C0c0n 2011 mobile security presentation v1.2

Mobile phone security has been a hot topic for debate in recent times. The top mobile manufacturers seem to claim that their mobiles and applications are secure, but recent news on mobile hacking and malware suggest otherwise.

One of the key challenges in mobile security is the diversity of platforms and the multitude of operating systems (both open and proprietary) in the market. This makes it almost impossible to devise a generic, catch-all strategy for mobile application security. Every platform, whether iOS, Android, BlackBerry, Windows Mobile or Symbian, is unique and requires specialized treatment.

In this talk, we will demystify mobile and related application security. We will understand the architectures of various mobile operating systems and the native security support provided by the manufacturers and operating system vendors. Then we will look at how hackers have come up with different techniques and tools to break mobile security, and what mobile companies are doing to mitigate these attacks.

Finally, we will look at secure practices for mobile deployment in the enterprise using policy files and other technology solutions. We will also outline best practices for business users and road warriors on how to ensure company data is protected while still enjoying the flexibility that mobile phones provide.

Published in: Technology, News & Politics
Comments
  • Hi Santosh, thanks for your reply. My email is chuwc@hotmail.com.
  • Hi Santosh, the info in your slides is excellent. Can I have a pdf copy of your slides ?

Transcript

  • 2. c0c0n 2011 - Mobile Security. © 2011 MIEL eSecurity Pvt Ltd. Confidential
  • 3. Disclaimer. The following presentation contains information which is proprietary to MIEL e-Security Pvt. Ltd. and should be treated as strictly private and confidential. This document is being discussed with you solely for your information and may not be reproduced, redistributed or passed on, directly or indirectly, to any other organization or published, in whole or in part, for any purpose without the express written consent of MIEL e-Security Pvt. Ltd. COPYRIGHT © 2011 MIEL e-Security Pvt. Ltd. All rights reserved.
  • 4. Presenter's Profile. Santosh Satam, Head-Technical Services; CISA | CISM | CISSP | CSSLP. Focus areas: Enterprise Security Strategy; Application & Mobile Security Assessment. Security Crunch: my daily newsletter on cyber security. Other interests: running marathons.
  • 5. Agenda: Introduction; Trends and Threats; Mobile Threatscape; Enterprise Challenges; Recommendations; Conclusion
  • 6. Information Age and You
  • 7. Evolution of Mobile Use Cases (source not captured). Mobiles are becoming first-class citizens in enterprises.
  • 8. Mobile Trends
  • 9. Evolution of Mobile Phones. Phones have evolved into powerful machines with almost all the capabilities of our laptops; they are always on and always with you; they keep evolving and becoming more powerful. Security has not kept pace with this growth and remains an afterthought.
  • 10. Mobile Threats. Source: McAfee Quarterly Report 2011
  • 11. Lots of security incidents reported: Mobile Mishaps in the News
  • 12. (news clipping) Source: trendmicro
  • 13. (news clipping) Source: netsecurity.org
  • 14. (news clipping; text not captured)
  • 15. (news clipping; text not captured)
  • 16. Let's Go Exploring Mobile Security!
  • 17. Stakeholders in Mobile Security. The threatscape has four layers, each with its own stakeholders: (1) Mobile platform: mobile manufacturers, IT, end users. (2) Applications: application developers, IT, end users. (3) Internet/networks: mobile operators, end users. (4) Application backend: application developers, IT, end users.
  • 18. Mobile security-specific issues: secure data storage (on disk); multiple-user support with security; strong authentication with poor keyboards
  • 19. Mobile security-specific issues: constrained browsing environment; information disclosure
  • 20. Mobile security-specific issues: location/privacy security; multifactor authentication; difficult patching/update process
  • 21. Diving deeper: Understanding the Threats
  • 22. Mobile Threatscape, layer 1 (Mobile). The four layers: Mobile, Applications, Internet/Networks, Application Backend.
  • 23. Mobile Security Assessment, step 1: Mobile Platform Security Audit
  • 24. Mobile Platform Security Threats (layer 1). Diverse platforms, each vulnerable to security problems (Android, iOS, BlackBerry, Windows Phone). Operating system security vulnerabilities: viruses and worms (is there an anti-virus?); break-in over Wi-Fi and the Internet (is there a firewall?); is there patch management? Is there a provision to regularly upgrade the OS? What happens if the phone is stolen? What happens if data is intentionally or accidentally deleted; is there a backup and restoration mechanism?
  • 25. Android Platform Security. Created by Google and the Open Handset Alliance; Linux based; Java programmable. Each application runs as its own Linux user (UID); Android applications are considered "equal".
  • 26. Android Platform Security. Permissions help provide data security. Android's permission model allows users to make bad but informed choices, and a confused user can't make good choices.
  • 27. Android Platform Security. Two applications can share the same user ID and so run within the same process and VM sandbox; to do so they must be signed with the same certificate. An application can also create files in world-readable or world-writable mode, which lets any application on the system read or write the host application's files.
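The world-readable/writable issue on slide 27 can be checked directly on a rooted device or emulator with `adb shell ls -lR /data/data/<package>`: because every Android app runs as its own UID, the "other" permission bits decide whether a different app can open a file. The following Python is an added example, not part of the presentation: it performs the same test over a local directory tree and flags every entry whose "other" bits are set. The sample package directory, its file names and their modes are constructed for the demonstration and are not taken from any real app.

```python
"""Flag files in an app's private data directory that other UIDs can read or write.

Added example (not from the slides). On Android each app is its own Linux user, so
the 'other' permission bits are what decide whether a *different* app can open a
file created with MODE_WORLD_READABLE / MODE_WORLD_WRITEABLE. On a device the same
check is `adb shell ls -lR /data/data/<package>`; here the walk runs over a local
directory, and build_sample_app_dir() constructs a tree that mimics one package dir.
"""
import os
import stat
import tempfile


def world_exposure(root):
    """Return sorted (relative_path, finding) pairs for every regular file or
    directory under root that is readable or writable by 'other'. Symlinks are
    skipped: their own mode bits are meaningless, the target's bits are what count."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            exposure = []
            if st.st_mode & stat.S_IROTH:
                exposure.append("readable")
            if st.st_mode & stat.S_IWOTH:
                exposure.append("writable")
            if exposure:
                findings.append((os.path.relpath(full, root), "world-" + "+".join(exposure)))
    return sorted(findings)


def build_sample_app_dir():
    """Constructed sample: a private database (0600), a settings file saved with a
    world-readable mode (0644) and a cache file that is world-readable and
    world-writable (0666). The directory itself stays owner-only (0700)."""
    root = tempfile.mkdtemp(prefix="com.example.notes-")   # mkdtemp creates it 0700
    files_dir = os.path.join(root, "files")
    os.mkdir(files_dir)
    os.chmod(files_dir, 0o700)
    for name, mode in (("notes.db", 0o600), ("settings.xml", 0o644), ("cache.json", 0o666)):
        path = os.path.join(files_dir, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    app_dir = build_sample_app_dir()
    for rel, finding in world_exposure(app_dir):
        print("%-24s %s" % (rel, finding))
```

Only the two files created with world bits are reported; the 0600 database and the 0700 directory are silent, which is the state every file under an app's private directory should be in unless the developer deliberately chose a shared-UID or content-provider design instead.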
  • 28. Android Platform Security. Android Market is the sick man of the app world: it is an open market; Google's Android Market has 90,000+ apps; recently Google removed 26 malicious apps.
  • 29. iOS Platform Security. Processor: ARM6 or ARM7 depending on the model. Runs iOS, derived from Mac OS X (FreeBSD heritage). Two primary users: mobile and root.
  • 30. iOS Platform Security. Around 500,000+ apps for the iOS platform. Code signing is applied to all applications; App Store applications are signed by Apple. All applications run as user "mobile", and sandboxing (chroot-style) restricts apps from each other. Applications are also encrypted when stored and decrypted at runtime before execution.
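Slide 30 notes that App Store binaries are stored encrypted and decrypted at run time. The practical consequence for an assessor is that static analysis has to wait until the binary has been dumped from a running process on a jailbroken device; the quickest way to tell which state a binary is in is the cryptid field of its LC_ENCRYPTION_INFO load command (the same field `otool -l` prints). The following Python is an added example, not from the presentation: it parses thin and universal (fat) Mach-O headers and reports cryptid per slice. The sample binaries are constructed in-line with struct; their segment offsets and sizes are arbitrary placeholders.

```python
"""Report whether each slice of an iOS app binary is still FairPlay-encrypted.

Added example (not from the slides). It reads the cryptid field of
LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64: 1 means the code is encrypted and must
be dumped from a running process before static analysis; 0 means clear text; None
means the slice has no encryption-info command at all (e.g. not an App Store build).
Sample binaries are constructed below with struct; no real app is bundled.
"""
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF      # thin slices are little-endian on iOS devices
FAT_MAGIC = 0xCAFEBABE                              # universal wrapper; its header is big-endian
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM, CPU_TYPE_ARM64 = 12, 0x0100000C


def slice_offsets(data):
    """Offsets of the thin Mach-O slices inside data (a single [0] for a thin file)."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return [0]
    nfat_arch, = struct.unpack_from(">I", data, 4)
    # fat_arch = cputype, cpusubtype, offset, size, align (five 32-bit big-endian words)
    return [struct.unpack_from(">iiIII", data, 8 + 20 * i)[2] for i in range(nfat_arch)]


def slice_cryptid(data, offset):
    """cryptid of the slice at offset, or None when it carries no LC_ENCRYPTION_INFO."""
    magic, = struct.unpack_from("<I", data, offset)
    if magic == MH_MAGIC_64:
        header_size = 32                  # mach_header_64 ends with a reserved word
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("not a little-endian Mach-O slice at 0x%x" % offset)
    ncmds, = struct.unpack_from("<I", data, offset + 16)   # ncmds sits after magic/cputype/cpusubtype/filetype
    pos = offset + header_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, pos)
        if cmdsize < 8:
            raise ValueError("malformed load command at 0x%x" % pos)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, pos + 8)
            return cryptid
        pos += cmdsize
    return None


def encryption_status(data):
    """List of (slice_offset, cryptid) for every slice in a thin or fat binary."""
    return [(off, slice_cryptid(data, off)) for off in slice_offsets(data)]


def is_encrypted(data):
    """True if any slice still has cryptid == 1 (i.e. dump it before disassembling)."""
    return any(cryptid == 1 for _, cryptid in encryption_status(data))


# --- constructed samples: minimal headers plus one encryption-info command ---

def build_thin(cryptid, is64=True, with_command=True):
    if is64:
        cmd = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0) if with_command else b""
        # mach_header_64: magic, cputype, cpusubtype, filetype (MH_EXECUTE=2), ncmds, sizeofcmds, flags, reserved
        hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 1 if cmd else 0, len(cmd), 0, 0)
    else:
        cmd = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x1000, 0x2000, cryptid) if with_command else b""
        hdr = struct.pack("<IiiIIII", MH_MAGIC, CPU_TYPE_ARM, 9, 2, 1 if cmd else 0, len(cmd), 0)  # subtype 9 = ARMv7
    return hdr + cmd


def build_fat(thins, page=0x1000):
    """Wrap thin slices in a fat header; each slice is placed on a page boundary."""
    archs, body = b"", b""
    for i, thin in enumerate(thins):
        cputype, = struct.unpack_from("<i", thin, 4)
        archs += struct.pack(">iiIII", cputype, 0, page * (i + 1), len(thin), 12)
        body += thin.ljust(page, b"\0")
    return (struct.pack(">II", FAT_MAGIC, len(thins)) + archs).ljust(page, b"\0") + body


if __name__ == "__main__":
    sample = build_fat([build_thin(1), build_thin(0, is64=False)])
    for off, cryptid in encryption_status(sample):
        print("slice @0x%05x cryptid=%s" % (off, cryptid))
    print("encrypted:", is_encrypted(sample))
```

For a real target, read the executable from the extracted IPA (`Payload/<App>.app/<App>`) and pass its bytes to `encryption_status`; a fat binary can mix slices, so the check is per slice rather than per file.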
  • 31. iOS Platform Security. Jailbreaking is the process of getting root access to the phone, which allows running custom software/firmware on it. Unlocking refers to bypassing the controls that bind the phone to a carrier, opening it for use with any carrier.
  • 32. Mobile Platform Security: BlackBerry. Proprietary OS created by RIM; provides multi-tasking support; currently version 7; written in C++. The OS supports input devices unique to the BlackBerry: trackball, trackwheel, touchscreen and touchpad. Runs on ARM 7, ARM 9 and ARM 11 processors.
  • 33. Mobile Platform Security: BlackBerry. As vulnerable as other phones, though still fewer incidents in number. Difficult to infect, as there is no popular public app store; most applications are loaded over the air by the network managers. Offers a strong suite of security features: end-to-end encryption; RSA SecurID two-factor authentication; HTTPS secure data access; strong IT policy enforcement and management; built-in firewall.
  • 34. BlackBerry Application Attacks. The browser is a key part of the BlackBerry; it is based on the open source WebKit, which is known to be vulnerable. The first public exploit on a BlackBerry was demoed at Pwn2Own 2011, with ARM-based exploit code.
  • 35. Microsoft Windows Phone. Microsoft's mobile OS. Windows Phone 7 was developed from scratch; currently in version 7.5 (called Mango). Not to be confused with the Windows 8 OS (one OS for desktops, laptops and tablets).
  • 36. Security Model. No support for removable storage; no tethered file system access from a PC; no concept of users and user logon; application-origin-based authentication and authorization. Elements of the Windows Phone security model: chambers, capabilities, application safeguards.
  • 37. Chambers: the principle of isolation and least privilege.
       - Trusted Computing Base (TCB): unrestricted access to the platform; driver and OS level code
       - Elevated Rights Chamber (ERC): user mode drivers and services
       - Standard Rights Chamber (SRC): all pre-installed Microsoft and OEM applications
       - Least Privileged Chamber (LPC): default permission set in which all apps from the App Marketplace run
  • 38. Capabilities. Capabilities are granted during application installation and their privileges cannot be elevated at run time. Capabilities include geographical location information, camera, microphone, networking and sensors. The Least Privileged Chamber (LPC) defines a minimal set of access rights by default, which helps reduce the attack surface.
  • 39. Application Safeguards. Application developers must register with Microsoft; there is a stringent check before inclusion in the App store; all applications are code-signed by VeriSign, and applications that are not code-signed cannot run on Windows Phone 7. Applications run in a sandboxed process: they can interact with the OS only in a limited way, and the Execution Manager monitors programs and kills those with unusual activity.
  • 40. Windows Mobile Malware. Source: http://news.cnet.com/8301-27080_3-20006882-245.html
  • 41. Secure Practices Recommendations: turn off GPS/Bluetooth when not in use; do not leave your phone unattended; make sure the OS and firmware are updated; use anti-virus software and keep the definition file up to date; password-protect your device and change the password regularly.
  • 42. Mobile Threatscape, layer 2 (Applications). The four layers: Mobile, Applications, Internet/Networks, Application Backend.
  • 43. Mobile Security Assessment, steps 1-2: Mobile Platform Security Audit; Mobile Application Security Audit
  • 44. Mobile Application Security Threats (layer 2): malware and Trojan applications; security vulnerabilities in code; client application security; bypassing enterprise policies (it is difficult to apply enterprise security policy); an application can act like a backdoor into the enterprise.
  • 45. What if there's a... Malware in My Mobile!!
  • 46. Malware that mails secrets! An unaware user downloads an app; its hidden Trojan mails all secrets to the attacker and tracks the user's location.
  • 47. Secure Practices Recommendations: address security in the mobile application development process; download apps from trustworthy sources; scrutinize the permission requirements of applications before installation; use mobile security apps for data protection.
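Slides 26-27 (Android permissions and sharedUserId), slide 38 (Windows Phone capabilities, fixed at install time) and the recommendation above to scrutinize permission requirements before installation all reduce to one question: what does the manifest ask for? The following Python is an added example, not from the presentation: it parses a constructed AndroidManifest.xml and a constructed WMAppManifest.xml and flags the combinations that matter, including the INTERNET-plus-data-source pairing that enables the "malware that mails secrets" scenario on slide 46. The triage sets are this example's own choices, not either vendor's protection-level tables, and both manifests are made up for the demonstration.

```python
"""Pre-install review of a mobile app manifest: what does the app ask for?

Added example (not from the slides). Android declares requests as <uses-permission>
entries, plus an optional android:sharedUserId that lets apps signed with the same
certificate share one UID and therefore each other's private files. Windows Phone 7
declares them as <Capability> entries in WMAppManifest.xml, granted at install and
never elevated at run time, so install time is the only point of control.
The triage sets below are this example's own; both sample manifests are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that hand the app sensitive data; INTERNET turns any of them into an
# exfiltration path (constructed triage list, not Android's protection levels).
DATA_SOURCES = {
    "android.permission.READ_SMS", "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.READ_PHONE_STATE",
}
COSTLY = {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"}

# Windows Phone 7 capabilities worth a second look (constructed triage list).
WP7_SENSITIVE = {"ID_CAP_LOCATION", "ID_CAP_MICROPHONE", "ID_CAP_ISV_CAMERA",
                 "ID_CAP_CONTACTS", "ID_CAP_IDENTITY_DEVICE", "ID_CAP_IDENTITY_USER"}


def _local(tag):
    """Strip an XML namespace prefix: '{ns}Capability' -> 'Capability'."""
    return tag.rsplit("}", 1)[-1]


def review_manifest(xml_text):
    """Return a dict describing what the manifest requests and a list of warnings."""
    root = ET.fromstring(xml_text)
    if root.tag == "manifest":                                  # AndroidManifest.xml
        perms = sorted(e.get(ANDROID_NS + "name") for e in root.iter("uses-permission"))
        shared = root.get(ANDROID_NS + "sharedUserId")
        warnings = []
        if shared:
            warnings.append("sharedUserId: shares UID (and private files) with any app signed by the same key")
        data = sorted(p for p in perms if p in DATA_SOURCES)
        if data and "android.permission.INTERNET" in perms:
            warnings.append("exfiltration possible: INTERNET combined with " + ", ".join(data))
        warnings.extend("costly action: " + p for p in perms if p in COSTLY)
        return {"platform": "android", "package": root.get("package"),
                "sharedUserId": shared, "permissions": perms, "warnings": warnings}
    if _local(root.tag) == "Deployment":                        # WMAppManifest.xml
        caps = sorted(el.get("Name") for el in root.iter() if _local(el.tag) == "Capability")
        warnings = ["sensitive capability: " + c for c in caps if c in WP7_SENSITIVE]
        return {"platform": "windowsphone", "capabilities": caps, "warnings": warnings}
    raise ValueError("unrecognised manifest root <%s>" % root.tag)


# Constructed samples: a note-taking app that asks for far more than it needs.
ANDROID_SAMPLE = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes" android:sharedUserId="com.example.shared">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Notes"/>
</manifest>
"""

WP7_SAMPLE = """\
<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2009/deployment" AppPlatformVersion="7.1">
  <App Title="Notes">
    <Capabilities>
      <Capability Name="ID_CAP_NETWORKING"/>
      <Capability Name="ID_CAP_LOCATION"/>
    </Capabilities>
  </App>
</Deployment>
"""

if __name__ == "__main__":
    for sample in (ANDROID_SAMPLE, WP7_SAMPLE):
        report = review_manifest(sample)
        print(report["platform"], report.get("permissions") or report.get("capabilities"))
        for w in report["warnings"]:
            print("  !", w)
```

The Android report is the one a user never sees at install time in a readable form: a notes app with READ_SMS, fine location and INTERNET is exactly the shape of slide 46, and the sharedUserId means its private files are also open to a sibling app signed with the same key.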
  • 48. Mobile Threatscape, layer 3 (Internet/Networks). The four layers: Mobile, Applications, Internet/Networks, Application Backend.
  • 49. Mobile Security Assessment, steps 1-3: Mobile Platform Security Audit; Mobile Application Security Audit; Mobile Network Security Audit
  • 50. Network Access Security Threats (layer 3). Heterogeneous network risks: GPRS/3G/4G, Wi-Fi, Bluetooth, PC synchronization. Interfaces that are "on" by default open the device up to network-based attacks, and every access mechanism has its own security implications. Unauthorized access is difficult to control and prevent; each mechanism requires a custom solution, which is difficult to apply uniformly across all devices on the network.
  • 51. Understanding Mobile Connectivity (diagram: device, sync; labels not captured)
  • 52. Full Disclosure: Hacking Mobile Phones using Bluetooth!
  • 53. Secure Practices Recommendations: use a device inventory and track all mobile devices before and after allowing network access (you can't protect or manage what you can't see); non-compliant mobile phones should be denied network access until they have been scanned, patched or remediated; do not access corporate secured sites over public Wi-Fi.
  • 54. Mobile Threatscape, layer 4 (Application Backend). The four layers: Mobile, Applications, Internet/Networks, Application Backend.
  • 55. Application Backend Security Threats (layer 4). Application farm security vulnerabilities: web server, database server, storage server and load balancer security bugs. Web application security vulnerabilities: OWASP Top 10 security problems; advanced web application attacks. Web service security vulnerabilities. Client application security vulnerabilities.
  • 56. Security Breach Targets iPad Servers
  • 57. Confidential Information Exposed!!
  • 58. Mobile Security Assessment, steps 1-4: Mobile Platform Security Audit; Mobile Application Security Audit; Mobile Network Security Audit; Application Backend Security Audit
  • 59. Mobile Security Challenges in an Enterprise Environment
  • 60. Enterprise Mobile Security Challenges: information disclosure policies; lack of knowledge about risk; difficulty and complexity in implementation
  • 61. Enterprise Mobile Security Challenges: restricting mobile Internet access; remote control, tracking and data wiping; enterprise-wide mobile security policies
  • 62. Enterprise Security Recommendations. Challenges: a lost or stolen device; providing support to multiple devices; controlling data flow on multiple devices; preventing unauthorized synchronization. Recommendations: implement a central management console; implement centrally managed systems with strong access control; secure servers with mobile device managers; monitor and restrict data transfers to handheld or removable storage devices; provide a mechanism for installing apps centrally through an authorized server; user awareness: create keen awareness of secure information assets and their risk and value to the enterprise.
  • 63. The Future. Mobile and cloud will turn traditional IT and computing on its head. It's about user experience (U-Ex). Virtual smart phones (mobile hypervisor). Dynamic context- and content-aware data protection. NFC-enabled smart phones will take center stage and may replace cards.
  • 64. Thank you! Santosh Satam; ssatam@mielesecurity.com; www.securitycrunch.in; @satamsantosh; http://in.linkedin.com/in/santoshsatam; https://www.facebook.com/satamsantosh
  • 65. "Any people that would give up liberty for a little temporary safety deserves neither liberty nor safety." Benjamin Franklin
  • 66. References: Securing Mobile Devices, ISACA Emerging Technology Whitepaper; Developing Secure Mobile Applications for Android: An introduction to making secure Android applications, Jesse Burns; Mobile banking: Safe, at least for now, Elinor Mills
