SlideShare une entreprise Scribd logo

Mobile Security

Xavier Mertens
Xavier Mertens

Slides about mobile security presented during the BELTUG Security SIG ("Special Interest Group") in January 2013.

Technologie
1  sur  30
Télécharger pour lire hors ligne
Mobile Security “Bring war material with you from home but forage on the enemy” - Sun Tzu Xavier Mertens Beltug SIG Security - Jan 2013
Disclaimer “The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”
Agenda • Introduction: Top-10 mobile risks • Company owned devices • Employee owned device (BYOD) • Risks inherent in mobile devices • Mobile applications development
Top-10 Mobile Risks • Insecure data storage • Weak server side controls • Insufficient transport layer protection • Client side injection • Poor authentication & authorization • Improper session handling • Secure decision via untrusted input • Side channel data leakage • Broken cryptography • Sensitive information disclosure (Source: OWASP)
Top-10 Mobile Risks • Insecure data storage • Weak server side controls • Insufficient transport layer protection Mobile devices • Client side injection are • Poor authentication & authorization Computers! • Improper session handling • Secure decision via untrusted input • Side channel data leakage • Broken cryptography • Sensitive information disclosure (Source: OWASP)
Company Owned Devices
Easy? Really? • Limited set of manufacturers/OS • Full control of hell? • People try to evade from jail (like laptops) • Need procedures (backups, helpdesk)
Corporate Policy • Must be communicated & approved before the device provisioning • Communication channels: addendum to a contract, Intranet, a “check box”? • Restrictions (SD cards, Bluetooth, camera) • What about private data? (pictures, MP3, downloaded (paid!) apps?
Examples • Document already available on beltug.be (Members section) • Simple policy: http://www.security-marathon.be/?p=1466 (Jean-Sébastien Opdebeeck)
Data Classification • Another approach is implementing data classification • Implementation of the “least privileges” principle • Access to data is based on profiles • Work with any device! (benefit broader than the scope of mobile devices)
Data Classification Data Company Owned Personal Devices Classification Devices Top-Secret No No Highly Confidential No No Proprietary Yes No Internal Use Only Yes Yes Public Yes Yes
Employed Owned Devices
Why do people BTOD? • Devices became cheaper and powerful • The “Generation Y” • Always online everywhere!
First Question? • Are you ready to accept personal devices on your network? • It’s a question of ... risk! • Examples: • Data loss • Network intrusion • Data ex-filtration
“MDM”? • Do you need a MDM solution? (Mobile Device Management) • Can you trust $VENDORS? • Microsoft Exchange include ActiveSync for free • Most security $VENDORS propose (basic) tools to handle mobile devices
Minimum Requirements • Automatic lock + password • No jailbroken devices • Remote wipe • Backups (who’s responsible?)
Risks Inherent In Mobile Devices
Personal Hotspots • Tethering allows mobile devices to be used as hotspots • Corporate devices (laptops) could bypass Internet access controls • Risks of rogue routers (if IP-forwarding is enabled
Rogue App Stores • Mobile devices without apps is less useful • Owners tend to install any apps • Some apps may require much more rights than required • People trust Apps stores and developers • Developers must write good code
QR Codes
Geolocalization
NFC
Home & Cars
Mobile Application Development
OWASP Mobile Security Project • Mobile testing guide • Secure mobile development guide • Top-10 mobile controls and design principles https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
Lack of/Bad Encryption • Developers re-invent the wheel: do not write a new encryption algorithm • Encrypt everything (data at rest, data in move)
Local VS. Remote Storage Pros Cons No network costs Risk of loss Local Speed Outdated Always updated Data network ($) Central No risk of loss Speed
Geolocalization • Again! But this time for good purposes • Do not allow some actions or apps (ex: opening a wallet) if GPS data shows the phone outside Europe • Combine with passwords for stronger authentication/authorization
Enterprise Appstores • Goal: Distribute, secure and manage mobile apps through your own company branded appstore. • Application available in the appstore have been approved by a strong validation process.
Thank You! Xavier Mertens xavier@rootshell.be @xme http://blog.rootshell.be

