SlideShare una empresa de Scribd logo

Mobile Application Security

C
cclark_isec

An overview of the security challenges and opportunities that mobile application developers must work through

TecnologíaEmpresariales
1 de 46
Descargar para leer sin conexión
Mobile Application Security Chris Clark cclark@isecpartners.com iSEC Partners, Inc. 04/23/09 | AND-301 Session Classification: Intermediate
Agenda Mobile Today Security Challenges Supporting Security Actions 2
Mobile Today
Mobile Phone Sales Per Year 1200 Phones 1000 In Millions 800 600 400 200 0 1997 2009 Data from Tomi Ahonen Almanac 2009 4
5
Major Smartphone Platforms 6
7
Trend Catalysts • Sexier Devices • Unlimited Data Plans • Younger Generation • Provider App Stores • F500 Acceptance • Multi-Environment Phones 8
Security Challenges
What is Security? • Not the PC or Server Model – Single User – High-Value Information – Low-Value Applications • Availability and Power • Local Attacker Resistance 10
The Airline Pocket • Physical Security Just Doesn’t Exist • Phones will Be Lost • Need Ways of Protecting Data – Local encryption – Cloud storage 11
Hardware Limitations • Limited Bandwidth • Power • CPU • Size Technology Will Solve These 12
Screen Size *From RSnake 13
Poor Keyboards C)sOz*ao1pdn 14
Regulations 15
User Identification • Real Time • Must be Available Immediately • One Handed Interface • More Prompts than PC 16
“Ownership” • OS Vendor • User • Carrier • Application Developer All “Own” the Phone and Have Differing Objectives 17
Distribution Challenges • Indirect Customer Relationship • Patching Difficulties – Carriers are anti-patch • Long Update Lag • Multiple Hardware Platforms 18
Web Browsers • Different Browser Chrome • Inconsistent Standards Support • Too Much WebKit 19
Unsafe Languages • Windows Mobile (C/C++) – .Net Mobile Framework (safe) – /GS, SafeCRT • iPhone (Objective-C) – Has C Constructs – NX Stack/Heap • Symbian (Symbian C++) – C++ with more Complex Memory Management 20
Technical Comparison Feature Blackberry WinMo 6.x iPhone 2.2.1 Android Enterprise Mail and Calendar Remote Wipe Side-Load Applications Application Sandbox User permission UI App Signing Browser 21
Technical Comparison Feature Blackberry WinMo 6 iPhone 2.2.1 Android Application Language Permission Model App Buffer Overflows OS Buffer Overflow Protections Signature Required?
Vulnerability Count by Platform 23
Desktop Heritage 24
Growing Security Activity • Targeted by Security Community • CanSecWest • Asian & European Research • Commercial Spy Products 25
Mobile Web Presence • Multiple Internet Presences – Mobile vs. Standard • Both are on the Internet – Accept “All” Connections – Pen-Test from Desktop • Common Real World Result: – Primary website secured – Mobile site unprotected 26
Common Mobile Portal Mistakes • Using a Different SLD – bank.mobilecorp.com – mobilecorp.com/bank • Same Credentials as .com • Phishing Education Destroyed – If it Ever Worked
Supporting Security
Security Goals • Users can Safely Run Applications • OS Protected from Applications – A.K.A. Steal Carrier Revenue • Per-Application Private Data • Contain Vulnerabilities 29
Two Models Old Way New Way App App App Privileged Normal App App App 30
Old Way • BlackBerry & Windows Mobile • All or Nothing • Signatures Defines Permission Level • No or Limited File Permission Systems • No “users” – Good, because it doesn’t make sense 31
Pros/Cons Pros Cons • Easy to Understand • No Exploit Containment • Easy to Test • User can’t Make Granular Choices 32
Windows Mobile App 1 App 2 App 3 App 4 Kernel Kernel File System 33
Blackberry • J2ME Based • No Raw Device Access • Web Services and Web Based Models 34
Security Opportunities • More Granular Permissions • Sandboxed Applications • Reduced Attack Surface • Give Users Control of Data 35
iPhone App 1 App 2 App 3 App 4 Kernel App 1 App 2 App 3 App 4 Data Data Data Data 36
iPhone • One Distribution Method • Strict AppStore Policy • Non-Technological Policy Enforcement Application Store is a Security Barrier 37
Android & Symbian App 1 App 2 App 3 App 4 Kernel App 1 App 2 App 3 App 4 Data Data Data Data 38
Benefits • Extensible to Custom Data Types • Users Have Control • Same-Developer Sandbox – An Office Suite is Possible – Attack Surface Increased 39
Challenges 40
Android Market • Self-Signed Certificates • Community Reputation • No Unsigned Code Allowed Application Store is a Security Barrier 41
Actions
For Enterprises • Define a Mobile Application Security Policy • Set User Application Security Policy – Are App Stores Allowed? • Build Secure Line of Business Applications • Create a Unified Model for Mobile Interactions – Don’t mix “m.” with /mobile or .mobi domains 43
For Developers • Define Security Assertions for Users • Define Threats – Lost Phone – Network Attacks • Create Limits – E.g. Read-only Mobile Endpoints • Apply Secure Development Guidelines • Test on Real Devices 44
For Mobile Web Developers • Disallow Older Browsers • Do Not Decrease Overall Security – Tightly-Scope Functionality – Use SSL and Proper Domains • Strong Authentication – Unique Authentication for Mobile Sites • Don’t Make Phishing Easier – Keep Links out of Email – Maintain Clear Message 45
Questions? cclark@isecpartners.com 46

