SlideShare a Scribd company logo

Mobile security services 2012

Download as PPTX, PDF
T
Tjylen Veselyj

This document provides an overview of mobile security concerns and services offered by SoftServe. It discusses key mobile security risks like confidential data leakage, insecure data storage and transmission, and vulnerabilities in mobile applications. SoftServe's mobile security portfolio includes mobile application security assessments, mobile forensics, mobile network security assessments, and mobile device management. The services help identify vulnerabilities, manage policies and devices, and control security and access to address risks.

Technology
1 of 43
Downloaded 22 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
Mobile Security Service Overview Nazar Tymoshyk Ph.D, R&D Manager/Security Consultant
Call History Messages Social Networking Visited websites Contacts Mobile Banking VideosPhotosDocuments PINs & Passwords Who knows more about you than your smartphone?
always with you! Always on Your mobile
All Apps are considered safe until proven guilty by a security review
Key Mobile Device Security Concerns • Confidentiality – Commercial Data • Ex: Financial, IP, etc. – Personal Data • Ex: Customer, Employee records, PCI, etc. • User Personal Data – Diplomatic cables • Accessibility – Resource uptime – High Availability / Recoverability – Archive Maintain device flexibility while protecting against security risks 5
THE ANYTIME, ANYWHERE YOUNG WORKER Prefers an unconventional work schedule, working anytime and anywhere Believes he should be allowed to access social media and personal websites from company-issued devices Checks Facebook page at least once a day Doesn’t believe he needs to be in the office on a regular basis Believes that IT is ultimately responsible for security, not him Will violate IT policies if it’s necessary to get the job done Owns multiple devices, such as laptops, tablets, and mobile phones (often more than one)
Mobile security services 2012
Man in the Middle attacks Prevention of man-in-the-middle attack for Wi-Fi
Your company could be part or victim of mobile Botnet attack Zeus bot for Mobil - Zitmo
Mobile applications for Healthcare Require HIPAA security assessments
Competitors They do all to get your secrets
• Sensitive data leakage (inadvertent or side channel) • Unsafe sensitive data storage • Unsafe sensitive data transmission • Hardcoded password/keys Mobile application Vulnerabilities:
Test Results regarding Availability of Secrets to Attackers in the Lost Device Scenario Tested Account Types Secret Type Accessibility AOL Email Password protected Apple Push Certificate + Token w/o passcode Apps using keychain with default protection depends on App protected Apple-token-sync (mobile me) Token w/o passcode CalDav Password w/o passcode Generic IMAP Password protected Generic SMTP server Password protected Google Mail Password protected Google Mail as MS Exchange Account Password w/o passcode iChat.VeniceRegistrationAgent Token w/o passcode iOS Backup Password Password protected LDAP Password w/o passcode Lockdown Daemon Certificate w/o passcode MS Exchange Password w/o passcode Voicemail Password w/o passcode VPN IPsec Shared Secret Password w/o passcode VPN XAuth Password Password w/o passcode VPN PPP Password Password w/o passcode Website Account from Safari Password protected WiFi (Company WPA with LEAP) Password w/o passcode WiFi WPA Password w/o passcode Yahoo Email Token + Cookie protected
What You LOSE? If your confidential data will be leaked?
Reputation TrustMoney Data TimeDisciplinary actions Clients
SoftServe Mobile Security Portfolio Mobile Application Security Assessment Mobile Forensics Mobile Network Security assessment Mobile Device Management
SoftServe Mobile Security Framework
Mobile Forensics 1. Messaging (corporate Emails and banking SMS ) 2. Audio (calls activities and open microphone recording) 3. Video (still and full-motion) 4. Locations 5. Contact list 6. Call history 7. Browsing history and passwords 8. Input 9. Data files
Vulnerability identification
• Manage policies • Manage mobile applications • Manage devices • Control security • Control passwords • Control access Mobile Device Management We are partner with MDM provider AirWatch
How we help you? (переробити на мобільна безпека)
Mobile security services 2012
Password vs. Bruteforce Passcode Complexity Bruteforce time 4 digits 18 minutes 4 alphanumeric 51 hours 5 alphanumeric 8 years 8 alphanumeric 13,000 years
Mobile Banking
Our Methodology • OWASP Mobile • Automatize Apps analysis – Static Analysis – Dynamic Analysis • OWASP Mobile Top 10 Risk mitigation methodology
CLEAR TEXT SECRETS • App fails to protect sensitive information, credentials • OWASP Mobile: M1- Insecure Data Storage
CLEAR TEXT SECRETS EXAMPLE: CREDENTIALS MANAGER (CVE-2011-1840)
INSECURE CHANNELS EXAMPLE: SOCIAL NETWORKING
DEBUG ENABLED • App ships to market with logging or debugging • features enabled • Helps attacker to learn Apps internal • OWASP Mobile: M8- Side Channel • Data Leakage
CROSS SITE SCRIPTING (XSS) EXAMPLE, INCASE YOU MISSED IT
DATA VALIDATION • App fails to perform appropriate data • validation • Accounts for many common risks • OWASP Mobile: M4- Client Side Injection
DATA VALIDATION MITIGATION • Validate data for: – Valid – Safe – Length • For SQL queries use prepared statements • Validate (sanitize) and escape data before render for web Apps • Use white list approach instead black list • approach. Check out OWASP ESAPI libraries
PII COMPROMISE • App can collect plenty of PII information • – User: username, contacts, bookmarks • – Device: S.O. ver, device name, IMEI, IMSI, • kernel version, UUID • – General info: geolocalization • – OWASP Mobile Risk Classification: M8 – Side • Channel Data Leakage
PII COMPROMISE MITIGATION • Apps don't need to collect all they can, just • what they need • • If collecting PII: • – Where is that info going? • • Log files • • Data storages • • Network • – Protect it: • • Transit • • At Rest
3RD PARTY LIBRARIES INTEGRATION • App integrates 3rd party libraries: • – Facebook • – Greendroid • – Android.ads • – Apache • – google.android.apps.analytics • – Json • – Mozilla • – Javax • – xmlrpc.android • – slf4j
3RD PARTY LIBRARIES INTEGRATION MITIGATION • If using 3rd party libraries, use proven • libraries • What info are these libraries collecting? • Do we really need social networking libs • integrated into our finance apps?
WEAK CRYPTO • Incorrect use of crypto libraries • Implementing custom • bad ass crypto algorithm • M9 - Broken Cryptography
HARDCODED CREDENTIALS App contains credentials embedded in code • Easy to spot by attackers • OWASP Mobile: M10- Sensitive Information Disclosure
HARDCODED CREDENTIALS MITIGATION • Easy, don't write credentials into code files • What happens when the credentials change? • You need to upload a new version on the app! • Credentials need to use secure data storages
Mobile security services 2012
Certifications Ph.D in Security
Security Clients 2010-2011:
Do you have any QUESTIONS?

