Looking to Build a Secure Enterprise Mobile Application? Here's How! Mush Hakhinian, Chief Security Architect, Intralinks

Transcript of Looking to Build a Secure Enterprise Mobile Application? Here's How!

  • Slide 1
  • Looking to Build a Secure Enterprise Mobile Application? Here's How! Mush Hakhinian, Chief Security Architect, Intralinks
  • Slide 2
  • Intralinks 2014. Looking to Build a Secure Enterprise Mobile Application? Here's How! Mush Hakhinian, Chief Security Architect, [email protected]
  • Slide 3
  • Agenda: Overview; Introduction; Essential Security Features; Verifying Mobile App Security; Summary; Q&A
  • Slide 4
  • Intralinks Company Overview
    - Company: founded in 1996; 715 employees (as of April 2014); publicly traded (NYSE:IL)
    - Financials: $234.5M revenue (2013); $36.9M adjusted EBITDA (2013)
    - Customer footprint: used by 99% of the Fortune 1000; $23.5T of financial transactions completed on Intralinks; customers include the top 20 pharma firms, top 10 biotech firms and top 5 CROs
    - Technology platform: $38.8M R&D (2013, highest among peers as a share of revenue); 3.1M total paid users across 90K organizations since launch; 34K new users per month with an average of 48K logins per day
  • Slide 5
  • We address the breadth of enterprise content sharing needs on a single cloud content collaboration platform. (Slide diagram: number of users on one axis, business value per user on the other, with three tiers.)
    - File synchronization and sharing: mobile content access, ad hoc content collaboration, secure large file exchange
    - Content distribution and management (Enterprise): design and manage secure content repositories (legal, sales, HR, etc.), configure detailed compliance reports, integrate with enterprise IT content (SharePoint, etc.)
    - Content-centric applications: customer-specific solutions on the Intralinks platform (configured by Intralinks, the customer or a partner)
  • Slide 6
  • Introduction: consumer devices are used to connect to enterprise systems, so mobile apps need to provide enterprise-grade security. Smartphones surpassed PC sales on 7/20/11.
  • Slide 7
  • Qualities of a Secure Mobile App: compartmentalized data; standards-based encryption; strong authentication; control of the app lifecycle
  • Slide 8
  • Compartmentalized Data
    - Always remember that the app interacts with an enterprise system. Consumer apps usually cache data locally; make sure the enterprise system, not the app, controls whether data can be cached.
    - Design the app so it can work with in-memory data only, and assume there will be no local copy.
    - If local data is allowed, IT should be able to destroy that data without needing to wipe the whole device (a selective wipe of the app's data rather than an MDM device wipe).
  • Slide 9
  • Own Encryption
    - Encrypt all local data with 256-bit keys (standards-based, e.g. AES-256; use an authenticated mode so tampering with the ciphertext is detected).
    - Usually the app needs to store session-related information on disk (e.g. for a remember-me function); treat that data as sensitive.
    - Always treat information in configuration files as private.
    - Implement a secure key exchange so the encryption key is never stored on the device.
  • Slide 10
  • Strong Authentication: implement two-factor authentication; make a PIN mandatory for remember-me functionality; never compromise on security for convenience.
  • Slide 11
  • Control App Lifecycle
    - Control whether the app can run in the background. Developers may tie clearing the cache to the app unloading, so explicitly disable the app's ability to run in the background so that it unloads; make this the default setting.
    - If running in the background is required, make sure the data is not available to other apps.
    - Check for jailbroken devices.
  • Slide 12
  • Finding Security Issues Before Adversaries Do: code review; testing with debuggers; potential issues and solutions
  • Slide 13
  • Code Review: do a full code review; hire professionals.
  • Slide 14
  • Test with Debuggers: run the app through debuggers and simulators to find data left behind.
  • Slide 15
  • Potential Issues and Solutions (1): Running the app in the emulator, we looked at the directory that $TMPDIR points to and found temporary data left behind. Write a delegate to remove the data before exiting the app.
  • Slide 16
  • Potential Issues and Solutions (2): When run from the emulator, we saw that the app was storing the user's PIN and single sign-on token in clear text.
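The encryption, remember-me and compartmentalization points (slides 8, 9 and 10) and the clear-text PIN and token finding above come together in one design: the key that protects the local cache is never written to the device, the PIN is only ever an input to key derivation, and the on-disk remember-me state holds nothing secret. The Swift code below is an added example, not Intralinks' code. It assumes the enterprise server releases a 32-byte key share over TLS only after validating the remember-me token and the PIN with server-side rate limiting (hypothetical server behaviour), and that the opaque token itself is kept in the Keychain with kSecAttrAccessibleWhenUnlockedThisDeviceOnly (Keychain calls not shown). The HKDF label, attempt limit and sample values are constructed for the example. It runs with `swift` on Apple platforms (CryptoKit) or on Linux with the swift-crypto package.

```swift
import Foundation
#if canImport(CryptoKit)
import CryptoKit          // Apple platforms
#else
import Crypto             // swift-crypto on Linux exposes the same API
#endif

enum VaultError: Error { case sealFailed, wrongPin, localDataDestroyed }

/// Local cache encryption where the 256-bit data key is re-derived every
/// session from a server-released share plus the user's PIN and never persisted.
enum LocalVault {
    static let context = Data("enterprise-app local cache v1".utf8)  // hypothetical HKDF label

    /// HKDF-SHA256 over serverShare || PIN, salted with a random per-install value.
    /// The salt is not secret and may be stored in the clear; the PIN and share are not stored at all.
    static func deriveKey(serverShare: Data, pin: String, deviceSalt: Data) -> SymmetricKey {
        precondition(serverShare.count == 32, "server share must be 256 bits")
        return HKDF<SHA256>.deriveKey(
            inputKeyMaterial: SymmetricKey(data: serverShare + Data(pin.utf8)),
            salt: deviceSalt, info: context, outputByteCount: 32)
    }

    /// AES-256-GCM with a fresh random nonce; returns nonce || ciphertext || tag, safe to write to disk.
    static func seal(_ plaintext: Data, using key: SymmetricKey) throws -> Data {
        guard let blob = try AES.GCM.seal(plaintext, using: key).combined else { throw VaultError.sealFailed }
        return blob
    }

    static func open(_ blob: Data, using key: SymmetricKey) throws -> Data {
        try AES.GCM.open(AES.GCM.SealedBox(combined: blob), using: key)
    }
}

/// The only remember-me state allowed on disk: no PIN, no key. The opaque token
/// belongs in the Keychain (kSecAttrAccessibleWhenUnlockedThisDeviceOnly), not a plist.
struct RememberMeState: Codable {
    var deviceSalt: Data
    var rememberMeToken: Data
    var failedPinAttempts = 0
}

/// Holds the derived key in memory only. Opening a known ciphertext doubles as
/// the PIN check: a wrong PIN gives a wrong key and the GCM tag fails to verify.
final class CacheSession {
    private(set) var key: SymmetricKey?
    private(set) var state: RememberMeState
    private(set) var cache: [String: Data] = [:]   // stand-in for encrypted cache files
    let maxAttempts = 5                             // assumption; follow enterprise policy

    init(state: RememberMeState) { self.state = state }

    /// Called at launch after the server returned its share for this device's token.
    func unlock(pin: String, serverShare: Data, probe: Data) throws {
        let candidate = LocalVault.deriveKey(serverShare: serverShare, pin: pin, deviceSalt: state.deviceSalt)
        guard (try? LocalVault.open(probe, using: candidate)) != nil else {
            state.failedPinAttempts += 1
            if state.failedPinAttempts >= maxAttempts { destroyLocalData(); throw VaultError.localDataDestroyed }
            throw VaultError.wrongPin
        }
        state.failedPinAttempts = 0
        key = candidate
    }

    /// Selective wipe without an MDM device wipe: drop the key, the ciphertext and the token.
    /// Revoking the token server-side has the same effect, since ciphertext cannot be opened without the share.
    func destroyLocalData() {
        key = nil
        cache.removeAll()
        state.rememberMeToken = Data()
    }
}

// Demo with constructed values; a real app receives the share from the server over TLS.
let serverShare = Data((0..<32).map { _ in UInt8.random(in: 0...255) })
let state = RememberMeState(deviceSalt: Data((0..<16).map { _ in UInt8.random(in: 0...255) }),
                            rememberMeToken: Data("opaque-token".utf8))
let key = LocalVault.deriveKey(serverShare: serverShare, pin: "2468", deviceSalt: state.deviceSalt)
let probe = try LocalVault.seal(Data("probe".utf8), using: key)          // written once at enrolment
let document = try LocalVault.seal(Data("confidential deal memo".utf8), using: key)

let session = CacheSession(state: state)
do { try session.unlock(pin: "0000", serverShare: serverShare, probe: probe) } catch { print("wrong PIN rejected: \(error)") }
try session.unlock(pin: "2468", serverShare: serverShare, probe: probe)
print(String(decoding: try LocalVault.open(document, using: session.key!), as: UTF8.self))
session.destroyLocalData()
assert(session.key == nil && session.state.rememberMeToken.isEmpty)
```

A short PIN is only safe in this scheme because the share is not on the device: whoever steals the device gets ciphertext, a salt and a revocable token, and every PIN guess has to go through the server, which can throttle, lock out or revoke. The local attempt counter is defence in depth, not the primary control.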
  • Slide 17
  • Potential Issues and Solutions (3): When the iPhone/iPad Home button is pressed, the system creates a screenshot of the current view and stores it as an image on the device. Two options: 1. Set the "Application does not run in background" property (the UIApplicationExitsOnSuspend key) to YES in the Info.plist file. 2. In applicationDidEnterBackground, change the current view to a standard sanitized view so that no data leaks into the screenshot. Note for current platforms: UIApplicationExitsOnSuspend is deprecated and ignored from iOS 13 onward, so option 2 is the one that still works.
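The background-control advice on slide 11, the $TMPDIR cleanup on slide 15 and the sanitized-view option on slide 17 all live in the same place on iOS: the application delegate. The Swift example below is an added illustration, not Intralinks' code. It assumes an AppDelegate-based lifecycle in which the main storyboard creates the window (an app using UIScene puts the same logic in the scene delegate's sceneWillResignActive, sceneDidEnterBackground and sceneDidBecomeActive), and the jailbreak markers are a heuristic assumption rather than a complete check.

```swift
import UIKit

@main
final class AppDelegate: UIResponder, UIApplicationDelegate {
    var window: UIWindow?                 // set by the main storyboard (assumption)
    private var coverView: UIView?

    func application(_ application: UIApplication,
                     didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey: Any]? = nil) -> Bool {
        if DeviceIntegrity.looksJailbroken() {
            // Hypothetical policy: show a blank blocking screen instead of enterprise content.
            let blocked = UIViewController()
            blocked.view.backgroundColor = .systemBackground
            window?.rootViewController = blocked
        }
        return true
    }

    // Fires before applicationDidEnterBackground, and also for the app switcher,
    // incoming calls and Control Center, so the cover goes up here first.
    func applicationWillResignActive(_ application: UIApplication) {
        installCover()
    }

    // The system takes its snapshot shortly after this method returns, so any
    // change to the UI must be synchronous and unanimated.
    func applicationDidEnterBackground(_ application: UIApplication) {
        installCover()            // in case willResignActive did not run
        purgeTemporaryFiles()     // slide 15: data left behind in $TMPDIR
        // Drop decrypted in-memory caches here too so they do not survive suspension.
    }

    func applicationDidBecomeActive(_ application: UIApplication) {
        removeCover()
    }

    func applicationWillTerminate(_ application: UIApplication) {
        purgeTemporaryFiles()
    }

    /// Opaque cover placed over the whole window. Render only a static logo or
    /// title here; never document content, since this is what the snapshot captures.
    private func installCover() {
        guard let window = window, coverView == nil else { return }
        let cover = UIView(frame: window.bounds)
        cover.backgroundColor = .systemBackground
        window.addSubview(cover)
        coverView = cover
    }

    private func removeCover() {
        coverView?.removeFromSuperview()
        coverView = nil
    }

    /// Removes everything in the directory $TMPDIR points to for this app.
    private func purgeTemporaryFiles() {
        let fm = FileManager.default
        guard let items = try? fm.contentsOfDirectory(at: fm.temporaryDirectory,
                                                      includingPropertiesForKeys: nil) else { return }
        for url in items { try? fm.removeItem(at: url) }
    }
}

enum DeviceIntegrity {
    /// Heuristic only; a determined attacker can hide every one of these signals.
    static func looksJailbroken() -> Bool {
        let markers = ["/Applications/Cydia.app", "/bin/bash", "/usr/sbin/sshd", "/private/var/lib/apt"]
        if markers.contains(where: { FileManager.default.fileExists(atPath: $0) }) { return true }
        // The sandbox must refuse writes outside the app container; success means it is broken.
        let probe = "/private/jb_probe_\(UUID().uuidString)"
        if FileManager.default.createFile(atPath: probe, contents: nil) {
            try? FileManager.default.removeItem(atPath: probe)
            return true
        }
        return false
    }
}
```

Installing the cover in applicationWillResignActive rather than only in applicationDidEnterBackground matters: the resign-active transition is where the app switcher and system overlays appear, and by the time applicationDidEnterBackground returns the snapshot is already being taken. Purging temporary files on backgrounding as well as on termination closes the gap the slide describes for apps that are suspended rather than unloaded.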
  • Slide 18
  • Summary
    - Does the app work with an MDM?
    - Look out for regulatory requirements.
    - The mobile app should protect its own data.
    - Secure key exchange for encryption is necessary.
    - Perform a code review before releasing the app.
    - Ensure that mobile features do not leave data behind.
  • Slide 20
  • Continuing the Discussion. Contact: Mush Hakhinian, Chief Security Architect, Intralinks, [email protected], 617.357.3643