Fresh Digital Group
Building Mobile Security

We Strategize. We Execute. We Deliver. On All Screens.
The Problem: Vulnerabilities
• OS Vulnerabilities
  - Server
  - Clients

• Transport Vulnerabilities
  - Network

• App Vulnerabilities
  - Client
  - Middleware
  - Servers

The Problem: App Security
• Apps exist in the market to make $$$
  - Not to protect you or your information

• Gold Rush Mentality
  - Developers are extremely rushed to produce apps
  - Leading to security suffering


The Problem: Enterprise Issues
• Transforming how people work

  - Insurance agents close deals in real time on their iPad
  - Doctors can review secure messages and patient records from a restaurant
  - Social workers carry tablets to each client's home, take images, update records




The Problem: Enterprise Issues
• The mobile ecosystem introduces an exponentially expanded attack surface
  compared to past technology introductions
  - Non-Managed Firmware
  - Non-Managed Networks
  - Non-Managed OSs
  - Non-Managed Applications
  - Non-Managed Data Flows

• Significant economic impacts from past situations with fewer variables
  and complexities
  - Email: I Love You virus = $10B
  - Web Servers: Code Red = $9B
  - PCs: Blaster = $5B



Most Vulnerable Securities




The Problem: Mobile Hacking
• Old Process: 5 steps to monetize a vulnerability

  Exploit > Install > Data Theft > Data Sale > Profit

• New Process: 3 steps to monetize a vulnerability

  Exploit > Install > Profit


App Vulnerabilities: Mobile App Threat
• Many considerations
  - Platforms vary substantially
  - Similar to, but still very different from, a traditional web app,
    even when heavy with client-side code

• It's more than just apps
  - Cloud/network integration
  - Device platform considerations

• Most mobile apps are basically web apps
  - But with more client "smarts": almost all web weaknesses are relevant,
    and more



Mobile Threat Model
(Diagram; the threats shown are:)
• Missing Device
• Lost Device
• Repudiation
• Malicious QR code
• Spoofing
• Social Engineering
• Carrier Network Breach
• Tampering
• Untrusted NFC tag or Peer
• Weak Authorization
• Weak Authentication
• Flawed Authentication
• Toll Fraud
• Malware
• Modifying Local Data
• Insecure WiFi Network
• Client Side Injection
• Improper Session Handling
• Malicious Application
• Push Notification Flooding
• Crashing Apps
• Sandbox Escape
• Compromised Credentials
• Compromised Device
• Backend Breach
• Excessive API Usage
• Elevation of Privilege
• Denial of Service
• DDoS
• Information Disclosure
• Reverse Engineering Apps


Biggest Issue: Lost/Stolen Device
• Anyone with physical access to your device can get to a wealth of data
  - PIN is not effective
  - App data
  - Keychains
  - Properties

• Disk encryption helps, but we can't count on users using it

• Apps must protect users' local data storage


Lost/Stolen Device → Insecure Data Storage

• Sensitive data left unprotected
• Applies to locally stored data + cloud synced data
• Generally a result of:
  - Not encrypting data
  - Caching data not intended for long-term storage
  - Weak or global permissions
  - Not leveraging platform best practices

• Impact:
  - Confidentiality of data lost
  - Credentials disclosed
  - Privacy violations
  - Non-compliance
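The causes listed above, and the "apps must protect users' local data storage" rule from the previous slide, as something a reviewer can check mechanically: an added example, not part of the deck, that audits a constructed app data directory for secrets in the clear, sensitive data left in a cache directory, and group/world-readable files. The sandbox layout, file contents, SENSITIVE_KEYS and CACHE_DIRS are all assumptions.

```python
"""Audit an app's local data directory for the insecure-storage causes on the
slide: secrets stored in the clear, sensitive data left in caches, and weak
(group/world-readable) permissions. Added example; the sandbox layout, file
contents, SENSITIVE_KEYS and CACHE_DIRS are all constructed assumptions."""
import json
import os
import re
import shutil
import stat
import tempfile

# Keys whose values should never be written to a plain file (assumed list)
SENSITIVE_KEYS = {"password", "token", "session", "cookie", "secret", "api_key"}
# Directory names whose contents are not meant for long-term storage (assumed)
CACHE_DIRS = {"Caches", "tmp"}


def weak_permissions(path):
    """True if anyone other than the file owner can read the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def plaintext_secrets(path):
    """Return sensitive keys that appear in the clear in a JSON or key=value file."""
    try:
        with open(path, "r", encoding="utf-8") as fh:
            text = fh.read()
    except UnicodeDecodeError:
        return set()  # not text: treated as an opaque (encrypted) blob
    try:
        data = json.loads(text)
        if isinstance(data, dict):
            return {k for k in data if k.lower() in SENSITIVE_KEYS}
    except json.JSONDecodeError:
        pass
    keys = re.findall(r"^\s*([A-Za-z_]+)\s*=", text, re.M)
    return {k for k in keys if k.lower() in SENSITIVE_KEYS}


def audit_data_dir(root):
    """Walk the app sandbox and return sorted (relative_path, finding) tuples."""
    findings = []
    for dirpath, _, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        in_cache = any(part in CACHE_DIRS for part in rel_dir.split(os.sep))
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if weak_permissions(path):
                findings.append((rel, "weak permissions: readable by group/other"))
            secrets = plaintext_secrets(path)
            if secrets:
                findings.append((rel, "plaintext secret(s): " + ", ".join(sorted(secrets))))
                if in_cache:
                    findings.append((rel, "sensitive data in cache directory"))
    return sorted(findings)


def build_sample_sandbox():
    """Construct a sample app sandbox that exhibits each cause on the slide."""
    root = tempfile.mkdtemp(prefix="appsandbox_")
    os.makedirs(os.path.join(root, "Library", "Caches"))
    os.makedirs(os.path.join(root, "Documents"))
    # Not encrypted + cached + global permissions: credentials as plain JSON, world-readable
    path = os.path.join(root, "Library", "Caches", "login.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump({"user": "alice", "password": "hunter2", "token": "abc123"}, fh)
    os.chmod(path, 0o644)
    # Not encrypted only: a properties file holding a session id, owner-only permissions
    path = os.path.join(root, "Library", "prefs.conf")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("theme=dark\nsession=deadbeef\n")
    os.chmod(path, 0o600)
    # Clean: an opaque (assumed encrypted) blob with owner-only permissions
    path = os.path.join(root, "Documents", "ledger.enc")
    with open(path, "wb") as fh:
        fh.write(bytes(range(256)))
    os.chmod(path, 0o600)
    return root


def run_sample_audit():
    """Build the sample sandbox, audit it, remove it, and return the findings."""
    root = build_sample_sandbox()
    try:
        return audit_data_dir(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel_path, finding in run_sample_audit():
        print(f"{rel_path}: {finding}")
```

The opaque-blob heuristic only says a file is not readable text; it cannot tell encrypted data from any other binary, so treat it as a prompt to check how that file is actually protected.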




Second Biggest Issue: Insecure Comms

• Without additional protection, mobile devices are susceptible to the
  "coffee shop attack"
  - Anyone on an open WiFi can eavesdrop on your data
  - No different than any other WiFi device really

• Your apps MUST protect your users' data in transit




Case Study Examples: Mint.com

• Mint.com: a financial service aggregator that relies on targeted
  marketing/lead generation, 5M+ active users

• How it works:
  - Create Mint.com account
  - Link financial accounts to Mint.com
  - Install mobile application and enter Mint.com credentials
  - View all financial account activity within app


Lost Device Example
• Physical iOS Exploit Scenario
  - Lost iPhone > Recovered by data harvester > 4-digit PIN bypassed in
    3 minutes > User partition copied > Mint.com cookies and configuration
    copied to attacker's iOS platform

  - Full Mint.com mobile access in 20 minutes or less




Remote iOS Exploit Scenario

• Un-patched iOS device is compromised through URL handling exploit
• Attacker bundles keylogger as exploit payload
• User installs Mint.com and links mobile application to Mint.com account
• Attacker programs compromised phone to schedule daily dumps of keystroke logs



Common Security Mechanisms: How to Build in Security

• Input validation
• Output escaping
• Authentication
• Session handling
• Protecting secrets
  - At rest
  - In transit
• SQL connections




Authorization Basics
• Question every action
  - Is the user allowed to access this:
    • File
    • Function
    • Data

• By role or by user
  - Complexity issues
  - Maintainability issues
  - Creeping exceptions
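The "question every action" rule and the role-versus-user trade-off above, as an added example that is not from the deck: a deny-by-default authorizer that checks each file, function or data access against role grants, keeps per-user exceptions separate, and reports the exceptions that no role covers so that "creeping exceptions" stay visible. The roles, users and resource names are constructed.

```python
"""Deny-by-default authorizer: every action on a file, function or data item is
checked against role grants; per-user exceptions are tracked separately so the
maintenance debt they create can be audited. Added example with constructed
roles, users and resources loosely based on the deck's agent/doctor scenarios."""


class Authorizer:
    def __init__(self):
        self.role_grants = {}      # role -> set of (action, resource)
        self.user_roles = {}       # user -> set of roles
        self.user_exceptions = {}  # user -> set of (action, resource) granted outside roles

    def grant_role(self, role, action, resource):
        """Allow every member of `role` to perform `action` on `resource`."""
        self.role_grants.setdefault(role, set()).add((action, resource))

    def assign_role(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def grant_exception(self, user, action, resource):
        """Per-user grant; kept apart from roles because these accumulate over time."""
        self.user_exceptions.setdefault(user, set()).add((action, resource))

    def is_allowed(self, user, action, resource):
        """Deny unless a role or an explicit exception grants (action, resource)."""
        for role in self.user_roles.get(user, ()):
            if (action, resource) in self.role_grants.get(role, ()):
                return True
        return (action, resource) in self.user_exceptions.get(user, ())

    def audit_exceptions(self):
        """Exceptions no role of the user already covers: the creeping-exception debt."""
        report = []
        for user, grants in self.user_exceptions.items():
            for action, resource in grants:
                covered = any((action, resource) in self.role_grants.get(r, ())
                              for r in self.user_roles.get(user, ()))
                if not covered:
                    report.append((user, action, resource))
        return sorted(report)


def build_sample():
    """Constructed enterprise setup: agents handle policies, doctors patient records."""
    az = Authorizer()
    az.grant_role("agent", "read", "policy")
    az.grant_role("agent", "sign", "policy")            # data access by role
    az.grant_role("doctor", "read", "patient_record")
    az.grant_role("doctor", "call", "export_report")    # function access by role
    az.assign_role("alice", "agent")
    az.assign_role("bob", "doctor")
    # A "just this once" grant: no social-worker role was ever defined for carol
    az.grant_exception("carol", "read", "patient_record")
    # A redundant per-user grant that alice's role already covers
    az.grant_exception("alice", "read", "policy")
    return az


if __name__ == "__main__":
    az = build_sample()
    for user, action, resource in [("alice", "read", "policy"),
                                   ("alice", "read", "patient_record"),
                                   ("carol", "read", "patient_record"),
                                   ("dave", "read", "policy")]:
        print(user, action, resource, "->", "allow" if az.is_allowed(user, action, resource) else "deny")
    print("uncovered exceptions:", az.audit_exceptions())
```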



Security Solutions Address 4 Aspects

1. Authentication: Enforce enterprise standards w/o compromising UX
2. Data Security (Storage and Transit): Isolate corporate data, secure it, and provide DLP
3. Control Corp. Data: Provision enterprise access, enforce policy and visibility
4. App Creation: Native & HTML5, UX, cross platform, getting business logic right



Fresh Digital Group
111 John St 2nd FL
New York, NY 10038
www.freshdigitalgroup.com




 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 

Mobile Security

  • 1. Fresh Digital Group: Building Mobile Security. We Strategize. We Execute. We Deliver. On All Screens.
  • 2. The Problem: Vulnerabilities
    - OS vulnerabilities: server, clients
    - Transport vulnerabilities: network
    - App vulnerabilities: client, middleware, servers
  • 3. The Problem: App Security
    - Apps exist in the market to make $$$, not to protect you or your information
    - Gold rush mentality: developers are extremely rushed to produce apps, leading to security suffering
  • 4. The Problem: Enterprise Issues
    - Transforming how people work
    - Insurance agents close deals in real time on their iPad
    - Doctors can review secure messages and patient records from a restaurant
    - Social workers carry tablets to each client's home, take images, and update records
  • 5. The Problem: Enterprise Issues
    - The mobile ecosystem introduces an exponentially expanded attack surface compared to past introductions: non-managed firmware, non-managed networks, non-managed OSs, non-managed applications, non-managed data flows
    - Significant economic impacts from past situations with fewer variables and complexities: Email - I Love You virus = $10B; Web servers - Code Red = $9B; PCs - Blaster = $5B
  • 6. Most Vulnerable Securities
  • 7. The Problem: Mobile Hacking
    - Old process, 5 steps to monetize a vulnerability: Exploit > Install > Data Theft > Data Sale > Profit
    - New process, 3 steps to monetize a vulnerability: Exploit > Install > Profit
  • 8. App Vulnerabilities: Mobile App Threat
    - Many considerations: platforms vary substantially; similar but still very different from a traditional web app, even when heavy with client-side code
    - It's more than just apps: cloud/network integration; device platform considerations
    - Most mobile apps are basically web apps, but with more client "smarts," so almost all web weaknesses are relevant, and more
  • 9. Mobile Threat Model (diagram; labels recoverable from the slide): Missing Device, Lost Device, Device Breach, Malicious QR code, Untrusted NFC tag or Peer, Social Engineering, Carrier Network Breach, Insecure WiFi Network, Spoofing, Tampering, Repudiation, Toll Fraud, Malware, Malicious Application, Modifying Local Data, Improper Session Handling, Client Side Injection, Weak Authentication, Flawed Authentication, Weak Authorization, Compromised Credentials, Compromised Backend, Sandbox Escape, Crashing Apps, Push Notification Flooding, Excessive API Usage, Elevation of Privilege, Denial of Service, DDoS, Information Disclosure, Reverse Engineering Apps
  • 10. Biggest Issue: Lost/Stolen Device
    - Anyone with physical access to your device can get to a wealth of data: PIN is not effective; app data; keychains; properties
    - Disk encryption helps, but we can't count on users using it
    - Apps must protect users' local data storage
  • 11. Lost/Stolen Device: Insecure Data Storage
    - Sensitive data left unprotected; applies to locally stored data + cloud synced data
    - Generally a result of: not encrypting data; caching data not intended for long-term storage; weak or global permissions; not leveraging platform best practices
    - Impact: confidentiality of data lost; credentials disclosed; privacy violations; non-compliance
  • 12. Second Biggest Issue: Insecure Comms
    - Without additional protection, mobile devices are susceptible to the "coffee shop attack": anyone on an open WiFi can eavesdrop on your data
    - No different from any other WiFi device, really
    - Your apps MUST protect your users' data in transit
  • 13. Case Study Examples: Mint.com
    - Mint.com: a financial service aggregator that relies on targeted marketing/lead generation, 5M+ active users
    - How it works: create a Mint.com account; link financial accounts to Mint.com; install the mobile application and enter Mint.com credentials; view all financial account activity within the app
  • 14. Lost Device Example: Physical iOS Exploit Scenario
    - Lost iPhone > Recovered by data harvester > 4-digit PIN bypassed in 3 minutes > User partition copied > Mint.com cookies and configuration copied to attack iOS platform
    - Full Mint.com mobile access in 20 minutes or less
  • 15. Remote iOS Exploit Scenario
    - Un-patched iOS device is compromised through a URL handling exploit
    - Attacker bundles a keylogger as the exploit payload
    - User installs Mint.com and links the mobile application to their Mint.com account
    - Attacker programs the compromised phone to schedule daily dumps of keystroke logs
  • 16. Common Security Mechanisms: How to Build in Security
    - Input validation
    - Output escaping
    - Authentication
    - Session handling
    - Protecting secrets: at rest, in transit, SQL connections
  • 17. Authorization Basics
    - Question every action: is the user allowed to access this file, function, or data?
    - By role or by user
    - Complexity issues, maintainability issues, creeping exceptions
  • 18. Security Solutions Address 4 Aspects
    1. Authentication: enforce enterprise standards w/o compromising UX
    2. Data Security (Storage and Transit): isolate corporate data, secure it, and provide DLP
    3. Control Corp. Data: provision enterprise access, enforce policy and visibility
    4. App Creation: native & HTML5, UX, cross platform, getting business logic right
  • 19. Fresh Digital Group, 111 John St 2nd FL, New York, NY 10038, www.freshdigitalgroup.com
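Slide 17's "question every action ... by role or by user" and its warning about creeping exceptions, shown as an added example that is not from the deck or from Fresh Digital Group: a deny-by-default check applied before each file, function or data access, with per-user exceptions kept explicit so a report can flag the ones that roles do not already cover. The roles, users and permissions are constructed for illustration.

```python
# Added example (not from the deck): deny-by-default authorization in the spirit
# of slide 17. Role names, users and permissions below are constructed.
from dataclasses import dataclass, field

# Constructed role -> permission table. A permission is (resource, action).
ROLE_PERMISSIONS = {
    "agent":   {("policy", "read"), ("policy", "write"), ("quote", "read")},
    "auditor": {("policy", "read"), ("quote", "read"), ("audit_log", "read")},
}


@dataclass
class User:
    name: str
    roles: set
    # Per-user overrides are the "creeping exceptions" the slide warns about.
    # Keeping them as data (not buried in code paths) makes them reviewable.
    grants: set = field(default_factory=set)
    denies: set = field(default_factory=set)


def is_allowed(user: User, resource: str, action: str) -> bool:
    """Deny by default: a user-level deny wins, then a user grant, then roles."""
    perm = (resource, action)
    if perm in user.denies:
        return False
    if perm in user.grants:
        return True
    return any(perm in ROLE_PERMISSIONS.get(r, set()) for r in user.roles)


def authorize(user: User, resource: str, action: str) -> None:
    """Call before every file, function or data access; raises on denial."""
    if not is_allowed(user, resource, action):
        raise PermissionError(f"{user.name} may not {action} {resource}")


def exception_report(users) -> dict:
    """Maintainability check: per-user grants that no role already covers,
    so each exception can be reviewed, folded into a role, or removed."""
    report = {}
    for u in users:
        covered = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in u.roles))
        extra = u.grants - covered
        if extra:
            report[u.name] = extra
    return report
```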