Fresh Digital Group
Building Mobile Security




We Strategize. We Execute. We Deliver. On All Screens.
The Problem: Vulnerabilities
- OS Vulnerabilities
  - Server
  - Clients
- Transport Vulnerabilities
  - Network
- App Vulnerabilities
  - Client
  - Middleware
  - Servers


The Problem: App Security
- Apps exist in the market to make $$$, not to protect you or your information
- Gold Rush Mentality
  - Developers are extremely rushed to produce apps
  - Leading to security suffering


The Problem: Enterprise Issues
- Transforming how people work
  - Insurance agents close deals in real time on their iPad
  - Doctors can review secure messages and patient records from a restaurant
  - Social workers carry tablets to each client's home, take images, update records




The Problem: Enterprise Issues
- The mobile ecosystem introduces an exponentially expanded attack surface compared to past introductions
  - Non-Managed Firmware
  - Non-Managed Networks
  - Non-Managed OSs
  - Non-Managed Applications
  - Non-Managed Data Flows
- Significant economic impacts from past situations with fewer variables and complexities
  - Email: I Love You virus = $10B
  - Web Servers: Code Red = $9B
  - PCs: Blaster = $5B



Most Vulnerable Securities




The Problem: Mobile Hacking
- Old Process: 5 steps to monetize a vulnerability
  Exploit > Install > Data Theft > Data Sale > Profit
- New Process: 3 steps to monetize a vulnerability
  Exploit > Install > Profit


App Vulnerabilities: Mobile App Threat
- Many considerations
  - Platforms vary substantially
  - Similar to, but still very different from, a traditional web app, even when heavy with client-side code
- It's more than just apps
  - Cloud/network integration
  - Device platform considerations
- Most mobile apps are basically web apps
  - But with more client "smarts", almost all web weaknesses are relevant, and more



Mobile Threat Model
(Threat-model diagram; the threats shown on the slide are:)
- Missing Device
- Lost Device
- Malicious QR code
- Spoofing
- Social Engineering
- Carrier Network Breach
- Tampering
- Repudiation
- Untrusted NFC tag or Peer
- Toll Fraud
- Malware
- Modifying Local Data
- Insecure WiFi Network
- Improper Session Handling
- Client Side Injection
- Malicious Application
- Weak Authentication
- Flawed Authentication
- Weak Authorization
- Push Notification Flooding
- Crashing Apps
- Sandbox Escape
- Compromised Credentials
- Compromised Device
- Backend Breach
- Excessive API Usage
- Elevation of Privilege
- Denial of Service
- DDoS
- Information Disclosure
- Reverse Engineering Apps



Biggest Issue: Lost/Stolen Device
- Anyone with physical access to your device can get to a wealth of data
  - PIN is not effective
  - App data
  - Keychains
  - Properties
- Disk encryption helps, but we can't count on users using it
- Apps must protect users' local data storage


Lost/Stolen Device -> Insecure Data Storage
- Sensitive data left unprotected
- Applies to locally stored data + cloud-synced data
- Generally a result of:
  - Not encrypting data
  - Caching data not intended for long-term storage
  - Weak or global permissions
  - Not leveraging platform best practices
- Impact:
  - Confidentiality of data lost
  - Credentials disclosed
  - Privacy violations
  - Non-compliance
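Two of the causes above (weak or global permissions, and caching data that was never meant for long-term storage) can be checked mechanically against an app's storage container. The following audit is an added example, not code from the Fresh Digital Group deck; it uses a constructed sandbox-style directory with POSIX file modes as a stand-in for a real device container, and the name heuristics for sensitive files and cache directories are assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple

# Assumed heuristics: filename fragments that suggest credentials or session
# material, and directory names the platform treats as scratch space.
SENSITIVE_HINTS = ("cookie", "session", "token", "credential", "password", "keychain")
CACHE_DIR_HINTS = ("cache", "caches", "tmp", "temp")

WEAK_PERMS = "weak permissions: readable by group or others"
CACHED_SECRET = "sensitive data cached in scratch storage"


def is_group_or_world_readable(path: Path) -> bool:
    """True if the file mode grants read access beyond the owner."""
    mode = path.stat().st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def looks_sensitive(path: Path) -> bool:
    name = path.name.lower()
    return any(hint in name for hint in SENSITIVE_HINTS)


def in_cache_dir(path: Path, root: Path) -> bool:
    """True if any directory between the container root and the file is scratch space."""
    parts = path.relative_to(root).parent.parts
    return any(part.lower() in CACHE_DIR_HINTS for part in parts)


def audit_app_storage(root) -> List[Tuple[str, str]]:
    """Walk the container and return (relative path, finding) pairs, sorted by path."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if is_group_or_world_readable(path):
            findings.append((rel, WEAK_PERMS))
        if looks_sensitive(path) and in_cache_dir(path, root):
            findings.append((rel, CACHED_SECRET))
    return findings


def build_sample_app_container() -> str:
    """Constructed sample layout mimicking an app sandbox; not a real app's data."""
    root = Path(tempfile.mkdtemp(prefix="app_container_"))
    files = {
        "Documents/notes.txt": 0o600,                     # owner-only: fine
        "Documents/prefs.plist": 0o644,                   # world-readable: flagged
        "Library/Caches/session_cookies.json": 0o600,     # secret in cache dir: flagged
    }
    for rel, mode in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample content\n")
        os.chmod(p, mode)
    return str(root)


if __name__ == "__main__":
    for rel, finding in audit_app_storage(build_sample_app_container()):
        print(f"{rel}: {finding}")
```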




Second Biggest Issue: Insecure Comms
- Without additional protection, mobile devices are susceptible to the "coffee shop attack"
  - Anyone on an open WiFi can eavesdrop on your data
  - No different than any other WiFi device really
- Your apps MUST protect your users' data in transit
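Protecting data in transit comes down to two app-side rules: never talk to a plaintext endpoint, and never weaken certificate verification to make a connection "work". The following is an added example, not from the deck, using Python's standard ssl module as a stand-in for a mobile HTTP client's TLS configuration; the endpoint URLs are constructed, and the weak context is shown only so the safe one can be checked against it.

```python
import ssl
from urllib.parse import urlparse


def ensure_https(url: str) -> str:
    """Reject any API endpoint that is not https://; return the URL unchanged if it passes."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"refusing non-TLS endpoint: {url}")
    return url


def rejects_plaintext(url: str) -> bool:
    """True if ensure_https() refuses the URL (used for audits and tests)."""
    try:
        ensure_https(url)
    except ValueError:
        return True
    return False


def hardened_client_context() -> ssl.SSLContext:
    """Client context with certificate and hostname verification on, TLS 1.2 minimum."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_context_for_comparison() -> ssl.SSLContext:
    """The configuration that makes the coffee-shop attack trivial: no verification at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                  # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Policy check an app can run at startup before any request is sent."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


if __name__ == "__main__":
    print("hardened safe:", context_is_safe(hardened_client_context()))
    print("weak safe:", context_is_safe(weak_context_for_comparison()))
    print("http rejected:", rejects_plaintext("http://api.example.com/v1/accounts"))
```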




Case Study Examples: Mint.com
- Mint.com: a financial service aggregator that relies on targeted marketing/lead generation, 5M+ active users
- How it works:
  - Create Mint.com account
  - Link financial accounts to Mint.com
  - Install mobile application and enter Mint.com credentials
  - View all financial account activity within app


Lost Device Example
- Physical iOS Exploit Scenario
  - Lost iPhone > Recovered by data harvester > 4-digit PIN bypassed in 3 minutes > User partition copied > Mint.com cookies and configuration copied to attack iOS platform
  - Full Mint.com mobile access in 20 minutes or less




Remote iOS Exploit Scenario
- Un-patched iOS device is compromised through URL handling exploit
- Attacker bundles keylogger as exploit payload
- User installs Mint.com and links mobile application to Mint.com account
- Attacker programs compromised phone to schedule daily dumps of keystroke logs



Common Security Mechanisms: How to Build in Security
- Input validation
- Output escaping
- Authentication
- Session handling
- Protecting secrets
  - At rest
  - In transit
- SQL connections




Authorization Basics
- Question every action
  - Is the user allowed to access this:
    • File
    • Function
    • Data
- By role or by user
  - Complexity issues
  - Maintainability issues
  - Creeping exceptions



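"Question every action" means a deny-by-default check at each file, function or data access, and the role-versus-user trade-off shows up as per-user grants that accumulate outside the role model. The following is an added example, not code from the deck; the roles and permissions are constructed around the insurance-agent scenario from an earlier slide, and exception_count() is an assumed helper that makes the creeping exceptions measurable.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

Permission = Tuple[str, str]  # (action, resource type)


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]


# Constructed role model: what each role may do, and nothing else.
ROLE_GRANTS: Dict[str, Set[Permission]] = {
    "agent": {("read", "policy"), ("write", "policy")},
    "underwriter": {("read", "policy"), ("approve", "policy")},
    "auditor": {("read", "policy"), ("read", "audit_log")},
}


class Authorizer:
    """Deny-by-default authorization: a grant must come from a role or an explicit per-user exception."""

    def __init__(self, role_grants: Dict[str, Set[Permission]]):
        self._role_grants = role_grants
        self._user_grants: Dict[str, Set[Permission]] = {}   # the "creeping exceptions"

    def grant_user(self, user_name: str, action: str, resource: str) -> None:
        """Per-user exception outside the role model; every one of these is maintenance debt."""
        self._user_grants.setdefault(user_name, set()).add((action, resource))

    def exception_count(self) -> int:
        """How far the deployment has drifted from pure role-based rules."""
        return sum(len(grants) for grants in self._user_grants.values())

    def is_allowed(self, user: User, action: str, resource: str) -> bool:
        wanted = (action, resource)
        if any(wanted in self._role_grants.get(role, set()) for role in user.roles):
            return True
        return wanted in self._user_grants.get(user.name, set())   # default: deny

    def require(self, user: User, action: str, resource: str) -> None:
        """Call at the top of every action handler; raises instead of silently proceeding."""
        if not self.is_allowed(user, action, resource):
            raise PermissionError(f"{user.name} may not {action} {resource}")


def approve_policy(authz: Authorizer, user: User, policy_id: str) -> str:
    """Example action handler: the check happens before any business logic runs."""
    authz.require(user, "approve", "policy")
    return f"policy {policy_id} approved by {user.name}"


def attempt(authz: Authorizer, user: User, action: str, resource: str) -> bool:
    """True if require() passes, False if it raises; convenient for audits and tests."""
    try:
        authz.require(user, action, resource)
    except PermissionError:
        return False
    return True


if __name__ == "__main__":
    authz = Authorizer(ROLE_GRANTS)
    alice = User("alice", frozenset({"agent"}))
    print("agent approves:", attempt(authz, alice, "approve", "policy"))   # False
    authz.grant_user("alice", "approve", "policy")                          # exception creeps in
    print("after exception:", approve_policy(authz, alice, "P-100"))
    print("exceptions outstanding:", authz.exception_count())
```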
Security Solutions Address 4 Aspects
1. Authentication: Enforce enterprise standards w/o compromising UX
2. Data Security (Storage and Transit): Isolate corporate data, secure it, and provide DLP
3. Control Corp. Data: Provision enterprise access, enforce policy and visibility
4. App Creation: Native & HTML5, UX, cross platform, getting business logic right



Fresh Digital Group
111 John St 2nd FL
New York, NY 10038
www.freshdigitalgroup.com




DevEX - reference for building teams, processes, and platforms
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 

Mobile Security

  • 1. Fresh Digital Group: Building Mobile Security. We Strategize. We Execute. We Deliver. On All Screens.
  • 2. The Problem: Vulnerabilities
     OS Vulnerabilities
        Server
        Clients
     Transport Vulnerabilities
        Network
     App Vulnerabilities
        Client
        Middleware
        Servers
  • 3. The Problem: App Security
     Apps exist in the market to make $$$, not to protect you or your information
     Gold Rush Mentality: developers are extremely rushed to produce apps, so security suffers
  • 4. The Problem: Enterprise Issues
     Transforming how people work
        Insurance agents close deals in real time on their iPad
        Doctors can review secure messages and patient records from a restaurant
        Social workers carry tablets to each client's home, take images, update records
  • 5. The Problem: Enterprise Issues
     The mobile ecosystem introduces an exponentially expanded attack surface compared to past introductions
        Non-Managed Firmware
        Non-Managed Networks
        Non-Managed OSs
        Non-Managed Applications
        Non-Managed Data Flows
     Significant economic impacts from past situations with fewer variables and complexities
        Email: I Love You virus = $10B
        Web Servers: Code Red = $9B
        PCs: Blaster = $5B
  • 6. Most Vulnerable Securities
  • 7. The Problem: Mobile Hacking
     Old Process: 5 steps to monetize a vulnerability: Exploit > Install > Data Theft > Data Sale > Profit
     New Process: 3 steps to monetize a vulnerability: Exploit > Install > Profit
  • 8. App Vulnerabilities: Mobile App Threat
     Many considerations
        Platforms vary substantially
        Similar to, but still very different from, a traditional web app, even one heavy with client-side code
     It's more than just apps
        Cloud/network integration
        Device platform considerations
     Most mobile apps are basically web apps
        But with more client "smarts": almost all web weaknesses are relevant, and more
  • 9. Mobile Threat Model
     [Diagram: threats laid out under the STRIDE categories Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege. Threats shown: Missing Device; Lost Device; Device Breach; Malicious QR code; Untrusted NFC tag or Peer; Social Engineering; Carrier Network Breach; Insecure WiFi; Weak Authentication; Flawed Authentication; Weak Authorization; Compromised Credentials; Improper Session Handling; Toll Fraud; Modifying Local Data; Client Side Injection; Malware; Malicious Application; Sandbox Escape; Compromised Backend; Push Notification Flooding; Crashing Apps; Excessive API Usage; DDoS; Reverse Engineering Apps.]
  • 10. Biggest Issue: Lost/Stolen Device
     Anyone with physical access to your device can get to a wealth of data
        PIN is not effective
        App data
        Keychains
        Properties
     Disk encryption helps, but we can't count on users using it
     Apps must protect users' local data storage
  • 11. Lost/Stolen Device: Insecure Data Storage
     Sensitive data left unprotected; applies to locally stored data and to cloud-synced data
     Generally a result of:
        Not encrypting data
        Caching data not intended for long-term storage
        Weak or global permissions
        Not leveraging platform best practices
     Impact:
        Confidentiality of data lost
        Credentials disclosed
        Privacy violations
        Non-compliance
  • 12. Second Biggest Issue: Insecure Comms
     Without additional protection, mobile devices are susceptible to the "coffee shop attack"
        Anyone on an open WiFi can eavesdrop on your data
        No different from any other WiFi device, really
     Your apps MUST protect your users' data in transit
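The coffee-shop attack on this slide is only defeated if the client actually verifies who it is talking to. The block below is an added example, not code from the slides or from Fresh Digital Group: using Python's standard ssl module it shows the weak client configuration that makes eavesdropping and interception trivial beside the hardened one (chain verification, hostname check, TLS 1.2 minimum), and adds certificate pinning as a second gate after chain validation. The pin values are placeholders and the host name is illustrative; a mobile app would apply the same settings through its platform TLS API rather than this module.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Dict, Set

# Constructed placeholder pins: SHA-256 over the server's DER-encoded leaf
# certificate. Real values come from the certificate you ship with the app;
# keep a backup pin so you can rotate without bricking the client.
PINS: Set[bytes] = {
    bytes.fromhex("00" * 32),  # placeholder: current leaf cert (assumption)
    bytes.fromhex("11" * 32),  # placeholder: backup cert for rotation (assumption)
}


def weak_context() -> ssl.SSLContext:
    """The 'just make it work on the cafe WiFi' setting: any cert, any name.
    Anyone on the open network can present their own certificate and read
    or modify the traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Verify the chain against the trust store, require the hostname to
    match the certificate, and refuse protocol versions below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_context(ctx: ssl.SSLContext) -> Dict[str, bool]:
    """Summarise the settings that matter for an app-store security review."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "min_tls12": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


def pin_for(der_cert: bytes) -> bytes:
    """Pin value for a DER-encoded certificate (whole-certificate hash)."""
    return hashlib.sha256(der_cert).digest()


def cert_matches_pin(der_cert: bytes, pins: Set[bytes] = PINS) -> bool:
    """Constant-time comparison against every pin so a rotated cert still passes."""
    digest = pin_for(der_cert)
    return any(hmac.compare_digest(digest, pin) for pin in pins)


def connect_pinned(host: str, port: int = 443, pins: Set[bytes] = PINS,
                   timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a verified TLS connection and abort unless the leaf cert is pinned.
    Chain validation happens in wrap_socket; the pin is an extra gate on top."""
    ctx = hardened_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)
        if not der or not cert_matches_pin(der, pins):
            raise ssl.SSLError(f"certificate for {host} does not match any pin")
    except Exception:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    print("weak:", describe_context(weak_context()))
    print("hardened:", describe_context(hardened_context()))
```

Pinning the whole certificate (rather than the public key) is the simpler choice shown here; it means every certificate renewal needs an app update, which is why the pin set carries a backup entry.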
  • 13. Case Study Examples: Mint.com
     Mint.com: a financial service aggregator that relies on targeted marketing/lead generation, 5M+ active users
     How it works:
        Create Mint.com account
        Link financial accounts to Mint.com
        Install mobile application and enter Mint.com credentials
        View all financial account activity within app
  • 14. Lost Device Example
     Physical iOS exploit scenario: lost iPhone > recovered by data harvester > 4-digit PIN bypassed in 3 minutes > user partition copied > Mint.com cookies and configuration copied to an attacker-controlled iOS device
     Full Mint.com mobile access in 20 minutes or less
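The lost-device scenario on this slide and the insecure-storage causes on slides 10 and 11 come down to what is sitting in plaintext inside the app container once the user partition has been copied. The following added example (not from the slides, and not Mint.com's or Fresh Digital Group's code) builds a constructed stand-in for a copied container in a temporary directory and runs the triage a reviewer would run over a real one: read every file, look for cached session cookies, passwords and API tokens, and report whether the file was also left group- or world-readable. The bundle name com.example.finance, the file layout and every value in the sample files are invented for the example.

```python
import json
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# What a data harvester greps for in a copied container: cached session
# cookies, stored passwords, bearer/API tokens. Key names are assumptions;
# extend per platform (cookie jars, plists, sqlite, shared prefs).
SECRET_PATTERNS = {
    "session_cookie": re.compile(
        r"(?i)\b(sessionid|session_token|auth_cookie)['\"]?\s*[=:]\s*['\"]?[\w\-.]{16,}"),
    "password": re.compile(
        r"(?i)\b(password|passwd|pwd)['\"]?\s*[=:]\s*['\"]?[^\s'\",]{4,}"),
    "api_token": re.compile(
        r"(?i)\b(api[_-]?key|access[_-]?token|bearer)['\"]?\s*[=:]\s*['\"]?[\w\-.]{20,}"),
}


def loose_permissions(path: Path) -> bool:
    """True when group or others can read the file ('weak or global permissions')."""
    mode = path.stat().st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def scan_container(root: Path) -> List[Dict[str, object]]:
    """Walk a copied app container and report plaintext secrets."""
    findings: List[Dict[str, object]] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue
        # Binary stores (sqlite, plists) still leak strings; decode leniently.
        text = data.decode("utf-8", errors="ignore")
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(text):
                findings.append({
                    "file": str(path.relative_to(root)),
                    "kind": kind,
                    "world_readable": loose_permissions(path),
                    # Truncated so the triage report does not itself leak the secret.
                    "sample": match.group(0)[:24] + "...",
                })
    return findings


def build_sample_container() -> Path:
    """Constructed stand-in for a copied user partition (not real app data)."""
    root = Path(tempfile.mkdtemp(prefix="app-container-"))
    prefs = root / "Library" / "Preferences"
    prefs.mkdir(parents=True)

    # A long-lived session cached in plaintext: this is what the slide's
    # harvester copies to another device to get full account access.
    cookies = prefs / "com.example.finance.cookies.json"  # invented bundle id
    cookies.write_text(json.dumps(
        {"sessionid": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6", "ttl": 2592000}))
    os.chmod(cookies, 0o644)  # group/world readable

    # Credentials 'temporarily' cached in a settings file.
    settings = prefs / "settings.properties"
    settings.write_text("username=alice\npassword=Winter2012!\ntheme=dark\n")
    os.chmod(settings, 0o600)

    # A file with nothing sensitive, to show the scanner stays quiet.
    docs = root / "Documents"
    docs.mkdir()
    (docs / "notes.txt").write_text("shopping list\n")
    return root


if __name__ == "__main__":
    for finding in scan_container(build_sample_container()):
        print(finding)
```

The fix on the app side is the one slide 10 states: nothing that grants account access should be recoverable from the container at all, so session material belongs in the platform keychain or keystore under a key that is only available after device unlock, not in a cookie file or preferences store.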
  • 15. Remote iOS Exploit Scenario
     Un-patched iOS device is compromised through a URL handling exploit
     Attacker bundles a keylogger as the exploit payload
     User installs Mint.com and links the mobile application to their Mint.com account
     Attacker programs the compromised phone to schedule daily dumps of keystroke logs
  • 16. Common Security Mechanisms: How to Build in Security
     Input validation
     Output escaping
     Authentication
     Session handling
     Protecting secrets
        At rest
        In transit
        SQL connections
  • 17. Authorization Basics
     Question every action
        Is the user allowed to access this: file, function, data?
     By role or by user
     Complexity issues
     Maintainability issues
     Creeping exceptions
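"Question every action" is cheap to state and easy to lose to the creeping exceptions the slide warns about. The added example below (not from the slides or from Fresh Digital Group) shows one way to enforce it on the server side in Python: a single deny-by-default authorize() that every file, function or data access must pass, with the role grants and the per-user ownership rule kept in two reviewable tables, and a decorator that makes a function unreachable without the check. The roles (agent, auditor, admin), actions and record names are illustrative assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class User:
    user_id: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Resource:
    kind: str                    # "file", "function" or "data"
    resource_id: str
    owner_id: Optional[str] = None


# By role: which (resource kind, action) pairs a role may use at all.
# One table, reviewed like code; no per-endpoint special cases.
ROLE_GRANTS: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "agent": frozenset({("data", "read"), ("data", "update"),
                        ("function", "close_deal")}),
    "auditor": frozenset({("data", "read"), ("file", "read")}),
    "admin": frozenset({("data", "read"), ("data", "update"), ("data", "delete"),
                        ("file", "read"), ("function", "close_deal")}),
}

# By user: on top of the role grant, a user may only touch records they own.
# Exceptions to that rule live here, in one named set, so they cannot creep
# into individual handlers unnoticed.
OWNERSHIP_EXEMPT: FrozenSet[str] = frozenset({"admin", "auditor"})


def authorize(user: User, action: str, resource: Resource) -> bool:
    """Deny by default. Unknown role, unknown action, unowned record: False."""
    role_allows = any((resource.kind, action) in ROLE_GRANTS.get(role, frozenset())
                      for role in user.roles)
    if not role_allows:
        return False
    if user.roles & OWNERSHIP_EXEMPT:
        return True
    return resource.owner_id is not None and resource.owner_id == user.user_id


class Forbidden(Exception):
    """Raised instead of returning partial data when a check fails."""


def guarded(action: str):
    """Decorator: the wrapped handler cannot run unless authorize() passes."""
    def wrap(fn):
        def inner(user: User, resource: Resource, *args, **kwargs):
            if not authorize(user, action, resource):
                raise Forbidden(
                    f"{user.user_id} may not {action} {resource.kind}:{resource.resource_id}")
            return fn(user, resource, *args, **kwargs)
        return inner
    return wrap


@guarded("update")
def update_record(user: User, record: Resource, new_value: str) -> str:
    """Illustrative handler; the guard runs before this body is reached."""
    return f"{record.resource_id} <- {new_value}"


def try_update(user: User, record: Resource, new_value: str) -> Optional[str]:
    """Convenience wrapper: the result, or None when the action was refused."""
    try:
        return update_record(user, record, new_value)
    except Forbidden:
        return None


if __name__ == "__main__":
    alice = User("alice", frozenset({"agent"}))
    bob = User("bob", frozenset({"agent"}))
    policy = Resource("data", "policy-42", owner_id="alice")
    print(try_update(alice, policy, "closed"))   # alice owns the record
    print(try_update(bob, policy, "closed"))     # bob does not: None
```

Every decision goes through one function, so the maintainability question the slide raises is answered by reviewing two tables rather than every handler; adding an exception means editing OWNERSHIP_EXEMPT where a reviewer will see it.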
  • 18. Security Solutions Address 4 Aspects
     1. Authentication: enforce enterprise standards w/o compromising UX
     2. Data Security (Storage and Transit): isolate corporate data, secure it, and provide DLP
     3. Control Corp. Data: provision enterprise access, enforce policy and visibility
     4. App Creation: Native & HTML5, UX, cross platform, getting business logic right
  • 19. Fresh Digital Group, 111 John St 2nd FL, New York, NY 10038, www.freshdigitalgroup.com