Recomendados

mobile application security
mobile application securitymobile application security
mobile application security-jyothish kumar sirigidi
 
Mobile Apps Security Testing -1
Mobile Apps Security Testing -1Mobile Apps Security Testing -1
Mobile Apps Security Testing -1Krisshhna Daasaarii
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Edureka!
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101Narudom Roongsiriwong, CISSP
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Stephen Cobb
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityEryk Budi Pratama
 

Recomendados

mobile application security
mobile application securitymobile application security
mobile application security-jyothish kumar sirigidi
 
Mobile Apps Security Testing -1
Mobile Apps Security Testing -1Mobile Apps Security Testing -1
Mobile Apps Security Testing -1Krisshhna Daasaarii
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Edureka!
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101Narudom Roongsiriwong, CISSP
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Stephen Cobb
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityEryk Budi Pratama
 
Mobile security
Mobile securityMobile security
Mobile securityCyberoamAcademy
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top TenChristian Heinrich
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
The fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityThe fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityNowSecure
 
Mobile App Security Testing -2
Mobile App Security Testing -2Mobile App Security Testing -2
Mobile App Security Testing -2Krisshhna Daasaarii
 
Offensive Security basics part 1
Offensive Security basics part 1Offensive Security basics part 1
Offensive Security basics part 1wharpreet
 
Mobile Security
Mobile SecurityMobile Security
Mobile SecurityMarketingArrowECS_CZ
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Frameworkn|u - The Open Security Community
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10Pawel Rzepa
 
Application Security
Application SecurityApplication Security
Application SecurityReggie Niccolo Santos
 
Red team and blue team in ethical hacking
Red team and blue team in ethical hackingRed team and blue team in ethical hacking
Red team and blue team in ethical hackingVikram Khanna
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017TecsyntSolutions
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10NowSecure
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
Android Hacking + Pentesting
Android Hacking + Pentesting Android Hacking + Pentesting
Android Hacking + Pentesting Sina Manavi
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & ArchitecturePriyanka Aash
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationTriCorps Technologies
 
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.comMobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.comIdexcel Technologies
 
The curious case of mobile app security.pptx
The curious case of mobile app security.pptxThe curious case of mobile app security.pptx
The curious case of mobile app security.pptxAnkit Giri
 

Más contenido relacionado

La actualidad más candente

Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
The fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityThe fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityNowSecure
 
Offensive Security basics part 1
Offensive Security basics part 1Offensive Security basics part 1
Offensive Security basics part 1wharpreet
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10Pawel Rzepa
 
Red team and blue team in ethical hacking
Red team and blue team in ethical hackingRed team and blue team in ethical hacking
Red team and blue team in ethical hackingVikram Khanna
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017TecsyntSolutions
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10NowSecure
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
Android Hacking + Pentesting
Android Hacking + Pentesting Android Hacking + Pentesting
Android Hacking + Pentesting Sina Manavi
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & ArchitecturePriyanka Aash
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationTriCorps Technologies
 

