Mobile Security Service Overview
Nazar Tymoshyk, Ph.D., R&D Manager/Security Consultant
Call History
Messages
Social Networking
Visited websites
Contacts
Mobile Banking
Videos, Photos, Documents
PINs & Passwords
Who knows more about you than your smartphone?
Your mobile: always with you! Always on.
All Apps are considered safe until proven guilty by a security review
Key Mobile Device Security Concerns
• Confidentiality
– Commercial Data
• Ex: Financial, IP, etc.
– Personal Data
• Ex: Customer, Employee records, PCI, etc.
• User Personal Data
– Diplomatic cables
• Accessibility
– Resource uptime
– High Availability / Recoverability
– Archive
Maintain device flexibility while protecting against security risks
THE ANYTIME, ANYWHERE YOUNG WORKER
Prefers an unconventional work schedule, working anytime and anywhere
Believes he should be allowed to access social media and personal websites from company-issued devices
Checks Facebook page at least once a day
Doesn’t believe he needs to be in the office on a regular basis
Believes that IT is ultimately responsible for security, not him
Will violate IT policies if it’s necessary to get the job done
Owns multiple devices, such as laptops, tablets, and mobile phones (often more than one)
Man in the Middle attacks
Prevention of man-in-the-middle attacks for Wi-Fi
Your company could be part of, or a victim of, a mobile botnet attack
Zeus bot for Mobile - Zitmo
Mobile applications for Healthcare require HIPAA security assessments
Competitors
They will do anything to get your secrets
Mobile application Vulnerabilities:
• Sensitive data leakage (inadvertent or side channel)
• Unsafe sensitive data storage
• Unsafe sensitive data transmission
• Hardcoded password/keys
Test Results regarding Availability of Secrets to Attackers in the Lost Device Scenario

Tested Account Types                          Secret Type          Accessibility
AOL Email                                     Password             protected
Apple Push                                    Certificate + Token  w/o passcode
Apps using keychain with default protection   depends on App       protected
Apple-token-sync (mobile me)                  Token                w/o passcode
CalDav                                        Password             w/o passcode
Generic IMAP                                  Password             protected
Generic SMTP server                           Password             protected
Google Mail                                   Password             protected
Google Mail as MS Exchange Account            Password             w/o passcode
iChat.VeniceRegistrationAgent                 Token                w/o passcode
iOS Backup Password                           Password             protected
LDAP                                          Password             w/o passcode
Lockdown Daemon                               Certificate          w/o passcode
MS Exchange                                   Password             w/o passcode
Voicemail                                     Password             w/o passcode
VPN IPsec Shared Secret                       Password             w/o passcode
VPN XAuth Password                            Password             w/o passcode
VPN PPP Password                              Password             w/o passcode
Website Account from Safari                   Password             protected
WiFi (Company WPA with LEAP)                  Password             w/o passcode
WiFi WPA                                      Password             w/o passcode
Yahoo Email                                   Token + Cookie       protected
What do you lose if your confidential data is leaked?
Reputation, Trust, Money, Data, Time, Disciplinary actions, Clients
SoftServe Mobile Security Portfolio
Mobile Application Security Assessment
Mobile Forensics
Mobile Network Security Assessment
Mobile Device Management
SoftServe Mobile Security Framework
Mobile Forensics
1. Messaging (corporate Emails and banking SMS)
2. Audio (call activities and open microphone recording)
3. Video (still and full-motion)
4. Locations
5. Contact list
6. Call history
7. Browsing history and passwords
8. Input
9. Data files
Vulnerability identification
Mobile Device Management
• Manage policies
• Manage mobile applications
• Manage devices
• Control security
• Control passwords
• Control access
We partner with MDM provider AirWatch
How do we help you? (rework into mobile security)
Password vs. Bruteforce

Passcode Complexity   Bruteforce time
4 digits              18 minutes
4 alphanumeric        51 hours
5 alphanumeric        8 years
8 alphanumeric        13,000 years
Mobile Banking
Our Methodology
• OWASP Mobile
• Automated app analysis
– Static Analysis
– Dynamic Analysis
• OWASP Mobile Top 10 Risk mitigation methodology
CLEAR TEXT SECRETS
• App fails to protect sensitive information, credentials
• OWASP Mobile: M1 - Insecure Data Storage
CLEAR TEXT SECRETS EXAMPLE: CREDENTIALS MANAGER (CVE-2011-1840)
INSECURE CHANNELS EXAMPLE: SOCIAL NETWORKING
DEBUG ENABLED
• App ships to market with logging or debugging features enabled
• Helps an attacker learn the app's internals
• OWASP Mobile: M8 - Side Channel Data Leakage
CROSS SITE SCRIPTING (XSS) EXAMPLE, IN CASE YOU MISSED IT
DATA VALIDATION
• App fails to perform appropriate data validation
• Accounts for many common risks
• OWASP Mobile: M4 - Client Side Injection
DATA VALIDATION MITIGATION
• Validate data for:
– Validity
– Safety
– Length
• For SQL queries use prepared statements
• Validate (sanitize) and escape data before rendering in web apps
• Use a white list approach instead of a black list approach. Check out the OWASP ESAPI libraries
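The M4 mitigation above, shown on an app's local SQLite store: the concatenated query beside the prepared statement, plus the whitelist check. This is an added example, not code from the deck; the notes table, its rows and the owner-name charset are constructed for the demo.

```python
"""Client-side SQL injection on an app's local SQLite store, and the
prepared-statement fix the slide recommends. Added example, not from the
deck; schema, rows and the owner-name whitelist are constructed."""
import sqlite3

# Constructed sample data standing in for an app's on-device store.
SAMPLE_ROWS = [
    ("alice", "Alice: transfer limit raised to 5000"),
    ("bob", "Bob: new card PIN mailed"),
    ("carol", "Carol: statement password is in the vault"),
]

# Whitelist for account names (an assumption for this demo): lowercase
# letters, digits and underscore only, bounded length.
ALLOWED_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789_")
MAX_OWNER_LEN = 32


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT NOT NULL, body TEXT NOT NULL)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def notes_for_owner_vulnerable(conn, owner):
    """Query built by string concatenation: the M4 anti-pattern. A quote
    character in `owner` becomes part of the SQL and changes its structure,
    so a crafted name returns every user's rows instead of one."""
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def notes_for_owner_safe(conn, owner):
    """Prepared statement: `owner` is bound as a value, never parsed as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT body FROM notes WHERE owner = ?", (owner,))]


def is_valid_owner(owner):
    """The slide's three checks, whitelist style: valid charset, safe (no SQL
    metacharacters can pass), bounded length."""
    return 0 < len(owner) <= MAX_OWNER_LEN and set(owner) <= ALLOWED_CHARS


def notes_for_owner(conn, owner):
    """Defence in depth: reject bad input first, then use the bound query."""
    if not is_valid_owner(owner):
        raise ValueError("invalid owner name")
    return notes_for_owner_safe(conn, owner)


if __name__ == "__main__":
    conn = make_db()
    tampered = "nobody' OR '1'='1"
    print(notes_for_owner_vulnerable(conn, tampered))  # leaks every row
    print(notes_for_owner_safe(conn, tampered))        # []
    try:
        notes_for_owner(conn, tampered)
    except ValueError as err:
        print("rejected:", err)
```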
PII COMPROMISE
• App can collect plenty of PII:
– User: username, contacts, bookmarks
– Device: OS version, device name, IMEI, IMSI, kernel version, UUID
– General info: geolocation
• OWASP Mobile Risk Classification: M8 - Side Channel Data Leakage
PII COMPROMISE MITIGATION
• Apps don't need to collect all they can, just what they need
• If collecting PII:
– Where is that info going?
• Log files
• Data storages
• Network
– Protect it:
• In transit
• At rest
3RD PARTY LIBRARIES INTEGRATION
• App integrates 3rd party libraries:
– Facebook
– Greendroid
– Android.ads
– Apache
– google.android.apps.analytics
– Json
– Mozilla
– Javax
– xmlrpc.android
– slf4j
3RD PARTY LIBRARIES INTEGRATION MITIGATION
• If using 3rd party libraries, use proven libraries
• What info are these libraries collecting?
• Do we really need social networking libs integrated into our finance apps?
WEAK CRYPTO
• Incorrect use of crypto libraries
• Implementing a custom "bad ass" crypto algorithm
• OWASP Mobile: M9 - Broken Cryptography
HARDCODED CREDENTIALS
• App contains credentials embedded in code
• Easy to spot by attackers
• OWASP Mobile: M10 - Sensitive Information Disclosure
HARDCODED CREDENTIALS MITIGATION
• Easy: don't write credentials into code files
• What happens when the credentials change? You need to upload a new version of the app!
• Credentials need to use secure data storages
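Three of the review checks from these slides (DEBUG ENABLED, HARDCODED CREDENTIALS / CLEAR TEXT SECRETS, and the INSECURE CHANNELS case) as one static pass over an Android project, the kind of automated app analysis the methodology slide lists. Added example, not the deck's or SoftServe's tooling; the manifest, Java sources, package name and secret values are constructed placeholders.

```python
"""Static review for three findings from the slides: debuggable flag shipped
to market, string literals assigned to credential-looking names, and
cleartext http:// endpoints. Added example; inputs are constructed stand-ins
for an Android project's AndroidManifest.xml and source tree."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest with the debug flag left on.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <application android:label="Bank" android:debuggable="true">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Constructed sample sources carrying the anti-patterns from the slides.
SAMPLE_SOURCE = {
    "com/example/bank/Api.java": '''
package com.example.bank;
public class Api {
    static final String BASE_URL = "http://api.example.test/v1/";   // cleartext channel
    static final String API_KEY = "AKIA-PLACEHOLDER-EXAMPLE-KEY";     // hardcoded secret
    private static final String dbPassword = "S3cretPassw0rd!";      // hardcoded secret
    static final String LOGIN_PATH = "/login";                        // harmless
}
''',
    "com/example/bank/Util.java": '''
package com.example.bank;
public class Util {
    static final String HELP_URL = "https://help.example.test/";
    static String password = null;  // no literal value: not a finding
}
''',
}

# Identifier containing a credential keyword, assigned a string literal.
SECRET_ASSIGNMENT = re.compile(
    r'\w*(?:pass(?:word|wd)?|secret|token|api[_-]?key|private[_-]?key)\w*'
    r'\s*=\s*"([^"]+)"', re.IGNORECASE)
# Quoted URL using plain http; https is left alone.
CLEARTEXT_URL = re.compile(r'"(http://[^"\s]+)"')


def check_manifest(manifest_xml):
    """Return ["debuggable"] when <application android:debuggable="true">,
    otherwise an empty list. The attribute is namespaced, so look it up
    with the full Android namespace rather than the 'android:' prefix."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return []
    flag = app.get("{%s}debuggable" % ANDROID_NS, "false")
    return ["debuggable"] if flag.strip().lower() == "true" else []


def scan_source(files):
    """Yield (path, line_no, kind, value) for each secret literal or
    cleartext URL found in the given {path: text} mapping."""
    findings = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            for m in SECRET_ASSIGNMENT.finditer(line):
                findings.append((path, no, "hardcoded-credential", m.group(1)))
            for m in CLEARTEXT_URL.finditer(line):
                findings.append((path, no, "cleartext-url", m.group(1)))
    return findings


def review(manifest_xml, files):
    """Combine manifest and source checks into one report keyed by finding."""
    src = scan_source(files)
    return {
        "debuggable": bool(check_manifest(manifest_xml)),
        "hardcoded-credential": [f for f in src if f[2] == "hardcoded-credential"],
        "cleartext-url": [f for f in src if f[2] == "cleartext-url"],
    }


if __name__ == "__main__":
    for kind, value in review(SAMPLE_MANIFEST, SAMPLE_SOURCE).items():
        print(kind, value)
```

Reported secret values should be treated as findings to rotate, not copied into tickets verbatim; the regex is a first-pass triage, so expect to tune the keyword list per code base.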
Certifications
Ph.D. in Security
Security Clients 2010-2011:
Do you have any QUESTIONS?

Mobile security services 2012

  • 1. Mobile Security Service Overview Nazar Tymoshyk Ph.D, R&D Manager/Security Consultant
  • 2. Call History Messages Social Networking Visited websites Contacts Mobile Banking VideosPhotosDocuments PINs & Passwords Who knows more about you than your smartphone?
  • 3. always with you! Always on Your mobile
  • 4. All Apps are considered safe until proven guilty by a security review
  • 5. Key Mobile Device Security Concerns
    • Confidentiality
      – Commercial Data (Ex: Financial, IP, etc.)
      – Personal Data (Ex: Customer, Employee records, PCI, etc.)
      – User Personal Data
      – Diplomatic cables
    • Accessibility
      – Resource uptime
      – High Availability / Recoverability
      – Archive
    Maintain device flexibility while protecting against security risks
  • 6. THE ANYTIME, ANYWHERE YOUNG WORKER
    • Prefers an unconventional work schedule, working anytime and anywhere
    • Believes he should be allowed to access social media and personal websites from company-issued devices
    • Checks Facebook page at least once a day
    • Doesn’t believe he needs to be in the office on a regular basis
    • Believes that IT is ultimately responsible for security, not him
    • Will violate IT policies if it’s necessary to get the job done
    • Owns multiple devices, such as laptops, tablets, and mobile phones (often more than one)
  • 7.
  • 8. Man in the Middle attacks: prevention of man-in-the-middle attacks on Wi-Fi
  • 9. Your company could be part of, or the victim of, a mobile botnet attack. Zeus bot for Mobile: Zitmo
  • 10. Mobile applications for Healthcare require HIPAA security assessments
  • 11. Competitors: they do everything they can to get your secrets
  • 12. Mobile application Vulnerabilities:
    • Sensitive data leakage (inadvertent or side channel)
    • Unsafe sensitive data storage
    • Unsafe sensitive data transmission
    • Hardcoded passwords/keys
  • 13. Test Results regarding Availability of Secrets to Attackers in the Lost Device Scenario
    Tested Account Types                        | Secret Type         | Accessibility
    AOL Email                                   | Password            | protected
    Apple Push                                  | Certificate + Token | w/o passcode
    Apps using keychain with default protection | depends on App      | protected
    Apple-token-sync (MobileMe)                 | Token               | w/o passcode
    CalDav                                      | Password            | w/o passcode
    Generic IMAP                                | Password            | protected
    Generic SMTP server                         | Password            | protected
    Google Mail                                 | Password            | protected
    Google Mail as MS Exchange Account          | Password            | w/o passcode
    iChat.VeniceRegistrationAgent               | Token               | w/o passcode
    iOS Backup Password                         | Password            | protected
    LDAP                                        | Password            | w/o passcode
    Lockdown Daemon                             | Certificate         | w/o passcode
    MS Exchange                                 | Password            | w/o passcode
    Voicemail                                   | Password            | w/o passcode
    VPN IPsec Shared Secret                     | Password            | w/o passcode
    VPN XAuth Password                          | Password            | w/o passcode
    VPN PPP Password                            | Password            | w/o passcode
    Website Account from Safari                 | Password            | protected
    WiFi (Company WPA with LEAP)                | Password            | w/o passcode
    WiFi WPA                                    | Password            | w/o passcode
    Yahoo Email                                 | Token + Cookie      | protected
  • 14. What do you LOSE if your confidential data is leaked?
  • 16. SoftServe Mobile Security Portfolio
    • Mobile Application Security Assessment
    • Mobile Forensics
    • Mobile Network Security Assessment
    • Mobile Device Management
  • 18. Mobile Forensics
    1. Messaging (corporate emails and banking SMS)
    2. Audio (call activity and open-microphone recording)
    3. Video (still and full-motion)
    4. Locations
    5. Contact list
    6. Call history
    7. Browsing history and passwords
    8. Input
    9. Data files
  • 20. Mobile Device Management
    • Manage policies
    • Manage mobile applications
    • Manage devices
    • Control security
    • Control passwords
    • Control access
    We partner with MDM provider AirWatch
  • 21. How we help you? (rework for mobile; йоСпока)
  • 22.
  • 23. Password vs. Bruteforce
    Passcode Complexity | Bruteforce time
    4 digits            | 18 minutes
    4 alphanumeric      | 51 hours
    5 alphanumeric      | 8 years
    8 alphanumeric      | 13,000 years
  • 25. Our Methodology
    • OWASP Mobile
    • Automated app analysis
      – Static Analysis
      – Dynamic Analysis
    • OWASP Mobile Top 10 risk mitigation methodology
  • 26. CLEAR TEXT SECRETS
    • App fails to protect sensitive information, credentials
    • OWASP Mobile: M1 - Insecure Data Storage
  • 27. CLEAR TEXT SECRETS EXAMPLE: CREDENTIALS MANAGER (CVE-2011-1840)
  • 29. DEBUG ENABLED
    • App ships to market with logging or debugging features enabled
    • Helps an attacker learn the app's internals
    • OWASP Mobile: M8 - Side Channel Data Leakage
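A release-readiness check for the two conditions slide 29 describes, added here as an example; it is not code from this deck or from SoftServe. It parses a constructed AndroidManifest.xml for `android:debuggable="true"` on the `<application>` element and scans constructed Java source for `android.util.Log` calls whose arguments mention secret-looking names (the logcat side channel M8 refers to). The class and method names in the sample source are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not taken from any real app): the developer
# left android:debuggable="true" on the <application> element.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:label="Demo" android:debuggable="true">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Constructed sample source (hypothetical LoginActivity): one Log.d() call
# writes the user's password to logcat, the other writes a harmless message.
SAMPLE_SOURCE = """\
package com.example.demo;
import android.util.Log;
public class LoginActivity {
    private static final String TAG = "Login";
    void doLogin(String user, String password) {
        Log.d(TAG, "logging in " + user + " with password " + password);
        Log.i(TAG, "login attempt");
        api.authenticate(user, password);
    }
}
"""

LOG_CALL = re.compile(r"\bLog\.[vdiwe]\s*\((?P<args>.*)\)")
SENSITIVE = re.compile(r"pass(word|wd)|token|secret|\bpin\b|imei|imsi|session", re.I)


def is_debuggable(manifest_xml):
    """True when <application> carries android:debuggable="true"."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return False
    value = app.get("{%s}debuggable" % ANDROID_NS, "false")
    return value.strip().lower() == "true"


def sensitive_log_lines(source):
    """(line_number, line) for Log.* calls whose arguments mention a
    secret-looking name; anything logged this way is readable via logcat."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = LOG_CALL.search(line)
        if m and SENSITIVE.search(m.group("args")):
            hits.append((lineno, line.strip()))
    return hits


def review(manifest_xml, source):
    """Collect findings for the debug/logging check before a release build ships."""
    findings = []
    if is_debuggable(manifest_xml):
        findings.append("manifest: android:debuggable=true, a debugger can attach to the shipped app")
    for lineno, line in sensitive_log_lines(source):
        findings.append("source line %d: sensitive value written to the log: %s" % (lineno, line))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_MANIFEST, SAMPLE_SOURCE):
        print(finding)
```

Run it against the real manifest and source tree in the build pipeline; a non-empty `review()` result is a reason to fail the release build rather than a note for later.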
  • 30. CROSS SITE SCRIPTING (XSS) EXAMPLE, IN CASE YOU MISSED IT
  • 31. DATA VALIDATION
    • App fails to perform appropriate data validation
    • Accounts for many common risks
    • OWASP Mobile: M4 - Client Side Injection
  • 32. DATA VALIDATION MITIGATION
    • Validate data for:
      – Validity
      – Safety
      – Length
    • For SQL queries use prepared statements
    • Validate (sanitize) and escape data before rendering in web apps
    • Use a white-list approach instead of a black-list approach. Check out the OWASP ESAPI libraries
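The three mitigations on slide 32 side by side, as an added example that is not from this deck or from SoftServe: a white-list validator, the string-concatenated query next to its prepared-statement form, and HTML escaping before rendering. It uses Python's standard `sqlite3` module (SQLite is also the on-device database on Android and iOS) with a constructed two-row table; the input string with a quote in it is constructed to show why the concatenated form returns the wrong rows.

```python
import html
import re
import sqlite3

# White-list pattern: only the characters and length a username may have.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def is_valid_username(value):
    """White-list validation: accept only what the pattern allows (valid,
    safe characters, bounded length); everything else is rejected."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def demo_db():
    """In-memory SQLite table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", 100), ("bob", 250)])
    return conn


def balance_concat(conn, name):
    """Vulnerable form: the caller's string is spliced into the SQL text,
    so a quote character inside it changes the query's meaning."""
    sql = "SELECT balance FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def balance_prepared(conn, name):
    """Hardened form: the prepared statement binds the value as data;
    it is never parsed as SQL, whatever characters it contains."""
    sql = "SELECT balance FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def render_greeting(name):
    """Escape before rendering in a WebView/HTML page so markup inside
    the value is displayed as text instead of being interpreted."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo():
    conn = demo_db()
    odd_input = "x' OR '1'='1"   # constructed input containing a quote
    result = {
        "input_passes_whitelist": is_valid_username(odd_input),
        "concat_rows": balance_concat(conn, odd_input),
        "prepared_rows": balance_prepared(conn, odd_input),
    }
    if is_valid_username("alice"):
        result["alice"] = balance_prepared(conn, "alice")
    return result


if __name__ == "__main__":
    print(demo())
```

The white-list check alone would already have rejected the odd input; the prepared statement is the second, independent layer, so a value that slips past validation still cannot alter the query.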
  • 33. PII COMPROMISE
    • App can collect plenty of PII:
      – User: username, contacts, bookmarks
      – Device: OS version, device name, IMEI, IMSI, kernel version, UUID
      – General info: geolocation
    • OWASP Mobile Risk Classification: M8 - Side Channel Data Leakage
  • 34. PII COMPROMISE MITIGATION
    • Apps don't need to collect all they can, just what they need
    • If collecting PII:
      – Where is that info going?
        • Log files
        • Data storages
        • Network
      – Protect it:
        • In transit
        • At rest
  • 35. 3RD PARTY LIBRARIES INTEGRATION
    • App integrates 3rd party libraries:
      – Facebook
      – Greendroid
      – Android.ads
      – Apache
      – google.android.apps.analytics
      – Json
      – Mozilla
      – Javax
      – xmlrpc.android
      – slf4j
  • 36. 3RD PARTY LIBRARIES INTEGRATION MITIGATION
    • If using 3rd party libraries, use proven libraries
    • What info are these libraries collecting?
    • Do we really need social networking libs integrated into our finance apps?
  • 37. WEAK CRYPTO
    • Incorrect use of crypto libraries
    • Implementing a custom "badass" crypto algorithm
    • M9 - Broken Cryptography
  • 38. HARDCODED CREDENTIALS
    • App contains credentials embedded in code
    • Easy to spot by attackers
    • OWASP Mobile: M10 - Sensitive Information Disclosure
  • 39. HARDCODED CREDENTIALS MITIGATION
    • Easy: don't write credentials into code files
    • What happens when the credentials change? You need to upload a new version of the app!
    • Credentials need to live in secure data storage
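The kind of static check that finds what slides 38 and 39 describe, added here as an example and not taken from this deck or from SoftServe. It walks constructed Java source and reports string literals that are either assigned to a credential-like identifier or are long, token-shaped blobs with no spaces or punctuation (the heuristic secret scanners use). The `ApiClient` class and every literal in it are constructed for the example and are not real keys.

```python
import re

# Constructed sample source (hypothetical ApiClient class): three secrets
# are embedded as literals, two literals (a log tag, a URL) are harmless,
# and one field correctly receives its value at runtime.
SAMPLE_JAVA = """\
public class ApiClient {
    private static final String API_KEY = "AKIAEXAMPLE0123456789AB";
    private static final String DB_PASSWORD = "s3cretPass!";
    private static final String TAG = "ApiClient";
    private static final String BASE_URL = "https://api.example.invalid/v1";
    private static final String AUTH_VALUE = "c2VjcmV0LXZhbHVlLWZvci1kZW1vLW9ubHk=";
    private final String password;   // supplied at runtime, no literal
}
"""

# identifier = "literal"
ASSIGNMENT = re.compile(r'(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*"(?P<value>[^"]*)"')
# identifiers that usually hold credentials
SECRET_NAME = re.compile(r"pass(word|wd)?|secret|token|api_?key|private_?key|credential", re.I)
# long unbroken base64/hex-looking blob: token-shaped even when the name is bland
TOKEN_LIKE = re.compile(r"[A-Za-z0-9+/=_-]{32,}")


def find_hardcoded_credentials(source, min_len=8):
    """Return (line_number, identifier) for literals that look like
    embedded credentials. Short literals are skipped to cut noise."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group("name"), m.group("value")
            if len(value) < min_len:
                continue
            if SECRET_NAME.search(name) or TOKEN_LIKE.fullmatch(value):
                hits.append((lineno, name))
    return hits


def report(source):
    """Human-readable findings, one per flagged assignment."""
    return ["line %d: literal assigned to %s looks like a credential; load it at runtime instead"
            % (lineno, name) for lineno, name in find_hardcoded_credentials(source)]


if __name__ == "__main__":
    for line in report(SAMPLE_JAVA):
        print(line)
```

The fix side of slide 39 is not shown in code: credentials are supplied at runtime from the platform's protected store (Keychain on iOS, Keystore on Android) or obtained per user after authentication, so rotating them never requires a new app build. The scanner is a gate, run over the source tree before release, to make sure nothing of that kind was left in a literal.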
  • 40.
  • 43. Do you have any QUESTIONS?

Editor's Notes

  1. Smartphones and other mobile devices serve the same functions as laptop computers—with comparable computing power—but with little or no endpoint security. They hold: phone call logs, address book, emails, SMS, mobile browser history, documents, calendar. Voice calls pass through it (volatile, but not that much). Corporate network access. GPS tracking data. Enterprise employees use it for their business activity. Mobile phones became the most personal and private item we own. Leave home and you take: house & car keys, portfolio, mobile phone.
  2. “The best approach to tablet security is one that allows the ability to isolate business and personal apps and data reliably, applying appropriate security policy to each,” says Horacio Zambrano, product manager for Cisco. “Policy happens in the cloud or with an intelligent network, while for the employee, their user experience is preserved and they can leverage the native app capabilities of the device.”
  3. Ten years ago, employees were assigned laptops and told not to lose them. They were given logins to the company network, and told not to tell anyone their password. End of security training. Today, your “millennial” employees—the people you want to hire because of the fresh ideas and energy they can bring to your business—show up to their first day on the job toting their own phones, tablets, and laptops, and expect to integrate them into their work life. They also expect others—namely, IT staff and chief information officers—to figure out how they can use their treasured devices, anywhere and anytime they want to, without putting the enterprise at risk. Security, they believe, is not really their responsibility: They want to work hard, from home or the office, using social networks and cloud applications to get the job done, while someone else builds seamless security into their interactions. Research from the Connected World study offers a snapshot of how younger workers and college students about to enter the workforce view security, access to information, and mobile devices. Here’s a snapshot of who you’ll be hiring, based on findings from the study:
  4. Mobile Device Management (prevention of man-in-the-middle attacks on Wi-Fi). Any sensitive data transferred across a wireless network is sniffed and analyzed. Will be presented at the next sales meeting.
  5. mobile = PC or Operating System; Wi-Fi = network
  6. Use proven crypto libraries and read the documentation!
     • Forget about your own crypto
     • If using SHA1 or MD5 for passwords, apply a salt; even better, use SHA-256
     • If using SHA1PRNG, set the seed
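Slide 37 (weak crypto, M9) and editor's note 6 both come down to the same rule: no home-made algorithm, a salt on every password hash, and a properly seeded random source. This added example, not code from the deck or from SoftServe, puts the unsalted fast hash the note warns about beside a salted, iterated PBKDF2-HMAC-SHA256 from Python's standard library, which goes one step past the note's salted SHA-256 by making each guess deliberately slow. The salt comes from the operating system CSPRNG (`os.urandom`), the Python counterpart of seeding a platform SecureRandom correctly; the iteration count is an assumption to be tuned per device.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumption: tune so one hash costs tens of ms on target hardware


def weak_hash(password):
    """What the note warns against: an unsalted, fast hash. Equal passwords
    give equal digests, so one precomputed table cracks every account."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated PBKDF2-HMAC-SHA256. The result is self-describing
    (algorithm$iterations$salt$digest) so parameters can be raised later
    without breaking stored records."""
    if salt is None:
        salt = os.urandom(16)   # 128-bit salt from the OS CSPRNG, never a fixed value
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in
    constant time so timing does not reveal how many bytes matched."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo():
    """Constructed passwords; shows why the weak form is weak and that the
    strong form verifies correctly while never repeating a digest."""
    h1 = hash_password("correct horse")
    h2 = hash_password("correct horse")
    return {
        "weak_repeats": weak_hash("correct horse") == weak_hash("correct horse"),
        "strong_differs_per_user": h1 != h2,
        "verify_ok": verify_password("correct horse", h1),
        "verify_wrong": verify_password("wrong horse", h1),
        "verify_garbage": verify_password("correct horse", "not-a-record"),
    }


if __name__ == "__main__":
    print(demo())
```

The same shape applies in Java on Android with `PBKDF2WithHmacSHA256` from `SecretKeyFactory` and a `SecureRandom`-generated salt; what matters is the structure (unique salt, many iterations, constant-time compare), not the language.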
  7. Bh-eu-12-rose0smartphone_apps