Mobile Application Security
Mobile Application Security presentation at IBM Innovate Conference with Raj Balasubramanian

Presentation Transcript

  • IBM Innovate 2012: Mobile Application Security, Foundation & Directions
    Raj Balasubramanian, Product Architect, IBM Mobile Foundation, raj_balasubramanian@us.ibm.com
    Dirk Nicol, Product Manager, IBM Mobile Foundation, nicold@us.ibm.com
    IPI2478
  • The Premier Event for Software and Systems Innovation
    Please note IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
    © 2012 IBM Corporation
  • Mobile is transformational
    • 10 billion devices by 2020
    • 61% of CIOs put mobile as priority
    • 45% increased productivity with mobile apps
  • IBM strategy addresses client mobile initiatives
    • Extend & Transform: extend existing business capabilities to mobile devices; transform the business by creating new opportunities
    • Build & Connect: build mobile applications; connect to, and run backend systems in support of mobile
    • Manage & Secure: manage mobile devices, services and applications; secure my mobile business
  • A deeper look at Manage & Secure capabilities
    Manage & Secure: manage mobile devices, services and applications; secure my mobile business
    Key Capabilities:
    • Mobile lifecycle management
    • Device analytics and control
    • Secure network communications & management
  • Mobile Devices: Unique Management & Security Challenges
    Mobile devices are shared more often:
    • Personal phones and tablets shared with family
    • Enterprise tablet shared with co-workers
    • Security profile per persona?
    Mobile devices have multiple personas:
    • Work tool
    • Entertainment device
    • Personal organization
    • Social norms of mobile apps vs. file systems
    Mobile devices are diverse:
    • OS immaturity for enterprise mgmt
    • BYOD dictates multiple OSs
    • Vendor / carrier control dictates multiple OS versions
    Mobile devices are used in more locations:
    • A single location could offer public, private, and cell connections
    • Anywhere, anytime
    • Increasing reliance on enterprise WiFi
    Mobile devices prioritize the user:
    • Conflicts with user experience not tolerated
    • OS architecture puts the user in control
    • Difficult to enforce policy, app lists
  • Mobile Risks: Top 10 Mobile Risks (Source: OWASP Mobile Security Project)
    1. Insecure Data Storage
    2. Weak Server Side Controls
    3. Insufficient Transport Layer Protection
    4. Client Side Injection
    5. Poor Authorization and Authentication
    6. Improper Session Handling
    7. Security Decisions Via Untrusted Inputs
    8. Side Channel Data Leakage
    9. Broken Cryptography
    10. Sensitive Information Disclosure
  • Challenges of Enterprise Mobility
    Achieving Data Separation & Providing Data Protection:
    • Data separation: personal vs corporate
    • Data leakage into and out of the enterprise
    • Partial wipe vs. device wipe vs legally defensible wipe
    • Data policies
    Adapting to the BYOD / Consumerization of IT Trend:
    • Multiple device platforms and variants
    • Multiple providers
    • Managed devices (B2E)
    • Unmanaged devices (B2B, B2E, B2C)
    • Endpoint policies
    Providing secure access to enterprise applications & data:
    • Threat protection
    • Identity of user and devices
    • Authentication, Authorization and Federation
    • User policies
    • Secure Connectivity
    Developing Secure Applications:
    • Application life-cycle
    • Vulnerability & Penetration testing
    • Application Management
    • Application policies
    Designing & Instituting an Adaptive Security Posture:
    • Policy Management: Location, Geo, Roles, Response, Time policies
    • Security Intelligence
    • Reporting
  • So How do I Protect My Mobile Initiatives?
    Begin by taking a holistic view of Mobile Security:
    • Secure endpoint device and data
    • Develop, test and deliver safe applications
    • Secure access to enterprise applications and data
    • Achieve Visibility and Enable Adaptive Security Posture
    [Diagram: mobile apps and web sites reach the Corporate Intranet & Systems over WiFi, the Internet and the Telecom Provider, passing through a Security Gateway]
  • Spectrum of Mobile Security Requirements
    Mobile devices are not only computing platforms but also communication devices, hence mobile security is multi-faceted, driven by customers’ operational priorities.
    Mobile Security Intelligence spans all of the areas below.
