Mobile devices are becoming the favored place for storing and doing everything we need, anywhere we want. From personal email to company-confidential information, social networks, location services and even online banking, we are storing our lives on mobile devices.
Is all of this information secure, or are we now facing some of the same problems we faced before in personal computing? Have we learned anything?
During this talk we discuss the most common problems affecting mobile devices, from Layer 1 to Layer 7: from poor GSM encryption to poor application development, and everything in between. What are the risks? Are there solutions?
https://codebits.eu/intra/s/session/219
2. About us

Pedro Cabrita <pfcabrita@gmail.com>
• Principal Consultant and Partner @ BiAHEAD;
• Working in Information Security for the past 11 years;
• In a past life, Security Operations Manager and Senior Infosec Consultant @ a private telco;
• I do mainly PenTesting for a living (and have fun);
• CISSP-ISSMP, CISA, ISO27k1LA, ITILv3, …

Bruno Morisson <morisson@genhex.org> http://genhex.org/~mori/
• Infosec Consultant & Partner @ INTEGRITY S.A.;
• Working in infosec for over 12 years;
• About 10 years working @ a financial institution;
• Did time as a developer (C/C++);
• Also: secure coding guidelines & reviews; reverse engineering; risk assessments; audits… and other security related stuff!
• MSc Information Security student @ Royal Holloway, University of London
• CISSP

• But life isn't all about security…
10. Thinking security…
• What can someone do with momentary physical access to my device?
• How secure is my information if my device is lost/stolen?
• What else can go wrong?
30. Bottom line…
• If someone has physical access to the device... GAME OVER!
• Turn on security features (encryption, authentication, remote wipe/lock)
• Choose an appropriate PIN
• Wash your hands frequently
• Don't connect it anywhere... except home!
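"Choose an appropriate PIN" is easy to say and hard to enforce. The check below is an added example, not code from the talk; the minimum length and the list of keypad lines are assumptions about what "appropriate" means. It rejects the PINs an attacker with the device in hand would try first: too short, a single repeated digit, an ABAB pattern, a digit sequence, a straight line on the phone keypad, or something that reads as a year or a date.

```python
"""Reject PINs that a guided guess would find first.

Added example (not from the original slides). MIN_LEN and _KEYPAD_LINES
are assumptions about what an 'appropriate' PIN looks like.
"""
from datetime import date

MIN_LEN = 6  # assumption: four digits fall to a short guess list far too often

# Straight lines on a phone keypad (rows, columns, diagonals); checked both ways.
_KEYPAD_LINES = {"123", "456", "789", "147", "258", "369", "159", "357",
                 "1470", "2580", "3690", "0741", "0852", "0963"}


def pin_weaknesses(pin: str) -> list[str]:
    """Return the reasons `pin` is weak; an empty list means it passes."""
    reasons = []
    if not pin.isdigit():
        return ["not all digits"]
    if len(pin) < MIN_LEN:
        reasons.append("too short")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    # ABAB... (period-2) pattern such as 1212 or 131313
    if len(pin) >= 4 and pin[0] != pin[1] and pin == (pin[:2] * len(pin))[:len(pin)]:
        reasons.append("repeating pair")
    # Every step +1 or every step -1 across the whole PIN: 1234, 9876, ...
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        reasons.append("digit sequence")
    if pin in _KEYPAD_LINES or pin[::-1] in _KEYPAD_LINES:
        reasons.append("keypad pattern")
    # Four-digit PINs are often a birth year or a MMDD/DDMM date
    if len(pin) == 4:
        if 1900 <= int(pin) <= date.today().year:
            reasons.append("looks like a year")
        mm, dd = int(pin[:2]), int(pin[2:])
        if (1 <= mm <= 12 and 1 <= dd <= 31) or (1 <= dd <= 12 and 1 <= mm <= 31):
            reasons.append("looks like a date")
    return reasons


def is_acceptable_pin(pin: str) -> bool:
    """True when the PIN policy finds nothing to object to."""
    return not pin_weaknesses(pin)


if __name__ == "__main__":
    # Constructed sample PINs, not data from the talk
    for candidate in ("1234", "2580", "1990", "000000", "121212", "483917"):
        print(candidate, pin_weaknesses(candidate) or "ok")
```

The rules are deliberately structural rather than a frequency list, so they cover six-digit PINs as well as four-digit ones. A policy like this is only half the control: the device still needs a lockout or escalating delay, otherwise even a good six-digit PIN is a million guesses away for whoever holds the hardware.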
61. Bottom line…
• Difficult (impossible?) to keep updated
• "Secret" features reveal private information
• Encourages uploading private information to the "cloud"
• Insecure default configurations
However, they do provide interesting security features
63. Thinking security…
• How do applications handle security?
• Do they store information securely?
• What information do they share?
• Are the markets/app stores safe?
64. OWASP Top 10 Mobile Risks, Release Candidate v1.0
• Insecure Data Storage
• Weak Server Side Controls
• Insufficient Transport Layer Protection
• Client Side Injection
• Poor Authorization and Authentication
• Improper Session Handling
• Security Decisions Via Untrusted Inputs
• Side Channel Data Leakage
• Broken Cryptography
• Sensitive Information Disclosure
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
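Two of the risks above, Insecure Data Storage and Broken Cryptography, usually show up together in the same file on the device. The following is an added example, not code from the talk or from OWASP: it models an app that keeps a local password verifier in a JSON "prefs" file (the layout and function names are assumptions) and contrasts three ways of doing it, so the reader can see exactly what ends up on disk in each case. A real app should first ask whether it needs to keep the secret at all, and should prefer the platform keychain/keystore when it does.

```python
"""Insecure Data Storage and Broken Cryptography, side by side.

Added example, not code from the original talk. File layout, names and
the iteration count are assumptions. Three local 'prefs' stores:
  1. plaintext password          (Insecure Data Storage)
  2. unsalted fast hash          (Broken Cryptography)
  3. salted PBKDF2 verifier in an owner-only file, constant-time compare
"""
import hashlib
import hmac
import json
import os
import secrets
import stat
import tempfile

# Assumption: kept low so the demo runs quickly; production should use far more.
PBKDF2_ITERATIONS = 100_000


def _write_json(path, record, mode=None):
    """Write `record` as JSON; with `mode`, the file is created with that mode."""
    if mode is None:
        with open(path, "w") as f:            # permissions left to the umask
            json.dump(record, f)
    else:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as f:         # owner-only from the moment it exists
            json.dump(record, f)


def _read_json(path):
    with open(path) as f:
        return json.load(f)


# --- 1. Insecure Data Storage: the secret itself is on disk -------------------
def save_plaintext(path, username, password):
    _write_json(path, {"user": username, "password": password})


# --- 2. Broken Cryptography: unsalted fast hash, precomputable and linkable ----
def save_unsalted_md5(path, username, password):
    _write_json(path, {"user": username,
                       "hash": hashlib.md5(password.encode()).hexdigest()})


# --- 3. Hardened: random salt, slow KDF, owner-only file, constant-time compare
def save_pbkdf2(path, username, password):
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    _write_json(path, {"user": username, "salt": salt.hex(),
                       "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()},
                mode=0o600)


def verify_pbkdf2(path, username, password):
    rec = _read_json(path)
    if rec["user"] != username:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(rec["salt"]), rec["iterations"])
    return hmac.compare_digest(digest.hex(), rec["hash"])


def file_contains(path, needle):
    """What someone holding the file sees: is the secret literally in it?"""
    with open(path, "rb") as f:
        return needle.encode() in f.read()


def run_demo():
    """Exercise all three stores on a constructed password; return the findings."""
    password = "correct horse"            # constructed sample input
    with tempfile.TemporaryDirectory() as d:
        p = lambda name: os.path.join(d, name)
        save_plaintext(p("plain.json"), "alice", password)
        save_unsalted_md5(p("md5.json"), "alice", password)
        save_pbkdf2(p("kdf_alice.json"), "alice", password)
        save_pbkdf2(p("kdf_bob.json"), "bob", password)   # same password, other user
        return {
            "plaintext_on_disk": file_contains(p("plain.json"), password),
            # Unsalted MD5 of a password is the same everywhere: one lookup table
            # recovers it, and equal hashes expose users who share a password.
            "md5_precomputable": _read_json(p("md5.json"))["hash"]
                                  == hashlib.md5(password.encode()).hexdigest(),
            "pbkdf2_accepts_correct": verify_pbkdf2(p("kdf_alice.json"), "alice", password),
            "pbkdf2_accepts_wrong": verify_pbkdf2(p("kdf_alice.json"), "alice", password + "!"),
            "pbkdf2_accepts_other_user": verify_pbkdf2(p("kdf_alice.json"), "bob", password),
            "pbkdf2_password_hidden": not file_contains(p("kdf_alice.json"), password),
            "pbkdf2_unlinkable": _read_json(p("kdf_alice.json"))["hash"]
                                  != _read_json(p("kdf_bob.json"))["hash"],
            "pbkdf2_owner_only": stat.S_IMODE(os.stat(p("kdf_alice.json")).st_mode) == 0o600,
        }


if __name__ == "__main__":
    for finding, value in run_demo().items():
        print(f"{finding:28s} {value}")
```

On a real handset the file mode matters less than on a desktop (a rooted device or a backup extraction reads everything), which is why the hardened variant stores only a verifier: whoever copies the file still has to run the KDF per guess, and the per-user salt means two users with the same password cannot be linked.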
83. Bottom line…
• Apps are leaking private information
• Information is not stored securely
• Apps have security vulnerabilities
• Some include malware
• Android malware is on the rise
• Apps circumvent security features
• Validating apps is not enough
85. "Given a choice between dancing pigs and security, users will pick dancing pigs every time"
Gary McGraw and Edward Felten: Securing Java (John Wiley & Sons, 1999; ISBN 0-471-31952-X), Chapter one, Part seven
90. Wrap Up
• Users trust by default
• Apps still have room for improvement (security wise) :)
• Mobile devices are becoming a mainstream target for malware
• Hardware has longer longevity than the OS
• Lower layers are not helping
Mobile security is still in its infancy
91. Thanks! Q&A
Pedro Cabrita <pfcabrita@gmail.com>
Bruno Morisson <morisson@genhex.org>