Transcript of Mobile Security
Mobile Security
“Bring war material with you from home but forage on the enemy” - Sun Tzu
Xavier Mertens, Beltug SIG Security - Jan 2013
Disclaimer
“The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”
Agenda
• Introduction: Top-10 mobile risks
• Company owned devices
• Employee owned device (BYOD)
• Risks inherent in mobile devices
• Mobile applications development
Top-10 Mobile Risks
• Insecure data storage
• Weak server side controls
• Insufficient transport layer protection
• Client side injection
• Poor authentication & authorization
• Improper session handling
• Security decisions via untrusted inputs
• Side channel data leakage
• Broken cryptography
• Sensitive information disclosure
(Source: OWASP Mobile Top 10)
Mobile devices are computers!
Company Owned Devices
Easy? Really?
• Limited set of manufacturers/OS
• Full control of hell?
• People try to break out of the jail (as they already do with locked-down laptops)
• Need procedures (backups, helpdesk)
Corporate Policy
• Must be communicated & approved before device provisioning
• Communication channels: addendum to a contract, Intranet, a “check box”?
• Restrictions (SD cards, Bluetooth, camera)
• What about private data? (pictures, MP3, downloaded (paid!) apps)
Examples
• Document already available on beltug.be (Members section)
• Simple policy: http://www.security-marathon.be/?p=1466 (Jean-Sébastien Opdebeeck)
Data Classification
• Another approach is implementing data classification
• Implementation of the “least privilege” principle
• Access to data is based on profiles
• Work with any device! (benefit broader than the scope of mobile devices)
Data Classification

Classification        Company Owned Devices   Personal Devices
Top-Secret            No                      No
Highly Confidential   No                      No
Proprietary           Yes                     No
Internal Use Only     Yes                     Yes
Public                Yes                     Yes
Employee Owned Devices
Why do people BYOD?
• Devices became cheaper and powerful
• The “Generation Y”
• Always online everywhere!
First Question?
• Are you ready to accept personal devices on your network?
• It’s a question of ... risk!
• Examples:
• Data loss
• Network intrusion
• Data ex-filtration
“MDM”?
• Do you need an MDM solution? (Mobile Device Management)
• Can you trust $VENDORS?
• Microsoft Exchange includes ActiveSync (and its device policies) for free
• Most security $VENDORS propose (basic) tools to handle mobile devices
Minimum Requirements
• Automatic lock + password
• No jailbroken devices
• Remote wipe
• Backups (who’s responsible?)
Risks Inherent In Mobile Devices
Personal Hotspots
• Tethering allows mobile devices to be used as hotspots
• Corporate devices (laptops) could bypass Internet access controls
• Risks of rogue routers (if IP forwarding is enabled on the device)
Rogue App Stores
• A mobile device without apps is less useful
• Owners tend to install any app
• Some apps request far more permissions than they need
• People trust Apps stores and developers
• Developers must write good code
QR Codes
Geolocalization
NFC
Home & Cars
Mobile Application Development
OWASP Mobile Security Project
• Mobile testing guide
• Secure mobile development guide
• Top-10 mobile controls and design principles
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
Lack of/Bad Encryption
• Developers re-invent the wheel: do not write your own encryption algorithm, use a vetted library and a standard authenticated mode
• Encrypt everything (data at rest, data in transit)
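The following Go program is an added example for this slide, not code from the presentation. It contrasts a home-made repeating-key XOR "cipher" (the kind of wheel developers re-invent) with AES-256-GCM from Go's standard library: one known record is enough to recover the XOR key, while the AEAD round-trips correctly and fails closed on a single flipped bit. The sample record, key and associated data are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// xorEncrypt is the kind of home-made "encryption" the slide warns against:
// a short key XORed repeatedly over the data. It is here only to show how it
// fails; never ship it.
func xorEncrypt(key, data []byte) []byte {
	out := make([]byte, len(data))
	for i := range data {
		out[i] = data[i] ^ key[i%len(key)]
	}
	return out
}

// recoverXORKey: one known plaintext/ciphertext pair gives the key outright,
// because c XOR p == k. After that every other record is readable.
func recoverXORKey(plain, ct []byte, keyLen int) []byte {
	return xorEncrypt(plain[:keyLen], ct[:keyLen])
}

// sealAESGCM uses a standard AEAD (AES-256-GCM) from Go's standard library.
// A fresh random 12-byte nonce is generated per message and prepended to the
// output; the GCM tag at the end detects any tampering.
func sealAESGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce slice.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openAESGCM reverses sealAESGCM and fails closed on any modification of
// nonce, ciphertext, tag or associated data.
func openAESGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed sample record; the attacker is assumed to know this one.
	key := []byte("secret!!")
	record := []byte("card=4111111111111111;pin=1234")
	ct := xorEncrypt(key, record)
	fmt.Printf("home-made XOR: key recovered from one known record: %q\n",
		recoverXORKey(record, ct, len(key)))

	aesKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, aesKey); err != nil {
		panic(err)
	}
	aad := []byte("record-id=42") // bound to the ciphertext but not hidden
	sealed, err := sealAESGCM(aesKey, record, aad)
	if err != nil {
		panic(err)
	}
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the tag
	if _, err := openAESGCM(aesKey, sealed, aad); err != nil {
		fmt.Println("AES-GCM: tampering detected:", err)
	}
}
```

The point of the random per-message nonce is that the same record sealed twice produces different ciphertexts, which the XOR scheme cannot do; the point of the associated data is that a ciphertext copied into another record's slot is rejected at open time. Key storage (keychain/keystore, not a string constant in the app) is the remaining problem and is outside what this snippet shows.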
Local VS. Remote Storage

Storage   Pros                               Cons
Local     No network costs, Speed            Risk of loss, Outdated data
Central   Always updated, No risk of loss    Data network ($), Speed
Geolocalization
• Again! But this time for good purposes
• Do not allow some actions or apps (e.g. opening a wallet) if GPS data shows the phone outside Europe
• Combine with passwords for stronger authentication/authorization
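The following Go program is an added example illustrating this slide, not code from the presentation. It applies the rule as stated (sensitive actions such as opening the wallet are refused when the fix lies outside a coarse European bounding box, and location is only ever combined with the password, never used alone) and goes one step further by rejecting an implausible location history (an "impossible travel" check using the haversine distance), because a GPS reading is spoofable and must stay a signal rather than proof. The bounding box, the list of sensitive actions, the 1000 km/h threshold and the sample fixes are all assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"time"
)

// Fix is one location reading from the device. Constructed for this example;
// a real app would get it from the platform location API.
type Fix struct {
	Lat, Lon float64
	At       time.Time
}

// Coarse bounding box for "Europe", an assumption for this example. A real
// policy would enumerate the countries the business actually operates in.
const (
	euMinLat, euMaxLat = 34.0, 72.0
	euMinLon, euMaxLon = -25.0, 45.0
)

func inEurope(f Fix) bool {
	return f.Lat >= euMinLat && f.Lat <= euMaxLat &&
		f.Lon >= euMinLon && f.Lon <= euMaxLon
}

// haversineKm is the great-circle distance between two fixes.
func haversineKm(a, b Fix) float64 {
	const earthRadiusKm = 6371.0
	toRad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat, dLon := toRad(b.Lat-a.Lat), toRad(b.Lon-a.Lon)
	h := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(toRad(a.Lat))*math.Cos(toRad(b.Lat))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusKm * math.Asin(math.Sqrt(h))
}

// plausibleMove rejects "impossible travel": the device cannot have covered
// the distance since the previous fix faster than maxKmh. GPS is spoofable,
// so this only catches careless spoofing; it is a signal, not proof.
func plausibleMove(prev, cur Fix, maxKmh float64) bool {
	hours := cur.At.Sub(prev.At).Hours()
	if hours <= 0 {
		return false
	}
	return haversineKm(prev, cur)/hours <= maxKmh
}

type Decision int

const (
	Deny Decision = iota
	RequirePassword
	Allow
)

// sensitiveActions are the operations the slide wants geofenced (assumption).
var sensitiveActions = map[string]bool{"open_wallet": true, "transfer": true}

// authorize applies the slide's rule: a password is always required, location
// is an extra condition for sensitive actions, and an implausible location
// history denies everything.
func authorize(action string, prev, cur Fix, passwordOK bool) (Decision, error) {
	if !plausibleMove(prev, cur, 1000) { // faster than an airliner
		return Deny, errors.New("implausible movement since last fix")
	}
	if sensitiveActions[action] && !inEurope(cur) {
		return Deny, fmt.Errorf("%s refused outside the geofence", action)
	}
	if !passwordOK {
		return RequirePassword, nil
	}
	return Allow, nil
}

func main() {
	t0 := time.Date(2013, 1, 15, 9, 0, 0, 0, time.UTC)
	brussels := Fix{50.85, 4.35, t0}
	newYork := Fix{40.71, -74.01, t0.Add(30 * time.Minute)}
	dubai := Fix{25.20, 55.27, t0.Add(24 * time.Hour)}
	cases := []struct {
		action string
		cur    Fix
	}{
		{"open_wallet", Fix{50.86, 4.36, t0.Add(time.Hour)}},
		{"open_wallet", newYork},
		{"open_wallet", dubai},
		{"read_news", dubai},
	}
	for _, c := range cases {
		d, err := authorize(c.action, brussels, c.cur, true)
		fmt.Printf("%-12s -> decision=%d err=%v\n", c.action, d, err)
	}
}
```

Note the order of the checks: the plausibility test runs first so that a spoofed "inside Europe" fix that contradicts the previous one is not trusted, and the password check comes last so that the app never reveals through a password prompt whether the geofence would have passed.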
Enterprise Appstores
• Goal: distribute, secure and manage mobile apps through your own company-branded appstore.
• Applications available in the appstore have been approved by a strong validation process.
Thank You!
Xavier Mertens - [email protected] - @xme - http://blog.rootshell.be