Recommandé

Mobile Security
Mobile SecurityMobile Security
Mobile SecurityMarketingArrowECS_CZ
 
Smartphone security
Smartphone securitySmartphone security
Smartphone securityManish Gupta
 
Mobile security
Mobile security Mobile security
Mobile security Himmatsingh Rajpurohit
 
Mobile security
Mobile securityMobile security
Mobile securitypriyanka pandey
 
Mobile security
Mobile securityMobile security
Mobile securityCyberoamAcademy
 
Mobile device security
Mobile device securityMobile device security
Mobile device securityLisa Herrera
 
Mobile security
Mobile securityMobile security
Mobile securityMphasis
 
Mobile security
Mobile securityMobile security
Mobile securityTapan Khilar
 

Recommandé

Mobile Security
Mobile SecurityMobile Security
Mobile SecurityMarketingArrowECS_CZ
 
Smartphone security
Smartphone securitySmartphone security
Smartphone securityManish Gupta
 
Mobile security
Mobile security Mobile security
Mobile security Himmatsingh Rajpurohit
 
Mobile security
Mobile securityMobile security
Mobile securitypriyanka pandey
 
Mobile security
Mobile securityMobile security
Mobile securityCyberoamAcademy
 
Mobile device security
Mobile device securityMobile device security
Mobile device securityLisa Herrera
 
Mobile security
Mobile securityMobile security
Mobile securityMphasis
 
Mobile security
Mobile securityMobile security
Mobile securityTapan Khilar
 
MOBILE PHONE SECURITY./ MOBILE SECURITY
MOBILE PHONE SECURITY./ MOBILE SECURITYMOBILE PHONE SECURITY./ MOBILE SECURITY
MOBILE PHONE SECURITY./ MOBILE SECURITYJASHU JASWANTH
 
Mobile security in Cyber Security
Mobile security in Cyber SecurityMobile security in Cyber Security
Mobile security in Cyber SecurityGeo Marian
 
Mobile Security 101
Mobile Security 101Mobile Security 101
Mobile Security 101Lookout
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
Mobile protection
Mobile protection Mobile protection
Mobile protection preetpatel72
 
Wireless and mobile security
Wireless and mobile securityWireless and mobile security
Wireless and mobile securityPushkar Pashupat
 
Mobile security
Mobile securityMobile security
Mobile securityNaveen Kumar
 
Ensuring Mobile Device Security
Ensuring Mobile Device SecurityEnsuring Mobile Device Security
Ensuring Mobile Device SecurityQuick Heal Technologies Ltd.
 
Cell Phone and Mobile Devices Forensics
Cell Phone and Mobile Devices ForensicsCell Phone and Mobile Devices Forensics
Cell Phone and Mobile Devices ForensicsArthyR3
 
Cyber security
Cyber securityCyber security
Cyber securityDr. Kishor Nikam
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Securitycclark_isec
 
Smart phone and mobile device security
Smart phone and mobile device securitySmart phone and mobile device security
Smart phone and mobile device securityCAS
 
Cyber security
Cyber securityCyber security
Cyber securityAman Pradhan
 
Cybersecurity Awareness Posters - Set #2
Cybersecurity Awareness Posters - Set #2Cybersecurity Awareness Posters - Set #2
Cybersecurity Awareness Posters - Set #2NetLockSmith
 
Mobile Device Security
Mobile Device SecurityMobile Device Security
Mobile Device SecurityNemwos
 
Network Security
Network Security Network Security
Network Security Abdul Qadir Pattal
 
Cyber Security A Challenges For Mankind
Cyber Security A Challenges For MankindCyber Security A Challenges For Mankind
Cyber Security A Challenges For MankindSaurabh Kheni
 
Android Device Hardening
Android Device HardeningAndroid Device Hardening
Android Device Hardeninganupriti
 