La actualidad más candente (20)

Mobile security
Mobile securityMobile security
Mobile security
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top Ten
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
The fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityThe fundamentals of Android and iOS app security
The fundamentals of Android and iOS app security
 
Mobile App Security Testing -2
Mobile App Security Testing -2Mobile App Security Testing -2
Mobile App Security Testing -2
 
Offensive Security basics part 1
Offensive Security basics part 1Offensive Security basics part 1
Offensive Security basics part 1
 
Mobile Security
Mobile SecurityMobile Security
Mobile Security
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10
 
Application Security
Application SecurityApplication Security
Application Security
 
Red team and blue team in ethical hacking
Red team and blue team in ethical hackingRed team and blue team in ethical hacking
Red team and blue team in ethical hacking
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration Testing
 
Android Hacking + Pentesting
Android Hacking + Pentesting Android Hacking + Pentesting
Android Hacking + Pentesting
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your Organization
 

Destacado

Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.comMobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.comIdexcel Technologies
 
The curious case of mobile app security.pptx
The curious case of mobile app security.pptxThe curious case of mobile app security.pptx
The curious case of mobile app security.pptxAnkit Giri
 
Mobile application security – effective methodology, efficient testing! hem...
Mobile application security – effective methodology, efficient testing! hem...Mobile application security – effective methodology, efficient testing! hem...
Mobile application security – effective methodology, efficient testing! hem...owaspindia
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application SecurityPrateek Jain
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham
 
Cloud Assessment - iPad App
Cloud Assessment - iPad AppCloud Assessment - iPad App
Cloud Assessment - iPad AppCoe Marlabs
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Kyle Lai
 
Cybersecurity Best Practices in Financial Services
Cybersecurity Best Practices in Financial ServicesCybersecurity Best Practices in Financial Services
Cybersecurity Best Practices in Financial ServicesJohn Rapa
 
How to scale mobile application security testing
How to scale mobile application security testingHow to scale mobile application security testing
How to scale mobile application security testingNowSecure
 
Gursev kalra _mobile_application_security_testing - ClubHack2009
Gursev kalra _mobile_application_security_testing - ClubHack2009Gursev kalra _mobile_application_security_testing - ClubHack2009
Gursev kalra _mobile_application_security_testing - ClubHack2009ClubHack
 
Basic Guide For Mobile Application Testing
Basic Guide For Mobile Application TestingBasic Guide For Mobile Application Testing
Basic Guide For Mobile Application TestingSourabh Kasliwal
 
Segurança no Desenvolvimento de App`s
Segurança no Desenvolvimento de App`sSegurança no Desenvolvimento de App`s
Segurança no Desenvolvimento de App`sOnyo
 
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDKEric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDKGuardSquare
 
Linkedin.com DomXss 04-08-2014
Linkedin.com DomXss 04-08-2014Linkedin.com DomXss 04-08-2014
Linkedin.com DomXss 04-08-2014Giorgio Fedon
 
Concrete5 Sendmail RCE Advisory
Concrete5 Sendmail RCE AdvisoryConcrete5 Sendmail RCE Advisory
Concrete5 Sendmail RCE AdvisoryMinded Security
 

Destacado (17)

Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.comMobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
 
The curious case of mobile app security.pptx
The curious case of mobile app security.pptxThe curious case of mobile app security.pptx
The curious case of mobile app security.pptx
 
Mobile application security – effective methodology, efficient testing! hem...
Mobile application security – effective methodology, efficient testing! hem...Mobile application security – effective methodology, efficient testing! hem...
Mobile application security – effective methodology, efficient testing! hem...
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
 
Cloud Assessment - iPad App
Cloud Assessment - iPad AppCloud Assessment - iPad App
Cloud Assessment - iPad App
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
 
Cybersecurity Best Practices in Financial Services
Cybersecurity Best Practices in Financial ServicesCybersecurity Best Practices in Financial Services
Cybersecurity Best Practices in Financial Services
 
How to scale mobile application security testing
How to scale mobile application security testingHow to scale mobile application security testing
How to scale mobile application security testing
 
