SlideShare une entreprise Scribd logo

Android Camp 2011 @ Silicon India

Avinash Birnale
Avinash Birnale

This is the presentation i gave at Android Camp and Mobile Developer Summit held in 2011.

1  sur  18
Télécharger pour lire hors ligne
Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies
Session Contents •  Overview  of  Mobility  and  Mobile  Security   –  Introduc6on  to  Mobility   –  Mobile  Security   •  Best  Prac6ces  for  Secure  So:ware  Development   •  Android  OS     –  Security  Architecture  and  deployment   –  Android  A@ack  Surfaces   –  Enterprise  features,  What  can  we  leverage?   •  Ques6ons?   ©  2011  Endeavour  So:ware  Technologies   2  
Mobility •  A  Capability   Enterprise  Mobility   •  Communicate  and  Access     •  On  the  Move   The  ability  of  an  enterprise  to  connect  to  people   and  control  assets  from  any  loca6on.   •  Any6me     •  From  Anywhere   Technologies  that  support  enterprise  mobility   •  Voice,  Messages,  Data   include  wireless  networks,  mobile  applica9ons,   middleware,  devices,  and  security  and   management  so;ware.     Forrester  Research  Defini9on   ©  2011  Endeavour  So:ware  Technologies   3  
What is happening in the Corporate World? ©  2011  Endeavour  So:ware  Technologies   4  
Mobile Security – Everywhere! Applica6on   Device   Level   Level   Network  Level   ©  2011  Endeavour  So:ware  Technologies   5  
Mobile Security Considerations •  Mobility  Infrastructure   –  Security  is  a  key  focus  area.     –  Ensuring  exis6ng  policies  is  implemented   Infrastructure   –  Integra6on  with  exis6ng  tools,  systems   –  Keep  devices  light,  manageable   •  Mobile  Middleware  PlaXorm   –  Composite  Applica6ons  Landscape  and  devices   Middleware   –  Mobile  Device  Management   –  Mobile  Data  Synchroniza6on   –  Phased  approach  for  Common  Services  and   Applica3on   Mobile  Applica6ons   •  Mobile  Applica6ons  Distribu6on   –  Enterprise  distribu6on  through  OTA  to  specific   devices   ©  2011  Endeavour  So:ware  Technologies   6  
Application Security – Must Include User   Data  Security   Authen6ca6on   on  Device   Device   Management   Data  in  Transit   and   Issue   Applica6on   Provisioning   ©  2011  Endeavour  So:ware  Technologies   7  
Mobile Security Considerations •  Creden6als   •  IMEI/  2FA   Access   •  OTP,  User  –  Agent   •  Quick  Access  Code,  Token   •  Files   Storage   •  Key  Storage   •  Resources   •  Session   Transporta6on   •  Protocols   •  Connec6on  Points   ©  2011  Endeavour  So:ware  Technologies   8  
Enterprise Mobile Security – Do’s ©  2011  Endeavour  So:ware  Technologies   9  
Enterprise Mobile Security – Best Practices 1.  Protect  the  Brand  Your  Customers  Trust   2.  Know  Your  Business  and  Support  it  with  Secure   Solu6ons   3.  Understand  the  Technology  of  the  So:ware   4.  Ensure  Compliance  to  Governance,  Regula6ons,   and  Privacy   5.  Know  the  Basic  Tenets  of  So:ware  Security   6.  Ensure  the  Protec6on  of  Sensi6ve  Informa6on   7.  Design,  Develop  and  Deploy  So:ware  with  Secure   Features   ©  2011  Endeavour  So:ware  Technologies   10  
Android Security Architecture Permission   Based  Model   Remote  App   Sandbox   Management   ©  2011  Endeavour  So:ware  Technologies   11  
Android Security – Permission based model •  Permission-­‐based  Model   –  Linux  +  Android’s  Permission   –  Well  defined  at  system  level   –  Approved  by  user  at  install   –  High-­‐level  permissions  restricted  by  Android   run6me  framework   –  For  example,  an  applica6on  that  needs  to  monitor   incoming  SMS  messages  would  specify   <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.android.app.myapp" > <uses-permission android:name="android.permission.RECEIVE_SMS" /> ... </manifest> ©  2011  Endeavour  So:ware  Technologies   12  
Android Security – Remote App Management •  Remote  Install/removal   –  Google  can  remove  or  install  apps  remotely   –  Users  can  install  apps  remotely  from  online   Android  Market   h@p://market.android.com   ©  2011  Endeavour  So:ware  Technologies   13  
Android Security - Sandbox ©  2011  Endeavour  So:ware  Technologies   14  
Android’s Attack Surfaces •  Isolated  applica6ons  is  like  having  mul6-­‐user  system   •  Single  UI/  Device    Secure  sharing  of  UI  and  IO   •  Principal  maps  to  code,  not  user  (like  browsers)   •  Appeals  to  user  for  all  security  decisions   •  Phishing  style  a@ach  risks   •  Linux,  not  Java,  Sandbox.  Na6ve  code  not  a  barrier   •  Any  java  App  can  execute  shell,  load  JNI  libraries,   write  and  exec  programs   Reference  –  iSEC  PARTNERS   ©  2011  Endeavour  So:ware  Technologies   15  
Enterprise features (Froyo/ GingerBread) •  Remote  wipe   –  Remotely  reset  the  device  to  factory  defaults   •  Improved  security     –  Addi6on  of  numeric  pin,  alphanumeric  passwords   to  unlock  the  device   •  Exchange  calendars   •  Auto-­‐discovery   •  Global  Address  List   •  C2DM*  –  Cloud  to  device  messaging   *S6ll  it  is  part  of  Google  Code  Labs   ©  2011  Endeavour  So:ware  Technologies   16  
Enterprise features (Honeycomb) •  New  device  administra6on  policies   –  Encrypted  storage   –  Password  expira6on   –  Password  history   –  Complex  characters  in  password   •  Configure  HTTP  proxy  for  each  connected  WiFi   access  point  (AOS  3.1  only)   •  Encrypted  storage  cards   ©  2011  Endeavour  So:ware  Technologies   17  
Thanks! •  You!   –  For  pa6ently  listening  to  us!   •  Silicon  India  team   •  Endeavour’s  Android  TCG  team   •  Happy  to  receive  feedback  and  ques6ons  at   tcg@techendeavour.com     18  

