Third Party Components in Applications: Understanding Application Security



Similar documents
BYOD Management : Geo-fence

CSUF Tech Day Security Awareness Overview Dale Coddington, Information Security Office

Protecting against Mobile Attacks

How to Practice Safely in an era of Cybercrime and Privacy Fears

How Attackers are Targeting Your Mobile Devices. Wade Williamson

BYOD Guidance: BlackBerry Secure Work Space

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Embracing BYOD. Without Compromising Security or Compliance. Sheldon Hebert SVP Enterprise Accounts, Fixmo.

Global Security Report 2011

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

A Case for Managed Security

Running Head: AWARENESS OF BYOD SECURITY CONCERNS 1. Awareness of BYOD Security Concerns. Benjamin Tillett-Wakeley. East Carolina University

Trust Digital Best Practices

Mobile Security. Luther Knight Mobility Management Technical Specialist, Europe IOT IBM Security April 28, 2015.

How to Secure Your Environment

Guideline on Safe BYOD Management

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK

INCREASINGLY, ORGANIZATIONS ARE ASKING WHAT CAN T GO TO THE CLOUD, RATHER THAN WHAT CAN. Albin Penič Technical Team Leader Eastern Europe

But... It s an App/Play Store Download: Research Exposes Mobile App Flaws

Adobe Flash Player and Adobe AIR security

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

BUSINESS PROTECTION. PERSONAL PRIVACY. ONE DEVICE.

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

4 Steps to Effective Mobile Application Security

A Guide to MAM and Planning for BYOD Security in the Enterprise

Protecting Android Mobile Devices from Known Threats

Kaspersky Fraud Prevention platform: a comprehensive solution for secure payment processing

MOBILITY & INTERCONNECTIVITY. Features SECURITY OF INFORMATION TECHNOLOGIES

Codeproof Mobile Security & SaaS MDM Platform

White Paper. Three Steps To Mitigate Mobile Security Risks

10 best practice suggestions for common smartphone threats

BYOD Policy & Management Part I

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Securing Patient Data in Today s Mobilized Healthcare Industry. A Good Technology Whitepaper

Tips for Banking Online Safely

Cyber Essentials Scheme

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

Simplifying Security & Compliance Innovating IT Managed Services. Data Security Threat Landscape and IT General Controls

BYOD Guidelines A practical guide for implementing a successful BYOD Management program in an organization of any size.

Specific recommendations

10 Smart Ideas for. Keeping Data Safe. From Hackers

Endpoint & Server Protection. Brent Biernat First Vice President Network Services May 13, 2014

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

The Hidden Dangers of Public WiFi

Breaking the Cyber Attack Lifecycle

Ibrahim Yusuf Presales Engineer at Sophos Smartphones and BYOD: what are the risks and how do you manage them?

Windows Phone 8 Security Overview

Yes MAM: How Mobile Device Management Plus Mobile Application Management Protects and Addresses BYOD

Trusted Network Connect (TNC)

Emerging threats for the healthcare industry: The BYOD. By Luca Sambucci

Mike Zusman 3/7/2011. OWASP Goes Mobile SANS AppSec Summit 2011

Security Best Practices for Mobile Devices

Data Security Best Practices & Reasonable Methods

Internet threats: steps to security for your small business

Best Practices in Mobile Device Management (MDM) Assoc. Prof. Dr. Thanachart Numnonda Executive Director IMC Institute

THREE KEYS TO COST-EFFECTIVE SECURITY FOR YOUR SMALL BUSINESS

Crypto-Segmentation: Protecting Networked Applications When Firewalls Fail

BLACKJACKING: SECURITY THREATS TO BLACKBERRY DEVICES, PDAS, AND CELL PHONES IN THE ENTERPRISE

What s Hot and What s Not in the World of Cyber Security and Cyber Crime

Mobile Threat Intelligence Report

Surviving and operating services despite highly skilled and well-funded organised crime groups. Romain Wartel, CERN CHEP 2015, Okinawa

GOVERNMENT USE OF MOBILE TECHNOLOGY

Securing Endpoints without a Security Expert

Information Security. Be Aware, Secure, and Vigilant. Be vigilant about information security and enjoy using the internet

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.

