YOUR MOBILE SECURITY COMFORT
04/04/16
SMARTPHONES:
INTERNET HAS GONE MOBILE
SCENARIO
MobiSEC s.r.l. | Treviso - Via Municipio 6/A - 31100 Italy - Tel. +39 0422 968588
email: info@mobisec.it | P.Iva, C.F. e numero iscrizione al Registro delle Imprese di Treviso: 04735010268 | Capitale sociale € 10.000,00 i.v. REA TV-373846 |
www.mobisec.it
PREMISES - SALES VOLUMES
Smartphone purchases reached almost 1.5 billion in 2015, with 8.5% growth from 2014.
Consumers purchased more than 490 million in the third quarter of 2014, with 4.9% growth compared to the same quarter of 2013.
Manufacturer | 2015* Shipment Volumes | 2015 Market Share | 2015 Year-Over-Year Growth | 2019 Shipment Volumes | 2019 Market Share | 2019 Year-Over-Year Growth | 5-Year CAGR
Android | 1,149.3 | 79.4% | 8.5% | 1,524.1 | 79.0% | 5.0% | 7.5%
iOS | 237.0 | 16.4% | 23.0% | 274.5 | 14.2% | 3.0% | 7.3%
Windows Phone | 46.8 | 3.2% | 34.1% | 103.5 | 5.4% | 13.6% | 24.3%
Others | 14.2 | 1.0% | 3.9% | 26.3 | 1.4% | 7.5% | 14.0%
TOTAL | 1,447.3 | 100.0% | 11.3% | 1,928.4 | 100.0% | 5.1% | 8.2%
*=millions
PREMISES - DATA USAGE
Mobile data traffic reached 1,600 PetaBytes in the second half of 2013, with a more than exponential trend.
[Chart: total (uplink + downlink) monthly traffic in PetaBytes, voice and data, by quarter, 2007 to 2013. Source: Ericsson (August 2013)]
PREMISES - ADDICTION AND TIME SPENT
Mobile addiction continues its rise among all user ranges.
[Figure: Flurry research into mobile addicts.]
[Figure: Flurry on time spent and revenue on TV vs Mobile.]
In the US the average time spent using apps has exceeded TV watching.
In 2015 in the UK 55% of smartphone users spend at least 1 hour a day
SMARTPHONES:
RISK HAS GONE MOBILE
SCENARIO
WHAT NOW?
Internet is going Mobile
Business is going Mobile
Risks are going Mobile
HOW MUCH DO WE TRUST OUR PHONE?
- what you buy
- how you use your phone
- who you are
- your relationships
- where you are = your habits and places
- your conversations
- your memories
- what you see
- what you say
- your internet traffic
TOO MUCH.
You probably don’t trust even your friends enough to share all these details of your life with them.
And remember: your phone applications run in the background and access your information even when you are not using it and when you’re not aware they’re doing it.
HOW MUCH DO WE TRUST OUR NEIGHBOR?
TOO MUCH.
They constantly gather users' information and behavior.
They are constantly profiling our customers and they lead the Big Data frontier.
And remember: your applications share basic information with all these big players for service and advertising purposes.
You’d better check what is shared on purpose and what is left behind by mistake.
HOW MUCH DO WE TRUST OUR APPS?
TOO MUCH.
Our app can be the first backdoor and Trojan horse into our legacy systems.
Once a malicious actor reaches our systems, it is easy to steal all of our best assets:
- customer data
- customer behaviors and use
- transactions
- know-how
- sensitive information
- access for defacement and for hacking communication points
MOBILE FRAUDS AND MONEY LOSS
Major Data Breach at JP Morgan Chase Hits 76 Million
JP Morgan Chase, one of the world's largest banks in terms of assets, acknowledged a massive data breach that affected 76 million households and 7 million small businesses.
Bill Hardekopf
Symantec estimates the average cost of a mobile incident at a staggering $429,000.
- remediation
- refund
- loss of trust (a customer who doesn’t trust you is a new customer for your competitors)
Apple cleaning up iOS App Store after first major attack
The company disclosed the effort after several cyber security firms reported finding a malicious program dubbed XcodeGhost that was embedded in hundreds of legitimate apps.
By Jim Finkle | REUTERS BOSTON
WHAT WE CAN GIVE TO OUR CUSTOMERS
100% security is a chimera. But Mobisec can get closer to it.
[Chart: average actual exposure of mobile apps to fraud and breach risks]
Mobisec Security significantly raises the safety, security and protection of your mobile application.
MOBISEC MOBILE SECURITY
STATE OF THE ART
Mobisec Italia is an Italian startup born in April 2015.
The first product has been engineered and implemented since early 2013 by Alessandro Nepoti (technical leader and CTO) and Alberto Zannol (Product Officer, CEO).
In the last months of 2014, after several months of study and prototyping, the final candidate was released.
In April the company was founded with an industrial strategic partner, and it is now starting to operate in the market with its first product, Mobisec Security Analysis.
MOBISEC SECURITY ANALYSIS
WHAT IS MOBISEC
Mobisec Security Analysis is a client and server application platform to ensure that mobile applications are not exposed to design and implementation vulnerabilities.
Its competitive differential is that, on top of the routine static checks that other market solutions can already perform on mobile applications, Mobisec Security Analysis also verifies and ensures that the structure, design and components are secure and that your distributed application can run on a mobile system without any kind of threat or danger.
Mobisec Security Analysis bases its security check procedures on ethical hacking principles, following all the dynamic use cases needed to perform a complete security check:
• penetration test
• vulnerability assessment
• security audit
WHAT MAKES MOBISEC DIFFERENT?
We can find different security solutions on the market, but they only ensure static security verifications or malware/virus scans.
That is not what Mobisec Security Analysis has been released for.
Borrowing from the scientific world, security check applications and antivirus products work on a diagnosis & remedy basis.
Mobisec Security Analysis is not a doctor; it is more like a geneticist that checks base rationales, design patterns, product architecture and models, in order to find and prevent not only declared security problems but also all those defects and design errors that may result in security threats, combining security blueprints and guidelines with design, architectural and implementation models.
WHAT MAKES MOBISEC DIFFERENT?
Competitors | Mobisec Security Analysis
Diagnosis & remedy, 1 at a time (medic) | From design, to implementation, to dynamic use (geneticist)
Short term validity | Every day during the whole life cycle of the app
3 to 5 weeks for a security report | 1 to 2 days for a security report
EXPENSIVE for a one-time full security analysis | cheap fee for a year subscription (infinite runs, infinite reports)
analysis carried within the app sandbox | analysis carried on the app sandbox, communications with other apps and with the OS even when in background
source code, tech docs & details | black box approach
WHAT MOBISEC PROTECTS
Mobisec Security Analysis checks every piece of data, function, transaction and component used by mobile applications during a customer session.
Our dynamic security analysis is aimed at protecting:
• Corporate data
• Company business
• Consumer data
• Money transactions
• Mobile payments
• Confidential information
• Reserved or premium services
• Accounts and personal data
• Private health data
• Sensitive information
COMPONENTS
MOBISEC ANATOMY
Mobisec Security Analysis is a platform.
It is structured in 4 main components:
1. kext device agent (client)
2. service/events handler and data collector (services)
3. pattern matching engine (server - definitions, knowledge, matching maps)
4. reporting master (server)
Each component interacts with the mobile application, its functions, its processes, its mobile environment and the data and communications that the application produces.
[Diagram: Agent, Services (events and data collector), Matching Engine, Report]
COMPONENTS
AGENT
It’s the client component.
It is installed on the device.
It is an OS kernel extension, and its activity generates events on the GUI and in the mobile application components in order to gather the communications and triggers activated during mobile application use.
We work at kernel level. We track ALL during your app use.
iOS Agent (C/ObjC application): agent compliant with any iDevice running iOS 6.x/7.x/8.x.
Android Agent (C/Java application): agent compliant with any Android device running 2.x/3.x/4.x.
Our model office is compliant with the following configuration:
iOS: 7.x, 8.x, 9.x
Android: 3.x, 4.x, 5.x/6.x (1 for each big vendor: Samsung, Nexus, HTC, according to current market stats)
(iOS 9.x and Android 5.x on next release, 1st half 2016)
COMPONENTS
SERVICES (events and data collector and test policies instructor)
Communication services between agent and server.
It is a bidirectional, full-duplex communication bus, able to gather and send to the server end all the data registered by the agent during the execution of its routines, and also to push from the server to the agent instructions and directives that modify the agent runtime (requests to enable/disable security hooks, fuzz tests, execution frequency rate, scenarios, test cases, etc.).
COMPONENTS
MATCHING ENGINE
It is the interpretation logic of the system.
It contains, for each application domain, all the known vulnerability and risk cases, the relational patterns that link them, their risk level and their coexistence probability.
It’s a dynamic, non-relational MongoDB database, extended with the result patterns found by every security analysis during all the test sessions.
It combines in a heuristic model all the data gathered from the agent and decides whether any case, whether or not it represents a threat by itself, can be dangerous if combined with other occurrences of other vulnerabilities in the system.
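The combination idea described for the matching engine, as an added Python sketch that is not Mobisec's code: findings that are minor on their own are escalated when a known pattern of coexisting cases is present in the same test session. The case names, risk scale, patterns and sample sessions are all constructed assumptions; only the six domain names come from the deck.

```python
from dataclasses import dataclass

# The six domains named in the deck; every finding must belong to one of them.
DOMAINS = {"Sensitive Data", "Operations", "Network", "System",
           "Untrusted Input", "Broken Cryptography"}


@dataclass(frozen=True)
class Finding:
    case_id: str   # hypothetical case name, not a Mobisec identifier
    domain: str
    risk: int      # risk of the case on its own: 1 (low) to 5 (critical)


@dataclass(frozen=True)
class Pattern:
    name: str
    requires: frozenset   # case ids that must all occur in the same session
    combined_risk: int    # risk once those cases coexist
    why: str


# Constructed knowledge base: each pattern links cases that are minor alone.
PATTERNS = [
    Pattern("token-leaves-sandbox-via-backup",
            frozenset({"AUTH_TOKEN_IN_PLAINTEXT_FILE", "APP_BACKUP_ENABLED"}), 5,
            "a plaintext session token is copied out of the sandbox with backups"),
    Pattern("long-lived-session-over-unverified-tls",
            frozenset({"TLS_CERT_NOT_VALIDATED", "SESSION_ID_NEVER_ROTATED"}), 5,
            "a session id exposed on the network stays valid indefinitely"),
    Pattern("log-readable-by-other-apps",
            frozenset({"VERBOSE_DEBUG_LOGGING", "LOG_ON_SHARED_STORAGE"}), 4,
            "personal data written to the log is readable outside the app"),
]


def evaluate_session(findings):
    """Score one session: base risks plus escalations from coexisting cases."""
    for f in findings:
        if f.domain not in DOMAINS:
            raise ValueError(f"unknown domain for {f.case_id}: {f.domain}")
        if not 1 <= f.risk <= 5:
            raise ValueError(f"risk out of range for {f.case_id}: {f.risk}")
    present = {f.case_id: f for f in findings}
    base = max((f.risk for f in findings), default=0)
    escalations = []
    for p in PATTERNS:
        if not p.requires.issubset(present):
            continue  # at least one member of the pattern was not observed
        members = [present[c] for c in sorted(p.requires)]
        alone = max(m.risk for m in members)
        if p.combined_risk > alone:  # report only genuine escalations
            escalations.append({
                "pattern": p.name,
                "domains": sorted({m.domain for m in members}),
                "risk_alone": alone,
                "risk_combined": p.combined_risk,
                "why": p.why,
            })
    overall = max([base] + [e["risk_combined"] for e in escalations])
    return {"overall_risk": overall, "base_risk": base, "escalations": escalations}


# Constructed sample sessions (not real scan output).
SESSION_A = [
    Finding("AUTH_TOKEN_IN_PLAINTEXT_FILE", "Sensitive Data", 2),
    Finding("APP_BACKUP_ENABLED", "System", 1),
    Finding("VERBOSE_DEBUG_LOGGING", "Operations", 1),
    Finding("WEAK_HASH_MD5", "Broken Cryptography", 3),
]
SESSION_B = [f for f in SESSION_A if f.case_id != "APP_BACKUP_ENABLED"]

if __name__ == "__main__":
    for label, session in (("A", SESSION_A), ("B", SESSION_B)):
        print(label, evaluate_session(session))
```
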
COMPONENTS
REPORT MASTER
It contains the representation grammar of all the data collected by the agent, transmitted by the services and processed by the Pattern Matching Engine.
It’s a JSON-style query engine that extracts records and, with a Jasper connector, merges them into a PDF template, according to the presentation and layout model settings.
It can also be extended to feed a real-time report engine or ALM and configuration management tools, to provide real-time reports to the dev teams.
SCOPES AND DOMAINS
SCOPES AND DOMAINS
The Pattern Matching Engine combines the scopes, which we can call “investigation scopes”, with their applicability domains to reach the right analysis target.
DOMAINS
The domains in which the solution operates, and into which it orders the data gathered by the agent, are the following:
1. Sensitive Data
2. Operations
3. Network
4. System
5. Untrusted Input
6. Broken Cryptography
ANALYSIS SCOPES
The coverage of these domains allows the solution to cover all these security areas:
- Network vulnerabilities
- Insecure storage of sensitive data or lack of protection
- Insecure use of cryptography for transmitting data or for local storage
- Weak session management
- Unauthorised access to other users’ accounts
- Untrusted input
- Well-known platform vulnerabilities
- Errors triggering sensitive information leaks
- Broken ACLs/Weak passwords
ANALYSIS TARGETS
To ensure that the target mobile application preserves confidentiality, integrity and availability, the Mobisec mobile security model is applied; the main concerns are how to decompose the system into relevant components and how to analyze each of them in depth against spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege.
To apply the model, the system inspects five targets: data flows, data stores, processes, interactors and the system trust boundaries.
ANALYSIS TARGETS 1/2
Data flows
Represent data in motion over network connections, named pipes, mail slots, SMS channels, phone calls and so on.
Data stores
Represent files, databases and property keys: which resources are being used and how they are used.
Processes
Are computations or programs run by the user system or the kernel.
Mobisec can grant control not only within the app sandbox, but also over other apps and OS properties.
ANALYSIS TARGETS 2/2
Interactors
Are the end points of the system. They can be internal, like user interactions with the UI, location sensors, Contacts, Phone, etc., or external, like web services, ads, etc.
In general, they are the data providers and consumers that are outside the scope of your app and system, but clearly related to it.
Trust boundaries
Are perhaps the most subjective of all: they represent the border between trusted and untrusted elements in the mobile operating system and its trusted execution environment.
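The decomposition described on the ANALYSIS TARGETS slides, as an added Python example that is not Mobisec's code: a small app model is split into interactors, processes, data stores and data flows, each is checked against the six threat categories, and flows that cross a trust boundary are listed first. The applicability table is the conventional STRIDE-per-element mapping from threat-modeling practice, not something the deck states, and the sample banking app, its element names and trust zones are constructed assumptions.

```python
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

# Conventional STRIDE-per-element applicability (assumption, see lead-in).
APPLIES = {"interactor": "SR", "process": "STRIDE",
           "data_store": "TID", "data_flow": "TID"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str             # "interactor", "process" or "data_store"
    zone: str             # trust zone the element lives in
    is_log: bool = False  # logs are also subject to repudiation threats


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element

    @property
    def crosses_boundary(self):
        # A trust boundary is crossed when the two ends sit in different zones.
        return self.src.zone != self.dst.zone


def categories_for(kind, is_log=False):
    """Threat categories to examine for one kind of target."""
    if kind not in APPLIES:
        raise ValueError(f"unknown target kind: {kind}")
    letters = APPLIES[kind]
    if kind == "data_store" and is_log:
        letters += "R"
    return [STRIDE[c] for c in letters]


def enumerate_threats(elements, flows):
    """Build the review checklist, boundary-crossing flows first."""
    rows = []
    for e in elements:
        for threat in categories_for(e.kind, e.is_log):
            rows.append({"target": e.name, "kind": e.kind,
                         "threat": threat, "crosses_boundary": False})
    for f in flows:
        for threat in categories_for("data_flow"):
            rows.append({"target": f"{f.src.name} -> {f.dst.name} ({f.name})",
                         "kind": "data_flow", "threat": threat,
                         "crosses_boundary": f.crosses_boundary})
    rows.sort(key=lambda r: not r["crosses_boundary"])  # stable sort
    return rows


def sample_model():
    """Constructed model of a mobile banking app (illustrative only)."""
    user = Element("User", "interactor", "user")
    app = Element("Banking app", "process", "app sandbox")
    db = Element("Local account cache", "data_store", "app sandbox")
    log = Element("Debug log file", "data_store", "shared storage", is_log=True)
    api = Element("Backend web service", "interactor", "internet")
    ads = Element("Ads service", "interactor", "internet")
    flows = [
        Flow("UI input", user, app),
        Flow("cached balances", app, db),
        Flow("HTTPS API calls", app, api),
        Flow("log writes", app, log),
        Flow("ad requests", app, ads),
    ]
    return [user, app, db, log, api, ads], flows


if __name__ == "__main__":
    for row in enumerate_threats(*sample_model()):
        mark = "BOUNDARY" if row["crosses_boundary"] else "        "
        print(f'{mark}  {row["kind"]:<10}  {row["target"]:<48}  {row["threat"]}')
```
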
COMMERCIAL
TARGETS
TARGETS
Mobisec Security Analysis aims to be a solution for the whole market chain. It protects customer data and accounts, as well as companies' business lines and customer base, and it also has strategic value for agencies, system integrators and mobile app developers as best-practice knowledge in secure software development.
1. Companies
2. Consumers
3. Developers / SI
OUR CUSTOMERS
Mobisec Security Analysis has been released for all the market players with dispositive/business/premium service or data mobile applications, especially for these market verticals:
1. ecommerce & shopping
2. sensitive data & privacy
3. self care & self service
4. dispositive services
5. communication and premium contents/services
OUR CUSTOMERS
The previous prospect classes define the following target profiles:
1. banks & finance (1, 2, 3, 4, 5)
2. insurance (2, 3, 4)
3. betting & gaming (1, 2, 3, 4, 5)
4. Telco (1, 2, 3)
5. Healthcare (2, 3, 4)
6. PA and citizen services = health, public entities, etc. (2, 3, 4, 5)
7. ecommerce and b2c (1, 2, 4, 5)
8. b2b & corporate properties (1, 3, 4, 5)
COMPANIES - CUSTOMERS
[Matrix: customer types (Banks & Finance, Insurances, Betting & gaming, Telco, Healthcare, B2B, B2C, PA) against market verticals (eCommerce, Privacy, Self Care, Services, Communication)]
SERVICE MODEL
SERVICE MODEL
Service proposition
The service proposition for Mobisec Security Analysis is PaaS:
- laboratory inside Mobisec premises
- laboratory managed and operated by Mobisec technicians
- no need of dedicated staff for customers
- no HW and infrastructure costs for customers
- CVE and software upgrades available in real time
- solution is ready for operations at time 0
- no need for source code or detailed documentation
- no need for support during analysis phases
- no need for devices or mobile supplies
Thanks.
contacts: alberto.zannol@mobisec.it

Ahmed Motair CV April 2024 (Senior SW Developer)
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 

Mobisec Brief Presentation INTL

  • 1. YOUR MOBILE SECURITY COMFORT 04/04/16
  • 3. PREMISES - SALES VOLUMES: Smartphone purchases reached almost 1.5 billion in 2015, with 8.5% growth from 2014. Consumers purchased more than 490 million in the third quarter of 2014, 4.9% growth compared to the same quarter of 2013.

    | Manufacturer | 2015* Shipment Volumes | 2015 Market Share | 2015 Year-Over-Year Growth | 2019 Shipment Volumes | 2019 Market Share | 2019 Year-Over-Year Growth | 5-Year CAGR |
    |---|---|---|---|---|---|---|---|
    | Android | 1,149.3 | 79.4% | 8.5% | 1,524.1 | 79.0% | 5.0% | 7.5% |
    | iOS | 237.0 | 16.4% | 23.0% | 274.5 | 14.2% | 3.0% | 7.3% |
    | Windows Phone | 46.8 | 3.2% | 34.1% | 103.5 | 5.4% | 13.6% | 24.3% |
    | Others | 14.2 | 1.0% | 3.9% | 26.3 | 1.4% | 7.5% | 14.0% |
    | TOTAL | 1,447.3 | 100.0% | 11.3% | 1,928.4 | 100.0% | 5.1% | 8.2% |

    * = millions
  • 4. PREMISES - DATA USAGE: Mobile data traffic reached the 1,600 PetaBytes mark in the second half of 2013, with a more than exponential trend. [Chart: total (uplink + downlink) monthly traffic in PetaBytes, voice and data, by quarter from 2007 to Q2 2013. Source: Ericsson (August 2013).]
  • 5. PREMISES - ADDICTION AND TIME SPENT: Mobile addiction continues its rise among all user ranges. [Figures: Flurry research into mobile addicts; Flurry on time spent and revenue on TV vs mobile.] In the US the average time spent using apps has exceeded TV watching. In 2015 in the UK 55% of smartphone users spend at least 1 hour a day
  • 6. SMARTPHONES: RISK HAS GONE MOBILE SCENARIO
  • 7. WHAT NOW? Internet is going Mobile. Business is going Mobile. Risks are going Mobile.
  • 8. HOW MUCH DO WE TRUST OUR PHONE? What you buy; how you use your phone; who you are; your relationships; where you are (= your habits and places); your conversations; your memories; what you see; what you say; your internet traffic. TOO MUCH. You probably don't trust even your friends enough to share all these details of your life with them. And remember: your phone applications run in the background and access your information even when you are not using them and when you're not aware they're doing it.
  • 9. HOW MUCH DO WE TRUST OUR NEIGHBOR? TOO MUCH. They constantly gather users' information and behavior. They are constantly profiling our customers and they lead the Big Data frontier. And remember: your applications share basic information with all these big players for service and advertising purposes. You'd better check what is shared on purpose and what is left behind by mistake.
  • 10. HOW MUCH DO WE TRUST OUR APPS? TOO MUCH. Our app can be the first backdoor and Trojan horse into our legacy systems. Once someone with malicious intent reaches our systems, it is easy to steal all of our best assets:
      - customer data
      - customer behaviors and use
      - transactions
      - know-how
      - sensitive information
      - access for defacement and communication point hacks
  • 11. MOBILE FRAUDS AND MONEY LOSS: "Major Data Breach at JP Morgan Chase Hits 76 Million. JP Morgan Chase, one of the world's largest banks in terms of assets, acknowledged a massive data breach that affected 76 million households and 7 million small businesses." (Bill Hardekopf) Symantec estimates the average cost of a mobile incident at a staggering $429,000. Remediation, refund, loss of trust (a customer who doesn't trust you is a new customer for your competitors). "Apple cleaning up iOS App Store after first major attack. The company disclosed the effort after several cyber security firms reported finding a malicious program dubbed XcodeGhost that was embedded in hundreds of legitimate apps." (By Jim Finkle, Reuters, Boston)
  • 12. WHAT WE CAN GIVE TO OUR CUSTOMERS: 100% security is a chimera. But Mobisec can get closer to it. Average actual exposure of mobile apps to fraud and breach risks. Mobisec Security significantly raises the safety, security and protection of your mobile application.
  • 14. STATE OF THE ART: Mobisec Italia is an Italian startup born in April 2015. The first product has been engineered and implemented since early 2013 by Alessandro Nepoti (technical leader and CTO) and Alberto Zannol (Product Officer, CEO). In the last months of 2014, after several months of study and prototyping, the final candidate was released. In April the company was founded with an industrial strategic partner, and it is now starting to operate in the market with its first product, Mobisec Security Analysis.
  • 16. WHAT IS MOBISEC: Mobisec Security Analysis is a client and server application platform to ensure that mobile applications are not exposed to design and implementation vulnerabilities. Its competitive differentiator is that, on top of the routine static checks that other market solutions can already perform on mobile applications, Mobisec Security Analysis also verifies that the structure, design and components are secure and that your distributed application can run on a mobile system without any kind of threat or danger. Mobisec Security Analysis bases its security check procedures on ethical hacking principles, following all the dynamic use cases needed to perform a complete security check:
      - penetration test
      - vulnerability assessment
      - security audit
  • 17. WHAT MAKES MOBISEC DIFFERENT? We can find different security solutions on the market, but they only provide static security verification or malware/virus scanning. That is not what Mobisec Security Analysis has been released for. To borrow from the scientific world, security check applications and antivirus work on a diagnosis-and-remedy basis. Mobisec Security Analysis is not a doctor; it is more like a geneticist that checks the underlying rationale, design patterns, product architecture and models, to find and prevent not only declared security problems but also all those defects and design errors that may result in security threats, combining security blueprints and guidelines with design, architectural and implementation models.
  • 18. WHAT MAKES MOBISEC DIFFERENT?

    | Competitors | Mobisec Security Analysis |
    |---|---|
    | Diagnosis & remedy, 1 at a time (medic) | From design, to implementation, to dynamic use (geneticist) |
    | Short term validity | Every day during the whole life cycle of the app |
    | 3 to 5 weeks for a security report | 1 to 2 days for a security report |
    | EXPENSIVE for a one-time full security analysis | cheap fee for a year subscription (infinite runs, infinite reports) |
    | analysis carried within the app sandbox | analysis carried on the app sandbox, communications with other apps and with the OS even when in background |
    | source code, tech docs & details | black box approach |
  • 19. WHAT MOBISEC PROTECTS: Mobisec Security Analysis checks every piece of data, function, transaction and component used by mobile applications during a customer session. Our dynamic security analysis is aimed at protecting:
      - Corporate Data
      - Company Business
      - Consumer data
      - Money transactions
      - Mobile Payments
      - Confidential information
      - Reserved or premium services
      - Accounts and personal data
      - Health private data
      - Sensitive information
  • 21. MOBISEC ANATOMY: Mobisec Security Analysis is a platform. It is structured in 4 main components:
      1. kext device agent (client)
      2. service/events handler and data collector (services)
      3. pattern matching engine (server - definitions, knowledge, matching maps)
      4. reporting master (server)
    Each component interacts with the mobile application, its functions, its processes, its mobile environment and the data and communications that the application produces. [Diagram: Agent, Services (events and data collector), Matching Engine, Report.]
  • 22. COMPONENTS - AGENT: It's the client component. It is installed on the device. It is an OS kernel extension, and its activity generates events on the GUI and in the mobile application components in order to gather the communications and triggers activated during use of the mobile application. We work at kernel level. We track ALL during your app use. iOS Agent (C/Objective-C application): agent for any iDevice, iOS 6.x/7.x/8.x compliant. Android Agent (C/Java application): agent for any Android device, 2.x/3.x/4.x compliant. Our model office is compliant with the following configuration: iOS: 7.x, 8.x, 9.x; Android: 3.x, 4.x, 5.x/6.x (1 for each big vendor: Samsung, Nexus, HTC, according to current market stats) (iOS 9.x and Android 5.x on next release, 1st half 2016).
  • 23. COMPONENTS - SERVICES (events and data collector and test policies instructor): Communication services between agent and server. It is a bidirectional, full-duplex communication bus, able to gather and send to the server all the data registered by the agent during routine execution, and also to push from the server to the agent instructions and directives that modify the agent runtime (security hook enable/disable requests, fuzzy test, execution frequency rate, scenarios, test cases, etc.).
  • 24. COMPONENTS - MATCHING ENGINE: It is the interpretation logic of the system. It contains, for each application domain, all the known vulnerability and risk cases, the relational patterns that link them, and their risk level and coexistence probability. It's a dynamic, non-relational MongoDB database, extended with the result patterns found in every security analysis during all the test sessions. It combines all the data gathered from the agent in a heuristic model and decides whether any case, whether or not it represents a threat by itself, can be dangerous if combined with occurrences of other vulnerabilities in the system.
  • 25. COMPONENTS - REPORT MASTER: It contains the representation grammar of all the data collected by the agent, transmitted by the services and processed by the Pattern Matching Engine. It's a JSON-style query engine that extracts records and, with a Jasper connector, merges them into a PDF template, according to the presentation and layout model settings. It can also be extended to feed a real-time report engine or ALM and configuration management tools, to provide real-time reports to the dev teams.
  • 27. SCOPES AND DOMAINS - MATCHING ENGINE: The Pattern Matching Engine combines the scopes, which we can call "investigation scopes", with their applicability domains to reach the right analysis target.
  • 28. DOMAINS: The domains in which the solution operates, and by which it orders the data gathered by the agent, are the following:
      1. Sensitive Data
      2. Operations
      3. Network
      4. System
      5. Untrusted Input
      6. Broken Cryptography
  • 29. ANALYSIS SCOPES: The coverage of these domains allows the solution to cover all these security areas:
      - Network vulnerabilities
      - Insecure storage of sensitive data or lack of protection
      - Insecure use of cryptography for transmitting data or for local storage
      - Weak session management
      - Unauthorised access to other users' accounts
      - Untrusted input
      - Well known platform vulnerabilities
      - Errors triggering sensitive information leaks
      - Broken ACLs/Weak passwords
  • 30. ANALYSIS TARGETS: To ensure that the target mobile application preserves confidentiality, integrity and availability when the Mobisec mobile security model is applied, the main concerns are how to decompose the system into relevant components and how to analyze each of them in depth against spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege. To apply the model, the system inspects five targets: data flows, data stores, processes, interactors and the system trust boundaries.
  • 31. ANALYSIS TARGETS 1/2:
      - Data flows: represent data in motion over network connections, named pipes, mail slots, SMS channels, phone calls and so on.
      - Data stores: represent files, databases and property keys, which resources are being used and how they are used.
      - Processes: are computations or programs run by the user, the system or the kernel. Mobisec can grant control not only within the app sandbox, but also over other apps and OS properties.
  • 32. ANALYSIS TARGETS 2/2:
      - Interactors: are the end points of the system. They can be internal, like user interactions with the UI, location sensors, Contacts, Phone, etc., or external, like Web services, Ads, etc. In general, they are the data providers and consumers that are outside the scope of your app and system, but clearly related to it.
      - Trust boundaries: are perhaps the most subjective of all. They represent the border between trusted and untrusted elements in the mobile operating system and its trusted execution environment.
  • 34. TARGETS: Mobisec Security Analysis is aimed to be a solution for the whole market chain. It protects customer data and accounts, as well as companies' business lines and customer base, and it also has strategic value for agencies, system integrators and mobile app developers as a knowledge best practice in secure software development. 1. Companies 2. Consumers 3. Developers / SI
  • 35. OUR CUSTOMERS: Mobisec Security Analysis has been released for all the market players with dispositive/business/premium service or data mobile applications, especially for these market verticals:
      1. ecommerce & shopping
      2. sensitive data & privacy
      3. self care & self service
      4. dispositive services
      5. communication and premium contents/services
  • 36. OUR CUSTOMERS: The previous prospect classes define a target profile as follows:
      1. banks & finance (1, 2, 3, 4, 5)
      2. insurance (2, 3, 4)
      3. betting & gaming (1, 2, 3, 4, 5)
      4. Telco (1, 2, 3)
      5. Healthcare (2, 3, 4)
      6. PA and citizen services = health, public entities, etc. (2, 3, 4, 5)
      7. ecommerce and b2c (1, 2, 4, 5)
      8. b2b & corporate properties (1, 3, 4, 5)
  • 37. COMPANIES - CUSTOMERS: [Matrix of market verticals (eCommerce, Privacy, Self Care, Services, Communication) against customer sectors (Banks & Finance, Insurances, Betting & gaming, Telco, Healthcare, B2B, B2C, PA).]
  • 39. SERVICE MODEL: The service proposition for Mobisec Security Analysis is PaaS:
      - laboratory inside Mobisec properties
      - laboratory managed and operated by Mobisec technicians
      - no need for dedicated staff for customers
      - no HW and infrastructure costs for customers
      - CVE and software upgrades available in real time
      - solution is ready for operations at time 0
      - no need for source code or detailed documentation
      - no need for support during analysis phases
      - no need for devices or mobile supplies
  • 40. Thanks. Contacts: alberto.zannol@mobisec.it. MobiSEC s.r.l. | Treviso - Via Municipio 6/A - 31100 Italy - Tel. +39 0422 968588 | email: info@mobisec.it | P.Iva, C.F. e numero iscrizione al Registro delle Imprese di Treviso: 04735010268 | Capitale sociale € 10.000,00 i.v. REA TV-373846 | www.mobisec.it
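
The decomposition described on the ANALYSIS TARGETS slides (the six threat categories checked against data flows, data stores, processes, interactors and trust boundaries) can be sketched as follows. This is an added Python example, not Mobisec's code: the per-element applicability chart is the commonly used STRIDE-per-element convention, and the app model, zone names and function names are constructed for illustration.

```python
from dataclasses import dataclass

# The six threat categories named on the ANALYSIS TARGETS slide.
STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Assumption: the widely used STRIDE-per-element chart, not Mobisec's rules.
APPLICABLE = {
    "process": "STRIDE",
    "data_store": "TID",
    "data_flow": "TID",
    "interactor": "SR",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # "process", "data_store" or "interactor"
    zone: str  # trust zone the element lives in


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str


def crossing_flows(elements, flows):
    """Names of data flows whose endpoints sit in different trust zones."""
    zone = {e.name: e.zone for e in elements}
    return {f.name for f in flows if zone[f.src] != zone[f.dst]}


def enumerate_threats(elements, flows):
    """Return (target, kind, threat, at_boundary) rows, boundary rows first."""
    crossing = crossing_flows(elements, flows)
    # Elements touched by a boundary-crossing flow are reviewed first.
    exposed = {n for f in flows if f.name in crossing for n in (f.src, f.dst)}
    rows = []
    for e in elements:
        for letter in APPLICABLE[e.kind]:
            rows.append((e.name, e.kind, STRIDE[letter], e.name in exposed))
    for f in flows:
        for letter in APPLICABLE["data_flow"]:
            rows.append((f.name, "data_flow", STRIDE[letter], f.name in crossing))
    # Stable sort keeps the model order inside each group.
    return sorted(rows, key=lambda r: not r[3])


# Constructed model of a mobile banking app (illustrative only).
ELEMENTS = [
    Element("user", "interactor", "external"),
    Element("app", "process", "app_sandbox"),
    Element("token_store", "data_store", "app_sandbox"),
    Element("backend_api", "interactor", "remote"),
]
FLOWS = [
    Flow("login_input", "user", "app"),
    Flow("token_write", "app", "token_store"),
    Flow("api_call", "app", "backend_api"),
]

if __name__ == "__main__":
    for target, kind, threat, at_boundary in enumerate_threats(ELEMENTS, FLOWS):
        mark = "BOUNDARY" if at_boundary else "internal"
        print(f"{mark:8}  {kind:10}  {target:12}  {threat}")
```

Trust boundaries are not given threats of their own here; they decide which flows and endpoints are reviewed first.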