This document discusses mobile app security and the need for companies to securely provide access to internal systems and information for mobile workforces. It outlines requirements such as supporting the major mobile platforms while leveraging existing Exchange and Blackberry investments. The proposed solution is a Mobile Device Management system from Good Technology which would allow centralized management and security policies for employee-owned devices accessing corporate resources, at a lower cost than traditional Blackberry solutions.
2. Definition: Mobile app security is the extent of protection that mobile device applications (apps) have from malware and the activities of crackers and other criminals.
3. With the explosive growth of smartphones, tablets and mobile devices, companies must find a means of providing access to their internal systems and information to their mobile workforce securely and seamlessly.
4. Microsoft Exchange 2003
Blackberry Enterprise Server 4.1 SP7
◦ 10,000 email boxes
  2,000 using mobile devices
◦ Only company-provided Blackberry devices are supported
5. Confidentiality
◦ Commercial data, e.g. financial, IP, etc.
◦ Personal data, e.g. customer and employee records, PCI data, etc.
User personal data
◦ Diplomatic cables
Accessibility
◦ Resource uptime
◦ High availability / recoverability
◦ Archive
Maintain device flexibility while protecting against security risks
6. • Business users today are more mobile than ever before and are looking to access the enterprise from multiple devices:
– Apple iOS
– Android
– Blackberry
– Windows Mobile
• Users today are more technically skilled than before and are unfortunately able to develop “Business Managed Solutions” which may not meet the security requirements of the enterprise
– Must securely support users on the four identified leading mobile platforms
– Must leverage the significant existing Exchange and Blackberry investment
High Level Requirements & Solution Approach
The answer – A Mobile Device Management (MDM) Solution
8. MS Exchange
◦ Exchange 2003 or Exchange 2007 SP2
◦ ActiveSync (EAS) enabled
◦ Enterprise Certificate Services / certificate-based authentication
Mobile device support
◦ Support the latest mobile OSs
◦ Employee-provided devices
◦ Support for VPN, Wi-Fi, ActiveSync and encryption
◦ Centralized IT management & control
◦ Support for common file attachments
9. Security
◦ All devices should be enrolled into the corporate network
◦ Provisioning of mobile devices should be secure
◦ Security policies should be targeted to the right groups/employees
◦ Restriction of some/all mobile applications
◦ Complex/multi-character passwords required
◦ Updates of the mobile OS required
◦ Encryption of all forms of corporate data
◦ Tracking and inventory of all devices
◦ Access control over the corporate email system
◦ Sanction and disconnect modified or rogue devices
◦ Selective/full remote wipe of the device
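The following is an added example; it is not part of the deck and is not Good Technology's configuration. It shows how far the Exchange prerequisites on slide 8 (Exchange 2007 SP2 with ActiveSync enabled) and the controls listed on slide 9 can be met with a native Exchange ActiveSync (EAS) mailbox policy from the Exchange Management Shell, and where EAS alone falls short. The policy name "Corp-Mobile-Baseline", the distribution group "MobileUsers", the mailbox "jdoe", the device ID, the report path and the notification address are assumptions. Exchange 2003 has no management shell, so this applies only to the Exchange 2007 SP2 option on slide 8.

```powershell
# Added example (not from the deck). Run in the Exchange 2007 SP2 Management Shell.
# Assumed names: policy "Corp-Mobile-Baseline", group "MobileUsers", mailbox "jdoe",
# device ID "ABCDEF0123456789", report path C:\Reports, address security@example.com.

# --- Slide 9: complex passwords, encryption of corporate data, application restriction ---
# AllowNonProvisionableDevices $false refuses any device that cannot enforce this policy,
# which is as close as EAS gets to "sanction and disconnect modified or rogue devices".
New-ActiveSyncMailboxPolicy -Name "Corp-Mobile-Baseline" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 8 `
    -MinDevicePasswordComplexCharacters 3 `
    -DevicePasswordHistory 5 `
    -DevicePasswordExpiration "90.00:00:00" `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -MaxDevicePasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowUnsignedApplications $false `
    -AllowUnsignedInstallationPackages $false `
    -AllowNonProvisionableDevices $false `
    -PasswordRecoveryEnabled $true

# --- Slide 9: policies targeted to the right groups/employees ---
# Assign the policy to every member of the assumed "MobileUsers" group rather than to all mailboxes.
Get-DistributionGroupMember -Identity "MobileUsers" | ForEach-Object {
    Set-CASMailbox -Identity $_.Identity -ActiveSyncMailboxPolicy "Corp-Mobile-Baseline"
}

# --- Slide 9: access control over the corporate email system ---
# Pin the mailbox to the device ID recorded at enrollment; any other device is refused.
Set-CASMailbox -Identity "jdoe" -ActiveSyncAllowedDeviceIDs "ABCDEF0123456789"

# --- Slide 9: tracking and inventory of all devices ---
# Every mailbox with an EAS partnership, one row per device, including whether the
# policy was actually applied on the device (DevicePolicyApplicationStatus).
Get-CASMailbox -ResultSize Unlimited -Filter { HasActiveSyncDevicePartnership -eq $true } |
    ForEach-Object { Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity } |
    Select-Object Identity, DeviceType, DeviceUserAgent, LastSuccessSync,
                  DevicePolicyApplied, DevicePolicyApplicationStatus |
    Export-Csv -Path "C:\Reports\eas-devices.csv" -NoTypeInformation

# --- Slide 9: sanction/disconnect and remote wipe ---
# Disconnect immediately: the mailbox stops answering EAS for every device.
Set-CASMailbox -Identity "jdoe" -ActiveSyncEnabled $false
# Wipe a lost or rogue device. EAS only offers a full-device wipe; a selective
# (corporate-data-only) wipe needs a container such as the Good application on slide 11.
$lost = Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Where-Object { $_.DeviceID -eq "ABCDEF0123456789" }
Clear-ActiveSyncDevice -Identity $lost.Identity `
    -NotificationEmailAddresses "security@example.com" -Confirm:$false
```

Three of the slide's requirements have no EAS equivalent in this setup: EAS cannot tell whether a device has been jailbroken or rooted (it only knows whether the device claims to have applied the policy), it cannot require a minimum or up-to-date mobile OS version, and its wipe is all-or-nothing on an employee-owned phone. The AllowUnsignedApplications settings were honored only by Windows Mobile clients of that era. Those gaps are exactly the ones the deck uses to justify a dedicated MDM product on top of the existing Exchange investment.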
11. Good Technology
Manage & protect access to vital company information
Without imprisoning the user or their device
With flexibility…
◦ Manage the entire device
OR
◦ Manage the Good application
Plays nice in the mobile sandbox!
"Corporate policies should focus on regulating behavior, rather than devices..."
— Gartner, May 2010
14. [Architecture diagram; labels recovered from the slide: Firewalls, AD / LDAP Services, Email Servers, Good Message Servers, Good Mobile Control, Good Mobile Access, SQL Database, Good NOC, SSL]
15. Good Technology Solution

                             Capital Expense   (second column heading not recovered)
Software (2000 licenses)     $140,468          -
Hardware                     $178,801          $34,410
Maintenance                  -                 $57,775
Sub Total                    $319,269          $92,185
TOTAL 2 year capacity        $411,454

Per Device Comparison

                                          Blackberry Enterprise Server   Good Technology
Annual data plan service                  $504                           $0*
Annual inclusive maintenance & support    $4                             $159
Total annual cost                         $508                           $159

[Chart: Annual Cost Comparison of Mobility Run Rates; y-axis annual cost $0 to $1,000,000, x-axis 0 to 2,000 (label not recovered); series: Good Technology, Blackberry ES]
16. Financial Liability
◦ May be required to pay a stipend for device/usage; additionally, corporate data plans apply in some instances
◦ Employee may be taxed for a fringe benefit
◦ Nonexempt employees create issues
Legal Liability
◦ Evidence of illegal activity must not go unreported
◦ Archiving may be required
17. While some employees will only need access to PIM data, many will need full device management.
In these cases, all data must be subject to review and/or archive by the company
◦ Email, SMS/MMS, IM, music, etc.
All activity (applications, browser, peripheral control, etc.) must be subject to audit and control at any time.
How to handle all of this?
18. Most people will agree to any ToS without second thoughts.
Acceptance of the restrictions relies completely on employees’ understanding them.
Rewards are worth the risks…
19. Despite shared liability, employee-provided cell phones for business purposes are extremely popular.
◦ Conveniences for the employee
◦ Savings for the employer
The trend will continue.
20. Employee-owned mobile phones bring risks and challenges.
However, the benefits are great to both the company and its employees.
Our proposed solution, leveraging Good Technology, is the most efficient and feasible way to implement a corporate private mobile device policy.