Mobile Security

Xavier Mertens
ISC2 Secure Amsterdam - Apr 2013

$ cat disclaimer.txt

“The opinions expressed in this presentation are
those of the speaker and do not necessarily
reflect those of past, present employers,
partners or customers.”

$ whoami
• Xavier Mertens
• Independent Security Consultant
• Security Blogger (blog.rootshell.be)
• Giving spare time for security projects

Agenda
• There is an App for that
• Risks inherent in mobile devices
• Employee owned device (BYOD)
• Mobile applications development
• Enterprise AppStores

“There is an App for that!”

Once Upon A Time...

What if...

Reality...

Today...
The “Apps Storm”
• 550,000 apps available on the Apple AppStore
• 45,455 downloads per app (average)
• 315 million iOS devices in use
• 80 apps installed per iOS device (average)

(Source: thenextweb.com)
Android Jungle
A sample of Android app marketplaces (shown as a word cloud on the slide):
Google Play, Android Pit, AppsLib, GetJar, Appbackr, SlideMe, Samsung Apps, 1Mobile, Cnet, LG Mobile, Camangi Market, Appia, MVStore, Vodafone, Verizon Wireless, Mobile24, Amazon Appstore, Mobango, Extent, Mobireach, Nook Developer, Android Freeware, Blue Via, Handster, FastApp
What’s This?

Risks Inherent In Mobile Devices

Ooops!

The Mobile Landscape

Apps Permissions
Rogue App Stores
• Device owners tend to install any app
• Social engineering works!
• Some apps request far more permissions than they need
• People trust app stores and developers
• Developers must write good code

Fake Apps
• Take a popular app
• Add malicious behavior
• Repack & republish
• Wait & enjoy!
QR Codes
(Will you scan this code?)

Geolocation

NFC

Home & Cars
Employee Owned Devices

Why Do People BYOD?
• Devices became cheaper and more powerful
• The “Generation Y”
• Always online, everywhere!
• Company devices are sometimes old-fashioned
First Question?
• Are you ready to accept personal devices on your network?
• It’s a question of ... risk!
• Examples:
  • Data loss
  • Network intrusion
  • Data exfiltration

“MDM”?
• Do you need an MDM solution? (Mobile Device Management)
• Microsoft Exchange includes ActiveSync for free
• Most security $VENDORS offer (basic) tools to handle mobile devices
MDM & Security
• MDM solutions are connected to an existing infrastructure
• Integration is the key
• Review requirements (Is it normal to allow full LDAP access to your AD?)

Minimum Requirements
• Automatic lock + password
• No jailbroken devices
• Remote wipe
• Backups (who’s responsible?)

Data Classification
• Another approach is implementing data classification
• Implements the “least privilege” principle
• Access to data is based on profiles
• Works with any device! (a benefit broader than the scope of mobile devices)
Locations
• Access to data has a direct relation with the user/device location
• Three situations:

  Situation        Source                   Risk
  Local access     LAN, corporate Wi-Fi     Low
  Remote access    VPN / SSL VPN            Medium
  Remote access    Wild                     High

Data Classification
Access matrix by data classification, device ownership and location:

  Data                  Company owned devices            Personal devices
  classification        Local   Remote   Remote (Wild)   Local   Remote   Remote (Wild)
  Top-Secret            No      No       No              No      No       No
  Highly Confidential   Yes     No       No              No      No       No
  Proprietary           Yes     Yes      No              Yes     No       No
  Internal Use Only     Yes     Yes      No              Yes     Yes      No
  Public                Yes     Yes      Yes             Yes     Yes      Yes
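As an added example (not code from the deck or the speaker), the matrix above turned into a server-side policy check in Python: the request's source address is mapped onto the three situations of the Locations slide, the device ownership flag selects the company-owned or personal column group, and the classification row gives the decision. The network ranges, user names and the "no-label" data class are constructed assumptions; the five classifications and their Yes/No cells are the slide's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict

# The slide's access matrix. For each classification: two tuples, one for company-owned
# devices and one for personal devices, each ordered (local, remote, remote-wild).
ACCESS_MATRIX = {
    "Top-Secret":          ((False, False, False), (False, False, False)),
    "Highly Confidential": ((True,  False, False), (False, False, False)),
    "Proprietary":         ((True,  True,  False), (True,  False, False)),
    "Internal Use Only":   ((True,  True,  False), (True,  True,  False)),
    "Public":              ((True,  True,  True),  (True,  True,  True)),
}
LOCATION_INDEX = {"local": 0, "remote": 1, "wild": 2}

# Constructed address ranges (assumptions for this example, not from the slides):
# the corporate LAN / Wi-Fi, and the pool the VPN concentrator assigns to remote users.
LOCAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.10.0/24")]
VPN_NETWORKS = [ipaddress.ip_network("172.16.100.0/22")]


def classify_location(client_ip: str) -> str:
    """Map a request's source address onto the three situations of the Locations slide."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in LOCAL_NETWORKS):
        return "local"    # LAN / corporate Wi-Fi: low risk
    if any(addr in net for net in VPN_NETWORKS):
        return "remote"   # VPN / SSL VPN: medium risk
    return "wild"         # any other network: high risk


@dataclass
class AccessRequest:
    user: str
    client_ip: str
    company_owned: bool    # in practice taken from the MDM enrolment record, never from the client
    classification: str    # label attached to the data being requested


def decide(req: AccessRequest) -> Dict[str, object]:
    """Apply the matrix and return the decision with the facts it rests on (audit log material)."""
    location = classify_location(req.client_ip)
    if req.classification in ACCESS_MATRIX:
        row = ACCESS_MATRIX[req.classification][0 if req.company_owned else 1]
        allowed = row[LOCATION_INDEX[location]]
    else:
        allowed = False    # unlabelled data: fail closed rather than guess a class
    return {"user": req.user, "classification": req.classification,
            "company_owned": req.company_owned, "location": location, "allowed": allowed}


if __name__ == "__main__":
    # Constructed sample requests touching each row of the matrix.
    samples = [
        AccessRequest("alice", "10.1.2.3", True, "Highly Confidential"),      # LAN, company device
        AccessRequest("alice", "172.16.101.5", True, "Highly Confidential"),  # VPN, company device
        AccessRequest("bob", "192.168.10.7", False, "Proprietary"),           # LAN, personal device
        AccessRequest("bob", "203.0.113.9", False, "Internal Use Only"),      # hotel Wi-Fi, personal
        AccessRequest("bob", "203.0.113.9", False, "Public"),
        AccessRequest("carol", "10.9.9.9", True, "no-label"),
    ]
    for s in samples:
        d = decide(s)
        print(f"{d['user']:6} {d['classification']:20} owned={d['company_owned']!s:5} "
              f"{d['location']:7} -> {'ALLOW' if d['allowed'] else 'DENY'}")
```

The decision is returned together with the location and ownership facts so that the same record can be written to the audit trail; data without a recognised label is denied rather than mapped to a guessed class.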
Mobile Application Development

Top-10 Mobile Risks
• Insecure data storage
• Weak server side controls
• Insufficient transport layer protection
• Client side injection
• Poor authentication & authorization
• Improper session handling
• Security decisions via untrusted input
• Side channel data leakage
• Broken cryptography
• Sensitive information disclosure
(Source: OWASP)

OWASP Mobile Security Project
• Mobile testing guide
• Secure mobile development guide
• Top-10 mobile controls and design principles
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
Types of Applications
• Browser based (m.company.com)
  • Common web vulnerabilities apply
• Installed application
  • Storage of data
  • Communications
  • Authentication / session management

Use of Environment
• Access
  • 3G/GPRS/Edge
  • Wi-Fi
• Hardware
  • NFC, Bluetooth
  • GPS
  • Camera / Mic
  • Sensors
  • USB

Lack of / Bad Crypto
• Data must be encrypted (data at rest, data in transit)
• Do not re-invent the wheel. Writing a crypto algorithm is not easy. Use existing libs
Local vs. Remote Storage

  Storage   Pros                              Cons
  Local     No network costs, speed           Risk of loss, outdated data
  Central   Always updated, no risk of loss   Data network ($), speed

Geolocation
• Again! But this time for good purposes
• Do not allow some actions or apps (ex: opening a wallet) if GPS data shows the phone outside Europe
• Combine with passwords for stronger authentication/authorization

Security Assessment
• Static analysis
• Network capture (MitM)
• Smartphone Pentest Framework (*)

(*) http://www.bulbsecurity.com/smartphone-pentest-framework/
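A worked example for the static-analysis step, which also illustrates the "apps request far more permissions than they need" point of the Apps Permissions and Rogue App Stores slides: a small Python reviewer that reads an Android manifest, lists the requested permissions and flags the ones the app's stated purpose does not justify. This is added code, not part of the deck or of the Smartphone Pentest Framework; the manifest, the package name and the list of sensitive permissions are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest of a hypothetical flashlight app (sample input, not a real package).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Flashlight"/>
</manifest>
"""

# Permissions that reach personal data or can cost the user money. A request for one of
# these that the app's stated purpose does not explain is a red flag on its own.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "reads the address book",
    "android.permission.READ_SMS": "reads text messages",
    "android.permission.SEND_SMS": "can send (premium-rate) SMS",
    "android.permission.RECORD_AUDIO": "can record from the microphone",
    "android.permission.ACCESS_FINE_LOCATION": "tracks the precise location",
    "android.permission.READ_PHONE_STATE": "exposes device identifiers",
}


def requested_permissions(manifest_xml: str) -> List[str]:
    """Collect every <uses-permission android:name=...> declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]


def review(manifest_xml: str, expected: Set[str]) -> Dict[str, object]:
    """Compare what the app asks for with what its stated purpose needs.

    expected: the permissions the reviewer accepts for this app's function.
    Verdict: REJECT if an unexplained sensitive permission is requested, REVIEW if only
    harmless extras are requested, ACCEPT if nothing beyond the expected set is asked for.
    """
    root = ET.fromstring(manifest_xml)
    requested = set(requested_permissions(manifest_xml))
    excess = requested - expected
    sensitive_excess = {p: SENSITIVE_PERMISSIONS[p] for p in sorted(excess)
                        if p in SENSITIVE_PERMISSIONS}
    if sensitive_excess:
        verdict = "REJECT"
    elif excess:
        verdict = "REVIEW"
    else:
        verdict = "ACCEPT"
    return {"package": root.get("package"), "requested": sorted(requested),
            "excess": sorted(excess), "sensitive_excess": sensitive_excess, "verdict": verdict}


if __name__ == "__main__":
    # A flashlight only needs the camera (flash) permission; everything else is over-privilege.
    result = review(SAMPLE_MANIFEST, {"android.permission.CAMERA"})
    print(result["package"], "->", result["verdict"])
    for perm, why in result["sensitive_excess"].items():
        print(f"  {perm}: {why}")
```

The same check fits an enterprise app store intake process: the submitter declares the purpose (and therefore the expected permission set), and the manifest is compared against it before the app is published.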
Best Practices
• Do not hardcode data; store only the minimum required
• Do not use memory cards for sensitive data
• Encrypt again & again (BASE64 != Crypto)
• Protect the central server (!)
• Sanitize user inputs
• Provide correct authentication (UDID != auth)
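An added example (not the speaker's code) that puts three of the points above side by side in Python: base64 "protection" that anyone can reverse and a UDID-only login, followed by a server that verifies passwords against a salted PBKDF2 hash, issues short-lived random session tokens, and applies the Geolocation slide's rule that the wallet only opens for a valid session from a device located inside Europe. The user names, coordinates and the bounding box standing in for "Europe" are constructed assumptions, and the session store is kept in memory for the example.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# ---------- The weak patterns the slides warn about ----------

def obfuscate_with_base64(secret: str) -> str:
    """BASE64 != Crypto: encoding needs no key, so it offers no confidentiality at all."""
    return base64.b64encode(secret.encode()).decode()


def recover_without_any_key(blob: str) -> str:
    """Whoever finds the blob (backup, memory card, proxy log) gets the secret back."""
    return base64.b64decode(blob).decode()


def udid_login(udid: str, enrolled_udids: set) -> bool:
    """UDID != auth: the device identifier is not a secret and proves nothing about the user."""
    return udid in enrolled_udids


# ---------- A server-side design that follows the slides' best practices ----------

PBKDF2_ITERATIONS = 200_000

# Constructed bounding box standing in for "inside Europe" (an assumption for this example;
# a production service would use a proper polygon or geo-IP lookup).
EUROPE_BOX = {"lat_min": 35.0, "lat_max": 71.0, "lon_min": -11.0, "lon_max": 40.0}


def inside_europe(lat: float, lon: float) -> bool:
    return (EUROPE_BOX["lat_min"] <= lat <= EUROPE_BOX["lat_max"]
            and EUROPE_BOX["lon_min"] <= lon <= EUROPE_BOX["lon_max"])


class AuthServer:
    """Password login, short-lived random session tokens, and a geofence on wallet access."""

    def __init__(self, token_ttl: int = 900):
        self.users = {}       # username -> (salt, PBKDF2 digest); the password itself is never stored
        self.sessions = {}    # opaque token -> (username, expiry timestamp)
        self.token_ttl = token_ttl

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self.users[username] = (salt, digest)

    def login(self, username: str, password: str, now: Optional[float] = None) -> Optional[str]:
        """Return a fresh session token on success, None otherwise."""
        record = self.users.get(username)
        if record is None:
            return None
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        if not hmac.compare_digest(candidate, digest):   # constant-time comparison
            return None
        token = secrets.token_urlsafe(32)                # unguessable, unrelated to any device id
        expiry = (now if now is not None else time.time()) + self.token_ttl
        self.sessions[token] = (username, expiry)
        return token

    def session_user(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Resolve a token to its user; expired tokens are dropped (proper session handling)."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        username, expiry = entry
        if (now if now is not None else time.time()) > expiry:
            del self.sessions[token]
            return None
        return username

    def authorize_wallet(self, token: str, lat: float, lon: float,
                         now: Optional[float] = None) -> str:
        """The slide's rule: open the wallet only for a valid session AND a device inside Europe."""
        user = self.session_user(token, now)
        if user is None:
            return "denied: no valid session"
        if not inside_europe(lat, lon):
            return "denied: outside Europe"
        return f"allowed for {user}"


def run_scenario() -> dict:
    """Constructed end-to-end walk-through; returns every outcome so it can be checked."""
    srv = AuthServer(token_ttl=60)
    srv.register("alice", "correct horse battery staple")
    tok = srv.login("alice", "correct horse battery staple", now=1000.0)
    return {
        "base64_recovered": recover_without_any_key(obfuscate_with_base64("api-key-123")),
        "udid_alone_accepted": udid_login("A1B2C3", {"A1B2C3"}),
        "wrong_password": srv.login("alice", "password1"),
        "unknown_user": srv.login("mallory", "anything"),
        "brussels": srv.authorize_wallet(tok, 50.85, 4.35, now=1030.0),
        "new_york": srv.authorize_wallet(tok, 40.71, -74.0, now=1030.0),
        "after_expiry": srv.authorize_wallet(tok, 50.85, 4.35, now=1100.0),
        "bogus_token": srv.authorize_wallet("not-a-token", 50.85, 4.35, now=1030.0),
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:20} -> {outcome}")
```

The first two functions exist only to show why the slide's two inequalities hold: the base64 blob yields its secret to anyone who reads it, and knowing a device identifier is enough to pass the UDID check. The hardened path ties access to something the user proves (the password), something the server controls (a random, expiring token) and something the device reports (its position), and it fails closed on every missing piece.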
Enterprise AppStores

Goal & Facts
• Distribute mobile apps through your own company-branded AppStore
• Reduce risks of rogue apps
• Help users find their way
• Only for “big” companies (only 10% have one)

Challenges
• Decide which apps to include
• Generic vs custom apps
• Support the users & their apps
• Licenses for commercial apps
Benefits

              Benefits                                   Constraints
  Users       Save time & effort, efficient selection    Limited offer
  Companies   Reduced risks                              Takes time/$$$

Conclusion
• Don’t look at the device itself
• Person → App
• Look at data and application (BYOD → BYOA)
• Perform security assessments of your apps

Thank You!
Xavier Mertens | xavier@truesec.be | @xme | https://www.truesec.be

 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vĂĄzquez
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 

KĂźrzlich hochgeladen (20)

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 

Mobile Apps Security

  • 1. Mobile Security
    Xavier Mertens
    ISC2 Secure Amsterdam - Apr 2013
  • 2. $ cat disclaimer.txt
    “The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”
  • 3. $ whoami
    • Xavier Mertens
    • Independent Security Consultant
    • Security Blogger (blog.rootshell.be)
    • Giving spare time for security projects
  • 4. Agenda
    • There is an App for that
    • Risks inherent in mobile devices
    • Employee owned device (BYOD)
    • Mobile applications development
    • Enterprise AppStores
  • 5. “There is an App for that!”
  • 6. Once Upon A Time...
  • 10. The “Apps Storm”
    • 550.000 apps available on the Apple AppStore
    • 45.455 downloads per app (average)
    • 315 million iOS devices in use
    • 80 apps installed per iOS device (average)
    (Source: thenextweb.com)
  • 11. Android Jungle
    Android Pit, Google Play, AppsLib, GetJar, Appbackr, SlideMe, Samsung Apps, 1Mobile, Cnet, LG Mobile, Camangi Market, Appia, MVStore, Vodafone, Verizon Wireless, Mobile24, Amazon Appstore, Mobango, Extent, Mobireach, Nook Developer, Android Freeware, Blue Via, Handster, FastApp
  • 14. Ooops!
  • 17. Rogue App Stores
    • Owners tend to install any apps
    • Social engineering works!
    • Some apps may require many more rights than required
    • People trust app stores and developers
    • Developers must write good code
  • 18. Fake Apps
    • Take a popular app
    • Add malicious behavior
    • Repack & republish
    • Wait & enjoy!
  • 19. QR Codes (Will you scan this code?)
  • 21. NFC
  • 24. Why Do People BYOD?
    • Devices became cheaper and more powerful
    • The “Generation Y”
    • Always online, everywhere!
    • Company devices are sometimes old-fashioned
  • 25. First Question?
    • Are you ready to accept personal devices on your network?
    • It’s a question of ... risk!
    • Examples:
      • Data loss
      • Network intrusion
      • Data exfiltration
  • 26. “MDM”?
    • Do you need an MDM solution? (Mobile Device Management)
    • Microsoft Exchange includes ActiveSync for free
    • Most security $VENDORS propose (basic) tools to handle mobile devices
  • 27. MDM & Security
    • MDM solutions are connected to an existing infrastructure
    • Integration is the key
    • Review requirements (Is it normal to allow full LDAP access to your AD?)
  • 28. Minimum Requirements
    • Automatic lock + password
    • No jailbroken devices
    • Remote wipe
    • Backups (who’s responsible?)
  • 29. Data Classification
    • Another approach is implementing data classification
    • Implementation of the “least privileges” principle
    • Access to data is based on profiles
    • Works with any device! (benefit broader than the scope of mobile devices)
  • 30. Locations
    • Access to data has a direct relation with the user/device location
    • Three situations:
                         Source                 Risk
        Local access     LAN, corporate Wi-Fi   Low
        Remote access    VPN / SSL VPN          Medium
        Remote access    Wild                   High
  • 31. Data Classification
        Data Classification   Company Owned Devices           Personal Devices
                              Local  Remote  Remote (Wild)    Local  Remote  Remote (Wild)
        Top-Secret            No     No      No               No     No      No
        Highly Confidential   Yes    No      No               No     No      No
        Proprietary           Yes    Yes     No               Yes    No      No
        Internal Use Only     Yes    Yes     No               Yes    Yes     No
        Public                Yes    Yes     Yes              Yes    Yes     Yes
  • 33. Top-10 Mobile Risks
    • Insecure data storage
    • Weak server side controls
    • Insufficient transport layer protection
    • Client side injection
    • Poor authentication & authorization
    • Improper session handling
    • Secure decision via untrusted input
    • Side channel data leakage
    • Broken cryptography
    • Sensitive information disclosure
    (Source: OWASP)
  • 34. OWASP Mobile Security Project
    • Mobile testing guide
    • Secure mobile development guide
    • Top-10 mobile controls and design principles
    https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
  • 35. Types of Applications
    • Browser based (m.company.com)
      • Common web vulnerabilities apply
    • Installed application
      • Storage of data
      • Communications
      • Authentication / session management
  • 36. Use of Environment
    • Access
      • 3G/GPRS/Edge
      • Wi-Fi
    • Hardware
      • NFC, Bluetooth
      • GPS
      • Camera / Mic
      • Sensors
      • USB
  • 37. Lack of / Bad Crypto
    • Data must be encrypted (data at rest, data in transit)
    • Do not re-invent the wheel. Writing a crypto algorithm is not easy. Use existing libs
  • 38. Local VS. Remote Storage
                  Pros                              Cons
        Local     No network costs, Speed           Risk of loss, Outdated
        Central   Always updated, No risk of loss   Data network ($), Speed
  • 39. Geolocalization
    • Again! But this time for good purposes
    • Do not allow some actions or apps (ex: opening a wallet) if GPS data shows the phone outside Europe
    • Combine with passwords for stronger authentication/authorization
  • 40. Security Assessment
    • Static analysis
    • Network capture (MitM)
    • Smartphone Pentest Framework(*)
    (*) http://www.bulbsecurity.com/smartphone-pentest-framework/
  • 41. Best Practices
    • Do not hardcode data, or store the minimum required
    • Do not use memory cards for sensitive data
    • Encrypt again & again (BASE64 != Crypto)
    • Protect the central server (!)
    • Sanitize user inputs
    • Provide correct auth (UDID != auth)
  • 43. Goal & Facts
    • Distribute mobile apps through your own company branded AppStore.
    • Reduce risks of rogue apps
    • Help the users to find their way
    • Only for “big” companies (only 10% have one)
  • 44. Challenges
    • Decide which apps to include
    • Generic vs custom apps
    • Support the users & their apps
    • Licenses for commercial apps
  • 45. Benefits
                    Benefits                                  Constraints
        Users       Same time & effort, Efficient selection   Limited offer
        Companies   Reduced risks                             Takes time/$$$
  • 46. Conclusion
    • Don’t look at the device itself (Person / App)
    • Look at data and application (BYOD / BYOA)
    • Perform security assessments of your apps
  • 47. Thank You! ?
    Xavier Mertens | xavier@truesec.be | @xme | https://www.truesec.be
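An added example, not from the deck, for the “BASE64 != Crypto” and “use existing libs” points above: the reversible encoding that passes for protection in some apps, beside the same value sealed with AES-256-GCM from Go's standard library. The 32-byte key and the token value are constructed for the demo; a real app would fetch the key from the platform keystore.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// Base64Obfuscate is the "protection" the slide warns about: base64 is an
// encoding, not encryption, so whoever reads the stored value reverses it.
func Base64Obfuscate(secret string) string {
	return base64.StdEncoding.EncodeToString([]byte(secret))
}

// Base64Reveal recovers the secret with no key at all.
func Base64Reveal(stored string) (string, error) {
	b, err := base64.StdEncoding.DecodeString(stored)
	return string(b), err
}

// newGCM builds AES-256-GCM from the standard library (an existing, reviewed
// implementation, not a home-grown cipher). key must be 32 bytes and is
// assumed to come from the platform keystore, never from the code.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealSecret stores nonce || ciphertext || tag, base64-encoded so it fits
// the same string-valued store the obfuscated version used.
func SealSecret(key []byte, secret string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(secret), nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// OpenSecret reverses SealSecret; it fails on a wrong key or a tampered byte.
func OpenSecret(key []byte, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("bad key or truncated stored value")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	return string(pt), err
}
```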