Xavier Mertens, profile picture
Uploaded byXavier Mertens
PDF, PPTX6,506 views

Mobile Security

The document presents a detailed overview of mobile security risks, emphasizing the top risks including insecure data storage and weak authentication protocols. It discusses policies for managing company-owned vs. employee-owned devices, including the necessity for data classification and mobile device management solutions. The presentation also highlights best practices for secure mobile application development and risks associated with mobile device usage such as rogue apps and hotspot access.

Embed presentation

Download as PDF, PPTX
Mobile Security “Bring war material with you from home but forage on the enemy” - Sun Tzu Xavier Mertens Beltug SIG Security - Jan 2013
Disclaimer “The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”
Agenda • Introduction: Top-10 mobile risks • Company owned devices • Employee owned device (BYOD) • Risks inherent in mobile devices • Mobile applications development
Top-10 Mobile Risks • Insecure data storage • Weak server side controls • Insufficient transport layer protection • Client side injection • Poor authentication & authorization • Improper session handling • Secure decision via untrusted input • Side channel data leakage • Broken cryptography • Sensitive information disclosure (Source: OWASP)
Top-10 Mobile Risks • Insecure data storage • Weak server side controls • Insufficient transport layer protection Mobile devices • Client side injection are • Poor authentication & authorization Computers! • Improper session handling • Secure decision via untrusted input • Side channel data leakage • Broken cryptography • Sensitive information disclosure (Source: OWASP)
Company Owned Devices
Easy? Really? • Limited set of manufacturers/OS • Full control of hell? • People try to evade from jail (like laptops) • Need procedures (backups, helpdesk)
Corporate Policy • Must be communicated & approved before the device provisioning • Communication channels: addendum to a contract, Intranet, a “check box”? • Restrictions (SD cards, Bluetooth, camera) • What about private data? (pictures, MP3, downloaded (paid!) apps?
Examples • Document already available on beltug.be (Members section) • Simple policy: http://www.security-marathon.be/?p=1466 (Jean-Sébastien Opdebeeck)
Data Classification • Another approach is implementing data classification • Implementation of the “least privileges” principle • Access to data is based on profiles • Work with any device! (benefit broader than the scope of mobile devices)
Data Classification Data Company Owned Personal Devices Classification Devices Top-Secret No No Highly Confidential No No Proprietary Yes No Internal Use Only Yes Yes Public Yes Yes
Employed Owned Devices
Why do people BTOD? • Devices became cheaper and powerful • The “Generation Y” • Always online everywhere!
First Question? • Are you ready to accept personal devices on your network? • It’s a question of ... risk! • Examples: • Data loss • Network intrusion • Data ex-filtration
“MDM”? • Do you need a MDM solution? (Mobile Device Management) • Can you trust $VENDORS? • Microsoft Exchange include ActiveSync for free • Most security $VENDORS propose (basic) tools to handle mobile devices
Minimum Requirements • Automatic lock + password • No jailbroken devices • Remote wipe • Backups (who’s responsible?)
Risks Inherent In Mobile Devices
Personal Hotspots • Tethering allows mobile devices to be used as hotspots • Corporate devices (laptops) could bypass Internet access controls • Risks of rogue routers (if IP-forwarding is enabled
Rogue App Stores • Mobile devices without apps is less useful • Owners tend to install any apps • Some apps may require much more rights than required • People trust Apps stores and developers • Developers must write good code
QR Codes
Geolocalization
NFC
Home & Cars
Mobile Application Development
OWASP Mobile Security Project • Mobile testing guide • Secure mobile development guide • Top-10 mobile controls and design principles https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
Lack of/Bad Encryption • Developers re-invent the wheel: do not write a new encryption algorithm • Encrypt everything (data at rest, data in move)
Local VS. Remote Storage Pros Cons No network costs Risk of loss Local Speed Outdated Always updated Data network ($) Central No risk of loss Speed
Geolocalization • Again! But this time for good purposes • Do not allow some actions or apps (ex: opening a wallet) if GPS data shows the phone outside Europe • Combine with passwords for stronger authentication/authorization
Enterprise Appstores • Goal: Distribute, secure and manage mobile apps through your own company branded appstore. • Application available in the appstore have been approved by a strong validation process.
Thank You! Xavier Mertens xavier@rootshell.be @xme http://blog.rootshell.be

More Related Content

PPTX
Mobile security in Cyber Security
byGeo Marian
 
PDF
Ensuring Mobile Device Security
byQuick Heal Technologies Ltd.
 
