W01 Levent Gurses X


  • W1 Track Session 4/20/2016 10:00 AM

    "Usability vs. Security: Find the Right Balance in Mobile Apps"

    Presented by:

    Levent Gurses Movel

    Brought to you by:

    340 Corporate Way, Suite 300, Orange Park, FL 32073 888-268-8770 904-278-0524 info@techwell.com www.techwell.com


  • Levent Gurses, Movel: A developer, hacker, speaker, community organizer, and entrepreneur, Levent Gurses is president of Movel, a Washington DC area-based mobile app design and development company. Levent's areas of expertise include mobile development, mobile and cloud security, wearables and Internet of Things (IoT), mobile user experience, maximizing the value of existing assets for hybrid and mobile-first apps, startups and strategies for building minimum viable products, mobile monetization, and enterprise mobility. Actively engaged in mobile and full-stack development communities, Levent frequently speaks on mobile strategy, user experience, and security at conferences, meetup groups, and user communities and associations.

  • Levent Gurses, Movel, @gursesl

    Mobile Dev + Test2016

    The big idea

    Users will use, hackers will hack

    User experience

    Mobile security

    Wearables and IoT - usability vs. security

    Solution

    The art The science

  • Usability and security do not have to compete

    Good usability can improve security

    What's needed is more thought and better tools

    Risk assessment

    Impact analysis

    Careful usability design

    Usability testing

    Usability & security analytics

    Total Protection vs. Point Protection: identify and secure the areas of high risk and impact

  • Does data security matter?

    Do users value good app experience?

    Do app store reviews matter?

  • Users wouldn't have to authenticate - permanent,

    automatic, biometric authentication

    Apps would have all data needed, at all times

    All data would be secure

    Servers would be protected

    No data would be stolen

    Stolen/lost devices

    Jailbreaking

    Rooting

    Man-in-the-middle attacks

    Phishing attacks

  • Passwords have caused more security issues than probably any other factor

    Weak/ineffective passwords have caused most of the hacks in recent years

    Spear phishing campaign can result in administrator's username and password

    Non-admin user passwords are even harder to keep track of

    Solution: Make passwords more complex

    Mix of capital letters

    Lowercase and alpha

    Min length

    Drawbacks

    70% of users forget a password if too long and/or complex. (Source: Ponemon Institute)

    90% of users would just leave a site if they have forgotten a password, instead of recovering it. (Source: Janrain)

    40% of respondents at least sometimes, or often, write passwords down. (Source: Berkeley University Study)

    7.9 - number of unique passwords for an average user (Source: Janrain)


  • Most passwords are not strong enough: users tend to choose meaningful, natural language words that they can remember

    However, overzealous password rules can be annoying.

    Password for the DHS E-file must:

    Contain from 8 to 16 characters

    Contain at least 2 of the following 3 character types: uppercase alphabetic, lowercase alphabetic, numeric

    Contain at least 1 special character (e.g., @, #, $, %, &, *, +, =)

    Begin and end with an alphabetic character

    Not contain spaces

    Not contain all or part of your UserID

    Not use 2 identical characters consecutively

    Not be a recently used password
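    The rule set above is concrete enough to run, which makes the usability cost visible: the validator below is an added example (not the presenter's code) that encodes each DHS E-file rule as a separate check and returns every rule a candidate password breaks, then scores a constructed list of the kind of memorable passwords users actually pick. Two readings are assumptions because the slide does not pin them down: the special-character set is taken to be exactly the examples listed, and "part of your UserID" is taken to mean any case-insensitive fragment of three or more characters.

```python
"""Validator for the DHS E-file password rules quoted on the slide.

Added example, not the presenter's code. Each rule is its own check so
the caller gets the complete list of violations, which is what a sign-up
form has to show a user who is one bad error message away from leaving.
"""
import re
from typing import Iterable, List, Tuple

# ASSUMPTION: the slide says "e.g."; the full DHS set is not on the page,
# so only the listed examples are treated as special characters here.
SPECIAL_CHARS = set("@#$%&*+=")

# ASSUMPTION: "all or part of your UserID" is read as any case-insensitive
# substring of the user ID at least this long.
MIN_USERID_FRAGMENT = 3


def _contains_userid_fragment(password: str, user_id: str) -> bool:
    """True if any fragment of user_id (>= MIN_USERID_FRAGMENT chars) appears in password."""
    pw, uid = password.lower(), user_id.lower()
    for start in range(len(uid) - MIN_USERID_FRAGMENT + 1):
        for end in range(start + MIN_USERID_FRAGMENT, len(uid) + 1):
            if uid[start:end] in pw:
                return True
    return False


def policy_violations(password: str, user_id: str,
                      recent_passwords: Iterable[str] = ()) -> List[str]:
    """Return the descriptions of every rule `password` violates; [] means accepted."""
    violations = []

    if not 8 <= len(password) <= 16:
        violations.append("length must be 8 to 16 characters")

    # Count how many of the three character classes are present.
    classes = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
    ])
    if classes < 2:
        violations.append("must contain at least 2 of: uppercase, lowercase, numeric")

    if not any(c in SPECIAL_CHARS for c in password):
        violations.append("must contain at least 1 special character")

    # Slicing keeps this safe for the empty string (isalpha() on "" is False).
    if not (password[:1].isalpha() and password[-1:].isalpha()):
        violations.append("must begin and end with an alphabetic character")

    if " " in password:
        violations.append("must not contain spaces")

    if _contains_userid_fragment(password, user_id):
        violations.append("must not contain all or part of the user ID")

    # Backreference matches any character immediately followed by itself.
    if re.search(r"(.)\1", password):
        violations.append("must not use 2 identical characters consecutively")

    # Real systems compare against stored hashes; plaintext history is for illustration only.
    if password in set(recent_passwords):
        violations.append("must not be a recently used password")

    return violations


# Constructed sample: passwords a user might realistically remember.
SAMPLE_PASSWORDS = [
    "Summer2016!",            # '!' is not in the listed set, ends with a symbol, "mm"
    "correct horse battery",  # too long, one class, spaces, no special, "rr"/"tt"
    "Tr0ub4dor&3",            # ends with a digit
    "Apple#Pie9z",            # only fails on the doubled "pp"
    "jsmith@Home1x",          # contains the user ID
    "Maple#Pie9z",            # the only one that passes every rule
]


def acceptance_rate(passwords: Iterable[str], user_id: str = "jsmith") -> Tuple[int, int]:
    """Return (accepted, total) for a list of candidate passwords under the policy."""
    passwords = list(passwords)
    accepted = [p for p in passwords if not policy_violations(p, user_id)]
    return len(accepted), len(passwords)


if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw!r}: {policy_violations(pw, 'jsmith') or 'accepted'}")
    print("accepted/total:", acceptance_rate(SAMPLE_PASSWORDS))
```

    Run as a script it prints the violated rules for each sample and the acceptance count; only one of the six memorable candidates survives, which is the slide's point in numbers. Returning the full list rather than a bare boolean is the usability choice: a user told only "invalid password" is the one who, per the Ponemon and Janrain figures above, gives up.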

  • Biometrics: fingerprints, iris recognition, facial recognition, voice recognition

    Tokens: physical, software

  • Better user engagement

    More secure apps

    Better reviews in the app store, which leads to increased sales in the app store

    Brand value

    Better compliance

    Solid user and community growth

  • A threat model focuses on the intersection of likely attack vectors with the points of human interaction. The resulting area provides the surface to what needs to be monitored for user behavior and assessed for vulnerabilities.

  • User engagement - before & after sign up

    Drops in sign ups

    Password/PIN issues

    Forgot my password

    Response times to auth

    Usage of biometric devices

  • https://www.owasp.org/index.php/Application_Threat_Modeling

  • App authentication

    API authentication

    App authorization

    API authorization

    Cookie management

    Data/Input validation

    Encryption

    Local storage

    Error handling/Information leakage

    Logging/Auditing

    Secure transport

    Certificate/key management

    Secure code environment

    Session management

  • Create UX metrics - e.g. sign up dropout rate

    Create A/B split tests

    Use app analytics to monitor user behavior

    Discover the balance point between security and usability

    Usability and security can coexist

    True security is an outcome of great user experience

    Cross-functional teams are key

    Model, measure, tweak.

    Repeat.

  • Resources http://www.movel.co

    http://www.movel.co/company/events

    http://www.ponemon.org/local/upload/file/NokNokWP_FINAL_3.pdf

    https://www.owasp.org/index.php/Application_Threat_Modeling

    http://passwordresearch.com/stats/statistic101.html

    http://www1.janrain.com/rs/janrain/images/Industry-Research-Consumer-Perceptions-of-Online-Registration-and-Social-Login-2012.pdf
