Your SlideShare is downloading. ×
Mobile application securitry risks ISACA Silicon Valley 2012
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Mobile application securitry risks ISACA Silicon Valley 2012


Published on

Symosis mobile application security risks presentation at ISACA SV. The presentation top 3 covers mobile application security risks and helps you prioritize your risk remediation efforts

Symosis mobile application security risks presentation at ISACA SV. The presentation top 3 covers mobile application security risks and helps you prioritize your risk remediation efforts

Published in: Technology

1 Comment
  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide
  • Please make a selection by clicking on the
  • Mobile App Growth
  • How consumers are evolving and changing their mobile behavior
  • Mobile AppGrowth - / TXT MarketingNews AlertsTake a picture QR codes
  • Please make a selection by clicking on the
  • Side channel data leakage applies to data leakage via platform defaults, use of third party libraries, logging, etc. In order to provide the visual iOS has been proven to capture and store snapshots.This occurs when a device suspends (rather than terminates), when either the home button is pressed, or a phone call or other event temporarily suspends the applicationPlist is a structured text file that contains essential configuration information for a bundled executable
  • A PLIST (Property List) file is an XML file that holds application properties. Some applications store sensitive information in the plist files including authentication credentials, PIN and oAUTH tokensPlist files can be found in several location in the application directory . An example location and plist file content storing sensitive authentication credentials are shown on the screen
  • Please make a selection by clicking on the
  • Web sites and servers sometimes have improperly configured SSL certificates. This causes warning messages which are often ignored by the users. This results in users Phishing attacks where users end up providing personal information and private data to malicious websites that look like legitimate applicationsApplications that fall back or can be forced out of an encrypting mode can also be abused by attackers resulting in insecure communication. This is common on sites that operate on both HTTP and HTTPS services, or by the implementation of older versions of SSL on the web server that are vulnerable to downgrade attacks.
  • In 2011, it was discovered that Android devices transmitted data and AuthToken session cookie via insecure HTTP. AuthToken is not bound to any session or device and thus would allow an adversary to access any personal data which is made available through the service API. This includes Google calendar, picasa and contact information for that user. For more Reference: issue here is the use of insecure HTTP channel which allows network eavesdropping of the authToken and user data
  • Please make a selection by clicking on the
  • InsecureData Storage applies to the locally stored data by the mobile applications. There are two types of mobiles apps - native apps and browser based apps. Native apps are apps that is installed in the handset, processes data locally and may connect to the internet for updates or sending user specific information to the server. Example: Gaming apps, News apps, etc. Browser based apps are apps that are accessible via mobile browser. This vulnerability applies to both categories of apps.Most apps stores user specific information on mobile devices. This data may be stored in clear text and may includeUsername and passwordPII, SSN, Health InformationDevice ID, Application configurationAccount Number, Credit Card, Financial Information
  • Insecure transport layer protection is considered a high risk security vulnerabilityThe impact could includeLoss of Data Confidentiality & Integrity when sensitive information is revealed to the attackerData Tampering when attacker modifies application traffic and force user accept itMan-in-the-Middle (MITM attack) if an attacker diverts all traffic through an insecure channelImpersonation if the attacker hijacks user account
  • Please make a selection by clicking on the
  • Disable the auto-correct feature for any sensitive information, not just for password fields. Since the keyboard caches sensitive information, it may be recoverable. For UITextField, look into setting the autocorrectionType property to UITextAutocorrectionNo to disable caching. Set UITextField to OFF to prevent caching altogetherAdd an enterprise policy to clear the keyboard dictionary at regular intervals. This can be done by the end user by simply going to the Settings application, General > Reset > Reset Keyboard Dictionary
  • Please make a selection by clicking on the
  • Transcript