PPTX
Cyber Security 101: Training, awareness, strategies for small to medium sized...
byStephen Cobb
 
PPTX
Mobile security
byCyberoamAcademy
 
PPTX
Smartphone security
byManish Gupta
 
PPTX
Mobile security
byHimmatsingh Rajpurohit
 
PPTX
Mobile security
byNaveen Kumar
 
PDF
Mobile Security
byMarketingArrowECS_CZ
 
Mobile security in Cyber Security
byGeo Marian
 
Ensuring Mobile Device Security
byQuick Heal Technologies Ltd.
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
byStephen Cobb
 
Mobile security
byCyberoamAcademy
 
Smartphone security
byManish Gupta
 
Mobile security
byHimmatsingh Rajpurohit
 
Mobile security
byNaveen Kumar
 
Mobile Security
byMarketingArrowECS_CZ
 

What's hot

PPTX
Cyber security
byHarsh verma
 
PDF
End-User Security Awareness
bySurya Bathulapalli
 
PPTX
Mobile security
byTapan Khilar
 
PPTX
Social Media Cyber Security Awareness Briefing
byDepartment of Defense
 
PDF
Cybersecurity Awareness Month_2021_PartnerPresentation_Final.pdf
bySoo Chin Hock
 
PPTX
Network Security ppt
bySAIKAT BISWAS
 
PPT
Building An Information Security Awareness Program
byBill Gardner
 
PPTX
Cyber Threat Intelligence.pptx
byAbimbolaFisher1
 
PDF
Cybersecurity Awareness Training Presentation v1.3
byDallasHaselhorst
 
PDF
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
byEdureka!
 
PDF
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
byEdureka!
 
PDF
Anatomy of a cyber attack
byMark Silver
 
PDF
14 tips to increase cybersecurity awareness
byMichel Bitter
 
PPTX
Mobile device security
byLisa Herrera
 
PPT
Social media and Security risks
byParakum Pathirana
 
PPT
Integrating Physical And Logical Security
byJorge Sebastiao
 
PDF
Mobile Security 101
byLookout
 
PPTX
Cyber Security 03
byHome
 
PDF
Cyber Threat Intelligence
bymohamed nasri
 
PPTX
Cyber Threat Management
byRishi Kant
 
Cyber security
byHarsh verma
 
End-User Security Awareness
bySurya Bathulapalli
 
Mobile security
byTapan Khilar
 
Social Media Cyber Security Awareness Briefing
byDepartment of Defense
 
Cybersecurity Awareness Month_2021_PartnerPresentation_Final.pdf
bySoo Chin Hock
 
Network Security ppt
bySAIKAT BISWAS
 
Building An Information Security Awareness Program
byBill Gardner
 
Cyber Threat Intelligence.pptx
byAbimbolaFisher1
 
Cybersecurity Awareness Training Presentation v1.3
byDallasHaselhorst
 
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
byEdureka!
 
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
byEdureka!
 
Anatomy of a cyber attack
byMark Silver
 
14 tips to increase cybersecurity awareness
byMichel Bitter
 
Mobile device security
byLisa Herrera
 
Social media and Security risks
byParakum Pathirana
 
Integrating Physical And Logical Security
byJorge Sebastiao
 
Mobile Security 101
byLookout
 
Cyber Security 03
byHome
 
Cyber Threat Intelligence
bymohamed nasri
 
Cyber Threat Management
byRishi Kant
 

Viewers also liked

PPTX
E commerce ppt
byMunish Singla
 
PDF
Symantec Mobile Security Whitepaper June 2011
bySymantec
 
PDF
2015 Mobile Security Trends: Are You Ready?
byIBM Security
 
PPTX
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
byAjin Abraham
 
PPTX
Mobile security
byhome
 
PPTX
Mobile security
byBasant Kumar
 
E commerce ppt
byMunish Singla
 
Symantec Mobile Security Whitepaper June 2011
bySymantec
 
2015 Mobile Security Trends: Are You Ready?
byIBM Security
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
byAjin Abraham
 
Mobile security
byhome
 
Mobile security
byBasant Kumar
 

Similar to Mobile Security

PDF
Developing Secure Mobile Applications
byDenim Group
 
PPT
Mobile Apps Security
byXavier Mertens
 
PDF
Mobile Application Security
byDirk Nicol
 
PPTX
Mobile Application Security
byLenin Aboagye
 
PDF
CNIT 128 8: Mobile development security
bySam Bowne
 
PDF
การสร้างเกราะป้องกันภัยคุกคาม ต่อข้อมูลความเป็นส่วนบุคคลในองค์กร
bySoftware Park Thailand
 
PDF
Securing mobile devices 1
byKamaljeet Singh Matharu (Kam)
 
