Mobile security

Slides about mobile security presented during the BELTUG Security SIG ("Special Interest Group") in January 2013.

Transcript
Mobile Security
“Bring war material with you from home but forage on the enemy” - Sun Tzu
Xavier Mertens - Beltug SIG Security - Jan 2013
Disclaimer
“The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”
Agenda
• Introduction: Top-10 mobile risks
• Company owned devices
• Employee owned device (BYOD)
• Risks inherent in mobile devices
• Mobile applications development
Top-10 Mobile Risks
• Insecure data storage
• Weak server side controls
• Insufficient transport layer protection
• Client side injection
• Poor authentication & authorization
• Improper session handling
• Secure decision via untrusted input
• Side channel data leakage
• Broken cryptography
• Sensitive information disclosure
(Source: OWASP)
Mobile devices are computers!
Company Owned Devices
Easy? Really?
• Limited set of manufacturers/OS
• Full control of hell?
• People try to break out of the jail (as with laptops)
• Need procedures (backups, helpdesk)
Corporate Policy
• Must be communicated & approved before the device provisioning
• Communication channels: addendum to a contract, Intranet, a “check box”?
• Restrictions (SD cards, Bluetooth, camera)
• What about private data? (pictures, MP3, downloaded (paid!) apps)
Examples
• Document already available on beltug.be (Members section)
• Simple policy: http://www.security-marathon.be/?p=1466 (Jean-Sébastien Opdebeeck)
Data Classification
• Another approach is implementing data classification
• Implementation of the “least privilege” principle
• Access to data is based on profiles
• Works with any device! (the benefit is broader than mobile devices alone)
Data Classification

Classification        Company Owned Devices   Personal Devices
Top-Secret            No                      No
Highly Confidential   No                      No
Proprietary           Yes                     No
Internal Use Only     Yes                     Yes
Public                Yes                     Yes
Employee Owned Devices
Why do people BYOD?
• Devices became cheaper and more powerful
• The “Generation Y”
• Always online everywhere!
First Question?
• Are you ready to accept personal devices on your network?
• It’s a question of ... risk!
• Examples:
• Data loss
• Network intrusion
• Data ex-filtration
“MDM”?
• Do you need an MDM solution? (Mobile Device Management)
• Can you trust $VENDORS?
• Microsoft Exchange includes ActiveSync for free
• Most security $VENDORS propose (basic) tools to handle mobile devices
Minimum Requirements
• Automatic lock + password
• No jailbroken devices
• Remote wipe
• Backups (who’s responsible?)
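Added example, not part of the original slides: a small policy check that combines the four bullets above with the Data Classification matrix from the earlier slide. The device records and field names are constructed assumptions, not the API of any MDM product; the point is that a single compliance failure or a "No" in the matrix denies access, and that every reason is reported rather than only the first one.

```python
"""Added example, not from the slides: a device-compliance and data-access
check that combines the "Minimum Requirements" slide (automatic lock +
password, no jailbroken devices, remote wipe, a named backup owner) with the
"Data Classification" matrix for company-owned vs. personal devices.
Device records below are constructed sample data; the field names are an
assumption, not any MDM product's API."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Classification matrix, copied from the Data Classification slide:
# label -> (allowed on company-owned device, allowed on personal device)
CLASSIFICATION_MATRIX = {
    "top-secret": (False, False),
    "highly-confidential": (False, False),
    "proprietary": (True, False),
    "internal-use-only": (True, True),
    "public": (True, True),
}


@dataclass
class Device:
    owner: str                      # "company" or "personal"
    auto_lock: bool
    passcode_set: bool
    jailbroken: bool
    remote_wipe_enrolled: bool
    backup_owner: Optional[str]     # who is responsible for backups; None = nobody


def compliance_failures(device: Device) -> list[str]:
    """Return every minimum requirement the device fails (empty = compliant)."""
    failures = []
    if not (device.auto_lock and device.passcode_set):
        failures.append("automatic lock + password not enforced")
    if device.jailbroken:
        failures.append("device is jailbroken/rooted")
    if not device.remote_wipe_enrolled:
        failures.append("remote wipe not available")
    if device.backup_owner is None:
        failures.append("nobody is responsible for backups")
    return failures


def access_decision(device: Device, classification: str) -> tuple[bool, list[str]]:
    """Decide whether the device may hold data of the given classification.

    Returns (allowed, reasons). Least privilege applies: one compliance
    failure or a "No" in the matrix is enough to deny, and all reasons are
    collected so the helpdesk can tell the user what to fix.
    """
    reasons = compliance_failures(device)
    if classification not in CLASSIFICATION_MATRIX:
        return False, reasons + [f"unknown classification {classification!r}"]
    company_ok, personal_ok = CLASSIFICATION_MATRIX[classification]
    allowed_by_matrix = company_ok if device.owner == "company" else personal_ok
    if not allowed_by_matrix:
        reasons.append(f"{classification} data not allowed on {device.owner}-owned devices")
    return not reasons, reasons


if __name__ == "__main__":
    # Constructed sample devices
    samples = [
        ("compliant corporate phone", Device("company", True, True, False, True, "IT"), "proprietary"),
        ("BYOD phone, internal data", Device("personal", True, True, False, True, "user"), "internal-use-only"),
        ("BYOD phone, proprietary data", Device("personal", True, True, False, True, "user"), "proprietary"),
        ("jailbroken corporate phone, no passcode", Device("company", True, False, True, True, "IT"), "public"),
    ]
    for label, dev, cls in samples:
        allowed, why = access_decision(dev, cls)
        print(f"{label}: {'ALLOW' if allowed else 'DENY'} {why}")
```

The matrix and the compliance rules are kept as two separate functions on purpose: the matrix answers "may this kind of device see this data at all", the compliance check answers "is this particular device in a state we trust", and both must pass.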
Risks Inherent In Mobile Devices
Personal Hotspots
• Tethering allows mobile devices to be used as hotspots
• Corporate devices (laptops) could bypass Internet access controls
• Risks of rogue routers (if IP forwarding is enabled)
Rogue App Stores
• A mobile device without apps is less useful
• Owners tend to install any app
• Some apps request far more permissions than they need
• People trust app stores and developers
• Developers must write good code
QR Codes
Geolocalization
NFC
Home & Cars
Mobile Application Development
OWASP Mobile Security Project
• Mobile testing guide
• Secure mobile development guide
• Top-10 mobile controls and design principles
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
Lack of/Bad Encryption
• Developers re-invent the wheel: do not write a new encryption algorithm
• Encrypt everything (data at rest, data in motion)
Local vs. Remote Storage

          Pros                              Cons
Local     No network costs, speed           Risk of loss, outdated data
Central   Always updated, no risk of loss   Data network costs ($), speed
Geolocalization
• Again! But this time for good purposes
• Do not allow some actions or apps (ex: opening a wallet) if GPS data shows the phone outside Europe
• Combine with passwords for stronger authentication/authorization
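Added example, not from the slides: the wallet rule above as working authorization logic, with the password factor and the location factor combined so that both must pass. The "Europe" region is a deliberately crude bounding box chosen here for illustration (an assumption, not a geopolitical definition); the user record and GPS fixes are constructed sample data.

```python
"""Added example, not from the slides: location-aware authorization for a
sensitive action ("opening a wallet") combined with a password, as suggested
on the Geolocalization slide. EUROPE_BBOX is a crude constructed bounding box;
a real deployment would use a proper geofence. Users and fixes are sample data."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# (min_lat, max_lat, min_lon, max_lon) in degrees; rough box around Europe,
# an assumption for this example only.
EUROPE_BBOX = (35.0, 72.0, -11.0, 40.0)
PBKDF2_ROUNDS = 100_000


def inside_region(lat: float, lon: float, bbox=EUROPE_BBOX) -> bool:
    """True when the fix lies inside the allowed bounding box."""
    min_lat, max_lat, min_lon, max_lon = bbox
    return min_lat <= lat <= max_lat and min_lon <= lon <= max_lon


@dataclass(frozen=True)
class User:
    name: str
    salt: bytes
    pw_hash: bytes


def make_user(name: str, password: str) -> User:
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return User(name, salt, digest)


def password_ok(user: User, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, user.pw_hash)   # constant-time compare


def authorize_wallet(user: User, password: str,
                     fix: Optional[Tuple[float, float]]) -> Tuple[bool, str]:
    """Both factors must pass: password (authentication) and location
    (authorization). A missing GPS fix fails closed: the wallet stays locked."""
    if not password_ok(user, password):
        return False, "bad password"
    if fix is None:
        return False, "no location available; wallet stays locked"
    lat, lon = fix
    if not inside_region(lat, lon):
        return False, f"location ({lat:.2f}, {lon:.2f}) outside allowed region"
    return True, "wallet unlocked"


if __name__ == "__main__":
    alice = make_user("alice", "correct horse battery")        # constructed sample
    for fix in [(50.85, 4.35), (40.71, -74.01), None]:       # Brussels, New York, no GPS
        print(fix, authorize_wallet(alice, "correct horse battery", fix))
    print("wrong password:", authorize_wallet(alice, "guess", (50.85, 4.35)))
```

The location check is an extra authorization signal, not a replacement for the password: a GPS fix comes from the device and can be wrong or faked, so the code denies on a missing fix and still requires the password even when the location looks fine.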
Enterprise Appstores
• Goal: distribute, secure and manage mobile apps through your own company-branded appstore.
• Applications available in the appstore have been approved by a strong validation process.
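Added example, not from the slides: one automated step such a validation process could run before an app is published, picking up the earlier "Rogue App Stores" remark that apps often request far more permissions than they need. The per-category baselines and the manifests are constructed sample data and the category model is an assumption; the permission strings themselves are real Android permission names.

```python
"""Added example, not from the slides: a permission review step for an
enterprise appstore. Each app category has a constructed baseline of the
permissions it legitimately needs; anything beyond it is "excess", and excess
that touches sensitive data rejects the app outright. The category model and
baselines are assumptions for illustration."""
from typing import Dict, List

# Permissions a given kind of app legitimately needs (constructed baseline).
CATEGORY_BASELINE: Dict[str, set] = {
    "expense-notes": {
        "android.permission.CAMERA",        # photograph receipts
        "android.permission.INTERNET",      # upload them
    },
    "news-reader": {
        "android.permission.INTERNET",
    },
}

# Permissions that expose data the policy treats as sensitive (a subset
# chosen for the example).
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CALL_LOG",
}


def review_app(manifest: dict) -> dict:
    """Compare requested permissions with the category baseline.

    manifest: {"name": str, "category": str, "permissions": [str, ...]}
    Verdicts: "approved" (nothing beyond the baseline), "manual-review"
    (extra but non-sensitive permissions), "rejected" (sensitive extras or an
    unknown category). Excess lists are returned so the reviewer sees why.
    """
    name = manifest.get("name")
    category = manifest.get("category")
    baseline = CATEGORY_BASELINE.get(category)
    if baseline is None:
        return {"name": name, "verdict": "rejected", "excess": [],
                "sensitive_excess": [], "note": f"unknown category {category!r}"}
    requested = set(manifest.get("permissions", []))
    excess: List[str] = sorted(requested - baseline)
    sensitive_excess: List[str] = sorted((requested & SENSITIVE) - baseline)
    if sensitive_excess:
        verdict = "rejected"
    elif excess:
        verdict = "manual-review"
    else:
        verdict = "approved"
    return {"name": name, "verdict": verdict, "excess": excess,
            "sensitive_excess": sensitive_excess, "note": ""}


if __name__ == "__main__":
    # Constructed sample manifests
    submissions = [
        {"name": "ReceiptNotes", "category": "expense-notes",
         "permissions": ["android.permission.CAMERA", "android.permission.INTERNET"]},
        {"name": "FreeNews", "category": "news-reader",
         "permissions": ["android.permission.INTERNET", "android.permission.READ_CONTACTS",
                         "android.permission.READ_SMS"]},
        {"name": "ReceiptNotes Pro", "category": "expense-notes",
         "permissions": ["android.permission.CAMERA", "android.permission.INTERNET",
                         "android.permission.VIBRATE"]},
    ]
    for m in submissions:
        print(review_app(m))
```

A check like this is only one gate of the validation process the slide refers to; it catches the obvious over-privileged submission cheaply so that human review time goes to the apps that need it.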
Thank You!
Xavier Mertens - [email protected] - @xme - http://blog.rootshell.be