • File income taxes
       • Pay property tax
       • Scan & Shop
       • Deposit checks
       • Transfer money
       • Store medical records
       • Refill prescription
       • Manage health information
       • Remember your meds
       • Book flight / hotel
       • Medscape / pharmacopia
       • Small Business Payroll
       • Pay invoice
       • Location based check in
       • Personal finance
       • Investments & 401k
       • Health & Fitness
       • Productivity
       • Facebook / twitter
       • Place bets on sports
       • Utilities
       • Store passwords
       • Document storage
    8. 53% of Fortune 500 companies have mobile apps
    9. Business Case for Mobile Presence
       • Networking / communication - unprecedented level of connectivity between employees, vendors, and/or customers
       • Instant Feedback - sharing information through this medium allows businesses to get immediate feedback on products and services from customers.
       • Marketing - SMS (text) messaging, mobile websites, mobile applications, banner ads, QR codes, IVR messaging and more.
       • Commerce – Mobile ticketing, vouchers, coupons, loyalty cards, content purchase, delivery, location based services, information services, mobile banking, mobile brokerage, mobile purchase
    10. Security Concerns
       • Side Channel Data Leakage
       • Insufficient Transport Layer Protection
       • Weak Server Side Controls
       • Insecure Data Storage
       • Client Side Injection
       • Poor Authorization and Authentication
       • Improper Session Handling
       • Security Decisions Via Untrusted Inputs
       • Broken Cryptography
       • Sensitive Information Disclosure
       • Hardcoded password/keys
       • Privacy compliance
       • Identity exposure
       • Activity monitoring and data retrieval
       • Unauthorized dialing, SMS, and payments
       • Unauthorized network connectivity (data exfiltration or command & control)
       • UI (unique identifier) impersonation
       • System modification (rootkit, APN proxy configuration)
       • Mobile Malware
       • Criminals Target and Infect App Stores
       • Social-Engineering
       • Geolocation compromise
       • Security Regulatory Compliance
       • Device Risk
       • BYOD / MDM
       • Application management
       • Installation of un-verified / unsigned 3rd party apps
    11. Agenda: Introduction (Growth / Revenue; Security Concerns); Mobile Apps Top 3 Risks (Side Channel Leakage; Insecure Transport / Server Controls; Insecure Data Storage); Countermeasures & Risk Management
    12. Side Channel Data Leakage. Data leakage via platform defaults, use of third-party libraries, logging, etc.
       • SnapShot (i.e. iOS backgrounding)
       • Plist files
       Sometimes the result of programmatic flaws.
    13. Demo
    16. Agenda: Mobile Platform Risks; Mobile Apps Top 3 Risks (Side Channel Leakage; Insecure Transport / Server Controls; Insecure Data Storage); Countermeasures & Risk Management
    17. Insecure Transport/Server Controls. Failing to encrypt network traffic that carries sensitive data. Insecure server controls - web, application and backend API - can lead to security compromise.
    18. Demo
    20. TOC: Mobile Platform Risks; Mobile Apps Top 3 Risks (Side Channel Leakage; Insecure Transport / Server Controls; Insecure Data Storage); Countermeasures & Risk Management
    21. Insecure Data Storage. Locally stored data, on both native and browser-based apps, that includes:
       • SQLite / Cache files
       • Keychain – Is this really secure?
    22. Demo
    24. Risk & Impact: High. Sensitive data exposure:
       • Username & password
       • PII, SSN, Health Information
       • Device ID, Application configuration
       • Account Number, Credit Card, Financial Information
       Loss of Data Confidentiality & Integrity; Data Tampering; Man-in-the-Middle (MITM attack); Impersonation; Unauthorized access to application data or functionality; Privacy Violations / reputation damage.
    25. Agenda: Introduction; Mobile Apps Top 3 Risks (Insecure Data Storage; Insecure Transport / Server Controls; Side Channel Leakage); Countermeasures & Risk Management (Tactical; Strategic)
    26. Secure Programming / Education
       • Disable Cache - Set the autocorrectionType property to UITextAutocorrectionNo for UITextField
       • Disable Snapshot – Use the applicationWillResignActive delegate method
       • Disable Logs – Disable NSLog and NSAssert
       • Disable Insecure HTTP - Use NSURLConnection along with canAuthenticateAgainstProtectionSpace
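The "Disable Insecure HTTP" item above, and the insecure transport risk on slide 17, in working form as an added example (not code from the deck or from Symosis): an NSURLConnection delegate that validates the server chain and additionally pins the server's leaf certificate, and a helper that refuses non-HTTPS URLs so the app cannot be forced out of TLS. It assumes ARC, a hypothetical delegate class `PinnedConnectionDelegate`, and a copy of the expected leaf certificate shipped in the app bundle as `server.der`.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

@interface PinnedConnectionDelegate : NSObject <NSURLConnectionDelegate>
@end

@implementation PinnedConnectionDelegate

// Offer to handle only the server-trust challenge; other challenge types use defaults.
- (BOOL)connection:(NSURLConnection *)connection
canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)space {
    return [space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
}

- (void)connection:(NSURLConnection *)connection
didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    SecTrustRef trust = challenge.protectionSpace.serverTrust;
    // 1. Standard chain validation against the system roots (expiry, hostname, CA).
    SecTrustResultType result = kSecTrustResultInvalid;
    BOOL chainOK = SecTrustEvaluate(trust, &result) == errSecSuccess &&
        (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
    // 2. Pinning: the leaf certificate the server presented must equal the bundled copy
    //    (server.der is an assumed bundle resource).
    NSString *path = [[NSBundle mainBundle] pathForResource:@"server" ofType:@"der"];
    NSData *pinned = [NSData dataWithContentsOfFile:path];
    NSData *presented = nil;
    if (SecTrustGetCertificateCount(trust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
        presented = CFBridgingRelease(SecCertificateCopyData(leaf));
    }
    BOOL pinOK = pinned != nil && [pinned isEqualToData:presented];
    if (chainOK && pinOK) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
            forAuthenticationChallenge:challenge];
    } else {
        // Never fall back to an unauthenticated connection: cancel, do not continue.
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}

@end

// Refuse plain http:// URLs up front so the app cannot be downgraded out of TLS.
static NSURLConnection *SecureConnection(NSURL *url, PinnedConnectionDelegate *delegate) {
    if (![[url.scheme lowercaseString] isEqualToString:@"https"]) return nil;
    return [[NSURLConnection alloc] initWithRequest:[NSURLRequest requestWithURL:url]
                                           delegate:delegate];
}
```

These are the NSURLConnection delegate methods the slide names; on iOS 8 and later the equivalent hook is NSURLSession's URLSession:didReceiveChallenge:completionHandler:, with the same trust-evaluation logic.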
    27. Encrypt Data
       • Data Protection API - set the NSFileProtectionKey on an existing file
       • Keychain – Apple recommends storing sensitive data like passwords and keys in the Keychain
       • CCCrypt - provides access to AES, DES, 3DES
       • SQLCipher (iOS & Android) - transparent 256-bit AES encryption of database files
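The client-side countermeasures from the two slides above (Disable Cache, Disable Snapshot, Disable Logs, NSFileProtectionKey and the Keychain) in one app-delegate sketch, as an added example that is not code from the deck or from Symosis. It assumes ARC, a hypothetical `SecureAppDelegate` class and a constructed service name `com.example.app`; note that the UIKit constant for the autocorrect setting is `UITextAutocorrectionTypeNo`, and that the Keychain item is stored with an accessibility class (readable only while unlocked, never migrated by backup) rather than the default, which is what makes the "is this really secure?" question on slide 21 answerable.

```objectivec
#import <UIKit/UIKit.h>
#import <Security/Security.h>
// Disable Logs: NSLog only in debug builds, so release builds write nothing to the console.
#ifdef DEBUG
#define SecureLog(...) NSLog(__VA_ARGS__)
#else
#define SecureLog(...) do {} while (0)
#endif
// Disable Cache: the UIKit constant is UITextAutocorrectionTypeNo; secureTextEntry
// additionally keeps what is typed out of the keyboard cache.
static void ConfigureSensitiveField(UITextField *field) {
    field.autocorrectionType = UITextAutocorrectionTypeNo;
    field.secureTextEntry = YES;
}

// Encrypt Data: set NSFileProtectionKey on an existing file so the Data Protection API
// keeps it encrypted whenever the device is locked.
static BOOL ProtectFileAtPath(NSString *path, NSError **error) {
    return [[NSFileManager defaultManager]
        setAttributes:@{NSFileProtectionKey: NSFileProtectionComplete}
         ofItemAtPath:path error:error];
}

// Keychain: store a secret under an accessibility class that is only readable while the
// device is unlocked and never migrates to another device via backup.
static OSStatus StoreSecret(NSString *account, NSData *secret) {
    NSDictionary *query = @{(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
                            (__bridge id)kSecAttrService: @"com.example.app", // constructed
                            (__bridge id)kSecAttrAccount: account};
    SecItemDelete((__bridge CFDictionaryRef)query);   // replace any earlier copy
    NSMutableDictionary *item = [query mutableCopy];
    item[(__bridge id)kSecValueData] = secret;
    item[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)item, NULL);
}

// Disable Snapshot: cover the UI before iOS takes the backgrounding screenshot, and
// remove the cover once the app is active again.
@interface SecureAppDelegate : UIResponder <UIApplicationDelegate>
@property (nonatomic, strong) UIWindow *window;
@property (nonatomic, strong) UIView *snapshotCover;
@end

@implementation SecureAppDelegate
- (void)applicationWillResignActive:(UIApplication *)application {
    self.snapshotCover = [[UIView alloc] initWithFrame:self.window.bounds];
    self.snapshotCover.backgroundColor = [UIColor whiteColor];
    [self.window addSubview:self.snapshotCover];
}
- (void)applicationDidBecomeActive:(UIApplication *)application {
    [self.snapshotCover removeFromSuperview];
    self.snapshotCover = nil;
}
@end
```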
    28. Secure Design / Architecture
       • Do not trust the client. Store sensitive data on the server
       • Perform server side data validation and canonicalization
       • Only collect and disclose data which is required for business use of the application
       • Define and deploy secure configuration
       • Establish common set of security requirements
       • Perform periodic security scans and audits
       • Protect sensitive data using HTTPS & SSL
       • Do not log credentials, PII and other sensitive data
       • Review all third party libraries before use
    29. Agenda: Mobile Platform Risks; Mobile Apps Top 3 Risks; Security Controls & Risk Management (Tactical; Strategic)
    30. Mobile Strategy & Challenges
       • There are 3 major components of a mobile strategy that most organizations have to apply – Mobile Information Management (MIM) – Mobile Application Management (MAM) – Mobile Device Management (MDM)
    31. MIM
       • MIM refers to cloud-based services that sync files and documents across different devices
       • MIM allows for sharing data of varying security classification across devices with varying degrees of trust
       • MIM intersects Cloud and Mobile Security
       • Public MIM services are Dropbox, Box, Microsoft SkyDrive, GoogleDrive
       • Corporate MIM solutions include Monodesk, WatchDox, Citrix ShareFile, VMware Octopus
       • NFC technologies could be classified as MIM
    32. Security Challenges - MIM
       • BYOD in corporate environments
       • Potential synching of corporate data across both corporate and non-corporate issued endpoints
       • Sensitive bi-directional data leakage from the user's private and personal data into corporate data and vice-versa
       • Access and Identity Management
       • Data classification, identification and protection
       • Difficult to apply and enforce any corporate security configurations across mobile devices
       • No existing virtual segregation capabilities for corporate/user components to allow for different security policies to be applied based on risk
    33. MDM
       • MDM involves downloading software that allows users/organizations to lock down the device
       • MDM allows controls like monitoring, encryption, policy enforcement, remote wiping etc.
       • Addresses security at the device level as opposed to the application level
       • Especially challenging in the BYOD era
       • One policy regardless of varying classification levels of applications on the device – Policies like remote wiping could adversely affect user personal / private data
    34. Security Issues - MDM
       • Addresses security of the device only
       • Has little insight into the security health of applications
       • Treats all applications and all data at the same classification level
       • Difficulties in adoption in corporate environments that allow BYOD
       • Does not affect or improve the security of applications
    35. MAM
       • MAM solutions allow users and organizations to control the security of specific applications that are deployed on mobile endpoints
       • MAM can allow an organization to deliver applications like secure email, calendar, expense reporting
       • Allows security policies to be applied exclusively to specific applications based on their security classification – Encryption, remote wipe, remote application kill etc.
    36. Security Issues - MAM
       • MAM seems to have the answer for MIM's security challenges
       • MAM should solve the BYOD challenges since it allows for security policies to be applied to corporate applications and their data and allows for non-visibility into personal user information
       • MAM solutions have several challenges: – Rewrite secure versions of vendor applications (functionality challenges) – Allow vendors to plug into their security platform – Currently works only on a few apps – Create a wrapper around vendor applications (most vendors will not provide original packaged files to wrap with MAM tools)
    37. Mobile Security Convergence. All mobile security strategies (MDM, MIM, MAM) converge on these approaches: Mobile Application Security
    38. Thanks for listening… kartik@symosis.com / Lenin.Aboagye@apollogrp.edu. Email info@symosis.com for a free seat to the Mobile Apps Top 10 Security Risk Training Course