Mobile Malware
Mobile MalwareMobile Malware
Mobile MalwareMartin Holovský
 
Mobile security
Mobile securityMobile security
Mobile securitydilipdubey5
 
Mobile security
Mobile securityMobile security
Mobile securityhome
 
Mobile security
Mobile securityMobile security
Mobile securityBasant Kumar
 

Contenu connexe

Tendances

MOBILE PHONE SECURITY./ MOBILE SECURITY
MOBILE PHONE SECURITY./ MOBILE SECURITYMOBILE PHONE SECURITY./ MOBILE SECURITY
MOBILE PHONE SECURITY./ MOBILE SECURITYJASHU JASWANTH
 
Mobile security in Cyber Security
Mobile security in Cyber SecurityMobile security in Cyber Security
Mobile security in Cyber SecurityGeo Marian
 
Mobile Security 101
Mobile Security 101Mobile Security 101
Mobile Security 101Lookout
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
Mobile protection
Mobile protection Mobile protection
Mobile protection preetpatel72
 
Wireless and mobile security
Wireless and mobile securityWireless and mobile security
Wireless and mobile securityPushkar Pashupat
 
Cell Phone and Mobile Devices Forensics
Cell Phone and Mobile Devices ForensicsCell Phone and Mobile Devices Forensics
Cell Phone and Mobile Devices ForensicsArthyR3
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Securitycclark_isec
 
Smart phone and mobile device security
Smart phone and mobile device securitySmart phone and mobile device security
Smart phone and mobile device securityCAS
 
Cybersecurity Awareness Posters - Set #2
Cybersecurity Awareness Posters - Set #2Cybersecurity Awareness Posters - Set #2
Cybersecurity Awareness Posters - Set #2NetLockSmith
 
Mobile Device Security
Mobile Device SecurityMobile Device Security
Mobile Device SecurityNemwos
 
Cyber Security A Challenges For Mankind
Cyber Security A Challenges For MankindCyber Security A Challenges For Mankind
Cyber Security A Challenges For MankindSaurabh Kheni
 
Android Device Hardening
Android Device HardeningAndroid Device Hardening
Android Device Hardeninganupriti
 

Tendances (20)

MOBILE PHONE SECURITY./ MOBILE SECURITY
MOBILE PHONE SECURITY./ MOBILE SECURITYMOBILE PHONE SECURITY./ MOBILE SECURITY
MOBILE PHONE SECURITY./ MOBILE SECURITY
 
Mobile security in Cyber Security
Mobile security in Cyber SecurityMobile security in Cyber Security
Mobile security in Cyber Security
 
Mobile Security 101
Mobile Security 101Mobile Security 101
Mobile Security 101
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Mobile protection
Mobile protection Mobile protection
Mobile protection
 
Wireless and mobile security
Wireless and mobile securityWireless and mobile security
Wireless and mobile security
 
Mobile security
Mobile securityMobile security
Mobile security
 
Ensuring Mobile Device Security
Ensuring Mobile Device SecurityEnsuring Mobile Device Security
Ensuring Mobile Device Security
 
Cell Phone and Mobile Devices Forensics
Cell Phone and Mobile Devices ForensicsCell Phone and Mobile Devices Forensics
Cell Phone and Mobile Devices Forensics
 
Cyber security
Cyber securityCyber security
Cyber security
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Smart phone and mobile device security
Smart phone and mobile device securitySmart phone and mobile device security
Smart phone and mobile device security
 
Cyber security
Cyber securityCyber security
Cyber security
 
Cybersecurity Awareness Posters - Set #2
Cybersecurity Awareness Posters - Set #2Cybersecurity Awareness Posters - Set #2
Cybersecurity Awareness Posters - Set #2
 
Mobile Device Security
Mobile Device SecurityMobile Device Security
Mobile Device Security
 
Network Security
Network Security Network Security
Network Security
 
Cyber Security A Challenges For Mankind
Cyber Security A Challenges For MankindCyber Security A Challenges For Mankind
Cyber Security A Challenges For Mankind
 
Android Device Hardening
Android Device HardeningAndroid Device Hardening
Android Device Hardening
 
