
Page 1

W1 Track Session 4/20/2016 10:00 AM

"Usability vs. Security: Find the Right Balance in Mobile Apps"

Presented by:

Levent Gurses Movel

Brought to you by:

340 Corporate Way, Suite 300, Orange Park, FL 32073 888-268-8770 ∙ 904-278-0524 ∙ [email protected] ∙ www.techwell.com

Page 2

Levent Gurses Movel A developer, hacker, speaker, community organizer, and entrepreneur, Levent Gurses is president of Movel, a Washington DC area-based mobile app design and development company. Levent’s areas of expertise include mobile development, mobile and cloud security, wearables and Internet of Things (IoT), mobile user experience, maximizing the value of existing assets for hybrid and mobile-first apps, startups and strategies for building minimum viable products, mobile monetization, and enterprise mobility. Actively engaged in mobile and full-stack development communities, Levent frequently speaks on mobile strategy, user experience, and security at conferences, meetup groups, and user communities and associations.

Page 3

Levent Gurses, Movel, @gursesl

Mobile Dev + Test 2016

● The big idea
● Users will use, hackers will hack
● User experience
● Mobile security
● Wearables and IoT - usability vs. security
● Solution
  ○ The art
  ○ The science

Page 4

Page 5

Page 6

● Usability and security do not have to compete
● Good usability can improve security
● What’s needed is more thought and better tools
  ○ Risk assessment
  ○ Impact analysis
  ○ Careful usability design
  ○ Usability testing
  ○ Usability & security analytics
● Total Protection → Point Protection
  ○ ID & secure areas of high risk and impact

Page 7

● Does data security matter?

● Do users value good app experience?

● Do app store reviews matter?

Page 8

Page 9

Page 10

● Users wouldn't have to authenticate - permanent, automatic, biometric authentication

● Apps would have all data needed, at all times

● All data would be secure

● Servers would be protected

● No data would be stolen

● Stolen/lost devices

● Jailbreaking

● Rooting

● Man-in-the-middle attacks

● Phishing attacks

Page 11

● Passwords have caused more security issues than probably any other factor

● Weak/ineffective passwords have caused most of the hacks in recent years

● A spear phishing campaign can yield an administrator's username and password

● Non-admin user passwords are even harder to keep track of

● Solution: Make passwords more complex
  ○ Mix of capital letters
  ○ Lowercase and alpha
  ○ Min length

● Drawbacks
  ○ 70% of users forget a password if too long and/or complex. (Source: Ponemon Institute)
  ○ 90% of users would just leave a site if they have forgotten a password, instead of recovering it. (Source: Janrain)
  ○ 40% of respondents at least sometimes, or often, write passwords down (Source: Berkeley University Study)
  ○ 7.9 - number of unique passwords for an average user (Source: Janrain)

Page 12

Most passwords are not strong enough: users tend to choose meaningful, natural-language words that they can remember.

However, overzealous password rules can be annoying.

A password for the DHS E-file must:
● Contain from 8 to 16 characters
● Contain at least 2 of the following 3 character types: uppercase alphabetic, lowercase alphabetic, numeric
● Contain at least 1 special character (e.g., @, #, $, %, &, *, +, =)
● Begin and end with an alphabetic character
● Not contain spaces
● Not contain all or part of your UserID
● Not use 2 identical characters consecutively
● Not be a recently used password
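The rule set above as a rule-by-rule validator, an added example that is not part of the talk: it reports every rule a candidate breaks at once (so the UI can explain a rejection) and tallies which rules reject a batch of constructed sample attempts. The special-character set and the reading of "part of your UserID" are assumptions, noted in the code.

```python
"""Check a candidate password against the DHS E-file rules quoted on the slide (added example).
Assumptions: SPECIALS is exactly the slide's example list; "part of your UserID" means any
3+ character substring of the UserID, compared case-insensitively."""
from collections import Counter

SPECIALS = set("@#$%&*+=")  # assumption: the slide's example characters are the full set

def _userid_parts(user_id, min_len=3):
    """Lowercased substrings of the UserID with length >= min_len, plus the whole id."""
    u = user_id.lower()
    parts = {u[i:i + n] for n in range(min_len, len(u) + 1) for i in range(len(u) - n + 1)}
    parts.add(u)
    return {p for p in parts if p}

def policy_violations(password, user_id, recent_passwords=()):
    """Names of every rule the candidate breaks (empty list = accepted). Reporting all of
    them at once lets the UI explain a rejection instead of leaving the user to guess."""
    v = []
    if not 8 <= len(password) <= 16:
        v.append("length 8-16")
    classes = sum([any(c.isupper() for c in password), any(c.islower() for c in password),
                   any(c.isdigit() for c in password)])
    if classes < 2:
        v.append("at least 2 of upper/lower/digit")
    if not any(c in SPECIALS for c in password):
        v.append("at least 1 special character")
    if not (password[:1].isalpha() and password[-1:].isalpha()):
        v.append("begin and end with a letter")
    if " " in password:
        v.append("no spaces")
    if any(part in password.lower() for part in _userid_parts(user_id)):
        v.append("must not contain part of UserID")
    if any(a == b for a, b in zip(password, password[1:])):
        v.append("no 2 identical consecutive characters")
    if password in recent_passwords:
        v.append("not a recently used password")
    return v

# Constructed sample attempts for user "jdoe" (not real data), chosen to show which rules bite.
CANDIDATES = ["Summer2016", "Jdoe@2016x", "Tr0ub4dor&3", "Correct horse$Battery", "Secur1ty+Ux"]

def rejection_report(candidates, user_id):
    """Count rejected attempts and how often each rule fires: the 'password issues'
    metric the talk suggests tracking next to sign-up drop-offs."""
    counts, rejected = Counter(), 0
    for pw in candidates:
        bad = policy_violations(pw, user_id)
        rejected += bool(bad)
        counts.update(bad)
    return rejected, counts
```

On the constructed batch, 4 of the 5 attempts are rejected, and the "begin and end with a letter" and "no identical consecutive characters" rules each fire twice, which is the kind of per-rule friction data worth watching alongside sign-up dropout.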

Page 13

● Biometrics
  ○ Fingerprints
  ○ Iris recognition
  ○ Facial recognition
  ○ Voice recognition
● Tokens
  ○ Physical
  ○ Software

Page 14

● Better user engagement
● More secure apps
● Better reviews in the app store, which leads to
  ○ Increased sales in the app store
  ○ Brand value
● Better compliance
● Solid user and community growth

Page 15

A threat model focuses on the intersection of likely attack vectors with the points of human interaction. The resulting area is the surface that needs to be monitored for user behavior and assessed for vulnerabilities.

Page 16

● User engagement - before & after sign up
● Drops in sign ups
● Password/PIN issues
● Forgot my password
● Response times to auth
● Usage of biometric devices

Page 17


Page 19

Page 20

Page 21


Page 22

● App authentication
● API authentication
● App authorization
● API authorization
● Cookie management
● Data/Input validation
● Encryption
● Local storage
● Error handling/Information leakage
● Logging/Auditing
● Secure transport
● Certificate/key management
● Secure code environment
● Session management

Page 23

● Create UX metrics - e.g. sign up dropout rate
● Create A/B split tests
● Use app analytics to monitor user behavior
● Discover the balance point between security and usability

● Usability and security can coexist

● True security is an outcome of great user experience

● Cross-functional teams are key

● Model, measure, tweak.

● Repeat.