Security – Enterprise Mobile Applications
Venkat Alagarsamy
venkat.alagarsamy@gmail.com
www.linkedin.com/in/VenkatAlagarsamy
www.scribd.com/VenkatAlagarsamy
www.facebook.com/Venkatachalapathi.Alagarsamy
www.slideshare.net/VenkatAlagarsamy
www.twitter.com/TwitsOfVenkat
VenkatAlagarsamy.blogspot.in
Last Updated: 18th Jan 2013
Corporate Data Users
• It is a business fact that nearly 60% of all corporate employees access content over public networks using phones, tablets and other hand-held devices.
• Other than employees, customers and vendors too access the corporate database anywhere, anytime, on any device.
Statistics
• 80% of corporate users use their device without knowing the security threats.
• 80% of corporate users use a jailbroken device.
• 70% of users do not have antivirus software on their device.
• 70% is the probability that the application gets misused.
• 55% of users lose sensitive credentials and corporate data to a hacker.
The Challenge
The rapid adoption of mobile applications by corporates has created a significant security challenge, because corporate data is now accessed from outside the firewall/DMZ. So the challenges for corporate mobile application developers are:
• How do I secure a mobile application with or without a limited set of users?
• How do I secure the application itself?
• What should be developed as a mobile application?
• How should I provision this application to users?
Attacks – Device Based
• Device-based attacks
– Misplaced or lost device
• Unencrypted credentials
• Insecure storage
• Cached data
– Malware installed by downloading an unknown application
• Malicious certificates
• Reconfigured proxy settings, or
• Man-in-the-middle (MiTM) visibility into every user transaction.
Attacks – Network and Server Based
• Identity Spoofing (IP address spoofing)
– Using special programs, the attacker constructs IP packets that appear to originate from valid addresses inside the corporate intranet.
– After gaining access to the network with a valid IP address, the attacker can modify, reroute, or delete data.
• Password Attacks
– Obtain lists of valid user and computer names and network information.
– Modify server and network configurations, including
Attacks – Network and Server Based
• Denial-of-Service Attack
– Divert the attention of the corporate internal Information Systems staff so that they do not see the intrusion immediately, which allows the attacker to make more attacks during the diversion.
– Send invalid data to applications or network services, which causes abnormal termination or behaviour of the applications or services.
– Flood a computer or the entire network with traffic until a shutdown occurs because of the overload.
– Block traffic, which results in a loss of access to network resources by authorized users.
Attacks – Network and Server Based
• Man-in-the-Middle Attack
– Actively monitoring, capturing, and controlling all communication, and re-routing a data exchange.
• Compromised-Key Attack
– With a compromised key, the attacker can decode any encrypted data and then use the data as required.
• Sniffer Attack
– Analyze the network and gain information that can eventually be used to crash or corrupt the network.
– Read transaction/data communications.
Attacks – Network and Server Based
• Application-Layer Attack
An application-layer attack targets application servers by deliberately causing a fault in a server's operating system or applications. This gives the attacker the ability to bypass normal access controls. The attacker takes advantage of this situation, gaining control of the application, system, or network, and can do any of the following:
– Read, add, delete, or modify data or the operating system.
– Introduce a virus program that uses corporate computers and software applications to copy viruses throughout the corporate network.
– Introduce a sniffer program to analyze the network and gain information that can eventually be used to crash or corrupt legacy systems and the network.
Device Security – Reverse Engineering
• Understand the logic and the application's security weaknesses
• Look for keywords like password, key, SQL and security logic (AES/DES)
• Modify the code to bypass client-side checks and rebuild the app
• Send requests with altered data packets from the modified app
• Steps:
 Get the executable
 Understand the technology
Device Security – Reverse Engineering – Tools Used

OS      | Decompressor | Object -> Class -> Functions | Editor
Windows | Winzip       | ILSpy                        | Visual Studio, Notepad
        | Obfuscator: preemptive.com/products/dotfuscator/overview, confuser.codeplex.com/
Android | Winzip       | Dex2Jar and JD-GUI           | Notepad
        | Obfuscator: http://proguard.sourceforge.net/
iOS     | iExplorer    | OTool and Class-dump-z       |
Device Security – Malware
 Malware (worms and Trojans) is installed on the device either via SMS/MMS or by downloading an untrusted application. It can:
 Destroy the operating system
 Provide misleading information
 Steal data/cookies
 Deactivate other trusted applications
 Plant spyware to spy on calendars, email accounts, notes, etc.
Device Security – Malware Samples

Virus Name            | OS      | Symptom, Propagation and Damages
Cabir                 | Symbian | Displays "Caribe" whenever the phone is turned on. Spreads to other phones using Bluetooth.
Duts                  | Windows | Affects EXE files larger than 4KB.
Skulls - Trojan       | Windows | Replaces all icons with an image of a skull.
Commwarrior           | Symbian | Spreads by MMS and Bluetooth. Hunts for devices running Bluetooth and sends them infected files.
Gingermaster - Trojan | Android | Hidden malware. Steals device details and sends them to a remote server.
DroidKunFu – Trojan   | Android | Gains root privileges and installs com.google and ssearch.apk, which remove files and open and auto-download some applications. It also sends device data to a remote server.
Device Security – Antivirus Protection Software

Products compared: BullGuard, Lookout, McAfee, ESET, Kaspersky, Trend Micro, F-Secure, Webroot, NetQin.

Operating System | Products offering protection
Android          | All nine listed products
Symbian          | Five of the listed products
BlackBerry       | Three of the listed products
Windows          | Two of the listed products
Device Security – Some Best Practices (User)
 Download applications from the official application store only. Otherwise you expose yourself, and your mobile phone software provider does not protect you.
 Don't jailbreak or root the device. If cracked software is installed you are inheriting a risk.
 Install an antivirus. Antivirus protects the device against apps that try to steal data.
 Before installing an application from the application store, understand and agree to the application's device/data usage.
 Disable Bluetooth and other wireless components when not in use.
Device Security – Enterprise Application Design Practices
 Adhere to the corporate password policy
 Transfer data only through SSL or VPN (use VPN if possible)
 Auto-disable all unwanted components like Bluetooth when not required
 Make sure there is no memory leakage
 Do not store any critical data offline. If required, encrypt the data and store it using an encrypted database like SQLCipher
 Ensure the device is registered for using the application
 Ensure the logged-in user is the right user for the device and application
 Provide single sign-on
 Provide remote wipe if the device is lost
 Use a dynamic key for encryption of in/out data, where the key is controlled by the server
 Do not use any special characters or SQL in posted data
Network Security
 It is the set of activities designed to protect the network's
 Usability
 Reliability
 Integrity
 Safety
 from threats like
 Viruses, worms, and Trojan horses
 Spyware and adware
 Zero-day attacks, also called zero-hour attacks
 Denial-of-service attacks
 Data interception and theft
 Identity theft
Network Security Components
• Multiple layers of security: if one fails, the others still stand.
• Network security is accomplished through hardware and software. The software must be constantly updated and managed to protect against emerging threats.
• Network security components often include:
– Anti-virus and anti-spyware
– Firewall, to block unauthorized access to your network (DMZ)
– Intrusion prevention systems (IPS), to identify fast-spreading threats, such as zero-day or zero-hour attacks
Attackers – How do they do it?
• The most popular attacks use
– Reverse Engineering
– Cross-site scripting (XSS)
– SQL Injection
Cross-site Scripting (XSS Attack)
• As documented by Symantec in 2007, 84% of vulnerabilities are caused by XSS attacks.
• Cross-Site Scripting (XSS) attacks occur when:
– Data enters a web application through an untrusted source, most frequently a web request.
– The data is included in dynamic content that is sent to a web user without being validated for malicious code.
• It is the process of injecting malicious content into a web page and having that content (usually ActiveX, JavaScript, VBScript, Applet, Flash, HTML, etc.) executed in the client browser
– To steal client data.
Cross-site Scripting – XSS Types
• Stored XSS Attacks – Permanently store the injected code in targeted components like a database, message forum, visitor log, comment field, etc.
• Reflected XSS Attacks – The injected code is reflected off the web server
– In a response such as an error message, search result, etc.
– In an e-mail message
When a user is tricked into clicking on a malicious link or submitting a specially crafted form, the injected code travels to the vulnerable web server, which reflects the attack back to the user's browser. The browser then executes the code because it came from a "trusted" server.
XSS – Prevention Summary

Data Type | Context                | Code Sample                                                    | Defense
String    | HTML Body              | <span>UNTRUSTED DATA</span>                                    | HTML Entity Encoding
String    | Safe HTML Attributes   | <input type="text" name="fname" value="UNTRUSTED DATA">        | Aggressive HTML Entity Encoding; only place untrusted data into a whitelist of safe attributes; strictly validate unsafe attributes such as background, id and name
String    | GET Parameter          | <a href="/site/search?value=UNTRUSTED DATA">clickme</a>        | URL Encoding
String    | Untrusted URL in a SRC | <a href="UNTRUSTED URL">clickme</a>                            | Canonicalize input; URL validation; safe URL verification; whitelist http and https URLs only (Avoid

Source: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary
XSS – Prevention Summary (Contd…)
Source: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary

Data Type | Context             | Code Sample                                                                                       | Defense
String    | CSS Value           | <div style="width: UNTRUSTED DATA;">Selection</div>                                               | Strict structural validation; CSS hex encoding; good design of CSS features
String    | JavaScript Variable | <script>var currentValue='UNTRUSTED DATA';</script> <script>someFunction('UNTRUSTED DATA');</script> | Ensure JavaScript variables are quoted; JavaScript hex encoding; JavaScript Unicode encoding; avoid backslash encoding (\" or \' or \\)
HTML      | HTML Body           | <div>UNTRUSTED HTML</div>                                                                         | HTML validation (JSoup, AntiSamy, HTML Sanitizer)
String    | DOM                 | <script>document.write("UNTRUSTED                                                                 |
XSS Prevention – Output Encoding
Source: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary

Encoding Type           | Encoding Mechanism
HTML Entity Encoding    | Convert & to &amp; convert < to &lt; convert > to &gt; convert " to &quot; convert ' to &#x27; convert / to &#x2F;
HTML Attribute Encoding | Except for alphanumeric characters, escape all characters with the HTML entity &#xHH; format, including spaces. (HH = hex value)
URL Encoding            | Standard percent encoding, see: http://www.w3schools.com/tags/ref_urlencode.asp
JavaScript Encoding     | Except for alphanumeric characters, escape all characters with the \uXXXX Unicode escaping format (X = integer).
CSS Hex Encoding        | CSS escaping supports \XX and \XXXXXX. Using a two-character escape can cause problems if the next character
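The encoders from the output-encoding table, as an added Python example (my own code, not from the original slides or from OWASP; all function names are mine): one function per encoding type, plus a render_search_page() helper that reflects a search term into the HTML body, attribute, GET parameter and JavaScript contexts of the prevention summary. The untrusted input is a constructed sample, and the CSS encoder uses the six-digit form to sidestep the two-character escape problem the table mentions.

```python
"""Context-aware output encoders following the OWASP rules in the table above.

Added example (not from the original slides). Each encoder implements the
mechanism listed for its context; render_search_page() shows the reflected
search-result case with a constructed untrusted input.
"""
import urllib.parse

# HTML entity encoding: the six characters the table lists for HTML body context.
_HTML_ENTITIES = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
}


def _is_safe_alnum(c: str) -> bool:
    """Only ASCII letters and digits pass through unencoded."""
    return c.isascii() and c.isalnum()


def html_entity_encode(data: str) -> str:
    """Untrusted data placed inside an HTML element body."""
    return "".join(_HTML_ENTITIES.get(c, c) for c in data)


def html_attribute_encode(data: str) -> str:
    """Aggressive encoding for attribute values: every non-alphanumeric
    character (spaces included) becomes &#xHH;, so the value cannot close
    the quote or the tag even if the attribute is unquoted."""
    return "".join(c if _is_safe_alnum(c) else f"&#x{ord(c):02X};" for c in data)


def url_encode(data: str) -> str:
    """Standard percent encoding for a value placed in a GET parameter."""
    return urllib.parse.quote(data, safe="")


def _js_escape(c: str) -> str:
    cp = ord(c)
    if cp > 0xFFFF:  # outside the BMP: \uXXXX needs a UTF-16 surrogate pair
        cp -= 0x10000
        return f"\\u{0xD800 + (cp >> 10):04X}\\u{0xDC00 + (cp & 0x3FF):04X}"
    return f"\\u{cp:04X}"


def javascript_encode(data: str) -> str:
    """\\uXXXX escaping for a quoted JavaScript string literal. No backslash
    shortcuts (\\" \\' \\\\) are emitted, matching the 'avoid backslash
    encoding' rule: an HTML parser can strip them before the JS engine runs."""
    return "".join(c if _is_safe_alnum(c) else _js_escape(c) for c in data)


def css_hex_encode(data: str) -> str:
    """CSS hex escaping. The six-digit \\XXXXXX form is used because a short
    \\XX escape absorbs a following hex digit or space into the escape,
    which is the problem the table warns about."""
    return "".join(c if _is_safe_alnum(c) else f"\\{ord(c):06X}" for c in data)


def render_search_page(query: str) -> str:
    """Reflect a search term into four contexts from the prevention summary,
    each through the encoder that matches that context."""
    return (
        f"<span>Results for {html_entity_encode(query)}</span>\n"
        f'<input type="text" name="q" value="{html_attribute_encode(query)}">\n'
        f'<a href="/site/search?value={url_encode(query)}">search again</a>\n'
        f"<script>var currentValue='{javascript_encode(query)}';</script>\n"
    )


# Constructed sample of untrusted input, the classic reflected-XSS probe.
SAMPLE_QUERY = "<script>alert('x')</script>"

if __name__ == "__main__":
    print(render_search_page(SAMPLE_QUERY))
```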
XSS Prevention – Testing Tools
• Commercial License:
o Veracode Dynamic Scanner
o Whitehat
o HP WebInspect
o Cenzic Hailstorm
o IBM AppScan
o NTOSpider
o Qualys
o Burp Professional
• Free/Open Source:
o W3af
o XSS-Me and Access-Me
o OWASP ZAP
o Skipfish
o Wfuzz
o Reference for more tools :
SQL Injection
• SQL Injection Attack (SQLIA) is one of the top 10 vulnerabilities identified by OWASP.
• It is the insertion of SQL into a request posted from the client application to the server.
• By injecting SQL, the attacker can
– Read sensitive database contents
– Modify (insert/update/delete) the database
– Execute admin operations
– Alter the DB structure
– Bypass user authentication
Sub Classes of SQLIA
• Classic SQLIA
• Inference SQL injection
• Interacting with SQL injection
• Database management system-specific SQLIA
• Compounded SQLIA
• SQL injection + insufficient authentication
• SQL injection + DDoS attacks
Source: http://en.wikipedia.org/wiki/SQL_injection
Prevention of SQL Injection – Primary Defense
 Prepared Statements (Parameterized Queries) – the attacker cannot change the intent of a query.
Recommendations
 Java EE – use PreparedStatement() with bind variables
 .NET – use parameterized queries like SqlCommand() or OleDbCommand() with bind variables
 PHP – use PDO with strongly typed parameterized queries (using bindParam())
 Hibernate – use createQuery() with bind variables (called named parameters in Hibernate)
 SQLite – use sqlite3_prepare() to create a statement object
 Stored Procedures – same as prepared statements
 Escaping all user-supplied input
Reference
OWASP: https://www.owasp.org/index.php/ESAPI
Google: http://owasp-esapi-
Prevention of SQL Injection – Additional Defense
 Least privilege
 Whitelist input validation
Reference:
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet
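The primary defense (prepared statements) and the additional defense (whitelist input validation) from the two slides above in one runnable Python example, added here and not taken from the original slides: a deliberately string-built login query beside its parameterized form, using Python's sqlite3 module, whose `?` placeholders bind values into a prepared statement in the way the SQLite recommendation describes. The users table, the credential and the probe input are constructed, and the function names are mine.

```python
"""SQL injection: string-built login query beside its parameterized form.

Added example (not from the original slides). sqlite3 prepares the
statement and binds the '?' parameters as data, so the input can never
change the intent of the query. The user row and probe are constructed.
"""
import hashlib
import re
import sqlite3

# Whitelist input validation (the additional defense): the only shape a
# username may have. Anything else is rejected before it reaches the DB.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.]{1,32}$")


def _hash(pw: str) -> str:
    # Illustration only; a real deployment uses a salted, slow password hash.
    return hashlib.sha256(pw.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory database with one constructed user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", _hash("s3cret")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pw: str) -> bool:
    """Deliberately broken: the query text is assembled from user input,
    so a crafted username rewrites the WHERE clause (the 'bypass user
    authentication' outcome listed above)."""
    sql = (f"SELECT 1 FROM users WHERE name = '{name}' "
           f"AND pw_hash = '{_hash(pw)}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, name: str, pw: str) -> bool:
    """Primary defense: a prepared statement with bound parameters. The
    whitelist check is defense in depth, not a substitute for binding."""
    if not USERNAME_RE.match(name):
        return False
    row = conn.execute(
        "SELECT 1 FROM users WHERE name = ? AND pw_hash = ?",
        (name, _hash(pw)),
    ).fetchone()
    return row is not None


# Constructed probe: the trailing SQL comment discards the password check
# when the query is built by string concatenation.
PROBE_NAME = "alice' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, wrong password:", login_vulnerable(db, PROBE_NAME, "wrong"))  # True
    print("parameterized, wrong password:", login_safe(db, PROBE_NAME, "wrong"))    # False
    print("parameterized, right password:", login_safe(db, "alice", "s3cret"))      # True
```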
Prevention of SQL Injection – Testing Tools
 SQL Inject-Me
 SQLMAP
 SQLler
 SQLbftools
 SQL Injection brute-force
 SQLBrute
 BobCat
 Absinthe
 SQL Injection Pen-testing tools
 SQID
 Blind SQL Injection Perl tool
 SQL Power Injector
 FJ-Injector framework
 SQLNinja
 Automatic SQL Injector
 NGGSS SQL Injector
Source: http://rochakchauhan.com/blog/2008/01/10/top-15-free-sql-injection-scanners/
Architectural and Development Considerations
 Validate the device registration from the server
 Always use a VPN (at least SSL) network for communication
 Encrypt the critical data at both ends
 Use dynamic encryption keys. An encryption key should be used for only one communication and it should expire automatically.
 The key should have some complex generation logic.
 Do not store the entire initial encryption key on the device; i.e., the complete key should be generated from a partial key.
 Do not cache or store data. Do not create any cookies
 Disable all network components that are not used by the application
 Enforce the password policy
 Enable single sign-on using servers like LDAP
 Disable client-side scripting
 Do not keep any SQL on the client side
 If it is necessary to store offline data, use an encrypted DB like SQLCipher
 Always validate both input and output data for their format and canonical
Conclusion
 The security of a mobile application should be ensured at all levels and by all players
 Application/service providers
 Organization
 Device providers
 Registries
 Data Centers/Cloud Services
 Government
 CERTs
 Users
 All players in this ecosystem must apply the basic rules for effective security
 Coordination
 Communication and

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 

Enterprise mobile application security

6. Attacks – Network and Server Based
• Identity Spoofing (IP address spoofing)
  – Using special programs, the attacker constructs IP packets that appear to originate from valid addresses inside the corporate intranet.
  – After gaining access to the network with a valid IP address, the attacker can modify, reroute, or delete data.
• Password Attacks
  – Obtain lists of valid user and computer names and network information.
  – Modify server and network configurations, including
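
The spoofing bullet above has a cheap border-side check behind it: a packet that arrives on the public-facing interface claiming a source address from the corporate intranet cannot be legitimate, so it can be dropped and logged. The following is an added example (not from the slides) of that ingress anti-spoofing logic run over constructed firewall log lines; the internal address ranges, the interface name wan0 and the log format are assumptions for the demonstration.

```python
"""Ingress anti-spoofing check over firewall log lines (added example)."""
import ipaddress

# Constructed assumption: the address space the corporate network uses internally.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample log, one packet per line: "<iface> <src> -> <dst> <proto/port>"
SAMPLE_LOG = """\
wan0 203.0.113.7 -> 10.1.2.3 tcp/443
wan0 10.1.9.9 -> 10.1.2.3 tcp/445
lan0 10.1.4.4 -> 10.1.2.3 tcp/445
wan0 198.51.100.2 -> 10.1.2.3 tcp/443
wan0 192.168.5.5 -> 10.1.2.3 udp/53
"""


def is_internal(addr: str) -> bool:
    """True when the address falls inside one of the corporate ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def parse_line(line: str):
    iface, src, _arrow, dst, proto = line.split()
    return iface, src, dst, proto


def find_spoofed(log_text: str, external_ifaces=("wan0",)) -> list:
    """Return the log lines where a packet entered on an external interface with
    an internal source address: no legitimate path produces such a packet, so it
    is either spoofed or a routing fault, and either way should be dropped."""
    spoofed = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        iface, src, _dst, _proto = parse_line(line)
        if iface in external_ifaces and is_internal(src):
            spoofed.append(line)
    return spoofed


if __name__ == "__main__":
    for hit in find_spoofed(SAMPLE_LOG):
        print("SPOOFED:", hit)
```

The same rule expressed as a firewall policy (drop RFC 1918 sources on the WAN interface) is the standard BCP 38 style ingress filter; the traffic from lan0 is left alone because internal sources are expected there.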
7. Attacks – Network and Server Based
• Denial-of-Service Attack
  – Divert the attention of the corporate Information Systems staff so that they do not notice the intrusion immediately, which lets the attacker mount further attacks during the diversion.
  – Send invalid data to applications or network services, causing abnormal termination or behaviour of those applications or services.
  – Flood a computer or the entire network with traffic until it shuts down under the overload.
  – Block traffic, so that authorized users lose access to network resources.
8. Attacks – Network and Server Based
• Man-in-the-Middle Attack
  – Actively monitoring, capturing and controlling all communication, and re-routing a data exchange.
• Compromised-Key Attack
  – With a compromised key, the attacker can decrypt any data protected by that key and use the data as required.
• Sniffer Attack
  – Analyze the network and gain information that can eventually be used to crash or corrupt it.
  – Read transaction/data communications.
9. Attacks – Network and Server Based
• Application-Layer Attack
An application-layer attack targets application servers by deliberately causing a fault in a server's operating system or applications. This lets the attacker bypass normal access controls. Having gained control of the application, system or network, the attacker can:
  – Read, add, delete or modify data or the operating system.
  – Introduce a virus program that uses corporate computers and software applications to copy viruses throughout the corporate network.
  – Introduce a sniffer program to analyze the network and gain information that can eventually be used to crash or corrupt legacy systems and the network.
10. Device Security – Reverse Engineering
• Understand the logic and the application's security weaknesses
• Look for keywords like password, key, SQL and security logic (AES/DES)
• Modify the code to bypass client-side checks and rebuild the app
• Send requests with altered data packets from the modified app
• Steps:
  – Get the executable
  – Understand the technology
11. Device Security – Reverse Engineering – Tools Used
Windows
  Decompressor: Winzip
  Object -> Class -> Functions: ILSpy
  Editor: Visual Studio, Notepad
  Obfuscator: preemptive.com/products/dotfuscator/overview, confuser.codeplex.com/
Android
  Decompressor: Winzip
  Object -> Class -> Functions: Dex2Jar and JD-GUI
  Editor: Notepad
  Obfuscator: http://proguard.sourceforge.net/
iOS
  Decompressor: iExplorer
  Object -> Class -> Functions: otool and class-dump-z
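
The keyword hunt from slide 10 is mechanical once the package is unpacked: pull printable strings out of every file, as the `strings` tool does, and grep them for the words an attacker is looking for. The following is an added example (not from the slides) that does exactly that over a constructed APK-style zip built inline; the file names, the fake classes.dex content and the keyword list are assumptions for the demonstration. Running it against your own build before release shows what a reverse engineer will see in seconds; the obfuscators in the table above raise the effort but do not hide string constants, so the real fix is to keep secrets and SQL on the server.

```python
"""Grep an unpacked app package for hard-coded secrets (added example)."""
import io
import re
import zipfile

# Keywords from the slide (password, key, SQL, AES/DES) plus common variants.
KEYWORDS = re.compile(
    r"password|passwd|secret|api[_-]?key|private[_-]?key|\bkey\b|"
    r"select\s.+\sfrom|\baes\b|\bdes\b",
    re.IGNORECASE,
)
# Runs of 8+ printable ASCII bytes: the same heuristic the `strings` tool uses.
PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")


def extract_strings(blob: bytes) -> list:
    """All printable-ASCII runs in a binary blob, decoded to str."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def find_suspicious(blob: bytes) -> list:
    """Only the strings that match one of the keyword patterns."""
    return [s for s in extract_strings(blob) if KEYWORDS.search(s)]


def scan_package(zip_bytes: bytes) -> dict:
    """Walk every member of an APK/IPA-style zip; return {member: [hits]}."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            found = find_suspicious(zf.read(name))
            if found:
                hits[name] = found
    return hits


def build_sample_package() -> bytes:
    """Constructed stand-in for a decompressed app: a fake classes.dex carrying
    the kind of strings a reverse engineer looks for, and a harmless resource."""
    dex = (
        b"dex\n035\x00" + b"\x00" * 16
        + b"dbPassword=Welcome123\x00"
        + b"SELECT * FROM accounts WHERE user='\x00"
        + b"\xff\xfe"
        + b"AES/CBC/PKCS5Padding\x00"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", dex)
        zf.writestr("res/values/strings.xml",
                    b'<string name="app_name">Payroll</string>')
    return buf.getvalue()


if __name__ == "__main__":
    for member, strings in scan_package(build_sample_package()).items():
        for s in strings:
            print(f"{member}: {s}")
```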
12. Device Security – Malware
• Malware (worms and Trojans) is installed on the device either via SMS/MMS or by downloading untrusted applications. It can:
  – Destroy the operating system
  – Provide misleading information
  – Steal data/cookies
  – Deactivate other trusted applications
  – Plant spyware to spy on calendars, email accounts, notes, etc.
13. Device Security – Malware Samples
• Cabir (Symbian): displays "Caribe" whenever the phone is turned on; spreads to other phones over Bluetooth.
• Duts (Windows Pocket PC): infects EXE files larger than 4 KB.
• Skulls, Trojan (Symbian): replaces all icons with an image of a skull.
• Commwarrior (Symbian): spreads by MMS and Bluetooth; hunts for devices running Bluetooth and sends them infected files.
• GingerMaster, Trojan (Android): hidden malware; steals device details and sends them to a remote server.
• DroidKungFu, Trojan (Android): gains root privileges and installs com.google and ssearch.apk, which remove files and open and auto-download applications. It also sends device data to a remote server.
14. Device Security – Antivirus Protection
Vendors compared: BullGuard, Lookout, McAfee, ESET, Kaspersky, Trend Micro, F-Secure, Webroot, NetQin
• Android: supported by all nine vendors
• Symbian: supported by five of the nine vendors
• BlackBerry: supported by three of the nine vendors
• Windows: supported by two of the nine vendors
15. Device Security – Some Best Practices (User)
• Download applications from the official application store only. Otherwise you expose yourself, and your mobile platform provider does not protect you.
• Don't jailbreak or root the device. If cracked software is installed you are inheriting a risk.
• Install an antivirus. Antivirus protects the device against apps that try to steal data.
• Before installing an application from the application store, understand and agree to the application's device/data usage.
• Disable Bluetooth and other wireless components when not in use.
16. Device Security – Enterprise Application Design Practices
• Adhere to the corporate password policy
• Transfer data only over SSL or a VPN (use a VPN if possible)
• Automatically disable unneeded components such as Bluetooth when they are not required
• Make sure there is no memory leakage
• Do not store critical data offline. If you must, encrypt it and store it in an encrypted database such as SQLCipher
• Ensure the device is registered before it can use the application
• Ensure the logged-in user is entitled to use this device and this application
• Provide single sign-on
• Provide remote wipe in case the device is lost
• Use a dynamic key, controlled by the server, for encrypting data in and out
• Do not send SQL or unvalidated special characters in posted data
17. Network Security
• Network security is the set of activities designed to protect the network's
  – Usability
  – Reliability
  – Integrity
  – Safety
• from threats such as
  – Viruses, worms and Trojan horses
  – Spyware and adware
  – Zero-day attacks, also called zero-hour attacks
  – Denial of service attacks
  – Data interception and theft
  – Identity theft
18. Network Security Components
• Multiple layers of security: if one fails, the others still stand.
• Network security is accomplished through hardware and software. The software must be constantly updated and managed to protect against emerging threats.
• Network security components often include:
  – Anti-virus and anti-spyware
  – Firewall, to block unauthorized access to your network (DMZ)
  – Intrusion prevention systems (IPS), to identify fast-spreading threats such as zero-day or zero-hour attacks
19. Attackers – How Do They Do It?
• The most popular attacks use:
  – Reverse engineering
  – Cross-site scripting (XSS)
  – SQL injection
20. Cross-site Scripting (XSS Attack)
• As documented by Symantec in 2007, 84% of vulnerabilities were caused by XSS.
• Cross-site scripting (XSS) attacks occur when:
  – Data enters a web application through an untrusted source, most frequently a web request.
  – The data is included in dynamic content that is sent to a web user without being validated for malicious content.
• It is the process of injecting malicious content into a web page and having that content (usually ActiveX, JavaScript, VBScript, applet, Flash, HTML, etc.) executed in the client browser, for example to steal client data.
21. Cross-site Scripting – XSS Types
• Stored XSS attacks
  – The injected code is permanently stored in a targeted component such as a database, message forum, visitor log or comment field.
• Reflected XSS attacks
  – The injected code is reflected off the web server, as part of a response such as an error message or search result, or in an email message.
  – When a user is tricked into clicking a malicious link or submitting a specially crafted form, the injected code travels to the vulnerable web server, which reflects the attack back to the user's browser. The browser then executes the code because it came from a "trusted" server.
22. XSS – Prevention Summary
Data type: String | Context: HTML body
  Code sample: <span>UNTRUSTED DATA</span>
  Defense: HTML entity encoding
Data type: String | Context: Safe HTML attributes
  Code sample: <input type="text" name="fname" value="UNTRUSTED DATA">
  Defense: aggressive HTML entity encoding; only place untrusted data into a whitelist of safe attributes; strictly validate unsafe attributes such as background, id and name
Data type: String | Context: GET parameter
  Code sample: <a href="/site/search?value=UNTRUSTED DATA">clickme</a>
  Defense: URL encoding
Data type: String | Context: Untrusted URL in a SRC or HREF attribute
  Code sample: <a href="UNTRUSTED URL">clickme</a>
  Defense: canonicalize input; URL validation; safe URL verification; whitelist http and https URLs only (Avoid
Source: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary
23. XSS – Prevention Summary (Contd…)
Data type: String | Context: CSS value
  Code sample: <div style="width: UNTRUSTED DATA;">Selection</div>
  Defense: strict structural validation; CSS hex encoding; good design of CSS features
Data type: String | Context: JavaScript variable
  Code sample: <script>var currentValue='UNTRUSTED DATA';</script> and <script>someFunction('UNTRUSTED DATA');</script>
  Defense: ensure JavaScript variables are quoted; JavaScript hex encoding; JavaScript Unicode encoding; avoid backslash encoding (\" or \' or \\)
Data type: HTML | Context: HTML body
  Code sample: <div>UNTRUSTED HTML</div>
  Defense: HTML validation (JSoup, AntiSamy, HTML Sanitizer)
Data type: String | Context: DOM
  Code sample: <script>document.write("UNTRUSTED
Source: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary
24. XSS Prevention – Output Encoding
Encoding type: HTML entity encoding
  Mechanism: convert & to &amp;, < to &lt;, > to &gt;, " to &quot;, ' to &#x27;, / to &#x2F;
Encoding type: HTML attribute encoding
  Mechanism: except for alphanumeric characters, escape all characters with the HTML entity &#xHH; format, including spaces (HH = hex value)
Encoding type: URL encoding
  Mechanism: standard percent encoding, see http://www.w3schools.com/tags/ref_urlencode.asp
Encoding type: JavaScript encoding
  Mechanism: except for alphanumeric characters, escape all characters with the \uXXXX Unicode escaping format (X = integer)
Encoding type: CSS hex encoding
  Mechanism: CSS escaping supports \XX and \XXXXXX. Using a two-character escape can cause problems if the next character
Source: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary
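
The three tables above come down to one rule: pick the encoder by the context the data lands in, never one encoder for everything. The following is an added example (not from the slides) implementing the HTML body, HTML attribute, URL parameter and JavaScript string encoders from slides 22 to 24 with the Python standard library, plus the http/https whitelist for href targets, and rendering the same page with and without them. The page fragment, the function names and the attacker string are assumptions constructed for the demonstration.

```python
"""Context-aware output encoding of untrusted data, OWASP rules (added example)."""
import html
from urllib.parse import quote, urlsplit

UNTRUSTED = '"><script>alert(document.cookie)</script>'   # constructed attacker input


def encode_html_body(s: str) -> str:
    """HTML body: & < > " ' become entities (html.escape covers all five)."""
    return html.escape(s, quote=True)


def encode_html_attr(s: str) -> str:
    """Quoted attribute, aggressive form: every non-alphanumeric -> &#xHH; (spaces too)."""
    return "".join(c if c.isascii() and c.isalnum() else f"&#x{ord(c):02X};" for c in s)


def encode_url_param(s: str) -> str:
    """Query-string parameter: percent-encode everything except unreserved chars."""
    return quote(s, safe="")


def encode_js_string(s: str) -> str:
    """Inside a quoted JS string: every non-alphanumeric -> \\uXXXX, so the data can
    never close the quote or the <script> element."""
    return "".join(c if c.isascii() and c.isalnum() else f"\\u{ord(c):04X}" for c in s)


def safe_url(url: str) -> str:
    """href/src target: canonicalise, then whitelist absolute http(s) URLs only.
    javascript:, data: and scheme-relative URLs are replaced by a harmless
    placeholder (a real page would rather omit the link)."""
    url = url.strip()
    parts = urlsplit(url)            # urlsplit lower-cases the scheme for us
    if parts.scheme in ("http", "https") and parts.netloc:
        return url
    return "#"


def render_page(name: str) -> str:
    """The four contexts from the slide's table, each with its own encoder."""
    return (
        f"<span>{encode_html_body(name)}</span>"
        f'<input type="text" name="fname" value="{encode_html_attr(name)}">'
        f'<a href="/site/search?value={encode_url_param(name)}">clickme</a>'
        f"<script>var currentValue='{encode_js_string(name)}';</script>"
    )


def render_page_vulnerable(name: str) -> str:
    """The same page with no encoding: the payload breaks out of all four contexts."""
    return (
        f"<span>{name}</span>"
        f'<input type="text" name="fname" value="{name}">'
        f'<a href="/site/search?value={name}">clickme</a>'
        f"<script>var currentValue='{name}';</script>"
    )


if __name__ == "__main__":
    print(render_page_vulnerable(UNTRUSTED))
    print(render_page(UNTRUSTED))
```

Note that `encode_html_body` alone is not enough for the attribute or script contexts: `html.escape` leaves `(`, `)` and `\` untouched, which is harmless in the body but lets a value inside `<script>` still call functions, which is why the JavaScript context gets the stricter \uXXXX form.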
25. XSS Prevention – Testing Tools
• Commercial license:
  – Veracode Dynamic Scanner
  – WhiteHat
  – HP WebInspect
  – Cenzic Hailstorm
  – IBM AppScan
  – NTOSpider
  – Qualys
  – Burp Professional
• Free/open source:
  – W3af
  – XSS-Me and Access-Me
  – OWASP ZAP
  – Skipfish
  – Wfuzz
• Reference for more tools:
26. SQL Injection
• A SQL Injection Attack (SQLIA) is one of the OWASP Top 10 vulnerabilities.
• It is the insertion of SQL into a request posted from the client application to the server.
• By injecting SQL, the attacker can:
  – Read sensitive data from the database
  – Modify (insert/update/delete) the database
  – Execute administrative operations
  – Alter the DB structure
  – Bypass user authentication
27. Sub-classes of SQLIA
• Classic SQLIA
• Inference SQL injection
• Interacting with SQL injection
• Database management system-specific SQLIA
• Compounded SQLIA
  – SQL injection + insufficient authentication
  – SQL injection + DDoS attacks
Source: http://en.wikipedia.org/wiki/SQL_injection
28. Prevention of SQL Injection – Primary Defense
• Prepared Statements (parameterized queries): the attacker cannot change the intent of a query. Recommendations:
  – Java EE: use PreparedStatement() with bind variables
  – .NET: use parameterized queries such as SqlCommand() or OleDbCommand() with bind variables
  – PHP: use PDO with strongly typed parameterized queries (using bindParam())
  – Hibernate: use createQuery() with bind variables (called named parameters in Hibernate)
  – SQLite: use sqlite3_prepare() to create a statement object
• Stored Procedures: the same protection as prepared statements, provided the procedure does not itself build dynamic SQL from its arguments
• Escaping all user-supplied input
References:
  OWASP ESAPI: https://www.owasp.org/index.php/ESAPI
  Google: http://owasp-esapi-
29. Prevention of SQL Injection – Additional Defense
• Least privilege
• Whitelist input validation
References:
  http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
  https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet
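
Slides 26 to 29 are easiest to see side by side: the same login query built by string concatenation and then as a prepared statement, with the two additional defenses layered on. The following is an added example (not from the slides) using Python's built-in sqlite3 driver, which is the same prepare-and-bind mechanism the SQLite row above refers to; the users table, the two accounts and the username whitelist pattern are constructed assumptions for the demonstration. The vulnerable function is deliberately left vulnerable so the authentication bypass from slide 26 can be reproduced.

```python
"""SQL injection on a login query: vulnerable vs parameterized (added example)."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    conn.commit()
    return conn


def login_vulnerable(conn, name: str, pw: str):
    """Deliberately vulnerable: the caller's strings become part of the SQL text,
    so a quote and a comment marker in `name` rewrite the WHERE clause and the
    password check disappears (name = "alice' --")."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(sql).fetchone()


def login_safe(conn, name: str, pw: str):
    """Prepared statement: the query is compiled with placeholders and the values
    are bound separately, so input can never change the statement's structure."""
    sql = "SELECT name, role FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchone()


# Whitelist for the username field (assumption: usernames are short and plain).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def login_defended(conn, name: str, pw: str):
    """Additional defense: whitelist-validate the username's shape before it
    reaches the database at all. Passwords are intentionally not restricted."""
    if not USERNAME_RE.fullmatch(name):
        return None
    return login_safe(conn, name, pw)


def apply_least_privilege(conn) -> None:
    """Least privilege in SQLite terms: the login path only needs to read, so its
    connection is made read-only. With a server database the equivalent is an
    account granted SELECT only on the tables the application needs."""
    conn.execute("PRAGMA query_only = 1")


def can_write(conn) -> bool:
    """Probe whether this connection could modify data (rolled back if it can)."""
    try:
        conn.execute("UPDATE users SET role = 'admin' WHERE name = 'bob'")
    except sqlite3.OperationalError:
        return False
    conn.rollback()
    return True


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected name:", login_vulnerable(db, "alice' --", "wrong"))
    print("parameterized, same input: ", login_safe(db, "alice' --", "wrong"))
```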
30. Prevention of SQL Injection – Testing Tools
• SQL Inject-Me
• SQLMAP
• SQLler
• SQLbftools
• SQL Injection Brute-force
• SQLBrute
• BobCat
• Absinthe
• SQL Injection Pen-testing Tools
• SQID
• Blind SQL Injection Perl Tool
• SQL Power Injector
• FJ-Injector Framework
• SQLNinja
• Automatic SQL Injector
• NGGSS SQL Injector
Source: http://rochakchauhan.com/blog/2008/01/10/top-15-free-sql-injection-scanners/
31. Architectural and Development Considerations
• Validate the device registration from the server
• Always use a VPN (at least SSL) for communication
• Encrypt critical data at both ends
• Use dynamic encryption keys. A key should be used for only one communication and should expire automatically.
• The key should be generated by suitably complex logic.
• Do not store the complete initial encryption key on the device; the complete key should be generated from a partial key.
• Do not cache or store data. Do not create cookies.
• Disable all network components the application does not use
• Enforce the password policy
• Enable single sign-on using servers such as LDAP
• Disable client-side scripting
• Do not keep any SQL on the client side
• If offline data must be stored, use an encrypted DB such as SQLCipher
• Always validate both input and output data for format and canonical
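
The key-handling bullets here and on slide 16 (server-controlled dynamic key, one communication per key, automatic expiry, only a partial key on the device, registered devices only) describe one small protocol, and the following is an added example (not from the slides) of both sides of it. The device keeps only its registration secret; for each transaction the server issues a key id and a server share with a TTL, both sides derive the full key with HMAC, and the server refuses a key that is unknown, already used or expired. To stay within the standard library the derived key authenticates the request body with an HMAC rather than encrypting it; in a real app the same derived key would feed an AEAD cipher such as AES-GCM. The class names, message shapes, TTL and device id are assumptions for the demonstration.

```python
"""Per-transaction keys from a device share plus a server share (added example)."""
import hashlib
import hmac
import secrets


def derive_session_key(device_secret: bytes, key_id: bytes, server_share: bytes) -> bytes:
    """The full key never exists at rest: the device holds only device_secret, the
    server sends key_id and server_share per transaction, and both sides derive
    the same 32-byte key from the three together."""
    return hmac.new(device_secret, b"session|" + key_id + b"|" + server_share,
                    hashlib.sha256).digest()


class Server:
    def __init__(self, ttl_seconds: float = 60.0):
        self.devices = {}   # device_id -> device_secret, set at registration
        self.issued = {}    # key_id -> (device_id, server_share, expires_at)
        self.used = set()   # key_ids that have already authenticated one request
        self.ttl = ttl_seconds

    def register_device(self, device_id: str) -> bytes:
        """Device registration (slide 16). The secret returned here is provisioned
        into the device keystore once, over an assumed secure enrolment channel."""
        secret = secrets.token_bytes(32)
        self.devices[device_id] = secret
        return secret

    def issue_key(self, device_id: str, now: float):
        """Fresh server share with an expiry; only registered devices get one."""
        if device_id not in self.devices:
            raise PermissionError("device not registered")
        key_id, share = secrets.token_bytes(8), secrets.token_bytes(32)
        self.issued[key_id] = (device_id, share, now + self.ttl)
        return key_id, share

    def verify(self, device_id: str, key_id: bytes, body: bytes, mac: bytes, now: float) -> str:
        rec = self.issued.get(key_id)
        if rec is None or rec[0] != device_id:
            return "unknown-key"
        if key_id in self.used:
            return "replay"        # one communication per key
        if now > rec[2]:
            return "expired"       # automatic expiry
        key = derive_session_key(self.devices[device_id], key_id, rec[1])
        expected = hmac.new(key, key_id + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return "bad-mac"       # tampered body or wrong device secret
        self.used.add(key_id)
        return "ok"


class Device:
    def __init__(self, device_id: str, device_secret: bytes):
        self.device_id = device_id
        self.secret = device_secret   # the partial key; lives in the platform keystore

    def sign_request(self, key_id: bytes, server_share: bytes, body: bytes) -> bytes:
        key = derive_session_key(self.secret, key_id, server_share)
        return hmac.new(key, key_id + body, hashlib.sha256).digest()


def demo(now: float = 1_000.0) -> list:
    """Walk through ok / replay / expired / tampered; returns the server's verdicts."""
    srv = Server(ttl_seconds=60)
    dev = Device("tablet-42", srv.register_device("tablet-42"))
    body = b'{"op":"payroll-report"}'   # constructed request body

    key_id, share = srv.issue_key("tablet-42", now)
    mac = dev.sign_request(key_id, share, body)
    verdicts = [srv.verify("tablet-42", key_id, body, mac, now)]
    verdicts.append(srv.verify("tablet-42", key_id, body, mac, now))        # same key again

    key_id, share = srv.issue_key("tablet-42", now)
    mac = dev.sign_request(key_id, share, body)
    verdicts.append(srv.verify("tablet-42", key_id, body, mac, now + 61))   # past the TTL

    key_id, share = srv.issue_key("tablet-42", now)
    mac = dev.sign_request(key_id, share, b'{"op":"tampered"}')
    verdicts.append(srv.verify("tablet-42", key_id, body, mac, now))        # body != signed body
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The server-side `used` set is what turns "one communication per key" from a convention into an enforced property; without it, a captured request could be replayed for the whole TTL.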
32. Conclusion
• The security of a mobile application must be ensured at all levels and by all players:
  – Application/service providers
  – Organization
  – Device providers
  – Registries
  – Data centers/cloud services
  – Government
  – CERTs
  – Users
• All players in this ecosystem must apply the basic rules for effective security:
  – Coordination
  – Communication and