    Mobile Device Management:
    • Acquire/Deploy: Register; Activation
    • Manage/Monitor: Configuration; Self Service; Reporting; Compliance
    • Retire: De-provision
    Mobile Device Security:
    • Device wipe & lockdown
    • Password Management
    • Policy enforced by tools
    • Enterprise policies
    Data, Network & Access Security:
    • Mobile Threat Management: Anti-malware; Anti-spyware; Anti-spam; Firewall/IPS; Web filtering; Web Reputation
    • Mobile Information Protection: Data encryption (device, file & app); Mobile data loss prevention; Content Mgmt
    • Mobile Network Protection: Secure Communications (VPN); Edge Protection
    • Mobile Identity & Access Management: Identity Management; Authorize & Authenticate; Certificate Management; Multi-factor
    App/Test Development:
    • Secure Mobile Application Development: Vulnerability testing; Mobile app testing
    Mobile Applications, i.e. Native, Hybrid, Web
    Mobile Application Platforms & Containers
    Device Platforms: 30 device manufacturers, 10 operating platforms, i.e. iOS, Android, Windows Mobile, Symbian, etc.
  • Mobile App Security: Defending the Software
    • Consistently apply and enforce best practices during Development
    • Perform vulnerability analysis during Testing
    • As threats evolve, recognize required updates and establish a process for pushing them to users
    • Provide or employ a secure channel for delivering apps
    • Employ a secure runtime environment to safeguard app data
    • Perform checks to validate the integrity of apps
  • Mobile Security Enabled with IBM Solutions
    Achieve Visibility & Enable Adaptive Security Posture, IBM QRadar:
    • System-wide Mobile Security Awareness
    • Risk Assessment
    • Threat Detection
    Build & Run Safe Mobile Apps:
    • IBM WorkLight: develop safe mobile apps; runtime for safe mobile apps (Direct Updates, Encrypted data cache, App validation)
    • IBM AppScan for Mobile: vulnerability testing; Dynamic & Static analysis of Hybrid and Mobile web apps
    Secure Data & the Device:
    • IBM Endpoint Manager for Mobile: Configure, Provision, Monitor; Set appropriate security policies; Enable endpoint access; Ensure compliance
    Protect Access to Enterprise Apps & Data:
    • IBM Security Access Manager for Mobile: Authenticate & Authorize users and devices; Standards Support: OAuth, SAML, OpenID; Single Sign-On & Identity Mediation
    • IBM DataPower: Protect enterprise applications; XML security & message protection; Protocol Transformation & Mediation
    • IBM Mobile Connect: Secure Connectivity; App level VPN
  • The Difference Between Secure Apps and Device Management
    Mobile Device Management (device-level control):
    • Password protection
    • File-system encryption
    • Managed apps
    • Remote administration
    Requires consent of user to have enterprise manage entire device.
    Application-Level Security (app takes care of itself):
    • Authentication
    • File encryption
    • Jailbreak detection
    • Adaptive functionality
    Applicable in all scenarios, including BYOD and consumer-facing contexts.
  • Worklight Runtime Architecture
    Worklight Server: Server-side Application Code; Stats Aggregation; JSON Translation; Authentication; Back-end Data Integration; Adapter Library; Unified Push Notifications
    Device Runtime: Client-side Application Code; App Resources; Cross Platform Technology; Direct Update; Mobile Web Apps; Security and Authentication; Post-deployment control; Diagnostics
  • Mobile Application Security Objectives
    Protect data on the device:
    • Malware, Jailbreaking
    • Offline access
    • Device theft
    • Phishing, repackaging
    Enforce security updates:
    • Be proactive: can’t rely on users getting the latest software update on their own
    Streamline Corporate security approval processes:
    • Complex
    • Time-consuming
    Provide robust authentication and authorization:
    • Existing authentication infrastructure
    • Passwords are more vulnerable
    Protect from the “classic” threats to the application security:
    • Hacking
    • Eavesdropping
    • Man-in-the-middle
  • IBM WorkLight: Security By Design
    Protecting data on the device and in transit:
    • App authenticity testing
    • Jailbreak and malware detection
    • Encrypted offline cache
    • Offline authentication
    • Secure connectivity (SSL with server identity verification)
    • Code obfuscation
    Enforcing security updates:
    • Remote disable
    • Direct update
    Providing robust authentication and authorization:
    • Authentication integration framework
    • Data protection realms
    • Coupling device id with user id
    • Mobile platform as a trust factor
    • Proven platform security
    Streamlining Corporate security processes:
    • Application Security
    Integration points:
    • VPN solutions (i.e. IBM Mobile Connect)
    • User Security solutions (i.e. IBM Security Access Manager for Mobile)
    • MDM solutions (i.e. IBM Endpoint Manager for Mobile)
  • Protecting data on the device
    Threats addressed: Malware, Jailbreaking; Device theft; Offline access; Phishing, repackaging
    • Encrypted offline cache
    • Offline authentication using password
    • Extended authentication with server using secure challenge-response (on startup)
    • App authenticity testing: server-side verification mechanism to mitigate risk of phishing through repackaging or app forgery
    • Compatibility with various jailbreak and malware detection libraries
  • Enforcing security updates
    Can’t rely on users getting the latest software update on their own.