Mobile Malware
Mobile MalwareMobile Malware
Mobile Malware
 
Mobile security
Mobile securityMobile security
Mobile security
 

En vedette

Mobile security
Mobile securityMobile security
Mobile securityhome
 
2015 Mobile Security Trends: Are You Ready?
2015 Mobile Security Trends: Are You Ready?2015 Mobile Security Trends: Are You Ready?
2015 Mobile Security Trends: Are You Ready?IBM Security
 
Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011Symantec
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...Ajin Abraham
 

En vedette (6)

Mobile security
Mobile securityMobile security
Mobile security
 
Mobile security
Mobile securityMobile security
Mobile security
 
2015 Mobile Security Trends: Are You Ready?
2015 Mobile Security Trends: Are You Ready?2015 Mobile Security Trends: Are You Ready?
2015 Mobile Security Trends: Are You Ready?
 
Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
 
E commerce ppt
E commerce pptE commerce ppt
E commerce ppt
 

Similaire à Mobile Security

Mobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseMobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseBlueinfy Solutions
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythIoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythSecurity Innovation
 
Securing Your Mobile Applications
Securing Your Mobile ApplicationsSecuring Your Mobile Applications
Securing Your Mobile ApplicationsGreg Patton
 
Security Testing for IoT Systems
Security Testing for IoT SystemsSecurity Testing for IoT Systems
Security Testing for IoT SystemsSecurity Innovation
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityLenin Aboagye
 
BYOD: Device Control in the Wild, Wild, West
BYOD: Device Control in the Wild, Wild, WestBYOD: Device Control in the Wild, Wild, West
BYOD: Device Control in the Wild, Wild, WestJay McLaughlin
 
Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectivePragati Rai
 
Mobilination Ntymoshyk Personal Mobile Security Final Public
Mobilination Ntymoshyk Personal Mobile Security Final PublicMobilination Ntymoshyk Personal Mobile Security Final Public
Mobilination Ntymoshyk Personal Mobile Security Final PublicTjylen Veselyj
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationPriyanka Aash
 
Fake Devices - Countering a Hidden and Growing Threat
Fake Devices - Countering a Hidden and Growing ThreatFake Devices - Countering a Hidden and Growing Threat
Fake Devices - Countering a Hidden and Growing ThreatDeviceAssure
 
Wso2 con byod-shan-ppt
Wso2 con byod-shan-pptWso2 con byod-shan-ppt
Wso2 con byod-shan-pptWSO2
 
ISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyMichael Davis
 
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)HITCON GIRLS
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defenseChristiaan Beek
 
Keeping Secrets on the Internet of Things - Mobile Web Application Security
Keeping Secrets on the Internet of Things - Mobile Web Application SecurityKeeping Secrets on the Internet of Things - Mobile Web Application Security
Keeping Secrets on the Internet of Things - Mobile Web Application SecurityKelly Robertson
 
WSO2Con Asia 2014 -  Embracing BYOD Trend Without Compromising Security, Emp...
WSO2Con Asia 2014 -  Embracing BYOD Trend Without Compromising Security, Emp...WSO2Con Asia 2014 -  Embracing BYOD Trend Without Compromising Security, Emp...
WSO2Con Asia 2014 -  Embracing BYOD Trend Without Compromising Security, Emp...WSO2
 

Similaire à Mobile Security (20)

Mobile Apps Security
Mobile Apps SecurityMobile Apps Security
Mobile Apps Security
 
Mobile security chess board - attacks & defense
Mobile security chess board - attacks & defenseMobile security chess board - attacks & defense
Mobile security chess board - attacks & defense
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythIoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" Myth
 
Securing Your Mobile Applications
Securing Your Mobile ApplicationsSecuring Your Mobile Applications
Securing Your Mobile Applications
 
Security Testing for IoT Systems
Security Testing for IoT SystemsSecurity Testing for IoT Systems
Security Testing for IoT Systems
 
