1. Fresh Digital Group
Building Mobile Security
We Strategize. We Execute. We Deliver. On All Screens.
2. The Problem: Vulnerabilities
- OS Vulnerabilities
  - Server
  - Clients
- Transport Vulnerabilities
  - Network
- App Vulnerabilities
  - Client
  - Middleware
  - Servers
3. The Problem: App Security
Apps exist in the market to make $$$, not to protect you or your information.
Gold Rush Mentality: developers are extremely rushed to produce apps, leading to security suffering.
4. The Problem: Enterprise Issues
Transforming how people work:
- Insurance agents close deals in real time on their iPad
- Doctors can review secure messages and patient records from a restaurant
- Social workers carry tablets to each client's home, take images, and update records
5. The Problem: Enterprise Issues
The mobile ecosystem introduces an exponentially expanded attack surface compared to past introductions:
- Non-Managed Firmware
- Non-Managed Networks
- Non-Managed OSs
- Non-Managed Applications
- Non-Managed Data Flows
Significant economic impacts from past situations with fewer variables and complexities:
- Email: I Love You virus = $10B
- Web Servers: Code Red = $9B
- PCs: Blaster = $5B
7. The Problem: Mobile Hacking
Old Process: 5 steps to monetize a vulnerability
Exploit > Install > Data Theft > Data Sale > Profit
New Process: 3 steps to monetize a vulnerability
Exploit > Install > Profit
8. App Vulnerabilities: Mobile App Threat
Many considerations:
- Platforms vary substantially
- Similar to, but still very different from, a traditional web app, even when heavy with client-side code
- It's more than just apps: cloud/network integration and device platform considerations
- Most mobile apps are basically web apps, but with more client "smarts"; almost all web weaknesses are relevant, and more
9. Mobile Threat Model
Threat-model diagram (items as listed on the slide):
- Lost Device / Missing Device
- Device Breach
- Untrusted NFC tag or Peer
- Malicious QR code
- Insecure WiFi Network
- Carrier Network Breach
- Spoofing
- Tampering
- Repudiation
- Social Engineering
- Toll Fraud
- Malware
- Malware Sandbox Escape
- Malicious Application
- Crashing Apps
- Reverse Engineering Apps
- Modifying Local Data
- Client Side Injection
- Improper Session Handling
- Weak Authentication
- Flawed Authentication
- Weak Authorization
- Compromised Credentials
- Compromised Backend
- Excessive API Usage
- Push Notification Flooding
- Denial of Service / DDoS
- Elevation of Privilege
- Information Disclosure
10. Biggest Issue: Lost/Stolen Device
Anyone with physical access to your device can get to a wealth of data:
- PIN is not effective
- App data
- Keychains
- Properties
Disk encryption helps, but we can't count on users using it.
Apps must protect users' local data storage.
11. Lost/Stolen Device: Insecure Data Storage
Sensitive data left unprotected; applies to locally stored data and cloud-synced data.
Generally a result of:
- Not encrypting data
- Caching data not intended for long-term storage
- Weak or global permissions
- Not leveraging platform best practices
Impact:
- Confidentiality of data lost
- Credentials disclosed
- Privacy violations
- Non-compliance
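The causes listed above, turned into controls in an added example (not code from the slides): credentials and session data are held in memory only, profile data is written with owner-only permissions, and an HMAC tag detects modification outside the app. The key and the data classes are constructed for the example; on a real device the key would come from the platform keychain.

```python
import hashlib, hmac, json, os, tempfile
from pathlib import Path

# Credentials and session data are cached in memory only (on iOS they belong in the
# Keychain); profile data may be written, but owner-only and with an HMAC tag.
NEVER_PERSIST = {"credential", "session"}

class LocalStore:
    def __init__(self, directory, integrity_key):
        self.dir = Path(directory)
        self.key = integrity_key   # assumed to come from the platform keychain
        self.memory = {}

    def put(self, name, value, classification):
        if classification in NEVER_PERSIST:
            self.memory[name] = value   # never touches disk
            return None
        blob = json.dumps(value)
        tag = hmac.new(self.key, blob.encode(), hashlib.sha256).hexdigest()
        path = self.dir / f"{name}.json"
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # not 0o666
        with os.fdopen(fd, "w") as f:
            json.dump({"data": blob, "tag": tag}, f)
        return path

    def get(self, name):
        if name in self.memory:
            return self.memory[name]
        record = json.loads((self.dir / f"{name}.json").read_text())
        expected = hmac.new(self.key, record["data"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, record["tag"]):
            raise ValueError(f"{name}: stored data was modified outside the app")
        return json.loads(record["data"])

def demo():
    """Round trip in a temp dir; returns the checks a test can assert on."""
    d = tempfile.mkdtemp()
    store = LocalStore(d, b"constructed-demo-key")
    store.put("session_cookie", "abc123", "session")
    path = store.put("profile", {"name": "Ann"}, "profile")
    out = {"session_on_disk": (Path(d) / "session_cookie.json").exists(),
           "owner_only": (os.stat(path).st_mode & 0o077) == 0,
           "profile": store.get("profile")}
    record = json.loads(path.read_text())   # another process edits the file
    record["data"] = json.dumps({"name": "Mallory"})
    path.write_text(json.dumps(record))
    try:
        store.get("profile")
        out["tamper_detected"] = False
    except ValueError:
        out["tamper_detected"] = True
    return out
```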
12. Second Biggest Issue: Insecure Comms
Without additional protection, mobile devices are susceptible to the "coffee shop attack": anyone on an open WiFi can eavesdrop on your data.
No different from any other WiFi device, really.
Your apps MUST protect your users' data in transit.
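An added example (not from the slides) of what "protect data in transit" means for the client side of an app: a TLS client context that always verifies the server, an audit that flags the settings a rushed app often disables, and a certificate pin so that a valid-but-unexpected certificate on open WiFi is refused. The pin value and host names are placeholders, not real fingerprints.

```python
import hashlib
import socket
import ssl

# Constructed placeholder, not a real fingerprint: SHA-256 over the DER bytes of
# the leaf certificate the app expects.  Ship the real value with the app.
PINNED_LEAF_SHA256 = {"<sha256-of-expected-leaf-certificate-der>"}

def client_context(ca_file=None):
    """Context that verifies the chain and the hostname and refuses legacy TLS."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def unverified_context():
    """What a rushed app often ships: any peer on the WiFi can pose as the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_context(ctx):
    """List the settings that make eavesdropping on open WiFi trivial."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate verification disabled")
    if not ctx.check_hostname:
        problems.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("legacy TLS versions allowed")
    return problems

def fingerprint(leaf_der):
    return hashlib.sha256(leaf_der).hexdigest()

def pin_matches(leaf_der, pins=PINNED_LEAF_SHA256):
    """True when the presented leaf certificate is one the app was built to trust."""
    return fingerprint(leaf_der) in pins

def connect_pinned(host, port=443, pins=PINNED_LEAF_SHA256):
    """Open a verified, pinned TLS connection; an unexpected certificate is refused."""
    tls = client_context().wrap_socket(socket.create_connection((host, port), timeout=10),
                                       server_hostname=host)
    if not pin_matches(tls.getpeercert(binary_form=True), pins):
        tls.close()
        raise ssl.SSLError(f"{host}: certificate does not match the pinned set")
    return tls
```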
13. Case Study Examples: Mint.com
Mint.com: a financial service aggregator that relies on targeted marketing/lead generation, 5M+ active users.
How it works:
- Create Mint.com account
- Link financial accounts to Mint.com
- Install mobile application and enter Mint.com credentials
- View all financial account activity within app
14. Lost Device Example
Physical iOS Exploit Scenario
Lost iPhone > Recovered by data harvester > 4-digit PIN bypassed in 3 minutes > User partition copied > Mint.com cookies and configuration copied to the attacker's iOS platform
Full Mint.com mobile access in 20 minutes or less
15. Remote iOS Exploit Scenario
- Unpatched iOS device is compromised through a URL handling exploit
- Attacker bundles a keylogger as the exploit payload
- User installs Mint.com and links the mobile application to their Mint.com account
- Attacker programs the compromised phone to schedule daily dumps of keystroke logs
16. Common Security Mechanisms: How to Build in Security
- Input validation
- Output escaping
- Authentication
- Session handling
- Protecting secrets
  - At rest
  - In transit
  - SQL connections
17. Authorization Basics
Question every action. Is the user allowed to access this:
- File
- Function
- Data
By role or by user.
- Complexity issues
- Maintainability issues
- Creeping exceptions
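An added example (not from the slides) of "question every action": a deny-by-default authorizer that checks functions by role and records by owner, and keeps per-user exceptions as explicit, dated grants so that creeping exceptions can be audited instead of accumulating in code. The roles, actions and users are constructed for the insurance-agent scenario on the slides.

```python
from dataclasses import dataclass

# Constructed roles for the insurance-agent scenario; real apps load these from config.
ROLE_FUNCTIONS = {
    "agent":   {"policy.view", "quote.create"},
    "manager": {"policy.view", "quote.create", "quote.approve", "report.view"},
}
CROSS_USER_ROLES = {"manager"}   # may read records they do not own

@dataclass(frozen=True)
class User:
    name: str
    role: str

@dataclass(frozen=True)
class Record:
    owner: str

@dataclass(frozen=True)
class Grant:
    """A per-user exception to the role model; it must say why and when it ends."""
    user: str
    action: str
    reason: str
    expires: str   # ISO date, compared as text

class Authorizer:
    def __init__(self, grants=()):
        self.grants = list(grants)

    def decide(self, user, action, today, record=None):
        """Deny by default; returns (allowed, reason) so every decision can be logged."""
        if user.role not in ROLE_FUNCTIONS:
            return False, "unknown role"
        if action not in ROLE_FUNCTIONS[user.role]:
            live = [g for g in self.grants
                    if g.user == user.name and g.action == action and g.expires >= today]
            if not live:
                return False, f"{user.role} may not call {action}"
            why = f"exception: {live[0].reason}"
        else:
            why = f"role {user.role}"
        if record is not None and record.owner != user.name and user.role not in CROSS_USER_ROLES:
            return False, "record belongs to another user"
        return True, why

    def audit(self, today):
        """Grants that have expired or carry no justification: the creep to clean up."""
        return [g for g in self.grants if g.expires < today or not g.reason.strip()]
```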
18. Security Solutions Address 4 Aspects
1. Authentication: enforce enterprise standards w/o compromising UX
2. Data Security (Storage and Transit): isolate corporate data, secure it, and provide DLP
3. Control Corp. Data: provision enterprise access, enforce policy and visibility
4. App Creation: Native & HTML5, UX, cross platform, getting business logic right
19. Fresh Digital Group
111 John St, 2nd FL
New York, NY 10038
www.freshdigitalgroup.com