© 2013 Happiest Minds Technologies Pvt. Ltd. All Rights Reserved
March 2014, HAPPIEST MINDS TECHNOLOGIES
Elevation of Mobile Security Risks in the
Enterprise Threat Landscape
Author
Khaleel Syed
Copyright Information
This document is an exclusive property of Happiest Minds Technologies Pvt. Ltd. It is intended for limited
circulation.
Elevation of Mobile Security Risks in the Enterprise Threat Landscape
Enterprises are rapidly adopting innovative mobile applications to transform their business capabilities, because a mobile presence is critical for businesses to attract, retain and communicate with customers; mobile devices have become an integral part of both work and personal life.
Newer mobile computing technologies are increasingly embraced by consumers across the globe, and this exponential growth of mobile devices and business applications has attracted a large number of well-organized cyber criminals and independent hackers who seek monetary gain and operate with a highly competent modus operandi.
Business Drivers
The prevalence of mobile devices and applications in today's market has been fully recognized by many corporates and is being leveraged to boost the sales and marketing initiatives of new businesses through innovative enterprise mobile apps with enhanced functionality.
A transformational customer experience, with access to exclusive content and a wide range of personalized services available anytime and anywhere, is powered by customer-facing mobile apps.
Organizations are rapidly adopting enterprise-class internal mobile apps for several business functions to drive greater efficiencies.
[Figure: A perspective of Happiest Minds on the proliferation of mobile devices & applications]
All customer-facing or enterprise-internal apps are developed as native apps, mobile web apps or hybrid apps:
Mobile Native Apps are platform-specific installable apps that can be downloaded from an internal app bank for corporate use and from online mobile app stores for personal use. Native apps take full advantage of mobile device features such as contacts and location details, and are designed to work in both online and offline modes.
Mobile Web Apps are platform-independent, non-installable apps that are the same as web applications: they are accessed through a browser, are typically written in HTML5, and are designed to work in both online and offline modes.
Hybrid Apps are a combination of native and mobile web apps, with the browser embedded within the native app.
[Figure: An indicative list of categories of professional-grade apps]
The continuous advancements in mobile technologies have disrupted every industry across all regions in the past five years and continue to break their own records year after year.
The categories of professional-grade mobile applications have greatly expanded, with real-time updates to consumers; the categories are led by Messaging & Social, followed by Securities & Utilities, Work & Organizing, Productivity, Education, Finance, Entertainment & Media, Lifestyle & Shopping, Games & Sports, Health & Fitness and News & Magazines.
Mobile Threats
The mobile security threat landscape is a growing concern as financial transactions through M-Commerce and M-Banking applications on mobile devices become more common. Broadly, these mobile security threats can be categorized as native app-based threats, mobile web-based threats and mobile device-based threats.
Mobile device-based threats
Rogue applications downloaded from untrusted sources, and the installation of unapproved applications, expose mobile devices to all kinds of cyber-attacks. The inability to detect and prevent the use of jail-broken or rooted devices in corporate environments widens the threat landscape, particularly when enterprises deploy the security infrastructure that controls mobile device connections within the corporate intranet rather than in a de-militarized zone or secured perimeter network. Alongside this, improper policy enforcement by mobile security products can lead to unexpected security vulnerabilities in the production environment.
[Figure: Mobile security threat categories]
Native application-based threats
Installable native applications can be downloaded from several trusted or untrusted sources, and the threats can be broadly categorized as (1) vulnerable mobile applications that have code flaws, or applications tampered with for fraudulent purposes; (2) malicious software (malware) that performs undesirable actions or provides a backdoor to the attacker; and (3) data privacy threats, where a legitimate application or spyware gathers the user's sensitive information to perform identity theft or financial fraud.
Mobile web-based threats
Not all corporates create native applications, given the associated security risks; many prefer to deliver online services through web-based applications, where web-based threats such as browser exploits, drive-by downloads, cookie stealing, phishing scams and many more apply equally to mobile devices.
Security Controls
As mobile devices and enterprise-grade applications continue to pervade the workplace, the corporate information security and privacy office is continuously exploring and researching new mobile security solutions to safely deliver and manage the applications and services that employees need to conduct business.
Enterprise mobile security risks have shifted from device-level issues to the mobile apps and the business data that is processed, exchanged and stored on the mobile device. Hence, protecting mobile devices, applications and corporate data in this threat landscape requires a multi-layered security approach.
Corporates dealing with mobile-based financial transactions must define a customized security policy for mobile users that addresses all applicable regulations and legislative requirements for payment security and data privacy.
Device vendors and security software vendors offer a wide range of IT controls for securing mobile devices and applications. The basic security settings provided by the iOS, Android and Windows Phone operating systems control device access, block untrusted sources for app downloads, check apps for harmful behaviour prior to installation, and encrypt the phone.
[Figure: Security measures for mobile devices & applications]
The advanced security solutions delivered by product vendors offer more sophisticated capabilities, such as detection of recently discovered malicious apps, a native app lock to control access to other installed apps, safe browsing to warn about or block malicious and phishing websites, and anti-theft features to remotely locate, lock down and wipe a stolen device.
In addition, on-demand antivirus scans of all installed apps and memory card content, together with on-access scans of apps upon first execution, help corporates protect against viruses, malware, adware and spyware. Privacy scans that assess the access rights and intents of installed apps enable the organization to identify and manage potential privacy risks. Furthermore, some premium solutions can track the device and perform specified actions when it leaves a set perimeter.
Small and medium-sized enterprises are aggressively adopting standalone mobile security software, whereas large corporates prefer to deploy a centralized policy enforcement and management model that includes Mobile Device Management (MDM) and Mobile Application Management (MAM).
Mobile security experts at Happiest Minds Technologies have enabled several corporates across various industry segments to identify and deploy the most suitable centralized solution for Mobile Security Management, which helps corporates to:
• standardize the mobile user and device authentication mechanism and integrate it with the Active Directory (AD) infrastructure;
• manage secured remote access into the corporate network for mobile users;
• control or restrict connectivity to removable media devices and untrusted wireless networks;
• containerize the mobile device to segregate the user's workspace from personal space, protecting business applications and data from a wide spread of threats.
Security Assurance
Before permitting the use of smartphones and multi-purpose or mission-critical applications in corporate environments, a detailed technical assessment of the security controls enables stakeholders to identify, assess and diligently manage mobile security risks.
Mobile security assessments for device security and application security testing are broadly categorized as:
• Native mobile application penetration testing
• Mobile website penetration testing
• Hybrid application & website penetration testing
• Native application secure code review
• Mobile device security & configuration review
• Secure SDLC consulting on threat modeling & coding
The Mobile Application Security Framework developed by Happiest Minds provides a range of specialized services across all of these assessment types, including security advisory and gap analysis.
[Figure: Mobile Application Security Framework]
Advisory and gap analysis covers a review of the mobile application artifacts, such as security requirements based on asset value and data protection requirements, in accordance with the applicable legislative and regulatory requirements. It recommends suitable countermeasures to mitigate security design flaws and emerging threats for securing enterprise mobile devices, with reference to OWASP, CERT, SANS and NIST security standards and guidelines.
Threat modelling for mobile applications involves understanding the application functionality and its entry points on mobile platforms, followed by defining attack vectors that cover all possible scenarios and attack surfaces, such as exposed API or RPC endpoints, malicious users, third-party components and services, mobile storage, web browsing and content handlers. Assurance services on threat modeling enable developers to identify the most credible threats with the greatest potential impact on the mobile applications, as indicated by industry standards and frameworks.
Secure code review, or static code analysis, involves crawling the code to understand the business logic and the possible security vulnerabilities in the native mobile application code and mobile platforms. Automated tools and manual techniques are used to identify business logic flaws and code-level flaws such as insecure use of hybrid technologies, client-side data caching and storage issues, client-side reflection-based attacks, and incorrectly implemented application encoding and encryption, with reference to the OWASP Source Code Flaw Categories and the CERT, SANS and MSDN Secure Coding Standards.
Penetration testing adopts a hybrid approach of specialized automated tools and manual assessment techniques for mobile application security testing, covering various usage scenarios and all the inherent threats in accordance with industry best practices and the mobile security guidelines of the applicable laws and regulations for payment security and data privacy. The security assessment team at Happiest Minds conducts both black-box and grey-box testing to ensure comprehensive coverage of all attack vectors and scenarios.
Native application penetration testing covers dynamic analysis with debugging of running applications on simulators, emulators and compatible mobile platforms, to perform permission analysis, control-flow analysis, data-flow analysis, and checks on security configuration, input validation, server-side controls, session management, client-side injection, authentication and authorization, side-channel data leakage, broken cryptography, sensitive information disclosure, data protection, insufficient transport layer protection and exception handling.
Mobile web application penetration testing covers all the security vulnerabilities applicable to web applications, including web servers with unsafe configuration and software bugs, client-side vulnerabilities, insecure cookie handling, improper session handling, authentication bypass, circumvention of application logic, input validation, function-level access control, use of vulnerable components, insecure direct object references, shared hosting vulnerabilities, improper cryptography implementation and form manipulation.
Mobile device configuration review covers the adequacy of device security and application security policy enforcement, including the use of unapproved applications, access control configuration, cryptography implementation, restrictions on removable media or wireless connections, mobile device containerization and the relevant security settings for device hardening.
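As an added example (not code from the whitepaper or from Happiest Minds), the following Python script evaluates constructed device posture records against a corporate baseline covering the review items listed above: rooted or jail-broken state, unapproved apps, passcode and lock settings, storage encryption, work-container enrolment, removable media and untrusted wireless networks. The record format, policy values and the two sample devices are assumptions constructed for illustration.

```python
"""Mobile device configuration review against a corporate baseline policy.

Added example for this whitepaper; the posture record layout, the POLICY
values and SAMPLE_FLEET are constructed for illustration, not a real MDM export.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Constructed baseline: what a compliant managed device must look like.
POLICY = {
    "approved_apps": {"com.corp.mail", "com.corp.vpn", "com.corp.container"},
    "min_os": {"ios": (12, 0), "android": (9, 0)},
    "max_lock_timeout_s": 300,      # auto-lock must trigger within 5 minutes
    "min_passcode_len": 6,
    "require_encryption": True,     # storage encryption is mandatory
    "require_container": True,      # work data must live in the managed container
    "allow_removable_media": False,
    "trusted_ssids": {"CORP-WIFI"},
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'12.4.1' -> (12, 4, 1); parsing stops at the first non-numeric part."""
    parts: List[int] = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts) or (0,)


@dataclass
class Device:
    """One posture record as an MDM agent might report it (constructed shape)."""
    device_id: str
    platform: str                  # "ios" or "android"
    os_version: str
    rooted: bool                   # jail-broken (iOS) or rooted (Android)
    encrypted: bool
    passcode_len: int              # 0 means no passcode configured
    lock_timeout_s: int
    container_enrolled: bool
    removable_media_enabled: bool
    installed_apps: Set[str] = field(default_factory=set)
    known_ssids: Set[str] = field(default_factory=set)


def review_device(dev: Device, policy: dict = POLICY) -> Dict[str, object]:
    """Return findings and a disposition for one device."""
    findings: List[str] = []
    if dev.rooted:
        findings.append("ROOTED_OR_JAILBROKEN")
    min_os = policy["min_os"].get(dev.platform)
    if min_os is None:
        findings.append(f"UNSUPPORTED_PLATFORM:{dev.platform}")
    elif parse_version(dev.os_version) < min_os:
        findings.append(f"OS_OUTDATED:{dev.os_version}")
    for app in sorted(dev.installed_apps - policy["approved_apps"]):
        findings.append(f"UNAPPROVED_APP:{app}")
    if dev.passcode_len == 0:
        findings.append("NO_PASSCODE")
    elif dev.passcode_len < policy["min_passcode_len"]:
        findings.append("WEAK_PASSCODE")
    if dev.lock_timeout_s > policy["max_lock_timeout_s"]:
        findings.append("LOCK_TIMEOUT_TOO_LONG")
    if policy["require_encryption"] and not dev.encrypted:
        findings.append("STORAGE_NOT_ENCRYPTED")
    if policy["require_container"] and not dev.container_enrolled:
        findings.append("NO_WORK_CONTAINER")
    if dev.removable_media_enabled and not policy["allow_removable_media"]:
        findings.append("REMOVABLE_MEDIA_ENABLED")
    for ssid in sorted(dev.known_ssids - policy["trusted_ssids"]):
        findings.append(f"UNTRUSTED_WIFI:{ssid}")
    # A rooted or unencrypted device cannot protect corporate data at all, so it is
    # cut off from the network; lesser gaps are sent back to the user to fix.
    if "ROOTED_OR_JAILBROKEN" in findings or "STORAGE_NOT_ENCRYPTED" in findings:
        disposition = "quarantine"
    elif findings:
        disposition = "remediate"
    else:
        disposition = "compliant"
    return {"device_id": dev.device_id, "disposition": disposition, "findings": findings}


def review_fleet(devices: Iterable[Device], policy: dict = POLICY) -> Dict[str, Dict[str, object]]:
    """Review every device and index the results by device id."""
    return {dev.device_id: review_device(dev, policy) for dev in devices}


# Constructed sample fleet: one compliant iPhone, one badly configured Android.
SAMPLE_FLEET = [
    Device("ios-001", "ios", "12.4.1", rooted=False, encrypted=True, passcode_len=6,
           lock_timeout_s=120, container_enrolled=True, removable_media_enabled=False,
           installed_apps={"com.corp.mail", "com.corp.vpn", "com.corp.container"},
           known_ssids={"CORP-WIFI"}),
    Device("and-002", "android", "8.1.0", rooted=True, encrypted=False, passcode_len=4,
           lock_timeout_s=900, container_enrolled=False, removable_media_enabled=True,
           installed_apps={"com.corp.mail", "com.example.sideloaded"},
           known_ssids={"CORP-WIFI", "CoffeeShop-Free"}),
]

if __name__ == "__main__":
    for dev_id, result in review_fleet(SAMPLE_FLEET).items():
        print(dev_id, result["disposition"], "; ".join(result["findings"]) or "-")
```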
Security compliance testing primarily focuses on payment acceptance mobile applications that must meet the security guidelines mandated by the PCI Data Security Standard (PCI DSS), the Data Privacy Act (DPA) and other applicable regulatory and legislative requirements. These security requirements are intended to prevent cardholder account data from being intercepted when entered into a mobile device, from compromise while processed or stored within the mobile device, and from interception upon transmission out of the mobile device.
Conclusion
Mobile security experts at Happiest Minds will help assuage enterprise mobility concerns by arming you with knowledge of mobile device security threats, of how to implement protection measures, and of how to leverage mobile devices and applications that protect account data on the device in order to boost sales. Mobile computing technology will be ruggedized to be unaffected by regimented threats from different sources.

More Related Content

Viewers also liked

Proyecto d tecnologia 15454
Proyecto d tecnologia   15454Proyecto d tecnologia   15454
Proyecto d tecnologia 15454IE Simona Duque
 
2.5D Clip-Surfaces for Technical Visualization
2.5D Clip-Surfaces for Technical Visualization2.5D Clip-Surfaces for Technical Visualization
2.5D Clip-Surfaces for Technical VisualizationMatthias Trapp
 
AMA Nebraska - SurveyMonkey (08-14)
AMA Nebraska  - SurveyMonkey (08-14)AMA Nebraska  - SurveyMonkey (08-14)
AMA Nebraska - SurveyMonkey (08-14)Brent Chudoba
 
Chapter 5 - Floods (Part 2)
Chapter 5 - Floods (Part 2)Chapter 5 - Floods (Part 2)
Chapter 5 - Floods (Part 2)GeographyByTian
 
Cement Brick & Concrete Block Making
Cement Brick & Concrete Block MakingCement Brick & Concrete Block Making
Cement Brick & Concrete Block MakingMethod Machine Works
 

Viewers also liked (7)

Proyecto d tecnologia 15454
Proyecto d tecnologia   15454Proyecto d tecnologia   15454
Proyecto d tecnologia 15454
 
2.5D Clip-Surfaces for Technical Visualization
2.5D Clip-Surfaces for Technical Visualization2.5D Clip-Surfaces for Technical Visualization
2.5D Clip-Surfaces for Technical Visualization
 
Cisco - IoT Buyer
Cisco - IoT BuyerCisco - IoT Buyer
Cisco - IoT Buyer
 
AMA Nebraska - SurveyMonkey (08-14)
AMA Nebraska  - SurveyMonkey (08-14)AMA Nebraska  - SurveyMonkey (08-14)
AMA Nebraska - SurveyMonkey (08-14)
 
Chapter 5 - Floods (Part 2)
Chapter 5 - Floods (Part 2)Chapter 5 - Floods (Part 2)
Chapter 5 - Floods (Part 2)
 
Cement Brick & Concrete Block Making
Cement Brick & Concrete Block MakingCement Brick & Concrete Block Making
Cement Brick & Concrete Block Making
 
WFG Qualified Plan Services Brochure
WFG Qualified Plan Services BrochureWFG Qualified Plan Services Brochure
WFG Qualified Plan Services Brochure
 

More from Happiest Minds Technologies

Largest Electricity provider in the US- Case Study
Largest Electricity provider in the US- Case StudyLargest Electricity provider in the US- Case Study
Largest Electricity provider in the US- Case StudyHappiest Minds Technologies
 
Exploring the Potential of ChatGPT in Banking, Financial SERVICES & Insurance
Exploring the Potential of ChatGPT in Banking, Financial SERVICES & InsuranceExploring the Potential of ChatGPT in Banking, Financial SERVICES & Insurance
Exploring the Potential of ChatGPT in Banking, Financial SERVICES & InsuranceHappiest Minds Technologies
 
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0Happiest Minds Technologies
 
Automating SOC1/2 Compliance- For a leading Software solution company in UK
Automating SOC1/2 Compliance- For a leading Software solution company in UKAutomating SOC1/2 Compliance- For a leading Software solution company in UK
Automating SOC1/2 Compliance- For a leading Software solution company in UKHappiest Minds Technologies
 
GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...
GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...
GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...Happiest Minds Technologies
 
Complete Guide to General Data Protection Regulation (GDPR)
Complete Guide to General Data Protection Regulation (GDPR)Complete Guide to General Data Protection Regulation (GDPR)
Complete Guide to General Data Protection Regulation (GDPR)Happiest Minds Technologies
 
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)Happiest Minds Technologies
 
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDITREDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDITHappiest Minds Technologies
 
REDUCING TRANSPORTATION COSTS IN CPG THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN CPG THROUGH INTELLIGENT FREIGHT AUDITREDUCING TRANSPORTATION COSTS IN CPG THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN CPG THROUGH INTELLIGENT FREIGHT AUDITHappiest Minds Technologies
 
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDITREDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDITHappiest Minds Technologies
 

More from Happiest Minds Technologies (20)

Largest Electricity provider in the US- Case Study
Largest Electricity provider in the US- Case StudyLargest Electricity provider in the US- Case Study
Largest Electricity provider in the US- Case Study
 
BFSI GLOBAL TRENDS FY 24
BFSI GLOBAL TRENDS FY 24BFSI GLOBAL TRENDS FY 24
BFSI GLOBAL TRENDS FY 24
 
ARTIFICIAL INTELLIGENCE IN DIGITAL BANKING
ARTIFICIAL INTELLIGENCE IN DIGITAL BANKINGARTIFICIAL INTELLIGENCE IN DIGITAL BANKING
ARTIFICIAL INTELLIGENCE IN DIGITAL BANKING
 
DIGITAL MANUFACTURING
DIGITAL MANUFACTURINGDIGITAL MANUFACTURING
DIGITAL MANUFACTURING
 
Exploring the Potential of ChatGPT in Banking, Financial SERVICES & Insurance
Exploring the Potential of ChatGPT in Banking, Financial SERVICES & InsuranceExploring the Potential of ChatGPT in Banking, Financial SERVICES & Insurance
Exploring the Potential of ChatGPT in Banking, Financial SERVICES & Insurance
 
AN OVERVIEW OF THE METAVERSE
AN OVERVIEW OF THE METAVERSEAN OVERVIEW OF THE METAVERSE
AN OVERVIEW OF THE METAVERSE
 
VMware to AWS Cloud Migration
VMware to AWS Cloud MigrationVMware to AWS Cloud Migration
VMware to AWS Cloud Migration
 
Digital-Content-Monetization-DCM-Platform-2.pdf
Digital-Content-Monetization-DCM-Platform-2.pdfDigital-Content-Monetization-DCM-Platform-2.pdf
Digital-Content-Monetization-DCM-Platform-2.pdf
 
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
 
Cloud Reshaping Banking
Cloud Reshaping BankingCloud Reshaping Banking
Cloud Reshaping Banking
 
Automating SOC1/2 Compliance- For a leading Software solution company in UK
Automating SOC1/2 Compliance- For a leading Software solution company in UKAutomating SOC1/2 Compliance- For a leading Software solution company in UK
Automating SOC1/2 Compliance- For a leading Software solution company in UK
 
PAMaaS- Powered by CyberArk
PAMaaS- Powered by CyberArkPAMaaS- Powered by CyberArk
PAMaaS- Powered by CyberArk
 
GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...
GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...
GUIDE TO KEEP YOUR END-USERS CONNECTED TO THE DIGITAL WORKPLACE DURING DISRUP...
 
SECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKESSECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKES
 
Complete Guide to General Data Protection Regulation (GDPR)
Complete Guide to General Data Protection Regulation (GDPR)Complete Guide to General Data Protection Regulation (GDPR)
Complete Guide to General Data Protection Regulation (GDPR)
 
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
 
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDITREDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
 
REDUCING TRANSPORTATION COSTS IN CPG THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN CPG THROUGH INTELLIGENT FREIGHT AUDITREDUCING TRANSPORTATION COSTS IN CPG THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN CPG THROUGH INTELLIGENT FREIGHT AUDIT
 
How to Approach Tool Integrations
How to Approach Tool IntegrationsHow to Approach Tool Integrations
How to Approach Tool Integrations
 
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDITREDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
REDUCING TRANSPORTATION COSTS IN RETAIL THROUGH INTELLIGENT FREIGHT AUDIT
 

Recently uploaded

Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 

Recently uploaded (20)

Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Whitepaper: Elevation of Mobile Security Risks in the Enterprise Threat Landscape - Happiest Minds

Elevation of Mobile Security Risks in the Enterprise Threat Landscape
March 2014, HAPPIEST MINDS TECHNOLOGIES
Author: Khaleel Syed
© 2013 Happiest Minds Technologies Pvt. Ltd. All Rights Reserved
Enterprises are rapidly adopting innovative mobile applications to transform their business capabilities, as a mobile presence is critical for businesses to attract, retain and communicate with customers; it has become an integral part of both work and personal life.

Newer mobile computing technologies are increasingly embraced by consumers across the globe, and this exponential growth of mobile devices and business applications has attracted a large number of well-organized cyber criminals and independent hackers, who seek monetary gain with a highly competent modus operandi.

Business Drivers

The prevalence of mobile devices and applications in today's market has been fully recognized by many corporates and is being leveraged to boost sales and marketing initiatives for new businesses through innovative enterprise mobile apps with enhanced functionality.

A transformational customer experience, with access to exclusive content and a wide range of personalized services available anytime and anywhere, has been powered by customer-facing mobile apps.

Organizations are rapidly adopting enterprise-class internal mobile apps for several business functions to drive greater efficiencies.

A perspective of Happiest Minds on the proliferation of mobile devices & applications

All customer-facing or enterprise internal apps are developed as native apps, mobile web apps or hybrid apps:

Mobile Native Apps are platform-specific installable apps that are downloaded from an internal app bank for corporate use or from online mobile app stores for personal use. Native apps take full advantage of mobile device features such as contacts and location details, and are designed to work in both online and offline modes.

Mobile Web Apps are platform-independent, non-installable apps that are the same as web applications: they are accessed through a browser, are typically written in HTML5, and are designed to work in both online and offline modes.

Hybrid Apps combine native and mobile web apps, with the browser embedded within the native app.
An indicative list of categories of professional-grade apps

Continuous advancements in mobile technologies have disrupted every industry across all regions in the past five years, and the industry continues to break its own records year after year. The categories of professional-grade mobile applications have greatly expanded, with real-time updates to consumers, led by Messaging & Social, followed by Securities & Utilities, Work & Organizing, Productivity, Education, Finance, Entertainment & Media, Lifestyle & Shopping, Games & Sports, Health & Fitness and News & Magazines.

Mobile Threats

The mobile security threat landscape is a growing concern as financial transactions move to M-Commerce and M-Banking applications on mobile devices. Broadly, mobile security threats can be categorized as native app-based threats, mobile web-based threats and mobile device-based threats.

Mobile device-based threats

Rogue applications downloaded from untrusted sources and the installation of unapproved applications expose mobile devices to all kinds of cyber-attacks. The inability to detect and prevent the use of jail-broken or rooted devices in corporate environments widens the threat landscape, particularly when enterprises deploy the security infrastructure that controls mobile device connections within the corporate intranet but not in the de-militarized zone or secured perimeter network. Alongside this, improper policy enforcement by mobile security products can lead to unexpected security vulnerabilities in the production environment.

Mobile security threat categories

Native application-based threats

Installable native applications can be downloaded from several trusted or untrusted sources. The threats can be broadly categorized as (1) vulnerable mobile applications that have code flaws, or applications tampered with for fraudulent purposes; (2) malicious software or malware that performs undesirable actions or provides a backdoor to the attacker; (3) data privacy threats, where a legitimate application or spyware gathers the user's sensitive information to perform identity theft or financial fraud.
Mobile web-based threats

Not all corporates create native applications, given the associated security risks; some prefer to deliver online services via web-based applications, where web-based threats such as browser exploits, drive-by downloads, cookie stealing, phishing scams and many more apply to mobile devices.

Security Controls

As mobile devices and enterprise-grade applications continue to pervade the workplace, the corporate information security and privacy office is exploring and continuously researching new mobile security solutions to safely deliver and manage the applications and services that employees need to conduct business. Enterprise mobile security risks have elevated from device-level issues to the mobile apps and business data that are processed, exchanged and stored on the mobile device. Hence, protecting mobile devices, applications and corporate data in a robust threat landscape requires a multi-layered security approach. Corporates dealing with mobile-based financial transactions must define a customized security policy for mobile users that addresses all applicable regulations and legislative requirements for payment security and data privacy.

Device vendors and security software vendors offer a wide range of IT controls for securing mobile devices and applications. The basic security settings provided by the iOS, Android and Windows Phone operating systems control device access, block untrusted sources for app downloads, verify that apps are not harmful prior to installation and encrypt the phone.

Security measures for mobile devices & applications

The advanced security solutions delivered by product vendors offer more sophisticated capabilities, such as detection of recently discovered malicious apps, a native app lock to control access to other installed apps, safe browsing to warn about or block malicious and phishing websites, and an anti-theft feature to remotely locate, lock down and wipe a stolen device. In addition, antivirus on-demand scans of all installed apps and memory card content, as well as on-access scans of apps upon first execution, help corporates protect against viruses, malware, adware and spyware. Privacy scans that assess the access rights and intents of installed apps enable the organization to identify and manage potential privacy risks. Furthermore, some premium solutions can track the device and perform specified actions when it leaves a set perimeter.
Small and medium-sized enterprises are aggressively adopting independent mobile security software, but large corporates prefer to deploy a centralized policy enforcement and management model that includes Mobile Device Management (MDM) and Mobile Application Management (MAM). Mobile security experts at Happiest Minds Technologies have enabled several corporates across various industry segments to identify and deploy the most suitable centralized Mobile Security Management solution, which helps corporates standardize the mobile user and device authentication mechanism, integrate the Active Directory (AD) infrastructure, manage secured remote access into the corporate network for mobile users, control or restrict connectivity to removable media devices and untrusted wireless networks, and containerize the mobile device to segregate the user's workspace from personal space, protecting business applications and data from a wide spread of threats.

Security Assurance

Permitting the use of mobile smartphone devices and multi-purpose or mission-critical applications in corporate environments after a detailed technical assessment of security controls enables the stakeholders to identify, assess and diligently manage mobile security risks. Mobile security assessments for device security and application security testing are broadly categorized as:

- Native mobile application penetration testing
- Mobile website penetration testing
- Hybrid application & website penetration testing
- Native application secure code review
- Mobile device security & configuration review
- Secure SDLC consulting on threat modeling & coding

The Mobile Application Security Framework developed by Happiest Minds provides a range of specialized services across all these assessment types, including security advisory and gap analysis.

Mobile Application Security Framework

Advisory and gap analysis covers the review of mobile application artifacts such as security requirements based on asset value and data protection requirements, in accordance with the applicable legislative and regulatory requirements, and recommends suitable countermeasures to mitigate security design flaws and emerging threats for securing enterprise mobile devices with reference to OWASP, CERT, SANS and NIST security standards and guidelines.

Threat modelling for mobile applications involves understanding the application functionality and its entry points on mobile platforms, followed by defining attack vectors to cover all possible scenarios and attack surfaces, such as exposed APIs or RPC, malicious users, third-party components and services, mobile storage, web browsing and content handlers. Assurance services on threat modeling enable developers to identify the most credible threats with the greatest potential impact on the mobile applications, as indicated by industry standards & frameworks.

Secure code review or static code analysis involves code crawling to understand the business logic and the possible security vulnerabilities in the mobile native application code and mobile platforms, using automated tools and manual techniques to identify business logic flaws and code-level flaws such as insecure use of hybrid technologies, client-side data caching and storage issues, client-side reflection-based attacks and incorrectly implemented application encoding and encryption, with reference to the OWASP Source Code Flaw Categories and the CERT, SANS and MSDN Secure Coding Standards.

Penetration testing adopts a hybrid approach of specialized automated tools and manual assessment techniques in mobile application security testing to cover various usage scenarios and all inherent threats, in accordance with industry best practices and the mobile security guidelines from applicable laws and regulations for payment security and data privacy. The security assessment team at Happiest Minds conducts both black-box and grey-box testing to ensure comprehensive coverage of all attack vectors and scenarios.

Native application penetration testing covers dynamic analysis with debugging of running applications on simulators, emulators and compatible mobile platforms to perform permission analysis, control flow analysis and data flow analysis, and to check security configuration, input validation, server-side controls, session management, client-side injection, authentication and authorization, side-channel data leakage, broken cryptography, sensitive information disclosure, data protection, insufficient transport layer protection and exception handling.

Mobile web application penetration testing covers all security vulnerabilities applicable to web applications, including a web server with unsafe configuration and software bugs, client-side vulnerabilities, insecure cookie handling, improper session handling, authentication bypass, circumventing application logic, input validation, function-level access control, use of vulnerable components, insecure direct object referencing, shared hosting vulnerabilities, improper cryptography implementation and form manipulation.

Mobile device configuration review covers the adequacy of device security and application security policy enforcement, including the use of unapproved applications, access control configuration, cryptography implementation, restrictions on removable media or wireless connections, mobile device containerization and relevant security settings for device hardening.

Security compliance testing primarily focuses on payment acceptance mobile applications that must meet the security guidelines mandated by the PCI Data Security Standard (PCI DSS), the Data Privacy Act (DPA) and other applicable regulatory and legislative requirements. These security requirements prevent cardholder account data from being intercepted when entered into a mobile device, from compromise while processed or stored within the mobile device and from interception upon transmission out of the mobile device.
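The device configuration review described above, as an added example that is not part of the whitepaper: it checks constructed MDM-style inventory records against the control areas the paper lists (rooted devices, unapproved apps, untrusted app sources, encryption, removable media and untrusted wireless, containerization) and maps the findings to an enforcement action. The record fields, the app allow-list and the sample fleet are assumptions made for illustration.

```python
"""Device posture check for a mobile device configuration review.
Added example, not the whitepaper's own code. Field names, the app allow-list
and the sample fleet are constructed assumptions."""
from dataclasses import dataclass, field

APPROVED_APPS = {"com.example.mail", "com.example.crm"}  # constructed corporate allow-list


@dataclass
class DeviceRecord:
    device_id: str
    rooted_or_jailbroken: bool
    encryption_enabled: bool
    untrusted_sources_allowed: bool   # side-loading from unknown sources permitted
    removable_media_allowed: bool
    open_wifi_allowed: bool           # may join untrusted wireless networks
    work_container_enabled: bool      # workspace segregated from personal space
    installed_apps: set = field(default_factory=set)


# One check per control area the paper lists: (predicate over a record, finding name).
CHECKS = [
    (lambda r: r.rooted_or_jailbroken, "rooted_or_jailbroken"),
    (lambda r: not r.encryption_enabled, "encryption_disabled"),
    (lambda r: r.untrusted_sources_allowed, "untrusted_app_sources"),
    (lambda r: r.removable_media_allowed, "removable_media_allowed"),
    (lambda r: r.open_wifi_allowed, "untrusted_wireless_allowed"),
    (lambda r: not r.work_container_enabled, "no_work_container"),
]


def assess_device(rec):
    """Return policy findings for one device; an empty list means compliant."""
    findings = [name for check, name in CHECKS if check(rec)]
    unapproved = sorted(rec.installed_apps - APPROVED_APPS)
    if unapproved:
        findings.append("unapproved_apps:" + ",".join(unapproved))
    return findings


def enforcement_action(findings):
    """Rooted devices lose corporate access outright; any other gap gets the
    policy profile re-pushed; a clean device is allowed through."""
    if not findings:
        return "allow"
    return "quarantine" if "rooted_or_jailbroken" in findings else "remediate"


def assess_fleet(records):
    """Evaluate every device; returns {device_id: (action, findings)}."""
    per_device = {r.device_id: assess_device(r) for r in records}
    return {d: (enforcement_action(f), f) for d, f in per_device.items()}


# Constructed sample inventory: compliant, rooted, and one with several policy gaps.
SAMPLE_FLEET = [
    DeviceRecord("dev-001", False, True, False, False, False, True, {"com.example.mail"}),
    DeviceRecord("dev-002", True, True, False, False, False, True, {"com.example.crm"}),
    DeviceRecord("dev-003", False, False, True, False, True, True, {"com.example.game"}),
]
```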
Conclusion

Mobile security experts at Happiest Minds will help assuage enterprise mobility concerns by arming you with knowledge of mobile device security threats, how to implement protection measures, and how to leverage mobile devices and applications that protect the account data on the devices to boost sales. Mobile computing technology will be ruggedized to be unaffected by regimented threats from different sources.