Appsecurity – Vinn eller forsvinn (App security – win or perish)
Source: files.meetup.com/18481432/appsecurityv01.pdf
Page 1
Mobile Security: App Security – Win or Lose
Date…
By Anders Flaglien
Security Consultant
Page 2
1000+ apps are released on Google Play and the App Store every day!
The most popular ones are downloaded
75 000 times a day.
There are many success factors that must be met
for your app to be successful, and one of these is
trust
Page 3
At least when you process business-confidential data…
Trust is «everything»
Copyright © 2015 Accenture All rights reserved.
Page 4
The top 10 downloaded apps* with more than 100 million downloads
all rely on users trusting them and the services they offer
*in Google Play according to Wikipedia, 26.10.2014
Page 5
Would you give a random app a lot of permissions to control
your device without your approval?
These are some of ONE app's 40+ permissions to do «whatever»:
• create accounts and set passwords
• change your audio settings
• draw over other apps
• take pictures and videos
• record audio
• modify or delete the contents of your USB storage
• modify the call log
• directly call phone numbers
• read the call log
• read your text messages (SMS or MMS)
• precise location (GPS and network-based)
• modify your contacts
• read calendar events plus confidential information
• add or modify calendar events and send email to guests without the owner's knowledge
Page 6
What is Trust?
…belief that someone or something is
reliable, good, honest, effective, secure…
How do we achieve this?
Page 7
Open Web Application Security Project (OWASP)
The OWASP Top 10 Mobile Risks (2014 list) help us secure mobile
applications for our clients, and they can help you too!
• M1: Weak Server Side Controls
• M2: Insecure Data Storage
• M3: Insufficient Transport Layer Protection
• M4: Unintended Data Leakage
• M5: Poor Authorization and Authentication
• M6: Broken Cryptography
• M7: Client Side Injection
• M8: Security Decisions Via Untrusted Inputs
• M9: Improper Session Handling
• M10: Lack of Binary Protections
Page 8
OWASP Top 10 Mobile Risks
Example 1: Broken Crypto
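As an added illustration of M6 (Broken Cryptography) combined with M2 (Insecure Data Storage), and not code from the talk: an app that stores the user's login PIN as an unsalted MD5 hash in its local preferences, beside a hardened version that uses a random salt, PBKDF2 and a constant-time comparison. The PIN value and the record layout are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# ---- Broken (M6 + M2): unsalted, fast hash written to local app storage ----
# Anyone who obtains the preferences file (rooted device, backup, lost phone)
# recovers the PIN offline in well under a second.

def store_pin_broken(pin: str) -> str:
    """Return the value a naive app would persist: hex(MD5(pin))."""
    return hashlib.md5(pin.encode()).hexdigest()


def crack_broken(stored_hex: str, digits: int = 6) -> Optional[str]:
    """Brute-force every PIN of the given length against the stored MD5."""
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        if hashlib.md5(pin.encode()).hexdigest() == stored_hex:
            return pin
    return None


# ---- Hardened: random per-record salt, slow KDF, constant-time verify ----

def store_pin_hardened(pin: str, iterations: int = 200_000) -> dict:
    """Return the record to persist: salt, iteration count and PBKDF2 output."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "dk": dk.hex()}


def verify_hardened(record: dict, pin: str) -> bool:
    """Recompute PBKDF2 with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256", pin.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(dk, bytes.fromhex(record["dk"]))


if __name__ == "__main__":
    pin = "031337"  # constructed sample PIN, not real data
    leaked = store_pin_broken(pin)
    print("broken record:", leaked, "-> cracked:", crack_broken(leaked))
    rec = store_pin_hardened(pin)
    print("hardened verify correct PIN:", verify_hardened(rec, pin))
    print("hardened verify wrong PIN:", verify_hardened(rec, "000000"))
```

The weakness in the broken variant is not that MD5 has collision problems; it is that the hash is fast and unsalted, so a stolen file is cracked instantly. The salted PBKDF2 record raises the cost per guess, but a 6-digit PIN still has only a million candidates, so the KDF buys time rather than safety. For a PIN the sound design is to keep the verifier off the device entirely (server-side check with rate limiting) or to let the PIN only unlock a key held in the platform's hardware-backed keystore.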
Page 9
Of all the apps out there, you should be able to trust that banking applications
are secure, right?
Page 10
OWASP Top 10 Mobile Risks
Example 3: Data leakage and lack of binary protection
Page 11
What if I make a game? Would I need to secure that?
Page 12
OWASP Top 10 Mobile Risks
Example 4: More than five risks in a combined scenario…
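As an added example, not code from the talk, of how several of the listed risks combine in a seemingly harmless game (the question posed on the earlier slide): a level-unlock endpoint that trusts an `is_premium` flag sent by the client (M1 Weak Server Side Controls, M8 Security Decisions Via Untrusted Inputs, M5 Poor Authorization and Authentication), beside a hardened version that derives the user from an HMAC-signed, expiring session token and checks the entitlement against server-side data (which also addresses M9 Improper Session Handling). The user names, the entitlement table, the signing key and the token format are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server-side state for the example. The signing key lives only on
# the server (secret store / KMS); it must never be compiled into the app.
SERVER_KEY = b"example-server-signing-key-not-for-production"
ENTITLEMENTS = {"alice": {"premium": True}, "bob": {"premium": False}}


# ---- Broken: the server lets the client decide (M1, M8, M5) ----

def unlock_levels_broken(request: dict) -> dict:
    """Grants the premium level pack to anyone who sends is_premium=true."""
    if request.get("is_premium"):
        return {"status": "ok", "level_pack": "all"}
    return {"status": "denied"}


# ---- Hardened: signed session + server-side entitlement check ----

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(user_id: str, ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Mint a token: base64url(payload) '.' base64url(HMAC-SHA256(payload))."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"sub": user_id, "exp": now + ttl_seconds},
                         separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_session(token: Optional[str], now: Optional[int] = None) -> Optional[str]:
    """Return the user id if the signature is valid and the token is unexpired."""
    if not token or token.count(".") != 1:
        return None
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _unb64(payload_b64)
        expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag_b64)):
            return None  # tampered payload or forged tag
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return None
    now = int(time.time()) if now is None else now
    sub, exp = claims.get("sub"), claims.get("exp")
    if not isinstance(sub, str) or not isinstance(exp, int) or exp <= now:
        return None  # malformed claims or expired session
    return sub


def unlock_levels_hardened(request: dict, now: Optional[int] = None) -> dict:
    """Ignore client claims; decide from the verified identity and server data."""
    user = verify_session(request.get("session"), now)
    if user is None:
        return {"status": "denied", "reason": "invalid or expired session"}
    if not ENTITLEMENTS.get(user, {}).get("premium", False):
        return {"status": "denied", "reason": "no premium entitlement"}
    return {"status": "ok", "level_pack": "all"}


if __name__ == "__main__":
    forged = {"is_premium": True, "session": issue_session("bob")}
    print("broken  :", unlock_levels_broken(forged))
    print("hardened:", unlock_levels_hardened(forged))
    print("alice   :", unlock_levels_hardened({"session": issue_session("alice")}))
```

The hardened handler never reads `is_premium` from the request at all: the only client input it consumes is the session token, and everything it proves is checked with the server's own key and the server's own entitlement table. Expiry is enforced server-side so a captured token has a bounded lifetime; a real deployment would also revoke tokens on logout and rate-limit the endpoint.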
Page 13
Scandinavian teenagers' favorite picture-sharing app has a not-so-appealing feature…
• The app's goal is to meet users' need to share
instant photos and videos without the fear that a post or
picture will be held against them in the future
Page 14
The examples show that we might have to
reconsider our trust in some of the top 10 apps…
…So how can we learn from others' mistakes and build trust?
Page 15
Executive Summary: Mobile Security
Mobile Security Strategy and Capabilities

Drivers (Business Values)
• Mobilize your workforce to work from anywhere and increase productivity
• Enable Bring Your Own Device (BYOD) to increase self-service, improve satisfaction, and reduce the Total Cost of Ownership (TCO)

Business Challenges
Organizational Challenges
• No organizational structure or buy-in from business units across the organization
• Lack of training, communication, and awareness
Process Challenges
• Lack of, or poorly defined, mobile security strategy
• Security policies driven by consumerization without consideration of security strategy make BYOD more of a risk to the enterprise
Technology Challenges
• Difficulty protecting sensitive data on mobile devices
• Growing Wi-Fi population and inappropriate controls within the infrastructure
• Unknown vulnerabilities: mobile application exploits, backend infrastructure, unauthorized access

Solution (Mobile Security Overview)
Governance
• Define processes, policies and support
• Identify preferred suppliers
Users/Identity
• Define role access, authorization, and authentication
• Understand usage and prepare users
Applications
• Securely develop, test and distribute apps
• Manage usage and connectivity to backend systems
Data
• Secure data (enterprise/personal) communication and protection
• Classification and functionality
Network
• Architecture to support new interactions (wireless, remote)
• Provide secure enterprise connectivity and monitoring
Device
• Define appropriate management program and supported platforms
• Secure the device while providing choice and flexibility to end users

Benefits (Technical Benefits)
• Reduction of threats and vulnerabilities
• Proper administration, controls, and technology to protect critical systems and data
Page 16
Several components need to be addressed to provide
comprehensive mobile security

Reference:
• Information Security Forum
• National Institute of Standards and Technology

[Figure: "Mobile Security" wheel with the segments Governance, Data, Application, Network, Users & Identity and Device]

Mobile Security Strategy: A comprehensive program and strategy to embed security throughout the enterprise's mobile lifecycle

Users & Identity
• Roles, authorization levels and authentication
• Evaluation / monitoring of usage patterns
• Program awareness and education

Applications
• SDLC development
• Testing
• Distribution / provisioning
• Access control
• Secure connection to backend systems and data (e.g. cloud)
• Monitoring / management

Data
• Classification
• Authentication
• Secure connection
• Strong encryption
• Data loss prevention
• Secure storage
• Audit and forensics

Network
• Voice
• Secure remote connectivity
• Monitoring and testing
• Wireless networking
• Use of untrusted and/or public networks

Device
• Security functionality
• Control connectivity
• Secure remote connections
• Disposal and wipe
• Synchronization / backup
• Ability to update
• Physical access
• Tracking / management

Governance
• Define processes and policies (ownership, connectivity, applications, privacy, audit / wipe)
• Support / training
• Identify preferred suppliers / service level for business
Page 17
Accenture contributed our view to the OWASP Top 10 Mobile
Risks and developed a solution framework to address them:
1. Insecure or unnecessary data storage and transmission
2. Applications with higher privileges than required and/or authorized
3. Use of (or failure to disable) insecure mobile device platform features in the application
4. Allowing access to resources without strong authentication
5. Malicious/counterfeit third-party code
6. Insecure or unnecessary interaction between applications and OS components
7. Server accepting unvalidated or unauthenticated input from mobile devices
8. Personal or corporate data leakage
9. Client-side injection and overflows
10. Client-side DoS

The OWASP Top 10 Mobile Security Risks empowered by the
Solution Landscape

Map Risk to the Mobile Environment
[Figure: the ten risks above placed across five layers: Mobile Apps, Mobile Platform/Device, Mobile Network, Enterprise Network/Enclave, Back End Services/Cloud. The figure groups risks 3, 4 and 5 together, risk 7 on its own, and risks 1, 2, 6, 8, 9 and 10 together.]

Solutions Landscape
[Figure: solution offerings placed across the same five layers]
• Mobile App Security Code Review
• Mobile App / Platform Security Review
• Mobile Device Threat Analysis
• Private Mobile App Stores
• Mobile Device Host-Based Security
• Secure Mobile Voice as a Service
• Mobile App PKE
Page 18
Mobile Security – Example Use Cases
Example use cases (not comprehensive)

Use Case – Key Considerations

Consumer Applications
• Protection of customer data
• Secure communication with service provider
• Maintaining trust and enhancing user experience

Enterprise Mobile Application
• Protection of enterprise data
• Distribution and management
• Enhanced productivity

Enterprise BYOD (User Owned)
• Limited controls on a privately owned device
• Balance between corporate and private data
• Governance of policies and procedures to control functionality (example: wiping the device, use of native controls)
• Asset management, authorization and authentication

Enterprise Provisioned Devices (Corporate Owned)
• Fully specified security configurations
• Balance between corporate and private data
• Governance of policies and procedures to control functionality (example: wiping the device, use of native controls)
• Asset management, authorization and authentication

Email Security
• Securing enterprise data and confidential information
• Maintaining user experience

Desktop Virtualization
• Leverage existing hardware investments or personally owned devices
• Protection of enterprise systems and data

Point of Sale / Connected Devices
• Device hardening
• Network hardening
• Protection of end user and enterprise systems and data (cross-industry)
Page 19
Questions?