Slide 1: Theodora Titonis, Vice President, Mobile, Veracode

Slide 2: MOBILE SECURITY: Increasing Threat (MOBILE RISK)
- 64%: Companies with no BYOD policy. [3]
- 34%: Companies with no app security program. [4]
- 47%: Nearly half of companies that permit BYOD experienced a data or security breach as a result of an employee-owned device accessing the corporate network. [1]
- 66%: Enterprises that have had undisclosed data breaches. [2]
- 614%: Mobile threat increase over the past year, a dramatic rise from 155% in the previous year. [5]

Sources:
1. Decisive Analytics, LLC, Mobile Consumerization Trends & Perceptions, August 2012
2. Opinion Matters, Threat Track Security, November 2013
3. Cisco BT, Impact of BYOD on Enterprise Networks, June 2013
4. SANS, Survey on Application Security Programs and Practices, December 2012
5. Juniper, Mobile Threat Report, June 2013

Slide 3: MOBILE SECURITY: Sensitive Data on Mobile Device (SENSITIVE DATA)
- EMAIL: Add company email to a personal device.
- VPN: Become a node on the internal network.
- FILE SHARING: File sharing services and apps.
- SD CARD: Copy files from a desktop or laptop.
- MOBILE DEVICE APPS: Business productivity apps.
- SMS: Instant messages, particularly with attachments.

Slide 4: MOBILE SECURITY STACK: Description of Layers (MOBILE STACK)
- Well-defined layers.
- An abstraction-based model.
- Allows focus on a specific area of concern or expertise.
- Results in a comprehensive approach.

Slide 5: MOBILE SECURITY STACK: Application Layer (MOBILE STACK)
- More app downloads than stars in our galaxy by 2017.
- Software that the end user directly interfaces with.
- Uses the APIs provided by the operating system (OS).
- Interfaces with the cloud or the device through the OS.

Slide 6: MOBILE APP (section divider)

Slide 7: USE CASES: MOBILE APP SECURITY: Securing Apps that are Produced and Consumed
APP PRODUCER (Mobile SDLC):
- Volume: 10 to 100s of apps.
- Speed: New apps every quarter.
- Choice: Developer driven.
APP CONSUMER (BYOD or BYOA):
- Volume: Thousands of apps.
- Speed: New apps every day.
- Choice: Employee driven.

Slide 8: ENTERPRISE VIEW OF MOBILE APPS: Access to Sensitive Corporate Data (PROGRAM)
- Internally Developed Apps: This class of app leaves the enterprise most exposed to risk. Financial services, healthcare, and other highly regulated industries.
- Business Apps (Supply Chain): This class of app accesses customer-sensitive data and is therefore a risk for enterprises. Examples: Salesforce, UPS, Box, ADP, PayPal, GoToMeeting, WebEx, Concur.
- Consumer Apps: This class of app resides on employee devices alongside internally developed and business apps.

Slide 9: MOBILE APPS: Vulnerabilities: Top Vulnerabilities (ANDROID)
- Cryptographic Issues
- Error Handling
- Code Quality
- Information Leakage
- Credentials Management
- CRLF Injection
- Directory Traversal
- SQL Injection
- Insufficient Input Validation
- Authorization Issues
Slide 10: MOBILE APPS: Cryptographic Issues (ANDROID)
[Chart: 85% and 78% of apps, labelled testing / quality control, production system, and development]
Encryption: protect the key.
- Recommended: Prompt for credentials when needed.
- Recommended: Make a trusted connection to a secure server for the key.
- Risky: Write custom crypto.
- Risky: Store keys on the device.
Slide 11: POLICIES: POLICIES FOR APPS PRODUCED: Security as Part of the Software Development Lifecycle
[Diagram, steps 1 to 7: Develop, Build, Check in, Automated Veracode Plugin, Build, Import Scan, Sandbox Scan, on the Veracode Cloud-Based Platform]

Slide 12: POLICIES: POLICIES FOR APPS PRODUCED: Security as Part of the Software Development Lifecycle
- Compliance with policies upon first submission.
- Significant improvement in the first three builds.
- Policies measured: Enterprise Policy, CWE/SANS Top 25, OWASP Top 10.
[Chart legend: Compliant / Out of Compliance]

Slide 13: ROLES: CUSTOM MOBILE APP SECURITY POLICIES: Collaborative Effort Between Business, IT, and Security
- CISO: Drive compliance with policies and monitor risk.
- SECURITY: Embrace automation to reduce manual analysis.
- DEVELOPERS: Security as part of the SDLC.
- IT: Establish policies to protect employee devices.

Slide 14: MOBILE APPS and Risky Apps: Top Risky Apps
[Chart: share of top risky apps by behaviour category (Access Files, Access Identity, Access Location, Access Contacts, Access Correspondence), values 93%, 75%, 63%, 60%; values 82% and 25% for Advertising and Tracking]

Slide 15: MOBILE APPS and Risky Apps: Top Risky Apps
[Chart: share of top risky apps by behaviour category (Access Contacts, Access Correspondence, Access Files, Access Identity, Access Location), values 90%, 55%, 63%, 54%; values 92% and 20% for Advertising and Tracking]

Slide 16: MOBILE APPS and Risky Apps: THREAT ANALYSIS: Top Apps
Slide 17: POLICY: CUSTOM MOBILE APP SECURITY POLICIES: Strategic, Comprehensive, and Policy-Driven Approach
Policy Creation & Evaluation Cycle:
- Create Policy
- Define Parameters
- Measure Risk
- Apply Policy (MDM Integration)
- Monitor Apps: Monitor and measure for IT audits, policy and controls effectiveness, and constant improvement.
The processes complement each other to create a mobile app security lifecycle that can adapt as business, IT, and security requirements change.

Slide 18: DATA LOSS PREVENTION: Securing Sensitive Data (MOBILE)
Data at risk:
- Sensitive unencrypted network data
- Sensitive unencrypted SQLite data
- Sensitive unencrypted filesystem data
Apply policy to prohibit apps with these behaviours:
- Direct HTTP Access
- Direct Socket Access
- Uses SQLite
- Examine Filesystem
- Read Files

Slide 19: DATA LOSS PREVENTION: Sensitive Data by Organization or Role (MOBILE)
- FILES: Read Files; Access Cloud Resources; USB Usage; Examine File System; Retrieve Browser History; Access Cookies; Access to Bookmarks.
- CORRESPONDENCE: Read SMS Messages; Send, Receive, Prepare SMS; Consume SMS Messages; Access Call Log; Record Phone Calls; Monitor Phone Calls.
- CONTACTS: Read Contacts; Write Contacts; Edit Contacts; Track Address Book; Bulk Access Contacts; Access Facebook Audience.
- IDENTITY: Examine Account; Access Unique Device ID; Retrieve SIM Card Info; Access Social Networks; Access Facebook; Access Twitter; Access Accounts.
- LOCATION: Monitor Location; Uses Geocoding.
- DEVICE: Root Device; Listen for Key Presses; Monitor Phone Activity; Monitor Camera Interface; Capable of Recording Audio; Access System Logs; Retrieve List of Running Apps; Access to Shared Library; Access to Default Preferences.

Slide 20: POLICY: CUSTOM MOBILE APP SECURITY POLICIES: Access to Sensitive Data with Use of Unencrypted Network Data (ANDROID APPS)
Behaviours, each of which can be placed on a whitelist or a blacklist:
- HTTP Download
- HTTP Upload
- Read SMS
- Install Applications
- Record Phone Calls
- Check if Device is Rooted
- USB Usage
- Access System Logs
- Retrieve Browser History
- Retrieve List of Services
- Direct HTTP Access
- Direct Socket Access
- Access Cloud Resources
- Read Clipboard
- Access Global Clipboard
- Monitor Phone Calls
- Monitor Device Location
- Uses Geocoding
- Access Accounts
- Runs Other Programs
- Access to Bookmarks

Slide 21: POLICY: CUSTOM MOBILE APP SECURITY POLICIES: Access to Sensitive Data with Use of Unencrypted Network Data
- Apps that Check if a Device is Rooted: Code exists to determine whether the device has been rooted or jailbroken and is running in superuser/admin mode. Examples: Afaria, Netflix, Pandora, Twitter, Yelp.
- Apps that Access System Logs: Has the code necessary to read log files such as system events, application events, and other output. Examples: Divide, Instagram, iPass, LinkedIn, Receiver, SAP BI, Skype, TripAdvisor, Yelp.

Slide 22: POLICY: CUSTOM MOBILE APP SECURITY POLICIES: Access to Sensitive Data with Use of Unencrypted Network Data
- Apps that Bulk Access Contacts: Contains code capable of reading and/or copying all data from your address book. May also mass-import from a vCard source. Examples: Instagram, Find My Friends, Google Search, Pandora, SAP Business Objects Mobile, Skype, Symantec Mobile Encryption, Twitter, Facebook.
- Apps that Run Other Programs: Contains code that can execute other programs, which may also return data back to it. Examples: Google Search, Netflix, Pandora, Symantec Mobile Encryption.
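The policy idea running through slides 18 to 22 (behaviour whitelists and blacklists, plus the combination rule "access to sensitive data with use of unencrypted network data") can be expressed as a small evaluator. The following is an added example, not Veracode's code: behaviour names are the ones on the slides, while the `Policy` class, the finance-role policy, the app names and their behaviour sets are all constructed for illustration.

```python
from dataclasses import dataclass

# Behaviours that can move data off the device without encryption (slides 18 and 20).
UNENCRYPTED_NETWORK = {"Direct HTTP Access", "Direct Socket Access",
                       "HTTP Upload", "HTTP Download"}

# Sensitive-data behaviours grouped by the categories of slide 19 (a subset).
SENSITIVE = {
    "Files": {"Read Files", "Examine File System", "Retrieve Browser History"},
    "Correspondence": {"Read SMS Messages", "Access Call Log", "Record Phone Calls"},
    "Contacts": {"Read Contacts", "Write Contacts", "Bulk Access Contacts"},
    "Identity": {"Access Unique Device ID", "Retrieve SIM Card Info", "Access Accounts"},
    "Location": {"Monitor Location", "Uses Geocoding"},
    "Device": {"Root Device", "Access System Logs", "Listen for Key Presses"},
}

@dataclass(frozen=True)
class Policy:
    """One role's policy (hypothetical structure): protected categories plus lists."""
    protected: frozenset   # sensitive categories this role must protect
    blacklist: frozenset   # behaviours prohibited outright
    whitelist: frozenset   # behaviours accepted even though they touch sensitive data

def evaluate(behaviours, policy):
    """Return {'compliant': bool, 'findings': [...]} for one app's behaviour set."""
    behaviours = set(behaviours)
    findings = [f"blacklisted: {b}" for b in sorted(behaviours & policy.blacklist)]
    protected = set().union(*(SENSITIVE[c] for c in policy.protected))
    # Combination rule: sensitive access is flagged only when the same app can
    # also move data over an unencrypted channel (slide 20's title).
    sensitive = (behaviours & protected) - policy.whitelist
    network = behaviours & UNENCRYPTED_NETWORK
    if sensitive and network:
        findings.append("sensitive data (" + ", ".join(sorted(sensitive))
                        + ") with unencrypted network (" + ", ".join(sorted(network)) + ")")
    return {"compliant": not findings, "findings": findings}

# Constructed finance-role policy and constructed behaviour sets for hypothetical
# apps; these are not analysis results for any real application.
FINANCE_POLICY = Policy(
    protected=frozenset({"Files", "Correspondence", "Contacts"}),
    blacklist=frozenset({"Bulk Access Contacts", "Record Phone Calls", "Root Device"}),
    whitelist=frozenset({"Retrieve Browser History"}),
)
SAMPLE_APPS = {
    "expense-camera": {"Read Files", "Monitor Location", "Direct HTTP Access"},
    "team-chat": {"Read Contacts", "Read SMS Messages", "Access Accounts"},
    "free-flashlight": {"Bulk Access Contacts", "Direct Socket Access"},
    "news-reader": {"Retrieve Browser History", "HTTP Download"},
}

if __name__ == "__main__":
    for name, behaviours in SAMPLE_APPS.items():
        print(name, evaluate(behaviours, FINANCE_POLICY))
```

Because "team-chat" reads contacts and SMS but has no unencrypted network behaviour it passes, while "news-reader" passes only because the browser-history behaviour was whitelisted for this role.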
Slide 23: MALWARE: Decade of Mobile Malware* (MOBILE)
*Sophos Mobile Threat Report, Mobile World Congress, 2014

Slide 24: MOBILE MALWARE: Malware Samples through January 2014*
[Chart: malware sample counts by month, with a y-axis from 0 to 700,000 and an x-axis of months ending in January 2014]
*Sophos Mobile Threat Report, Mobile World Congress, 2014

Slide 25: POLICY: CUSTOM MOBILE APP SECURITY POLICIES: Collaborative Effort Between Business, IT, and Security
- BUSINESS: Prepared with a list of objectives, including desired user behavior and success metrics.
- IT: Equipped to point out risks and any technical limitations.
- SECURITY: Equipped to point out risks and any technical limitations.