slide1 n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
An Inside Look at Mobile Security Android & iOS PowerPoint Presentation
Download Presentation
An Inside Look at Mobile Security Android & iOS

Loading in 2 Seconds...

play fullscreen
1 / 22

An Inside Look at Mobile Security Android & iOS - PowerPoint PPT Presentation


  • 139 Views
  • Uploaded on

An Inside Look at Mobile Security Android & iOS. Zachary Hance & Andrew Phifer Dr Harold Grossman. Introduction. As of February 27 th , 2012, according to techcrunch.com, “Explosive growth. That’s Android. Google’s mobile platform is up 250 percent over last year and,

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'An Inside Look at Mobile Security Android & iOS' - novia


Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide1

An Inside Look at Mobile Security

Android & iOS

Zachary Hance & Andrew Phifer

Dr Harold Grossman

slide2

Introduction

As of February 27th, 2012, according to techcrunch.com,

“Explosive growth. That’s Android. Google’s mobile

platform is up 250 percent over last year and,

according to Andy Rubin, SVP, Mobile and Digital Content, Google is seeing 850,000 activations

every day.”

According to dailymail.co.uk, “Apple’s total figure of 250 million activations of devices running iOS, including iPods, iPhones, and iPads. In

November last year, Android was already standing at

200 million activations.”

slide5

Mobile Security Risks– Top 10

Insecure Data Storage

Weak Server Side Controls

Insufficient Transport Layer Protection

Client-Side Injection

Poor Authorization and Authentication

Improper Session Handling

Security Decisions via Untrusted Inputs

Side Channel Data Leakage

Broken Cryptography

Sensitive Information Disclosure

slide6

Insecure Data Storage

  • Resulting from:
  • Not encrypting data
  • Caching data not intended for long-term storage
  • Weak or global permissions
  • Not leveraging platform best-practices
  • Impacts from this attack:
  • Confidentiality of data lost
  • Credentials disclosed
  • Privacy violations
  • Non-compliance
slide7

Weak Server Side Controls

  • Resulting from:
  • Not being able to trust the client (can’t always assume)
  • Applies to the backend services
  • Impacts from this attack:
  • Confidentially of data lost
  • Integrity of data not trusted
slide8

Insufficient Transport Layer Protection

  • Resulting from:- Complete lack of encryption for transmitted data
  • Weakly encrypted data in transit
  • Strong encryption, but ignoring security warnings
    • Ignoring certificate validation errors and falling back to plain text
  • Impacts from this attack:
  • Man-in-middle gets access to data
  • Tampering with data
  • Confidentiality of data is lost
slide9

Client Side Injection

  • Resulting from:
  • Apps using browser libraries
  • HTML and SQL injections
  • Impacts from this attack:
  • Device is compromised
  • Toll fraud
  • Privilege escalation
slide10

Poor Authorization and Authentication

  • Resulting from:
  • Relying on immutable values to authenticate a user’s device
  • Impacts:
  • Privilege escalation
  • Unauthorized access
slide11

Improper Session Handling

  • Resulting from:
  • Mobile apps running for long periods of time and the ways they maintain sessions (ex. HTTP cookies, OAuth tokens, and SSO authentication devices)
  • Impacts
  • Privilege escalation
  • Unauthorized access
  • Circumvent licensing and payments
slide12

Security Decisions Via Untrusted Inputs

  • Resulting from
  • Mobile devices being taken advantage of to bypass permissions and security models
  • Main attack sources
    • Malicious apps
    • Client side injection
  • Impacts
  • Consuming paid resources
  • Data exfiltration
  • Privilege escalation
slide14

Side Channel Data Leakage

  • Resulting from
  • Mix of not disabling platform features and programmatic flaws that causes sensitive data to be in unintended places (web caches, keystroke logging, screenshots, logs, and temp directories)
  • Impacts
  • Data retained indefinitely
  • Privacy violations
slide15

Broken Cryptography

  • Resulting from
  • Broken implementations using strong cryptography libraries
  • Custom, easily defeated cryptography implementations
  • Impacts
  • Confidentiality of data lost
  • Privilege escalation
  • Circumvent business logic
slide16

Sensitive Information Disclosure

  • Resulting from
  • Apps are reversed engineered easily, code obfuscation
  • Impacts
  • Credentials disclosed
  • Intellectual property exposed
    • Ex. API keys, passwords, sensitive business logic
slide17

Which mobile OS is more secure?

  • Collectively, the mobile OS is more secure than the computer OS.
  • However, the tide is beginning to turn for more malware being developed for mobile OS.
slide18

Conflict of Interest

  • Mobile devices do not allow users complete control over their devices.
  • Most users root or jailbreak their devices using the same vulnerabilities malware is developed for.
  • This conflict of interest between vulnerability disclosure and the ability for people to fully control their own device poses a great security issue.
slide20

Tips For Generally Keeping Safe

1) Only download apps from trusted sources, such as reputable app stores and download sites. Remember to look at the developer name, reviews, and star ratings.

2) After clicking on a web link, pay close attention to the address to make sure it matches the website it claims to be if you are asked to enter account or login information.

3) Set a password on your mobile device so that if it is lost or stolen, your data is difficult to access.

4) Download a mobile security tool that scans every app you download for malware and spyware and can help you locate a lost or stolen device. For extra protection, make sure your security app can also protect from unsafe websites.

5) Be alert for unusual behaviors on your phone, which could be a sign that it is infected. These behaviors may include unusual text messages, strange charges to the phone bill, and suddenly decreased battery life.

6) Make sure to download firmware updates as soon as they are available for your device.

slide21

In Summary

  • The top ten threats are not the only threats.
  • Threats are grouped in application-based, web-based, network-based, and physical groupings.
  • Mobile devices are being increasingly targeted for malware.
  • Staying up to date on trends seen in mobile security will be the best chance at keeping your device clean.
  • Mobile security is equally important for both the
  • Developer
  • And
  • End-User.
slide22

Resources

http://www.bgr.com/2011/06/28/ios-vs-android-which-mobile-os-is-more-secure/

http://www.google.com/imgres?q=ios+logo&num=10&hl=en&safe=off&gbv=2&biw=944&bih=950&tbm=isch&tbnid=jpwbVi42K7WRSM:&imgrefurl=http://www.newgadget.org/technology/apple-ios-vs-google-android-which-one-is-better/&docid=yBXTR8AlMGbqEM&imgurl=http://c686819.r19.cf2.rackcdn.com/wp-content/uploads/2010/09/apple-logo.jpg&w=450&h=370&ei=PUaTT--0I-fe2AWvvpHzBA&zoom=1&iact=hc&vpx=651&vpy=290&dur=1968&hovh=204&hovw=248&tx=155&ty=121&sig=102040322861706139265&sqi=2&page=1&tbnh=140&tbnw=157&start=0&ndsp=24&ved=1t:429,r:8,s:0,i:84

https://www.mylookout.com/mobile-threat-report#platform-comparison

http://software-security.sans.org/blog/2010/11/08/insecure-handling-url-schemes-apples-ios/