Mobile Application Security

IBM Innovate 2012
Mobile Application Security Foundation &
Directions

Raj Balasubramanian Dirk Nicol
Product Architect, IBM Mobile Foundation Product Manager, IBM Mobile Foundation
raj_balasubramanian@us.ibm.com nicold@us.ibm.com
IPI2478

The Premier Event for Software and Systems Innovation

Please note

IBM’s statements regarding its plans, directions, and intent are subject to change or
withdrawal without notice at IBM’s sole discretion.
Information regarding potential future products is intended to outline our general product
direction and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a commitment, promise,
or legal obligation to deliver any material, code or functionality. Information about potential
future products may not be incorporated into any contract. The development, release, and
timing of any future features or functionality described for our products remains at our sole
discretion.

Performance is based on measurements and projections using standard IBM benchmarks
in a controlled environment. The actual throughput or performance that any user will
experience will vary depending upon many factors, including considerations such as the
amount of multiprogramming in the user’s job stream, the I/O configuration, the storage
configuration, and the workload processed. Therefore, no assurance can be given that an
individual user will achieve results similar to those stated here.

2
© 2012 IBM Corporation


Mobile is transformational

10 Billion devices
by 2020

61% of CIOs put
mobile as priority

45% increased productivity
with mobile apps

3


IBM strategy addresses client mobile initiatives

Extend & Transform Build & Connect
Extend existing business Build mobile applications
capabilities to mobile devices Connect to, and run
Transform the business by backend systems in support
creating new opportunities of mobile

Manage & Secure
Manage mobile devices, services
and applications
Secure my mobile business

4


A deeper look at Manage & Secure capabilities

Extend & Transform Build & Connect

Manage & Secure
Manage mobile devices, services Key Capabilities
and applications • Mobile lifecycle management
Secure my mobile business • Device analytics and control
• Secure network communications & management

5


Mobile Devices: Unique Management & Security Challenges

Mobile Mobile devices Mobile Mobile Mobile
devices are have multiple devices are devices are devices
shared more personas diverse used in more prioritize the
.
often locations user

 Personal phones  Work tool  OS immaturity for  A single location  Conflicts with user
and tablets  Entertainment
enterprise mgmt could offer public, experience not
shared with family device  BYOD dictates
private, and cell tolerated
 Enterprise tablet multiple OSs connections  OS architecture
 Personal

shared with co- organization  Vendor / carrier
 Anywhere, puts the user in
workers control dictates anytime control
 Security profile

 Social norms of multiple OS  Increasing  Difficult to enforce
per persona?
mobile apps vs. versions reliance on policy, app lists
file systems enterprise WiFi

6


Mobile Risks
Top 10 Mobile Risks
1. Insecure Data Storage

2. Weak Server Side Controls

3. Insufficient Transport Layer Protection

4. Client Side Injection

5. Poor Authorization and Authentication

6. Improper Session Handling

7. Security Decisions Via Untrusted Inputs

8. Side Channel Data Leakage

9. Broken Cryptography

10. Sensitive Information Disclosure

7 Source: OWASP Mobile Security Project


Challenges of Enterprise Mobility
Data separation: personal vs corporate
Achieving Data Separation & Data leakage into and out of the enterprise
Partial wipe vs. device wipe vs legally defensible wipe
Providing Data Protection Data policies

Multiple device platforms and variants
Multiple providers
Adapting to the BYOD/ Managed devices (B2E)
Unmanaged devices (B2B,B2E, B2C)
Consumerization of IT Trend Endpoint policies
Threat protection

Identity of user and devices
Providing secure access to Authentication, Authorization and Federation
User policies
enterprise applications & Secure Connectivity
data

Application life-cycle
Developing Secure Vulnerability & Penetration testing
Application Management
Applications Application policies

Designing & Instituting an Policy Management: Location, Geo, Roles, Response, Time policies
Security Intelligence
Adaptive Security Posture Reporting

8


So How do I Protect My Mobile Initiatives?

