Mobile security services 2012
![Page 1: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/1.jpg)
Mobile Security Service Overview
Nazar Tymoshyk, Ph.D., R&D Manager / Security Consultant
![Page 2: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/2.jpg)
Who knows more about you than your smartphone?
Call History
Messages
Social Networking
Visited websites
Contacts
Mobile Banking
Videos, Photos, Documents
PINs & Passwords
![Page 3: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/3.jpg)
Your mobile: always with you! Always on.
![Page 4: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/4.jpg)
All Apps are considered safe until proven guilty by a security review
![Page 5: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/5.jpg)
Key Mobile Device Security Concerns
• Confidentiality
  – Commercial Data
    • Ex: Financial, IP, etc.
  – Personal Data
    • Ex: Customer, Employee records, PCI, etc.
    • User Personal Data
  – Diplomatic cables
• Accessibility
  – Resource uptime
  – High Availability / Recoverability
  – Archive
Maintain device flexibility while protecting against security risks
![Page 6: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/6.jpg)
THE ANYTIME, ANYWHERE YOUNG WORKER
Prefers an unconventional work schedule, working anytime and anywhere
Believes he should be allowed to access social media and personal websites from company-issued devices
Checks Facebook page at least once a day
Doesn’t believe he needs to be in the office on a regular basis
Believes that IT is ultimately responsible for security, not him
Will violate IT policies if it's necessary to get the job done
Owns multiple devices, such as laptops, tablets, and mobile phones (often more than one)
![Page 7: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/7.jpg)
![Page 8: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/8.jpg)
Man in the Middle attacks
Prevention of man-in-the-middle attacks for Wi-Fi
![Page 9: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/9.jpg)
Your company could be part of, or the victim of, a mobile botnet attack
Zeus bot for mobile: Zitmo
![Page 10: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/10.jpg)
Mobile applications for Healthcare require HIPAA security assessments
![Page 11: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/11.jpg)
Competitors
They will do anything to get your secrets
![Page 12: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/12.jpg)
Mobile application Vulnerabilities:
• Sensitive data leakage (inadvertent or side channel)
• Unsafe sensitive data storage
• Unsafe sensitive data transmission
• Hardcoded passwords/keys
![Page 13: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/13.jpg)
Test Results regarding Availability of Secrets to Attackers in the Lost Device Scenario

| Tested Account Type | Secret Type | Accessibility |
|---|---|---|
| AOL Email | Password | protected |
| Apple Push | Certificate + Token | w/o passcode |
| Apps using keychain with default protection | depends on App | protected |
| Apple-token-sync (MobileMe) | Token | w/o passcode |
| CalDav | Password | w/o passcode |
| Generic IMAP | Password | protected |
| Generic SMTP server | Password | protected |
| Google Mail | Password | protected |
| Google Mail as MS Exchange Account | Password | w/o passcode |
| iChat.VeniceRegistrationAgent | Token | w/o passcode |
| iOS Backup Password | Password | protected |
| LDAP | Password | w/o passcode |
| Lockdown Daemon | Certificate | w/o passcode |
| MS Exchange | Password | w/o passcode |
| Voicemail | Password | w/o passcode |
| VPN IPsec Shared Secret | Password | w/o passcode |
| VPN XAuth Password | Password | w/o passcode |
| VPN PPP Password | Password | w/o passcode |
| Website Account from Safari | Password | protected |
| WiFi (Company WPA with LEAP) | Password | w/o passcode |
| WiFi WPA | Password | w/o passcode |
| Yahoo Email | Token + Cookie | protected |
![Page 14: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/14.jpg)
What do you LOSE if your confidential data is leaked?
Reputation
Trust
Money
Data
Time
Disciplinary actions
Clients
![Page 16: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/16.jpg)
SoftServe Mobile Security Portfolio
Mobile Application Security Assessment
Mobile Forensics
Mobile Network Security Assessment
Mobile Device Management
![Page 17: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/17.jpg)
SoftServe Mobile Security Framework
![Page 18: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/18.jpg)
Mobile Forensics
1. Messaging (corporate Emails and banking SMS)
2. Audio (call activities and open microphone recording)
3. Video (still and full-motion)
4. Locations
5. Contact list
6. Call history
7. Browsing history and passwords
8. Input
9. Data files
![Page 19: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/19.jpg)
Vulnerability identification
![Page 20: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/20.jpg)
Mobile Device Management
• Manage policies
• Manage mobile applications
• Manage devices
• Control security
• Control passwords
• Control access
We are a partner of the MDM provider AirWatch
![Page 21: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/21.jpg)
How do we help you? (rework into mobile security)
![Page 22: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/22.jpg)
![Page 23: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/23.jpg)
Password vs. Bruteforce

| Passcode Complexity | Bruteforce time |
|---|---|
| 4 digits | 18 minutes |
| 4 alphanumeric | 51 hours |
| 5 alphanumeric | 8 years |
| 8 alphanumeric | 13,000 years |
![Page 24: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/24.jpg)
Mobile Banking
![Page 25: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/25.jpg)
Our Methodology
• OWASP Mobile
• Automated App analysis
  – Static Analysis
  – Dynamic Analysis
• OWASP Mobile Top 10 Risk mitigation methodology
![Page 26: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/26.jpg)
CLEAR TEXT SECRETS
• App fails to protect sensitive information and credentials
• OWASP Mobile: M1 - Insecure Data Storage
![Page 27: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/27.jpg)
CLEAR TEXT SECRETS EXAMPLE:
CREDENTIALS MANAGER (CVE-2011-1840)
![Page 28: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/28.jpg)
INSECURE CHANNELS EXAMPLE:SOCIAL NETWORKING
![Page 29: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/29.jpg)
DEBUG ENABLED
• App ships to market with logging or debugging features enabled
• Helps an attacker to learn the App's internals
• OWASP Mobile: M8 - Side Channel Data Leakage
![Page 30: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/30.jpg)
CROSS SITE SCRIPTING (XSS) EXAMPLE, IN CASE YOU MISSED IT
![Page 31: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/31.jpg)
DATA VALIDATION
• App fails to perform appropriate data validation
• Accounts for many common risks
• OWASP Mobile: M4 - Client Side Injection
![Page 32: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/32.jpg)
DATA VALIDATION MITIGATION
• Validate data for:
  – Validity
  – Safety
  – Length
• For SQL queries use prepared statements
• Validate (sanitize) and escape data before rendering, for web Apps
• Use a white list approach instead of a black list approach. Check out the OWASP ESAPI libraries
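The three mitigations on this slide (allow-list validation with a length bound, prepared statements, escaping before render) in one small example. This is an added illustration, not code from the deck or from SoftServe; the field names, the `RULES` table and the two-row account database are constructed for the example, and the "before" function is kept only to show what the prepared statement prevents.

```python
import html
import re
import sqlite3

# Allow-list rules per input field: accepted pattern and maximum length.
# Constructed for this example; a real app defines one rule per field it accepts.
RULES = {
    "username": (re.compile(r"[A-Za-z0-9_.-]+"), 32),
    "account_no": (re.compile(r"[0-9]{8,12}"), 12),
}


def validate(field, value):
    """Valid, safe and bounded: the whole value must match the allow-list and fit the length."""
    pattern, max_len = RULES[field]
    return len(value) <= max_len and pattern.fullmatch(value) is not None


def open_db():
    """In-memory SQLite seeded with two constructed rows so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 250)])
    return conn


def balance_unsafe(conn, username):
    # 'Before' form: the input is spliced into SQL text, so a quote in the input
    # rewrites the query instead of being treated as data.
    sql = "SELECT balance FROM accounts WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def balance(conn, username):
    """Hardened form: allow-list check first, then a prepared statement with the value bound."""
    if not validate("username", username):
        raise ValueError("rejected input for username")
    cur = conn.execute("SELECT balance FROM accounts WHERE username = ?", (username,))
    return [row[0] for row in cur]


def render_greeting(username):
    """Escape before rendering so the value can never become HTML markup."""
    return "<p>Hello, " + html.escape(username, quote=True) + "</p>"
```

The allow-list rejects the quote before the query is ever built, and the bound parameter would treat it as plain text even if validation were skipped; the two layers are deliberately redundant.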
![Page 33: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/33.jpg)
PII COMPROMISE
• App can collect plenty of PII information
  – User: username, contacts, bookmarks
  – Device: OS version, device name, IMEI, IMSI, kernel version, UUID
  – General info: geolocation
• OWASP Mobile Risk Classification: M8 – Side Channel Data Leakage
![Page 34: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/34.jpg)
PII COMPROMISE MITIGATION
• Apps don't need to collect all they can, just what they need
• If collecting PII:
  – Where is that info going?
    • Log files
    • Data storages
    • Network
  – Protect it:
    • In transit
    • At rest
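Log files are the first destination the slide names, and the one most often forgotten. The following added example (not from the deck or SoftServe) shows a logging filter that masks the device and user identifiers listed on the previous slide before a record reaches the handler. The regular expressions and the two sample events are constructed for the example; the IMEI and coordinates are made up.

```python
import io
import logging
import re

# Patterns for the identifiers the slide lists as PII. Constructed for this
# example; tighten or extend them for the fields your app actually handles.
IMEI_RE = re.compile(r"\b\d{15}\b")                             # IMEI: 15 digits
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")
GEO_RE = re.compile(r"-?\d{1,3}\.\d{3,},\s*-?\d{1,3}\.\d{3,}")  # "lat, lon" pair


def redact(text):
    """Mask PII so a message is safe to write to a log file."""
    text = IMEI_RE.sub(lambda m: m.group()[:4] + "*" * 11, text)  # keep a short prefix for support
    text = EMAIL_RE.sub("[email]", text)
    text = GEO_RE.sub("[geo]", text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites each record's formatted message before the handler writes it."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def log_with_redaction(messages):
    """Log the given messages through the filter; return the lines that would hit disk."""
    logger = logging.getLogger("pii-demo")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    for m in messages:
        logger.info(m)
    return buf.getvalue().splitlines()


# Constructed sample events of the kind an app might log during registration.
SAMPLE_EVENTS = [
    "device 356938035643809 registered for alice@example.com",
    "last fix 49.8397, 24.0297",
]
```

Attaching the filter to the handler rather than to individual call sites means a developer cannot forget it on one log line; the same filter can be reused on a crash-reporting handler that sends records over the network.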
![Page 35: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/35.jpg)
3RD PARTY LIBRARIES INTEGRATION
• App integrates 3rd party libraries:
  – Facebook
  – Greendroid
  – Android.ads
  – Apache
  – google.android.apps.analytics
  – Json
  – Mozilla
  – Javax
  – xmlrpc.android
  – slf4j
![Page 36: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/36.jpg)
3RD PARTY LIBRARIES INTEGRATION MITIGATION
• If using 3rd party libraries, use proven libraries
• What info are these libraries collecting?
• Do we really need social networking libs integrated into our finance apps?
![Page 37: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/37.jpg)
WEAK CRYPTO
• Incorrect use of crypto libraries
• Implementing a custom "bad ass" crypto algorithm
• OWASP Mobile: M9 - Broken Cryptography
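One common instance of "incorrect use of crypto libraries" is storing a credential as a bare, unsalted hash. The following added example (not from the deck or SoftServe) puts that form next to a salted, iterated PBKDF2-HMAC-SHA256 record with constant-time verification, using only the Python standard library. `ITERATIONS` is an assumed work factor for the example; the per-guess cost it buys is the same lever behind the passcode brute-force table earlier in the deck.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2. Assumption for this example; calibrate on the target device.
ITERATIONS = 100_000


def hash_password_weak(password):
    # 'Before' form: one unsalted MD5 pass. Two users with the same password get the
    # same digest, and each guess costs an attacker a single cheap hash.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as a self-describing record."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or legacy format is never accepted silently
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

The record carries its own algorithm name, iteration count and salt, so the work factor can be raised later without breaking verification of older entries.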
![Page 38: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/38.jpg)
HARDCODED CREDENTIALS
• App contains credentials embedded in code
• Easy to spot by attackers
• OWASP Mobile: M10 - Sensitive Information Disclosure
![Page 39: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/39.jpg)
HARDCODED CREDENTIALS MITIGATION
• Easy: don't write credentials into code files
• What happens when the credentials change? You need to publish a new version of the app!
• Credentials need to use secure data storages
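The methodology slide lists automated static analysis, and hardcoded credentials and shipped debug settings are exactly the findings such a pass catches cheaply. The following is an added example of that check, not the deck's or SoftServe's own tooling: three line-level patterns covering this slide (M10) and the DEBUG ENABLED slide (M8), run over a constructed two-file Android project shown before and after mitigation. The `secureStore` helper in the "after" sample is hypothetical; `android:debuggable`, `BuildConfig.DEBUG` and `android.util.Log` are real Android names.

```python
import re

# Each check pairs a label (using the OWASP Mobile risk names from the slides)
# with a pattern over a single source line. Constructed for this example.
CHECKS = [
    ("M10 hardcoded credential",
     re.compile(r'(?i)\b(password|passwd|secret|api[_-]?key|token)\s*=\s*"[^"]{4,}"')),
    ("M8 debuggable build",
     re.compile(r'android:debuggable\s*=\s*"true"')),
    ("M8 debug logging",
     re.compile(r'\bLog\.[dv]\(')),
]


def scan_source(name, text):
    """Return (file, line_no, label, line) for every check that matches a line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in CHECKS:
            if pattern.search(line):
                findings.append((name, lineno, label, line.strip()))
    return findings


def scan_files(files):
    """files: dict of path -> contents. Returns all findings across the project."""
    out = []
    for path, text in files.items():
        out.extend(scan_source(path, text))
    return out


# Constructed sample project: a manifest and one activity, before mitigation.
SAMPLE_BEFORE = {
    "AndroidManifest.xml": '<application android:debuggable="true" android:label="Demo">',
    "Login.java": "\n".join([
        "public class Login {",
        '    private static final String API_KEY = "EXAMPLE-KEY-0000";',
        '    String password = "hunter2";',
        '    void go() { Log.d("Login", "token=" + API_KEY); }',
        "}",
    ]),
}

# The same project after mitigation: secret read from protected storage (hypothetical
# secureStore helper), debug flag off, logging gated on the build type.
SAMPLE_AFTER = {
    "AndroidManifest.xml": '<application android:debuggable="false" android:label="Demo">',
    "Login.java": "\n".join([
        "public class Login {",
        '    String apiKey = secureStore.get("api_key");',
        '    void go() { if (BuildConfig.DEBUG) Log.i("Login", "starting"); }',
        "}",
    ]),
}
```

Line-level patterns of this kind produce false positives (a test fixture, a placeholder string); the value of the check is that it runs on every build, so a real secret cannot reach the market unnoticed, and each hit is cheap to triage by hand.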
![Page 40: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/40.jpg)
![Page 41: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/41.jpg)
Certifications
Ph.D in Security
![Page 42: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/42.jpg)
Security Clients 2010-2011:
![Page 43: Mobile security services 2012](https://reader033.vdocuments.us/reader033/viewer/2022061106/5415d6aa8d7f72316c8b481b/html5/thumbnails/43.jpg)
Do you have any QUESTIONS?