InfoSec World 2014
Security Imperatives for iOS and Android
Session #A5
8 April 2014
8:30am
Clinton Mugge and Gary Bahadur
Symosis Security
Copyright 2014 RBS Citizens
Distributed by MIS Training Institute with permission of owner.
All rights reserved. Printed in the United States of America. No part of this publication may be reproduced,
photocopied, stored in a retrieval system, or transmitted by electronic, mechanical or any other means
without the prior written permission of MIS Training Institute and the respective owner of the copyright.
Trademarked product and company names mentioned in this publication are the property of their respective owners.
ISW14040714
MIS Training Institute Session A5 - Slide 3
© Symosis Security
Who are we?
• Clinton Mugge
  • Application and Network Security Provider
  • 20 years in InfoSec: security assessments, penetration testing, compliance & training, investigations, incident response
  • Free mobile app security / training evaluations
• Gary Bahadur
  • 20 years in InfoSec: compliance & training, security assessments, risk assessments
  • Author of "Securing the Clicks: Network Security in the Age of Social Media"
  • Free risk assessment software "Razient"
[Slide 4] Agenda
Introduction
iOS / Android Apps Top Risks
Countermeasures
[Slide 5] Audience Poll
• What mobile OS do you mostly use?
• How many of you are involved with mobile security, privacy, audits?
• Any mobile developers / architects?
• Does your employer have a mobile presence?
[Slide 6] There is an App for that!
[Slide 7] What do Attackers Want?
• Credentials: to your device and to external services (email, banking, etc.)
• Access to your device
• Use of your device (botnets, spamming); theft of trade secrets or other sensitive data
• Personal data: full name, SIN/SSN, address book data, location data
• Cardholder data: card numbers, expiration date, CVV
• Health data: prescription information, medical records, procedure summaries
• Corporate data: IP, design documents
[Slide 8] Security and Privacy Concerns
• Side Channel Data Leakage
• Insufficient Transport Layer Protection
• Weak Server Side Controls
• Insecure Data Storage
• Client Side Injection
• Poor Authorization and Authentication
• Improper Session Handling
• Security Decisions Via Untrusted Inputs
• Broken Cryptography
• Sensitive Information Disclosure
• Hardcoded Passwords/Keys
• Privacy Compliance
• Identity Exposure
• Activity Monitoring and Data Retrieval
• Unauthorized Dialing, SMS, and Payments
• Unauthorized Network Connectivity (data exfiltration or command & control)
• UI (User Interface) Impersonation
• System Modification (rootkit, APN proxy configuration)
• Mobile Malware
• Criminals Target and Infect App Stores
• Social Engineering
• Geolocation Compromise
• Security Regulatory Compliance
• Device Risk
• Application Management
• Installation of Unverified / Unsigned 3rd-Party Apps
[Slide 9] Agenda
Introduction
Mobile Apps Top Risks
1. Side Channel Leakage
2. Insecure Transport / Server Controls
3. Insecure Data Storage
4. Privacy
Countermeasures
[Slide 10] Side Channel Data Leakage (Risk 1)
Data leaks through platform defaults, third-party libraries, logging, etc.:
• Property list (plist) files
• Snapshots (the screenshot iOS takes of the app's screen when it is backgrounded)
• iOS logs
Sometimes the result of programming flaws
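The checks behind Demo 1, as an added example that is not part of the original deck: a Python script that walks an app container copied off the device (as with iExplorer) and reports the backgrounding snapshot image plus any plist key or value that carries a credential or an identifier. The sample container, file names and regular expressions are constructed for the example; the Library/Caches/Snapshots location and the PNG (iOS 6) / KTX (iOS 7 and later) formats are what iOS itself uses.

```python
"""Audit an iOS app container for two side channels: backgrounding snapshots
and property-list files that hold secrets. Sample container is constructed."""
import os
import plistlib
import re
import tempfile

# Key names that should never carry a value in a plist (case-insensitive).
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|secret|token|session|ssn|\bsin\b|\bpin\b", re.I)
# Values shaped like a US SSN (123-45-6789), Canadian SIN (123-456-789) or a card PAN.
SENSITIVE_VALUE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\b\d{3}-\d{3}-\d{3}\b|\b\d{13,16}\b")
# iOS 6 wrote the snapshot as PNG, iOS 7+ as KTX, both under Library/Caches/Snapshots.
SNAPSHOT_EXT = (".png", ".jpg", ".ktx")


def walk_plist(node, path=""):
    """Yield (key_path, value) for every leaf of a parsed plist, nested dicts included."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_plist(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_plist(value, f"{path}[{index}]")
    else:
        yield path, node


def audit_container(root):
    """Return findings as (category, relative_path, detail) tuples."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if "Snapshots" in rel.split(os.sep) and name.lower().endswith(SNAPSHOT_EXT):
                findings.append(("snapshot", rel, "screen image written by iOS on backgrounding"))
                continue
            if not name.endswith(".plist"):
                continue
            try:
                with open(full, "rb") as fh:
                    data = plistlib.load(fh)  # handles XML and binary plists
            except Exception as exc:
                findings.append(("plist-unreadable", rel, repr(exc)))
                continue
            for key_path, value in walk_plist(data):
                leaf = key_path.rsplit("/", 1)[-1]
                if SENSITIVE_KEY.search(leaf):
                    findings.append(("plist-key", rel, key_path))
                elif isinstance(value, str) and SENSITIVE_VALUE.search(value):
                    findings.append(("plist-value", rel, key_path))
    return findings


def build_sample_container():
    """Constructed stand-in for a tax app's container; returns its root path."""
    root = tempfile.mkdtemp(prefix="container-")
    snap_dir = os.path.join(root, "Library", "Caches", "Snapshots", "com.example.taxapp")
    os.makedirs(snap_dir)
    with open(os.path.join(snap_dir, "UIApplicationAutomaticSnapshotDefault-Portrait.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n")  # header only; on a device this is the full screen image
    prefs = os.path.join(root, "Library", "Preferences")
    os.makedirs(prefs)
    with open(os.path.join(prefs, "com.example.taxapp.plist"), "wb") as fh:
        plistlib.dump({"username": "alice", "password": "hunter2",
                       "profile": {"ssn": "123-45-6789", "spouse_id": "987-65-4321"}},
                      fh, fmt=plistlib.FMT_BINARY)
    with open(os.path.join(prefs, "benign.plist"), "wb") as fh:
        plistlib.dump({"theme": "dark", "lastTab": 2}, fh)
    return root


if __name__ == "__main__":
    for category, rel, detail in sorted(audit_container(build_sample_container())):
        print(f"{category:16} {rel}  {detail}")
```

Point it at a real container with audit_container("/path/to/extracted/app") and review every snapshot image by eye; the script can only tell you the file exists, not whether the screen it captured showed tax data.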
[Slide 11] Demo 1: Snapshot File
Tools: iExplorer, Reflection
Devices: iPhone 5 (iOS 6, latest version), iPhone 4 (iOS 5)
Snapshots:
• TaxAct Mobile
• TaxSlayer
[Slide 12] TaxAct Mobile Security Hole: Snapshot
[Slide 13] TaxSlayer Mobile Security Hole: Snapshot
[Slide 14] TaxAct Response
[Slide 16] LinkedIn Plist Identity Theft
[Slide 17] Agenda
Introduction
Mobile Apps Top Risks
1. Side Channel Leakage
2. Insecure Transport / Server Controls
3. Insecure Data Storage
4. Privacy
Countermeasures
[Slide 18] Insecure Transport / Server Controls (Risk 2)
Failing to encrypt network traffic that carries sensitive data
Insecure server-side controls (web, application and backend API) can lead to compromise
[Slide 19] Demo 2: Insecure Transport
Tools: MITM proxy, Reflection; app under test: Flixster
Insecure transport of user ID, movie browsing, home area, purchase intent
[Slide 20] Credentials Sent over HTTP (iOS App)
[Slide 21] Unencrypted Cookies over HTTP (Instagram iOS App)
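What a MITM proxy shows in Demo 2 and on slides 20 and 21, as an added example that is not part of the original deck: a Python classifier over raw HTTP requests that flags passwords, bearer tokens, Basic auth and session cookies sent without TLS. The captures and hostnames are constructed placeholders, and the credential field-name list is an assumption a tester would tune per app.

```python
"""Flag credentials and session cookies that a mobile app sends in the clear.
Works on raw HTTP/1.x requests as an intercepting proxy records them."""
import re
from urllib.parse import parse_qs, urlsplit

# Form / query field names (or suffixes) that carry a credential or bearer secret.
CRED_FIELD = re.compile(r"(^|_)(pass(word|wd)?|pwd|pin|secret|token|api_?key)$", re.I)


def parse_request(raw):
    """Split a raw request into (method, target, headers, body); header names lower-cased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.decode("latin-1")


def classify(raw, scheme=None):
    """Return (finding, where) pairs for secrets sent without TLS.

    A proxy sees plain HTTP as absolute-form requests (GET http://host/path) and
    HTTPS only as a CONNECT tunnel, so the request line tells the scheme. For a
    capture that has only a path (bare socket, or TLS already stripped by the
    proxy), pass the scheme explicitly."""
    method, target, headers, body = parse_request(raw)
    if method == "CONNECT":
        return []  # tunnelled TLS payload is not readable here
    parts = urlsplit(target)
    scheme = scheme or parts.scheme or "http"
    host = headers.get("host", parts.netloc)
    if scheme == "https":
        return []
    findings = []
    if headers.get("authorization", "").lower().startswith("basic "):
        findings.append(("basic-auth-cleartext", host))
    if "cookie" in headers:
        findings.append(("cookie-cleartext", host))  # session replayable by anyone on the path
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for field in parse_qs(body, keep_blank_values=True):
            if CRED_FIELD.search(field):
                findings.append(("credential-cleartext", f"{host} body field {field}"))
    for field in parse_qs(parts.query, keep_blank_values=True):
        if CRED_FIELD.search(field):
            findings.append(("credential-cleartext", f"{host} query field {field}"))
    return findings


# Constructed captures: a login form and a feed request over plain HTTP, the same
# feed request after the app moved to HTTPS, and a CONNECT tunnel.
LOGIN_HTTP = (b"POST http://api.movies.example/v1/login HTTP/1.1\r\n"
              b"Host: api.movies.example\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"Content-Length: 31\r\n\r\n"
              b"username=alice&password=hunter2")
FEED_HTTP = (b"GET http://feed.photos.example/timeline?device_token=abc123 HTTP/1.1\r\n"
             b"Host: feed.photos.example\r\n"
             b"Cookie: sessionid=4f2c9e0b; ds_user_id=1234\r\n\r\n")
FEED_HTTPS = FEED_HTTP.replace(b"http://", b"https://")
TUNNEL = b"CONNECT api.bank.example:443 HTTP/1.1\r\nHost: api.bank.example:443\r\n\r\n"


def audit(captures):
    """Run classify over many captures; returns a flat, sorted list of findings."""
    return sorted(f for raw in captures for f in classify(raw))


if __name__ == "__main__":
    for finding, where in audit([LOGIN_HTTP, FEED_HTTP, FEED_HTTPS, TUNNEL]):
        print(f"{finding:22} {where}")
```

The HTTPS copy of the feed request produces no finding only because the transport is encrypted; a tester who has installed the proxy's CA on the device will see that request decrypted and should then check certificate validation separately.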
[Slide 22] TOC
Mobile Platform Risks
Mobile Apps Top Risks
1. Side Channel Leakage
2. Insecure Transport / Server Controls
3. Insecure Data Storage
4. Privacy
Countermeasures
[Slide 23] Insecure Data Storage (Risk 3)
Locally stored data of both native and browser-based apps, including:
• SQLite databases
• Sensitive files
• Cache files
[Slide 24] Demo 3: Local Files
Tools: iExplorer, Reflection
SQLite files: Runtastic, TaxSlayer, TaxAct, Jackson Hewitt
Flat files: Jackson Hewitt
[Slide 25] Cached Credentials and Tax Data in the Clear
[Slide 26] Jackson Hewitt Tax Documents in the Clear
[Slide 27] Jackson Hewitt Responses
[Slide 28] Unencrypted Cache with Master Password in Keeper
[Slide 29] TOC
Mobile Platform Risks
Mobile Apps Top Risks
1. Side Channel Leakage
2. Insecure Transport / Server Controls
3. Insecure Data Storage
4. Privacy
Countermeasures
[Slide 30] Privacy (Risk 4)
[Slide 31] Privacy Threat & Impact
• UDID, MAC address, device ID
• Location tracking
• Usage tracking: Google, Flurry, Mobclix
• Contacts access & sharing
• Shares / uploads phone number
• 3rd-party connections: Facebook, Twitter
[Slide 32] Path uploads your entire iPhone address book to its servers
[Slide 33] WhatsApp sends messages unencrypted over HTTP
[Slide 34] LinkedIn transmits confidential info insecurely
[Slide 35] Agenda
Introduction
Mobile Apps Top Risks
Countermeasures
1. Disable side channel data leakage
2. Use HTTPS and secure iOS methods
3. Secure data storage
4. Privacy
[Slide 36] Side Channel Data Leakage
Start by identifying all potential side channel data, which includes:
• Plist files: ensure no sensitive data is written to them
• Disable snapshots (cover or blank sensitive views before the app is backgrounded, since iOS captures whatever is on screen)
• Disable system / keystroke logs
• Disable web caches
• Disable cut-and-paste buffers
• Clean up Core Data
Do not store sensitive data (e.g., credentials, tokens, PII) in property list files. Use the iOS Keychain.
[Slide 37] Encrypt Sensitive Data
Data Protection API: set the NSFileProtectionKey attribute on a file (e.g., NSFileProtectionComplete) so it is encrypted with a key derived from the device passcode and unreadable while the device is locked
Keychain: sensitive data such as passwords and keys belongs in the Keychain, not in insecure locations like plist files
CCCrypt (iOS CommonCrypto) and javax.crypto.* (Android): provide access to AES, DES and 3DES; use AES, as DES and 3DES are obsolete
SQLCipher (iOS & Android): transparent 256-bit AES encryption of database files
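The check behind Demo 3 and the Keeper finding, together with the verification a reviewer wants once SQLCipher is adopted, as an added example that is not part of the original deck: a Python script that opens every SQLite file in a container, flags sensitive column names and values, and tells an encrypted database from a plaintext one by its first 16 bytes (a plaintext SQLite file always starts with "SQLite format 3\0"; SQLCipher replaces that header with a random salt and encrypts every page). The sample databases are constructed; the "encrypted" file only mimics the missing header and was not produced by SQLCipher.

```python
"""Audit SQLite databases from an app container for plaintext secrets and
check whether each database is actually encrypted at rest."""
import os
import re
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every plaintext SQLite file
SENSITIVE_COLUMN = re.compile(r"pass(word|wd)?|secret|token|session|ssn|\bsin\b|card|cvv|\bpin\b", re.I)
SENSITIVE_VALUE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\b\d{3}-\d{3}-\d{3}\b|\b\d{13,16}\b")
DB_EXT = (".db", ".sqlite", ".sqlite3")


def is_plaintext_sqlite(path):
    """True if the file carries the SQLite header, i.e. it is not encrypted.
    An encrypted (SQLCipher) database fails this check and sqlite3 cannot open it."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC


def audit_database(path):
    """Return a sorted list of (table, column, reason) for a plaintext database."""
    if not is_plaintext_sqlite(path):
        return []
    conn = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    findings = set()
    try:
        tables = [row[0] for row in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            columns = [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')]
            for column in columns:
                if SENSITIVE_COLUMN.search(column):
                    findings.add((table, column, "sensitive column name"))
            for row in conn.execute(f'SELECT * FROM "{table}" LIMIT 500'):
                for column, value in zip(columns, row):
                    if isinstance(value, str) and SENSITIVE_VALUE.search(value):
                        findings.add((table, column, "value looks like SSN/SIN or card number"))
    finally:
        conn.close()
    return sorted(findings)


def audit_databases(root):
    """Map each database under root to its findings, or to 'encrypted' when unreadable."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(DB_EXT):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root)
                report[rel] = audit_database(full) if is_plaintext_sqlite(full) else "encrypted"
    return report


def build_sample_container():
    """Constructed stand-in: one plaintext cache database, one SQLCipher-style file."""
    root = tempfile.mkdtemp(prefix="container-")
    cache = os.path.join(root, "Library", "Caches")
    os.makedirs(cache)
    conn = sqlite3.connect(os.path.join(cache, "cache.db"))
    with conn:
        conn.execute("CREATE TABLE credentials (username TEXT, password TEXT, auth_token TEXT)")
        conn.execute("INSERT INTO credentials VALUES ('alice', 'hunter2', 'tok-8c1f0e')")
        conn.execute("CREATE TABLE tax_returns (tax_year INTEGER, taxpayer_id TEXT, refund TEXT)")
        conn.execute("INSERT INTO tax_returns VALUES (2013, '123-45-6789', '1,234.00')")
    conn.close()
    # Mimics only the on-disk property that matters here: no SQLite header, opaque bytes.
    with open(os.path.join(cache, "vault.db"), "wb") as fh:
        fh.write(os.urandom(4096))
    return root


if __name__ == "__main__":
    for rel, result in sorted(audit_databases(build_sample_container()).items()):
        print(rel, result)
```

A database that passes the header check can still leak: the key SQLCipher needs must not sit in a plist or hardcoded string next to it, which is the Keychain point from the slide above.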
[Slide 38] Strategic Recommendations
• Establish a common set of security requirements; perform periodic security scans and audits
• Invest in security education for all stakeholders
• Perform server-side data validation and canonicalization
• Define and deploy a secure configuration
• Do not log credentials, PII or other sensitive data
• Design and implement all apps under the assumption that the user's device will be lost or stolen
• Review all third-party libraries before use
[Slide 39] Please remember to fill out the session evaluations. Thank you!