More Related Content

PPTX
Security hole #5 application security science or quality assurance
Tjylen Veselyj
 
PPTX
Cloud Security vs Security in the Cloud
Tjylen Veselyj
 
PPT
Penetration Testing Basics
Rick Wanner
 
PDF
Security testing presentation
Confiz
 
PDF
Oh, WASP! Security Essentials for Web Apps
TechWell
 
PPTX
Web application penetration testing
Imaginea
 
PDF
Penetration testing web application web application (in) security
Nahidul Kibria
 
PPTX
Security testing
Rihab Chebbah
 
Security hole #5 application security science or quality assurance
Tjylen Veselyj
 
Cloud Security vs Security in the Cloud
Tjylen Veselyj
 
Penetration Testing Basics
Rick Wanner
 
Security testing presentation
Confiz
 
Oh, WASP! Security Essentials for Web Apps
TechWell
 
Web application penetration testing
Imaginea
 
Penetration testing web application web application (in) security
Nahidul Kibria
 
Security testing
Rihab Chebbah
 

What's hot (20)

PDF
Web Application Security 101
Cybersecurity Education and Research Centre
 
PPS
Security testing
Tabăra de Testare
 
PDF
Introduction to Security Testing
vodQA
 
PDF
Security-testing presentation
Ezhilan Elangovan (Eril)
 
PPTX
Security testing
Khizra Sammad
 
PDF
OWASP Top 10 Project
Muhammad Shehata
 
PDF
Axoss Web Application Penetration Testing Services
Bulent Buyukkahraman
 
PDF
Client-Side Penetration Testing Presentation
Chris Gates
 
PPTX
Web Application Penetration Testing Introduction
gbud7
 
PPTX
Owasp
penetration Tester
 
PPTX
Penetration Testing
RomSoft SRL
 
PDF
Penetration and hacking training brief
Bill Nelson
 
PPT
Web Application Security Testing
Marco Morana
 
PDF
Finacle - Secure Coding Practices
Infosys Finacle
 
PPTX
Secure coding practices
Mohammed Danish Amber
 
PDF
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
PDF
OWASP Secure Coding Practices - Quick Reference Guide
Ludovic Petit
 
PPTX
Security Testing
Qualitest
 
PPTX
Hack through Injections
Nazar Tymoshyk, CEH, Ph.D.
 
