Mobile Security - OWASP
Transcript of a slide deck by Max Veytsman, Security Consultant at Security Compass (max@securitycompass.com)
© 2011
Security Compass inc.
Mobile Security for the forgetful
Friday, May 20, 2011
Me
• Max Veytsman
• Security Consultant at Security Compass
Client-side mobile attacks
Lost and stolen computers account for a quarter of lost data
Stealing a phone: A demonstration
What’s on your phone?
• Contacts
• Call history
• Photos
• Text messages
What’s on your smartphone?
• Social networking
• GPS
• Mobile banking
• Corporate VPN
• Just about anything else you can think of
But my phone is password-protected!
Bypassing a password: A demonstration
Caveats
But I can remotely wipe my phone!
Faraday Cage

At least they won’t be able to pose as me.
Cloning

Spoofing identifiers

Weaponizing the Android Emulator
• Blog post forthcoming
• https://github.com/SecurityCompass/android_emulator_spoofing
“The enemy knows the system”
The enemy can
• Access the filesystem
• Decompile and read your code
• Use remote debugging to:
  • Access memory at runtime
  • Step through code branches
An Aside
Earlier: we made the phone accept any password. Is that an issue?
Hi Maxim,
Thank you for your note.
An attacker with the ability to modify /data/system/gesture.key already has root access on the phone. They can do much more damage to a phone than disabling or nulling out the screen unlock. The attack scenarios described already assume a compromised device.
Regards,
Nick
The Android Security Team
Our Goal: Root Access != Game Over
What can you do? As a developer
Encrypt data at rest (Or not to store anything)
Encryption is hard
Military grade encryption

Where do you put keys?
One answer is PBE (PKCS #5)
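The slide answers "Where do you put keys?" with password-based encryption (PKCS #5): the key is never written to the device, it is re-derived from the user's password each time. The following is an added example, not code from the talk or from Security Compass, showing what an app would persist instead of a key. It uses Python's standard-library PBKDF2-HMAC-SHA256 (the Android counterpart is a PBKDF2 `SecretKeyFactory` from `javax.crypto`); the iteration count, the check-value label and the record layout are assumptions chosen for the illustration.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Optional

ITERATIONS = 100_000             # assumed work factor; tune to the device's CPU budget
KEY_LEN = 32                     # 256-bit key
CHECK_LABEL = b"pbe-key-check"   # constant input for the key check value (assumed name)


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PKCS #5 PBKDF2-HMAC-SHA256. The key exists only in memory, while the
    password is available; nothing here ever writes it to storage."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def create_keystore_record(password: str) -> dict:
    """Everything the app is allowed to persist: KDF parameters, a random salt,
    and a key check value (HMAC of a constant under the key). No key material."""
    salt = os.urandom(16)
    key = derive_key(password, salt)
    check = hmac.new(key, CHECK_LABEL, "sha256").digest()
    return {
        "kdf": "pbkdf2-hmac-sha256",
        "iterations": ITERATIONS,
        "salt": base64.b64encode(salt).decode(),
        "check": base64.b64encode(check).decode(),
    }


def unlock(record: dict, password: str) -> Optional[bytes]:
    """Re-derive the key from the stored parameters and confirm the password
    matches before the key is handed to the cipher layer. Returns None on a
    wrong password (constant-time comparison of the check value)."""
    salt = base64.b64decode(record["salt"])
    key = derive_key(password, salt, record["iterations"])
    expected = base64.b64decode(record["check"])
    actual = hmac.new(key, CHECK_LABEL, "sha256").digest()
    if not hmac.compare_digest(actual, expected):
        return None
    return key


def record_leaks_key(record: dict, key: bytes) -> bool:
    """Check against the 'enemy reads the filesystem' threat from the earlier
    slide: the serialized record must not contain the key, raw or base64."""
    serialized = json.dumps(record).encode()
    return key in serialized or base64.b64encode(key) in serialized


if __name__ == "__main__":
    # Constructed sample: first run creates the record, later runs unlock it.
    record = create_keystore_record("correct horse battery staple")
    print(json.dumps(record, indent=2))
    assert unlock(record, "correct horse battery staple") is not None
    assert unlock(record, "password1") is None
    assert not record_leaks_key(record, unlock(record, "correct horse battery staple"))
```

The returned key is what you would feed to an authenticated cipher (AES-GCM from a real crypto library) for the data itself. Two design points matter here: the salt is per record, so the same password on two devices yields two different keys, and the check value gives anyone who copies the file an offline guessing oracle, which is exactly why the iteration count has to be as high as the device can tolerate and why a weak PIN undoes the whole scheme.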
...Or not to store anything.
Don’t trust the hardware
Be aware of Shannon’s Maxim
What can we do? As the security community
OWASP Mobile Security
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
Develop guidelines: Encrypting data at rest
Develop guidelines: Defensive mobile coding
Develop guidelines: Mobile incident response
What can you do? As a user
This is how we mitigate the risk of stolen laptops
Tell Android I sent you!
• http://code.google.com/p/android/issues/detail?id=10809
• http://code.google.com/p/android/issues/detail?id=11211
Full disk encryption: WhisperCore
(limited phone support, beta)
Be careful!
Photos
• http://www.flickr.com/photos/ripper/273262947/
• http://www.flickr.com/photos/boyce-d/5096202428/
• http://www.flickr.com/photos/arselectronica/5056212669/
• http://www.flickr.com/photos/robnwatkins/397488557/
• http://www.flickr.com/photos/miiitch/4880022048/
• http://www.flickr.com/photos/moxiemarlinspike/4730390878/
Questions?
• @mveytsman (I’m a sporadic twitter user, but trying to change)