
Securing Mobile Data at the Application Layer

Friday, October 21, 2011 at 4:23pm by Steven Fox

Most mobile device applications have serious security vulnerabilities.  These flaws include the storage and transmission of unencrypted data, poor session handling, and data leakage.  McAfee addresses many of the management and compliance challenges through its Mobile Security Strategy.

The Open Web Application Security Project (OWASP) Mobile Security Project focuses on the security of the applications that enrich the mobile device user experience.  According to its contributors, it “is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications.”

Following the theme of the OWASP Top 10 web application risks, the project focuses on the top ten mobile risks. This series will launch with a discussion of risk number one – Insecure Data Storage. The controls recommended to mitigate this risk cover encryption, data classification, session management, and data leakage. Gartner's analysis of upcoming mobile application trends, which include financial services, location-based services, and mobile health monitoring, highlights the need for a rigorous Secure Software Development Lifecycle (SSDLC).

Data Classification

OWASP recommends that processing, storage and transmission of data should be consistent with its classification.  Developers should consider data sensitivity when creating data models from which information will be queried and processed.  They should also communicate with business stakeholders to identify the stages where data classification changes.  The University of Florida has composed a mobile device data classification policy covering OWASP’s recommendations.

Access Control

The increased usage of mobile devices to access financial content, such as online banking and credit card management sites, makes a compelling case for strong access controls.  According to a study performed by Stephen Perlson and Reinhardt Botha, there are three key security services that developers should address.

- Authentication – the application must confirm the claimed identity.

- Confidentiality – the application does not disclose information erroneously.  OWASP advises that applications be programmed to collect and disclose only the data that is required for business use.

- Integrity – the application attempts to mitigate the risk of data corruption.

Encryption

Consider the data exposed to the applications on your smartphone: information on your contacts, credentials to email accounts, and possibly credentials to financial sites, just to name a few. A survey of 100 consumer mobile applications conducted by ViaForensics found that 76% of apps stored unencrypted user credentials. The survey also found that private data could be recovered from 60% of these applications. The risk of credential sniffing or session hijacking is increased for those users who retain active sessions with a website.

OWASP recommends that data stored on or transmitted from the mobile device be encrypted. The choice of encryption solution will vary depending on the enterprise requirements. In any case, developers should design code that does not store or cache sensitive data unencrypted. All sensitive data should be transmitted to a server via a secure network connection and then deleted from the mobile device. If network connectivity is unavailable, sensitive data should be stored in an encrypted form until it can be sent.

Data Purging 

Data retention is not only a concern for data handled outside of software applications; it applies within them as well. OWASP warns that applications that retain data beyond the period required for processing increase the chance of data leakage. It advises developers to destroy sensitive data, such as GPS coordinates or financial data, once an application has used it. Additionally, all data that exceeds a specified retention period should be deleted.
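The Encryption and Data Purging recommendations above, as an added example that is not from the original post or from OWASP: a small on-device store that keeps every record AES-256-GCM encrypted and refuses (and deletes) it once its retention period has elapsed. The Store, entry, NewStore, Put and Get names are assumptions made for this illustration; the caller supplies the clock so the expiry behaviour is testable.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// Store keeps sensitive app data encrypted at rest (AES-256-GCM) and purges each record at its retention deadline.
type Store struct {
	aead    cipher.AEAD
	records map[string]entry
}
type entry struct {
	nonce, ct []byte
	expires   time.Time
}
// NewStore takes a 32-byte key; a real app would load it from the platform keystore, never embed it.
func NewStore(key []byte) (*Store, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return &Store{aead: aead, records: map[string]entry{}}, nil
}
// Put encrypts under a fresh random nonce, binding the record name as associated data
// so a ciphertext cannot be moved under another name; ttl is the retention period.
func (s *Store) Put(name string, plaintext []byte, ttl time.Duration, now time.Time) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := s.aead.Seal(nil, nonce, plaintext, []byte(name))
	s.records[name] = entry{nonce, ct, now.Add(ttl)}
	return nil
}
// Get decrypts a record, or deletes it and fails once its retention deadline has passed.
func (s *Store) Get(name string, now time.Time) ([]byte, error) {
	e, ok := s.records[name]
	if ok && !now.Before(e.expires) {
		delete(s.records, name) // retention elapsed: purge rather than hand back
		return nil, errors.New("record expired and purged")
	}
	if !ok {
		return nil, errors.New("no such record")
	}
	return s.aead.Open(nil, e.nonce, e.ct, []byte(name))
}
```

Data that has been sent to the server and is no longer needed should be removed with a short retention period or an explicit delete rather than left to expire.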

The Kill Switch

According to a study by the Department of Health and Human Services, over 116 cases of mobile device loss or theft led to the exposure of at least 500 patient records between September 2009 and May 2011. This is but one case where applications lacked access to the common API that allows data to be deleted or the device to be disabled remotely. OWASP recommends that this API be accessible to all applications that store or process data on the device.

The next installment in this series will discuss the management of user credentials on mobile devices.  Some of the controls will include the use of authorization tokens and the limitations on SMS as a communication channel.  This installment will also cite the common tools used to exploit poorly secured mobile devices. 