PPTX
Secure Coding 2013
The eCore Group
 
Web Application Security 101
Cybersecurity Education and Research Centre
 
Security testing
Tabăra de Testare
 
Introduction to Security Testing
vodQA
 
Security-testing presentation
Ezhilan Elangovan (Eril)
 
Security testing
Khizra Sammad
 
OWASP Top 10 Project
Muhammad Shehata
 
Axoss Web Application Penetration Testing Services
Bulent Buyukkahraman
 
Client-Side Penetration Testing Presentation
Chris Gates
 
Web Application Penetration Testing Introduction
gbud7
 
Owasp
penetration Tester
 
Penetration Testing
RomSoft SRL
 
Penetration and hacking training brief
Bill Nelson
 
Web Application Security Testing
Marco Morana
 
Finacle - Secure Coding Practices
Infosys Finacle
 
Secure coding practices
Mohammed Danish Amber
 
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
OWASP Secure Coding Practices - Quick Reference Guide
Ludovic Petit
 
Security Testing
Qualitest
 
Hack through Injections
Nazar Tymoshyk, CEH, Ph.D.
 
Secure Coding 2013
The eCore Group
 
Ad

Similar to Mobile security services 2012 (20)

PPTX
Security Imeprative for iOS and Android Apps
Symosis Security (Previously C-Level Security)
 
PDF
Mobile security chess board - attacks & defense
Blueinfy Solutions
 
PDF
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
NowSecure
 
PDF
Invited Talk - Cyber Security and Open Source
hack33
 
PPTX
Security Best Practices for Regular Users
Security Innovation
 
PPTX
Security best practices for regular users
Geoffrey Vaughan
 
PPTX
Protecting your online identity - Managing your passwords
Bunmi Sowande
 
PDF
DefCamp_2016_Chemerkin_Yury_--_publish.pdf
Yury Chemerkin
 
PDF
Secon_2017_Chemerkin_Yury_-_final_-_Clean.pdf
Yury Chemerkin
 
PDF
Безопасность данных мобильных приложений. Мифы и реальность.
Advanced monitoring
 
PPTX
Mobilination Ntymoshyk Personal Mobile Security Final Public
Tjylen Veselyj
 
PDF
Can You Steal From Me Now? Mobile and BYOD Security Risks
Michael Davis
 
PPT
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
 
PPTX
Android Hacking + Pentesting
Sina Manavi
 
PDF
How to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
Maxim Salnikov
 
PDF
INFOSEC_UAB_2016_Conference_Chemerkin_Yury.pdf
Yury Chemerkin
 
PPT
Automation In Android & iOS Application Review
Blueinfy Solutions
 
PDF
ISACA CACS 2012 - Mobile Device Security and Privacy
Michael Davis
 
PDF
Onlinesecurityrecomendations2014 141230081030-conversion-gate02
amiinaaa
 
PPTX
iOS-Application-Security-iAmPr3m
Prem Kumar (OSCP)
 
Security Imeprative for iOS and Android Apps
Symosis Security (Previously C-Level Security)
 
Mobile security chess board - attacks & defense
Blueinfy Solutions
 
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
NowSecure
 
Invited Talk - Cyber Security and Open Source
hack33
 
Security Best Practices for Regular Users
Security Innovation
 
Security best practices for regular users
Geoffrey Vaughan
 
Protecting your online identity - Managing your passwords
Bunmi Sowande
 
DefCamp_2016_Chemerkin_Yury_--_publish.pdf
Yury Chemerkin
 
Secon_2017_Chemerkin_Yury_-_final_-_Clean.pdf
Yury Chemerkin
 
Безопасность данных мобильных приложений. Мифы и реальность.
Advanced monitoring
 
Mobilination Ntymoshyk Personal Mobile Security Final Public
Tjylen Veselyj
 
Can You Steal From Me Now? Mobile and BYOD Security Risks
Michael Davis
 
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
 
Android Hacking + Pentesting
Sina Manavi
 
How to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
Maxim Salnikov
 
INFOSEC_UAB_2016_Conference_Chemerkin_Yury.pdf
Yury Chemerkin
 
Automation In Android & iOS Application Review
Blueinfy Solutions
 
ISACA CACS 2012 - Mobile Device Security and Privacy
Michael Davis
 
Onlinesecurityrecomendations2014 141230081030-conversion-gate02
amiinaaa
 
iOS-Application-Security-iAmPr3m
Prem Kumar (OSCP)
 