Mobile application securitry risks ISACA Silicon Valley 2012
Mobile application securitry risks ISACA Silicon Valley 2012Mobile application securitry risks ISACA Silicon Valley 2012
Mobile application securitry risks ISACA Silicon Valley 2012
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
BYOD: Device Control in the Wild, Wild, West
BYOD: Device Control in the Wild, Wild, WestBYOD: Device Control in the Wild, Wild, West
BYOD: Device Control in the Wild, Wild, West
 
Outside the Office: Mobile Security
Outside the Office: Mobile SecurityOutside the Office: Mobile Security
Outside the Office: Mobile Security
 
Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security Perspective
 
Mobilination Ntymoshyk Personal Mobile Security Final Public
Mobilination Ntymoshyk Personal Mobile Security Final PublicMobilination Ntymoshyk Personal Mobile Security Final Public
Mobilination Ntymoshyk Personal Mobile Security Final Public
 
Mobile Security
Mobile Security Mobile Security
Mobile Security
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security Innovation
 
Fake Devices - Countering a Hidden and Growing Threat
Fake Devices - Countering a Hidden and Growing ThreatFake Devices - Countering a Hidden and Growing Threat
Fake Devices - Countering a Hidden and Growing Threat
 
Wso2 con byod-shan-ppt
Wso2 con byod-shan-pptWso2 con byod-shan-ppt
Wso2 con byod-shan-ppt
 
ISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and Privacy
 
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defense
 
Keeping Secrets on the Internet of Things - Mobile Web Application Security
Keeping Secrets on the Internet of Things - Mobile Web Application SecurityKeeping Secrets on the Internet of Things - Mobile Web Application Security
Keeping Secrets on the Internet of Things - Mobile Web Application Security
 
WSO2Con Asia 2014 -  Embracing BYOD Trend Without Compromising Security, Emp...
WSO2Con Asia 2014 -  Embracing BYOD Trend Without Compromising Security, Emp...WSO2Con Asia 2014 -  Embracing BYOD Trend Without Compromising Security, Emp...
WSO2Con Asia 2014 -  Embracing BYOD Trend Without Compromising Security, Emp...
 

Plus de Xavier Mertens

FPC for the Masses (SANSFire Edition)
FPC for the Masses (SANSFire Edition)FPC for the Masses (SANSFire Edition)
FPC for the Masses (SANSFire Edition)Xavier Mertens
 
FPC for the Masses - CoRIIN 2018
FPC for the Masses - CoRIIN 2018FPC for the Masses - CoRIIN 2018
FPC for the Masses - CoRIIN 2018Xavier Mertens
 
HTTP For the Good or the Bad - FSEC Edition
HTTP For the Good or the Bad - FSEC EditionHTTP For the Good or the Bad - FSEC Edition
HTTP For the Good or the Bad - FSEC EditionXavier Mertens
 
HTTP For the Good or the Bad
HTTP For the Good or the BadHTTP For the Good or the Bad
HTTP For the Good or the BadXavier Mertens
 
Developers are from Mars, Security guys are from Venus
Developers are from Mars, Security guys are from VenusDevelopers are from Mars, Security guys are from Venus
Developers are from Mars, Security guys are from VenusXavier Mertens
 
Building A Poor man’s Fir3Ey3 Mail Scanner
Building A Poor man’s Fir3Ey3 Mail ScannerBuilding A Poor man’s Fir3Ey3 Mail Scanner
Building A Poor man’s Fir3Ey3 Mail ScannerXavier Mertens
 
$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE Edition$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE EditionXavier Mertens
 
Automatic MIME Attachments Triage
Automatic MIME Attachments TriageAutomatic MIME Attachments Triage
Automatic MIME Attachments TriageXavier Mertens
 
$HOME Sweet $HOME Devoxx 2015
$HOME Sweet $HOME Devoxx 2015$HOME Sweet $HOME Devoxx 2015
$HOME Sweet $HOME Devoxx 2015Xavier Mertens
 
Malware Analysis Using Free Software
Malware Analysis Using Free SoftwareMalware Analysis Using Free Software
Malware Analysis Using Free SoftwareXavier Mertens
 
Because we are just humans
Because we are just humansBecause we are just humans
Because we are just humansXavier Mertens
 
