Mobile Security
“Bring war material with you from home but forage on the enemy” - Sun Tzu
Xavier Mertens, Beltug SIG Security - Jan 2013
Disclaimer
“The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”
Agenda
• Introduction: Top-10 mobile risks
• Company owned devices
• Employee owned devices (BYOD)
• Risks inherent in mobile devices
• Mobile application development
Top-10 Mobile Risks
• Insecure data storage
• Weak server side controls
• Insufficient transport layer protection
• Client side injection
• Poor authentication & authorization
• Improper session handling
• Security decisions via untrusted input
• Side channel data leakage
• Broken cryptography
• Sensitive information disclosure
(Source: OWASP)
Top-10 Mobile Risks (continued)
Every item on that list already applies to laptops and servers: mobile devices are computers!
Easy? Really?
• Limited set of manufacturers/OS
• Full control, or hell?
• People try to break out of jail (jailbreaking), just as they do with laptops
• Need procedures (backups, helpdesk)
Corporate Policy
• Must be communicated & approved before the device is provisioned
• Communication channels: addendum to a contract, Intranet, a “check box”?
• Restrictions (SD cards, Bluetooth, camera)
• What about private data? (pictures, MP3s, downloaded (paid!) apps)
Examples
• Document already available on beltug.be (Members section)
• Simple policy: http://www.security-marathon.be/?p=1466 (Jean-Sébastien Opdebeeck)
Data Classification
• Another approach is implementing data classification
• Implementation of the “least privilege” principle
• Access to data is based on profiles
• Works with any device! (the benefit is broader than the scope of mobile devices)
Data Classification

  Data Classification     Company Owned Devices   Personal Devices
  Top-Secret              No                      No
  Highly Confidential     No                      No
  Proprietary             Yes                     No
  Internal Use Only       Yes                     Yes
  Public                  Yes                     Yes
Why do people BYOD?
• Devices became cheaper and more powerful
• The “Generation Y”
• Always online, everywhere!
First Question?
• Are you ready to accept personal devices on your network?
• It’s a question of ... risk!
• Examples:
  • Data loss
  • Network intrusion
  • Data exfiltration
“MDM”?
• Do you need an MDM solution? (Mobile Device Management)
• Can you trust $VENDORS?
• Microsoft Exchange includes ActiveSync for free
• Most security $VENDORS offer (basic) tools to handle mobile devices
Personal Hotspots
• Tethering allows mobile devices to be used as hotspots
• Corporate devices (laptops) could bypass Internet access controls
• Risk of rogue routers (if IP forwarding is enabled)
Rogue App Stores
• Mobile devices without apps are less useful
• Owners tend to install any app
• Some apps request far more permissions than they need
• People trust app stores and developers
• Developers must write good code
OWASP Mobile Security Project
• Mobile testing guide
• Secure mobile development guide
• Top-10 mobile controls and design principles
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
Lack of/Bad Encryption
• Developers re-invent the wheel: do not write a new encryption algorithm
• Encrypt everything (data at rest, data in motion)
Local VS. Remote Storage

  Storage   Pros                              Cons
  Local     No network costs, Speed           Risk of loss, Outdated
  Central   Always updated, No risk of loss   Data network ($), Speed
Geolocation
• Again! But this time for good purposes
• Do not allow some actions or apps (ex: opening a wallet) if GPS data shows the phone outside Europe
• Combine with passwords for stronger authentication/authorization
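An added illustration, not part of the original deck: a server-side policy check that combines the data classification matrix (company owned vs. personal devices), the password check and the "outside Europe" restriction on sensitive actions. The Europe bounding box and the field names are assumptions; note that GPS coordinates reported by the client are untrusted input (one of the Top-10 risks above), so they are only ever used to deny or to require step-up, never as the factor that grants access on their own.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Classification(Enum):
    TOP_SECRET = "Top-Secret"
    HIGHLY_CONFIDENTIAL = "Highly Confidential"
    PROPRIETARY = "Proprietary"
    INTERNAL = "Internal Use Only"
    PUBLIC = "Public"


# Matrix from the deck: classification -> (company owned allowed, personal allowed)
ACCESS_MATRIX = {
    Classification.TOP_SECRET: (False, False),
    Classification.HIGHLY_CONFIDENTIAL: (False, False),
    Classification.PROPRIETARY: (True, False),
    Classification.INTERNAL: (True, True),
    Classification.PUBLIC: (True, True),
}

# Assumed rough bounding box for Europe (lat, lon); a real deployment
# would use a proper geofence or GeoIP lookup instead of this box.
EUROPE_LAT = (35.0, 72.0)
EUROPE_LON = (-25.0, 45.0)


@dataclass
class Request:
    company_owned: bool
    classification: Classification
    password_ok: bool                   # result of the normal password check
    gps: Optional[Tuple[float, float]]  # client-reported, therefore untrusted
    sensitive_action: bool              # e.g. opening a wallet


def decide(req: Request) -> str:
    """Return 'allow', 'deny' or 'step-up' for a request."""
    if not req.password_ok:
        return "deny"                   # location never replaces authentication
    allowed = ACCESS_MATRIX[req.classification][0 if req.company_owned else 1]
    if not allowed:
        return "deny"                   # device class is not cleared for this data
    if req.sensitive_action:
        if req.gps is None:
            return "step-up"            # missing location does not grant anything
        lat, lon = req.gps
        inside = EUROPE_LAT[0] <= lat <= EUROPE_LAT[1] and EUROPE_LON[0] <= lon <= EUROPE_LON[1]
        if not inside:
            return "deny"               # reported position outside Europe
    return "allow"
```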
Enterprise Appstores
• Goal: distribute, secure and manage mobile apps through your own company-branded appstore.
• Applications available in the appstore have been approved by a strong validation process.