Recommandé

Android sandbox
Android sandboxAndroid sandbox
Android sandbox
Anusha Chavan
 
Android secure offline storage - CC Mobile
Android secure offline storage - CC MobileAndroid secure offline storage - CC Mobile
Android secure offline storage - CC Mobile
Steve De Zitter
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
Marakana Inc.
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android Security
National Cheng Kung University
 
Permission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionPermission in Android Security: Threats and solution
Permission in Android Security: Threats and solution
Tandhy Simanjuntak
 
Android Security
Android SecurityAndroid Security
Android Security
Arqum Ahmad
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and Security
Kelwin Yang
 
Смирнов Александр, Security in Android Application
Смирнов Александр, Security in Android ApplicationСмирнов Александр, Security in Android Application
Смирнов Александр, Security in Android Application
SECON
 

Recommandé

Android sandbox
Android sandboxAndroid sandbox
Android sandbox
Anusha Chavan
 
Android secure offline storage - CC Mobile
Android secure offline storage - CC MobileAndroid secure offline storage - CC Mobile
Android secure offline storage - CC Mobile
Steve De Zitter
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
Marakana Inc.
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android Security
National Cheng Kung University
 
Permission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionPermission in Android Security: Threats and solution
Permission in Android Security: Threats and solution
Tandhy Simanjuntak
 
Android Security
Android SecurityAndroid Security
Android Security
Arqum Ahmad
 
Introduction to Android Development and Security
Introduction to Android Development and SecurityIntroduction to Android Development and Security
Introduction to Android Development and Security
Kelwin Yang
 
Смирнов Александр, Security in Android Application
Смирнов Александр, Security in Android ApplicationСмирнов Александр, Security in Android Application
Смирнов Александр, Security in Android Application
SECON
 
Android Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsAndroid Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android Applications
BlrDroid
 
Android security
Android securityAndroid security
Android security
Midhun P Gopi
 
Android Security
Android SecurityAndroid Security
Android Security
Suminda Gunawardhana
 
Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applications
h4oxer
 
Android security
Android securityAndroid security
Android security
Mobile Rtpl
 
Android security in depth
Android security in depthAndroid security in depth
Android security in depth
Sander Alberink
 
Android Security Development
Android Security DevelopmentAndroid Security Development
Android Security Development
hackstuff
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on android
Ravishankar Kumar
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security Threats
Sperasoft
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security model
Pragati Rai
 
Android system security
Android system securityAndroid system security
Android system security
Chong-Kuan Chen
 
Understanding Android Security
Understanding Android SecurityUnderstanding Android Security
Understanding Android Security
Asanka Dilruk
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
Subho Halder
 
Android Security
Android SecurityAndroid Security
Android Security
Mehrnaz Amoon
 
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthinkspa
 
Reading Group Presentation: Why Eve and Mallory Love Android
Reading Group Presentation: Why Eve and Mallory Love AndroidReading Group Presentation: Why Eve and Mallory Love Android
Reading Group Presentation: Why Eve and Mallory Love Android
Michael Rushanan
 
Security testing in mobile applications
Security testing in mobile applicationsSecurity testing in mobile applications
Security testing in mobile applications
Jose Manuel Ortega Candel
 
Stealing sensitive data from android phones the hacker way
Stealing sensitive data from android phones the hacker wayStealing sensitive data from android phones the hacker way
Stealing sensitive data from android phones the hacker way
n|u - The Open Security Community
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
Stephan Chenette
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
Stephan Chenette
 
Oscon keynote: Working hard to keep it simple
Oscon keynote: Working hard to keep it simpleOscon keynote: Working hard to keep it simple
Oscon keynote: Working hard to keep it simple
Martin Odersky
 
Webinar on Enterprise Security & android
Webinar on Enterprise Security & androidWebinar on Enterprise Security & android
Webinar on Enterprise Security & android
Endeavour Software Technologies
 

Contenu connexe

Tendances

Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on android
Ravishankar Kumar
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
Stephan Chenette
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
Stephan Chenette
 

Tendances (20)

Android Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsAndroid Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android Applications
 
Android security
Android securityAndroid security
Android security
 
Android Security
Android SecurityAndroid Security
Android Security
 
Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applications
 
Android security
Android securityAndroid security
Android security
 
Android security in depth
Android security in depthAndroid security in depth
Android security in depth
 
Android Security Development
Android Security DevelopmentAndroid Security Development
Android Security Development
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on android
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security Threats
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security model
 
Android system security
Android system securityAndroid system security
Android system security
 
Understanding Android Security
Understanding Android SecurityUnderstanding Android Security
Understanding Android Security
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
 
Android Security
Android SecurityAndroid Security
Android Security
 
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
 
Reading Group Presentation: Why Eve and Mallory Love Android
Reading Group Presentation: Why Eve and Mallory Love AndroidReading Group Presentation: Why Eve and Mallory Love Android
Reading Group Presentation: Why Eve and Mallory Love Android
 
Security testing in mobile applications
Security testing in mobile applicationsSecurity testing in mobile applications
Security testing in mobile applications
 
Stealing sensitive data from android phones the hacker way
Stealing sensitive data from android phones the hacker wayStealing sensitive data from android phones the hacker way
Stealing sensitive data from android phones the hacker way
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
 

En vedette

Clean architecture: Android
Clean architecture: AndroidClean architecture: Android
Clean architecture: Android
intive
 
[DSC 2016] 系列活動:李宏毅 / 一天搞懂深度學習
[DSC 2016] 系列活動:李宏毅 / 一天搞懂深度學習[DSC 2016] 系列活動:李宏毅 / 一天搞懂深度學習
[DSC 2016] 系列活動:李宏毅 / 一天搞懂深度學習
台灣資料科學年會
 

En vedette (12)

Oscon keynote: Working hard to keep it simple
Oscon keynote: Working hard to keep it simpleOscon keynote: Working hard to keep it simple
Oscon keynote: Working hard to keep it simple
 
Webinar on Enterprise Security & android
Webinar on Enterprise Security & androidWebinar on Enterprise Security & android
Webinar on Enterprise Security & android
 
