mobile (in)security? @ mobile edge '14
TRANSCRIPT
Cláudio André / [email protected]
/// Mobile (in)security ?
WHOAMI
• Pentester at Integrity S.A.
• Web applications, mobile applications and infrastructure
• BSc in Management Information Technology
• Offensive Security Certified Professional
MOBILE DEVICES
http://www.idc.com/prodserv/smartphone-os-market-share.jsp
301.3 million smartphone shipments in 2014Q2
2014Q2 MARKET SHARE
Android: 84.7%
iOS: 11.7%
Windows Phone: 2.5%
BlackBerry OS: 0.5%
Others: 0.7%
http://www.idc.com/prodserv/smartphone-os-market-share.jsp
MOBILE PLATFORMS ON ENTERPRISE
Source: BYOD & Mobile Security 2013 Survey, LinkedIn Information Security Group
ENTERPRISES' MAIN SECURITY CONCERNS
Source: BYOD & Mobile Security 2013 Survey, LinkedIn Information Security Group
ENTERPRISES' MAIN SECURITY CONCERNS
[Image caption: "I'm not a Hacker. Just a silly guy with a ski mask on. Don't know what I'm doing."]
SECURITY HORROR STORIES 2014 (SO FAR...)
- eBay: 145 million users, including encrypted email addresses.
- JP Morgan Chase: customer information of 76 million households and 7 million businesses.
- Home Depot: 56 million debit and credit cards.
- Target: 40 million credit and debit cards.
- Community Health Systems: personal data of 4.5 million patients.
ATTACK VECTORS
ATTACK VECTORS
• Device
• Network
• Server
ATTACK VECTORS
Device
• Browser
• System
• Phone / SMS
• Apps
• Malware
• ...
ATTACK VECTORS
Tech details in: http://security.claudio.pt
ATTACK VECTORS
Network
• Packet Sniffing
• Man-In-The-Middle (MITM)
• Rogue Access Point
• ...
ATTACK VECTORS
Server
• Brute Force Attacks
• SQL Injection
• OS Command Execution
• ...
A WAY TO...
- Mobile Device Management
- Mobile Application Management
- Endpoint Security Tools
- Network Access Control (NAC)
- Endpoint Malware Protection
- ...
MOBILE DEVICE MANAGEMENT
- Focus on the device
- Provisioning
- Security policy enforcement
- Reporting and monitoring
- Software distribution
MOBILE APPLICATION MANAGEMENT
- Focus on the applications
- Same capabilities as MDM, but applied to the applications
- Corporate app store (app wrapping)
WHICH ONE TO CHOOSE ?
- Depends on your objectives
- Mixed solution
NOT ONLY *WARE APPROACH
- Defense in depth
- Raise user awareness
- Secure development best practices (OWASP)
- Threat modeling
- Continuous penetration testing
Thank you.