1. Ascure (c) - www.ascure.com March 2011
Mobile Security
From a strategic, tactical and operational point of view
Bart De Win
March 28, 2011
About Ascure & the speaker
• Ascure
– Ascure is a leading, independent provider of information security services
– We combine in-depth knowledge with the necessary experience to meet your organization’s information security challenges and needs.
– Multi-disciplinary teams to provide the right strategic, architectural and operational services & technologies
– Ascure Academy
• Myself
– Principal Risk Management Consultant
– Leading the competence center on Secure Applications
– Ph.D. in CS (topic: application security)
– Author of >60 scientific publications
Mobile Security - Mobile in Business 1
Mobile Platforms
• Your enterprise will be faced with integrating mobile platforms
• People will be using their favorite platform in your environment
Mobile malware
Agenda
• Enterprise strategy
• Secure platform
• Secure application
Enterprise Strategy
Philosophy
• There is no such thing as the best platform
• Strategic considerations:
– Controlled vs. open platform
– Within or beyond enterprise boundaries
– Is it considered a trusted part of your network?
– Does it make sense to separate business/private or high/low risk?
Data Protection
• Enterprise data will be stored on smartphones
– Mail, Office documents, Customer data, ...
• Strategic considerations
– Which data (public vs. confidential)
– Enterprise policy
– Full device encryption (including SD!)
– Remote wipe & localization
Application Management
• A smartphone without applications is like ...
• Do you support trusted vs. arbitrary apps?
– Who defines and assesses trust?
• Think of the difference between the iPhone AppStore and the Android Market
Incident Management & Disaster Recovery ?
Secure Platform Considerations
Physical device security
• Small & agile devices -> high risk of loss
• Real solutions are scarce
– Do they really provide benefits?
• Consider remote disabling & tracking software
System hardening
• User authentication
• Update & Patch management
– Core libraries vs. applications
• Virus scanners
• Running services
• And then there is jailbreaking ...
Privilege management
• Enforce whether users can:
– Install/update software
– Use communication technology
• WLAN
• Bluetooth
– Synchronize with arbitrary devices
– ...
• And then there is jailbreaking ...
Secure Application Considerations
It’s life, Jim, but not (exactly) as we know it …
• Many commonalities with regular (web)applications
– Computing paradigm
– Fully functional platforms
– Never trust the client
– Insecure programming models
• But, also important differences
– Different security models
– Restricted security mechanisms
– Multiple communication mechanisms
Common security models
• All-or-nothing vs. more fine-grained models
– Typically based on code signing
• Sometimes apps can access each other ...
Rights Management
• Typically based on application signatures
• Application Rights Management can be complex
• Android vs. iPhone approach
– Android has 117 different permissions
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.app.myapp" >
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    ...
</manifest>
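As an added illustration of how an enterprise can apply the "trusted vs. arbitrary apps" and least-privilege considerations above to the Android permission model, the following Python script (written for this page, not Ascure's or Android's own tooling) reads the <uses-permission> entries of an AndroidManifest.xml and checks them against a hypothetical allowlist; the sample manifest and the policy sets are constructed for the example.

```python
"""Check the permissions an Android app requests in its AndroidManifest.xml
against an enterprise allowlist before admitting it to managed devices."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not from a real app), extending the slide's snippet.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.app.myapp">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
</manifest>
"""

# Hypothetical policy for a business mail client: what it is expected to need,
# and which requests touch private or high-risk data and need a manual review.
ALLOWED = {"android.permission.INTERNET"}
REVIEW_REQUIRED = {
    "android.permission.RECEIVE_SMS": "can read incoming SMS (e.g. one-time codes)",
    "android.permission.READ_CONTACTS": "reads the address book (personal data)",
    "android.permission.ACCESS_FINE_LOCATION": "tracks the user's location",
}


def requested_permissions(manifest_xml):
    """Return the names declared in <uses-permission> elements, in manifest order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # android:name, namespace-qualified
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def assess(manifest_xml, allowed=ALLOWED, review=REVIEW_REQUIRED):
    """Sort each requested permission into allowed / review (with reason) / unknown."""
    verdict = {"allowed": [], "review": {}, "unknown": []}
    for perm in requested_permissions(manifest_xml):
        if perm in allowed:
            verdict["allowed"].append(perm)
        elif perm in review:
            verdict["review"][perm] = review[perm]
        else:
            verdict["unknown"].append(perm)  # not covered by policy: also needs a look
    return verdict


def is_least_privilege(manifest_xml, allowed=ALLOWED, review=REVIEW_REQUIRED):
    """True only when every requested permission is on the allowlist."""
    v = assess(manifest_xml, allowed, review)
    return not v["review"] and not v["unknown"]
```

Unknown permissions are reported separately from the review list so that a policy gap (a permission nobody classified) is visible rather than silently approved.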
Top 10 mobile risks (OWASP)
• Insecure or unnecessary client-side data storage
• Lack of data protection in transit
• Personal data leakage
• Failure to protect resources with strong authentication
• Failure to implement least privilege authorization policy
• Client-side injection
• Client-side DoS
• Malicious third-party code
• Client-side buffer overflow
• Failure to apply server-side controls
Top 10 Security Controls (OWASP)
• Protect data at rest
• Protect data in transport
• Multi-factor authentication
• Session management
• Least privilege access control
• Untrusted data validation
• Output encoding
• Enterprise device management
• Keep business logic on the server
• Platform security
Application Testing
• Importance of static & dynamic testing
– Source code review, disassembly, reverse engineering, patch analysis
– Debugging, network traffic analysis, remote service attacking
=> Tools are available for key platforms
• Emulators come in handy to “play” with security/platform assumptions
• Communication facilities
Conclusion
• Mobile security is not a new type of game, although it has its specificities
• You’re working with a fully functional platform!
• Enterprise roll-out requires careful considerations
• Application security is a must and a challenge