Begin by taking a holistic view of Mobile Security

WiFi Mobile
apps
Develop, test and
deliver safe
applications
Web
sites
Internet

Telecom
Provider

Secure
Security Corporate
endpoint Gateway Intranet &
device and Systems
data Achieve Visibility and Enable
Adaptive Security Posture
Secure access to enterprise
applications and data
9


Spectrum of Mobile Security Requirements
Mobile devices are not only computing platforms but also communication devices, hence
mobile security is multi-faceted, driven by customers’ operational priorities
Mobile Security Intelligence

Mobile Device Data, Network & Access Security App/Test
Management Development
Mobile Device Mobile Device Mobile Threat Mobile Mobile Network Mobile Identity& Secure Mobile
Management Security Management Information Protection Access Management Application
Management Protection Development
 Acquire/Deploy  Identity
 Register  Device wipe &  Anti-malware  Data encryption  Secure Management
lockdown  Authorize &  Vulnerability
 Activation  Anti-spyware (device,file & Communications
 Password  Anti-spam app) (VPN) Authenticate testing
 Content Mgmt
Management  Firewall/IPS  Mobile data loss  Edge Protection  Certificate  Mobile app
 Manage/Monitor
 Configuration  Web filtering prevention Management testing
 Self Service
Policy  Web Reputation  Multi-factor  Enforced by tools
 Reporting  Compliance  Enterprise
 Retire
policies
 De-provision

Mobile Applications
i.e. Native, Hybrid, Web Application

Mobile Application Platforms & Containers

Device Platforms
30 device Manufacturers, 10 operating platforms
i.e. iOS, Android, Windows Mobile, Symbian, etc

10


Mobile App Security: Defending the Software

 Consistently apply and
enforce best practices
during Development  Provide or employ a
secure channel for
 Perform vulnerability delivering apps
analysis during
Testing

 Employ a secure runtime
environment to safeguard
app data
 As threats evolve recognize
required updates and establish a  Perform checks to validate
process for pushing them to users the integrity of apps

11


Mobile Security Enabled with IBM Solutions
IBM QRadar
Achieve Visibility & Enable System-wide Mobile Security Awareness
Adaptive Security Posture • Risk Assessment
• Threat Detection

Build & Run Safe Mobile Apps
Secure Data & the Device Protect Access to Enterprise
IBM WorkLight
Apps & Data Develop safe mobile apps
IBM WorkLight • Direct Updates
Runtime for safe mobile apps IBM Security Access
• Encrypted data cache Manager for Mobile IBM AppScan for Mobile
• App validation Authenticate & Authorize users and Vulnerability testing
devices • Dynamic & Static analysis of Hybrid
IBM Endpoint • Standards Support: OAuth, and Mobile web apps
SAML, OpenID
Manager for Mobile • Single Sign-On & Identity
Configure, Provision, Monitor
Mediation
IBM DataPower
• Set appropriate security Protect enterprise applications
policies • XML security & message
• Enable endpoint access IBM Mobile Connect protection
• Ensure compliance Secure Connectivity • Protocol Transformation &
• App level VPN Mediation

Internet
12


The Difference Between Secure Apps and Device Management

Mobile Device Application-Level
Management Security

Device-level control: App takes care of itself:

• Password protection • Authentication
• File-system encryption • File encryption
• Managed apps • Remote administration
• Jailbreak detection • Adaptive functionality

Requires consent of user to have Applicable in all scenarios,
enterprise manage entire device including BYOD and consumer-
facing contexts

13


Worklight Runtime Architecture

Worklight Server Device Runtime

Application Code
Server-side
Client-side
Application Code
App Resources
Stats Aggregation

Cross Platform Technology
JSON Translation Direct Update

Mobile
Authentication Web Apps Security and Authentication
Back-end Data Integration
Post-deployment control
Unified Push
Adapter Library Diagnostics
Notifications

14


Mobile Application Security Objectives

Protect data on Enforce security
the device updates
• Malware, Jailbreaking • Be proactive: can’t rely
• Offline access on users getting the
• Device theft latest software update
on their own
• Phishing, repackaging

Streamline Provide robust Protect from the
Corporate authentication “classic” threats
security approval and authorization to the application
processes • Existing authentication security
• Complex infrastructure • Hacking
• Time-consuming • Passwords are more • Eavesdropping
vulnerable • Man-in-the-middle

15


IBM WorkLight: Security By Design

Protecting data on the Enforcing security
device and in transit updates

App Jailbreak and
Encrypted Offline Secure Remote
authenticity malware Direct update
offline cache authentication connectivity disable
testing detection

SSL with
Mobile Authentication Coupling Data Proven
server Code
platform as a integration device id with protection platform
identity obfuscation
trust factor framework user id realms security
verification

Streamlining Providing robust
Application
Corporate security authentication and
Security
processes authorization

16


IBM WorkLight: Security By Design

Protecting data on the Enforcing security
device and in transit updates

App Jailbreak and
Encrypted Offline Secure Remote
authenticity malware Direct update
offline cache authentication connectivity disable
testing detection