PDF
Websense: A 3-step plan for mobile security
byarms8586
 
PPTX
Mobile application securitry risks ISACA Silicon Valley 2012
bySymosis Security (Previously C-Level Security)
 
PDF
BYOD: Device Control in the Wild, Wild, West
byJay McLaughlin
 
PPTX
Outside the Office: Mobile Security
byMcKonly & Asbury, LLP
 
PDF
ISACA CACS 2012 - Mobile Device Security and Privacy
byMichael Davis
 
PDF
Mobile Threats and Owasp Top 10 Risks
bySantosh Satam
 
PPTX
Webinar on Enterprise Security & android
byEndeavour Software Technologies
 
PPT
Udløs potentialet i Enterprise Mobility, Vijay Dheap, IBM US
byIBM Danmark
 
PDF
Mobile security blunders and what you can do about them
byBen Rothke
 
PDF
C0c0n 2011 mobile security presentation v1.2
bySantosh Satam
 
PPTX
Mobile security summit - 10 mobile risks
byVladimir Jirasek
 
PPTX
APPNATION IV - The State of Security in the Mobile Enterprise - Cesare Garlati
byMasha Geller
 
PDF
Securing mobile devices_in_the_business_environment
byK Singh
 
Developing Secure Mobile Applications
byDenim Group
 
Mobile Apps Security
byXavier Mertens
 
Mobile Application Security
byDirk Nicol
 
Mobile Application Security
byLenin Aboagye
 
CNIT 128 8: Mobile development security
bySam Bowne
 
การสร้างเกราะป้องกันภัยคุกคาม ต่อข้อมูลความเป็นส่วนบุคคลในองค์กร
bySoftware Park Thailand
 
Securing mobile devices 1
byKamaljeet Singh Matharu (Kam)
 
Websense: A 3-step plan for mobile security
byarms8586
 
Mobile application securitry risks ISACA Silicon Valley 2012
bySymosis Security (Previously C-Level Security)
 
BYOD: Device Control in the Wild, Wild, West
byJay McLaughlin
 
Outside the Office: Mobile Security
byMcKonly & Asbury, LLP
 
ISACA CACS 2012 - Mobile Device Security and Privacy
byMichael Davis
 
Mobile Threats and Owasp Top 10 Risks
bySantosh Satam
 
Webinar on Enterprise Security & android
byEndeavour Software Technologies
 
Udløs potentialet i Enterprise Mobility, Vijay Dheap, IBM US
byIBM Danmark
 
Mobile security blunders and what you can do about them
byBen Rothke
 
C0c0n 2011 mobile security presentation v1.2
bySantosh Satam
 
Mobile security summit - 10 mobile risks
byVladimir Jirasek
 
APPNATION IV - The State of Security in the Mobile Enterprise - Cesare Garlati
byMasha Geller
 