Ad

More from Tjylen Veselyj (8)

PPTX
Web Application Firewall (WAF) DAST/SAST combination
Tjylen Veselyj
 
PPTX
Intro to Security in SDLC
Tjylen Veselyj
 
PPTX
Welcome to the world of hacking
Tjylen Veselyj
 
PPTX
iOS Forensics
Tjylen Veselyj
 
PPTX
Virtual Machine Introspection - Future of the Cloud
Tjylen Veselyj
 
PPTX
Sh#3 incident forensics
Tjylen Veselyj
 
PPTX
Owasp Community in Lviv
Tjylen Veselyj
 
PPTX
Sql Injection V.2
Tjylen Veselyj
 
Web Application Firewall (WAF) DAST/SAST combination
Tjylen Veselyj
 
Intro to Security in SDLC
Tjylen Veselyj
 
Welcome to the world of hacking
Tjylen Veselyj
 
iOS Forensics
Tjylen Veselyj
 
Virtual Machine Introspection - Future of the Cloud
Tjylen Veselyj
 
Sh#3 incident forensics
Tjylen Veselyj
 
Owasp Community in Lviv
Tjylen Veselyj
 
Sql Injection V.2
Tjylen Veselyj
 

Recently uploaded (20)

PDF
Orbitly Pitch Deck|A Mission-Driven Platform for Side Project Collaboration (...
zz41354899
 
PDF
Peak of Data & AI Encore - Real-Time Insights & Scalable Editing with ArcGIS
Safe Software
 
PDF
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
PDF
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
PDF
Google I/O Extended 2025 Baku - all ppts
HusseinMalikMammadli
 
PDF
Software Development Methodologies in 2025
KodekX
 
PDF
Brief History of Internet - Early Days of Internet
sutharharshit158
 
PDF
Using Anchore and DefectDojo to Stand Up Your DevSecOps Function
Anchore
 
PDF
Accelerating Oracle Database 23ai Troubleshooting with Oracle AHF Fleet Insig...
Sandesh Rao
 
PDF
SparkLabs Primer on Artificial Intelligence 2025
SparkLabs Group
 
PDF
AI Unleashed - Shaping the Future -Starting Today - AIOUG Yatra 2025 - For Co...
Sandesh Rao
 
PDF
Oracle AI Vector Search- Getting Started and what's new in 2025- AIOUG Yatra ...
Sandesh Rao
 
PPTX
Simple and concise overview about Quantum computing..pptx
mughal641
 
PPTX
IT Runs Better with ThousandEyes AI-driven Assurance
ThousandEyes
 
PDF
The Future of Artificial Intelligence (AI)
Mukul
 
PDF
Tea4chat - another LLM Project by Kerem Atam
a0m0rajab1
 
PDF
Research-Fundamentals-and-Topic-Development.pdf
ayesha butalia
 
PPTX
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
PPTX
Dev Dives: Automate, test, and deploy in one place—with Unified Developer Exp...
AndreeaTom
 
PDF
Trying to figure out MCP by actually building an app from scratch with open s...
Julien SIMON
 
Orbitly Pitch Deck|A Mission-Driven Platform for Side Project Collaboration (...
zz41354899
 
Peak of Data & AI Encore - Real-Time Insights & Scalable Editing with ArcGIS
Safe Software
 
Responsible AI and AI Ethics - By Sylvester Ebhonu
Sylvester Ebhonu
 
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
Google I/O Extended 2025 Baku - all ppts
HusseinMalikMammadli
 
Software Development Methodologies in 2025
KodekX
 
Brief History of Internet - Early Days of Internet
sutharharshit158
 
Using Anchore and DefectDojo to Stand Up Your DevSecOps Function
Anchore
 
Accelerating Oracle Database 23ai Troubleshooting with Oracle AHF Fleet Insig...
Sandesh Rao
 
SparkLabs Primer on Artificial Intelligence 2025
SparkLabs Group
 
AI Unleashed - Shaping the Future -Starting Today - AIOUG Yatra 2025 - For Co...
Sandesh Rao
 
Oracle AI Vector Search- Getting Started and what's new in 2025- AIOUG Yatra ...
Sandesh Rao
 
