The document discusses mobile security and insecurity. It notes that in 2014, 84.7% of mobile devices shipped ran on Android. It also discusses the main security concerns of enterprises, which include loss or theft of devices, insecure apps, and lack of device security controls. Examples of major data breaches in 2014 at companies like eBay, JP Morgan Chase, Home Depot and Target are provided to illustrate security horror stories. The document outlines various attack vectors against mobile devices, networks and servers, and provides examples for each. It suggests approaches to improving mobile security such as mobile device management, mobile application management, and endpoint security tools.
/// MOBILE (IN)SECURITY ?
WHOAMI
• Pentester at Integrity S.A.
• Web applications, Mobile Applications and Infrastructure
• BSc in Management Information Technology
• Offensive Security Certified Professional
MOBILE EQUIPMENTS
301.3 million shipments (2014Q2)
http://www.idc.com/prodserv/smartphone-os-market-share.jsp
2014Q2 MARKETSHARE
• Android: 84.7%
• iOS: 11.7%
• Windows Phone: 2.5%
• BlackBerry OS: 0.5%
• Others: 0.7%
http://www.idc.com/prodserv/smartphone-os-market-share.jsp
MOBILE PLATFORMS ON ENTERPRISE
BYOD & Mobile Security 2013 Survey Linkedin Information Security Group
ENTERPRISES MAIN SECURITY CONCERNS
BYOD & Mobile Security 2013 Survey Linkedin Information Security Group
ENTERPRISES MAIN SECURITY CONCERNS
I'm not a Hacker. Just a silly guy with a ski mask on. Don't know what I'm doing.
SECURITY HORROR STORIES 2014 (SO FAR...)
eBay - 145 million users and encrypted email address.
JP Morgan Chase - Customer information of 76 million households and 7 million businesses.
Home Depot - 56 million debit and credit cards.
Target - 40 million credit and debit cards.
Community Health Systems - Personal data of 4.5 million patients.
ATTACK VECTORS
Server
• Brute Force Attacks
• SQL Injections
• OS Command Execution
• ...
A WAY TO...
Mobile Device Management;
Mobile Application Management;
Endpoint Security Tools;
Network Access Control (NAC);
Endpoint Malware Protections;
…..
MOBILE DEVICE MANAGEMENT
- Focus on the Device
- Provisioning
- Security Policies Enforcement
- Reporting and Monitoring
- Software Distribution
MOBILE APPLICATION MANAGEMENT
- Focus on the Applications
- Same as previous but applied to the applications.
- Corporate App Store (wrapping)
WHICH ONE TO CHOOSE ?
- Depends on your objectives
- Mixed solution
NOT ONLY *WARE APPROACH
- Defense-In-Depth
- Raise User Awareness
- Secure Development Best Practices (OWASP)
- Threat Modeling
- Continuous Penetration Testing