
Appsecurity, win or lose


1000+ apps are released on Google Play and the App Store every day! The most popular ones are downloaded 75 000 times a day. There are many success factors that must be met for your app to be successful, and one of these is trust.

Published in: Mobile

Appsecurity, win or lose (slide transcript)

  1. Mobile Security: App Security – Win or Lose. Date… By Anders Flaglien, Security Consultant
  2. 1000+ apps are released on Google Play and the App Store every day! The most popular ones are downloaded 75 000 times a day. There are many success factors that must be met for your app to be successful, and one of these is trust.
  3. At least when you process business confidential data… Trust is «everything». Copyright © 2015 Accenture All rights reserved.
  4. Top 10 downloaded apps* with more than 100 million downloads all rely on users to trust them and the services they offer. *In Google Play according to Wikipedia, 26.10.2014
  5. Would you give a random app a lot of permissions to control your device without your approval? These are some of ONE app's 40+ permissions to do «whatever»:
     • create accounts and set passwords
     • change audio settings
     • override other apps
     • take pictures and videos
     • record audio
     • modify or delete the contents of USB storage
     • modify the call log
     • directly call phone numbers
     • read the call log
     • read text messages (SMS or MMS)
     • precise location (GPS and network-based)
     • modify your contacts
     • read calendar events and confidential information
     • add or modify calendar events and send email to guests without the owner's knowledge
  6. What is Trust? …belief that someone or something is reliable, good, honest, effective, secure… How to achieve this?
  7. Open Web Application Security Project (OWASP). The OWASP Top 10 Mobile Risks help us to secure mobile applications for our clients, so can you!
     • M1: Weak Server Side Controls
     • M2: Insecure Data Storage
     • M3: Insufficient Transport Layer Protection
     • M4: Unintended Data Leakage
     • M5: Poor Authorization and Authentication
     • M6: Broken Cryptography
     • M7: Client Side Injection
     • M8: Security Decisions Via Untrusted Inputs
     • M9: Improper Session Handling
     • M10: Lack of Binary Protections
  8. OWASP Top 10 Mobile Risks, Example 1: Broken Crypto (Top 10 list repeated from slide 7)
  9. Of all apps out there, you should trust that bank applications are secure, right?
  10. OWASP Top 10 Mobile Risks, Example 3: Data leakage and lack of binary protection (Top 10 list repeated from slide 7)
  11. What if I make a game, would I need to secure it?
  12. OWASP Top 10 Mobile Risks, Example 4: More than five risks in a combined scenario… (Top 10 list repeated from slide 7)
  13. Scandinavian teenagers' favorite picture-sharing app has a not-that-appealing feature…
     • The app's goal is to meet users' need to communicate instant photos and videos without the fear that a post or picture will be held against them in the future
  14. The examples show that we might have to reconsider our trust in some top 10 apps… …So how can we learn from others' mistakes and build trust?
  15. Executive Summary: Mobile Security – Mobile Security Strategy and Capabilities (Mobile Security Overview)
     Business Challenges
     • Organizational Challenges: no organizational structure or buy-in from business units across the organization; lack of training, communication, and awareness
     • Process Challenges: lack of or poorly defined mobile security strategy; security policies driven by consumerization without consideration of security strategies make BYOD more of a risk to the enterprise
     • Technology Challenges: difficulty protecting sensitive data on mobile devices; growing Wi-Fi population and inappropriate controls within the infrastructure; unknown vulnerabilities within mobile application exploits, backend infrastructure, unauthorized access
     Drivers
     • Mobilize your workforce to work from anywhere and increase productivity
     • Enable Bring Your Own Device (BYOD) to increase self service, improve satisfaction, and reduce the Total Cost of Ownership (TCO)
     Solution
     • Governance: define processes, policies and support; identify preferred suppliers
     • Users/Identity: define role access, authorization, and authentication; understand usage and prepare users
     • Applications: securely develop, test and distribute apps; manage usage and connectivity to backend systems
     • Data: secure data (enterprise/personal) communication and protection; classification and functionality
     • Network: architecture to support new interactions (wireless, remote); provide secure enterprise connectivity and monitoring
     • Device: define appropriate management program and supported platforms; secure the device while providing choice and flexibility to end users
     Benefits (Business Values / Technical Benefits)
     • Reduction of threats and vulnerabilities
     • Proper administration, controls, and technology to protect critical systems and data
  16. Several components need to be addressed to provide comprehensive mobile security. Copyright © 2013 Accenture All rights reserved. Reference: Information Security Forum; National Institute of Standards and Technology
     Mobile Security Strategy: a comprehensive program and strategy to embed security throughout the enterprise's mobile lifecycle
     • Users & Identity: roles and authorization levels and authentication; evaluation / monitoring of usage patterns; program awareness and education
     • Applications: SDLC development; testing; distribution / provisioning; access control; secure connection to backend systems and data (e.g. cloud); monitoring / management
     • Data: classification; authentication; secure connection; strong encryption; data loss prevention; secure storage; audit and forensics
     • Network: voice; secure remote connectivity; monitoring and testing; wireless networking; use of untrusted and/or public networks
     • Device: security functionality; control connectivity; secure remote connections; disposal and wipe; synchronization / backup; ability to update; physical access; tracking / management
     • Governance: define processes and policies (ownership, connectivity, applications, privacy, audit / wipe); support / training; identify preferred suppliers / service level for business
  17. The OWASP Top 10 Mobile Security Risks empowered by the Solution Landscape. Accenture contributed our view to the OWASP Top 10 Mobile Risks and developed a solution framework to address them:
     1. Insecure or unnecessary data storage and transmission
     2. Applications with higher privileges than required and/or authorized
     3. Use of (or failure to disable) insecure mobile device platform features in application
     4. Allowing access to resources without strong authentication
     5. Malicious/counterfeit third-party code
     6. Insecure or unnecessary interaction between applications and OS components
     7. Server accepting unvalidated or unauthenticated input from mobile devices
     8. Personal or corporate data leakage
     9. Client-side injection and overflows
     10. Client-side DoS
     [Figure: Map Risk to the Mobile Environment – the ten risks above mapped across Mobile Apps, Mobile Platform/Device, Mobile Network, Enterprise Network/Enclave and Back End Services/Cloud; Solutions Landscape across the same columns: Mobile App Security Code Review, Mobile App/Platform Security Review, Mobile Device Threat Analysis, Private Mobile App Stores, Mobile Device Host-Based Security, Secure Mobile Voice as a Service, Mobile App PKE]
  18. Mobile Security – Example Use Cases (not comprehensive). Use case and key considerations:
     • Consumer Applications: protection of customer data; secure communication with service provider; maintaining trust and enhancing user experience
     • Enterprise Mobile Application: protection of enterprise data; distribution and management; enhanced productivity
     • Enterprise BYOD (User Owned): limited controls on a privately owned device; balance between corporate and private data; governance of policies and procedures to control functionality (example: wiping the device, use of native controls); asset management, authorization and authentication
     • Enterprise Provisioned Devices (Corporate Owned): fully specified security configurations; balance between corporate and private data; governance of policies and procedures to control functionality (example: wiping the device, use of native controls); asset management, authorization and authentication
     • Email Security: securing enterprise data and confidential information; maintaining user experience
     • Desktop Virtualization: leverage existing hardware investments or personally owned devices; protection of enterprise systems and data
     • Point of Sale/Connected Devices: device hardening; network hardening; protection of end user and enterprise systems and data (cross-industry)
  19. Questions?
