Mobile Security

Post on 24-May-2015


Slides about mobile security presented during the BELTUG Security SIG ("Special Interest Group") in January 2013.

Transcript of Mobile Security

Mobile Security

“Bring war material with you from home but forage on the enemy” - Sun Tzu

Xavier Mertens, Beltug SIG Security - Jan 2013

Disclaimer

“The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”

Agenda

• Introduction: Top-10 mobile risks

• Company owned devices

• Employee owned device (BYOD)

• Risks inherent in mobile devices

• Mobile applications development

Top-10 Mobile Risks

• Insecure data storage

• Weak server side controls

• Insufficient transport layer protection

• Client side injection

• Poor authentication & authorization

• Improper session handling

• Secure decision via untrusted input

• Side channel data leakage

• Broken cryptography

• Sensitive information disclosure

(Source: OWASP)


Mobile devices are

Computers!

Company Owned Devices

Easy? Really?

• Limited set of manufacturers/OS

• Full control of hell?

• People try to escape the jail (as they do with laptops)

• Need procedures (backups, helpdesk)

Corporate Policy

• Must be communicated & approved before the device provisioning

• Communication channels: addendum to a contract, Intranet, a “check box”?

• Restrictions (SD cards, Bluetooth, camera)

• What about private data? (pictures, MP3, downloaded (paid!) apps)

Examples

• Document already available on beltug.be (Members section)

• Simple policy: http://www.security-marathon.be/?p=1466 (Jean-Sébastien Opdebeeck)

Data Classification

• Another approach is implementing data classification

• Implementation of the “least privileges” principle

• Access to data is based on profiles

• Works with any device! (a benefit broader than the scope of mobile devices)

Data Classification

Classification        Company Owned Devices   Personal Devices
Top-Secret            No                      No
Highly Confidential   No                      No
Proprietary           Yes                     No
Internal Use Only     Yes                     Yes
Public                Yes                     Yes

Employee Owned Devices

Why do people BYOD?

• Devices became cheaper and more powerful

• The “Generation Y”

• Always online everywhere!

First Question?

• Are you ready to accept personal devices on your network?

• It’s a question of ... risk!

• Examples:

• Data loss

• Network intrusion

• Data ex-filtration

“MDM”?

• Do you need an MDM (Mobile Device Management) solution?

• Can you trust $VENDORS?

• Microsoft Exchange includes ActiveSync for free

• Most security $VENDORS propose (basic) tools to handle mobile devices

Minimum Requirements

• Automatic lock + password

• No jailbroken devices

• Remote wipe

• Backups (who’s responsible?)
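The data classification table and the minimum requirements above describe a policy, so here is one way to turn them into an access decision. This is an added example in Go, not code from the slides; the Device fields, the rule that a non-compliant device gets no corporate data at all, and the sample devices are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Classification levels ordered from least to most sensitive, as in the
// slide's data classification table.
type Classification int

const (
	Public Classification = iota
	InternalUseOnly
	Proprietary
	HighlyConfidential
	TopSecret
)

func (c Classification) String() string {
	return [...]string{"Public", "Internal Use Only", "Proprietary",
		"Highly Confidential", "Top-Secret"}[c]
}

// Device holds the facts the policy needs about a mobile device.
// The field names are assumptions made for this example.
type Device struct {
	CompanyOwned bool
	AutoLock     bool // automatic screen lock enabled
	Passcode     bool // a password/PIN is set
	Jailbroken   bool // jailbroken or rooted
	RemoteWipe   bool // enrolled so the company can wipe it remotely
}

// MaxAllowed returns the most sensitive classification the slide's table
// permits for a device of the given ownership.
func MaxAllowed(companyOwned bool) Classification {
	if companyOwned {
		return Proprietary // Top-Secret and Highly Confidential stay off mobile
	}
	return InternalUseOnly // personal devices: Internal Use Only and Public
}

// ComplianceFailures lists the minimum requirements the device does not meet.
func ComplianceFailures(d Device) []string {
	var failures []string
	if !d.AutoLock {
		failures = append(failures, "automatic lock disabled")
	}
	if !d.Passcode {
		failures = append(failures, "no password set")
	}
	if d.Jailbroken {
		failures = append(failures, "device is jailbroken")
	}
	if !d.RemoteWipe {
		failures = append(failures, "remote wipe not enrolled")
	}
	return failures
}

// Decide returns whether the device may access data of classification c,
// plus a reason suitable for an audit log. A device failing any minimum
// requirement gets no corporate data at all (assumption: fail closed).
func Decide(d Device, c Classification) (bool, string) {
	if f := ComplianceFailures(d); len(f) > 0 {
		return false, "device not compliant: " + strings.Join(f, ", ")
	}
	owner := "personal"
	if d.CompanyOwned {
		owner = "company owned"
	}
	if c > MaxAllowed(d.CompanyOwned) {
		return false, fmt.Sprintf("%s data is not allowed on a %s device", c, owner)
	}
	return true, fmt.Sprintf("%s data allowed on a compliant %s device", c, owner)
}

func main() {
	// Constructed sample devices.
	corp := Device{CompanyOwned: true, AutoLock: true, Passcode: true, RemoteWipe: true}
	byod := Device{AutoLock: true, Passcode: true, RemoteWipe: true}
	rooted := Device{CompanyOwned: true, AutoLock: true, Passcode: true, Jailbroken: true, RemoteWipe: true}

	for _, tc := range []struct {
		name string
		d    Device
		c    Classification
	}{
		{"corporate/Proprietary", corp, Proprietary},
		{"BYOD/Proprietary", byod, Proprietary},
		{"BYOD/Internal Use Only", byod, InternalUseOnly},
		{"jailbroken corporate/Public", rooted, Public},
	} {
		ok, why := Decide(tc.d, tc.c)
		fmt.Printf("%-28s allow=%-5v %s\n", tc.name, ok, why)
	}
}
```

The compliance check runs before the classification lookup on purpose: a jailbroken device cannot be trusted to enforce the lock or the wipe, so the ownership column of the table no longer means anything for it.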

Risks Inherent In Mobile Devices

Personal Hotspots

• Tethering allows mobile devices to be used as hotspots

• Corporate devices (laptops) could bypass Internet access controls

• Risk of rogue routers (if IP forwarding is enabled)

Rogue App Stores

• Mobile devices without apps are less useful

• Owners tend to install any app

• Some apps request far more permissions than they need

• People trust app stores and developers

• Developers must write good code

QR Codes

Geolocalization

NFC

Home & Cars

Mobile Application Development

OWASP Mobile Security Project

• Mobile testing guide

• Secure mobile development guide

• Top-10 mobile controls and design principles

https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

Lack of/Bad Encryption

• Developers re-invent the wheel: do not write your own encryption algorithm

• Encrypt everything (data at rest, data in motion)
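To make "do not write your own encryption algorithm" concrete, here is what encrypting a local record with a vetted, standard construction looks like. This is an added example using Go's standard library AES-GCM, not code from the slides; the record content is constructed, and on a real device the key would come from the platform keystore rather than being generated in the app (an assumption not shown here).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey draws a fresh 256-bit key from the OS CSPRNG. On a real device the
// key would live in the platform keystore (assumption, not shown here).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext with AES-GCM. A random nonce is
// generated per call and prepended to the output so Open can find it again;
// reusing a nonce under the same key breaks GCM, so it is never a constant.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open verifies the authentication tag and decrypts. Any modification of
// the nonce, ciphertext or tag yields an error instead of garbage plaintext.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n+gcm.Overhead() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record an app might cache locally.
	record := []byte("account=BE00 0000 0000 0000;balance=1234")

	a, _ := Seal(key, record)
	b, _ := Seal(key, record)
	fmt.Println("same plaintext, different ciphertexts:", !bytes.Equal(a, b))

	plain, err := Open(key, a)
	fmt.Printf("round trip ok: %v (%q)\n", err == nil, plain)

	a[len(a)-1] ^= 0x01 // corrupt one byte of the stored blob
	_, err = Open(key, a)
	fmt.Println("tampering detected:", err != nil)
}
```

Two properties matter here and both come for free from the library: identical records do not produce identical ciphertexts (the random nonce), and a modified blob is rejected rather than decrypted (the authentication tag). A home-made cipher typically provides neither.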

Local VS. Remote Storage

          Pros                              Cons
Local     No network costs, Speed           Risk of loss, Outdated
Central   Always updated, No risk of loss   Data network ($), Speed

Geolocalization

• Again! But this time for a good purpose

• Do not allow some actions or apps (e.g. opening a wallet) if GPS data shows the phone outside Europe

• Combine with passwords for stronger authentication/authorization
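The two bullets above (geofence sensitive actions, combine with a password) fit together as a single authorization decision; here it is written out in Go as an added example that is not from the slides. The Fix fields, the coarse bounding box standing in for "Europe", the ten-minute freshness limit and the sample coordinates are all assumptions for the example; it also handles the case the slide does not mention, a missing or stale GPS fix, by failing closed.

```go
package main

import (
	"fmt"
	"time"
)

// Fix is a GPS position reported by the device and when it was taken.
// Field names are assumptions for this example.
type Fix struct {
	Lat, Lon float64
	TakenAt  time.Time
	Valid    bool // false when the device has no fix at all
}

// europeBox is a coarse bounding box standing in for "Europe" here; a real
// geofence would use proper polygons or the carrier's country (assumption).
var europeBox = struct{ minLat, maxLat, minLon, maxLon float64 }{34, 72, -25, 45}

// MaxFixAge: a fix older than this is treated as an unknown location.
const MaxFixAge = 10 * time.Minute

func InEurope(f Fix) bool {
	return f.Lat >= europeBox.minLat && f.Lat <= europeBox.maxLat &&
		f.Lon >= europeBox.minLon && f.Lon <= europeBox.maxLon
}

type Action int

const (
	ReadNews Action = iota
	OpenWallet
)

// sensitive reports which actions should be geofenced (wallet, per the slide).
func sensitive(a Action) bool { return a == OpenWallet }

type Decision int

const (
	Allow Decision = iota
	RequirePassword // step-up: ask for the password before continuing
	Deny
)

func (d Decision) String() string {
	return [...]string{"Allow", "RequirePassword", "Deny"}[d]
}

// Authorize combines location and password state. Sensitive actions are
// denied outside the trusted region, or when the location is unknown or
// stale (fail closed); inside it they still need a verified password.
func Authorize(a Action, f Fix, now time.Time, passwordVerified bool) Decision {
	if !sensitive(a) {
		return Allow
	}
	if !f.Valid || now.Sub(f.TakenAt) > MaxFixAge || !InEurope(f) {
		return Deny
	}
	if !passwordVerified {
		return RequirePassword
	}
	return Allow
}

func main() {
	now := time.Now()
	// Constructed sample fixes.
	paris := Fix{Lat: 48.85, Lon: 2.35, TakenAt: now, Valid: true}
	newYork := Fix{Lat: 40.71, Lon: -74.01, TakenAt: now, Valid: true}
	stale := Fix{Lat: 48.85, Lon: 2.35, TakenAt: now.Add(-time.Hour), Valid: true}

	fmt.Println("wallet in Paris, password ok: ", Authorize(OpenWallet, paris, now, true))
	fmt.Println("wallet in Paris, no password: ", Authorize(OpenWallet, paris, now, false))
	fmt.Println("wallet in New York:           ", Authorize(OpenWallet, newYork, now, true))
	fmt.Println("wallet with stale fix:        ", Authorize(OpenWallet, stale, now, true))
	fmt.Println("wallet with no fix:           ", Authorize(OpenWallet, Fix{}, now, true))
	fmt.Println("news in New York:             ", Authorize(ReadNews, newYork, now, false))
}
```

Passing the clock in as a parameter keeps the decision deterministic and testable; the location is one signal among others, so the password step-up stays in place even when the device reports a trusted region.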

Enterprise Appstores

• Goal: distribute, secure and manage mobile apps through your own company-branded appstore.

• Applications available in the appstore have been approved by a strong validation process.

Thank You!

Xavier Mertens
xavier@rootshell.be
@xme
http://blog.rootshell.be