Mobile phone security has been a hot topic for debate in recent times. The top mobile manufacturers claim that their mobiles and applications are secure, but recent news on mobile hacking and malware suggests otherwise.
One of the key challenges in mobile security is the diversity of platforms and the multitude of operating systems (both open and proprietary) in the market. This makes it almost impossible to devise a generic catch-all strategy for mobile application security. Every platform, whether it is iOS, Android, Blackberry, Windows Mobile, Symbian etc., is unique and requires specialized treatment.
In this talk, we will demystify mobile and related application security. We will understand the architectures of various mobile operating systems and the native security support provided by the manufacturers and operating system vendors. Then we will look at how hackers have come up with different techniques and tools to break mobile security, and what mobile companies are doing to mitigate these attacks.
Finally, we will look at secure practices for mobile deployment in the Enterprise using policy files and other technology solutions. We will also outline best practices for business users and road warriors on how to ensure your company data is protected while still continuing to enjoy the flexibility provided by mobile phones.
9. Evolution of Mobile Phones
• Now evolved to powerful machines with almost all capabilities as our laptops
• Always on, always with you
• Constantly evolving and becoming more powerful
• Security has not kept pace with this growth and remains an afterthought
17. Stakeholders in Mobile Security
[Diagram: four numbered areas around the Internet, each with its stakeholders]
• 1: Mobile Manufacturers, IT, End Users
• 2, Applications: Application Developers, End Users
• 3, Networks: Mobile Operators, IT, End Users
• 4, Application Backend: Application Developers, IT
18. Mobile security-specific issues..
• SECURE DATA STORAGE (on Disk)
• MULTIPLE USER SUPPORT WITH SECURITY
• STRONG AUTHENTICATION WITH POOR KEYBOARDS
24. Mobile Platform Security Threats
[Diagram label: 1]
• Diverse Platforms vulnerable to security problems (Android, iOS, Blackberry, Windows Phone)
• Operating System security vulnerabilities
– Viruses and Worms – is there an Anti Virus?
– Break-in over Wi-Fi and Internet – is there a Firewall?
– Is there a Patch Management?
– Is there a provision to regularly upgrade the OS?
• What happens if the phone is stolen?
• What happens if data is intentionally or accidentally deleted? Is there a backup and restoration mechanism?
25. Android Platform Security
• Created by Google and the Open Handset Alliance
• Linux based
• Java programmable
• Each Application : a new user (UID)
• Android applications are considered “equal”
26. Android Platform Security
• Permissions - help provide data security
• Android’s permission model allows users to make bad but informed choices
• A confused user can’t make good choices.
27. Android Platform Security
• Possible for 2 applications to
– Share the same User ID
– Be run within the same process and VM Sandbox
• To do so, they must be signed with the same certificate
• An application can allow for World Readable and Writeable mode
– This allows any application on the system to read / write the host application’s files
28. Android Platform Security
• Android Market is the sick man of the app world
• It’s an open market
• Google’s Android Market has 90,000+ apps
• Recently Google has removed 26 malicious apps.
29. iOS Platform Security
• Processor – ARM 6 or 7 depending on model
• Runs iOS
• Derived from Mac OSX
• FreeBSD
• 2 primary users
– Mobile
– Root
30. iOS Platform Security
• There are around 5,00,000+ apps for iOS platform
• Code Signing applied to all applications
• Appstore applications signed by Apple
• All applications run as user “mobile”
• Chroot used to restrict apps from each other
• Applications are also encrypted when stored
• Runtime decryption before execution
31. iOS Platform Security
• Jailbreaking is the process of getting “root” access to the phone. This allows running custom software / firmware on the phone
• Unlocking refers to bypassing the controls which bind the phone to a carrier. This opens it for use with any carrier.
32. Mobile Platform Security
• Proprietary OS created by RIM
• Provides multi-tasking support
• Currently version 7
• Written in C++
• OS supports devices unique to the BB – trackball, trackwheel, touchscreen and touchpad
• Runs on ARM 7, 9 and ARM 11 processors
33. Mobile Platform Security
• As vulnerable as other phones, still less in number
• Difficult to infect as no popular public appstore
• Most applications are loaded over the air by the network managers
• Offers strong suite of security features which include:
– End-to-end Encryption
– RSA SecurID Two-Factor Authentication
– HTTPS Secure Data Access
– Strong IT Policy Enforcement and Management
– Built in Firewall
34. Blac Application Attacks
• Browser a key part of Blackberry
• Based on the open source Webkit
• Webkit known to be vulnerable
• First public exploit on BB demoed at Pwn2Own 2011
• ARM based exploit code
35. Microsoft Windows Phone
• Microsoft’s Mobile OS
• Windows Phone 7 was developed from scratch
• Currently in version 7.5 (called Mango)
• Not to be confused with Windows 8 OS (One OS for Desktops, Laptops, and Tablets.)
36. Security Model
• Does not support removable storage.