Securing Android
Securing AndroidSecuring Android
Securing Android
 
Android secure offline storage - CC Mobile
Android secure offline storage - CC MobileAndroid secure offline storage - CC Mobile
Android secure offline storage - CC Mobile
 
Clean architecture on Android
Clean architecture on AndroidClean architecture on Android
Clean architecture on Android
 
Clean architecture: Android
Clean architecture: AndroidClean architecture: Android
Clean architecture: Android
 
Testing Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionTesting Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam edition
 
Android Security
Android SecurityAndroid Security
Android Security
 
Scheduling in Android
Scheduling in AndroidScheduling in Android
Scheduling in Android
 
Embedded Android Workshop with Nougat
Embedded Android Workshop with NougatEmbedded Android Workshop with Nougat
Embedded Android Workshop with Nougat
 
[DSC 2016] 系列活動:李宏毅 / 一天搞懂深度學習
[DSC 2016] 系列活動:李宏毅 / 一天搞懂深度學習[DSC 2016] 系列活動:李宏毅 / 一天搞懂深度學習
[DSC 2016] 系列活動:李宏毅 / 一天搞懂深度學習
 
Android ppt
Android ppt Android ppt
Android ppt
 

Similaire à Android Camp 2011 @ Silicon India

IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...
IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...
IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...
IBM Security
 
Zenprise ctia 10-11-2011_v02
Zenprise ctia 10-11-2011_v02Zenprise ctia 10-11-2011_v02
Zenprise ctia 10-11-2011_v02
Shafaq Abdullah
 
Embracing secure, scalable BYOD with Sencha and Centrify
Embracing secure, scalable BYOD with Sencha and CentrifyEmbracing secure, scalable BYOD with Sencha and Centrify
Embracing secure, scalable BYOD with Sencha and Centrify
Sumana Mehta
 
Future of testing – impact of mobile devices somenath nag- calsoft labs
Future of testing – impact of mobile devices somenath nag- calsoft labsFuture of testing – impact of mobile devices somenath nag- calsoft labs
Future of testing – impact of mobile devices somenath nag- calsoft labs
Somenath Nag
 
Mobile – Adoption and Adaption in 2012
Mobile – Adoption and Adaption in 2012Mobile – Adoption and Adaption in 2012
Mobile – Adoption and Adaption in 2012
Global Business Events - the Heart of your Network.
 
Oracle - Soluções do device ao Datacenter
Oracle - Soluções do device ao DatacenterOracle - Soluções do device ao Datacenter
Oracle - Soluções do device ao Datacenter
GeneXus
 

Similaire à Android Camp 2011 @ Silicon India (20)

Udløs potentialet i Enterprise Mobility, Vijay Dheap, IBM US
Udløs potentialet i Enterprise Mobility, Vijay Dheap, IBM USUdløs potentialet i Enterprise Mobility, Vijay Dheap, IBM US
Udløs potentialet i Enterprise Mobility, Vijay Dheap, IBM US
 
Ascure session
Ascure sessionAscure session
Ascure session
 
Mobile Security - Dutch Mobile .Net Developers
Mobile Security - Dutch Mobile .Net DevelopersMobile Security - Dutch Mobile .Net Developers
Mobile Security - Dutch Mobile .Net Developers
 
IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...
IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...
IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile Applications
 
Mobile Security
Mobile Security Mobile Security
Mobile Security
 
Develop and Enforce a Bring-Your-Own-Device (BYOD) Policy
Develop and Enforce a Bring-Your-Own-Device (BYOD) PolicyDevelop and Enforce a Bring-Your-Own-Device (BYOD) Policy
Develop and Enforce a Bring-Your-Own-Device (BYOD) Policy
 
Zenprise ctia 10-11-2011_v02
Zenprise ctia 10-11-2011_v02Zenprise ctia 10-11-2011_v02
Zenprise ctia 10-11-2011_v02
 
Zenprise ctia 10-11-2011_v02
Zenprise ctia 10-11-2011_v02Zenprise ctia 10-11-2011_v02
Zenprise ctia 10-11-2011_v02
 
