Mobile - Information Security Research Association (slide transcript)
![Page 1: Mobile - Information Security Research Associationis-ra.org/.../2011/pdf-topics/Santosh-Santam-Mobile... · Mobile Platform Security • Diverse Platforms vulnerable to security problems](https://reader030.vdocuments.net/reader030/viewer/2022011902/5f0a0bad7e708231d429c042/html5/thumbnails/1.jpg)
Mobile Security
Confidential
© 2011 MIEL eSecurity Pvt Ltd
c0c0n 2011
Disclaimer
The following presentation contains information, which is proprietary to MIEL e-Security Pvt. Ltd. and should be treated as strictly private & confidential. This document is being discussed with you solely for your information and may not be reproduced, redistributed or passed on, directly or indirectly, to any other organization or published, in whole or in part, for any purpose without the express written consent of MIEL e-Security Pvt. Ltd.
COPYRIGHT © 2011 MIEL e-Security Pvt. Ltd.
All rights reserved.
Presenter’s Profile
Santosh Satam, Head - Technical Services, CISA | CISM | CISSP | CSSLP
• Enterprise Security Strategy
• Application & Mobile Security Assessment
Other Interests: Running Marathon
Security Crunch > My Daily Newsletter on Cyber Security
Agenda
Introduction
Trends and Threats
Mobile Threatscape
Enterprise Challenges
Recommendations
Conclusion
Information Age and You
Evolution of Mobile Use Cases
Mobiles are becoming a first class citizen in enterprises
Mobile Trends
Evolution of Mobile Phones
• Now evolved to powerful machines with almost all the capabilities of our laptops
• Always on, always with you
• Constantly evolving and becoming more powerful
• Security has not kept pace with this growth and remains an afterthought
Mobile Threats
Source: McAfee Quarterly Report 2011
MOBILE MISHAPS IN THE NEWS
Lots of security incidents reported..
Source: Trend Micro
Source: netsecurity.org
LET’S GO EXPLORING MOBILE SECURITY !
Stakeholders in Mobile Security
(diagram: Mobile Platform (1), Applications (2), Networks (3) and Application Backend (4), connected through the Internet)
1. Mobile Platform: Mobile Manufacturers, IT, End Users
2. Applications: Application Developers, End Users
3. Networks: Mobile Operators, IT, End Users
4. Application Backend: Application Developers, IT
Mobile security-specific issues..
STRONG AUTHENTICATION WITH POOR KEYBOARDS
MULTIPLE USER SUPPORT WITH SECURITY
SECURE DATA STORAGE (on disk)
Mobile security-specific issues..
CONSTRAINED BROWSING ENVIRONMENT
INFORMATION DISCLOSURE
Mobile security-specific issues..
MULTIFACTOR AUTHENTICATION
LOCATION/PRIVACY SECURITY
DIFFICULT PATCHING / UPDATE PROCESS
UNDERSTANDING THE THREATS
Diving deeper..
Mobile Threatscape
(diagram: Mobile Platform (1), Applications, Networks and Application Backend, connected through the Internet; area 1 highlighted)
Mobile Security Assessment
1. Mobile Platform Security Audit
Mobile Platform Security (1): Threats
• Diverse Platforms vulnerable to security problems (Android, iOS, Blackberry, Windows Phone)
• Operating System security vulnerabilities
  – Viruses and Worms – is there an Anti Virus?
  – Break-in over Wi-Fi and Internet – is there a Firewall?
  – Is there Patch Management?
  – Is there a provision to regularly upgrade the OS?
• What happens if the phone is stolen?
• What happens if data is intentionally or accidentally deleted? Is there a backup and restoration mechanism?
Android Platform Security
• Created by Google and the Open Handset Alliance
• Linux based
• Java programmable
• Each Application: a new user (UID)
• Android applications are considered “equal”
Android Platform Security
• Permissions - help provide data security
• Android’s permission model allows users to make bad but informed choices
• A confused user can’t make good choices.
Android Platform Security
• Possible for 2 applications to:
  – Share the same User ID
  – Be run within the same process and VM sandbox
  – Must be signed with the same certificate
• An application can allow for World Readable and Writeable mode
• This allows any application on the system to read / write the host application’s files
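The last two bullets follow directly from the per-app UID model on the previous slide: since every app is its own Linux user, a file's "other" permission bits are exactly the rights every unrelated app on the device gets. The script below is an added example (not from the presentation) of how an auditor can check for that exposure: it parses an `ls -l` style listing of an app's private data directory and flags entries that any other app could read or write, or that are owned by a different UID. The package name, user names, file names and the whole listing are constructed for the example.

```python
"""Audit an Android app's private data directory listing for files that
other apps can reach.  Added example; the sample listing is constructed.

Each installed Android app runs under its own Linux UID, so POSIX
permission bits decide what *other* apps may do.  A file written in
world-readable / world-writeable mode has the 'o' bits set, and then
any app on the device can read or modify it.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: `ls -l` of /data/data/com.example.bank/ (hypothetical package).
# u0_a123 is the app's own UID; u0_a124 is some other app's UID.
SAMPLE_LISTING = """\
total 20
drwxr-x--x u0_a123 u0_a123 4096 2011-10-01 09:00 shared_prefs
-rw-rw-rw- u0_a123 u0_a123 2048 2011-10-01 09:01 shared_prefs/session.xml
-rw-r--r-- u0_a123 u0_a123 1024 2011-10-01 09:02 databases/accounts.db
-rw------- u0_a123 u0_a123  512 2011-10-01 09:03 files/token.dat
-rw------- u0_a124 u0_a124  256 2011-10-01 09:04 files/other_app.dat
"""

# mode, owner, group, size, date, time, name
LS_RE = re.compile(r"^([-dl][rwxstT-]{9})\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+(.+)$")

ISSUE_TEXT = {
    "world-readable": "any app on the device can read it",
    "world-writable": "any app on the device can modify it",
    "foreign-owner": "not owned by the app's UID (shared-UID app or another writer)",
}


@dataclass(frozen=True)
class Entry:
    mode: str    # e.g. "-rw-rw-rw-"
    owner: str   # Linux user, one per installed app, e.g. "u0_a123"
    group: str
    name: str


def parse_ls_line(line: str) -> Optional[Entry]:
    """Parse one `ls -l` style line; None for lines that are not entries (totals, blanks)."""
    m = LS_RE.match(line.strip())
    if not m:
        return None
    mode, owner, group, name = m.groups()
    return Entry(mode, owner, group, name)


def audit_listing(listing: str, app_user: str) -> List[Tuple[str, str]]:
    """Return (name, issue) pairs for every entry exposed beyond the app's own UID.

    The 'other' bits are mode[7:10]; because each app has its own UID, those
    are exactly the rights an unrelated app gets on this file.
    """
    findings: List[Tuple[str, str]] = []
    for line in listing.splitlines():
        entry = parse_ls_line(line)
        if entry is None:
            continue
        others = entry.mode[7:10]
        if entry.owner != app_user:
            findings.append((entry.name, "foreign-owner"))
        if others[0] == "r":
            findings.append((entry.name, "world-readable"))
        if others[1] == "w":
            findings.append((entry.name, "world-writable"))
    return findings


if __name__ == "__main__":
    for name, issue in audit_listing(SAMPLE_LISTING, "u0_a123"):
        print(f"{name}: {issue} ({ISSUE_TEXT[issue]})")
```

Only `token.dat` (mode `-rw-------`) passes: it is the private mode an app should use for anything sensitive. The session file is the worst case, since a world-writable file lets another app inject content the host app will later trust.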
Android Platform Security
• Android Market is the sick man of the app world
• It’s an open market
• Google’s Android Market has 90,000+ apps
• Recently Google has removed 26 malicious apps.
iOS Platform Security
• Processor – ARM 6 or 7 depending on model
• Runs iOS
  – Derived from Mac OS X
  – FreeBSD
• 2 primary users
  – mobile
  – root
iOS Platform Security
• There are around 500,000+ apps for the iOS platform
• Code Signing applied to all applications
• App Store applications signed by Apple
• All applications run as user “mobile”
• Chroot used to restrict apps from each other
• Applications are also encrypted when stored
• Runtime decryption before execution
iOS Platform Security
• Jailbreaking is the process of getting “root” access to the phone. This allows running custom software / firmware on the phone.
• Unlocking refers to bypassing the controls which bind the phone to a carrier. This opens it for use with any carrier.
Mobile Platform Security
• Proprietary OS created by RIM
• Provides multi-tasking support
• Currently version 7
• Written in C++
• OS supports devices unique to the BB – trackball, trackwheel, touchscreen and touchpad
• Runs on ARM 7, ARM 9 and ARM 11 processors
Mobile Platform Security
• As vulnerable as other phones, still fewer in number
• Difficult to infect as there is no popular public appstore
• Most applications are loaded over the air by the network managers
• Offers a strong suite of security features which include:
  – End-to-end Encryption
  – RSA SecurID Two-Factor Authentication
  – HTTPS Secure Data Access
  – Strong IT Policy Enforcement and Management
  – Built-in Firewall
BlackBerry Application Attacks
• Browser a key part of BlackBerry
• Based on the open source WebKit
• WebKit known to be vulnerable
• First public exploit on BB demoed at Pwn2Own 2011
• ARM based exploit code
Microsoft Windows Phone
• Microsoft’s Mobile OS
• Windows Phone 7 was developed from scratch
• Currently in version 7.5 (called Mango)
• Not to be confused with Windows 8 OS (one OS for Desktops, Laptops, and Tablets)
Security Model
• Does not support removable storage
• No tethered file system access from a PC
• No concept of users and user logon
• Application origin based authentication and authorization
• Elements of Windows Phone Security Model
  – Chambers
  – Capabilities
  – Application Safeguards
Chambers
Principle of isolation and Least Privilege
• Trusted Computing Base (TCB): unrestricted access to the platform; driver and OS level code
• Elevated Rights Chamber (ERC): user mode drivers and services
• Standard Rights Chamber (SRC): all pre-installed MS and OEM applications
• Least Privileged Chamber (LPC): default permission set in which all apps from the App Marketplace run
Capabilities
• Capabilities are granted during application installation, and their privileges cannot be elevated at run time
• Capabilities include geographical location information, camera, microphone, networking, and sensors
• The Least Privileged Chamber (LPC) defines a minimal set of access rights by default. This helps in reducing the attack surface.
Application Safeguards
• Application developers must register with Microsoft
• Stringent check before inclusion in the App store
• All applications are code-signed by VeriSign
• Applications that are not code-signed cannot run on Windows Phone 7
• Applications run in a sandboxed process
  – Can interact with the OS in a limited way
  – Execution Manager monitors programs and kills programs with unusual activity
Windows Mobile Malware
Source: http://news.cnet.com/8301-27080_3-20006882-245.html
Secure Practices Recommendations
• Turn off GPS / Bluetooth when not in use
• Do not leave your phone unattended
• Make sure that the OS and firmware are updated
• Use anti-virus software and keep the definition file up to date
• Password protect your device and change the password regularly
Mobile Threatscape
(diagram: Mobile Platform, Applications (2), Networks and Application Backend, connected through the Internet; area 2 highlighted)
Mobile Security Assessment
1. Mobile Platform Security Audit
2. Mobile Application Security Audit
Mobile Application Security (2): Threats to Applications
• Malware and Trojan applications
• Security vulnerabilities in code
• Client Application security
• Bypass Enterprise policies – difficult to apply Enterprise security policy
• Acts like a Backdoor into the Enterprise
What if? There’s a..
MALWARE IN MY MOBILE !!
(diagram) Unaware user → Downloads App → Malware that mails secrets!
Hidden Trojan mails all secrets to attacker / tracks location → Attacker
Secure Practices Recommendations
• Address security in the mobile application development process
• Download apps from trustworthy sources
• Scrutinize permission requirements of applications before installation
• Use mobile security apps for data protection
Mobile Threatscape
(diagram: Mobile Platform, Applications, Networks (3) and Application Backend, connected through the Internet; area 3 highlighted)
Mobile Security Assessment
1. Mobile Platform Security Audit
2. Mobile Application Security Audit
3. Mobile Network Security Audit
Network Access Security (3): Threats to Networks
• Heterogeneous Network Risks – GPRS/3G/4G – Wi-Fi – Bluetooth – PC Synchronization
• “ON” by default opens the device up to network-based attacks
• Every access mechanism has security implications
• Difficult to control and prevent unauthorized access
• Requires a custom solution to address each – difficult to apply uniformly across all devices on the network
Understanding Mobile Connectivity
(diagram: connectivity paths a, b, c and d, including Device Sync)
Full Disclosure: Hacking Mobile Phones using Bluetooth!
Secure Practices Recommendations
• Use device inventory and track all mobile devices before and after allowing network access - you can’t protect or manage what you can’t see
• Non-compliant mobile phones should be denied network access until they have been scanned, patched or remediated
• Do not access corporate secured sites over public Wi-Fi
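The first two recommendations amount to an admission-control rule: a device that is not in the inventory, or that fails the compliance checks, stays off the network until it is remediated. The Python below is an added example (not from the presentation) that encodes such a rule. It evaluates an inventory record against a hypothetical policy (approved platform and minimum OS version, maximum age of the last patch, of the anti-virus definitions and of the last compliance scan, no jailbreak) and returns every failed check rather than the first one, so the remediation list is complete in one pass. The policy thresholds, device records and dates are all constructed.

```python
"""Network admission decision for a mobile device from its inventory record.
Added example; policy values and device records are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    min_os_version: Dict[str, Tuple[int, ...]]  # approved platform -> lowest accepted version
    max_patch_age_days: int                     # days since last OS/firmware patch
    max_av_age_days: int                        # days since anti-virus definitions were updated
    max_scan_age_days: int                      # days since last compliance scan
    allow_jailbroken: bool = False


@dataclass(frozen=True)
class Device:
    device_id: str
    platform: str
    os_version: Tuple[int, ...]
    last_patched: date
    av_definitions: date
    last_scanned: Optional[date]   # None: never scanned
    jailbroken: bool = False


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


def fmt(version: Tuple[int, ...]) -> str:
    return ".".join(str(part) for part in version)


def evaluate(device_id: str, inventory: Dict[str, Device], policy: Policy, today: date) -> Decision:
    """Allow only known, compliant devices; list every failed check for a denied one."""
    device = inventory.get(device_id)
    if device is None:
        # "You can't protect or manage what you can't see": unknown devices stay off the network.
        return Decision(False, [f"{device_id}: not in device inventory"])

    reasons: List[str] = []
    if device.jailbroken and not policy.allow_jailbroken:
        reasons.append("device is jailbroken/rooted")

    minimum = policy.min_os_version.get(device.platform)
    if minimum is None:
        reasons.append(f"platform {device.platform!r} is not approved")
    elif device.os_version < minimum:   # tuple comparison: (4,2,1) < (4,3,0)
        reasons.append(f"OS {fmt(device.os_version)} below minimum {fmt(minimum)}")

    patch_age = (today - device.last_patched).days
    if patch_age > policy.max_patch_age_days:
        reasons.append(f"not patched for {patch_age} days")

    av_age = (today - device.av_definitions).days
    if av_age > policy.max_av_age_days:
        reasons.append(f"anti-virus definitions {av_age} days old")

    if device.last_scanned is None:
        reasons.append("never scanned")
    elif (today - device.last_scanned).days > policy.max_scan_age_days:
        reasons.append(f"last compliance scan {(today - device.last_scanned).days} days ago")

    return Decision(not reasons, reasons)


# Constructed policy and inventory (hypothetical thresholds and devices).
POLICY = Policy(
    min_os_version={"android": (2, 3, 0), "ios": (4, 3, 0)},
    max_patch_age_days=30,
    max_av_age_days=7,
    max_scan_age_days=14,
)
TODAY = date(2011, 10, 1)
INVENTORY = {
    "dev-001": Device("dev-001", "android", (2, 3, 4),
                      date(2011, 9, 20), date(2011, 9, 29), date(2011, 9, 28)),
    "dev-002": Device("dev-002", "ios", (4, 2, 1),
                      date(2011, 7, 1), date(2011, 9, 1), None, jailbroken=True),
}

if __name__ == "__main__":
    for dev_id in ("dev-001", "dev-002", "dev-999"):
        decision = evaluate(dev_id, INVENTORY, POLICY, TODAY)
        print(dev_id, "ALLOW" if decision.allow else "DENY", decision.reasons)
```

In a real deployment the decision would feed a NAC or MDM enforcement point; the check itself stays the same whether the inventory is a spreadsheet export or an MDM API.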
Mobile Threatscape
(diagram: Mobile Platform, Applications, Networks and Application Backend (4), connected through the Internet; area 4 highlighted)
Application Backend Security (4): Threats to the Application Backend
• Application farm security vulnerabilities
  – Web server security bugs
  – Database server security bugs
  – Storage server security bugs
  – Load balancer security bugs
• Web application security vulnerabilities
  – OWASP Top 10 security problems
  – Advanced Web Application attacks
• Web service security vulnerabilities
• Client application security vulnerabilities
Security Breach Targets iPad Servers
Confidential Information Exposed!!
Mobile Security Assessment
1. Mobile Platform Security Audit
2. Mobile Application Security Audit
3. Mobile Network Security Audit
4. Application Backend Security Audit
MOBILE SECURITY CHALLENGES IN AN ENTERPRISE ENVIRONMENT
Enterprise Mobile Security Challenges
• INFORMATION DISCLOSURE POLICIES
• DIFFICULTY AND COMPLEXITY IN IMPLEMENTATION
• LACK OF KNOWLEDGE ABOUT RISK
Enterprise Mobile Security Challenges
• REMOTE CONTROL, TRACKING AND DATA WIPING
• ENTERPRISE WIDE MOBILE SECURITY POLICIES
• RESTRICTING MOBILE INTERNET ACCESS
Enterprise Security Recommendations
• A lost or stolen device: implement a central management console
• Provide support to multiple devices: implement centrally managed mobile device managers
• Controlling data flow on multiple devices: secure server systems with strong access control; mechanism for installing secure apps centrally through an authorized server
• Prevent unauthorized synchronization: monitor and restrict data transfers to handheld or removable storage devices
• User awareness: create keen awareness of information assets, risk and value to the enterprise
The Future
• Mobile and Cloud will turn traditional IT and computing on its head
• It’s about user experience (U-Ex)
• Virtual smart phones (Mobile Hypervisor)
• Dynamic context- and content-aware Data Protection
• NFC enabled smart phones to take center stage and may replace cards
Thank you!
Santosh Satam
@satamsantosh
http://in.linkedin.com/in/santoshsatam
https://www.facebook.com/satamsantosh
www.securitycrunch.in
“Any people that would give up liberty for a little temporary safety deserves neither liberty nor safety.”
Benjamin Franklin