Securing mobile devices_in_the_business_environment
byK Singh
 

More from Xavier Mertens

PDF
HTTP For the Good or the Bad - FSEC Edition
byXavier Mertens
 
PDF
Unity Makes Strength
byXavier Mertens
 
PDF
Building A Poor man’s Fir3Ey3 Mail Scanner
byXavier Mertens
 
PDF
FPC for the Masses - CoRIIN 2018
byXavier Mertens
 
PDF
$HOME Sweet $HOME SANSFIRE Edition
byXavier Mertens
 
PDF
Secure Web Coding
byXavier Mertens
 
PDF
$HOME Sweet $HOME Devoxx 2015
byXavier Mertens
 
KEY
Unity makes strength
byXavier Mertens
 
PDF
$HOME Sweet $HOME
byXavier Mertens
 
PDF
Unity Makes Strength SOURCE Dublin 2013
byXavier Mertens
 
PDF
Malware Analysis Using Free Software
byXavier Mertens
 
PDF
What Will You Investigate Today?
byXavier Mertens
 
PDF
You have a SIEM! And now?
byXavier Mertens
 
PDF
What are-you-investigate-today? (version 2.0)
byXavier Mertens
 
PDF
FPC for the Masses (SANSFire Edition)
byXavier Mertens
 
PDF
Developers are from Mars, Security guys are from Venus
byXavier Mertens
 
PDF
HTTP For the Good or the Bad
byXavier Mertens
 
PDF
Automatic MIME Attachments Triage
byXavier Mertens
 
PDF
The BruCO"NSA" Network
byXavier Mertens
 
PDF
Because we are just humans
byXavier Mertens
 
HTTP For the Good or the Bad - FSEC Edition
byXavier Mertens
 
Unity Makes Strength
byXavier Mertens
 
Building A Poor man’s Fir3Ey3 Mail Scanner
byXavier Mertens
 
FPC for the Masses - CoRIIN 2018
byXavier Mertens
 
$HOME Sweet $HOME SANSFIRE Edition
byXavier Mertens
 
Secure Web Coding
byXavier Mertens
 
$HOME Sweet $HOME Devoxx 2015
byXavier Mertens
 
Unity makes strength
byXavier Mertens
 
$HOME Sweet $HOME
byXavier Mertens
 
Unity Makes Strength SOURCE Dublin 2013
byXavier Mertens
 
Malware Analysis Using Free Software
byXavier Mertens
 
What Will You Investigate Today?
byXavier Mertens
 
You have a SIEM! And now?
byXavier Mertens
 
What are-you-investigate-today? (version 2.0)
byXavier Mertens
 
FPC for the Masses (SANSFire Edition)
byXavier Mertens
 
Developers are from Mars, Security guys are from Venus
byXavier Mertens
 
HTTP For the Good or the Bad
byXavier Mertens
 
Automatic MIME Attachments Triage
byXavier Mertens
 
The BruCO"NSA" Network
byXavier Mertens
 
Because we are just humans
byXavier Mertens
 

Recently uploaded

PDF
Strengthening cybern resilience for a leading indian Financial Services group
bypandeydevika621
 
PDF
AI Driven & AI Native Development AI native development
byZainKarim7
 
PDF
Unit 1.2 Components of a Computer System.pdf
bySanieBautista
 
PDF
Artificial Intelligence(AI) full Book.pdf
bydeyanimesh299
 
PPTX
Compare and contrast types of attacks.pptx
bysyednaqihassan14
 
PDF
Beyond BBB: Practical Alternatives to Posterior Approximation in Bayesian Neu...
byTomasz Kusmierczyk
 
PDF
The map to conquer linear algebra for IT engineer
byakipii ogaoga
 
PPTX
Why 2026 Could Be a Turning Point for Decentralized Exchanges.pptx
bycalliemorgan193
 
PDF
Top Benefits of Using KVM VPS Hosting for Growing Businesses
byEthernet Servers
 
PPTX
Search Engine Responses to Conspiratorial Search Practices AANZCA 2025 Presen...
bykkasianenko
 
PDF
Ai In Courts Ai in courts AI in court AI in court
byZainKarim7
 
PPTX
Digital transformation success powered by EPM and NexInfo.pptx
byjayasuryanexinfo
 
PDF
Regenerative Agriculture Finance : Environmental impact
byrose mason
 
PDF
IAC 500 Sensor - Humidity Measurement Device
byCS Instruments
 
PPTX
Salesforce Spring 26 Release Key .pptx
byMehediHasan939830
 
PDF
Benefits of Using the IAC 500 Sensor for Ambient Conditions
byCS Instruments
 
PDF
“Lessons from Yesterday's Tomorrowland” by Scott M. Graffius
byScott M. Graffius
 
DOCX
Top Websites To ⭐Buy ⭐Old ⭐Gmail ⭐Accounts (PVA & Bulk) (5).docx
byBuy Old Gmail Accounts
 
PDF
250 Prompts - ChatGPT acting as your Assistant
byMihir Nagarkar
 
PDF
Small Business Automation: A Comprehensive Cost and ROI Guide
byAmelia Swank
 
Strengthening cybern resilience for a leading indian Financial Services group
bypandeydevika621
 
AI Driven & AI Native Development AI native development
byZainKarim7
 
Unit 1.2 Components of a Computer System.pdf
bySanieBautista
 
Artificial Intelligence(AI) full Book.pdf
bydeyanimesh299
 
Compare and contrast types of attacks.pptx
bysyednaqihassan14
 
Beyond BBB: Practical Alternatives to Posterior Approximation in Bayesian Neu...
byTomasz Kusmierczyk
 
The map to conquer linear algebra for IT engineer
byakipii ogaoga
 
Why 2026 Could Be a Turning Point for Decentralized Exchanges.pptx
bycalliemorgan193
 
Top Benefits of Using KVM VPS Hosting for Growing Businesses
byEthernet Servers
 
Search Engine Responses to Conspiratorial Search Practices AANZCA 2025 Presen...
bykkasianenko
 
Ai In Courts Ai in courts AI in court AI in court
byZainKarim7
 
Digital transformation success powered by EPM and NexInfo.pptx
byjayasuryanexinfo
 
