Mobile App Security: Who Else is on Your Device? August 27, 2013

Size: px

Start display at page:

Download "Mobile App Security: Who Else is on Your Device? August 27, 2013"

Verity Owen
8 years ago
Views:

1 Mobile App Security: Who Else is on Your Device? August 27, 2013 Start Time: 9 AM US Pacific, Noon US Eastern, 5 pm London 1

2 2 Generously sponsored by:

3 Welcome Conference Moderator Hari Pendyala ISSA Fellow and Member, Chennai, Asia Pacific Chapter ISSA Web Conference Committee 3

Agenda Speakers Aaron Brauer-Rieke Attorney, Federal Trade Commission, Division of Privacy and Identity Protection Heather Hillerman Product

4 Agenda Speakers Aaron Brauer-Rieke Attorney, Federal Trade Commission, Division of Privacy and Identity Protection Heather Hillerman Product Marketing Specialist, TRITON Mobile Security, Websense, Inc. Sam Masiello Head of Application Security, Groupon Open Panel with Audience Q&A Closing Remarks 4

Marketing Specialist, TRITON Mobile Security, Websense, Inc.

5 Assessing the Mobile Security Landscape Aaron Brauer-Rieke Attorney, Federal Trade Commission, Division of Privacy and Identity Protection 5

6 The FTC s Lens Promoting and enforcing reasonable security practices. [U]nfair or deceptive acts or practices in or affecting commerce[] are hereby declared unlawful. 15 USC 45 6

Recent Activity Enforcement Actions HTC (2013) We alleged that HTC America failed to employ reasonable and appropriate security practices in the design and

7 Recent Activity Enforcement Actions HTC (2013) We alleged that HTC America failed to employ reasonable and appropriate security practices in the design and customization of the software on its mobile devices Workshops Mobile Security: Potential Threats and Solutions (2013) 7

customization of the software on its mobile devices Workshops Mobile Security:

8 Presentation Overview Ecosystem is complicated Handset makers, carriers, platform providers, app developers, etc. No silver bullets Key areas for discussion Gatekeeping Security design/features Updates/patching 8

9 Gatekeeping Keep bad apps away from users. Platforms have seen some success here Not foolproof Code obfuscation Delayed malicious behavior Tensions of between security and choice/control Competition Permissions 9

Code obfuscation Delayed malicious behavior Tensions

10 Security Design, Features Build a better OS. Sandboxing, access controls Permissions Trusted UIs Data usage intention strings Exploit mitigation Securing apps by default Preventing API abuse Encouraging use of security APIs 10

usage intention strings Exploit mitigation Securing apps

11 Updates and Patching Keeping devices up-to-date. Security lifetimes, patch cycles OEMs and carriers Bug bounty programs 11

12 12 Reflections: where are we headed?

13 Question and Answer Aaron Brauer-Rieke Attorney, Federal Trade Commission, Division of Privacy and Identity Protection 27 13

14 Mobile Web Security Threats Heather Hillerman Product Marketing, Websense 5

15 The Perfect Storm for Mobile Security Mobile Growth

16 The Perfect Storm for Mobile Security Mobile Growth Bring Your Own Device

17 The Perfect Storm for Mobile Security Mobile Growth Bring Your Own Device Increased Mobile Threats

18 Threats don t discriminate

Facts about mobile devices Over 6 billion active mobile devices Mobile Factbook predicts there will be 6.9 billion active mobile devices by the end of 2013 69.

19 Facts about mobile devices Over 6 billion active mobile devices Mobile Factbook predicts there will be 6.9 billion active mobile devices by the end of % of the market is ios or Android 32% increase in website traffic from mobile devices Information from: International Telecommunication Union and Mobile Factbook

9% of the market is ios or Android 32% increase in website traffic from mobile devices Information from: International

20 The percentage of mobile workers currently using their personal smartphones for work. The ipass Q Mobile Workforce Report 2013 ipass Inc.

21 FactsMark Authority, July 24, 2012,

22 Most Used Smartphone Apps - August 6, 2013

23 Vulnerabilities Malicious apps Ad malware Social engineering One click downloads Physical loss

Malicious App Numbers Rise Malicious Android apps have increased by 350,000 during the first half of 2013. More than a million malicious Android apps before the end of the year.

24 Malicious App Numbers Rise Malicious Android apps have increased by 350,000 during the first half of More than a million malicious Android apps before the end of the year. 718,000 Source: Trend Micro TrendLabs 2Q 2013 Security Roundup Report

25 Android Versions in Use

26 Fragmentation

27 Android background It has been calculated that there are 11,868 distinct Android devices.

Mobile Threats Mobile friendly SMS Email Apps Targeting

28 Mobile Threats Mobile friendly SMS Apps Targeting the end user SMS spoofing Phishing Web/app exploits Bluetooth

29 Threats are Changing

30 Threats are Changing

31 Recent Headlines Mobile Advertising Malware Downloader App builder includes adware, it asks for an update to mobile user, this enables malware download Java Cryptography Architecture (JCA) installed into Android OS, has known flaws, exposes security risk to BitCoin wallets

bulletins are rated critical; 5 are rated important.

