SlideShare a Scribd company logo

liferay-safe-slides.pdf

S
Salini P

Thesis ppt

Education
1 of 15
Download to read offline
DEVELOPMENT OF A PRIVACY PRESERVING! LIFERAY PORTAL DOCUMENT SYNCHRONIZER! FOR ANDROID! BY! MAX PERRY PERINATO! Thesis Supervisor: Prof. Michele Bugliesi! Department of Environmental Sciences, Informatics and Statistics MASTER OF SCIENCE IN COMPUTER SCIENCE A.Y. 2011/2012 VENICE, 1 MARCH 2013
Motivation! • Bring-Your-Own-Device is becoming an inevitable trend (Juniper Research)! • Employees are bringing their own smartphones and tablets to work! ➔ Access to documents anytime, anywhere! – Private information concerning the enterprise! – Personal information about employees and clients! ➔ Confidentiality and liability issues arise! ! • Security and data breach are the greatest barriers for BYOD (Trend Micro)! !
Mobile Security Risks • Mobile device security model erroneously based on security model of predecessor: laptop computer! • Mobile devices are always turned on and almost always connected! ➔ new set of security risks and attack vectors! • Information discloure via flash memory or RAM! • Privilege escalation bugs! ! • Bad design and insecure coding practices!
Mobile Attacks
Private! Data! Private ! Data! Private ! Data! Preserving Privacy of Enterprise Data • BYOD poses one major challenge to be addressed: ! ! – Protecting and securing the privacy of sensitive data at all times while allowing unrestricted access to public data! • Information security becomes highly dependent on situational information:! – Security of the device, its location, the user, the network and the apps being used! CIA Triad – ISO 27001! • Access to sensitive data can be allowed with “Security Containers” ! – Can mitigate risks surrounding CIA of resources! – Can be trusted by enterprises!
• Android app for synchronization of documents with Liferay Portal! ➔ “The leading open source Portal for the Enterprise”! • Built as a Security Container! – Data encryption ! – Data access and usage control! – Security of data in transit! – Security of user credentials! – Data loss prevention: passcode enforcement, automatic/remote application lock and data wiping! – Dynamic provisioning of user trust! ! • Provides security of private data and offline usage! ! • Protection from malicious outsiders! – e.g., device loss or theft! • Protection from malicious insiders! – e.g., employee leaves the company! !
Android is leading the pack… • 722.3 million smartphones shipped globally in 2012! ! ! • 68.8% (497.1 million) are Android devices!
…but popularity comes at a price! • 145.000 malicious Android apps released in 3Q12 (Trend Micro)! • Lack of a control in app development and effective moderation in Google Play store ! ➔ Can lead to exposure of private information! • Androidʼs security model is flawed:! – Kernel-level sandboxing! ➔Allows privilege escalation attacks (Davi et al.)! – Application-level mandatory access control! ➔Allows permission misuse and insecure data flows (Fuchs et al.) ! ! • Inter-application message passing also an attack surface. ! ➔ Message contents sniffed, modified, stolen or replaced (Chin et al.)!
Client-Server Architecture! • Transport Layer Security (TLS) protocol for communication security ! – Prevents eavesdropping, tampering, and message forgery! • Server identity authentication! – Full validation of CA-signed certificate! • OAuth 2.0 protocol for client authorization! – Separates API security credentials from the Userʼs credentials ! • Access Tokens can be revoked for an individual User or the entire app! – Unique identifier tied to the app, hard to guess, with restricted scope and limited lifetime! • Disabling of insecure channels and TLS validation to prevent side channel & stripping attacks   Weʼll see these next!
Challenges 1/2! • Lack of a “root of trust”, enterprises can trust neither its employees nor their own devices! • Complex management and protection of encryption keys and OAuth tokens ! • Offline usage hinders user revocation, and remote wiping or locking! • Little control over how devices are used and what apps are installed! ! • Rooting a device is easy (e.g., SuperOneClick), no 100% effective way to detect it! • On some devices fastboot allows to re-flash partitions and install a Custom Firmware (e.g., CyanogenMod)! ! !
Challenges 2/2! ! • Data extraction with open source forensics tools (e.g., OSAF-TK, Santoku)! ! • Limited internal storage. Mountable (and removable) external storage! • Impracticable data zeroization on NAND Flash memory due to wear leveling technique! ! • Negative impact of security provisions on user experience and battery life! ! !
Private Documents Caching and Encryption! • Encrypted caching of private data for offline usage! • App-level Virtual Encrypted Disk based on IOCipher library (by The Guardian Project)! – Clone of the standard java.io API! – SQLCipher (by Zetetic LLC) 256-bit AES transparent on-the-fly encryption ! – Libsqlfs (by PalmSource) POSIX style file system on top of an SQLite database! • VED initialized with random master key encrypted with a 256-bit AES key derived from the Access Token! – Access Token has a validity of 24 hours! – When the Token expires the master key and the VED file are erased! – Access Token can also be revoked from the server!
Access Token Management! • Access Token is secured in RAM by CacheGuard! • In-memory obfuscation! • Mitigates lack of a “root of trust” problem! • Exposure to memory analysis! ➔ requires gaining root privileges (Sylve et. Al)! ! • Android Debug Bridge! ➔ Mitigation: Enforce disabling of “USB debugging” setting! • Recovery Boot! ➔ Assumption: Access Token is cleared after reboot! • Remote Exploitation! ➔ Mitigation: Require minimum Android version (at least Jelly Bean)! • Complete access to device! ➔ Mitigation: Enforce use of a password screen lock! ! ➔ Attempt to detect if the device is rooted with a set of heuristics!
Conclusions! • Documents are safe with BYOD at a trade-off: at the state of the art itʼs not possible to provide privacy preservation and offline access without posing any assumptions and constraints:! – 24 hours limited offline access! – Definition and enforcement of enterprise policies! – Size limit of private documents (available RAM)! – Minimum Android version (4.1 Jelly Bean) ! – Mandatory screen lock and disabled “USB debugging” setting! – Reduced battery life! • Lack of a “root of trust”: some Android devices currently embed a Trusted Platform Module (i.e., Secure Element), but itʼs not open to third-party apps! – Necessary to establish a ground of truth on which to build security! – Help increase trustworthiness of consumer devices! ! !
“Never commit to memory what can be easily looked up in books.”! ! - Albert Einstein!