You have a SIEM! And now?
You have a SIEM! And now?You have a SIEM! And now?
You have a SIEM! And now?Xavier Mertens
 
What are-you-investigate-today? (version 2.0)
What are-you-investigate-today? (version 2.0)What are-you-investigate-today? (version 2.0)
What are-you-investigate-today? (version 2.0)Xavier Mertens
 
The BruCO"NSA" Network
The BruCO"NSA" NetworkThe BruCO"NSA" Network
The BruCO"NSA" NetworkXavier Mertens
 
What Will You Investigate Today?
What Will You Investigate Today?What Will You Investigate Today?
What Will You Investigate Today?Xavier Mertens
 
Unity Makes Strength SOURCE Dublin 2013
Unity Makes Strength SOURCE Dublin 2013Unity Makes Strength SOURCE Dublin 2013
Unity Makes Strength SOURCE Dublin 2013Xavier Mertens
 

Plus de Xavier Mertens (20)

FPC for the Masses (SANSFire Edition)
FPC for the Masses (SANSFire Edition)FPC for the Masses (SANSFire Edition)
FPC for the Masses (SANSFire Edition)
 
FPC for the Masses - CoRIIN 2018
FPC for the Masses - CoRIIN 2018FPC for the Masses - CoRIIN 2018
FPC for the Masses - CoRIIN 2018
 
HTTP For the Good or the Bad - FSEC Edition
HTTP For the Good or the Bad - FSEC EditionHTTP For the Good or the Bad - FSEC Edition
HTTP For the Good or the Bad - FSEC Edition
 
Unity Makes Strength
Unity Makes StrengthUnity Makes Strength
Unity Makes Strength
 
HTTP For the Good or the Bad
HTTP For the Good or the BadHTTP For the Good or the Bad
HTTP For the Good or the Bad
 
Developers are from Mars, Security guys are from Venus
Developers are from Mars, Security guys are from VenusDevelopers are from Mars, Security guys are from Venus
Developers are from Mars, Security guys are from Venus
 
Building A Poor man’s Fir3Ey3 Mail Scanner
Building A Poor man’s Fir3Ey3 Mail ScannerBuilding A Poor man’s Fir3Ey3 Mail Scanner
Building A Poor man’s Fir3Ey3 Mail Scanner
 
$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE Edition$HOME Sweet $HOME SANSFIRE Edition
$HOME Sweet $HOME SANSFIRE Edition
 
Automatic MIME Attachments Triage
Automatic MIME Attachments TriageAutomatic MIME Attachments Triage
Automatic MIME Attachments Triage
 
$HOME Sweet $HOME Devoxx 2015
$HOME Sweet $HOME Devoxx 2015$HOME Sweet $HOME Devoxx 2015
$HOME Sweet $HOME Devoxx 2015
 
$HOME Sweet $HOME
$HOME Sweet $HOME$HOME Sweet $HOME
$HOME Sweet $HOME
 
Secure Web Coding
Secure Web CodingSecure Web Coding
Secure Web Coding
 
Malware Analysis Using Free Software
Malware Analysis Using Free SoftwareMalware Analysis Using Free Software
Malware Analysis Using Free Software
 
Because we are just humans
Because we are just humansBecause we are just humans
Because we are just humans
 
You have a SIEM! And now?
You have a SIEM! And now?You have a SIEM! And now?
You have a SIEM! And now?
 
What are-you-investigate-today? (version 2.0)
What are-you-investigate-today? (version 2.0)What are-you-investigate-today? (version 2.0)
What are-you-investigate-today? (version 2.0)
 
The BruCO"NSA" Network
The BruCO"NSA" NetworkThe BruCO"NSA" Network
The BruCO"NSA" Network
 
What Will You Investigate Today?
What Will You Investigate Today?What Will You Investigate Today?
What Will You Investigate Today?
 
