Transforming Risky Mobile Apps into Self-Defending Apps
DESCRIPTION
On Thursday, September 25, Bluebox Security hosted a webinar on transforming risky mobile apps into self-defending apps. During the webinar, Subbu Iyer, VP of Product Management, analyzed the anatomy of risky apps and explained how to encrypt and protect data from device- or app-level compromises. View and listen to the entire webinar here: http://offers.bluebox.com/resource-webinar-transform-risky-mobile-apps.html
TRANSCRIPT
Securing your data wherever it goes
Transform Risky Mobile Apps into Self-Defending Apps
Subbu Iyer, Vice President, Product Management
Momentum of Internal App Development
A typical enterprise has about 10+ internally developed apps, with about 30+% growth expected next year
Marketers take the lead, with apps both for internal and external use
Driving internal efficiencies, post-sale loyalty management, in-app analytics
App updates happening at a frenetic pace
Sources: (1) “Evolving the Connected Enterprise”, Oracle, July 2014, (2) “The Connected Marketer”, Forbes, Jan 2014
Challenges in Enterprise Mobile App Development
Mobile app development time: front-end mobile app development 29%; enterprise integration, security, quality assurance and design work 71%
Secure the data first, then the device
Constant tug of war between Security, IT, and App Dev teams
Access to enterprise systems is key
Source: (1) “Evolving the Connected Enterprise”, Oracle, July 2014
What do mobile apps store on the device?
▪ User identifiers
▪ Session identifiers
▪ Cached application data
▪ Location data
▪ Internal server addresses
▪ Credit card info, purchasing history
▪ Sensitive information, potentially PII
Storing this data improves app loading performance and caches information for offline usage
Information saved on the device is potentially accessible to malicious apps or users
Risks of a mobile data breach
45% of companies experienced a mobile data breach in 2013
11% of them were required to publicly disclose it
Costs of a breach vary by geography (US, DE, UK and FR being most expensive) and industry vertical (Healthcare, Education, Pharma and Financial)
Cited Risks of Mobile Data Leakage (chart values: 78%, 36%, 34%, 32%, 26%, 22%):
▪ Jailbroken or rooted devices
▪ Security at public hotspots
▪ Penetration of corporate WiFi network
▪ Unknown, possibly malicious apps on device
▪ Data leakage to unauthorized cloud services
▪ Lost or stolen devices containing corporate information
Sources: (1) “2014 Cost of Breach Study”, IBM, May 2014, (2) “Information Week 2013 Mobile Security Survey”, December 2013
Option 1 for securing internal apps: MDM
Enroll users to an MDM
Distribute an MDM profile
Enforce a device-level passcode and encryption
Distribute apps via Enterprise App Catalog
Relies on device-level security; needs to be enabled for the entire device
Requires profiles to be installed on users’ devices – including BYOD
Not easy to scale to external vendors/customers
Option 2 for securing internal apps: Containerization
Typically provided via SDK or App Wrapping
Developer involvement for SDK or Wrapping infrastructure set-up
Typically used with containerized Email, PIM and Browsers as well
Substantial developer involvement needed
Traditional wrapping technologies cause intermittent crashes, causing a poor user experience
Users hate the non-native experience of a PIM + browser+ content workspace app
Option 3 for securing internal apps: DIY (For App Developers)
SQLCipher: For encrypting app’s database files
IOCipher: Virtual encrypted disk for apps
NetCipher: Strong SSL/TLS implementation
An SDK for every need; increases developer effort exponentially
Security risks at every level of mobility: App Level, Device Level, User Level
Application Level Risks
75% of mobile apps will fail basic security tests in 2015
▪ Insecure data on device and in transit
▪ Reliance on device, OS or MDM for security
▪ Reliance on rational user behavior
75% don’t use proper encryption when storing data on a mobile device
97% have access to private data without appropriate security measures
75% of mobile security breaches by 2017 will be the result of exploiting poorly developed mobile apps
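The on-device artifacts listed earlier (session identifiers, internal server addresses, card data) and the “don’t use proper encryption when storing data” figure above are what a storage audit of an app sandbox turns up. The script below is an added example, not Bluebox tooling: it walks a constructed iOS-style sandbox (directory names and file contents are invented here), flags SQLite files that still carry the plaintext header a SQLCipher-encrypted database lacks, and scans caches for tokens, internal hosts and Luhn-valid card numbers.

```python
import os, re, sqlite3, tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # plaintext SQLite header; a SQLCipher-encrypted file lacks it
PATTERNS = {
    "session identifier": re.compile(
        rb'(?i)"?(?:session[_-]?id|auth[_-]?token)"?\s*[:=]\s*"?[A-Za-z0-9._-]{8,}'),
    "internal server address": re.compile(
        rb"https?://(?:10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|[\w.-]+\.(?:corp|internal|local))"),
    "card number": re.compile(rb"\b(?:\d[ -]?){13,16}\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops digit runs (order numbers, timestamps) that only look like a card PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def audit_dir(root: str) -> list:
    """Return sorted (relative path, finding) pairs for every file under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                data = fh.read()
            if data.startswith(SQLITE_MAGIC):
                findings.append((rel, "unencrypted SQLite database"))
            for label, pat in PATTERNS.items():
                for m in pat.finditer(data):
                    if label == "card number" and not luhn_ok(re.sub(rb"\D", b"", m.group()).decode()):
                        continue
                    findings.append((rel, label))
                    break  # one finding per label per file is enough for a report
    return sorted(findings)

def build_sample_sandbox() -> str:
    """Constructed sandbox (not real app data): a leaky cache, a plaintext DB and an opaque blob."""
    root = tempfile.mkdtemp()
    for d in ("Library/Caches", "Documents"):
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, "Library", "Caches", "state.json"), "wb") as fh:
        fh.write(b'{"session_id": "abc123def456ghi789", "api": "https://api.payroll.corp/v1", "order_ref": "1234567890123"}')
    con = sqlite3.connect(os.path.join(root, "Documents", "orders.db"))
    con.execute("CREATE TABLE orders(card TEXT)")
    con.execute("INSERT INTO orders VALUES ('4111111111111111')")
    con.commit(); con.close()
    with open(os.path.join(root, "Documents", "vault.bin"), "wb") as fh:
        fh.write(bytes(0x7F ^ i for i in range(64)))  # no header, no ASCII digits: nothing to flag
    return root
```

Run `audit_dir(build_sample_sandbox())` to see the plaintext database and the cache file flagged while the opaque blob passes; point `audit_dir` at a real sandbox copy (for example an app container pulled from a test device) to audit an app you own.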
Device Level Risks
▪ Undue focus on jailbreaking and rooting alone – what about non-root system exploits?
▪ Outdated OS versions
▪ Change of device posture by other apps on device
52 vulnerabilities patched in iOS in 2014; 40% of those were critical code exploits
24% of Android devices run the latest KitKat 4.4 version
90% of employees use personal smartphones for work
User Level Risks
▪ Failure to report lost or stolen devices
▪ Mobile devices connect to more public hotspots and unknown servers than laptops
▪ Basic device-level protection like password and encryption turned off
113: number of smartphones lost every MINUTE in the U.S.
26: number of apps the average mobile user has downloaded
34% take no security measures at all
App Development Needs
Developers: free developer time from security implementation; focus on building business logic
Business Owner: accelerate time to market; meet ever-increasing user demand for apps; competitive advantage
Security: stay current with mobile threats; ensure compliance
What you really need
Easy, simple access to any app for any user on any device
Instant containerization of any app – on demand
Apps need to assume they are inherently at risk – ALWAYS, and accordingly defend their own data
Contingency management for IT – manage app versions and data, wipe and revoke apps based on usage patterns
Data Wrapping: The Unique Bluebox Approach
Layers in the diagram: User, Data (Bluebox), App, Device, Network (others)
▪ Data security on devices, apps and network
▪ Support for ANY 3rd party or internal apps
▪ Native app experience
▪ Clear separation of personal and corporate data
Traditional App Wrapping
Layers: App Code, 3rd party libraries, OS Framework, OS
Calls to the native framework are mapped to custom calls (“Swizzling”); native calls go directly to the OS
• Not dynamic
• Needs constant maintenance with major OS updates
App crashes due to conflicts between data handled differently by two separate engines
Lack of predictability; poor app coverage; unstable apps; poor user experience
Bluebox Instant App Protect
Layers: 3rd party libraries, App Code, Bluebox Data Wrapping Framework, OS Framework, OS
• Dynamic wrapping logic
• Dynamic updates of wrapping layer
More predictability; greater app coverage; more stable apps
Bluebox Mobile App Fortification: Reduce Risk
Data Wrapping
Self-Defending Behavior
Enterprise Enablement: App VPN; app eventing and logging; data sharing controls; data visibility, security, and control
Bluebox Instant App Protect – How It Works
Web-based Bluebox Admin Portal (portal.bluebox.com)
Upload your app
Apply policies and enterprise signing instantly
Assign users and groups
Specify 3rd party apps to secure
Bluebox User Enrollment
▪ Easy 3-step process via Bluebox App
▪ SAML 2.0, OAuth 2 (using Google as provider) and ActiveSync supported for user auth
▪ Elegantly off-board users via SAML and SCIM
The Enterprise Mobile UX
User has full visibility into admin controls on the device
Native user experience for all apps
Freedom of choice to add user’s favorite apps to the Bluebox Invisible Workspace
Summary
Assume that your apps are perpetually at risk at all layers – Device, App and User
Get beyond jailbreak and rooted detection!
Make your apps self-defending
Focus on the user – allow easy access to your apps on any device
Fortify your Apps – don’t just manage them using an MDM or MAM