Recommended

Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageAnant Shrivastava
 
Spikes Security Isla Isolation
Spikes Security Isla IsolationSpikes Security Isla Isolation
Spikes Security Isla IsolationCybryx
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applicationsmgianarakis
 
CocoaConf Austin 2014 | Demystifying Security Best Practices
CocoaConf Austin 2014 | Demystifying Security Best PracticesCocoaConf Austin 2014 | Demystifying Security Best Practices
CocoaConf Austin 2014 | Demystifying Security Best PracticesMutual Mobile
 
Mobile Security
Mobile SecurityMobile Security
Mobile SecurityXavier Mertens
 
Security challenges for IoT
Security challenges for IoTSecurity challenges for IoT
Security challenges for IoTWSO2
 
Marcos de Pedro Neoris authenware_cybersecurity step1
Marcos de Pedro Neoris authenware_cybersecurity step1Marcos de Pedro Neoris authenware_cybersecurity step1
Marcos de Pedro Neoris authenware_cybersecurity step1Marcos De Pedro
 
Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security
 

Recommended

Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageAnant Shrivastava
 
Spikes Security Isla Isolation
Spikes Security Isla IsolationSpikes Security Isla Isolation
Spikes Security Isla IsolationCybryx
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applicationsmgianarakis
 
CocoaConf Austin 2014 | Demystifying Security Best Practices
CocoaConf Austin 2014 | Demystifying Security Best PracticesCocoaConf Austin 2014 | Demystifying Security Best Practices
CocoaConf Austin 2014 | Demystifying Security Best PracticesMutual Mobile
 
Mobile Security
Mobile SecurityMobile Security
Mobile SecurityXavier Mertens
 
Security challenges for IoT
Security challenges for IoTSecurity challenges for IoT
Security challenges for IoTWSO2
 
Marcos de Pedro Neoris authenware_cybersecurity step1
Marcos de Pedro Neoris authenware_cybersecurity step1Marcos de Pedro Neoris authenware_cybersecurity step1
Marcos de Pedro Neoris authenware_cybersecurity step1Marcos De Pedro
 
Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security
 
Mobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseMobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseBlueinfy Solutions
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Claus Cramon Houmann
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2drewz lin
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk Managementipspat
 
IoT World - creating a secure robust IoT reference architecture
IoT World - creating a secure robust IoT reference architectureIoT World - creating a secure robust IoT reference architecture
IoT World - creating a secure robust IoT reference architecturePaul Fremantle
 
A Reference Architecture for IoT: How to create a resilient, secure IoT cloud
A Reference Architecture for IoT: How to create a resilient, secure IoT cloudA Reference Architecture for IoT: How to create a resilient, secure IoT cloud
A Reference Architecture for IoT: How to create a resilient, secure IoT cloudWSO2
 
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet ChallengeWSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet ChallengeWSO2
 
Mobility & BYOD: Leveraging Best Practices and Latest Technologies for Compre...
Mobility & BYOD: Leveraging Best Practices and Latest Technologies for Compre...Mobility & BYOD: Leveraging Best Practices and Latest Technologies for Compre...
Mobility & BYOD: Leveraging Best Practices and Latest Technologies for Compre...UL Transaction Security
 
Baking Security into the Company Culture (2017)
Baking Security into the Company Culture (2017) Baking Security into the Company Culture (2017)
Baking Security into the Company Culture (2017) Mike Kleviansky
 
It security the condensed version
It security the condensed version It security the condensed version
It security the condensed version Brian Pichman
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLiphonepentest
 
OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014Islam Azeddine Mennouchi
 
Cyber security event
Cyber security eventCyber security event
Cyber security eventTryzens
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityClaus Cramon Houmann
 
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfitsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfMansoorAhmed57263
 
IT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptIT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptOoXair
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile AppsSophos Benelux
 
Security Testing for IoT Systems
Security Testing for IoT SystemsSecurity Testing for IoT Systems
Security Testing for IoT SystemsSecurity Innovation
 
Internet security
Internet securityInternet security
Internet securityAntony Mathew
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 

More Related Content

Similar to liferay-safe-slides.pdf

Mobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseMobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseBlueinfy Solutions
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Claus Cramon Houmann
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2drewz lin
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk Managementipspat
 
IoT World - creating a secure robust IoT reference architecture
IoT World - creating a secure robust IoT reference architectureIoT World - creating a secure robust IoT reference architecture
IoT World - creating a secure robust IoT reference architecturePaul Fremantle
 
A Reference Architecture for IoT: How to create a resilient, secure IoT cloud
A Reference Architecture for IoT: How to create a resilient, secure IoT cloudA Reference Architecture for IoT: How to create a resilient, secure IoT cloud
A Reference Architecture for IoT: How to create a resilient, secure IoT cloudWSO2
 
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet ChallengeWSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet ChallengeWSO2
 
Mobility & BYOD: Leveraging Best Practices and Latest Technologies for Compre...
Mobility & BYOD: Leveraging Best Practices and Latest Technologies for Compre...Mobility & BYOD: Leveraging Best Practices and Latest Technologies for Compre...
Mobility & BYOD: Leveraging Best Practices and Latest Technologies for Compre...UL Transaction Security
 
Baking Security into the Company Culture (2017)
Baking Security into the Company Culture (2017) Baking Security into the Company Culture (2017)
Baking Security into the Company Culture (2017) Mike Kleviansky
 
It security the condensed version
It security the condensed version It security the condensed version
It security the condensed version Brian Pichman
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLiphonepentest
 
Cyber security event
Cyber security eventCyber security event
Cyber security eventTryzens
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityClaus Cramon Houmann
 
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfitsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfMansoorAhmed57263
 
IT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptIT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptOoXair
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
Security Testing for IoT Systems
Security Testing for IoT SystemsSecurity Testing for IoT Systems
Security Testing for IoT SystemsSecurity Innovation
 

Similar to liferay-safe-slides.pdf (20)

Mobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseMobile security chess board - attacks & defense
Mobile security chess board - attacks & defense
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk Management
 
IoT World - creating a secure robust IoT reference architecture
IoT World - creating a secure robust IoT reference architectureIoT World - creating a secure robust IoT reference architecture
IoT World - creating a secure robust IoT reference architecture
 