    • 1. Mobile Apps Security Risk Assessment Kartik Trivedi / Lenin Aboagye
    • 2. For the Demo…please download and install the followingapps on your mobile device and create an account 2
    • 3. Who are we?• Kartik Trivedi – Co-founder of Symosis – Author / Speaker / Interviews - Forbes, Security Focus, Tech world, Security News, etc – Golfer (Advanced Amateur? )• Lenin Aboagye – Security Architect Apollo group – Cloud / Mobile security expert – Media & Television, Education, Health, Real Estate and Energy industries experience 3
    • 4. AgendaIntroduction Growth / Revenue Security ConcernsMobile Apps Top 3 RisksCountermeasures & Risk Management 4
    • 5. There is an App for that! 5
    • 6. There is an App for that!• Pay bills • Small Business Payroll• File income taxes • Pay invoice• Pay property tax • Location based check in• Scan & Shop • Personal finance• Deposit checks • Investments & 401k• Transfer money • Health & Fitness• Store medical records • Productivity• Refill prescription • Facebook / twitter• Manage health information • Place bets on sports• Remember your meds • Utilities• Book flight / hotel • Store passwords• Medscape / pharmacopia • Document storage 6
    • 7. 7
    • 8. 53% of Fortune 500 companieshave mobile apps 8
    • 9. Business Case for Mobile Presence• Networking / communication - unprecedented level of connectivity between employees, vendors, and/or customers• Instant Feedback - sharing information through this medium allows businesses to get immediate feedback on products and services from customers.• Marketing - SMS (text) messaging, mobile websites, mobile applications, banner ads, QR codes, IVR messaging and more.• Commerce – Mobile ticketing, vouchers, coupons, loyalty cards, content purchase, delivery, location based services, Information services, mobile banking, mobile brokerage, mobile purchase 9
    • 10. Security Concerns• Side Channel Data Leakage • Activity monitoring and data retrieval• Insufficient Transport Layer Protection • Unauthorized dialing, SMS, and payments• Weak Server Side Controls • Unauthorized network connectivity (data exfiltration or command & control)• Insecure Data Storage • UI (unique identifier) impersonation• Client Side Injection • System modification (rootkit, APN proxy• Poor Authorization and configuration) Authentication • Mobile Malware• Improper Session Handling • Criminals Target and Infect App Stores• Security Decisions Via Untrusted Inputs • Social-Engineering • Geolocation compromise• Broken Cryptography • Security Regulatory Compliance• Sensitive Information Disclosure • Device Risk• Hardcoded password/keys • BYOD / MDM• Privacy compliance • Application management• Identity exposure • Installation of un-verified / unsigned 3rd party apps 10
    • 11. AgendaIntroduction Growth / Revenue Security ConcernsMobile Apps Top 3 Risks Side Channel Leakage Insecure Transport / Server Controls Insecure Data StorageCountermeasures & Risk Management 11
    • 12. Side Channel Data LeakageData leakage via platform defaults, use of thirdparty libraries, logging, etc• SnapShot (ie- iOS backgrounding)• Plist filesSometimes result of programmatic flaws
    • 13. Demo 13
    • 14. 14
    • 15. 15
    • 16. AgendaMobile Platform RisksMobile Apps Top 3 Risks Side Channel Leakage Insecure Transport / Server Controls Insecure Data StorageCountermeasures & Risk Management 16
    • 17. Insecure Transport/Server ControlsFailing to encrypt sensitivenetwork traffic consisting ofsensitive dataInsecure server controls -web, application andbackend API - can lead tosecurity compromise
    • 18. Demo 18
    • 19. 20
    • 20. TOCMobile Platform RisksMobile Apps Top 3 Risks Side Channel Leakage Insecure Transport / Server Controls Insecure Data StorageCountermeasures & Risk Management 21
    • 21. Insecure Data StorageLocally stored data both on native and browserbased apps that includes• SQLite / Cache files• Keychain – Is this really secure? 22
    • 22. Demo 23
    • 23. 24
    • 24. Risk & Impact: HighSensitive Data exposure• Username & password• PII, SSN, Health Information• Device ID, Application configuration• Account Number, Credit Card, Financial InformationLoss of Data Confidentiality & IntegrityData TemperingMan-in-the-Middle (MITM attack)ImpersonationUnauthorized access to application data orfunctionalityPrivacy Violations / reputation damage
    • 25. AgendaIntroductionMobile Apps Top 3 Risks Insecure Data Storage Insecure Transport / Server Controls Side Channel LeakageCountermeasures & Risk Management Tactical Strategic 26