• No tethered file system access from a PC
• No concept of users and user logon
• Application origin based authentication and authorization
• Elements of Windows Phone Security Model
– Chambers
– Capabilities
– Application Safeguards
37. Chambers
Principle of isolation and Least Privilege
• Trusted Computing Base (TCB): Unrestricted access to the platform. Driver and OS level code
• Elevated Rights Chamber (ERC): User mode drivers and services.
• Standard Rights Chamber (SRC): All pre-installed MS and OEM applications
• Least Privileged Chamber (LPC): Default permission set in which all apps from the App Marketplace run
38. Capabilities
• Capabilities are granted during application installation, and their privileges cannot be elevated at run time
• Capabilities include geographical location information, camera, microphone, networking, and sensors.
• The Least Privileged Chamber (LPC) defines a minimal set of access rights by default. This helps in reducing the attack surface.
39. Application Safeguards
• Application developers must register with Microsoft
• Stringent check before inclusion in the App store
• All applications are code-signed by VeriSign.
• Applications that are not code-signed cannot run on Windows Phone 7.
• Applications run in a sandboxed process
– Can interact with the OS in a limited way
– Execution Manager monitors programs and kills programs with unusual activity
41. Secure Practices Recommendations
• Turn off GPS / Bluetooth when not in use.
• Do not leave your phone unattended
• Make sure that the OS and firmware are updated
• Use anti-virus software and keep the definition file up to date
• Password protect your device and change this regularly
44. Mobile Application Security Threats
[Diagram label: 2, Applications]
• Malware and Trojan applications
• Security vulnerabilities in code
• Client Application security
• Bypass Enterprise policies
– Difficult to apply Enterprise security policy
• Acts like a Backdoor into the Enterprise
45. What if ? There’s a..
MALWARE IN MY MOBILE !!
46. Malware that mails secrets!
[Diagram]
• Attacker
• Unaware user downloads app
• Hidden Trojan mails all secrets to attacker / tracks location
47. Secure Practices Recommendations
• Address security in the mobile application development process
• Download apps from trustworthy sources
• Scrutinize permission requirements of applications before installation
• Use mobile security apps for data protection
48. Mobile Threatscape
[Diagram: Internet; Applications, Networks, Application Backend; marker 3]
49. Mobile Security Assessment
• 3: Mobile Network Security Audit
• 2: Mobile Application Security Audit
• 1: Mobile Platform Security Audit
50. Network Access Security Threats
[Diagram label: 3, Networks]
• Heterogeneous Network Risks
– GPRS/3G/4G
– Wi-Fi
– Bluetooth
– PC Synchronization
• “ON” by default, which opens the device up to network based attacks
• Every access mechanism has security implications
• Difficult to control and prevent unauthorized access
• Requires custom solution to address each
– Difficult to apply uniformly across all devices on the network
53. Secure Practices Recommendations
• Use device inventory and track all mobile devices before and after allowing network access. You can’t protect or manage what you can’t see
• Non compliant mobile phones should be denied network access until they have been scanned, patched or remediated.
• Do not access corporate secured sites over public Wi-Fi
54. Mobile Threatscape
[Diagram: Internet; Applications, Networks, Application Backend; marker 4]
55. Application Backend Security Threats
[Diagram label: 4, Application Backend]
• Application farm security vulnerabilities
– Web server security bugs
– Database server security bugs
– Storage server security bugs
– Load balancer security bugs
• Web application security vulnerabilities
– OWASP Top 10 security problems
– Advanced Web Application attacks
• Web service security vulnerabilities
• Client application security vulnerabilities
60. Enterprise Mobile Security Challenges
• INFORMATION DISCLOSURE POLICIES
• LACK OF KNOWLEDGE ABOUT RISK
• DIFFICULTY AND COMPLEXITY IN IMPLEMENTATION
61. Enterprise Mobile Security Challenges
• RESTRICTING MOBILE INTERNET ACCESS
• REMOTE CONTROL, TRACKING AND DATA WIPING
• ENTERPRISE WIDE MOBILE SECURITY POLICIES
62. Enterprise Security Recommendations
Concerns:
• A lost or stolen device
• Provide support to multiple devices
• Controlling data flow on multiple devices
• Prevent Unauthorized Synchronization
• User awareness
Recommendations:
• Implement a central management console
• Implement centrally managed mobile device managers
• Secure server systems with strong access control
• Monitor and restrict data transfers to handheld or removable storage devices.
• Create keen awareness on information assets, risk and value to the enterprise
• Mechanism for installing secure apps centrally through an authorized server
63. The Future
• Mobile and Cloud will turn traditional IT and computing on its head.
• It’s about user experience (U-Ex)
• Virtual smart phones (Mobile Hypervisor)
• Dynamic context- and content-aware Data Protection
• NFC enabled smart phones to take center stage and may replace cards
65. Any people that would give up liberty for a little temporary safety deserves neither liberty nor safety.
Benjamin Franklin