Looking to Build a Secure Enterprise Mobile Application? Here's How!
Mush Hakhinian, Chief Security Architect, Intralinks


1 Looking to Build a Secure Enterprise Mobile Application? Here's How!
Mush Hakhinian, Chief Security Architect, Intralinks

2 Looking to Build a Secure Enterprise Mobile Application? Here's How!
Mush Hakhinian, Chief Security Architect, mhakhinian@intralinks.com
© Intralinks 2014

3 Agenda
Overview
Introduction
Essential Security Features
Verifying Mobile App Security
Summary
Q&A

4 Intralinks® Company Overview
Company: founded in 1996; 715 employees (as of April 2014); publicly traded (NYSE:IL)
Financials: $234.5M revenue (2013); $36.9M Adjusted EBITDA (2013); $38.8M R&D (2013 - highest among peers as a share of revenue)
Customer footprint: has been used by 99% of the Fortune 1000; $23.5T of financial transactions completed on Intralinks; includes the top 20 pharma firms, top 10 biotech firms and top 5 CROs
Technology platform: 3.1M total paid users across 90K organizations since launch; 34K new users per month with an average of 48K logins per day

5 We address the breadth of enterprise content sharing needs on a single cloud content collaboration platform
(Chart: business value / user against number of users; axis labels "Enterprise", "Content distribution and management", "Content-centric applications")
Customer-specific solutions on Intralinks platform (configured by Intralinks, customer or partner)
Mobile content access
Ad hoc content collaboration
Secure large file exchange
File synchronization and sharing
Design and manage secure content repositories (legal, sales, HR, etc.)
Configure detailed compliance reports
Integrate with enterprise IT content (SharePoint, etc.)
Configure customer-specific solutions

6 Introduction
Consumer devices are used to connect to enterprise systems
Mobile apps need to provide enterprise-grade security
(Chart caption: Smart phones surpassed PC sales on 7/20/11)

7 Qualities of a Secure Mobile App
Compartmentalized data
Standards-based encryption
Strong authentication
Control app lifecycle

8 Compartmentalized Data
Always remember that the app interacts with an enterprise system
Usually, consumer apps cache data locally
Make sure that the enterprise system, and not the app, controls whether the data can be cached
–Design your app so it can work with in-memory data
–Assume there will not be a local copy
If local data is allowed, IT should be able to destroy the data without needing to wipe the device

9 Own Encryption
Encrypt all local data with 256-bit keys
Usually, the app needs to store session-related information on disk (e.g. a 'remember me' function)
Always treat information in configuration files as private
Implement secure key exchange, so the key is never stored on the device

10 Strong Authentication
Implement two-factor authentication
Make PINs mandatory for 'remember me' functionality
Never compromise on security for convenience

11 Control App Lifecycle
Control whether the app can run in the background
Developers may tie clearing the cache to app unloading
Explicitly disable the ability of the app to run in the background, so it will unload
–Disable the setting and make this the default
If running in the background is desired, make sure data is not available to other apps
Check for jailbroken devices

12 Finding Security Issues Before Adversaries
Code Review
Test With Debuggers
Potential Issues And Solutions

13 Code Review
Do a full code review; hire professionals

14 Test with Debuggers
Run the app through debuggers and simulators to find data 'left behind'

15 Potential Issues and Solutions
Running the app in the emulator, we looked at the directory that $TMPDIR points to and found temporary data left behind.
Solution: write a delegate that removes the data before the app exits.

16 Potential Issues and Solutions
When run from the emulator, we saw that the app was storing the user's PIN and single sign-on token in clear text.

17 Potential Issues and Solutions
The iPhone/iPad 'Home' button creates a screenshot of the current view and stores it as an image on the device. Two options:
1. Set the "Application does not run in background" property to 'YES' in the Info.plist file
2. In applicationDidEnterBackground, change the current view to a standard sanitized view, so data will not be leaked in the screenshot
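As an added example (not code from the presentation or from Intralinks), the following iOS app delegate implements the two fixes from slides 15 and 17: it sweeps the temporary directory that $TMPDIR points to whenever the app leaves the foreground or terminates, and it covers the UI with a blank view inside applicationDidEnterBackground so the system snapshot does not capture enterprise data. The class and property names are the author's own choices; UIKit and Foundation calls are standard.

```swift
import UIKit

// Added example: an app delegate for a UIKit app without scenes.
// Slide 17, option 1, is a build setting rather than code: the raw
// Info.plist key behind "Application does not run in background" is
// UIApplicationExitsOnSuspend (Boolean, YES).
@UIApplicationMain
class AppDelegate: UIResponder, UIApplicationDelegate {
    var window: UIWindow?
    private var privacyCover: UIView?   // hypothetical name for the sanitized view

    // Slide 15: remove everything under NSTemporaryDirectory() ($TMPDIR).
    // A failure on one item is logged and the sweep continues.
    func purgeTemporaryFiles() {
        let fm = FileManager.default
        let tmp = NSTemporaryDirectory()
        guard let items = try? fm.contentsOfDirectory(atPath: tmp) else { return }
        for item in items {
            let path = (tmp as NSString).appendingPathComponent(item)
            do {
                try fm.removeItem(atPath: path)
            } catch {
                NSLog("could not remove %@: %@", path, error.localizedDescription)
            }
        }
    }

    // Slide 17, option 2: iOS takes the task-switcher snapshot after this
    // method returns, so the cover view is what ends up in the image.
    func applicationDidEnterBackground(_ application: UIApplication) {
        purgeTemporaryFiles()
        guard let window = window, privacyCover == nil else { return }
        let cover = UIView(frame: window.bounds)
        cover.backgroundColor = .white
        window.addSubview(cover)
        privacyCover = cover
    }

    // Restore the real UI when the user comes back.
    func applicationWillEnterForeground(_ application: UIApplication) {
        privacyCover?.removeFromSuperview()
        privacyCover = nil
    }

    // Also clean up when the system unloads the app entirely.
    func applicationWillTerminate(_ application: UIApplication) {
        purgeTemporaryFiles()
    }
}
```

Verify the result the way slide 14 describes: background the app in the simulator, then inspect $TMPDIR and the stored snapshot image to confirm nothing sensitive remains.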

18 Summary
Does the app work with an MDM?
Look out for regulatory requirements
The mobile app should protect its own data
Secure key exchange for encryption is necessary
Perform code review before releasing the app
Ensure that mobile features do not leave data behind


20 Continuing the Discussion
Contact: Mush Hakhinian, Chief Security Architect, Intralinks
mhakhinian@intralinks.com
617.357.3643

