W1 Track Session 4/20/2016 10:00 AM
"Usability vs. Security: Find the Right Balance in Mobile Apps"
Levent Gurses Movel
Brought to you by:
340 Corporate Way, Suite 300, Orange Park, FL 32073 888-268-8770 904-278-0524 email@example.com www.techwell.com
Levent Gurses Movel A developer, hacker, speaker, community organizer, and entrepreneur, Levent Gurses is president of Movel, a Washington DC area-based mobile app design and development company. Levents areas of expertise include mobile development, mobile and cloud security, wearables and Internet of Things (IoT), mobile user experience, maximizing the value of existing assets for hybrid and mobile-first apps, startups and strategies for building minimum viable products, mobile monetization, and enterprise mobility. Actively engaged in mobile and full-stack development communities, Levent frequently speaks on mobile strategy, user experience, and security at conferences, meetup groups, and user communities and associations.
Levent Gurses, Movel@gursesl
Mobile Dev + Test2016
The big idea Users will use, hackers will hack User experience Mobile security Wearables and IoT - usability vs. security Solution
The art The science
Usability and security do not have to compete Good usability can improve security Whats needed is more thought and better tools
Risk assessment Impact analysis Careful usability design Usability testing Usability & security analytics
Total Protection Point Protection ID & secure areas of high risk and impact
Does data security matter?
Do users value good app experience?
Do app store reviews matter?
Users wouldn't have to authenticate - permanent,
automatic, biometric authentication
Apps would have all data needed, at all times
All data would be secure
Servers would be protected
No data would be stolen
Man-in-the middle attacks
Passwords have caused more security issues than probably any other factor
Weak/ineffective passwords have caused most of the hacks in recent years
Spear phishing campaign can result in administrator's username and password
Non-admin user passwords are even harder to keep track of
Solution: Make passwords more complex Mix of capital letters Lowercase and alpha Min length
Drawbacks 70% of users forget a password if too long and/or complex. (Source: Ponemon
Institute) 90% of users would just leave a site if they have forgotten a password, instead
of recovering it. (Source: Janrain) 40% of respondents at least sometimes, or often, write passwords down
(Source: Berkeley University Study) 7.9 - number of unique passwords for an average user (Source: Janrain)
Most passwords are not strong enough: users tend to choose meaningful, natural language words that they can remember
However, overzealous password rules can be annoying.
Password for the DHS E-file: Contain from 8 to 16 characters Contain at least 2 of the following 3 characters: uppercase alphabetic, lowercase
alphabetic, numeric Contain at least 1 special character (e.g., @, #, $, %, & *, +, =) Begin and end with an alphabetic character Not contain spaces Not contain all or part of your UserID Not use 2 identical characters consecutively Not be a recently used password
Biometrics Fingerprints Iris recognition Facial recognition Voice recognition
Tokens Physical Software
Better user engagement More secure apps Better reviews in the app store, which leads to
Increased sales in the app store Brand value
Better compliance Solid user and community growth
A threat model focuses on the intersection of likely attack vectors with the points of human interaction. The resulting area provides the surface to what needs to be monitored for user behavior and assessed for vulnerabilities.
User engagement - before & after sign up Drops in sign ups Password/PIN issues Forgot my password Response times to auth Usage of biometric devices
App authentication API authentication App authorization API authorization Cookie management Data/Input validation Encryption Local storage
Error Handling/Information leakage Logging/Auditing Secure transport Certificate/key management Secure Code Environment Session Management
Create UX metrics - e.g. sign up dropout rate Create A/B split tests Use app analytics to monitor user behavior Discover the balance point between security and usability
Usability and security can coexist
True security is an outcome of great user experience
Cross-functional teams are key
Model, measure, tweak.
W1_Cover Bio.pdf"Usability vs. Security: Find the Right Balance in Mobile Apps"