Lecture Embedded System Security A. R. Darmstadt, Introduction Mobile Security

Securing mobile devices in the business environment

COSC 472 Network Security

Protecting the Extended Enterprise Network Security Strategies and Solutions from ProCurve Networking

RETHINKING CYBER SECURITY Changing the Business Conversation

TechnoLabs Software Services Pvt Ltd. Enterprise Mobility - Mobile Device Security

THE TOP 5 WAYS TODAY S SCHOOLS CAN UPGRADE CYBER SECURITY. Public School Cyber Security is Broken; Here s How to Fix It

ARCHITECT S GUIDE: Comply to Connect Using TNC Technology

PCI Solution for Retail: Addressing Compliance and Security Best Practices

Protecting What Matters Most. Terry Ray Chief Product Strategist Trending Technologies Session 11

Mobile Device Management

Senaca Shield Presents 10 Top Tip For Small Business Cyber Security

Mobile App Security: Who Else is on Your Device? August 27, 2013

Introduction to Cyber Security / Information Security

ios Security The Never-Ending Story of Malicious Profiles Adi Sharabani Yair Amit CEO & Co-Founder Skycure CTO & Co-Founder

Course: Information Security Management in e-governance

Defending Behind The Device Mobile Application Risks

WHITE PAPER Usher Mobile Identity Platform

Basic Security Considerations for and Web Browsing

Detecting Cyber Attacks in a Mobile and BYOD Organization

NATIONAL CYBER SECURITY AWARENESS MONTH

Mobile Security BYOD and Consumer Apps

Hands on, field experiences with BYOD. BYOD Seminar

Software that provides secure access to technology, everywhere.

Cyber Security Education & Awareness. Guide for User s

ENDPOINT SECURITY WHITE PAPER. Endpoint Security and Advanced Persistent Threats

Simple security is better security Or: How complexity became the biggest security threat

PREVENTING ZERO-DAY ATTACKS IN MOBILE DEVICES

Modern Cyber Threats. how yesterday s mind set gets in the way of securing tomorrow s critical infrastructure. Axel Wirth

Office 365 Cloud App Security MARKO DJORDJEVIC CLOUD BUSINESS LEAD EE TREND MICRO EMEA LTD.

Cloud Backup and Recovery for Endpoint Devices

SECURITY ASPECTS OF OPEN SOURCE

In 2015, just under half (43%) of the world s population has an Internet connection: 3.2 billion people, compared to 2.9 billion in July 2014.

Enabling Business Beyond the Corporate Network. Secure solutions for mobility, cloud and social media

Transcription:

Third Party Components in Applications: Understanding Application Security SESSION ID: MBS-W08 Olli Jarva Chief Security Specialist, APAC Codenomicon, Singapore @ollijarva

Applications and Open Source

Open Source Components in Mobile Software 80-90% of mobile software consists of re-used libraries Most open source Some overlapping 26-96% of mobile software has known vulnerabilities (depending on platform and developers) Closed source also subject to vulnerabilities 3

Open Source Components No need to re-invent the wheel Affordable In theory, multiple developers means better quality Can be combined to create brilliant things End products, inherit vulnerabilities and licensing issues 4

Open Sources Vulnerable Middleware libraries Common Unix-daemons Embeddable services Utility libraries Encryption libraries Kernels And more... 5

Vulnerabilities are Everywhere Where do the vulnerabilities come from? Immature / Malfunction processes Operating systems, Applications, Anti-{malware/virus/spam} not up-to-date Users fall victim to social engineering Poor or incorrect configurations Poorly implemented software Unknown (and known) vulnerabilities Logic errors in implementation Poor software design and architecture 6

What is the Impact of These Vulnerabilities? Software = Bugs Some vulnerabilities act intentionally or unintentionally Leak information Behave maliciously Do other nasty things behind the scenes that user is not aware of BYOD policies can reveal a larger issue How do we counter this situation? 7

Who is in Charge? End users Policy-makers and their enforcers Developers Combination of all above 8

