Developing Secure Mobile Applications

Julien Probst
Co-founder, Sysmosoft SA

Application Security Forum - Western Switzerland
27 October 2011 - HEIG-VD, Yverdon-les-Bains
http://appsec-forum.ch
Sysmosoft SA
Swiss-based company
Specialized in mobile security
Spin-off of the University of Applied Sciences in Yverdon-les-Bains (HEIG-VD)

Mobility
Working since 2008 with private banks to create an adapted solution
In production since 2010

Security
Threat and vulnerability analysis linked to mobility
Agile & Security Development Lifecycle
Threat overview (diagram): theft or loss, viruses/malware and unauthorized access, against devices that are the property of the enterprise and users' personal phones, both outside and inside the company network.
Jailbreak

Purpose
‒ Install free apps from “alternative stores”
‒ Unlock some new device features

Security issues
‒ All OS security mechanisms are disabled…
‒ … so all data can potentially be accessed
‒ “Alternative stores” do not verify apps

JailbreakMe
‒ Jailbreaks an iPhone/iPad from a web page
‒ Uses a third-party app security flaw
‒ Versions: v1 2007, v2 2010, v3 2011

Source: jailbreakme.com
Shared data

Purpose
‒ To improve the user’s experience, some data is shared between apps
‒ “Official” APIs are usually provided by the OS

Security issues
‒ Easy for developers to access your shared data…
‒ … and do what they want with it

Wall Street Journal analysis
‒ Over 100 legitimate applications analyzed
‒ 5 of them transmitted the address book to outsiders

Source: Wall Street Journal, Your Apps Are Watching You, 17 Dec. 2010
Fraunhofer’s PoC

How it works
 1. Get access to an iPhone
 2. Execute a jailbreak
 3. Install and run Fraunhofer’s script
 4. Wait for the OS to decrypt the Keychain
    — The PIN code is not required
    — Not all secrets are decrypted
 5. Access the user’s secrets in 6 minutes

Source: http://www.fraunhofer.de/
Forensic solutions

Purpose
‒ Commercial and Free/Open Source solutions
‒ Access “all” data stored on a smartphone

Capabilities table, “Grant access to” against iOS 4.x (the table’s marks are not preserved here):
‒ Physical imaging
‒ Logical imaging
‒ Passcode recovery
‒ Keychain decryption
‒ Disk decryption

Source: www.viaforensic.com & www.elcomsoft.com
Compromised data

Matrix (table) of the four attacks above against the data each one compromises; the columns are affected users, shared data, Keychain data, application data, data transport and device specifics (the table’s marks are not preserved here). Rows:
‒ Malicious legitimate app
‒ Jailbreak (with malicious app)
‒ Fraunhofer’s PoC
‒ Forensic solution
Professional configuration (diagram): operating system (device security features, device configuration); applications; resources.
Professional configuration vs. user configuration (diagram): operating system (device security features, device configuration); applications, including a secure application made of a security part and a business part; resources.
Where the user’s secrets leak through the device OS (diagram): display output (screenshots), keyboard input (dictionary cache), memory management (application memory data), data transport, the OS application manager (application state), backup and storage (device data, shared data, application data), and the Keychain.
Example: application “Secure Document Reader”

OS security      Application protection   Application prevention     OS feature
Keychain         Encrypt                  Clean keyboard on exit     Keyboard input
Storage          Encrypt                  Clean state on standby     OS app. manager
Data transport   Auth & encrypt           Clean memory on standby    Memory manag.
Cryptographic algorithms
Implements all cryptographic algorithms at the application level
Usually the strongest part of the application

Key management
Manages all cryptographic keys at the application level
Usually a weak point of the application
View mode – best security
Do not store data on the device
Only use the established ephemeral session key to exchange the data

Cache mode – best compromise
Encrypt data on the device
Store and protect the key on the server only

Offline mode – less secure
Encrypt data on the device
Store and protect the key on the device
Offline authentication limitation
‒ The device ID cannot be verified by the device itself
‒ Hardware token IDs are verified by a trusted server
‒ Only the user’s ID can be verified by the device

Potential attacks against offline authentication
‒ Social engineering to obtain the user’s credentials
‒ Brute force attack against the data encryption key
    • Even if a key derivation function (PBKDF2) is used
Check the operating system
Verify the version of the OS
Control the integrity of the OS (jailbreak, etc.)

Check for insecure system caches and features
Avoid/clean caches (keyboard, pasteboard, screenshots, etc.)
Detect undesired features (multitasking management, backup, etc.)

Apply device-specific best practices
Security recommendations
Memory management, …
Comply with company security policies
Countermeasures are implemented according to the security needs

Use high-level standard cryptographic algorithms
Crypto algorithms can be used without limitations or restrictions

Apply the same security mechanisms on each platform
The same mechanisms can be implemented and managed for each platform
The application still relies on the operating system
A critical flaw in the OS can potentially lead to a data breach

Some mechanisms remain out of the control of the application
OS prevention/control mechanisms must be developed (cache cleaning, etc.)

Offline mode remains a potential issue
Trusted specific hardware can potentially be used

Implementing security inside apps requires experience and time
Integrating a Security Development Lifecycle (SDLC) is recommended
Mobile devices are new threat vectors for companies’ data
Misconfigured devices are vulnerable to a multitude of new types of attacks

Conventional security solutions are not really adapted to mobility
Applying company security policies to personal mobile devices is not possible

Integrate security inside apps rather than relying only on the OS or infrastructure
Sensitive data is protected by additional application-level security mechanisms

Isolate sensitive or corporate data from private data
End users keep their habits while companies apply specific rules to sensitive data
Contact
Sysmosoft SA
Rue Galilée 9
1400 Yverdon-les-Bains
+41 (0) 24 524 10 36
Julien Probst
Julien.probst@sysmosoft.com
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obf...
 
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScriptWarning Ahead: SecurityStorms are Brewing in Your JavaScript
Warning Ahead: SecurityStorms are Brewing in Your JavaScript
 
Killing any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented featureKilling any security product … using a Mimikatz undocumented feature
Killing any security product … using a Mimikatz undocumented feature
 
Rump attaque usb_caralinda_fabrice
Rump attaque usb_caralinda_fabriceRump attaque usb_caralinda_fabrice
Rump attaque usb_caralinda_fabrice
 
Operation emmental appsec
Operation emmental appsecOperation emmental appsec
Operation emmental appsec
 

Último

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 

Último (20)

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 

ASFWS 2011 - Secure software development for mobile devices

  • 1. Secure Mobile Application Development. Julien Probst, co-founder, Sysmosoft SA. Application Security Forum, Western Switzerland, 27 October 2011, HEIG-VD, Yverdon-les-Bains. http://appsec-forum.ch
  • 2. Sysmosoft
    ‒ Swiss-based company specialized in mobile security; spin-off of the University of Applied Sciences in Yverdon-les-Bains (HEIG-VD)
    ‒ Mobility: working since 2008 with private banks to create an adapted solution; in production since 2010
    ‒ Security: threat and vulnerability analysis linked to mobility; Agile & Security Development Lifecycle
  • 3. Threat diagram (layout not recoverable): theft/loss, viruses/malware and unauthorized access, against both devices that are property of the enterprise and users' personal phones, outside and inside the company network
  • 4. (no slide text)
  • 5. Jailbreak
    ‒ Purpose: install free apps from "alternative stores"; unlock some new device features
    ‒ Security issues: all OS security mechanisms are disabled, so all data can potentially be accessed; "alternative stores" do not verify apps
    ‒ JailbreakMe: jailbreak your iPhone/iPad from a web page; uses a third-party app security flaw; versions: v1 2007, v2 2010, v3 2011
    ‒ Source: jailbreakme.com
  • 6. Data shared between apps
    ‒ Purpose: to improve the user's experience, some data is shared between apps; "official" APIs are usually provided by the OS
    ‒ Security issues: easy for developers to access your shared data and do what they want with it
    ‒ Wall Street Journal analysis: over 100 legitimate applications analyzed; 5 of them transmitted the address book to outsiders
    ‒ Source: Wall Street Journal, "Your Apps Are Watching You", 17 Dec. 2010
  • 7. PoC: how it works
    1. Get access to an iPhone
    2. Execute a jailbreak
    3. Install and run the Fraunhofer script
    4. Wait for the OS to decrypt the Keychain (the PIN code is not required; not all secrets are decrypted)
    5. Access the user's secrets in 6 minutes
    ‒ Source: http://www.fraunhofer.de/
  • 8. Forensic solutions
    ‒ Commercial and free/open-source solutions; access "all" data stored on a smartphone
    ‒ Grant access to iOS 4.x: physical imaging, logical imaging, passcode recovery, Keychain decryption, disk decryption
    ‒ Source: www.viaforensic.com & www.elcomsoft.com
  • 9. Summary table (cell markings not recoverable). Rows (attacks): malicious legitimate app; jailbreak (with malicious app); Fraunhofer's PoC; forensic solution. Columns: affected users and compromised data (shared data, Keychain data, application-specific data, device data, data transport)
  • 10. (no slide text)
  • 11. Diagram: professional configuration covering the Operating System, Device security features, Device configuration, Applications and Resources
  • 12. Diagram: professional configuration vs. user configuration over the same layers (Operating System, Device security features, Device configuration, Applications, Resources), with a Secure Application adding its own Security and Business layers
  • 13. (no slide text)
  • 14. Diagram of an application's data on the device (layout not recoverable): the user's secrets in the Keychain; interface ("screenshots" of the display; keyboard data input and the dictionary cache); memory (memory management, memory's data); output (data transport); OS application manager (application's state, backup); storage (device's data, shared data, application data)
  • 15. OS application: Secure Document Reader. OS security features with the matching prevention and protection measures (as far as recoverable):
    ‒ Keyboard input: clean the keyboard on exit; Keychain encryption
    ‒ OS application manager: clean the state on standby; storage encryption
    ‒ Memory management: clean memory on standby; authentication & encryption of data transport
  • 16. Cryptographic algorithms: all implemented at the application level; usually the strongest part of the application. Key management: all cryptographic keys managed at the application level; usually a weak point of the application
  • 17. Data protection modes
    ‒ View mode (best security): do not store data on the device; only use the established ephemeral session key to exchange the data
    ‒ Cache mode (best compromise): encrypt data on the device; store and protect the key on the server only
    ‒ Offline mode (less secure): encrypt data on the device; store and protect the key on the device
  • 18. Offline authentication
    ‒ Limitation: the device ID cannot be verified by the device itself; hardware token IDs are verified by a trusted server; only the user's ID can be verified by the device
    ‒ Potential attacks: social engineering to obtain the user's credentials; brute-force attack against the data encryption key, even when a key derivation function such as PBKDF2 is used
  • 19. Check the operating system: verify the OS version; control the integrity of the OS (jailbreak, etc.). Check for insecure system caches and features: avoid/clean caches (keyboard, pasteboard, screenshots, etc.); detect undesired features (multitasking management, backup, etc.). Apply device-specific best practices: security recommendations; memory management, ...
  • 20. (no slide text)
  • 21. Comply with company security policies: countermeasures are implemented according to the security needs. Use high-level standard cryptographic algorithms: crypto algorithms can be used without limitation or restrictions. Apply the same security mechanisms to each platform: the same mechanisms can be implemented and managed for each platform
  • 22. The application still relies on the operating system: a critical flaw in the OS can potentially lead to a data breach. Some mechanisms remain out of the control of the application: OS prevention/control mechanisms must be developed (cache cleaning, etc.). Offline mode remains a potential issue: trusted specific hardware can potentially be used. Implementing security inside apps requires experience and time: integrating a Security Development Lifecycle (SDLC) is recommended
  • 23. Mobile devices are new threat vectors for companies' data: misconfigured devices are vulnerable to a multitude of new types of attacks. Conventional security solutions are not really adapted to mobility: applying company security policies to personal mobile devices is not possible. Integrate security inside apps and do not rely only on the OS or infrastructure: sensitive data is protected by additional applicative security mechanisms. Isolate sensitive or corporate data from private data: end users keep their habits while companies apply specific rules to sensitive data
  • 24. Contact: Sysmosoft SA, Rue Galilée 9, 1400 Yverdon-les-Bains, +41 (0) 24 524 10 36. Julien Probst, Julien.probst@sysmosoft.com
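The "Offline Mode" of slide 17 and the brute-force caveat of slide 18, worked through as an added Python example (this is not code from the deck or from Sysmosoft): the device-side key is derived with PBKDF2 from the user's secret and a per-device salt, a key check value lets the app tell a wrong secret from corrupted data, and a cost estimate shows how long an exhaustive search takes once an attacker holds a device image. The iteration count, the attacker's hash throughput and the two secret formats compared are assumptions chosen for illustration.

```python
"""Offline-mode key handling (slide 17) and why PBKDF2 alone does not
remove the brute-force risk named on slide 18. Added example; every
numeric parameter below is an assumption, not a figure from the deck."""
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 100_000   # assumed per-app PBKDF2 work factor
KEY_LEN = 32           # 256-bit data encryption key


def derive_key(secret: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 from the user's secret and a random per-device salt.
    In offline mode this key never leaves the device, so its strength is
    bounded by the secret the user can remember."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def key_check_value(key: bytes) -> bytes:
    """Short tag stored beside the ciphertext. It is computed over a constant,
    so it leaks nothing about the protected data, but it is exactly the value
    an offline guess is compared against, which is why the secret's keyspace
    matters as much as the KDF cost."""
    return hmac.new(key, b"kcv", "sha256").digest()[:8]


def unlock(secret: str, salt: bytes, stored_kcv: bytes) -> Optional[bytes]:
    """Re-derive the key on the device and accept it only if the KCV matches."""
    key = derive_key(secret, salt)
    if hmac.compare_digest(key_check_value(key), stored_kcv):
        return key
    return None


def guesses_to_exhaust(charset_size: int, length: int) -> int:
    """Size of the secret space an exhaustive search has to cover."""
    return charset_size ** length


def expected_hours(charset_size: int, length: int,
                   iterations: int = ITERATIONS,
                   hashes_per_second: int = 1_000_000_000) -> float:
    """Expected search time, assuming the attacker has the device image (salt
    and KCV) and the given HMAC-SHA256 throughput (assumed value); on average
    half the space is searched before the secret is found."""
    total = guesses_to_exhaust(charset_size, length) * iterations
    return total / 2 / hashes_per_second / 3600


def compare_secret_formats(iterations: int = ITERATIONS) -> Dict[str, float]:
    """Constructed comparison: a 4-digit PIN versus a 10-character
    alphanumeric passphrase under the same KDF cost."""
    return {
        "4-digit PIN": expected_hours(10, 4, iterations),
        "10-char alphanumeric": expected_hours(62, 10, iterations),
    }


if __name__ == "__main__":
    salt = os.urandom(16)                 # per-device salt, stored in clear
    key = derive_key("1234", salt)
    kcv = key_check_value(key)
    assert unlock("1234", salt, kcv) == key
    assert unlock("0000", salt, kcv) is None
    for label, hours in compare_secret_formats().items():
        print(f"{label:>22}: about {hours:.3g} hours to exhaust")
```

Raising the iteration count only multiplies the attacker's cost by a constant; it cannot turn the 10,000 possibilities of a PIN into a keyspace that survives an offline search, which is the deck's reason for preferring cache mode (key held on the server) or trusted hardware over a purely device-held key.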