
Posted on 19-Oct-2014


DESCRIPTION

Mobile Application Security presentation at IBM Innovate Conference with Raj Balasubramanian

TRANSCRIPT

Page 1: Mobile Application Security

IBM Innovate 2012
Mobile Application Security: Foundation & Directions
IPI2478

Raj Balasubramanian, Product Architect, IBM Mobile Foundation, [email protected]
Dirk Nicol, Product Manager, IBM Mobile Foundation, [email protected]

Page 2: Mobile Application Security

© 2012 IBM Corporation 2

The Premier Event for Software and Systems Innovation

Please note

IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.

Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

Page 3: Mobile Application Security


61% of CIOs put mobile as a priority
45% increased productivity with mobile apps
10 billion devices by 2020

Mobile is transformational

Page 4: Mobile Application Security


IBM strategy addresses client mobile initiatives

Build & Connect
• Build mobile applications
• Connect to, and run backend systems in support of mobile

Manage & Secure
• Manage mobile devices, services and applications
• Secure my mobile business

Extend & Transform
• Extend existing business capabilities to mobile devices
• Transform the business by creating new opportunities

Page 5: Mobile Application Security


A deeper look at Manage & Secure capabilities

Manage & Secure Key Capabilities
• Mobile lifecycle management
• Device analytics and control
• Secure network communications & management

Client initiatives addressed: manage mobile devices, services and applications; secure my mobile business

Page 6: Mobile Application Security


Mobile Devices: Unique Management & Security Challenges

Mobile devices are shared more often
• Personal phones and tablets shared with family
• Enterprise tablet shared with co-workers
• Social norms of mobile apps vs. file systems

Mobile devices have multiple personas
• Work tool
• Entertainment device
• Personal organization
• Security profile per persona?

Mobile devices are diverse
• OS immaturity for enterprise mgmt
• BYOD dictates multiple OSs
• Vendor / carrier control dictates multiple OS versions

Mobile devices are used in more locations
• A single location could offer public, private, and cell connections
• Anywhere, anytime
• Increasing reliance on enterprise WiFi

Mobile devices prioritize the user
• Conflicts with user experience not tolerated
• OS architecture puts the user in control
• Difficult to enforce policy, app lists

Page 7: Mobile Application Security


Mobile Risks

Top 10 Mobile Risks
1. Insecure Data Storage
2. Weak Server Side Controls
3. Insufficient Transport Layer Protection
4. Client Side Injection
5. Poor Authorization and Authentication
6. Improper Session Handling
7. Security Decisions Via Untrusted Inputs
8. Side Channel Data Leakage
9. Broken Cryptography
10. Sensitive Information Disclosure

Source: OWASP Mobile Security Project

Page 8: Mobile Application Security


Challenges of Enterprise Mobility

Achieving Data Separation & Providing Data Protection
• Data separation: personal vs corporate
• Data leakage into and out of the enterprise
• Partial wipe vs. device wipe vs. legally defensible wipe
• Data policies

Adapting to the BYOD / Consumerization of IT Trend
• Multiple device platforms and variants
• Multiple providers
• Managed devices (B2E)
• Unmanaged devices (B2B, B2E, B2C)
• Endpoint policies
• Threat protection

Providing secure access to enterprise applications & data
• Identity of user and devices
• Authentication, Authorization and Federation
• User policies
• Secure Connectivity

Developing Secure Applications
• Application life-cycle
• Vulnerability & Penetration testing
• Application Management
• Application policies

Designing & Instituting an Adaptive Security Posture
• Policy Management: Location, Geo, Roles, Response, Time policies
• Security Intelligence
• Reporting

Page 9: Mobile Application Security


So How do I Protect My Mobile Initiatives?

• Secure endpoint device and data
• Secure access to enterprise applications and data
• Develop, test and deliver safe applications
• Achieve Visibility and Enable Adaptive Security Posture

[Diagram: Mobile apps and Web sites reach the Corporate Intranet & Systems over the Internet, WiFi or a Telecom Provider, passing through a Security Gateway]

Begin by taking a holistic view of Mobile Security

Page 10: Mobile Application Security


Spectrum of Mobile Security Requirements

Device Platforms: 30 device manufacturers, 10 operating platforms, i.e. iOS, Android, Windows Mobile, Symbian, etc
Mobile Application Platforms & Containers
Mobile Applications, i.e. Native, Hybrid, Web Application

Mobile Device Management
• Acquire/Deploy: Register, Activation
• Manage/Monitor: Content Mgmt, Self Service, Reporting
• Retire: De-provision

App/Test Development: Secure Mobile Application Development
• Vulnerability testing
• Mobile app testing
• Enforced by tools
• Enterprise policies

Data, Network & Access Security
• Mobile Device Security Management: Device wipe & lockdown, Password Management, Configuration, Policy Compliance
• Mobile Information Protection: Data encryption (device, file & app), Mobile data loss prevention
• Mobile Threat Management: Anti-malware, Anti-spyware, Anti-spam, Firewall/IPS, Web filtering, Web Reputation
• Mobile Network Protection: Secure Communications (VPN), Edge Protection
• Mobile Identity & Access Management: Identity Management, Authorize & Authenticate, Certificate Management, Multi-factor
• Mobile Security Intelligence

Mobile devices are not only computing platforms but also communication devices, hence mobile security is multi-faceted, driven by customers’ operational priorities

Page 11: Mobile Application Security


Mobile App Security: Defending the Software

• Consistently apply and enforce best practices during Development
• Perform vulnerability analysis during Testing
• Provide or employ a secure channel for delivering apps
• Employ a secure runtime environment to safeguard app data
• Perform checks to validate the integrity of apps
• As threats evolve, recognize required updates and establish a process for pushing them to users

Page 12: Mobile Application Security


Mobile Security Enabled with IBM Solutions

Secure Data & the Device
• IBM WorkLight Runtime for safe mobile apps: encrypted data cache; app validation
• IBM Endpoint Manager for Mobile (Configure, Provision, Monitor): set appropriate security policies; enable endpoint access; ensure compliance

Protect Access to Enterprise Apps & Data
• IBM Security Access Manager for Mobile (Authenticate & Authorize users and devices): standards support for OAuth, SAML, OpenID; Single Sign-On & Identity Mediation
• IBM Mobile Connect (Secure Connectivity): app level VPN

Achieve Visibility & Enable Adaptive Security Posture
• IBM QRadar (System-wide Mobile Security Awareness): risk assessment; threat detection

Build & Run Safe Mobile Apps
• IBM WorkLight (Develop safe mobile apps): Direct Updates
• IBM AppScan for Mobile (Vulnerability testing): dynamic & static analysis of hybrid and mobile web apps
• IBM DataPower (Protect enterprise applications): XML security & message protection; protocol transformation & mediation

Page 13: Mobile Application Security


The Difference Between Secure Apps and Device Management

Mobile Device Management: device-level control
• Password protection
• File-system encryption
• Managed apps
• Jailbreak detection
Requires consent of user to have enterprise manage entire device

Application-Level Security: app takes care of itself
• Authentication
• File encryption
• Remote administration
• Adaptive functionality
Applicable in all scenarios, including BYOD and consumer-facing contexts

Page 14: Mobile Application Security


Worklight Runtime Architecture

Worklight Server
• Authentication
• JSON Translation
• Server-side Application Code
• Adapter Library
• Client-side App Resources
• Direct Update
• Mobile Web Apps
• Unified Push Notifications
• Stats Aggregation

Device Runtime
• Application Code
• Cross Platform Technology
• Security and Authentication
• Back-end Data Integration
• Post-deployment control
• Diagnostics

Page 15: Mobile Application Security


Mobile Application Security Objectives

Protect data on the device

• Malware, Jailbreaking

• Offline access

• Device theft

• Phishing, repackaging

Streamline Corporate security approval processes

• Complex

• Time-consuming

Enforce security updates

• Be proactive: can’t rely on users getting the latest software update on their own

Provide robust authentication and authorization

• Existing authentication infrastructure

• Passwords are more vulnerable

Protect from the “classic” threats to the application security

• Hacking

• Eavesdropping

• Man-in-the-middle

Page 16: Mobile Application Security


IBM WorkLight: Security By Design

Enforcing security updates
• Remote disable
• Direct update

Providing robust authentication and authorization
• Authentication integration framework
• Data protection realms
• Coupling device id with user id

Streamlining Corporate security processes
• Mobile platform as a trust factor

Application Security
• Code obfuscation
• SSL with server identity verification
• Proven platform security
• Jailbreak and malware detection
• App authenticity testing

Protecting data on the device and in transit
• Encrypted offline cache
• Offline authentication
• Secure connectivity

Page 17: Mobile Application Security



Integration points
• With VPN solutions (i.e. IBM Mobile Connect)
• With MDM solutions (i.e. IBM Endpoint Manager for Mobile)
• With User Security solutions (i.e. IBM Security Access Manager for Mobile)

Page 18: Mobile Application Security


Protecting data on the device

Threats addressed: Malware, Jailbreaking; Device theft; Offline access; Phishing, repackaging

• Encrypted offline cache
• Offline authentication using password
• Extended authentication with server using secure challenge-response on startup
• App authenticity testing: server-side verification mechanism to mitigate risk of phishing through repackaging or app forgery
• Compatibility with various jailbreak and malware detection libraries

Page 19: Mobile Application Security


Enforcing security updates

Can’t rely on users getting the latest software update on their own

• Remote Disable: shut down specific versions of a downloadable app, providing users with a link to update
• Direct Update: automatically send new versions of the locally-cached HTML/JS resources to installed apps
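An added example (not Worklight's code) of the startup check behind the two mechanisms above: the server disables native versions below a policy minimum and hands back the update link, or pushes the current HTML/JS bundle when the client's cached copy differs, and the client swaps the bundle in only after verifying its digest. The policy values, file names and URL are constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class AppPolicy:
    min_native_version: tuple   # native versions below this are remotely disabled
    update_url: str             # link handed to users of a disabled version
    web_resources: dict         # current HTML/JS bundle: file name -> bytes


def parse_version(text):
    """'1.2' -> (1, 2, 0), so comparison is numeric per component, not string order."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def bundle_digest(resources):
    """SHA-256 over the bundle in a canonical order, so client and server agree."""
    h = hashlib.sha256()
    for name in sorted(resources):
        h.update(name.encode() + b"\0" + resources[name] + b"\0")
    return h.hexdigest()


def startup_check(policy, native_version, client_digest):
    """Server decision when an installed app reports its version and cached bundle."""
    if parse_version(native_version) < policy.min_native_version:
        # Remote Disable: this version is shut down and the user gets the update link
        return {"action": "disable", "update_url": policy.update_url}
    current = bundle_digest(policy.web_resources)
    if client_digest != current:
        # Direct Update: send the new locally-cached HTML/JS resources to the app
        return {"action": "direct_update", "digest": current, "resources": policy.web_resources}
    return {"action": "ok"}


def apply_direct_update(cache, response):
    """Client side: swap in the new bundle only if it matches the announced digest.
    The transport still has to be SSL with server identity verification (as the
    deck lists); this check only catches a truncated or corrupted transfer."""
    if response["action"] != "direct_update":
        return cache
    if bundle_digest(response["resources"]) != response["digest"]:
        raise ValueError("direct update rejected: bundle does not match announced digest")
    return dict(response["resources"])


def demo_policy():
    """Constructed policy: native 1.0.x is disabled; the bundle carries a patched login page."""
    return AppPolicy(
        min_native_version=(1, 1, 0),
        update_url="https://example.invalid/app/update",  # placeholder, not a real endpoint
        web_resources={"index.html": b"<html>v2</html>", "app.js": b"login();"},
    )
```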

Page 20: Mobile Application Security


Authentication and Authorization

Providing robust authentication and authorization

Authentication integration framework
• Very flexible framework for simplifying integration of apps with existing authentication infrastructure
• Manages authenticated sessions with configurable expiration
• Open: e.g., custom OTP as anti-keylogger mechanism

Data protection realms
• Server-side services grouped into separate protection realms for different authentication levels

Device Provisioning
• Secure device ID generated as part of extensible provisioning process

Requirements addressed
• Need to integrate with existing authentication infrastructure
• Authenticate users when offline
• Mobile passwords are more vulnerable (keyboard more difficult to use, typed text is visible)

Page 21: Mobile Application Security


Session Authentication Management

Step 1 – Unauthenticated Session

1. Client calls a protected procedure on the Worklight Server
2. Server requests authentication: access denied because the session is unauthenticated or expired

Session:
• Created on first access from client
• Identified using session cookie
• Associated data is stored on the server

Page 22: Mobile Application Security


Session Authentication Management

Step 2 – Authentication

1. Obtain credentials from user and device
2. Forward credentials to the Worklight Server
3. Server processes the authentication data; if necessary:
• Consult with authentication servers
• Perform device provisioning
• Receive authentication token
• Associate token with session

Page 23: Mobile Application Security


Session Authentication Management

Step 3 – Authenticated Session

1. Procedure call on authenticated session
2. Worklight Server accesses the back-end service using the authentication token associated with the session
3. Procedure result returned to the client

Server-side session table (authentication tokens/state per realm):

Session ID      Auth Tokens/State
2bd4296a3f29    Realm 1: 25487      Realm 2: --------
25617ff82a90    Realm 1: --------   Realm 2: a6c9a
89a77921b02     Realm 1: 7b8df      Realm 2: 6a8a0
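As an added example, not from the deck or the Worklight product, the three-step sequence above together with the protection realms of page 20 modelled as a small server: sessions are created on first access, expire after inactivity, and hold one back-end token per realm, so a protected procedure is denied until its realm has been authenticated and the token never leaves the server. The class and function names, the 600-second TTL and the demo credentials are assumptions.

```python
import secrets
from dataclasses import dataclass, field

SESSION_TTL = 600  # seconds of inactivity before a session expires (assumed; "configurable" in the deck)

@dataclass
class Session:
    session_id: str                             # the value carried in the session cookie
    last_access: float                          # drives the configurable expiration
    tokens: dict = field(default_factory=dict)  # realm -> back-end auth token, server side only

class SessionAuthServer:
    """Server-side sessions, with protected procedures grouped into realms."""

    def __init__(self, realm_authenticators, clock):
        # realm_authenticators: realm -> callable(credentials) -> token or None;
        # it stands in for "consult with authentication servers" in step 2.
        self.realm_authenticators = realm_authenticators
        self.clock = clock                      # injectable so expiry can be tested
        self.sessions = {}
        self.procedures = {}                    # name -> (realm, handler(token, *args))

    def register_procedure(self, name, realm, handler):
        self.procedures[name] = (realm, handler)

    def _session(self, session_id):
        now = self.clock()
        sess = self.sessions.get(session_id)
        if sess is not None and now - sess.last_access > SESSION_TTL:
            del self.sessions[session_id]       # expired: its tokens go with it
            sess = None
        if sess is None:
            # Created on first access; the id is random and server-chosen, so a
            # cookie the server does not know is replaced rather than adopted
            sess = Session(secrets.token_hex(16), now)
            self.sessions[sess.session_id] = sess
        sess.last_access = now
        return sess

    def invoke(self, session_id, name, *args):
        """Steps 1 and 3: a protected procedure call is denied unless the session
        holds a token for the procedure's realm; otherwise it runs with that token."""
        sess = self._session(session_id)
        realm, handler = self.procedures[name]
        token = sess.tokens.get(realm)
        if token is None:
            return {"session_id": sess.session_id, "status": "auth_required", "realm": realm}
        return {"session_id": sess.session_id, "status": "ok", "result": handler(token, *args)}

    def authenticate(self, session_id, realm, credentials):
        """Step 2: credentials are forwarded to the realm's authenticator; the token
        it returns is associated with the session and never sent to the client."""
        sess = self._session(session_id)
        token = self.realm_authenticators[realm](credentials)
        if token is None:
            return {"session_id": sess.session_id, "status": "auth_failed", "realm": realm}
        sess.tokens[realm] = token
        return {"session_id": sess.session_id, "status": "authenticated", "realm": realm}

def build_demo_server(clock=lambda: 0.0):
    """Constructed two-realm setup: realm1 guards a balance lookup, realm2 a transfer."""
    def realm1_auth(creds):                     # constructed password check for one user
        return "tok-r1" if creds == {"user": "alice", "password": "correct horse"} else None

    def realm2_auth(creds):                     # constructed one-time code for the stronger realm
        return "tok-r2" if creds == {"otp": "492817"} else None

    srv = SessionAuthServer({"realm1": realm1_auth, "realm2": realm2_auth}, clock)
    # The handler receives the realm token, never the user's credentials
    srv.register_procedure("getBalance", "realm1", lambda token: {"balance": 42, "via": token})
    srv.register_procedure("transfer", "realm2", lambda token, amount: {"moved": amount, "via": token})
    return srv

def walkthrough():
    """Runs the deck's three steps and returns the status of each server response."""
    srv = build_demo_server()
    r1 = srv.invoke(None, "getBalance")          # step 1: first access creates an unauthenticated session
    sid = r1["session_id"]
    r2 = srv.authenticate(sid, "realm1", {"user": "alice", "password": "correct horse"})  # step 2
    r3 = srv.invoke(sid, "getBalance")           # step 3: call on the authenticated session
    r4 = srv.invoke(sid, "transfer", 10)         # realm2 still needs its own authentication
    return [r1["status"], r2["status"], r3["status"], r4["status"]]
```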

Page 24: Mobile Application Security


Custom containers: one team creates a custom container (“Shell Component”) for extensive security certification; other teams create HTML-only “inner apps” wrapped in that container.

Worklight Studio simplifies the reuse of custom containers across the organization

Page 25: Mobile Application Security


Mobile Security Enabled with IBM Solutions

IBM brings together a broad portfolio of technologies and services to meet the mobile security needs of customers across multiple industries

• Application security: Worklight; IBM Rational AppScan
• Mobile device management: IBM Endpoint Manager for Mobile devices; IBM Hosted Mobile Device Security Management
• Secure enterprise access: IBM Security Access Manager
• Security Intelligence: IBM QRadar

Page 26: Mobile Application Security


Deployment for SSO and Security Intelligence

[Diagram components: Mobile Device running Hybrid Mobile Apps based on WorkLight (Worklight Runtime); SSL and SSO; Mobile Security Gateway; WorkLight Server (WAS w/ security); Enterprise Applications, Connectivity & Data; IBM Endpoint Manager; Security Intelligence Platform; Risk Based Access]

Security intelligence with mobile context
• Intelligence around malware and advanced threats in mobile enabled enterprise
• User identity and device identity correlation, leading to behavior analysis
• Geo-fencing, anomaly detection based on device, user, location, and application characteristics

Page 27: Mobile Application Security


IBM AppScan: Bringing Vulnerability Scanning to Mobile

Detection of Vulnerabilities before Apps are Delivered and Deployed
• Known vulnerabilities can be addressed in software development and testing
• Code vulnerable to known threat models can be identified in testing
• Security designed in vs. bolted on

Leverage AppScan for vulnerability testing of mobile web apps and web elements (JavaScript, HTML5) of hybrid mobile apps

Page 28: Mobile Application Security


IBM Security Access Manager: Authentication & Authorization of Mobile Users and their Devices

[Diagram components: Mobile Browser or Native Applications connect over VPN or HTTPS to the Enterprise; IBM Access Manager performs Authentication (i.e. userid/password, Basic Auth, Certificate or Custom) and Authorization; Access Manager Servers (e.g., Policy); User registries (i.e. LDAP); Application Servers (i.e. WebSphere, WorkLight); Web Applications; Web Services; External Authentication Provider; Federated Identity Manager]

IBM Security Access Manager for Mobile can be used to satisfy complex authentication requirements. A feature called the External Authentication Interface (EAI) is designed to provide flexibility in authentication.

Federated Identity Manager can be incorporated into the solution to provide federated identity management

Page 29: Mobile Application Security


IBM Endpoint Manager for Mobile: Extending Management Reach to Mobile Devices

• Advanced management for iOS, Android, Symbian, and Windows Phone
• Unified management automatically enables VPN access based on security compliance
• Integration with back-end IT management systems such as service desk, CMDB, and SIEM
• Security threat detection and automated remediation
• Extends IBM’s existing 500,000 endpoint deployment

IBM Endpoint Manager: a common management agent and console for security management and systems management across desktop / laptop / server endpoints, mobile endpoints and purpose-specific endpoints, with near-instant deployment of new features

Page 30: Mobile Application Security


IBM QRadar: Delivering Mobile Security Intelligence

Unified collection, aggregation and analysis architecture for:
• Application logs
• Security events
• Vulnerability data
• Identity and Access Management data
• Configuration files
• Network flow telemetry

A common platform for:
• Searching
• Filtering
• Rule writing
• Reporting functions

A single user interface for:
• Log management
• Risk modeling
• Vulnerability prioritization
• Incident detection
• Impact analysis tasks

Ingest log data and events from:
• Endpoint Manager for Mobile Devices
• Access Manager for Mobile
• Mobile Connect
• WorkLight

Delivers Mobile Security Intelligence by monitoring data collected from other mobile security solutions – visibility, reporting and threat detection

Page 31: Mobile Application Security


Copyright and Trademarks

© IBM Corporation 2012. All Rights Reserved.

IBM, the IBM logo, ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.

Page 32: Mobile Application Security


IBM Global Technology Services offers a broad set of complementary mobile capabilities

Client Initiatives
• Build mobile applications
• Connect to, and run backend systems in support of mobile
• Manage mobile devices and applications
• Secure my mobile business
• Extend existing business capabilities to mobile devices
• Transform the business by creating new opportunities

Services
• Unified Communications Services
• Mobile Application Platform Management
• Strategy & Transformation
• Mobile Application Management
• Messaging, collaboration and social
• Mobile application development
• Mobile Application Platform Management
• Network (e.g. wi-fi, VPN)
• Telecom Expense Management
• Mobile Security
• Mobile Device Management
• End-user and administration support
• Procurement, staging and kitting

Page 33: Mobile Application Security


www.ibm.com/software/rational

Page 34: Mobile Application Security


Daily iPod Touch giveaway

Complete your session surveys online each day at a conference kiosk or on your Innovate 2012 Portal!

Each day that you complete all of that day’s session surveys, your name will be entered to win the daily iPod touch!

On Wednesday be sure to complete your full conference evaluation to receive your free conference t-shirt!

Page 35: Mobile Application Security


Acknowledgements and disclaimers

© Copyright IBM Corporation 2012. All rights reserved.
– U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM, the IBM logo, ibm.com, Rational, the Rational logo, Telelogic, the Telelogic logo, Green Hat, the Green Hat logo, and other IBM products and services are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml

If you have mentioned trademarks that are not from IBM, please update and add the following lines:
[Insert any special third-party trademark names/attributions here]

Other company, product, or service names may be trademarks or service marks of others.

Availability: References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates.

The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.

Page 36: Mobile Application Security


© Copyright IBM Corporation 2012. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, Rational, the Rational logo, Telelogic, the Telelogic logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

www.ibm.com/software/rational