Presentation about mobile devices security given at (ISC2) SecureAmsterdam Workshop

1. Mobile Security
Xavier Mertens
ISC2 Secure Amsterdam - Apr 2013
1

2. $ cat disclaimer.txt
“The opinions expressed in this presentation are
those of the speaker and do not necessarily
reflect those of past, present employers,
partners or customers.”
2

3. $ whoami
• Xavier Mertens
• Independent Security Consultant
• Security Blogger (blog.rootshell.be)
• Giving spare time for security projects
3

4. Agenda
• There is an App for that
• Risks inherent in mobile devices
• Employee owned device (BYOD)
• Mobile applications development
• Enterprise AppStores
4

5. “There is an App
for that!”
5

6. Once Upon A Time...
6

7. What if...
7

8. Reality...
8

9. Today...
9

10. The “Apps Storm”
• 550.000 apps available on the Apple
AppStore
• 45.455 download per app (average)
• 315 millions IOS devices in use
• 80 apps installed per IOS device (average)
(Source: thenextweb.com)
10

11. Android Jungle
Android Pit
Google Play AppsLib GetJar Appbackr
SlideMe Samsung Apps 1Mobile
Cnet
LG Mobile Camangi Market Appia
MVStore Vodafone Verizon Wireless Mobile24
Amazone Appstore Mobango
Extent Mobireach
Nook Developer
Android Freeware
Blue Via Handster
FastApp
11

12. What’s This?
12

13. Risks Inherent In
Mobile Devices
13

14. Ooops!
14

15. The Mobile Landscape
15

16. Apps Permissions
16

17. Rogue App Stores
• Owners tend to install any apps
• Social engineering works!
• Some apps may require much more rights
than required
• People trust Apps stores and developers
• Developers must write good code
17

18. Fake Apps
• Take a popular app
• Add malicious behavior
• Repack & republish
• Wait & enjoy!
18

19. QR Codes
(Will you scan this code?)
19

20. Geolocalization
20

21. NFC
21

22. Home & Cars
22

23. Employee Own
Devices
23

24. Why Do People BTOD
• Devices became cheaper and powerful
• The “Generation Y”
• Always online everywhere!
• Company devices are sometimes old-
fashioned
24

25. First Question?
• Are you ready to accept personal devices
on your network?
• It’s a question of ... risk!
• Examples:
• Data loss
• Network intrusion
• Data ex-filtration
25

26. “MDM”?
• Do you need a MDM solution?
(Mobile Device Management)
• Microsoft Exchange include ActiveSync for
free
• Most security $VENDORS propose (basic)
tools to handle mobile devices
26

27. MDM & Security
• MDM solutions are connected to an
existing infrastructure
• Integration is the key
• Review requirements (Is is normal to allow
a full LDAP access on your AD?)
27

28. Minimum Requirements
• Automatic lock + password
• No jailbroken devices
• Remote wipe
• Backups (who’s responsible?)
28

29. Data Classification
• Another approach is implementing data
classification
• Implementation of the “least privileges”
principle
• Access to data is based on profiles
• Work with any device! (benefit broader
than the scope of mobile devices)
29

30. Locations
• Access to data has a direct relation with
the user/device location
• Three situations
Source Risk
Local access LAN, corporate Wi-Fi Low
VPN / SSL VPN Medium
Remote access
Wild High
30

31. Data Classification
Company Owned
Personal Devices
Devices
Data Remote Remote
Local Remote Local Remote
Classification (Wild) (Wild)
Top-Secret No No No No No No
Highly
Yes No No No No No
Confidential
Proprietary Yes Yes No Yes No No
Internal Use
Yes Yes No Yes Yes No
Only
Public Yes Yes Yes Yes Yes Yes
31

32. Mobile Application
Development
32

33. Top-10 Mobile Risks
• Insecure data storage • Improper session handling
• Weak server side • Secure decision via
controls untrusted input
• Insufficient transport layer • Side channel data leakage
protection
• Broken cryptography
• Client side injection
• Sensitive information
• Poor authentication & disclosure
authorization
(Source: OWASP)
33

34. OWASP Mobile
Security Project
• Mobile testing guide
• Secure mobile development guide
• Top-10 mobile controls and design
principles
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
34

35. Types of Applications
• Browser based (m.company.com)
• Common web vulnerabilities apply
• Installed application
• Storage of data
• Communications
• Authentication / session management
35

36. Use of Environment
• Access
• 3G/GPRS/Edge
• Wi-Fi
• Hardware
• NFC, Bluetooth
• GPS
• Camera / Mic
• Sensors
• USB
36

37. Lack of / Bad Crypto
• Data must be encrypted (data at rest, data
in transit)
• No not re-invent the wheel. Writing a
crypto algorithm is not easy. Use existing
libs
37

38. Local VS. Remote
Storage
Pros Cons
No network costs Risk of loss
Local Speed Outdated
Always updated
Data network ($)
Central No risk of loss
Speed
38

39. Geolocalization
• Again! But this time for good purposes
• Do not allow some actions or apps (ex:
opening a wallet) if GPS data shows the
phone outside Europe
• Combine with passwords for stronger
authentication/authorization
39

40. Security Assessment
• Static analysis
• Network capture (MitM)
• Smartphone Pentest
Framework(*)
(*)
http://www.bulbsecurity.com/smartphone-pentest-framework/
40

41. Best Practices
• Do not hardcode data or store the
minimum required
• Do no use memory cards for sensitive data
• Encrypt again & again (BASE64 != Crypto)
• Protect the central server (!)
• Sanitize user inputs
• Provide correct auth (UDID != auth)
41

42. Enterprise AppStores
42

43. Goal & Facts
• Distribute mobile apps through your own
company branded AppStore.
• Reduce risks of rogue apps
• Help the users to find their way
• Only for “big” companies (only 10% have
one)
43

44. Challenges
• Decide which apps to include
• Generic vs custom apps
• Support the users & their apps
• Licenses for commercial apps
44

45. Benefits
Benefits Constraints
Same time & effort
Users Efficient selection
Limited offer
Companies Reduced risks Takes time/$$$
45

46. Conclusion
• Don’t look at the device itself
• Person App
• Look at data and application
(BYOD BYOA)
• Perform security assessments of your apps
46

47. Thank You!
?
Xavier Mertens | xavier@truesec.be | @xme | https://www.truesec.be
47