2. $ cat disclaimer.txt
“The opinions expressed in this presentation are
those of the speaker and do not necessarily
reflect those of past, present employers,
partners or customers.”
4. Agenda
• There is an App for that
• Risks inherent in mobile devices
• Employee owned device (BYOD)
• Mobile applications development
• Enterprise AppStores
10. The “Apps Storm”
• 550,000 apps available on the Apple AppStore
• 45,455 downloads per app (average)
• 315 million iOS devices in use
• 80 apps installed per iOS device (average)
(Source: thenextweb.com)
11. Android Jungle
Android Pit, Google Play, AppsLib, GetJar, Appbackr, SlideMe, Samsung Apps, 1Mobile, Cnet, LG Mobile, Camangi Market, Appia, MVStore, Vodafone, Verizon Wireless, Mobile24, Amazon Appstore, Mobango, Extent, Mobireach, Nook Developer, Android Freeware, Blue Via, Handster, FastApp
17. Rogue App Stores
• Owners tend to install any app
• Social engineering works!
• Some apps may require far more rights than they need
• People trust app stores and developers
• Developers must write good code
18. Fake Apps
• Take a popular app
• Add malicious behavior
• Repack & republish
• Wait & enjoy!
24. Why Do People BYOD
• Devices became cheaper and more powerful
• The “Generation Y”
• Always online, everywhere!
• Company devices are sometimes old-fashioned
25. First Question?
• Are you ready to accept personal devices on your network?
• It’s a question of ... risk!
• Examples:
  • Data loss
  • Network intrusion
  • Data ex-filtration
26. “MDM”?
• Do you need an MDM solution? (Mobile Device Management)
• Microsoft Exchange includes ActiveSync for free
• Most security $VENDORS offer (basic) tools to handle mobile devices
27. MDM & Security
• MDM solutions are connected to an existing infrastructure
• Integration is the key
• Review requirements (Is it normal to allow full LDAP access to your AD?)
29. Data Classification
• Another approach is implementing data classification
• Implementation of the “least privileges” principle
• Access to data is based on profiles
• Works with any device! (benefit broader than the scope of mobile devices)
30. Locations
• Access to data has a direct relation with the user/device location
• Three situations:

  Situation        Source                  Risk
  Local access     LAN, corporate Wi-Fi    Low
  Remote access    VPN / SSL VPN           Medium
  Remote access    Wild                    High
31. Data Classification

                        Company Owned Devices            Personal Devices
  Data Classification   Local  Remote  Remote (Wild)     Local  Remote  Remote (Wild)
  Top-Secret            No     No      No                No     No      No
  Highly Confidential   Yes    No      No                No     No      No
  Proprietary           Yes    Yes     No                Yes    No      No
  Internal Use Only     Yes    Yes     No                Yes    Yes     No
  Public                Yes    Yes     Yes               Yes    Yes     Yes
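The two tables above (slides 30 and 31) can be implemented as one policy check. The following is an added example, not code from the presentation: it observes that the slide's Yes/No matrix is exactly a set of clearance ceilings (each device-ownership/location context has a highest classification it may reach) and enforces it with a default-deny rule. The mapping of connection source names ("lan", "vpn", ...) to the three location categories, and the transcription of the matrix used as a self-check, are assumptions of this example.

```python
"""Access policy from the 'Locations' and 'Data Classification' slides.

Added example, not code from the presentation. The slide matrix is a set of
clearance ceilings: each (device ownership, location) context has a highest
classification it may touch, and a request is allowed only when the data's
level is at or below that ceiling. Anything not modelled is denied, which is
the 'least privileges' principle from the previous slide.
"""

# Classification levels, least sensitive first (order from the slide).
LEVELS = ["Public", "Internal Use Only", "Proprietary",
          "Highly Confidential", "Top-Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# The three situations and their risk, from the 'Locations' slide.
LOCATION_RISK = {"local": "Low", "remote": "Medium", "wild": "High"}

# Connection source -> location category. The sources are the slide's own
# examples; the names are an assumption of this example, and any source not
# listed is treated as the wild (untrusted) case.
SOURCE_LOCATION = {
    "lan": "local",
    "corporate-wifi": "local",
    "vpn": "remote",
    "ssl-vpn": "remote",
}

# Highest classification each context may access, read off the slide matrix.
CEILING = {
    ("company", "local"): "Highly Confidential",
    ("company", "remote"): "Proprietary",
    ("company", "wild"): "Public",
    ("personal", "local"): "Proprietary",
    ("personal", "remote"): "Internal Use Only",
    ("personal", "wild"): "Public",
}


def locate(source):
    """Map a connection source to 'local', 'remote' or 'wild'."""
    return SOURCE_LOCATION.get(source.strip().lower(), "wild")


def allowed(classification, ownership, source):
    """True only when the context's ceiling covers the data's classification."""
    level = RANK.get(classification)
    ceiling = CEILING.get((ownership, locate(source)))
    if level is None or ceiling is None:
        return False  # default deny: unknown label or unknown device type
    return level <= RANK[ceiling]


# The slide's matrix transcribed as (company local, remote, wild,
# personal local, remote, wild), used to confirm that the ceiling model
# reproduces it cell for cell.
SLIDE_MATRIX = {
    "Top-Secret":          (False, False, False, False, False, False),
    "Highly Confidential": (True,  False, False, False, False, False),
    "Proprietary":         (True,  True,  False, True,  False, False),
    "Internal Use Only":   (True,  True,  False, True,  True,  False),
    "Public":              (True,  True,  True,  True,  True,  True),
}
# One constructed source per column; 'cafe-hotspot' is deliberately unlisted.
CONTEXT_SOURCES = [("company", "LAN"), ("company", "vpn"),
                   ("company", "cafe-hotspot"), ("personal", "corporate-wifi"),
                   ("personal", "ssl-vpn"), ("personal", "cafe-hotspot")]


def matrix_matches_slide():
    """Check every cell of the transcribed matrix against allowed()."""
    for classification, row in SLIDE_MATRIX.items():
        for (ownership, source), expected in zip(CONTEXT_SOURCES, row):
            if allowed(classification, ownership, source) != expected:
                return False
    return True


if __name__ == "__main__":
    print("ceiling model reproduces the slide matrix:", matrix_matches_slide())
    for ownership, source in CONTEXT_SOURCES:
        loc = locate(source)
        print(f"{ownership:8} via {source:15} risk={LOCATION_RISK[loc]:6}",
              "max:", CEILING[(ownership, loc)])
```

The design choice worth noting is that the policy is stored as six ceilings rather than thirty cells: adding a classification level or a new device category means touching one line, and a request that names a level or a device type the policy has never heard of is refused rather than accidentally allowed.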
33. Top-10 Mobile Risks
• Insecure data storage
• Weak server side controls
• Insufficient transport layer protection
• Client side injection
• Poor authentication & authorization
• Improper session handling
• Security decisions via untrusted input
• Side channel data leakage
• Broken cryptography
• Sensitive information disclosure
(Source: OWASP)
34. OWASP Mobile Security Project
• Mobile testing guide
• Secure mobile development guide
• Top-10 mobile controls and design principles
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
35. Types of Applications
• Browser based (m.company.com)
  • Common web vulnerabilities apply
• Installed application
  • Storage of data
  • Communications
  • Authentication / session management
36. Use of Environment
• Access
  • 3G/GPRS/Edge
  • Wi-Fi
• Hardware
  • NFC, Bluetooth
  • GPS
  • Camera / Mic
  • Sensors
  • USB
37. Lack of / Bad Crypto
• Data must be encrypted (data at rest, data in transit)
• Do not re-invent the wheel. Writing a crypto algorithm is not easy. Use existing libs
38. Local vs. Remote Storage

            Pros                              Cons
  Local     No network costs, Speed           Risk of loss, Outdated
  Central   Always updated, No risk of loss   Data network ($), Speed
39. Geolocalization
• Again! But this time for good purposes
• Do not allow some actions or apps (ex: opening a wallet) if GPS data shows the phone outside Europe
• Combine with passwords for stronger authentication/authorization
41. Best Practices
• Do not hardcode data; store only the minimum required
• Do not use memory cards for sensitive data
• Encrypt again & again (BASE64 != Crypto)
• Protect the central server (!)
• Sanitize user inputs
• Provide correct auth (UDID != auth)
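Two bullets from slide 39 (geolocation combined with passwords) and slide 41 (UDID != auth) fit one server-side sketch. What follows is an added example, not code from the presentation or from any product it mentions: a naive check that accepts any known device identifier sits beside a session token that the server only issues after a PBKDF2-verified password, and a sensitive action ("open_wallet") additionally requires the reported GPS position to fall inside a rough bounding box for Europe. The user store, the server key, the enrolled UDID, the action name and the bounding-box coordinates are all constructed for this example.

```python
"""Session tokens tied to a verified password, plus a location gate.

Added example, not code from the presentation. 'UDID != auth': a device
identifier is just a value the client sends, so the server issues its own
signed token only after a password check. The geolocation slide's rule is
applied on top: a sensitive action is refused when the phone reports a
position outside Europe. Store, key and bounding box are constructed.
"""
import base64
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # constructed; must stay server-side
PBKDF2_ROUNDS = 200_000
SIG_LEN = 32                           # bytes of HMAC-SHA256 appended to a token
USERS = {}                             # username -> (salt, password hash)
ENROLLED_UDIDS = {"constructed-udid-0001"}   # what the naive scheme trusts

# Constructed, deliberately rough box: (lat_min, lat_max, lon_min, lon_max).
EUROPE_BOX = (35.0, 72.0, -25.0, 45.0)
SENSITIVE_ACTIONS = {"open_wallet"}


def naive_udid_login(udid):
    """The anti-pattern: whoever presents a known UDID is 'authenticated'.

    The identifier is readable on the device and travels with every request,
    so this proves knowledge of a string, not possession of a credential.
    """
    return udid in ENROLLED_UDIDS


def register(user, password):
    salt = secrets.token_bytes(16)
    USERS[user] = (salt, hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ROUNDS))


def check_password(user, password):
    record = USERS.get(user)
    if record is None:
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def issue_session(user, password, ttl=3600, now=None):
    """Return a signed 'user|expiry' token, or None if the password is wrong."""
    if not check_password(user, password):
        return None
    current = int(now if now is not None else time.time())
    payload = f"{user}|{current + ttl}".encode()
    signature = hmac.new(SERVER_KEY, payload, "sha256").digest()
    return base64.urlsafe_b64encode(payload + signature).decode()


def validate_session(token, now=None):
    """Return the username for a correctly signed, unexpired token, else None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:                 # binascii.Error is a ValueError
        return None
    if len(raw) <= SIG_LEN:
        return None
    payload, signature = raw[:-SIG_LEN], raw[-SIG_LEN:]
    expected = hmac.new(SERVER_KEY, payload, "sha256").digest()
    if not hmac.compare_digest(signature, expected):
        return None
    user, _, expiry = payload.decode(errors="replace").partition("|")
    if not expiry.isdigit():
        return None
    current = now if now is not None else time.time()
    return user if int(expiry) > current else None


def in_europe(lat, lon):
    lat_min, lat_max, lon_min, lon_max = EUROPE_BOX
    return lat_min <= lat <= lat_max and lon_min <= lon <= lon_max


def authorize(token, action, lat=None, lon=None, now=None):
    """Who (a valid session) plus, for sensitive actions, where (GPS in Europe)."""
    if validate_session(token, now) is None:
        return False
    if action in SENSITIVE_ACTIONS:
        return lat is not None and lon is not None and in_europe(lat, lon)
    return True


if __name__ == "__main__":
    register("alice", "correct horse battery")
    token = issue_session("alice", "correct horse battery", ttl=60)
    print("naive UDID check passes:", naive_udid_login("constructed-udid-0001"))
    print("wallet from Brussels:", authorize(token, "open_wallet", 50.85, 4.35))
    print("wallet from New York:", authorize(token, "open_wallet", 40.71, -74.01))
```

The token carries no secret of its own: the HMAC over the payload is what makes it unforgeable, and the comparison uses `hmac.compare_digest` so a tampered signature cannot be guessed byte by byte. The location gate is an authorization decision layered on an already-authenticated session, which is the "combine with passwords" point of slide 39.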
43. Goal & Facts
• Distribute mobile apps through your own company-branded AppStore
• Reduce risks of rogue apps
• Help the users to find their way
• Only for “big” companies (only 10% have one)
44. Challenges
• Decide which apps to include
• Generic vs custom apps
• Support the users & their apps
• Licenses for commercial apps
45. Benefits

              Benefits                                  Constraints
  Users       Save time & effort, Efficient selection   Limited offer
  Companies   Reduced risks                             Takes time/$$$
46. Conclusion
• Don’t look at the device itself
• Person → App
• Look at data and application (BYOD → BYOA)
• Perform security assessments of your apps