Symantec Advances Enterprise Mobility Strategy
Symantec Advances Enterprise Mobility StrategySymantec Advances Enterprise Mobility Strategy
Symantec Advances Enterprise Mobility Strategy
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
VMware Workspace One
VMware Workspace OneVMware Workspace One
VMware Workspace One
 
Con8896 securely enabling mobile access for business transformation - final
Con8896 securely enabling mobile access for business transformation - finalCon8896 securely enabling mobile access for business transformation - final
Con8896 securely enabling mobile access for business transformation - final
 
Embracing secure, scalable BYOD with Sencha and Centrify
Embracing secure, scalable BYOD with Sencha and CentrifyEmbracing secure, scalable BYOD with Sencha and Centrify
Embracing secure, scalable BYOD with Sencha and Centrify
 
Future of testing – impact of mobile devices somenath nag- calsoft labs
Future of testing – impact of mobile devices somenath nag- calsoft labsFuture of testing – impact of mobile devices somenath nag- calsoft labs
Future of testing – impact of mobile devices somenath nag- calsoft labs
 
Mobile Security for the Enterprise
Mobile Security for the EnterpriseMobile Security for the Enterprise
Mobile Security for the Enterprise
 
Mobile – Adoption and Adaption in 2012
Mobile – Adoption and Adaption in 2012Mobile – Adoption and Adaption in 2012
Mobile – Adoption and Adaption in 2012
 
Symantec Enterprise Mobility Enhancements
Symantec Enterprise Mobility EnhancementsSymantec Enterprise Mobility Enhancements
Symantec Enterprise Mobility Enhancements
 
Enterprise Mobile Security
Enterprise Mobile SecurityEnterprise Mobile Security
Enterprise Mobile Security
 
Oracle - Soluções do device ao Datacenter
Oracle - Soluções do device ao DatacenterOracle - Soluções do device ao Datacenter
Oracle - Soluções do device ao Datacenter
 