Gursev kalra _mobile_application_security_testing - ClubHack2009
Gursev kalra _mobile_application_security_testing - ClubHack2009Gursev kalra _mobile_application_security_testing - ClubHack2009
Gursev kalra _mobile_application_security_testing - ClubHack2009
 
Basic Guide For Mobile Application Testing
Basic Guide For Mobile Application TestingBasic Guide For Mobile Application Testing
Basic Guide For Mobile Application Testing
 
Segurança no Desenvolvimento de App`s
Segurança no Desenvolvimento de App`sSegurança no Desenvolvimento de App`s
Segurança no Desenvolvimento de App`s
 
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDKEric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
 
iOS Masque Attack
iOS Masque AttackiOS Masque Attack
iOS Masque Attack
 
Linkedin.com DomXss 04-08-2014
Linkedin.com DomXss 04-08-2014Linkedin.com DomXss 04-08-2014
Linkedin.com DomXss 04-08-2014
 
Concrete5 Sendmail RCE Advisory
Concrete5 Sendmail RCE AdvisoryConcrete5 Sendmail RCE Advisory
Concrete5 Sendmail RCE Advisory
 

Similar a Mobile Application Security

Group1 Ss08 Smartphones
Group1 Ss08 SmartphonesGroup1 Ss08 Smartphones
Group1 Ss08 SmartphonesKalun Leung
 
Mobile opportunity and options for it
Mobile opportunity and options for itMobile opportunity and options for it
Mobile opportunity and options for itTim McGovern
 
Mobile opportunity and options - for CIOs
Mobile opportunity and options - for CIOsMobile opportunity and options - for CIOs
Mobile opportunity and options - for CIOsTim McGovern
 
Browser isolation (isc)2 may presentation v2
Browser isolation (isc)2 may presentation v2Browser isolation (isc)2 may presentation v2
Browser isolation (isc)2 may presentation v2Wen-Pai Lu
 
C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2Santosh Satam
 
Defending Behind the Mobile Device
Defending Behind the Mobile DeviceDefending Behind the Mobile Device
Defending Behind the Mobile DeviceTyler Shields
 
SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013Petr Dvorak
 
Android Overview
Android OverviewAndroid Overview
Android Overviewatomi
 
The Endless Wave of Online Threats - Protecting our Community
The Endless Wave of Online Threats - Protecting our CommunityThe Endless Wave of Online Threats - Protecting our Community
The Endless Wave of Online Threats - Protecting our CommunityAVG Technologies AU
 
LT-5-v1
LT-5-v1LT-5-v1
LT-5-v1Uskidz
 
Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectivePragati Rai
 
Challenges In Managing Embedded Product Development
Challenges In Managing Embedded Product DevelopmentChallenges In Managing Embedded Product Development
Challenges In Managing Embedded Product DevelopmentAtul Nene
 
Unauthorized Wireless Network Connections
Unauthorized Wireless Network ConnectionsUnauthorized Wireless Network Connections
Unauthorized Wireless Network ConnectionsJohn Rhoton
 
Challenges EPs Face Going Mobile
Challenges EPs Face Going MobileChallenges EPs Face Going Mobile
Challenges EPs Face Going MobileEDR
 
Addressing Mobile App Testing Challenges
Addressing Mobile App Testing ChallengesAddressing Mobile App Testing Challenges
Addressing Mobile App Testing ChallengesLee Barnes
 
Securing mobile population for White Hats
Securing mobile population for White HatsSecuring mobile population for White Hats
Securing mobile population for White HatsVladimir Jirasek
 
Developing the MIT Mobile Web
Developing the MIT Mobile WebDeveloping the MIT Mobile Web
Developing the MIT Mobile Webshu beta
 
Implementing a Security strategy in IoT, Practical example Automotive Grade L...
Implementing a Security strategy in IoT, Practical example Automotive Grade L...Implementing a Security strategy in IoT, Practical example Automotive Grade L...
Implementing a Security strategy in IoT, Practical example Automotive Grade L...LibreCon
 

Similar a Mobile Application Security (20)

Group1 Ss08 Smartphones
Group1 Ss08 SmartphonesGroup1 Ss08 Smartphones
Group1 Ss08 Smartphones
 