SSL with
Mobile Authentication Coupling Data Proven
server Code
platform as a integration device id with protection platform
identity obfuscation
trust factor framework user id realms security
verification

Streamlining Providing robust
Application
Corporate security authentication and
Security
processes authorization

Integration point with VPN solutions (i.e. IBM Mobile Connect) Integration point with User Security solutions
(i.e. IBM Security Access Manager for
Integration point with MDM solutions (i.e. IBM Endpoint Manager for Mobile) Mobile)

17

Protecting data on the device

Malware, Jailbreaking
Protecting data Device theft
on the device Offline access
Phishing, repackaging

Secure
Encrypted App Compatibility
Offline challenge-
offline authenticity with jailbreak
authentication response on
cache testing detection libs
startup

Encrypted offline cache
Offline authentication using password
Extended authentication with server using secure challenge response
App authenticity testing: server-side verification mechanism to mitigate
risk of Phishing through repackaging or app forgery
Compatibility with various jailbreak and malware detection libraries

18


Enforcing security updates

Can’t rely on users Remote Disable: shut down
getting the latest
software update on specific versions of a
their own downloadable app, providing
users with link to update

Enforcing
security
updates
Direct Update: automatically
send new versions of the
Remote Direct locally-cached HTML/JS
disable update
resources to installed apps

19


Authentication and Authorization

Authentication Data
Device
integration
framework
protection
realms
Provisioning Very flexible framework for simplifying
integration of apps with existing
authentication infrastructure
Providing robust
authentication and Manages authenticated sessions with
authorization
configurable expiration
Open: e.g., custom OTP as
anti-keylogger mechanism
Need to integrate with existing Server-side services grouped into
authentication infrastructure separate protection realms for different
authentication levels
Authenticate users when offline Secure device ID generated as part of
extensible provisioning process
Mobile passwords are more
vulnerable (keyboard more
difficult to use, typed text is
visible)
20


Session Authentication Management
Step 1 – Unauthenticated Session

1. Call protected Procedure
Worklight Server
Access denied because
session is unauthenticated or
expired
2. Request Authentication

Session:

• Created on first access from client
• Identified using session cookie
• Associated data is stored on the server

21


Step 2 – Authentication

1. Obtain credentials from
user and device
Worklight Server

2. Forward credentials Process authentication data

3. If necessary:
• Consult with authentication servers
• Perform device provisioning
• Receive authentication token
• Associate token with session

22


Step 3 – Authenticated Session

1. Procedure call on Worklight Server
authenticated session
Authenticated token
associated with session
3. Procedure result

Session ID Auth
Tokens/State

2bd4296a3f29 Realm 1:
25487
Realm 2: ------ 2. Access back-end service
--
using authentication
25617ff82a90 Realm 1: ------
---
token
Realm 2:
a6c9a
89a77921b02 Realm 1:
7b8df
Realm 2:
6a8a0

23


Worklight Studio simplifies the reuse of custom
containers across the organization

One team creates a custom
container (“Shell Component”) for
extensive security certification

Other teams create
HTML-only “inner apps”
wrapped in that container

24


Mobile Security Enabled with IBM Solutions
IBM brings together a broad portfolio of technologies and services to meet the
mobile security needs of customers across multiple industries

•Application security
•Worklight
•IBM Rational AppScan

•Mobile device management
•IBM Endpoint Manager for Mobile devices
•IBM Hosted Mobile Device Security
Management

•Secure enterprise access
•IBM Security Access Manager

•Security Intelligence
•IBM QRadar

25


Deployment for SSO and Security Intelligence

Security Intelligence Platform

Hybrid Mobile Apps IBM Endpoint
Based on WorkLight Manager
Risk Based Access

Hybrid App. SSL SSO WorkLight Server Enterprise
Hybrid App. Mobile Security
Applications,
Gateway (WAS w/ security)
Worklight Runtime Connectivity & Data

Mobile Device

 Security intelligence with mobile context
 Intelligence around malware and advanced threats in mobile enabled enterprise
 User identity and device identity correlation, leading to behavior analysis
 Geo-fencing, anomaly detection based on device, user, location, and application
characteristics

26


IBM AppScan: Bringing Vulnerability Scanning to Mobile

Detection of Vulnerabilities before Apps are Delivered and Deployed
 Known vulnerabilities can be addressed in software development and testing
 Code vulnerable to known threat models can be identified in testing
 Security designed in vs. bolted on
Leverage AppScan for vulnerability testing of mobile web apps and web elements (JavaScript,
HTML5) of hybrid mobile apps
27


