Addressing Mobile Application Security


In this presentation, we examine and discuss the various security risks involved with developing and deploying mobile applications. We will discuss the potential pitfalls in deploying mobile enterprise applications and how to mitigate them with specific best practices, monitoring tools, and a proven, highly secure mobile enterprise application platform.

View this session to:
Learn to manage risk and exposure with mobile app development best practices
Discover potentially threatening security holes in mobile apps built with HTML5
Understand how to eliminate data exposure and/or loss when a device goes missing
Explore how the Splitware Mobility Platform makes it simple to rapidly deploy highly secure, native mobile apps

Published in: Technology

  • Examples: personnel information, patient data, statistics, business intelligence, scores, plans & designs, inventory, pricing, costs, etc
  • Transcript

    • 1. Addressing Mobile Application Security
    • 2. Welcome!
       Introduction
       Understanding the Enterprise Environment
       Security Concerns in Enterprise Mobility
       What is Important
       Specific concerns with HTML5
       What to remember
       Wrap up, Q&A
    • 3. Introduction
       Security is by far the most important enterprise mobility adoption challenge for CIOs, according to a recent survey
       However… according to the 2012 Information Security Breaches Survey:
         • Only 39% of large organizations encrypt data downloaded to smartphones and tablets
         • 38% of large businesses do not have any kind of program for educating their staff about security risks
         • 26% of respondents with a security policy believe their staff have a very good understanding of it, while 21% think the level of staff understanding is poor
    • 4. Introduction
       Crucial to have the right policy and tools in place
       Implementation of a clear mobile security policy will contribute to success
       New technology (MDM, etc.) is useful for solving some problems
       However, securing mobile apps from the ground up, with the right policies and procedures in place, will ensure all bases are covered
    • 5. Enterprise Mobile App Security
       The Corporate / Organization perspective:
         • Enterprise responsibility
         • Balance between risk and reward
         • Employee impacts
       Security concerns within your Mobile Strategy
       Taking advantage of technology to create secure processes
       HTML5 risks
       The Mobile Reach approach
    • 6. What is an Enterprise Mobile App? Areas of security concern
       [Diagram: Enterprise Environment and Mobile Environment, with data flowing between them; the numbered attack points below are marked on the data paths]
       1. Network hacker "listens" to my data
       2. Device data exposed
       3. Unauthorized person gains access to data
       4. Unauthorized network access after hacking the device
    • 7. What is Important?
       Your Organization cares about protecting enterprise data in the hands and on the devices of mobile users
         • What is the data? How sensitive is it?
         • How bad is it if the data gets lost or into the "wrong" hands?
       Your Organization cares about keeping malicious users and other threats OUT of the corporate network
         • How to limit the threats?
         • How to minimize damage upon a breach?
    • 8. Security in your Mobile Strategy
       What happens if a user loses his/her mobile device?
         • How do we prevent sensitive or confidential information from being exposed?
         • How do we prevent an unauthorized user from using the device / its applications?
       How do we prevent a malicious user, application, or virus from infecting our corporate network?
       How do we protect the corporate entity from a legal situation (being sued)?
    • 9. Mobile App Considerations
       Think twice about pushing sensitive information to the mobile device. Does the mobile user need it to do his job?
       Is it possible to minimize the sensitive data to a point where exposure is very low risk?
       Whenever neither is possible:
         • Encrypt the data in all over-the-air transport
         • Encrypt the data at rest on a mobile device
         • Have procedures in place to detect/inform as soon as data is at risk
         • Use remote-wipe and device tracking features ASAP
    • 10. Addressing Security Concerns
       Your Mobile Strategy MUST include:
         • Security Policies and Procedures for your PEOPLE
         • NETWORK Security and Policies to control access
         • Mobile DEVICE Management
         • Data RISK ANALYSIS for your mobile apps
         • Data PROTECTION for all sensitive data
    • 11. PEOPLE
       Security Policies and Procedures:
         • BYOD requirements, including remote wipe consent
         • Instructions on the handling of sensitive/confidential information
         • Instructions on how/when to report lost or stolen devices
         • Authentication policies
         • Mobile application usage instructions
         • User responsibilities and penalties for non-compliance
       Clear and consistent rules and processes
    • 12. NETWORK Security
       Security and Policies for network access:
         • Identify WHO is allowed to access the corporate network from WHAT mobile device
         • Identify HOW mobile users are to access the corporate network
         • Specify required authentication
         • Incorporate malware protection
       Protect the network from unauthorized access (hacking)
    • 13. DEVICE MANAGEMENT
       Mobile Device Management MUST include:
         • Support for all mobile devices that your users will be using
         • Provisioning to manage who is allowed to use what
         • Anti-virus, anti-malware capability
         • Remote wipe capability
         • Ongoing support, upgrading, etc.
         • Device location tracking
       Manage and control mobile devices and usage
    • 14. RISK ANALYSIS
       Data Risk Analysis for your Mobile Apps:
         • Identify the data that will be used by the mobile app and characterize its sensitivity
         • Map out processes for mobile users
         • Minimize sensitive data on the mobile device
         • Identify the risks of exposure for all sensitive data
         • Implement data protection measures to mitigate risks
       Minimize risk while maximizing operational effectiveness
    • 15. DATA PROTECTION
       Protecting Sensitive Data:
         • Do not count on device security to be enough!
         • Application-level ENCRYPTION of all sensitive data, BOTH during over-the-air transmission AND at rest on the device, is required
         • AUTHENTICATION of authorized mobile users is required for access to enterprise mobile apps and data
         • No clear-text storage of passwords or other authentication criteria
       Make it extremely difficult / impossible to hack the data
    • 16. Using technology securely
       How it can help:
         • Visually hiding data
         • Encrypting data (at rest, over-the-air)
         • Requiring authentication for access
         • Transferring data in real time, removing it from the mobile device
       Considerations:
         • Data is in an electronic format
         • Must be encrypted within the software
    • 17. Examples…
       Nurse capturing patient data
         • Form and clipboard: free text, easy to be seen
         • Mobile device with electronic form: encrypted text
       Military personnel performing an armory inventory
         • Spreadsheets and clipboard with part codes and quantities in free text
         • Mobile device with barcode scanner and coded fields
       Technology can be used to assist in the protection of data
    • 18. Components of a secure app
       Authentication of users
       Incorporate an idle-timer application lock
       Encryption of all data at rest
       Encryption of data transferred over the air
       Good error handling
       No dependence on untrustworthy code
    • 19. Security Issues With HTML
       Browser-based vulnerabilities
         • Security varies depending on the browser
         • Many more browser options are available on smartphones
         • With much more data caching and local storage, browsers are now accessing much more sensitive data
         • Email client, CRM and other systems could be exposed
         • Browsers are the major attack point for hackers
         • Browser providers must agree to adopt industry standards that have yet to be approved
         • New standard not due until 2014
    • 20. HTML5 Holes
       Browser attack points
         • Cross-document messaging, local storage, cookies
         • Issues with HTML4 and JavaScript remain in HTML5
         • Abuse of DNS and insecure use of APIs could leave a website vulnerable
         • Flawed input validation, client-side validation syntax issues
    • 21. Predictions
       According to a recent report on Security Predictions and Trends, HTML5 will be under increased attack in 2012. "… the security of HTML5 applications is still dependent on the skill and care with which developers create them. HTML5 is new and complex … Developers are still getting comfortable with it, which means they are likely to make programming mistakes that could translate into web vulnerabilities. Increased usage of HTML5 will significantly contribute to the continued increase in web application attacks next year."
    • 22. The Mobile Reach approach
       Mobile Reach Splitware Mobility Platform:
         • Security built into the foundation of the platform
         • Data transferred and at rest is encrypted via AES 256-bit encryption; easy to scale / add other encryption algorithms
         • All software built in-house with no 3rd-party components
         • Native application platform to avoid the pitfalls of HTML5
         • Ability to incorporate fingerprint scanning, retina scanning, and other device-native features
         • Database protected from general-purpose device backup facilities
         • Authentication incorporated
    • 23. Splitware Approach to Security
    • 24. Splitware System Encryption
    • 25. The Mobile Strategy Checklist
       What happens if a user loses his/her mobile device?
         • Mobile apps lock requiring a password; remote wipe
       How do we prevent sensitive or confidential information from being exposed?
         • Encryption of all data, encryption of all passwords
       How do we prevent an unauthorized user from using the device and its applications?
         • Authentication (ideally two-factor), idle-time locking
       How do we prevent a malicious user, application, or virus from infecting our corporate network?
         • Network security software
       How do we protect the corporate entity from a legal situation (being sued)?
         • Well-thought-out and documented procedures, adherence to industry best practices
    • 26. Summary
       Protecting enterprise data is what's important
       Developing appropriate rules and procedures that complement your mobile processes and the needs of your mobile workforce is critical
       Understand the real risks of your mobile solution and focus security measures on those risks
       Avoid using HTML5 for mobile apps that require high security
       Avoid the tendency to implement security procedures just for the sake of "security"
    • 27. Q&A
       For a copy of the presentation, more information, or to request a product demonstration, please contact Bob Silver.
       Bob Silver: 919-336-2500, ext 109
    • 28. Thanks for Joining Us!
       Mobile Reach Enterprise Mobility Webinar Series
         • Building Mobile Apps in Minutes
         • Analyzing and Implementing Effective Mobile Workflow
         • Why Native Apps are the Right Choice for Enterprise
         • Addressing Mobile Application Security
         • Developing an Enterprise Mobile Strategy
       August 2012
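Two of the app-level components the slides call for, the idle-timer application lock (slide 18) and no clear-text storage of passwords (slide 15), as an added Python example that is not code from the presentation or from Mobile Reach's Splitware platform. The PBKDF2 iteration count, the 300-second timeout and the `AppLock` class name are assumptions chosen for the example; the lock takes an injectable clock so the timeout can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time

# Assumption for the example: tune the work factor to the device's CPU budget.
PBKDF2_ITERATIONS = 100_000


def make_credential(password: str) -> dict:
    """Store a random salt and a PBKDF2-HMAC-SHA256 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}


def verify_password(credential: dict, attempt: str) -> bool:
    """Recompute the hash and compare in constant time so timing leaks nothing."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), credential["salt"], credential["iterations"])
    return hmac.compare_digest(digest, credential["hash"])


class AppLock:
    """Idle-timer lock: every data access must pass require_unlocked()."""

    def __init__(self, credential: dict, idle_seconds: float, clock=time.monotonic):
        self._credential = credential
        self._idle = idle_seconds
        self._clock = clock            # injectable so tests can fake elapsed time
        self._last_activity = None     # None means the app is locked

    def unlock(self, password: str) -> bool:
        if not verify_password(self._credential, password):
            return False
        self._last_activity = self._clock()
        return True

    def touch(self) -> None:
        """Call on every user interaction; only resets the timer while unlocked."""
        if self._last_activity is not None:
            self._last_activity = self._clock()

    def is_locked(self) -> bool:
        if self._last_activity is not None and self._clock() - self._last_activity >= self._idle:
            self._last_activity = None  # idle timeout expired: lock until re-authentication
        return self._last_activity is None

    def require_unlocked(self) -> None:
        if self.is_locked():
            raise PermissionError("application locked; re-authenticate")
```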