Mobile opportunity and options for it
Mobile opportunity and options for itMobile opportunity and options for it
Mobile opportunity and options for it
 
Mobile opportunity and options - for CIOs
Mobile opportunity and options - for CIOsMobile opportunity and options - for CIOs
Mobile opportunity and options - for CIOs
 
Mobile Apps Security
Mobile Apps SecurityMobile Apps Security
Mobile Apps Security
 
Browser isolation (isc)2 may presentation v2
Browser isolation (isc)2 may presentation v2Browser isolation (isc)2 may presentation v2
Browser isolation (isc)2 may presentation v2
 
C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2C0c0n 2011 mobile security presentation v1.2
C0c0n 2011 mobile security presentation v1.2
 
Defending Behind the Mobile Device
Defending Behind the Mobile DeviceDefending Behind the Mobile Device
Defending Behind the Mobile Device
 
SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013SmartDevCon - Katowice - 2013
SmartDevCon - Katowice - 2013
 
Android Overview
Android OverviewAndroid Overview
Android Overview
 
The Endless Wave of Online Threats - Protecting our Community
The Endless Wave of Online Threats - Protecting our CommunityThe Endless Wave of Online Threats - Protecting our Community
The Endless Wave of Online Threats - Protecting our Community
 
LT-5-v1
LT-5-v1LT-5-v1
LT-5-v1
 
Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security Perspective
 
Challenges In Managing Embedded Product Development
Challenges In Managing Embedded Product DevelopmentChallenges In Managing Embedded Product Development
Challenges In Managing Embedded Product Development
 
Unauthorized Wireless Network Connections
Unauthorized Wireless Network ConnectionsUnauthorized Wireless Network Connections
Unauthorized Wireless Network Connections
 
Challenges EPs Face Going Mobile
Challenges EPs Face Going MobileChallenges EPs Face Going Mobile
Challenges EPs Face Going Mobile
 
Introduction to Android
Introduction to AndroidIntroduction to Android
Introduction to Android
 
Addressing Mobile App Testing Challenges
Addressing Mobile App Testing ChallengesAddressing Mobile App Testing Challenges
Addressing Mobile App Testing Challenges
 
Securing mobile population for White Hats
Securing mobile population for White HatsSecuring mobile population for White Hats
Securing mobile population for White Hats
 
Developing the MIT Mobile Web
Developing the MIT Mobile WebDeveloping the MIT Mobile Web
Developing the MIT Mobile Web
 
Implementing a Security strategy in IoT, Practical example Automotive Grade L...
Implementing a Security strategy in IoT, Practical example Automotive Grade L...Implementing a Security strategy in IoT, Practical example Automotive Grade L...
Implementing a Security strategy in IoT, Practical example Automotive Grade L...
 

Último

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 

Último (20)