IBM Security Access Manager: Authentication & Authorization of Mobile
Users and their Devices

Authorization Access Manager
Servers (e.g.,
IBM Access Policy)
Manager
User registries
(i.e. LDAP)

Federated
External Identity
Authentication Manager
Authentication Provider
VPN or (i.e. userid/password,
HTTPS Basic Auth,
Certificate or
Custom)

IBM Security Access Manager for Mobile can be Application Servers
used to satisfy complex authentication (i.e. WebSphere, WorkLight)
requirements. A feature called the External
Authentication Interface (EAI) is designed to
provide flexibility in authentication.
Mobile Browser Enterprise
Web
or Native Web Services Applications
Applications
Federated Identity Manager can be incorporated into
the solution to provide federated identity management
28


IBM Endpoint Manager for Mobile: Extending Management Reach to Mobile
Devices

Common Advanced management for iOS,
management agent Android, Symbian, and Windows
and console Phone
Systems Security
management management Unified management automatically
Near-instant
enables VPN access based on
deployment of
security compliance
new features
Integration with back-end IT
management systems such as
service desk, CMDB, and SIEM
IBM Endpoint Manager
Security threat detection and
automated remediation

Extends IBM’s existing 500,000
endpoint deployment

Desktop / laptop / Mobile Purpose-specific
server endpoint endpoint endpoint

29


IBM Qradar: Delivering Mobile Security Intelligence
Delivers Mobile Security Intelligence by monitoring data collected from other mobile
security solutions – visibility, reporting and threat detection

 Unified collection, aggregation and analysis  Ingest log data and events from:
architecture for:  Endpoint Manager for Mobile Devices
o Application logs  Access Manager for Mobile
o Security events  Mobile Connect
o Vulnerability data  WorkLight
o Identity and Access Management data
o Configuration files
o Network flow telemetry
 A common platform for
o Searching
o Filtering
o Rule writing
o Reporting functions
 A single user interface for
oLog management
o Risk modeling
o Vulnerability prioritization
o Incident detection
o Impact analysis tasks

30


Copyright and Trademarks

© IBM Corporation 2012. All Rights Reserved.

IBM, the IBM logo, ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions
worldwide. Other product and service names might be trademarks of IBM or
other companies. A current list of IBM trademarks is available on the Web at
“Copyright and trademark information” at
www.ibm.com/legal/copytrade.shtml.

31


IBM Global Technology Services offers a broad set of complementary mobile
capabilities

Client Initiatives
Build mobile Manage mobile Extend existing
applications devices and business capabilities
Connect to, and run applications to mobile devices
backend systems in Secure my mobile Transform the
support of mobile business business by creating
new opportunities

Services
• Mobile application development • Telecom Expense • Unified Communications
• Mobile Application Platform Management Services
Management • Mobile Security • Mobile Application Platform
• Network (e.g. wi-fi, VPN) • Mobile Device Management Management
• End-user and administration • Strategy & Transformation
support • Mobile Application
• Procurement, staging and Management
kitting • Messaging, collaboration and
social

32


www.ibm.com/software/rational

33


Daily iPod Touch giveaway

 Complete your session surveys online each day at a conference kiosk or on your
Innovate 2012 Portal!

 Each day that you complete all of that day’s session surveys, your name will be entered
to win the daily IPOD touch!

 On Wednesday be sure to complete your full conference evaluation to receive your
free conference t-shirt!

34


Acknowledgements and disclaimers

Availability: References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries
in which IBM operates.

The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for
informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant.
While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without
warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this
presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or
representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of
IBM software.

All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have
achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to,
nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.

© Copyright IBM Corporation 2012. All rights reserved.
– U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM, the IBM logo, ibm.com, Rational, the Rational logo, Telelogic, the Telelogic logo, Green Hat, the Green Hat logo, and other IBM products and
services are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these
and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate
U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or
common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at
www.ibm.com/legal/copytrade.shtml
If you have mentioned trademarks that are not from IBM, please update and add the following lines:
[Insert any special third-party trademark names/attributions here]
Other company, product, or service names may be trademarks or service marks of others.

35


www.ibm.com/software/rational

© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have
the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM
software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities
referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature
availability in any way. IBM, the IBM logo, Rational, the Rational logo, Telelogic, the Telelogic logo, and other IBM products and services are trademarks of the International Business Machines
Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

36

Mobile Application Security

More Related Content

What's hot

Viewers also liked

Similar to Mobile Application Security

Recently uploaded

Mobile Application Security