Protecting Mobile Apps and Security around Bring Your Own Device


Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/14bpf2V.

Alex Batlin and Shane Williams explore the challenges faced maintaining the security of mobile apps and also take a look at the enterprise implications with the push for BYOD. Filmed at qconlondon.com.

Shane is currently regional head of mobile development in Switzerland, developing secure mobile applications across the UBS group. Alex is a Director in UBS's technology innovation, research and development team covering emerging and trending technology topics like big data analytics, social media, cloud and mobile computing, unified communication, post-PC consumer BYOD enterprise architecture.

Published in: Technology, News & Politics

  1. Protecting Mobile Apps and Security in the context of Bring Your Own Device. Shane Williams, Alex Batlin
  2. InfoQ.com: News & Community Site • 750,000 unique visitors/month • Published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese) • Post content from our QCon conferences • News 15-20 / week • Articles 3-4 / week • Presentations (videos) 12-15 / week • Interviews 2-3 / week • Books 1 / month. Watch the video with slide synchronization on InfoQ.com! http://www.infoq.com/presentations/mobile-security-byod
  3. Presented at QCon London, www.qconlondon.com. Purpose of QCon: to empower software development by facilitating the spread of knowledge and innovation. Strategy: practitioner-driven conference designed for YOU: influencers of change and innovation in your teams; speakers and topics driving the evolution and innovation; connecting and catalyzing the influencers and innovators. Highlights: attended by more than 12,000 delegates since 2007; held in 9 cities worldwide.
  4. THE BASICS AND BACKGROUND
  5. Basics – Security is the same. Confidentiality LOSS = unauthorized disclosure of information.
  6. Basics – Security is the same. Availability LOSS = disruption of access to or use of information or an information system.
  7. Basics – Security is the same. Integrity LOSS = unauthorized modification or destruction of information.
  8. Basics – Security is the same. Confidentiality LOSS = unauthorized disclosure of information. Integrity LOSS = unauthorized modification or destruction of information. Availability LOSS = disruption of access to or use of information or an information system.
  9. Mobile Threat Model (OWASP diagram, labels only): WEB: Cloud Storage, App Stores, Websites, Web Services, Corp Networks. Hardware: Radio, GPS, Sensor. OS: Kernel, Drivers, FS. Runtime: Libs, Deps, VMs. Apps. Card reader, Sensors, Laptop, Peer Device, Payments, Laptop. Channels: 802.11, NFC, Bluetooth, SMS, Voice, Carrier Network, Local Network (Wi-Fi, VPN, etc). OWASP Trust Boundary; zones CORP / CONS / BUILTIN.
  10. Threat paths (OWASP diagram): Threat Agents → Attack Vectors → Security Weaknesses (Vulnerabilities) → Security Controls → Technical Impacts → Business Impacts; several weaknesses and controls sit on each path.
  11. Threat paths: Threat-Source motivation • Financial • Political • Publicity
  12.-14. Threat paths: Threat-Source launches multiple attacks along the paths (diagram builds).
  15. Threat paths: an attack reaches the asset: "0wned".
  16. Threat paths: Function → Impact.
  17. Threat paths (full diagram): Threat Agents → Attack Vectors → Security Weaknesses (Vulnerabilities) → Security Controls → Technical Impacts (Asset, Function, Asset) → Business Impacts (Impact, Impact, Impact). © 2002-2013 OWASP Foundation
  18. Threat paths (full diagram, same as slide 17 without the copyright line).
  19. Top 10 Mobile Risks. Risk? "The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization." ISO 13335 – Information Technology Security Techniques
  20. Top 10 Mobile Risks (The Open Web Application Security Project (OWASP) - Mobile Security Project): 1. Insecure Data Storage 2. Weak Server Side Controls 3. Insufficient Transport Layer Protection 4. Client Side Injection 5. Poor Authorization and Authentication 6. Improper Session Handling 7. Security Decisions Via Untrusted Inputs 8. Side Channel Data Leakage 9. Broken Cryptography 10. Sensitive Information Disclosure. Slide annotations alongside the list, in the order shown: Data at rest control; Bypass client to attack; Over-the-wire; XSS, etc.; Low factors; Allow Hijacking; Keyboards, Listening, in-; Sophisticated; Easily breakable, WEP; Data leakage, Social
  21.-23. Attacks
  24. Attacks (diagram between S and R endpoints): Eavesdrop/Copy = attack Confidentiality; Stop/Delay/Modify = attack Integrity; Masquerade/Assume identity = attack Authenticity; Destroy channel, corrupt, overwhelm = attack Availability
  25. Attack Confidentiality • Eavesdropping • No Physical Boundaries • Tracing/Tracking • Device Capture
  26. Attack Integrity • SSL Stripping • Reputation • Fraud (Monetary/Identity) • Browser icons common
  27. Attack Availability • Distributed Denial of Service • Bandwidth Constraints • Interference and Jamming
  28. Recent Real World Examples • Feb 2013 – Watering Hole attack • Notable and newsworthy
  29. SECURITY CONTROLS
  30. Security controls: Platform Controls; Custom Controls
  31. Custom controls: BYOD: Personal Data, Company Data; LOA2+: Client Data, Employee Data
  32. NIST Levels of Assurance (table; columns: Level of Assurance | Data Classification | Data Examples | Cumulative Authentication Requirements | Authentication Examples)
      L0 – No knowledge of identity. | Public, Anonymous | Public website | None | Public website
      L1 - Little or no confidence in the asserted identity's validity. | Public | Public discussion forum | One of any factor | Username + password, i.e. something you know
      L2 - Some confidence in the asserted identity's validity. | Internal | Team process documents in SharePoint | One of any factor; verified identity | Username + password (something you know), checked against company HR-controlled LDAP directory
      L3 - High confidence in the asserted identity's validity. | Confidential | Company strategy presentation | Two or more of any factor | Password-protected X509 soft certificate: both something you have and something you know
      L4 - Very high confidence in the asserted identity's validity. | Strictly Confidential | Client or employee identifying documents | Two or more factors; one hard FIPS 140-2 token; independent reader | Password-protected smartcard over reader with button
      Factors: something you know (username, password), something you have (smartcard), something you are (fingerprints)
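The table above is an access policy in disguise: each data classification names the lowest level of assurance that may touch it, and each level adds one requirement to the one below. The following is an added example (not code from the talk) that encodes those cumulative rules; the classification keys, the `Factor` attributes and the reading of "two or more of any factor" as two distinct factor kinds are assumptions.

```python
"""Level-of-assurance check modelled on the NIST LOA table in the slides.

Added example, not from the talk. Classification names and the
'verified' / 'hard_token' / 'independent_reader' attributes are assumptions
used to encode the table's cumulative requirements.
"""
from dataclasses import dataclass

# Data classification -> minimum LOA, as in the slide's table.
REQUIRED_LOA = {
    "public-anonymous": 0,
    "public": 1,
    "internal": 2,
    "confidential": 3,
    "strictly-confidential": 4,
}


@dataclass(frozen=True)
class Factor:
    kind: str                         # "know", "have" or "are"
    verified: bool = False            # identity checked against HR-controlled directory
    hard_token: bool = False          # FIPS 140-2 hardware token (e.g. smartcard)
    independent_reader: bool = False  # token used through its own reader


def achieved_loa(factors):
    """Highest LOA the presented factors satisfy, cumulatively (L0..L4)."""
    if not factors:
        return 0
    kinds = {f.kind for f in factors}
    loa = 1                                     # L1: one of any factor
    if any(f.verified for f in factors):
        loa = 2                                 # L2: factor + verified identity
        # Assumption: "two or more of any factor" means two distinct kinds,
        # matching the slide's have+know soft-certificate example.
        if len(kinds) >= 2:
            loa = 3                             # L3: two or more distinct factors
            if any(f.hard_token and f.independent_reader for f in factors):
                loa = 4                         # L4: plus hard token on own reader
    return loa


def access_allowed(classification, factors):
    """True when the presented factors reach the LOA the classification needs."""
    return achieved_loa(factors) >= REQUIRED_LOA[classification]
```

An unverified password plus a smartcard never climbs above L1 in this model, which is the point of the cumulative column: the hardware token does not substitute for the identity verification step.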
  33. Control categories: Secure Boot; Code Protection; Data Protection; Mobile Management; Server Protection
  34. Secure Boot – Apple Example • Protecting the low level to create the start of a chain of trust • Processor boots from read-only boot ROM – trusted – protects integrity • Contains the Apple Root CA • Verifies the low-level boot loader is signed by Apple • Secure boot chain ensures the lowest levels of software are tamper free • Boot process ensures only Apple-signed code can run on the device • Jailbreaks have exploited boot loader vulnerabilities. Diagram labels: OS Partition, Kernel, Crypto Engine, Device Key, Group Key, Apple Root Certificate, Encrypted File System, User Partition, App Sandbox; layers: Software, Hardware and Firmware.
  35. Code Protection – Platform: Signed application; Vetted applications; ASLR; Application sandboxing
  36. Code Protection – Custom: Static code analysis; Code obfuscation; Jailbreak Detection; Trusted Execution Environment; Anti-malware
  37. Code Protection (summary). Platform: Signed application, Vetted applications, ASLR, Application sandboxing. Custom: Static code analysis, Code obfuscation, Jailbreak Detection, Trusted Execution Environment, Anti-malware
  38. DATA Protection – Platform: User Authentication; Hardware Encryption; Device VPN
  39. Data Protection - Encryption: Hybrid • Symmetric • Asymmetric; Homomorphic
  40. Data protection – Custom: Container; FIPS 140-2 Encryption; Container Tunnels; Digital Rights Management; Secure Tokens & OS
  41. Data Protection - Encryption Hardware: Embedded: TPM, HSM; Standalone (Independent): SmartCard; Hypervisor; TEE; Software API: OpenSSL
  42. Data Protection - Encryption Keys: Effaceable Memory; HW Crypto API; App Code; PKCS#11 over PC/SC
  43. Data Protection - Authentication. Scale from ease of use (No Password) to protection (Long Password). Top 20 used PINs … do you have one? #1 1234 10.71%, #2 1111 6.02%, #3 0000 1.88%, #4 1212 1.20%, #5 7777 0.75%, #6 1004 0.62%, #7 2000 0.61%, #8 4444 0.53%, #9 2222 0.52%, #10 6969 0.51%, #11 9999 0.45%, #12 3333 0.42%, #13 5555 0.40%, #14 6666 0.39%, #15 1122 0.37%, #16 1313 0.30%, #17 8888 0.30%, #18 4321 0.29%, #19 2001 0.29%, #20 1010 0.29%. #22 = 2580?
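The frequency table on slide 43 is exactly what a PIN policy should be built from: the top 20 alone cover more than a quarter of all PINs in use. The following is an added example (not code from the talk) that turns the slide's list into a blocklist and adds a few pattern checks; the frequency values are copied from the slide, while the keypad-column set (prompted by the "#22 = 2580" hint), the repeated-pair, sequence and year heuristics are my own assumptions about what a lockscreen policy would also reject.

```python
"""PIN-choice check built around the top-20 PIN frequency table on the slide.

Added example, not code from the talk. TOP20 is copied from the slide; the
pattern heuristics and KEYPAD_RUNS are assumptions, not from the talk.
"""

# (pin, share of all PINs in percent) as shown on the slide, rank 1..20.
TOP20 = [
    ("1234", 10.71), ("1111", 6.02), ("0000", 1.88), ("1212", 1.20),
    ("7777", 0.75), ("1004", 0.62), ("2000", 0.61), ("4444", 0.53),
    ("2222", 0.52), ("6969", 0.51), ("9999", 0.45), ("3333", 0.42),
    ("5555", 0.40), ("6666", 0.39), ("1122", 0.37), ("1313", 0.30),
    ("8888", 0.30), ("4321", 0.29), ("2001", 0.29), ("1010", 0.29),
]
BLOCKLIST = {pin for pin, _ in TOP20}

# Assumed keypad-column patterns (vertical runs on a phone keypad),
# the family the slide's "#22 = 2580" belongs to.
KEYPAD_RUNS = {"2580", "0852", "1470", "0741", "3690", "0963"}


def top20_coverage():
    """Share of all PINs (percent) covered by trying only the top 20."""
    return round(sum(share for _, share in TOP20), 2)


def pin_weakness(pin):
    """Return the first reason a 4-digit PIN is weak, or None if none found."""
    if len(pin) != 4 or not pin.isdigit():
        return "not a 4-digit PIN"
    if pin in BLOCKLIST:
        return "in top-20 list"
    if len(set(pin)) == 1:
        return "repeated digit"           # e.g. 8888 (also caught by the list)
    if pin[:2] == pin[2:]:
        return "repeated pair"            # e.g. 4545, assumed heuristic
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps == {1} or steps == {-1}:
        return "digit sequence"           # e.g. 3456 / 6543, assumed heuristic
    if pin in KEYPAD_RUNS:
        return "keypad column"
    if 1900 <= int(pin) <= 2030:
        return "looks like a year"        # assumed heuristic, cf. 2000 and 2001 in the list
    return None
```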
  44. Data Protection - Authentication: Basic (1FA): PIN, Password; Cryptographic (MFA): Soft Certificate, Hard Token (OTP/SC), Biometrics
  45. Data Protection - Authentication: Mutual; Negotiated; SSO; Federated; Delegated
  46. Data protection (summary). Platform: User Authentication, Hardware Encryption, Device VPN. Custom: Container, FIPS 140-2 Encryption, Container Tunnels, Digital Rights Management, Secure Tokens & OS
  47. Mobile Management – Platform: Mobile Device Management
  48. Mobile Management – Custom: Mobile Application Management; Mobile Hypervisor Management
  49. Mobile Management (summary). Platform: Mobile Device Management. Custom: Mobile Application Management, Mobile Hypervisor Management
  50. Securing Access to Services (diagram): Internet, Reverse Proxy, Application Server
  51. Securing Access to Services • Risk Assessment
  52. Securing Access to Services • Black Hats and White Hats
  53. Securing Access to Services • Penetration Test
  54. Closing Thoughts • You get a lot without trying on mobile platforms • You have to spend the effort on the controls (Client / Server) • Technology is improving to support security
  55. Thank You! And Stay Safe. Shane Williams, Alex Batlin