Unity Makes Strength SOURCE Dublin 2013
Unity Makes Strength SOURCE Dublin 2013Unity Makes Strength SOURCE Dublin 2013
Unity Makes Strength SOURCE Dublin 2013
 
Unity makes strength
Unity makes strengthUnity makes strength
Unity makes strength
 

Dernier

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 

Dernier (20)

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

Mobile Security

  • 1. Mobile Security “Bring war material with you from home but forage on the enemy” - Sun Tzu Xavier Mertens Beltug SIG Security - Jan 2013
  • 2. Disclaimer “The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”
  • 3. Agenda • Introduction: Top-10 mobile risks • Company owned devices • Employee owned device (BYOD) • Risks inherent in mobile devices • Mobile applications development
  • 4. Top-10 Mobile Risks • Insecure data storage • Weak server side controls • Insufficient transport layer protection • Client side injection • Poor authentication & authorization • Improper session handling • Secure decision via untrusted input • Side channel data leakage • Broken cryptography • Sensitive information disclosure (Source: OWASP)
  • 5. Top-10 Mobile Risks • Insecure data storage • Weak server side controls • Insufficient transport layer protection Mobile devices • Client side injection are • Poor authentication & authorization Computers! • Improper session handling • Secure decision via untrusted input • Side channel data leakage • Broken cryptography • Sensitive information disclosure (Source: OWASP)
  • 6. Company Owned Devices
  • 7. Easy? Really? • Limited set of manufacturers/OS • Full control of hell? • People try to evade from jail (like laptops) • Need procedures (backups, helpdesk)
  • 8. Corporate Policy • Must be communicated & approved before the device provisioning • Communication channels: addendum to a contract, Intranet, a “check box”? • Restrictions (SD cards, Bluetooth, camera) • What about private data? (pictures, MP3, downloaded (paid!) apps?
  • 9. Examples • Document already available on beltug.be (Members section) • Simple policy: http://www.security-marathon.be/?p=1466 (Jean-Sébastien Opdebeeck)
  • 10. Data Classification • Another approach is implementing data classification • Implementation of the “least privileges” principle • Access to data is based on profiles • Work with any device! (benefit broader than the scope of mobile devices)
  • 11. Data Classification Data Company Owned Personal Devices Classification Devices Top-Secret No No Highly Confidential No No Proprietary Yes No Internal Use Only Yes Yes Public Yes Yes
  • 12. Employed Owned Devices
  • 13. Why do people BTOD? • Devices became cheaper and powerful • The “Generation Y” • Always online everywhere!
  • 14. First Question? • Are you ready to accept personal devices on your network? • It’s a question of ... risk! • Examples: • Data loss • Network intrusion • Data ex-filtration
  • 15. “MDM”? • Do you need a MDM solution? (Mobile Device Management) • Can you trust $VENDORS? • Microsoft Exchange include ActiveSync for free • Most security $VENDORS propose (basic) tools to handle mobile devices
  • 16. Minimum Requirements • Automatic lock + password • No jailbroken devices • Remote wipe • Backups (who’s responsible?)
  • 18. Personal Hotspots • Tethering allows mobile devices to be used as hotspots • Corporate devices (laptops) could bypass Internet access controls • Risks of rogue routers (if IP-forwarding is enabled
  • 19. Rogue App Stores • Mobile devices without apps is less useful • Owners tend to install any apps • Some apps may require much more rights than required • People trust Apps stores and developers • Developers must write good code
  • 22. NFC
  • 25. OWASP Mobile Security Project • Mobile testing guide • Secure mobile development guide • Top-10 mobile controls and design principles https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
  • 26. Lack of/Bad Encryption • Developers re-invent the wheel: do not write a new encryption algorithm • Encrypt everything (data at rest, data in move)
  • 27. Local VS. Remote Storage Pros Cons No network costs Risk of loss Local Speed Outdated Always updated Data network ($) Central No risk of loss Speed
  • 28. Geolocalization • Again! But this time for good purposes • Do not allow some actions or apps (ex: opening a wallet) if GPS data shows the phone outside Europe • Combine with passwords for stronger authentication/authorization
  • 29. Enterprise Appstores • Goal: Distribute, secure and manage mobile apps through your own company branded appstore. • Application available in the appstore have been approved by a strong validation process.