    • Remote Disable: shut down specific versions of a downloadable app, providing users with a link to update
    • Direct Update: automatically send new versions of the locally-cached HTML/JS resources to installed apps
  • Authentication and Authorization
    Providing robust authentication and authorization:
    • Need to integrate with existing authentication infrastructure
    • Authenticate users when offline
    • Mobile passwords are more vulnerable (keyboard more difficult to use, typed text is visible)
    Authentication integration framework:
    • Very flexible framework for simplifying integration of apps with existing authentication infrastructure
    • Manages authenticated sessions with configurable expiration
    • Open: e.g., custom OTP as anti-keylogger mechanism
    Data protection realms:
    • Server-side services grouped into separate protection realms for different authentication levels
    Device provisioning:
    • Secure device ID generated as part of extensible provisioning process
  • Session Authentication Management, Step 1 – Unauthenticated Session
    1. Call protected procedure on the Worklight Server: access denied because the session is unauthenticated or expired
    2. Request authentication
    Session:
    • Created on first access from client
    • Identified using session cookie
    • Associated data is stored on the server
  • Session Authentication Management, Step 2 – Authentication
    1. Obtain credentials from user and device
    2. Forward credentials to the Worklight Server, which processes the authentication data
    3. If necessary: consult with authentication servers; perform device provisioning; receive authentication token; associate token with session
  • Session Authentication Management, Step 3 – Authenticated Session
    1. Procedure call on authenticated session (authenticated token associated with session)
    2. Access back-end service using authentication token
    3. Procedure result
    Session table (Session ID: Auth Tokens/State):
    • 2bd4296a3f29: Realm 1: 25487; Realm 2: ------
    • 25617ff82a90: Realm 1: ------; Realm 2: a6c9a
    • 89a77921b02: Realm 1: 7b8df; Realm 2: 6a8a0
  • Worklight Studio simplifies the reuse of custom containers across the organization
    • One team creates a custom container (“Shell Component”) for extensive security certification
    • Other teams create HTML-only “inner apps” wrapped in that container
  • Mobile Security Enabled with IBM Solutions
    IBM brings together a broad portfolio of technologies and services to meet the mobile security needs of customers across multiple industries:
    • Application security: Worklight; IBM Rational AppScan
    • Mobile device management: IBM Endpoint Manager for Mobile devices; IBM Hosted Mobile Device Security Management
    • Secure enterprise access: IBM Security Access Manager
    • Security Intelligence: IBM QRadar
  • Deployment for SSO and Security Intelligence
    [Diagram: hybrid mobile apps based on WorkLight on the mobile device connect over SSL, through a Mobile Security Gateway providing SSO and risk-based access, to the WorkLight Server (WAS with security, Worklight Runtime) and on to enterprise applications, connectivity & data; IBM Endpoint Manager and the Security Intelligence Platform sit alongside]
    • Security intelligence with mobile context
    • Intelligence around malware and advanced threats in a mobile-enabled enterprise
    • User identity and device identity correlation, leading to behavior analysis
    • Geo-fencing, anomaly detection based on device, user, location, and application characteristics
  • IBM AppScan: Bringing Vulnerability Scanning to Mobile
    Detection of vulnerabilities before apps are delivered and deployed:
    • Known vulnerabilities can be addressed in software development and testing
    • Code vulnerable to known threat models can be identified in testing
    • Security designed in vs. bolted on
    Leverage AppScan for vulnerability testing of mobile web apps and web elements (JavaScript, HTML5) of hybrid mobile apps.