Simple and concise overview about Quantum computing..pptx
mughal641
 
IT Runs Better with ThousandEyes AI-driven Assurance
ThousandEyes
 
The Future of Artificial Intelligence (AI)
Mukul
 
Tea4chat - another LLM Project by Kerem Atam
a0m0rajab1
 
Research-Fundamentals-and-Topic-Development.pdf
ayesha butalia
 
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
Dev Dives: Automate, test, and deploy in one place—with Unified Developer Exp...
AndreeaTom
 
Trying to figure out MCP by actually building an app from scratch with open s...
Julien SIMON
 

Mobile security services 2012

  • 1. Mobile Security Service Overview Nazar Tymoshyk Ph.D, R&D Manager/Security Consultant
  • 2. Call History Messages Social Networking Visited websites Contacts Mobile Banking VideosPhotosDocuments PINs & Passwords Who knows more about you than your smartphone?
  • 3. always with you! Always on Your mobile
  • 4. All Apps are considered safe until proven guilty by a security review
  • 5. Key Mobile Device Security Concerns • Confidentiality – Commercial Data • Ex: Financial, IP, etc. – Personal Data • Ex: Customer, Employee records, PCI, etc. • User Personal Data – Diplomatic cables • Accessibility – Resource uptime – High Availability / Recoverability – Archive Maintain device flexibility while protecting against security risks 5
  • 6. THE ANYTIME, ANYWHERE YOUNG WORKER Prefers an unconventional work schedule, working anytime and anywhere Believes he should be allowed to access social media and personal websites from company-issued devices Checks Facebook page at least once a day Doesn’t believe he needs to be in the office on a regular basis Believes that IT is ultimately responsible for security, not him Will violate IT policies if it’s necessary to get the job done Owns multiple devices, such as laptops, tablets, and mobile phones (often more than one)
  • 8. Man in the Middle attacks Prevention of man-in-the-middle attack for Wi-Fi
  • 9. Your company could be part or victim of mobile Botnet attack Zeus bot for Mobil - Zitmo
  • 10. Mobile applications for Healthcare Require HIPAA security assessments
  • 11. Competitors They do all to get your secrets
  • 12. • Sensitive data leakage (inadvertent or side channel) • Unsafe sensitive data storage • Unsafe sensitive data transmission • Hardcoded password/keys Mobile application Vulnerabilities:
  • 13. Test Results regarding Availability of Secrets to Attackers in the Lost Device Scenario Tested Account Types Secret Type Accessibility AOL Email Password protected Apple Push Certificate + Token w/o passcode Apps using keychain with default protection depends on App protected Apple-token-sync (mobile me) Token w/o passcode CalDav Password w/o passcode Generic IMAP Password protected Generic SMTP server Password protected Google Mail Password protected Google Mail as MS Exchange Account Password w/o passcode iChat.VeniceRegistrationAgent Token w/o passcode iOS Backup Password Password protected LDAP Password w/o passcode Lockdown Daemon Certificate w/o passcode MS Exchange Password w/o passcode Voicemail Password w/o passcode VPN IPsec Shared Secret Password w/o passcode VPN XAuth Password Password w/o passcode VPN PPP Password Password w/o passcode Website Account from Safari Password protected WiFi (Company WPA with LEAP) Password w/o passcode WiFi WPA Password w/o passcode Yahoo Email Token + Cookie protected
  • 14. What You LOSE? If your confidential data will be leaked?
  • 16. SoftServe Mobile Security Portfolio Mobile Application Security Assessment Mobile Forensics Mobile Network Security assessment Mobile Device Management
  • 18. Mobile Forensics 1. Messaging (corporate Emails and banking SMS ) 2. Audio (calls activities and open microphone recording) 3. Video (still and full-motion) 4. Locations 5. Contact list 6. Call history 7. Browsing history and passwords 8. Input 9. Data files
  • 20. • Manage policies • Manage mobile applications • Manage devices • Control security • Control passwords • Control access Mobile Device Management We are partner with MDM provider AirWatch
  • 21. How we help you? (переробити на мобільна безпека)
  • 23. Password vs. Bruteforce Passcode Complexity Bruteforce time 4 digits 18 minutes 4 alphanumeric 51 hours 5 alphanumeric 8 years 8 alphanumeric 13,000 years
  • 25. Our Methodology • OWASP Mobile • Automatize Apps analysis – Static Analysis – Dynamic Analysis • OWASP Mobile Top 10 Risk mitigation methodology
  • 26. CLEAR TEXT SECRETS • App fails to protect sensitive information, credentials • OWASP Mobile: M1- Insecure Data Storage
  • 27. CLEAR TEXT SECRETS EXAMPLE: CREDENTIALS MANAGER (CVE-2011-1840)
  • 29. DEBUG ENABLED • App ships to market with logging or debugging • features enabled • Helps attacker to learn Apps internal • OWASP Mobile: M8- Side Channel • Data Leakage
  • 30. CROSS SITE SCRIPTING (XSS) EXAMPLE, INCASE YOU MISSED IT
  • 31. DATA VALIDATION • App fails to perform appropriate data • validation • Accounts for many common risks • OWASP Mobile: M4- Client Side Injection
  • 32. DATA VALIDATION MITIGATION • Validate data for: – Valid – Safe – Length • For SQL queries use prepared statements • Validate (sanitize) and escape data before render for web Apps • Use white list approach instead black list • approach. Check out OWASP ESAPI libraries
  • 33. PII COMPROMISE • App can collect plenty of PII information • – User: username, contacts, bookmarks • – Device: S.O. ver, device name, IMEI, IMSI, • kernel version, UUID • – General info: geolocalization • – OWASP Mobile Risk Classification: M8 – Side • Channel Data Leakage
  • 34. PII COMPROMISE MITIGATION • Apps don't need to collect all they can, just • what they need • • If collecting PII: • – Where is that info going? • • Log files • • Data storages • • Network • – Protect it: • • Transit • • At Rest
  • 35. 3RD PARTY LIBRARIES INTEGRATION • App integrates 3rd party libraries: • – Facebook • – Greendroid • – Android.ads • – Apache • – google.android.apps.analytics • – Json • – Mozilla • – Javax • – xmlrpc.android • – slf4j
  • 36. 3RD PARTY LIBRARIES INTEGRATION MITIGATION • If using 3rd party libraries, use proven • libraries • What info are these libraries collecting? • Do we really need social networking libs • integrated into our finance apps?
  • 37. WEAK CRYPTO • Incorrect use of crypto libraries • Implementing custom • bad ass crypto algorithm • M9 - Broken Cryptography
  • 38. HARDCODED CREDENTIALS App contains credentials embedded in code • Easy to spot by attackers • OWASP Mobile: M10- Sensitive Information Disclosure
  • 39. HARDCODED CREDENTIALS MITIGATION • Easy, don't write credentials into code files • What happens when the credentials change? • You need to upload a new version on the app! • Credentials need to use secure data storages
  • 43. Do you have any QUESTIONS?

