Mobile Security

“Bring war material with you from home but forage on the enemy” - Sun Tzu

Xavier Mertens
Beltug SIG Security - Jan 2013
Disclaimer

“The opinions expressed in this presentation
are those of the speaker and do not necessarily
reflect those of past, present employers,
partners or customers.”
Agenda

• Introduction: Top-10 mobile risks
• Company owned devices
• Employee owned device (BYOD)
• Risks inherent in mobile devices
• Mobile applications development
Top-10 Mobile Risks

• Insecure data storage
• Weak server side controls
• Insufficient transport layer protection
• Client side injection
• Poor authentication & authorization
• Improper session handling
• Secure decision via untrusted input
• Side channel data leakage
• Broken cryptography
• Sensitive information disclosure

(Source: OWASP)
Top-10 Mobile Risks

Mobile devices are Computers!

(Source: OWASP)
Company Owned Devices
Easy? Really?

• Limited set of manufacturers/OS
• Full control of hell?
• People try to break out of the jail (as with laptops)
• Need procedures (backups, helpdesk)
Corporate Policy

• Must be communicated & approved before device provisioning
• Communication channels: addendum to a contract, Intranet, a “check box”?
• Restrictions (SD cards, Bluetooth, camera)
• What about private data? (pictures, MP3, downloaded (paid!) apps)
Examples

• Document already available on beltug.be (Members section)
• Simple policy: http://www.security-marathon.be/?p=1466 (Jean-Sébastien Opdebeeck)
Data Classification

• Another approach is implementing data classification
• An implementation of the “least privilege” principle
• Access to data is based on profiles
• Works with any device! (the benefit is broader than the scope of mobile devices)
Data Classification

Data Classification     Company Owned Devices   Personal Devices
Top-Secret              No                      No
Highly Confidential     No                      No
Proprietary             Yes                     No
Internal Use Only       Yes                     Yes
Public                  Yes                     Yes
Employee Owned Devices

Why do people BYOD?

• Devices became cheaper and more powerful
• The “Generation Y”
• Always online, everywhere!
First Question?

• Are you ready to accept personal devices on your network?
• It’s a question of ... risk!
• Examples:
  • Data loss
  • Network intrusion
  • Data exfiltration
“MDM”?

• Do you need an MDM solution? (Mobile Device Management)
• Can you trust $VENDORS?
• Microsoft Exchange includes ActiveSync for free
• Most security $VENDORS propose (basic) tools to handle mobile devices
Minimum Requirements

• Automatic lock + password
• No jailbroken devices
• Remote wipe
• Backups (who’s responsible?)
Risks Inherent In Mobile Devices
Personal Hotspots

• Tethering allows mobile devices to be used as hotspots
• Corporate devices (laptops) could bypass Internet access controls
• Risk of rogue routers (if IP forwarding is enabled)
Rogue App Stores

• A mobile device without apps is less useful
• Owners tend to install any app
• Some apps request far more permissions than they need
• People trust app stores and developers
• Developers must write good code
QR Codes
Geolocalization
NFC
Home & Cars
Mobile Application Development
OWASP Mobile Security Project

• Mobile testing guide
• Secure mobile development guide
• Top-10 mobile controls and design principles

https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
Lack of/Bad Encryption

• Developers re-invent the wheel: do not write a new encryption algorithm
• Encrypt everything (data at rest, data in motion)
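As an added example (not code from the presentation), the "do not write a new encryption algorithm" advice applied to data at rest in Go: a record is sealed with the standard library's AES-256-GCM, and the record id is bound as associated data so a ciphertext copied into another record no longer opens. The key source (a constructed value here, the platform key store in practice) and the record layout are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record layout on disk: nonce || ciphertext || GCM tag (Seal appends the tag).
// The key is assumed to come from the platform key store; here it is a constructed value.

var ErrKeySize = errors.New("key must be 32 bytes (AES-256)")

// EncryptAtRest seals plaintext with AES-256-GCM, a standard AEAD, instead of a
// home-made scheme. context is authenticated but not encrypted: binding e.g. the
// record id means a ciphertext copied into another record fails to open.
func EncryptAtRest(key, plaintext, context []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, ErrKeySize
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record: reusing one under the same key breaks GCM.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, so the nonce is stored with the record.
	return aead.Seal(nonce, nonce, plaintext, context), nil
}

// DecryptAtRest opens a record produced by EncryptAtRest. Any modified byte
// (nonce, ciphertext or tag) or a different context makes Open return an error.
func DecryptAtRest(key, record, context []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, ErrKeySize
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(record) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("record too short to contain nonce and tag")
	}
	nonce, ct := record[:aead.NonceSize()], record[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, context)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key := make([]byte, 32) // constructed demo key; use the device key store in practice
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	ctx := []byte("record:42") // constructed record id used as associated data
	rec, err := EncryptAtRest(key, []byte("account balance 1234"), ctx)
	if err != nil {
		panic(err)
	}
	pt, err := DecryptAtRest(key, rec, ctx)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	rec[len(rec)-1] ^= 0x01 // flip one bit of the tag: the record no longer opens
	_, err = DecryptAtRest(key, rec, ctx)
	fmt.Println("after tampering:", err)
}
```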
Local VS. Remote Storage

          Pros               Cons
Local     No network costs   Risk of loss
          Speed              Outdated
Central   Always updated     Data network ($)
          No risk of loss    Speed
Geolocalization

• Again! But this time for good purposes
• Do not allow some actions or apps (ex: opening a wallet) if GPS data shows the phone outside Europe
• Combine with passwords for stronger authentication/authorization
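An added example, not from the presentation, of the rule above as a server-side authorization check in Go: the wallet action is refused unless the password check passed and a fresh location fix places the phone inside the allowed region. Because the fix is client-reported (the "secure decision via untrusted input" risk from the Top-10), it only adds a gate and never replaces the password, and the check fails closed when the fix is missing or stale. The Europe bounding box, the action names and the five-minute freshness window are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Fix is the location reported by the app. It is client-supplied input, so the
// server uses it only as an extra gate on top of the password, never instead of it.
type Fix struct {
	Lat, Lon float64
	At       time.Time
}

// Region is a crude bounding box. The numbers below are a constructed
// approximation of Europe, not a precise or legal definition.
type Region struct{ MinLat, MaxLat, MinLon, MaxLon float64 }

var Europe = Region{MinLat: 34, MaxLat: 72, MinLon: -25, MaxLon: 45}

func (r Region) Contains(f Fix) bool {
	return f.Lat >= r.MinLat && f.Lat <= r.MaxLat &&
		f.Lon >= r.MinLon && f.Lon <= r.MaxLon
}

// Constructed action names; opening the wallet is the sensitive one from the slide.
const (
	ActionReadBalance = "read-balance"
	ActionOpenWallet  = "open-wallet"
)

var sensitive = map[string]bool{ActionOpenWallet: true}

// MaxFixAge: an old fix describes where the phone was, not where it is, so it is rejected.
const MaxFixAge = 5 * time.Minute

var (
	ErrBadPassword = errors.New("authentication failed")
	ErrNoFix       = errors.New("no fresh location fix: sensitive action denied")
	ErrOutOfRegion = errors.New("device outside allowed region: sensitive action denied")
)

// Authorize combines the password result (from the normal credential check, done
// by the caller) with the geographic rule. Non-sensitive actions only need the
// password; sensitive ones also need a fresh fix inside region. Fails closed.
func Authorize(action string, passwordOK bool, fix *Fix, now time.Time, region Region) error {
	if !passwordOK {
		return ErrBadPassword // location never substitutes for the password
	}
	if !sensitive[action] {
		return nil
	}
	// Missing, stale or future-dated fixes are all treated as "no fix".
	if fix == nil || fix.At.After(now) || now.Sub(fix.At) > MaxFixAge {
		return ErrNoFix
	}
	if !region.Contains(*fix) {
		return ErrOutOfRegion
	}
	return nil
}

func main() {
	// Constructed sample fixes around a fixed "now".
	now := time.Date(2013, 1, 15, 10, 0, 0, 0, time.UTC)
	brussels := &Fix{Lat: 50.85, Lon: 4.35, At: now.Add(-time.Minute)}
	newYork := &Fix{Lat: 40.71, Lon: -74.0, At: now.Add(-time.Minute)}
	fmt.Println("wallet from Brussels:", Authorize(ActionOpenWallet, true, brussels, now, Europe))
	fmt.Println("wallet from New York:", Authorize(ActionOpenWallet, true, newYork, now, Europe))
	fmt.Println("balance from New York:", Authorize(ActionReadBalance, true, newYork, now, Europe))
	fmt.Println("wallet without a fix:", Authorize(ActionOpenWallet, true, nil, now, Europe))
}
```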
Enterprise Appstores

• Goal: distribute, secure and manage mobile apps through your own company-branded appstore.
• Applications available in the appstore have been approved by a strong validation process.
Thank You!

Xavier Mertens
xavier@rootshell.be
@xme
http://blog.rootshell.be