How Do We Make Sure We Know What the Applications are Doing Consequently, how do you choose what to use? Issues are invisible to the users this all happens behind screens Are there any platform issues related to choosing what we have at use? Testing? 9

Example of a Good Application Behavior App Server 10

Example of Bad Application Behavior Application sends Irrelevant information Too sensitive information To server, and also Third, fourth and fifth parties 11

Applications and Vulnerabilities

What Makes Applications Vulnerable Many Mobile Applications use Open Source libraries 80-90% of mobile software consists of re-used libraries Commonly used libraries: OpenSSL Image handling (PNG, TIFF and so on) Curl Freetype Zlib Many Mobile Applications connect to Ad networks May be stack issues 13

Communication in a Perfect World App installed on smartphone App vendor s server 14

The Reality is Something Else Private information is being shared to outsiders (IMEI, Android ID, Contacts, etc.) 15

Private Information How Private Information is sent 14 4 22 Encrypted, secure SSL Encrypted, unsecure SSL Plain text 16

And it Just Gets Better 17

When Problems Surface Consider possible issues when we use Applications in BYOD environments New issues: Privacy What others are knowing about our daily life, our behavior of doing things? Security What might be the impact of Malicious user utilizing vulnerability in end users device, exposing company secrets? Confidentiality How are we limiting the access or places for certain types of information? Availability Is there a possibility that our availability might be compromised by Malicious application? 18

Where Do We Stand Now?

Today s Landscape Top 50 android apps and their behavior How many Applications are connecting to Ad Networks? Sharing your private information without user awareness? Location Contacts IMEI code Android ID How many endpoints do the applications have? What private information is being shared? 20

Application Downloads (Singapore Above Average, ~37 Apps) Source: Mashable 21

The Issue is Privacy Ad Networks Ad Network leaks information types that should be controlled Amount of Ad Networks 5 15 22 0 1 to 2 over 2 22

The Issue is Privacy Mobile Security and Integrity: Application morale and behavior of handling information is related to privacy 35 Amount of Apps Sending Private Information 30 25 20 15 20 To third party To app vendor 10 5 0 5 11 5 6 2 1 IMEI Android ID Location Phone number 23

Five New Threats to Your Mobile Device Security Mobile phishing and ransomware Using an infected mobile device to infiltrate nearby devices Cross-platform banking attacks Cryptocurrency mining attacks The enemy is us Home WiFi, work WiFi or Starbucks WiFi? Devices with vulnerabilities on these network Can be exploited directly from the infected mobile device 24

Not Only Mobile The Internet of Things is already here Printers, network-attached storage units, wifi-routers... ALSO smart TVs, consoles, connected climate control systems... 25

Some Results: Network Printer Known vulnerabilities Copyleft license 26

More Results: Wireless Router Vulnerable libraries and restrictive licenses 27

The Big Issues More and more devices communicating Not secure enough Not only consumer issue companies face similar problems Smaller companies have less resources Unavailability, information leaks, and lost customer trust are issues CEO s problem, also the CMO s problem and budget 28

The Issue is Availability Amount of Endpoints Compromising Availability Without availability, privacy, integrity, confidentiality are irrelevant. If the systems are down, what else is there? 4 8 7 21 1 to 5 6 to 10 11 to 29 over 30 29

We Can Fix This

From the Experts Changes can be made, yet are temporary Open Source is free, yet not foolproof Community effort to make libraries safer Heartbleed revealed, we can make the change quickly 31

Whitelisting Applications Challenges: Enforcing white lists Listing safe applications to be used Maintaining the list up-to-date Forcing people to consider security as a tier-one priority 32

Challenges in Development How do we make developers aware of the issue? Do they already know about it? What is the monetary impact, how do we solve it? 33

Customers Viewpoint Single customer Difficult as a single voice to be heard Demanding better and higher quality Quality = higher cost Normally the motivating factor may not be security, until a failure occurs Cheap = demand for low-end products 34

What s Next? The requirements are clear Healthier, happier, and more productive Perhaps Create software that is safer, reliable, unbreakable Create software that integrates with everything 35

Questions Olli Jarva @ollijarva info@codenomicon.com

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information