  • IBM Security Access Manager: Authentication & Authorization of Mobile Users and their Devices
    IBM Security Access Manager for Mobile can be used to satisfy complex authentication requirements. A feature called the External Authentication Interface (EAI) is designed to provide flexibility in authentication. Federated Identity Manager can be incorporated into the solution to provide federated identity management.
    [Diagram: Mobile Browser or Native Applications reach the Access Manager Servers over VPN or HTTPS; Access Manager performs Authorization (e.g., IBM Access Policy Manager), Authentication (i.e. userid/password, Basic Auth, Certificate or Custom) and Federated Identity (External Authentication Provider, Federated Identity Manager) against User registries (i.e. LDAP), in front of Application Servers (i.e. WebSphere, WorkLight), Enterprise Web Applications and Web Services]
  • IBM Endpoint Manager for Mobile: Extending Management Reach to Mobile Devices
    • Advanced management for iOS, Android, Symbian, and Windows Phone
    • Common management agent and console for Systems management and Security management
    • Unified management automatically enables VPN access based on security compliance
    • Near-instant deployment of new features
    • Integration with back-end IT management systems such as service desk, CMDB, and SIEM
    • Security threat detection and automated remediation
    • Extends IBM’s existing 500,000 endpoint deployment
    [Diagram: IBM Endpoint Manager managing desktop / laptop / server endpoints, mobile endpoints and purpose-specific endpoints]
  • IBM QRadar: Delivering Mobile Security Intelligence
    Delivers Mobile Security Intelligence by monitoring data collected from other mobile security solutions: visibility, reporting and threat detection.
    • Ingest log data and events from: Endpoint Manager for Mobile Devices; Access Manager for Mobile; Mobile Connect; WorkLight
    • Unified collection, aggregation and analysis architecture for: Application logs; Security events; Vulnerability data; Identity and Access Management data; Configuration files; Network flow telemetry
    • A common platform for: Searching; Filtering; Rule writing; Reporting functions
    • A single user interface for: Log management; Risk modeling; Vulnerability prioritization; Incident detection; Impact analysis tasks
  • Copyright and Trademarks
    © IBM Corporation 2012. All Rights Reserved. IBM, the IBM logo, ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
  • IBM Global Technology Services offers a broad set of complementary mobile capabilities
    Client Initiatives: Build mobile applications; Connect to, and run backend systems in support of mobile; Manage mobile devices and applications; Secure my mobile business; Extend existing business capabilities to mobile devices; Transform the business by creating new opportunities
    Services:
    • Mobile application development
    • Mobile Application Platform Management
    • Mobile Application Management
    • Strategy & Transformation
    • Telecom Expense Management Services
    • Mobile Security
    • Mobile Device Management
    • Procurement, staging and kitting
    • Unified Communications Management
    • Network (e.g. wi-fi, VPN) Management
    • End-user and administration support
    • Messaging, collaboration and social
  • www.ibm.com/software/rational
  • Daily iPod Touch giveaway
    • Complete your session surveys online each day at a conference kiosk or on your Innovate 2012 Portal!
    • Each day that you complete all of that day’s session surveys, your name will be entered to win the daily iPod touch!
    • On Wednesday be sure to complete your full conference evaluation to receive your free conference t-shirt!
  • Acknowledgements and disclaimers
    Availability: References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.
    © Copyright IBM Corporation 2012. All rights reserved. – U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
    IBM, the IBM logo, ibm.com, Rational, the Rational logo, Telelogic, the Telelogic logo, Green Hat, the Green Hat logo, and other IBM products and services are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml. If you have mentioned trademarks that are not from IBM, please update and add the following lines: [Insert any special third-party trademark names/attributions here] Other company, product, or service names may be trademarks or service marks of others.
  • www.ibm.com/software/rational
    © Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, Rational, the Rational logo, Telelogic, the Telelogic logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.