
Software Confidence. Achieved. Mobile Security and Payments Infrastructure. AJ Dexter, Sr. Security Consultant.


1 Software Confidence. Achieved. Mobile Security and Payments Infrastructure. AJ Dexter, Sr. Security Consultant

2 © 2011 Cigital Inc. All Rights Reserved. Proprietary and Confidential.
A little about me
- Sr. Security Consultant at Cigital
- Former Lead Mobile Security Architect at US Bank
- Mobile Platform & Application SME
- Mobile Development Liaison for Security
- BITS/FSTC Mobile Threat Assessment SME
- Portland OWASP Founder
- Appreciator of nature and multi-colored sunsets

3 Agenda
- Intro
- Key Terms
- Statistics
- Mobile Security Issues
- Mobile Services
- Mobile Payments
- Mobile Platforms: Common Issues, Android, iOS, Blackberry
- Discussion

4 Key Terms
- Smartphone: mobile phone offering advanced, PC-like capabilities.
- Platform: the operating system on the smartphone.
- Mobile Web Applications: web applications with a constrained interface.
- Mobile Applications: "thick" applications meant to be run from the phone.
- Mobile Banking: view account balances and transactions, transfer funds between accounts, pay bills, receive account alerts, deposit checks, etc.
- Mobile Payments: use the mobile device for a purchase or other payment-related transaction at the point of sale (proximity) or via the internet (remote).

5 Worldwide Broadband Growth (chart not included in transcript). Source: International Telecommunication Union

6 Mobile Broadband Subscriptions (chart not included in transcript). Source: International Telecommunication Union (Nov. 2011)

7 United States Mobile User Behavior (chart not included in transcript). Source: Adobe Mobile Experience Survey (Oct. 2010)

8 United States Mobile User Behavior, continued (chart not included in transcript). Source: Adobe Mobile Experience Survey (Oct. 2010)

9 MOBILE PAYMENTS

10 Mobile Payment Evolution (chart not included in transcript). Stages as labelled on the slide: EMV/NFC Contactless; Mobile NFC Card Equivalent; Remote Mobile Payments; P2P; Advanced Features of Mobile Banking; Basic Mobile Banking; Online Banking. Source: Marianne Crowe, Federal Reserve Bank of Boston

11 Mobile Financial Services
- Mobile Banking: Information Services; Simple Transactions; Bill Payment
- Mobile Payments: Remote; Physical; Peer-2-Peer

12 MOBILE SECURITY ISSUES

13 OWASP Top Ten Mobile Risks (Source: OWASP Mobile Security Project)
Cryptography:
- Insecure Data Storage
- Broken or Non-existent Cryptography
- Sensitive Information Disclosure
Transport:
- Weak Server Side Controls (not mobile specific)
- Insufficient Transport Layer Protection
Identity:
- Poor Authorization and Authentication
Backend Issues:
- Improper Session Handling
- Client Side Injection
- Security Decisions via Untrusted Inputs
Other:
- Side Channel Data Leakage
- Physical Security

14 Major Mobile Risks (Source: OWASP Mobile Security Project)
- Malware: malicious software.
- Mobile Spoofing: a malicious person or program could misrepresent itself as another.
- Web Browser Attacks: exploitation by malicious web applications.
- Marketplace Certification: misrepresentation of branding or theft of legitimate branding.
- SMS Redirection, SMS Hijacking, SMS Exploit: an SMS message can be used to redirect a mobile web browser to a malicious website; call forwarding can be used fraudulently to bypass authentication.
- Vendor Breach: compromise of a vendor's infrastructure (including carriers) could result in the loss of confidential information.

15 Major Mobile Risks, continued (Source: OWASP Mobile Security Project)
- Transport/Protocol Gaps: a weakness in the network or transport layer could allow eavesdropping or takeover.
- User Device Control: the mobile device could be lost, stolen, or inappropriately borrowed or misused.
- Platform Specific Attacks: utilization of known platform-specific weaknesses.
- Device Specific Attacks: utilization of known device-specific weaknesses.
- Rogue Applications: fake applications placed in application stores for download, usually trojanized copies of legitimate applications.
- Mobile Payment Fraud: lack of adequate monitoring, detection, or prevention.

16 Cryptography
- Store only what is absolutely necessary.
- Don't trust the device to protect that sensitive information.
- Where possible, have the application perform robust encryption itself, using industry-standard libraries.
- Don't rely on platform or "all device" encryption.

17 Transport
- Understand the architecture. It includes mobile carrier networks/operators, personal networks, and corporate networks.
- Encrypt end to end.

18 Backend Issues
- Understand the additional risks that mobile devices bring to existing architectures.
- Secure the backend APIs just as you would for web services.
- Implement robust session handling.

19 Other
- Give users the ability to educate themselves and take a role in their own security/safety. Just don't trust them to make the right decisions.
- Build security into the application at all layers of the SDLC.

20 PLATFORM CAPABILITIES
- Apple iOS
- Google Android
- Blackberry

21 General Platform Issues
- Robust, well-vetted platform encryption is still not common.
- Physical security; single-user security model. Assume the attacker has physical access.
- Removable media can't be trusted.
- Application isolation/sandboxing: the weak link?
- Jailbreaking adds an unknown to testing and security.
- App stores can act as a mechanism to validate basic coding practices. They aren't robust tests for security, and they also act as a means of distributing truly bad apps.
- Platforms teach users to intrinsically trust distribution channels.
- Small displays make it difficult to inform users of choices and provide warnings, which makes for easier phishing targets.

22 Apple iOS
Security Model
- Very similar to Mac OS X; based on TrustedBSD.
- Uses Mandatory Access Control to restrict the capabilities of applications.
- Implements a method for sandboxing applications.
Permissions/Access Control
- Each application is given free access to its own file system resources.
- Any elevated privilege or access to specific APIs prompts the user to allow or deny at time of use.
Storage
- SQL database: flat-file databases where data can be accessed with conventional SQL queries.
- Keychain storage: for securely storing small amounts of data (passwords, cookies, short text strings).
- File system: similar to a home directory for each application.
Development
- Applications are developed in Objective-C, bundled with an entitlements and preferences file, and code signed by an Apple-issued certificate.

23 Google Android
Security Model
- Based on Linux user and file permissions. Each process is tied to a user id.
- Applications run isolated in their own virtual machine.
Permissions/Access Control
- Free for harmless interactions with the operating system.
- For all other interactions the developer has to specify what permissions are needed in a manifest file. The user approves these interactions when the application is installed.
Storage
- File system: similar to a home directory for each application.
- SQLite databases: flat-file databases where data can be accessed with conventional SQL queries.
Development
- Applications are developed in Java, compiled into Dalvik executables, bundled with the manifest files, and packaged into Android Package files.
- The package is signed using the developer's key pair and sent to Google Market.

24 Blackberry
Security Model
- Relies on a custom Java Virtual Machine to sandbox applications.
- Controls application access on a per-API level.
- Security enforcement is facilitated by signatures, Java verification, and class restrictions.
Permissions/Access Control
- Permissions are determined and assigned per application based on the signature and the policy specified by the user.
- Sensitive APIs may require the application to be signed before allowing access.
Storage
- Combined flash and external memory in a virtualized view; layout similar to a Unix-based operating system.
- Utilizes a pretty sophisticated content protection system that encrypts data when written to memory.
Development
- Applications are typically developed in Java.

25 Discussion
- Questions/Thoughts?
- Check out the OWASP Mobile Project.
- Contact Info: AJ Dexter, adexter@cigital.com; LinkedIn, Google+, Twitter
