Looking to Build a Secure Enterprise Mobile Application? Here’s How! Mush Hakhinian, Chief Security Architect, Intralinks

Presentation transcript:

Looking to Build a Secure Enterprise Mobile Application? Here’s How!
Mush Hakhinian, Chief Security Architect, Intralinks

© Intralinks 2014

Agenda
– Overview
– Introduction
– Essential Security Features
– Verifying Mobile App Security
– Summary
– Q&A

Intralinks® Company Overview
Company
– Founded in employees (as of April 2014)
– Publicly traded (NYSE:IL)
Financials
– $234.5M revenue (2013)
– $36.9M Adjusted EBITDA (2013)
– $38.8M R&D (highest among peers as a share of revenue)
Customer footprint
– Has been used by 99% of the Fortune 1000
– $23.5T of financial transactions completed on Intralinks
– Includes top 20 pharma firms, top 10 biotech firms and top 5 CROs
Technology platform
– 3.1M total paid users across 90K organizations since launch
– 34K new users per month with an average of 48K logins per day

We address the breadth of enterprise content sharing needs on a single cloud content collaboration platform
(Figure: platform capabilities plotted by number of users against business value per user)
– Customer-specific solutions on Intralinks platform (configured by Intralinks, customer or partner)
– Mobile content access
– Ad hoc content collaboration
– Secure large file exchange
– Enterprise: design and manage secure content repositories (legal, sales, HR, etc.); configure detailed compliance reports; integrate with enterprise IT content (SharePoint, etc.); configure customer-specific solutions
– File synchronization and sharing
– Content distribution and management
– Content-centric applications

Introduction
– Consumer devices are used to connect to enterprise systems
– Mobile apps need to provide enterprise-grade security
Smart phones surpassed PC sales on 7/20/11

Qualities of a Secure Mobile App
– Compartmentalized data
– Standards-based encryption
– Strong authentication
– Control app lifecycle

Compartmentalized Data
– Always remember that the app interacts with an enterprise system
– Usually, consumer apps cache data locally
– Make sure that the enterprise system, and not the app, controls whether the data can be cached
  – Design your app so it can work with in-memory data
  – Assume there will not be a local copy
– If local data is allowed, IT should be able to destroy the data without needing to wipe the device

Own Encryption
– Encrypt all local data with 256-bit keys
– Usually, the app needs to store session-related information on disk (e.g. ‘remember me’ function)
– Always treat information in configuration files as private
– Implement secure key exchange, so the key is never stored on the device

Strong Authentication
– Implement two-factor authentication
– Make PINs mandatory for ‘remember me’ functionality
– Never compromise on security for convenience

Control App Lifecycle
– Control whether the app can run in the background
– Developers may tie clearing the cache to app unloading
– Explicitly disable the ability of the app to run in the background, so it will unload
  – Disable the setting and make this the default
– If running in the background is desired, make sure data is not available to other apps
– Check for jailbroken devices

Finding Security Issues Before Adversaries
– Code Review
– Test With Debuggers
– Potential Issues And Solutions

Code Review
– Do a full code review; hire professionals

Test with Debuggers
– Run the app through debuggers and simulators to find data ‘left behind’

Potential Issues and Solutions
– Issue: running the app in the emulator, we looked at the directory that $TMPDIR points to and found temporary data left behind.
– Solution: write a delegate to remove the data before exiting the app.

Potential Issues and Solutions
– Issue: when run from the emulator, we saw that the app was storing the user’s PIN and single sign-on token in clear text.
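The standard iOS fix for a session token found in clear text (and for the "treat session data as private" point on the Own Encryption slide) is to keep it in the Keychain with a device-bound accessibility class rather than in NSUserDefaults or a plist. The following is an added example, not code from the talk or from Intralinks; the service name `com.example.mobileapp.sso` and the account label are assumptions.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical service identifier for the app's Keychain entries
static NSString * const kSSOTokenService = @"com.example.mobileapp.sso";

static NSMutableDictionary *SSOTokenQuery(void) {
    return [@{ (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
               (__bridge id)kSecAttrService: kSSOTokenService,
               (__bridge id)kSecAttrAccount: @"sso-token" } mutableCopy];
}

// Persist the single sign-on token in the Keychain. Only the token is stored;
// the PIN that gates 'remember me' is never written to disk in clear text.
BOOL StoreSSOToken(NSString *token) {
    NSMutableDictionary *item = SSOTokenQuery();
    SecItemDelete((__bridge CFDictionaryRef)item);          // replace any previous value
    item[(__bridge id)kSecValueData] = [token dataUsingEncoding:NSUTF8StringEncoding];
    // Readable only while the device is unlocked, and excluded from backups that
    // could be restored onto another device
    item[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)item, NULL) == errSecSuccess;
}

// Read the token back; returns nil when no token is stored or the device is locked
NSString *LoadSSOToken(void) {
    NSMutableDictionary *query = SSOTokenQuery();
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
    CFTypeRef result = NULL;
    if (SecItemCopyMatching((__bridge CFDictionaryRef)query, &result) != errSecSuccess) {
        return nil;
    }
    NSData *data = (__bridge_transfer NSData *)result;
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}

// Called on logout or on a remote "destroy local data" instruction from IT
BOOL ClearSSOToken(void) {
    OSStatus status = SecItemDelete((__bridge CFDictionaryRef)SSOTokenQuery());
    return status == errSecSuccess || status == errSecItemNotFound;
}
```

ClearSSOToken is what a remote-wipe handler would call so IT can destroy the app's data without wiping the device, as the Compartmentalized Data slide asks for.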

Potential Issues and Solutions
– Issue: the iPhone/iPad ‘Home’ button creates a screenshot of the current view and stores it as an image on the device. Two options:
  1. Set the “Application does not run in background” property to ‘YES’ in the Info.plist file
  2. In applicationDidEnterBackground, change the current view to a standard sanitized view, so data will not be leaked in the screenshot
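An added example (not code from the talk or from Intralinks) of an app delegate that applies option 2 above and also does the $TMPDIR cleanup from the earlier slide, tying it to the lifecycle events described under Control App Lifecycle. The Info.plist key shown in the comment is the one Xcode labels “Application does not run in background”; the class name AppDelegate and the plain white cover view are assumptions.

```objective-c
#import <UIKit/UIKit.h>

// Option 1 from the slide, as an Info.plist fragment (the app unloads instead of suspending):
//   <key>UIApplicationExitsOnSuspend</key>
//   <true/>
// Option 2 below keeps background execution allowed but blanks the UI before iOS
// takes the app-switcher screenshot.

@interface AppDelegate : UIResponder <UIApplicationDelegate>
@property (strong, nonatomic) UIWindow *window;
@property (strong, nonatomic) UIView *privacyCover;   // sanitized view shown while backgrounded
@end

@implementation AppDelegate

// Remove everything under $TMPDIR (NSTemporaryDirectory()) so no data is 'left behind'
- (void)purgeTemporaryFiles {
    NSFileManager *fm = [NSFileManager defaultManager];
    NSString *tmp = NSTemporaryDirectory();
    for (NSString *name in [fm contentsOfDirectoryAtPath:tmp error:NULL]) {
        [fm removeItemAtPath:[tmp stringByAppendingPathComponent:name] error:NULL];
    }
}

- (void)applicationDidEnterBackground:(UIApplication *)application {
    // Cover the real UI first: the screenshot is taken after this method returns
    if (!self.privacyCover) {
        self.privacyCover = [[UIView alloc] initWithFrame:self.window.bounds];
        self.privacyCover.backgroundColor = [UIColor whiteColor];
    }
    [self.window addSubview:self.privacyCover];
    [self purgeTemporaryFiles];
}

- (void)applicationWillEnterForeground:(UIApplication *)application {
    // Re-authentication (PIN for 'remember me') would be triggered here before the cover comes off
    [self.privacyCover removeFromSuperview];
}

// Reached on the Home button when UIApplicationExitsOnSuspend is set (option 1)
- (void)applicationWillTerminate:(UIApplication *)application {
    [self purgeTemporaryFiles];
}

@end
```

Verify the fix the same way the slides did: background the app in the simulator, then inspect $TMPDIR and the stored snapshot images for anything other than the blank cover.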

Summary
– Does the app work with an MDM?
– Look out for regulatory requirements
– The mobile app should protect its own data
– Secure key exchange for encryption is necessary
– Perform a code review before releasing the app
– Ensure that mobile features do not leave behind data


Continuing the Discussion
Contact: Mush Hakhinian, Chief Security Architect, Intralinks