Android Camp 2011 @ Silicon India

This is the presentation I gave at Android Camp and Mobile Developer Summit held in 2011.

  1. 1. Building and Deploying Safe and Secure Android Apps for Enterprise. Presented by Technology Consulting Group at Endeavour Software Technologies
  2. 2. Session Contents
     • Overview of Mobility and Mobile Security
         – Introduction to Mobility
         – Mobile Security
     • Best Practices for Secure Software Development
     • Android OS
         – Security Architecture and deployment
         – Android Attack Surfaces
         – Enterprise features, What can we leverage?
     • Questions?
     © 2011 Endeavour Software Technologies
  3. 3. Mobility
     • A Capability
     • Communicate and Access
     • On the Move
     • Anytime
     • From Anywhere
     • Voice, Messages, Data
     Enterprise Mobility: The ability of an enterprise to connect to people and control assets from any location. Technologies that support enterprise mobility include wireless networks, mobile applications, middleware, devices, and security and management software. (Forrester Research Definition)
  4. 4. What is happening in the Corporate World?
  5. 5. Mobile Security – Everywhere!
     (Diagram labels: Application Level, Device Level, Network Level)
  6. 6. Mobile Security Considerations
     (Diagram labels: Infrastructure, Middleware, Application)
     • Mobility Infrastructure
         – Security is a key focus area.
         – Ensuring existing policies are implemented
         – Integration with existing tools, systems
         – Keep devices light, manageable
     • Mobile Middleware Platform
         – Composite Applications Landscape and devices
         – Mobile Device Management
         – Mobile Data Synchronization
         – Phased approach for Common Services and Mobile Applications
     • Mobile Applications Distribution
         – Enterprise distribution through OTA to specific devices
  7. 7. Application Security – Must Include
     (Diagram labels: User Authentication; Data Security on Device; Device Management and Application Provisioning; Data in Transit Issue)
  8. 8. Mobile Security Considerations
     Access
         • Credentials
         • IMEI/2FA
         • OTP, User-Agent
         • Quick Access Code, Token
     Storage
         • Files
         • Key Storage
         • Resources
     Transportation
         • Session
         • Protocols
         • Connection Points
  9. 9. Enterprise Mobile Security – Do’s
  10. 10. Enterprise Mobile Security – Best Practices
     1. Protect the Brand Your Customers Trust
     2. Know Your Business and Support it with Secure Solutions
     3. Understand the Technology of the Software
     4. Ensure Compliance to Governance, Regulations, and Privacy
     5. Know the Basic Tenets of Software Security
     6. Ensure the Protection of Sensitive Information
     7. Design, Develop and Deploy Software with Secure Features
  11. 11. Android Security Architecture
     (Diagram labels: Permission Based Model, Remote App Management, Sandbox)
  12. 12. Android Security – Permission based model
     • Permission-based Model
         – Linux + Android’s Permission
         – Well defined at system level
         – Approved by user at install
         – High-level permissions restricted by Android runtime framework
         – For example, an application that needs to monitor incoming SMS messages would specify

           <manifest xmlns:android="http://schemas.android.com/apk/res/android"
               package="com.android.app.myapp" >
               <uses-permission android:name="android.permission.RECEIVE_SMS" />
               ...
           </manifest>
  13. 13. Android Security – Remote App Management
     • Remote Install/removal
         – Google can remove or install apps remotely
         – Users can install apps remotely from online Android Market http://market.android.com
  14. 14. Android Security - Sandbox
  15. 15. Android’s Attack Surfaces
     • Isolated applications are like having a multi-user system
     • Single UI/Device: Secure sharing of UI and IO
     • Principal maps to code, not user (like browsers)
     • Appeals to user for all security decisions
     • Phishing style attack risks
     • Linux, not Java, Sandbox. Native code not a barrier
     • Any Java App can execute shell, load JNI libraries, write and exec programs
     Reference – iSEC PARTNERS
  16. 16. Enterprise features (Froyo/Gingerbread)
     • Remote wipe
         – Remotely reset the device to factory defaults
     • Improved security
         – Addition of numeric PIN, alphanumeric passwords to unlock the device
     • Exchange calendars
     • Auto-discovery
     • Global Address List
     • C2DM* – Cloud to device messaging
     *It is still part of Google Code Labs
  17. 17. Enterprise features (Honeycomb)
     • New device administration policies
         – Encrypted storage
         – Password expiration
         – Password history
         – Complex characters in password
     • Configure HTTP proxy for each connected WiFi access point (AOS 3.1 only)
     • Encrypted storage cards
  18. 18. Thanks!
     • You!
         – For patiently listening to us!
     • Silicon India team
     • Endeavour’s Android TCG team
     • Happy to receive feedback and questions at tcg@techendeavour.com
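
Slide 12 describes permissions declared in the manifest and approved at install time. The following is an added example, not part of the original presentation, showing how a reviewer could list the permissions a source-form AndroidManifest.xml requests and flag the ones worth questioning before enterprise deployment. The REVIEW_LIST contents and the function name are assumptions chosen for illustration, and the sample manifest is constructed from the slide's snippet.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"   # ElementTree form of android:name

# Assumption: a reviewer-chosen watch list, not an official Android classification.
REVIEW_LIST = {
    "android.permission.RECEIVE_SMS": "can read incoming SMS, including OTP messages",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.SEND_SMS": "can send SMS",
    "android.permission.READ_CONTACTS": "can read the address book",
    "android.permission.ACCESS_FINE_LOCATION": "can read precise location",
    "android.permission.RECORD_AUDIO": "can record from the microphone",
}

def audit_manifest(manifest_xml):
    """Return (package, requested, flagged) for a plain-text AndroidManifest.xml.

    Works on the source manifest; the binary XML inside a built APK must be
    decoded to text first.
    """
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("root element is not <manifest>")
    requested = []
    for elem in root.findall("uses-permission"):
        name = elem.get(NAME_ATTR)
        # Reject a declaration that lacks the namespaced android:name
        # attribute rather than guessing what was meant.
        if name is None:
            raise ValueError("uses-permission without android:name")
        if name not in requested:          # collapse duplicate declarations
            requested.append(name)
    flagged = {p: REVIEW_LIST[p] for p in requested if p in REVIEW_LIST}
    return root.get("package"), requested, flagged

# Constructed sample based on the slide's manifest (INTERNET and the
# duplicate RECEIVE_SMS line are added here for the demonstration).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.app.myapp">
  <uses-permission android:name="android.permission.RECEIVE_SMS" />
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.RECEIVE_SMS" />
</manifest>"""

if __name__ == "__main__":
    package, requested, flagged = audit_manifest(SAMPLE)
    print(package, requested)
    for perm, why in flagged.items():
        print("REVIEW:", perm, "-", why)
```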