A Reference Architecture for IoT: How to create a resilient, secure IoT cloud
A Reference Architecture for IoT: How to create a resilient, secure IoT cloudA Reference Architecture for IoT: How to create a resilient, secure IoT cloud
A Reference Architecture for IoT: How to create a resilient, secure IoT cloud
 
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet ChallengeWSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
 
Mobility & BYOD: Leveraging Best Practices and Latest Technologies for Compre...
Mobility & BYOD: Leveraging Best Practices and Latest Technologies for Compre...Mobility & BYOD: Leveraging Best Practices and Latest Technologies for Compre...
Mobility & BYOD: Leveraging Best Practices and Latest Technologies for Compre...
 
Baking Security into the Company Culture (2017)
Baking Security into the Company Culture (2017) Baking Security into the Company Culture (2017)
Baking Security into the Company Culture (2017)
 
It security the condensed version
It security the condensed version It security the condensed version
It security the condensed version
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
 
OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014
 
Cyber security event
Cyber security eventCyber security event
Cyber security event
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricality
 
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfitsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
 
IT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptIT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.ppt
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
 
Security Testing for IoT Systems
Security Testing for IoT SystemsSecurity Testing for IoT Systems
Security Testing for IoT Systems
 
Internet security
Internet securityInternet security
Internet security
 

Recently uploaded

Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting DataJhengPantaleon
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docxPoojaSen20
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991RKavithamani
 
Micromeritics - Fundamental and Derived Properties of Powders
Micromeritics - Fundamental and Derived Properties of PowdersMicromeritics - Fundamental and Derived Properties of Powders
Micromeritics - Fundamental and Derived Properties of PowdersChitralekhaTherkar
 
MENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxMENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxPoojaSen20
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
 

Recently uploaded (20)

Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docx
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
 
Micromeritics - Fundamental and Derived Properties of Powders
Micromeritics - Fundamental and Derived Properties of PowdersMicromeritics - Fundamental and Derived Properties of Powders
Micromeritics - Fundamental and Derived Properties of Powders
 
MENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxMENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docx
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 