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

Mobile Application Security

  • 1. Mobile Application Security Chris Clark cclark@isecpartners.com iSEC Partners, Inc. 04/23/09 | AND-301 Session Classification: Intermediate
  • 2. Agenda Mobile Today Security Challenges Supporting Security Actions 2
  • 4. Mobile Phone Sales Per Year 1200 Phones 1000 In Millions 800 600 400 200 0 1997 2009 Data from Tomi Ahonen Almanac 2009 4
  • 5. 5
  • 7. 7
  • 8. Trend Catalysts • Sexier Devices • Unlimited Data Plans • Younger Generation • Provider App Stores • F500 Acceptance • Multi-Environment Phones 8
  • 10. What is Security? • Not the PC or Server Model – Single User – High-Value Information – Low-Value Applications • Availability and Power • Local Attacker Resistance 10
  • 11. The Airline Pocket • Physical Security Just Doesn’t Exist • Phones will Be Lost • Need Ways of Protecting Data – Local encryption – Cloud storage 11
  • 12. Hardware Limitations • Limited Bandwidth • Power • CPU • Size Technology Will Solve These 12
  • 13. Screen Size *From RSnake 13
  • 16. User Identification • Real Time • Must be Available Immediately • One Handed Interface • More Prompts than PC 16
  • 17. “Ownership” • OS Vendor • User • Carrier • Application Developer All “Own” the Phone and Have Differing Objectives 17
  • 18. Distribution Challenges • Indirect Customer Relationship • Patching Difficulties – Carriers are anti-patch • Long Update Lag • Multiple Hardware Platforms 18
  • 19. Web Browsers • Different Browser Chrome • Inconsistent Standards Support • Too Much WebKit 19
  • 20. Unsafe Languages • Windows Mobile (C/C++) – .Net Mobile Framework (safe) – /GS, SafeCRT • iPhone (Objective-C) – Has C Constructs – NX Stack/Heap • Symbian (Symbian C++) – C++ with more Complex Memory Management 20
  • 21. Technical Comparison Feature Blackberry WinMo 6.x iPhone 2.2.1 Android Enterprise Mail and Calendar Remote Wipe Side-Load Applications Application Sandbox User permission UI App Signing Browser 21
  • 22. Technical Comparison Feature Blackberry WinMo 6 iPhone 2.2.1 Android Application Language Permission Model App Buffer Overflows OS Buffer Overflow Protections Signature Required?
  • 23. Vulnerability Count by Platform 23
  • 25. Growing Security Activity • Targeted by Security Community • CanSecWest • Asian & European Research • Commercial Spy Products 25
  • 26. Mobile Web Presence • Multiple Internet Presences – Mobile vs. Standard • Both are on the Internet – Accept “All” Connections – Pen-Test from Desktop • Common Real World Result: – Primary website secured – Mobile site unprotected 26
  • 27. Common Mobile Portal Mistakes • Using a Different SLD – bank.mobilecorp.com – mobilecorp.com/bank • Same Credentials as .com • Phishing Education Destroyed – If it Ever Worked
  • 29. Security Goals • Users can Safely Run Applications • OS Protected from Applications – A.K.A. Steal Carrier Revenue • Per-Application Private Data • Contain Vulnerabilities 29
  • 30. Two Models Old Way New Way App App App Privileged Normal App App App 30
  • 31. Old Way • BlackBerry & Windows Mobile • All or Nothing • Signatures Defines Permission Level • No or Limited File Permission Systems • No “users” – Good, because it doesn’t make sense 31
  • 32. Pros/Cons Pros Cons • Easy to Understand • No Exploit Containment • Easy to Test • User can’t Make Granular Choices 32
  • 33. Windows Mobile App 1 App 2 App 3 App 4 Kernel Kernel File System 33
  • 34. Blackberry • J2ME Based • No Raw Device Access • Web Services and Web Based Models 34
  • 35. Security Opportunities • More Granular Permissions • Sandboxed Applications • Reduced Attack Surface • Give Users Control of Data 35
  • 36. iPhone App 1 App 2 App 3 App 4 Kernel App 1 App 2 App 3 App 4 Data Data Data Data 36
  • 37. iPhone • One Distribution Method • Strict AppStore Policy • Non-Technological Policy Enforcement Application Store is a Security Barrier 37
  • 38. Android & Symbian App 1 App 2 App 3 App 4 Kernel App 1 App 2 App 3 App 4 Data Data Data Data 38
  • 39. Benefits • Extensible to Custom Data Types • Users Have Control • Same-Developer Sandbox – An Office Suite is Possible – Attack Surface Increased 39
  • 41. Android Market • Self-Signed Certificates • Community Reputation • No Unsigned Code Allowed Application Store is a Security Barrier 41
  • 43. For Enterprises • Define a Mobile Application Security Policy • Set User Application Security Policy – Are App Stores Allowed? • Build Secure Line of Business Applications • Create a Unified Model for Mobile Interactions – Don’t mix “m.” with /mobile or .mobi domains 43
  • 44. For Developers • Define Security Assertions for Users • Define Threats – Lost Phone – Network Attacks • Create Limits – E.g. Read-only Mobile Endpoints • Apply Secure Development Guidelines • Test on Real Devices 44
  • 45. For Mobile Web Developers • Disallow Older Browsers • Do Not Decrease Overall Security – Tightly-Scope Functionality – Use SSL and Proper Domains • Strong Authentication – Unique Authentication for Mobile Sites • Don’t Make Phishing Easier – Keep Links out of Email – Maintain Clear Message 45