32 Old World Patches Lasted patch release: August 13, 2013 Lasted patch release: June 18, 2013 Lasted patch release: July 9, 2013 For: Windows, Exchange, IE 8 bulletins 23 vulnerabilities 3of the bulletins are rated critical; 5 are rated important. For: 40 new security fixes 37 of which are remotely exploitable without authentication For: Flash 3 CVEs which are all rated a impact and exploitability score of 10

33 The Threat Landscape has Changed Advanced Threats THEN NOW Signature Based Zero Day High Volume Targeted / Low Volume Mass Distribution Trusted Entry

34 The Threat Landscape has Changed Advanced Threats Data Theft THEN NOW THEN NOW Signature Based Zero Day Goal: Damage Goal: Financial gain High Volume Targeted / Low Volume Inbound focus was enough Assume holes in security Mass Distribution Trusted Entry Data was easily identifiable Theft can easily be hidden

35 The Threat Landscape has Changed Advanced Threats Data Theft Attack & Malware Forensics THEN NOW THEN NOW THEN NOW Signature Based Zero Day Goal: Damage Goal: Financial gain Hands-Off Hands-on High Volume Targeted / Low Volume Inbound focus was enough Assume holes in security Reactive Proactive Mass Distribution Trusted Entry Data was easily identifiable Theft can easily be hidden Focus on intrusion prevention Holistic View

36 The Seven Stages of Advanced Threats Recon Lure Redirect Exploit Kit Dropper File Call Home Data Theft AWARENESS REAL-TIME ANALYSIS INLINE DEFENSES CONTAIN- MENT

37 What can you do today? Password Protect Protect Data-on-Device App Permissions and Availability Mobile Web Security Layer Mobile DLP Layer Mobile AUP

38 Question and Answer Heather Hillerman Product Marketing, Websense 27 38

39 Mobile App Security Who Else is on Your Device? Sam Masiello Head of Application Security Groupon 36

40 Alternate Title: The Other Devil in Your Pants

41 About Groupon Currently in about 50 countries Over 12,000 employees very mobile workforce Significant percentage of revenue coming from purchases made on mobile devices Looking at mobile security both from the end user and the employee PoV 41

42 Consumerization of IT is Real 42

43 Mobile Threat Landscape is Growing 43

44 By the numbers Source: F-Secure 44

45 Still Like Comparing 45

46 App Marketplaces the Primary Catalyst Started in 2007 when Apple opened up its API to third party devs Both a blessing and a curse That blessing also makes these marketplaces attractive targets Competing business models 46

47 Tighter Control!= Security No system is 100% fool-proof Jekyll Apps 47

48 It Isn t Just About The Marketplaces 48

49 Jailbreak as a Service Jailbreakme.com Disclaimer: No longer being maintained. Untethered jailbreak Exploited various OS level vulnerabilities Powerful Proof of Concept 49

50 It s All About the Money? 50

51 Other Key Enterprise Security Threats Public WiFi Hotspots Data Exfiltration ( , Dropbox-like sites, web browser uploads) 51

52 Why You Need Enterprise Mobile Security Enterprise data loss caused by device loss/theft Malware Users need I say more? Lack of IT control Lack of a formal mobile security strategy 52

53 (Not so?) Bold predictions for the future The mobile landscape will continue to get more complex Companies will constantly be playing catch up The mobile threat landscape will continue to become more complex Data leaks and breaches from mobile devices will become more commonplace 53

54 Takeaways You can t stop it. You can only hope to contain it Eyes wide open! Be an enabler 54

55 Thank You! Sam Masiello Head of Application Security Groupon

56 Question and Answer Sam Masiello Head of Application Security Groupon 56

57 Open Panel with Audience Q&A Aaron Brauer-Rieke Attorney, Federal Trade Commission, Division of Privacy and Identity Protection Heather Hillerman Product Marketing Specialist, TRITON Mobile Security, Websense, Inc. Sam Masiello Head of Application Security, Groupon 57

58 Closing Remarks Thank you to our Sponsor Thank you to Citrix for donating this Webcast service Online Meetings Made Easy 58

CPE Credit Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post Web Conference quiz.

59 CPE Credit Within 24 hours of the conclusion of this webcast, you will receive a link via to a post Web Conference quiz. After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits. On-Demand Viewers Quiz Link: Conference-Mobile-App-Security-Who-Else-is-on-Your- Device-August

Open Software and Trust Better Than Free? April 28, 2015 Start Time: 9am US Pacific /12 noon US Eastern/ 5pm London Time

Open Software and Trust Better Than Free? April 28, 2015 Start Time: 9am US Pacific /12 noon US Eastern/ 5pm London Time 1 T Sponsored by: #ISSAWebConf 2 Welcome Conference Moderator Phillip Griffin CISM,