1. W1
Track Session
4/20/2016 10:00 AM
"Usability vs. Security: Find the
Right Balance in Mobile Apps"
Presented by:
Levent Gurses
Movel
Brought to you by:
340 Corporate Way, Suite 300, Orange Park, FL 32073
888-268-8770 ∙ 904-278-0524 ∙ info@techwell.com ∙ www.techwell.com

2. Levent Gurses
Movel
A developer, hacker, speaker, community organizer, and entrepreneur, Levent
Gurses is president of Movel, a Washington DC area-based mobile app design
and development company. Levent’s areas of expertise include mobile
development, mobile and cloud security, wearables and Internet of Things (IoT),
mobile user experience, maximizing the value of existing assets for hybrid and
mobile-first apps, startups and strategies for building minimum viable products,
mobile monetization, and enterprise mobility. Actively engaged in mobile and full-
stack development communities, Levent frequently speaks on mobile strategy,
user experience, and security at conferences, meetup groups, and user
communities and associations.

3. Levent Gurses, Movel
@gursesl
Mobile Dev + Test
2016
● The big idea
● Users will use, hackers will hack
● User experience
● Mobile security
● Wearables and IoT - usability vs. security
● Solution
○ The art
○ The science

6. ● Usability and security do not have to compete
● Good usability can improve security
● What’s needed is more thought and better tools
○ Risk assessment
○ Impact analysis
○ Careful usability design
○ Usability testing
○ Usability & security analytics
● Total Protection →Point Protection
○ ID & secure areas of high risk and impact

7. ● Does data security matter?
● Do users value good app experience?
● Do app store reviews matter?

10. ● Users wouldn't have to authenticate - permanent,
automatic, biometric authentication
● Apps would have all data needed, at all times
● All data would be secure
● Servers would be protected
● No data would be stolen
● Stolen/lost devices
● Jailbreaking
● Rooting
● Man-in-the middle attacks
● Phishing attacks

11. ● Passwords have caused more security issues
than probably any other factor
● Weak/ineffective passwords have caused most
of the hacks in recent years
● Spear phishing campaign can result in
administrator's username and password
● Non-admin user passwords are even harder to
keep track of
● Solution: Make passwords more complex
○ Mix of capital letters
○ Lowercase and alpha
○ Min length
● Drawbacks
○ 70% of users forget a password if too long and/or complex. (Source: Ponemon
Institute)
○ 90% of users would just leave a site if they have forgotten a password, instead
of recovering it. (Source: Janrain)
○ 40% of respondents at least sometimes, or often, write passwords down
(Source: Berkeley University Study)
○ 7.9 - number of unique passwords for an average user (Source: Janrain)

12. Most passwords are not strong enough: users tend to choose
meaningful, natural language words that they can remember
However, overzealous password rules can be annoying.
Password for the DHS E-file:
● Contain from 8 to 16 characters
● Contain at least 2 of the following 3 characters: uppercase alphabetic, lowercase
alphabetic, numeric
● Contain at least 1 special character (e.g., @, #, $, %, & *, +, =)
● Begin and end with an alphabetic character
● Not contain spaces
● Not contain all or part of your UserID
● Not use 2 identical characters consecutively
● Not be a recently used password

13. ● Biometrics
○ Fingerprints
○ Iris recognition
○ Facial recognition
○ Voice recognition
● Tokens
○ Physical
○ Software

14. ●
●
● Better user engagement
● More secure apps
● Better reviews in the app store, which leads to
○ Increased sales in the app store
○ Brand value
● Better compliance
● Solid user and community growth

15. A threat model focuses on the
intersection of likely attack vectors
with the points of human interaction.
The resulting area provides the
surface to what needs to be monitored
for user behavior and assessed for
vulnerabilities.

16. ● User engagement - before & after sign up
● Drops in sign ups
● Password/PIN issues
● Forgot my password
● Response times to auth
● Usage of biometric devices
●
●
●
●
●

17. ●
●
●
○
○
○
○
○
○

18. ●
●
●
●

19. ●
●
●
●
●
●

20. ●
●
●
●
●
●

21. ●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●
●

22. ● App authentication
● API authentication
● App authorization
● API authorization
● Cookie management
● Data/Input validation
● Encryption
● Local storage
● Error Handling/Information leakage
● Logging/Auditing
● Secure transport
● Certificate/key management
● Secure Code Environment
● Session Management

23. ● Create UX metrics - e.g. sign up dropout rate
● Create A/B split tests
● Use app analytics to monitor user behavior
● Discover the balance point between security and usability
● Usability and security can coexist
● True security is an outcome of great user experience
● Cross-functional teams are key
● Model, measure, tweak.
● Repeat.

24. Resources
● http://www.movel.co
● http://www.movel.co/company/events
● http://www.ponemon.org/local/upload/file/NokNokWP_FINAL_3.pdf
● https://www.owasp.org/index.php/Application_Threat_Modeling
● http://passwordresearch.com/stats/statistic101.html
● http://www1.janrain.com/rs/janrain/images/Industry-Research-Consumer-
Perceptions-of-Online-Registration-and-Social-Login-2012.pdf