The document discusses mobile app security and how to build trust between apps and users. It notes that thousands of apps are released daily and top apps need user trust. However, some apps request unnecessary permissions that could compromise user privacy or security. The document recommends following the OWASP Top 10 Mobile Risks guidelines to address common issues like insecure data storage, weak authentication, and unintended data leaks. Comprehensive mobile security requires strategies for governance, users/identity, applications, data, networks, and devices. Example use cases are also discussed.
2. 1000+ apps are released on Google Play and the App Store every day! The most popular ones are downloaded 75 000 times a day. There are many success factors that must be met for your app to be successful, and one of these is trust.
4. The top 10 downloaded apps* with more than 100 million downloads all rely on users to trust them and the services they offer.
*in Google Play according to Wikipedia 26.10.2014
13. Scandinavian teenagers' favorite picture-sharing app has a not-so-appealing feature…
• The app's goal is to meet users' need to communicate instant photos and videos without the fear that a post or picture will be held against them in the future.
There are many success factors that must be met, and one important factor is trust.
Your app's users must trust that your app delivers what it says and that it keeps them in control of their data.
What are the main security risks that you should be aware of, and how can these be reduced?
Common to all top categories and to apps that succeed in the market is that they preserve trust.
For example: who would talk to friends over Skype, WhatsApp or Facebook Messenger if everyone else could listen in?
What if the emails in your Gmail app could be read by anyone, or what if Angry Birds could send SMS banking messages on your behalf?
Example – capturing packets with Burp Suite
Extract the .apk, analyze it and rebuild it
Authentication and authorization (AuthN and AuthZ)
Lack of binary protection
Weak server-side controls
Broken cryptography
Insecure data storage
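The "extract the .apk, analyze it" step usually starts with the decoded AndroidManifest.xml, which already shows which of the risk areas listed above an app touches: permissions it requests, whether its data can be backed up or debugged, whether it permits cleartext traffic, and which components other apps can reach. The script below is an added example and is not code from the slides or from any app they mention. It audits a decoded manifest (the plain XML apktool produces) and reports one finding per risk area; the two manifests, the package name com.example.photoshare and the list of "unexpected" permissions are constructed for illustration, the attribute names are real Android manifest attributes.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name):
    """Qualified key for an android: attribute as ElementTree exposes it."""
    return f"{{{ANDROID_NS}}}{name}"


# Permissions a picture-sharing app has no obvious need for. Constructed
# for this example from Android's "dangerous" permission group; adjust per app.
UNEXPECTED_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
}

# Non-UI components that should not be reachable from other apps without a
# permission guard. Activities are left out: a launcher activity is exported by design.
IPC_COMPONENTS = {"service", "receiver", "provider"}


def audit_manifest(xml_text):
    """Return (risk_area, detail) findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []

    for perm in root.iter("uses-permission"):
        name = perm.get(attr("name"), "")
        if name in UNEXPECTED_PERMISSIONS:
            findings.append(("permissions", f"requests {name}"))

    app = root.find("application")
    if app is None:
        return findings

    # allowBackup defaults to true when the attribute is absent, so treat absence as true.
    if app.get(attr("allowBackup"), "true") == "true":
        findings.append(("insecure-storage",
                         "allowBackup=true: app data can be copied off the device via adb backup"))
    if app.get(attr("debuggable")) == "true":
        findings.append(("binary-protection",
                         "debuggable=true: a debugger can attach to the shipped build"))
    if app.get(attr("usesCleartextTraffic")) == "true":
        findings.append(("transport",
                         "usesCleartextTraffic=true: plain HTTP allowed, trivially intercepted by a proxy"))

    for comp in app.iter():
        if (comp.tag in IPC_COMPONENTS and comp.get(attr("exported")) == "true"
                and not comp.get(attr("permission"))):
            findings.append(("authz",
                             f"{comp.tag} {comp.get(attr('name'))} exported without a permission"))

    return findings


# Constructed sample: a weak manifest for a hypothetical photo-sharing app.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photoshare">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:allowBackup="true" android:debuggable="true"
      android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <service android:name=".UploadService" android:exported="true"/>
    <receiver android:name=".SmsReceiver" android:exported="true"
        android:permission="android.permission.BROADCAST_SMS"/>
  </application>
</manifest>
"""

# Constructed sample: the same app with the settings corrected.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photoshare">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:allowBackup="false" android:usesCleartextTraffic="false">
    <activity android:name=".MainActivity" android:exported="true"/>
    <service android:name=".UploadService" android:exported="false"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(f"== {label} manifest ==")
        for area, detail in audit_manifest(manifest) or [("ok", "no findings")]:
            print(f"[{area}] {detail}")
```

Run it on the output directory of `apktool d app.apk` by reading AndroidManifest.xml into `audit_manifest`; the weak sample yields six findings across four risk areas, the hardened one none. The check is deliberately manifest-only: server-side weaknesses and broken cryptography only show up when you read the code and intercept the traffic, which is what the Burp Suite step is for.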
Mobile security has more or less the same aspects as traditional IT security. With that being said, a lot of decisions need to be made. The enterprise needs to define the level of services being provided, how to support the end user, and how to manage risk. All considerations point to having a mobile security strategy in place – even if it is a complete ban! Though this is an extreme case, a strategy that accounts for supporting the business securely is CRITICAL for success. As we start to think about a mobile security strategy, there are 6 main categories to consider: Governance, Users & Identity, Applications, Data, Network, and Devices:
Governance:
What are the policies that will drive the usage of mobile technologies?
What services do you want/not want to provide?
How will you monitor usage and to what level?
Which devices/technologies will you allow/not allow?
Training programs and communication
Users & Identity:
What users/groups will have access to what?
How will you get the right people the appropriate content to do their tasks?
Applications:
Applications can be looked at in a few ways:
Development: In-house enterprise applications or for commercial consumption will require a full set of secure SDLC services (development, source code review, vulnerability scanning, etc.)
Deployment: An enterprise wants to control the deployment of applications through their own application store
Data:
Introducing mobile technologies opens up additional concerns. For example:
Does this change my data classifications?
How can I ensure secure communications to this data?
Personal devices introduce personal data to the environment. How will I protect it?
Will functionality of devices have to be limited? Cloud apps, Dropbox?
Network:
Network is a critical component and the introduction of mobile devices adds additional components that may not have been planned for in the initial design of the infrastructure.
Can my network handle the load?
How will I support remote access securely?
How will I monitor the environment, traffic/usage patterns, forensics?
Devices:
Managed or unmanaged?
What platforms and devices are supported?
How should these devices be hardened/secured (Antivirus, etc.)?
How will I handle a lost or stolen device to ensure security?