Editor's Notes

  • #4: Smartphones and other mobile devices serve the same functions as laptop computers—with comparable computing power—but with little or no endpoint security.phone call logsaddress bookemailssmsMobile browser historydocumentscalendarVoice calls cross trough it (volatile but non that much)Corporate network accessGPS tracking dataEnterprise employees use it for their business activityMobile phones became the most personal and private item we ownGet out from home and you take:House & car keyPortfolioMobile phone
  • #6: “The best approach to tablet security is one that allows the ability to isolate business and personal apps and data reliably, applying appropriate security policy to each,” says HoracioZambrano, product manager for Cisco. “Policy happens in the cloud or with an intelligent network, while for the employee, their user experience is preserved and they can leverage the native app capabilities of the device.”
  • #7: Ten years ago, employees were assigned laptops and told not to lose them. They were given logins to the company network, and told not to tell anyone their password. End of security training. Today, your “millennial” employees—the people you want to hire because of the fresh ideas and energy they can bring to your business—show up to their first day on the job toting their own phones, tablets, and laptops, and expect to integrate them into their work life. They also expect others—namely, IT staff and chief information officers—to figure out how they can use their treasured devices, anywhere and anytime they want to, without putting the enterprise at risk. Security, they believe, is not really their responsibility: They want to work hard, from home or the office, using social networks and cloud applications to get the job done, while someone else builds seamless security into their interactions. Research from the Connected World study offers a snapshot of how younger workers and college students about to enter the workforce view security, access to information, and mobile devices. Here’s a snapshot of who you’ll be hiring, based on findings from the study:
  • #9: Mobile Device Management (Prevention of man-in-the-middle attack for wifi)Any sensitive data transferred across wireless network is sniffed and analyzedWill be presented on next sales meeting
  • #10: mobile = PC orOperating SystemWifi = network
  • #38: Use proven crypto libraries and readdocumentation!• Forget about your own crypto• If using SHA1 or MD5 for passwordsapply salt, even better use SHA-256• If using SHA1PRNG set the seed
  • #39: Bh-eu-12-rose0smartphone_apps