Mobile Security Service Overview Nazar Tymoshyk Ph.D, R&D Manager/Security Consultant

Mobile security services 2012


Page 1: Mobile security services 2012

Mobile Security

Service Overview

Nazar Tymoshyk Ph.D, R&D Manager/Security Consultant

Page 2: Mobile security services 2012

Call History

Messages

Social Networking

Visited websites

Contacts

Mobile Banking

Videos, Photos, Documents

PINs & Passwords

Who knows more about you than your smartphone?

Page 3: Mobile security services 2012

Your mobile: always on, always with you!

Page 4: Mobile security services 2012

All Apps are considered safe until proven guilty by a security review

Page 5: Mobile security services 2012

Key Mobile Device Security Concerns

• Confidentiality
– Commercial Data (Ex: Financial, IP, etc.)
– Personal Data (Ex: Customer, Employee records, PCI, etc.)
– User Personal Data
– Diplomatic cables

• Accessibility
– Resource uptime
– High Availability / Recoverability
– Archive

Maintain device flexibility while protecting against security risks

Page 6: Mobile security services 2012

THE ANYTIME, ANYWHERE YOUNG WORKER

Prefers an unconventional work schedule, working anytime and anywhere

Believes he should be allowed to access social media and personal websites from company-issued devices

Checks Facebook page at least once a day

Doesn’t believe he needs to be in the office on a regular basis

Believes that IT is ultimately responsible for security, not him

Will violate IT policies if it’s necessary to get the job done

Owns multiple devices, such as laptops, tablets, and mobile phones (often more than one)

Page 7: Mobile security services 2012
Page 8: Mobile security services 2012

Man in the Middle attacks

Prevention of man-in-the-middle attacks on Wi-Fi

Page 9: Mobile security services 2012

Your company could be part of, or the victim of, a mobile botnet attack

Zeus bot for Mobile - Zitmo

Page 10: Mobile security services 2012

Mobile applications for Healthcare

Require HIPAA security assessments

Page 11: Mobile security services 2012

Competitors

They will do anything to get your secrets

Page 12: Mobile security services 2012

Mobile application Vulnerabilities:

• Sensitive data leakage (inadvertent or side channel)
• Unsafe sensitive data storage
• Unsafe sensitive data transmission
• Hardcoded passwords/keys

Page 13: Mobile security services 2012

Test Results regarding Availability of Secrets to Attackers in the Lost Device Scenario

Tested Account Type | Secret Type | Accessibility
AOL Email | Password | protected
Apple Push | Certificate + Token | w/o passcode
Apps using keychain with default protection | depends on App | protected
Apple-token-sync (MobileMe) | Token | w/o passcode
CalDav | Password | w/o passcode
Generic IMAP | Password | protected
Generic SMTP server | Password | protected
Google Mail | Password | protected
Google Mail as MS Exchange Account | Password | w/o passcode
iChat.VeniceRegistrationAgent | Token | w/o passcode
iOS Backup Password | Password | protected
LDAP | Password | w/o passcode
Lockdown Daemon | Certificate | w/o passcode
MS Exchange | Password | w/o passcode
Voicemail | Password | w/o passcode
VPN IPsec Shared Secret | Password | w/o passcode
VPN XAuth Password | Password | w/o passcode
VPN PPP Password | Password | w/o passcode
Website Account from Safari | Password | protected
WiFi (Company WPA with LEAP) | Password | w/o passcode
WiFi WPA | Password | w/o passcode
Yahoo Email | Token + Cookie | protected

("protected" = the secret is only readable once the device passcode is entered; "w/o passcode" = the secret can be read from a lost device without knowing the passcode.)

Page 14: Mobile security services 2012

What do you LOSE if your confidential data is leaked?

Page 15: Mobile security services 2012

Reputation
Trust
Money
Data
Time
Disciplinary actions
Clients

Page 16: Mobile security services 2012

SoftServe Mobile Security Portfolio

Mobile Application Security Assessment

Mobile Forensics

Mobile Network Security assessment

Mobile Device Management

Page 17: Mobile security services 2012

SoftServe Mobile Security Framework

Page 18: Mobile security services 2012

Mobile Forensics

1. Messaging (corporate Emails and banking SMS)
2. Audio (call activities and open microphone recording)
3. Video (still and full-motion)
4. Locations
5. Contact list
6. Call history
7. Browsing history and passwords
8. Input
9. Data files

Page 19: Mobile security services 2012

Vulnerability identification

Page 20: Mobile security services 2012

Mobile Device Management

• Manage policies
• Manage mobile applications
• Manage devices
• Control security
• Control passwords
• Control access

We partner with the MDM provider AirWatch

Page 21: Mobile security services 2012

How do we help you? (rework into mobile security)

Page 22: Mobile security services 2012
Page 23: Mobile security services 2012

Password vs. Bruteforce

Passcode Complexity | Bruteforce time
4 digits | 18 minutes
4 alphanumeric | 51 hours
5 alphanumeric | 8 years
8 alphanumeric | 13,000 years

Page 24: Mobile security services 2012

Mobile Banking

Page 25: Mobile security services 2012

Our Methodology

• OWASP Mobile
• Automated app analysis
– Static Analysis
– Dynamic Analysis
• OWASP Mobile Top 10 Risk mitigation methodology

Page 26: Mobile security services 2012

CLEAR TEXT SECRETS

• App fails to protect sensitive information, credentials
• OWASP Mobile: M1 - Insecure Data Storage

Page 27: Mobile security services 2012

CLEAR TEXT SECRETS EXAMPLE:

CREDENTIALS MANAGER (CVE-2011-1840)

Page 28: Mobile security services 2012

INSECURE CHANNELS EXAMPLE: SOCIAL NETWORKING

Page 29: Mobile security services 2012

DEBUG ENABLED

• App ships to market with logging or debugging features enabled
• Helps an attacker to learn the App's internals
• OWASP Mobile: M8 - Side Channel Data Leakage

Page 30: Mobile security services 2012

CROSS SITE SCRIPTING (XSS) EXAMPLE, IN CASE YOU MISSED IT

Page 31: Mobile security services 2012

DATA VALIDATION

• App fails to perform appropriate data validation
• Accounts for many common risks
• OWASP Mobile: M4 - Client Side Injection

Page 32: Mobile security services 2012

DATA VALIDATION MITIGATION

• Validate data for:
– Validity
– Safety
– Length
• For SQL queries use prepared statements
• Validate (sanitize) and escape data before rendering it in web Apps
• Use a white list approach instead of a black list approach. Check out the OWASP ESAPI libraries
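The three mitigations above (prepared statements, white-list validation, escaping before render) as an added example, not code from the original deck; it uses an in-memory SQLite table with constructed sample rows standing in for an app's local database:

```python
import html
import re
import sqlite3


def build_db():
    """Constructed sample data: a small local accounts table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", 100), ("bob", 250), ("carol", 75)])
    return db


def lookup_concat(db, username):
    # Vulnerable form: user input is pasted into the SQL text (M4, client side injection).
    sql = f"SELECT balance FROM accounts WHERE username = '{username}'"
    return sorted(row[0] for row in db.execute(sql))


def lookup_prepared(db, username):
    # Hardened form: the value is bound as a parameter and is never parsed as SQL.
    sql = "SELECT balance FROM accounts WHERE username = ?"
    return sorted(row[0] for row in db.execute(sql, (username,)))


# White list: describe what a valid username looks like and reject everything else.
# The exact character set and length are assumptions for this example.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,15}")


def validate_username(value):
    return USERNAME_RE.fullmatch(value) is not None


def render_username(value):
    # Escape before rendering in a web view so markup in data stays inert.
    return html.escape(value, quote=True)


def demo():
    db = build_db()
    injected = "x' OR '1'='1"            # constructed input that closes the quote
    return {
        "concat": lookup_concat(db, injected),      # every balance leaks
        "prepared": lookup_prepared(db, injected),  # no row matches
        "valid": validate_username("alice"),
        "rejected": validate_username(injected),
        "rendered": render_username("<b>alice</b>"),
    }
```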

Page 33: Mobile security services 2012

PII COMPROMISE

• App can collect plenty of PII information
– User: username, contacts, bookmarks
– Device: OS version, device name, IMEI, IMSI, kernel version, UUID
– General info: geolocation
• OWASP Mobile Risk Classification: M8 – Side Channel Data Leakage

Page 34: Mobile security services 2012

PII COMPROMISE MITIGATION

• Apps don't need to collect all they can, just what they need
• If collecting PII:
– Where is that info going?
• Log files
• Data storages
• Network
– Protect it:
• In transit
• At rest

Page 35: Mobile security services 2012

3RD PARTY LIBRARIES INTEGRATION

• App integrates 3rd party libraries:
– Facebook
– Greendroid
– Android.ads
– Apache
– google.android.apps.analytics
– Json
– Mozilla
– Javax
– xmlrpc.android
– slf4j

Page 36: Mobile security services 2012

3RD PARTY LIBRARIES INTEGRATION MITIGATION

• If using 3rd party libraries, use proven libraries
• What info are these libraries collecting?
• Do we really need social networking libs integrated into our finance apps?

Page 37: Mobile security services 2012

WEAK CRYPTO

• Incorrect use of crypto libraries
• Implementing a custom "bad ass" crypto algorithm
• OWASP Mobile: M9 - Broken Cryptography

Page 38: Mobile security services 2012

HARDCODED CREDENTIALS

• App contains credentials embedded in code
• Easy to spot by attackers
• OWASP Mobile: M10 - Sensitive Information Disclosure

Page 39: Mobile security services 2012

HARDCODED CREDENTIALS MITIGATION

• Easy: don't write credentials into code files
• What happens when the credentials change? You need to upload a new version of the app!
• Credentials need to use secure data storage
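A small static check that covers both the DEBUG ENABLED and the HARDCODED CREDENTIALS findings above, added here as an example and not part of the original deck or of any SoftServe tooling; the source lines and AndroidManifest.xml are constructed samples, and the literal-assignment pattern assumes Java/Kotlin-style code:

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Secret-looking names assigned a quoted literal of 4+ characters (assumed naming).
SECRET_RE = re.compile(
    r'(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\b\s*=\s*"([^"]{4,})"')


def find_hardcoded_secrets(lines):
    """Return (line_no, variable_name) for each literal secret in the source lines."""
    hits = []
    for no, line in enumerate(lines, 1):
        if line.lstrip().startswith("//"):   # skip commented-out code
            continue
        m = SECRET_RE.search(line)
        if m:
            hits.append((no, m.group(1)))
    return hits


def manifest_debuggable(manifest_xml):
    """True when the <application> element ships with android:debuggable="true"."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return False
    return app.get(f"{{{ANDROID_NS}}}debuggable", "false").lower() == "true"


# Constructed sample inputs; the key value is a placeholder, not a real credential.
SAMPLE_SOURCE = [
    'public class ApiClient {',
    '    private static final String API_KEY = "PLACEHOLDER_KEY_VALUE";',
    '    String password = "hunter2";',
    '    // password = "old-value"   (commented out, ignored)',
    '    String label = "Enter password";',
    '}',
]
SAMPLE_MANIFEST = (
    f'<manifest xmlns:android="{ANDROID_NS}" package="com.example.app">'
    '<application android:debuggable="true" android:label="Example"/>'
    '</manifest>'
)
```

Run the two checks in a pre-release build step; a non-empty hit list or a debuggable manifest should fail the build.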

Page 40: Mobile security services 2012
Page 41: Mobile security services 2012

Certifications

Ph.D in Security

Page 42: Mobile security services 2012

Security Clients 2010-2011:

Page 43: Mobile security services 2012

Do you have any QUESTIONS?