liferay-safe-slides.pdf

  • 1. DEVELOPMENT OF A PRIVACY PRESERVING! LIFERAY PORTAL DOCUMENT SYNCHRONIZER! FOR ANDROID! BY! MAX PERRY PERINATO! Thesis Supervisor: Prof. Michele Bugliesi! Department of Environmental Sciences, Informatics and Statistics MASTER OF SCIENCE IN COMPUTER SCIENCE A.Y. 2011/2012 VENICE, 1 MARCH 2013
  • 2. Motivation! • Bring-Your-Own-Device is becoming an inevitable trend (Juniper Research)! • Employees are bringing their own smartphones and tablets to work! ➔ Access to documents anytime, anywhere! – Private information concerning the enterprise! – Personal information about employees and clients! ➔ Confidentiality and liability issues arise! ! • Security and data breach are the greatest barriers for BYOD (Trend Micro)! !
  • 3. Mobile Security Risks • Mobile device security model erroneously based on security model of predecessor: laptop computer! • Mobile devices are always turned on and almost always connected! ➔ new set of security risks and attack vectors! • Information discloure via flash memory or RAM! • Privilege escalation bugs! ! • Bad design and insecure coding practices!
  • 5. Private! Data! Private ! Data! Private ! Data! Preserving Privacy of Enterprise Data • BYOD poses one major challenge to be addressed: ! ! – Protecting and securing the privacy of sensitive data at all times while allowing unrestricted access to public data! • Information security becomes highly dependent on situational information:! – Security of the device, its location, the user, the network and the apps being used! CIA Triad – ISO 27001! • Access to sensitive data can be allowed with “Security Containers” ! – Can mitigate risks surrounding CIA of resources! – Can be trusted by enterprises!
  • 6. • Android app for synchronization of documents with Liferay Portal! ➔ “The leading open source Portal for the Enterprise”! • Built as a Security Container! – Data encryption ! – Data access and usage control! – Security of data in transit! – Security of user credentials! – Data loss prevention: passcode enforcement, automatic/remote application lock and data wiping! – Dynamic provisioning of user trust! ! • Provides security of private data and offline usage! ! • Protection from malicious outsiders! – e.g., device loss or theft! • Protection from malicious insiders! – e.g., employee leaves the company! !
  • 7. Android is leading the pack… • 722.3 million smartphones shipped globally in 2012! ! ! • 68.8% (497.1 million) are Android devices!
  • 8. …but popularity comes at a price! • 145.000 malicious Android apps released in 3Q12 (Trend Micro)! • Lack of a control in app development and effective moderation in Google Play store ! ➔ Can lead to exposure of private information! • Androidʼs security model is flawed:! – Kernel-level sandboxing! ➔Allows privilege escalation attacks (Davi et al.)! – Application-level mandatory access control! ➔Allows permission misuse and insecure data flows (Fuchs et al.) ! ! • Inter-application message passing also an attack surface. ! ➔ Message contents sniffed, modified, stolen or replaced (Chin et al.)!
  • 9. Client-Server Architecture! • Transport Layer Security (TLS) protocol for communication security ! – Prevents eavesdropping, tampering, and message forgery! • Server identity authentication! – Full validation of CA-signed certificate! • OAuth 2.0 protocol for client authorization! – Separates API security credentials from the Userʼs credentials ! • Access Tokens can be revoked for an individual User or the entire app! – Unique identifier tied to the app, hard to guess, with restricted scope and limited lifetime! • Disabling of insecure channels and TLS validation to prevent side channel & stripping attacks   Weʼll see these next!
  • 10. Challenges 1/2! • Lack of a “root of trust”, enterprises can trust neither its employees nor their own devices! • Complex management and protection of encryption keys and OAuth tokens ! • Offline usage hinders user revocation, and remote wiping or locking! • Little control over how devices are used and what apps are installed! ! • Rooting a device is easy (e.g., SuperOneClick), no 100% effective way to detect it! • On some devices fastboot allows to re-flash partitions and install a Custom Firmware (e.g., CyanogenMod)! ! !
  • 11. Challenges 2/2! ! • Data extraction with open source forensics tools (e.g., OSAF-TK, Santoku)! ! • Limited internal storage. Mountable (and removable) external storage! • Impracticable data zeroization on NAND Flash memory due to wear leveling technique! ! • Negative impact of security provisions on user experience and battery life! ! !
  • 12. Private Documents Caching and Encryption! • Encrypted caching of private data for offline usage! • App-level Virtual Encrypted Disk based on IOCipher library (by The Guardian Project)! – Clone of the standard java.io API! – SQLCipher (by Zetetic LLC) 256-bit AES transparent on-the-fly encryption ! – Libsqlfs (by PalmSource) POSIX style file system on top of an SQLite database! • VED initialized with random master key encrypted with a 256-bit AES key derived from the Access Token! – Access Token has a validity of 24 hours! – When the Token expires the master key and the VED file are erased! – Access Token can also be revoked from the server!
  • 13. Access Token Management! • Access Token is secured in RAM by CacheGuard! • In-memory obfuscation! • Mitigates lack of a “root of trust” problem! • Exposure to memory analysis! ➔ requires gaining root privileges (Sylve et. Al)! ! • Android Debug Bridge! ➔ Mitigation: Enforce disabling of “USB debugging” setting! • Recovery Boot! ➔ Assumption: Access Token is cleared after reboot! • Remote Exploitation! ➔ Mitigation: Require minimum Android version (at least Jelly Bean)! • Complete access to device! ➔ Mitigation: Enforce use of a password screen lock! ! ➔ Attempt to detect if the device is rooted with a set of heuristics!
  • 14. Conclusions! • Documents are safe with BYOD at a trade-off: at the state of the art itʼs not possible to provide privacy preservation and offline access without posing any assumptions and constraints:! – 24 hours limited offline access! – Definition and enforcement of enterprise policies! – Size limit of private documents (available RAM)! – Minimum Android version (4.1 Jelly Bean) ! – Mandatory screen lock and disabled “USB debugging” setting! – Reduced battery life! • Lack of a “root of trust”: some Android devices currently embed a Trusted Platform Module (i.e., Secure Element), but itʼs not open to third-party apps! – Necessary to establish a ground of truth on which to build security! – Help increase trustworthiness of consumer devices! ! !
  • 15. “Never commit to memory what can be easily looked up in books.”! ! - Albert Einstein!