Android Camp 2011 @ Silicon India

  • 1. Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies
  • 2. Session Contents •  Overview  of  Mobility  and  Mobile  Security   –  Introduc6on  to  Mobility   –  Mobile  Security   •  Best  Prac6ces  for  Secure  So:ware  Development   •  Android  OS     –  Security  Architecture  and  deployment   –  Android  A@ack  Surfaces   –  Enterprise  features,  What  can  we  leverage?   •  Ques6ons?   ©  2011  Endeavour  So:ware  Technologies   2  
  • 3. Mobility •  A  Capability   Enterprise  Mobility   •  Communicate  and  Access     •  On  the  Move   The  ability  of  an  enterprise  to  connect  to  people   and  control  assets  from  any  loca6on.   •  Any6me     •  From  Anywhere   Technologies  that  support  enterprise  mobility   •  Voice,  Messages,  Data   include  wireless  networks,  mobile  applica9ons,   middleware,  devices,  and  security  and   management  so;ware.     Forrester  Research  Defini9on   ©  2011  Endeavour  So:ware  Technologies   3  
  • 4. What is happening in the Corporate World? ©  2011  Endeavour  So:ware  Technologies   4  
  • 5. Mobile Security – Everywhere! Applica6on   Device   Level   Level   Network  Level   ©  2011  Endeavour  So:ware  Technologies   5  
  • 6. Mobile Security Considerations •  Mobility  Infrastructure   –  Security  is  a  key  focus  area.     –  Ensuring  exis6ng  policies  is  implemented   Infrastructure   –  Integra6on  with  exis6ng  tools,  systems   –  Keep  devices  light,  manageable   •  Mobile  Middleware  PlaXorm   –  Composite  Applica6ons  Landscape  and  devices   Middleware   –  Mobile  Device  Management   –  Mobile  Data  Synchroniza6on   –  Phased  approach  for  Common  Services  and   Applica3on   Mobile  Applica6ons   •  Mobile  Applica6ons  Distribu6on   –  Enterprise  distribu6on  through  OTA  to  specific   devices   ©  2011  Endeavour  So:ware  Technologies   6  
  • 7. Application Security – Must Include User   Data  Security   Authen6ca6on   on  Device   Device   Management   Data  in  Transit   and   Issue   Applica6on   Provisioning   ©  2011  Endeavour  So:ware  Technologies   7  
  • 8. Mobile Security Considerations •  Creden6als   •  IMEI/  2FA   Access   •  OTP,  User  –  Agent   •  Quick  Access  Code,  Token   •  Files   Storage   •  Key  Storage   •  Resources   •  Session   Transporta6on   •  Protocols   •  Connec6on  Points   ©  2011  Endeavour  So:ware  Technologies   8  
  • 9. Enterprise Mobile Security – Do’s ©  2011  Endeavour  So:ware  Technologies   9  
  • 10. Enterprise Mobile Security – Best Practices 1.  Protect  the  Brand  Your  Customers  Trust   2.  Know  Your  Business  and  Support  it  with  Secure   Solu6ons   3.  Understand  the  Technology  of  the  So:ware   4.  Ensure  Compliance  to  Governance,  Regula6ons,   and  Privacy   5.  Know  the  Basic  Tenets  of  So:ware  Security   6.  Ensure  the  Protec6on  of  Sensi6ve  Informa6on   7.  Design,  Develop  and  Deploy  So:ware  with  Secure   Features   ©  2011  Endeavour  So:ware  Technologies   10  
  • 11. Android Security Architecture Permission   Based  Model   Remote  App   Sandbox   Management   ©  2011  Endeavour  So:ware  Technologies   11  
  • 12. Android Security – Permission based model •  Permission-­‐based  Model   –  Linux  +  Android’s  Permission   –  Well  defined  at  system  level   –  Approved  by  user  at  install   –  High-­‐level  permissions  restricted  by  Android   run6me  framework   –  For  example,  an  applica6on  that  needs  to  monitor   incoming  SMS  messages  would  specify   <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.android.app.myapp" > <uses-permission android:name="android.permission.RECEIVE_SMS" /> ... </manifest> ©  2011  Endeavour  So:ware  Technologies   12  
  • 13. Android Security – Remote App Management •  Remote  Install/removal   –  Google  can  remove  or  install  apps  remotely   –  Users  can  install  apps  remotely  from  online   Android  Market   h@p://market.android.com   ©  2011  Endeavour  So:ware  Technologies   13  
  • 14. Android Security - Sandbox ©  2011  Endeavour  So:ware  Technologies   14  
  • 15. Android’s Attack Surfaces •  Isolated  applica6ons  is  like  having  mul6-­‐user  system   •  Single  UI/  Device    Secure  sharing  of  UI  and  IO   •  Principal  maps  to  code,  not  user  (like  browsers)   •  Appeals  to  user  for  all  security  decisions   •  Phishing  style  a@ach  risks   •  Linux,  not  Java,  Sandbox.  Na6ve  code  not  a  barrier   •  Any  java  App  can  execute  shell,  load  JNI  libraries,   write  and  exec  programs   Reference  –  iSEC  PARTNERS   ©  2011  Endeavour  So:ware  Technologies   15  
  • 16. Enterprise features (Froyo/ GingerBread) •  Remote  wipe   –  Remotely  reset  the  device  to  factory  defaults   •  Improved  security     –  Addi6on  of  numeric  pin,  alphanumeric  passwords   to  unlock  the  device   •  Exchange  calendars   •  Auto-­‐discovery   •  Global  Address  List   •  C2DM*  –  Cloud  to  device  messaging   *S6ll  it  is  part  of  Google  Code  Labs   ©  2011  Endeavour  So:ware  Technologies   16  
  • 17. Enterprise features (Honeycomb) •  New  device  administra6on  policies   –  Encrypted  storage   –  Password  expira6on   –  Password  history   –  Complex  characters  in  password   •  Configure  HTTP  proxy  for  each  connected  WiFi   access  point  (AOS  3.1  only)   •  Encrypted  storage  cards   ©  2011  Endeavour  So:ware  Technologies   17  
  • 18. Thanks! •  You!   –  For  pa6ently  listening  to  us!   •  Silicon  India  team   •  Endeavour’s  Android  TCG  team   •  Happy  to  receive  feedback  and  ques6ons  at   tcg@techendeavour.com     18