Mobile Application Security

2,399 views

Published on

An overview of the security challenges and opportunities that mobile application developers must work through

Published in: Technology, Business
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,399
On SlideShare
0
From Embeds
0
Number of Embeds
27
Actions
Shares
0
Downloads
169
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Mobile Application Security

  1. 1. Mobile Application Security Chris Clark cclark@isecpartners.com iSEC Partners, Inc. 04/23/09 | AND-301 Session Classification: Intermediate
  2. 2. Agenda Mobile Today Security Challenges Supporting Security Actions 2
  3. 3. Mobile Today
  4. 4. Mobile Phone Sales Per Year 1200 Phones 1000 In Millions 800 600 400 200 0 1997 2009 Data from Tomi Ahonen Almanac 2009 4
  5. 5. 5
  6. 6. Major Smartphone Platforms 6
  7. 7. 7
  8. 8. Trend Catalysts • Sexier Devices • Unlimited Data Plans • Younger Generation • Provider App Stores • F500 Acceptance • Multi-Environment Phones 8
  9. 9. Security Challenges
  10. 10. What is Security? • Not the PC or Server Model – Single User – High-Value Information – Low-Value Applications • Availability and Power • Local Attacker Resistance 10
  11. 11. The Airline Pocket • Physical Security Just Doesn’t Exist • Phones will Be Lost • Need Ways of Protecting Data – Local encryption – Cloud storage 11
  12. 12. Hardware Limitations • Limited Bandwidth • Power • CPU • Size Technology Will Solve These 12
  13. 13. Screen Size *From RSnake 13
  14. 14. Poor Keyboards C)sOz*ao1pdn 14
  15. 15. Regulations 15
  16. 16. User Identification • Real Time • Must be Available Immediately • One Handed Interface • More Prompts than PC 16
  17. 17. “Ownership” • OS Vendor • User • Carrier • Application Developer All “Own” the Phone and Have Differing Objectives 17
  18. 18. Distribution Challenges • Indirect Customer Relationship • Patching Difficulties – Carriers are anti-patch • Long Update Lag • Multiple Hardware Platforms 18
  19. 19. Web Browsers • Different Browser Chrome • Inconsistent Standards Support • Too Much WebKit 19
  20. 20. Unsafe Languages • Windows Mobile (C/C++) – .Net Mobile Framework (safe) – /GS, SafeCRT • iPhone (Objective-C) – Has C Constructs – NX Stack/Heap • Symbian (Symbian C++) – C++ with more Complex Memory Management 20
  21. 21. Technical Comparison Feature Blackberry WinMo 6.x iPhone 2.2.1 Android Enterprise Mail and Calendar Remote Wipe Side-Load Applications Application Sandbox User permission UI App Signing Browser 21
  22. 22. Technical Comparison Feature Blackberry WinMo 6 iPhone 2.2.1 Android Application Language Permission Model App Buffer Overflows OS Buffer Overflow Protections Signature Required?
  23. 23. Vulnerability Count by Platform 23
  24. 24. Desktop Heritage 24
  25. 25. Growing Security Activity • Targeted by Security Community • CanSecWest • Asian & European Research • Commercial Spy Products 25
  26. 26. Mobile Web Presence • Multiple Internet Presences – Mobile vs. Standard • Both are on the Internet – Accept “All” Connections – Pen-Test from Desktop • Common Real World Result: – Primary website secured – Mobile site unprotected 26
  27. 27. Common Mobile Portal Mistakes • Using a Different SLD – bank.mobilecorp.com – mobilecorp.com/bank • Same Credentials as .com • Phishing Education Destroyed – If it Ever Worked
  28. 28. Supporting Security
  29. 29. Security Goals • Users can Safely Run Applications • OS Protected from Applications – A.K.A. Steal Carrier Revenue • Per-Application Private Data • Contain Vulnerabilities 29
  30. 30. Two Models Old Way New Way App App App Privileged Normal App App App 30
  31. 31. Old Way • BlackBerry & Windows Mobile • All or Nothing • Signatures Defines Permission Level • No or Limited File Permission Systems • No “users” – Good, because it doesn’t make sense 31
  32. 32. Pros/Cons Pros Cons • Easy to Understand • No Exploit Containment • Easy to Test • User can’t Make Granular Choices 32
  33. 33. Windows Mobile App 1 App 2 App 3 App 4 Kernel Kernel File System 33
  34. 34. Blackberry • J2ME Based • No Raw Device Access • Web Services and Web Based Models 34
  35. 35. Security Opportunities • More Granular Permissions • Sandboxed Applications • Reduced Attack Surface • Give Users Control of Data 35
  36. 36. iPhone App 1 App 2 App 3 App 4 Kernel App 1 App 2 App 3 App 4 Data Data Data Data 36
  37. 37. iPhone • One Distribution Method • Strict AppStore Policy • Non-Technological Policy Enforcement Application Store is a Security Barrier 37
  38. 38. Android & Symbian App 1 App 2 App 3 App 4 Kernel App 1 App 2 App 3 App 4 Data Data Data Data 38
  39. 39. Benefits • Extensible to Custom Data Types • Users Have Control • Same-Developer Sandbox – An Office Suite is Possible – Attack Surface Increased 39
  40. 40. Challenges 40
  41. 41. Android Market • Self-Signed Certificates • Community Reputation • No Unsigned Code Allowed Application Store is a Security Barrier 41
  42. 42. Actions
  43. 43. For Enterprises • Define a Mobile Application Security Policy • Set User Application Security Policy – Are App Stores Allowed? • Build Secure Line of Business Applications • Create a Unified Model for Mobile Interactions – Don’t mix “m.” with /mobile or .mobi domains 43
  44. 44. For Developers • Define Security Assertions for Users • Define Threats – Lost Phone – Network Attacks • Create Limits – E.g. Read-only Mobile Endpoints • Apply Secure Development Guidelines • Test on Real Devices 44
  45. 45. For Mobile Web Developers • Disallow Older Browsers • Do Not Decrease Overall Security – Tightly-Scope Functionality – Use SSL and Proper Domains • Strong Authentication – Unique Authentication for Mobile Sites • Don’t Make Phishing Easier – Keep Links out of Email – Maintain Clear Message 45
  46. 46. Questions? cclark@isecpartners.com 46

×