    • 26. Secure Programming / EducationDisable Cache - Set the autocorrectionType property toUITextAutocorrectionNo for UITestFieldDisable Snapshot – Use applicationWillResignActivedelegate methodDisable Logs – Disable NSLog and NSAssertDisable Insecure HTTP - Use NSURLConnection along withcanAuthenticateAgainstProtectionSpace 27
    • 27. Encrypt DataData Protection API - set the NSFileProtectionKeyon an existing fileKeychain – Apple recommends storing Sensitivedata like passwords and keys in the KeychainCCCrypt - provides access to AES, DES, 3DESSQLCipher (IOS & Android) - transparent256-bit AES encryption of database files 28
    • 28. Secure Design / Architecture• Do not trust the client. Store sensitive data on the server• Perform server side data validation and canonicalization• Only collect and disclose data which is required for business use of the application• Define and deploy secure configuration• Establish common set of security requirements• Perform periodic security scans and audits• Protect sensitive data using HTTPS & SSL• Do not log credentials, PII and other sensitive data• Review all third party libraries before use 29
    • 29. AgendaMobile Platform RisksMobile Apps Top 3 RisksSecurity Controls & Risk Management Tactical Strategic 30
    • 30. Mobile Strategy & Challenges• The are 3 major components of a mobile strategy that most organizations have to apply – Mobile Information Management(MIM) – Mobile Application Management(MAM) – Mobile Device Management(MDM) 31
    • 31. MIM• MIM refers to cloud-based services that syncs files and documents across different devices• MIM allows for sharing data of varying security classification across devices with varying degrees of trust• MIM intersects Cloud and Mobile Security• Public MIM services are Dropbox, Box, Microsoft SkyDrive, GoogleDrive• Corporate MIM solutions include Monodesk, WatchDox, Citrix ShareFile, Vmware Octopus• NFC technologies could be classified as MIM 32
    • 32. Security Challenges -MIM• BYOD in corporate environments• Potential synching of corporate data across both corporate and non-corporate issued endpoints• Sensitive bi-directional data leakage from user’s private and personal data into corporate and vice-versa• Access and Identity Management• Data classification , identification and protection• Difficult to apply and enforce any corporate security configurations across mobile devices• No existing virtual segregation capabilities for corporate/user components to allow for different security policies to be applied based on risk 33
    • 33. MDM• MDM involves downloading software that allows users/organizations to lock down• MDM allows controls like monitoring, encryption, policy enforcement , remote wiping etc..• Addresses security at the device level as opposed to the application level• Especially challenging in BYOD era• One policy regardless of varying classification levels of applications on device – Policies like remote wiping could adversely affect user personal /private data 34
    • 34. Security Issues-MDM• Addresses security of device only• Has little insight into security health of applications• Treats all applications and all data at the same classification level• Difficulties in adoption in corporate environments that allows BYOD• Does not affect or improve the security of applications 35
    • 35. MAM• MAM solutions allow users and organizations to control the security of specific applications that are deployed on mobile endpoints• MAM can allow an organization to deliver applications like secure email, calendar, expense reporting• Allows security policies to be applied exclusively on specific applications based on their security classification – Encryption, remote wipe, remote application kill etc.. 36
    • 36. Security Issues-MAM• MAM seems to have the answer for MIM’s security challenges• MAM should solve the BYOD challenges since it allows for security policies to be applied to corporate applications and their data and allows for non-visibility into personal user information• MAM solutions have several challenges: – Rewrite secure versions of vendor applications(functionality challenges) – Allow vendors plug into their security platform – Currently works only an a few apps – Create a wrapper around vendor applications (most vendors will not provide original packaged files to wrap with MAM tools) 37
    • 37. Mobile Security Convergence MDM All mobile security strategies converge on these MIM approaches MAM Mobile Application Security 38
    • 38. Thanks for listening… / Lenin.Aboagye@apollogrp.eduEmail for a free seat to the Mobile Apps Top 10 Security Risk Training Course 39