Regenerative Agriculture Finance : Environmental impact
byrose mason
 
IAC 500 Sensor - Humidity Measurement Device
byCS Instruments
 
Salesforce Spring 26 Release Key .pptx
byMehediHasan939830
 
Benefits of Using the IAC 500 Sensor for Ambient Conditions
byCS Instruments
 
“Lessons from Yesterday's Tomorrowland” by Scott M. Graffius
byScott M. Graffius
 
Top Websites To ⭐Buy ⭐Old ⭐Gmail ⭐Accounts (PVA & Bulk) (5).docx
byBuy Old Gmail Accounts
 
250 Prompts - ChatGPT acting as your Assistant
byMihir Nagarkar
 
Small Business Automation: A Comprehensive Cost and ROI Guide
byAmelia Swank
 

Mobile Security

  • 1.
    Mobile Security “Bring warmaterial with you from home but forage on the enemy” - Sun Tzu Xavier Mertens Beltug SIG Security - Jan 2013
  • 2.
    Disclaimer “The opinions expressedin this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”
  • 3.
    Agenda • Introduction: Top-10mobile risks • Company owned devices • Employee owned device (BYOD) • Risks inherent in mobile devices • Mobile applications development
  • 4.
    Top-10 Mobile Risks • Insecure data storage • Weak server side controls • Insufficient transport layer protection • Client side injection • Poor authentication & authorization • Improper session handling • Secure decision via untrusted input • Side channel data leakage • Broken cryptography • Sensitive information disclosure (Source: OWASP)
  • 5.
    Top-10 Mobile Risks • Insecure data storage • Weak server side controls • Insufficient transport layer protection Mobile devices • Client side injection are • Poor authentication & authorization Computers! • Improper session handling • Secure decision via untrusted input • Side channel data leakage • Broken cryptography • Sensitive information disclosure (Source: OWASP)
  • 6.
  • 7.
    Easy? Really? • Limitedset of manufacturers/OS • Full control of hell? • People try to evade from jail (like laptops) • Need procedures (backups, helpdesk)
  • 8.
    Corporate Policy • Mustbe communicated & approved before the device provisioning • Communication channels: addendum to a contract, Intranet, a “check box”? • Restrictions (SD cards, Bluetooth, camera) • What about private data? (pictures, MP3, downloaded (paid!) apps?
  • 9.
    Examples • Document alreadyavailable on beltug.be (Members section) • Simple policy: http://www.security-marathon.be/?p=1466 (Jean-Sébastien Opdebeeck)
  • 10.
    Data Classification • Anotherapproach is implementing data classification • Implementation of the “least privileges” principle • Access to data is based on profiles • Work with any device! (benefit broader than the scope of mobile devices)
  • 11.
    Data Classification Data Company Owned Personal Devices Classification Devices Top-Secret No No Highly Confidential No No Proprietary Yes No Internal Use Only Yes Yes Public Yes Yes
  • 12.
  • 13.
    Why do peopleBTOD? • Devices became cheaper and powerful • The “Generation Y” • Always online everywhere!
  • 14.
    First Question? • Areyou ready to accept personal devices on your network? • It’s a question of ... risk! • Examples: • Data loss • Network intrusion • Data ex-filtration
  • 15.
    “MDM”? • Do youneed a MDM solution? (Mobile Device Management) • Can you trust $VENDORS? • Microsoft Exchange include ActiveSync for free • Most security $VENDORS propose (basic) tools to handle mobile devices
  • 16.
    Minimum Requirements • Automaticlock + password • No jailbroken devices • Remote wipe • Backups (who’s responsible?)
  • 17.
  • 18.
    Personal Hotspots • Tetheringallows mobile devices to be used as hotspots • Corporate devices (laptops) could bypass Internet access controls • Risks of rogue routers (if IP-forwarding is enabled
  • 19.
    Rogue App Stores •Mobile devices without apps is less useful • Owners tend to install any apps • Some apps may require much more rights than required • People trust Apps stores and developers • Developers must write good code
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.
  • 25.
    OWASP Mobile Security Project • Mobile testing guide • Secure mobile development guide • Top-10 mobile controls and design principles https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
  • 26.
    Lack of/Bad Encryption •Developers re-invent the wheel: do not write a new encryption algorithm • Encrypt everything (data at rest, data in move)
  • 27.
    Local VS. Remote Storage Pros Cons No network costs Risk of loss Local Speed Outdated Always updated Data network ($) Central No risk of loss Speed
  • 28.
    Geolocalization • Again! Butthis time for good purposes • Do not allow some actions or apps (ex: opening a wallet) if GPS data shows the phone outside Europe • Combine with passwords for stronger authentication/authorization
  • 29.
    Enterprise Appstores • Goal:Distribute, secure and manage mobile apps through your own company branded appstore. • Application available in the appstore have been approved by a strong validation process.
  • 30.