
Ted Eull

VP of Risk and Privacy at NowSecure

Ted directs company risk, privacy, and security initiatives to ensure success of the growing company and NowSecure mobile security platform.

Card Forum and Expo – Ensuring Security on Mobile Devices – May 2012

The following presentation was delivered by Ted Eull at the 24th Annual Card Forum and Expo in Orlando, FL on May 11, 2012. For more information about the UK Channel 4 News Special regarding contactless credit cards, please visit the following blog entry.

Slide List

Ensuring Security on Mobile Devices: It is possible… right?


- About viaForensics
- Why mobile security matters
- Types of security breaches and fraud
- Anticipated evolution of attacks
- Common mistakes that developers make
- How to anticipate and prevent security flaws
- Conclusion

About viaForensics

- I'm not Andrew Hoog
- Mobile security and forensics researchers
- Key tech leaders: Hoog, Cannon, Zdziarski
- Books, trainings, research papers, news, congressional staff briefing
- Key products and services: appSecure, liveForensics, AFLogical, viaExtract, and Santoku

Why Mobile Device Security Matters

- Necessity of security: a given
- Importance and growth of mobile
  • Fed study: 20% used mobile banking in 2011; up to 30% will use mobile banking by 2013 (source)

Why Mobile Device Security Matters

- Problems in mobile security to date
  • Rapid growth with little security
  • Trojan/malicious apps, phishing/smishing
  • Perception: many consumers unsure
- Potential for much greater harm
  • Worm or one-click exploit, widespread infection
  • Rapidly increasing adoption plus platforms in flux
  • Potential for pervasive, undetected theft of data

Near-field Data Heist

- Contactless credit cards: the problem
- Stories from Channel 4, BBC Watchdog
- Card info used to make purchases from Amazon UK
- Not a new problem, but mobile devices make it easy to exploit
- Illustrates how ease of use can introduce security risk

Google Wallet Problems

- Google Wallet leverages NFC on some devices
- Connects to credit and prepaid cards
- Leverages the "secure element" on the device
- Significant growing pains so far:
  • viaForensics found excess private data stored
  • Zvelo cracked the user PIN
  • Thesmartphonechamp found a prepaid card problem
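The PIN-cracking item above deserves a worked illustration. The example below is added here by the editor and is not part of the original slides or of any viaForensics tool. The scheme it models (a salted SHA-256 or PBKDF2 digest of a four-digit PIN sitting in a file on the device) is an assumed one chosen for illustration, not a description of Google Wallet's implementation; the PIN, salt and iteration count are constructed demo values. The point it makes: once the digest is in a file the attacker can copy off a rooted device, no choice of hash protects a 10,000-candidate search space, so the check has to live where the attacker cannot copy it and has to lock out after a few failures.

```python
import hashlib
import hmac
import os
import time

# Constructed demo values. In the real attack the digest and salt are read
# from a database file copied off a rooted or jailbroken device.
DEMO_PIN = "4132"
DEMO_SALT = bytes.fromhex("1f7a9c0b3d5e2a44f6e8c1b2a3d4e5f6")  # constructed, not a real value
STRETCH_ITERATIONS = 200  # kept small so the demo runs in seconds


def pin_digest(pin: str, salt: bytes, iterations: int = 1) -> bytes:
    """Salted digest of a PIN. iterations=1 is plain salted SHA-256; larger
    values use PBKDF2-HMAC-SHA256 key stretching. Both are assumed schemes
    for illustration, not the scheme any real wallet used."""
    if iterations <= 1:
        return hashlib.sha256(salt + pin.encode()).digest()
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)


def crack_offline(target: bytes, salt: bytes, iterations: int = 1, digits: int = 4):
    """Exhaustive offline search over every numeric PIN of the given length.
    Nothing rate-limits the attacker: the digest is a file in their hands.
    Returns (pin, number_of_guesses), or (None, 10**digits) if nothing matched."""
    for attempts, n in enumerate(range(10 ** digits), start=1):
        candidate = f"{n:0{digits}d}"
        if pin_digest(candidate, salt, iterations) == target:
            return candidate, attempts
    return None, 10 ** digits


class LockoutVerifier:
    """Stand-in for a verifier the attacker cannot copy, such as a server or
    a secure element: it holds the digest and locks after max_failures."""

    def __init__(self, pin: str, max_failures: int = 5):
        self._salt = os.urandom(16)
        self._digest = pin_digest(pin, self._salt, STRETCH_ITERATIONS)
        self._failures = 0
        self.max_failures = max_failures

    def verify(self, guess: str) -> bool:
        if self._failures >= self.max_failures:
            raise PermissionError("PIN locked after too many failed attempts")
        if hmac.compare_digest(pin_digest(guess, self._salt, STRETCH_ITERATIONS), self._digest):
            self._failures = 0
            return True
        self._failures += 1
        return False


def crack_online(verifier: LockoutVerifier, digits: int = 4):
    """The same exhaustive search against the rate-limited verifier.
    Returns the PIN if found, or None once the verifier locks out."""
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        try:
            if verifier.verify(candidate):
                return candidate
        except PermissionError:
            return None
    return None


if __name__ == "__main__":
    for iters, label in ((1, "salted SHA-256"), (STRETCH_ITERATIONS, f"PBKDF2 x{STRETCH_ITERATIONS}")):
        digest = pin_digest(DEMO_PIN, DEMO_SALT, iters)
        t0 = time.perf_counter()
        pin, guesses = crack_offline(digest, DEMO_SALT, iters)
        print(f"{label}: recovered {pin} after {guesses} guesses in {time.perf_counter() - t0:.2f}s")
    print("rate-limited verifier:", crack_online(LockoutVerifier(DEMO_PIN)))
```

Key stretching only multiplies the attacker's cost by the iteration count; with four digits the whole search still finishes in seconds on a laptop, which is why the slide's "secure element" matters: the PIN check belongs in hardware or on a server that enforces a lockout, not in a digest the app writes to its own storage.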

Mobiles as a Target of Attack

- Mobile is different
  • NAND memory
  • New mobile OSes, frequent updates
  • Traverse more networks, install more apps
- Mobile devices are a target
  • Rich target handling banking, email, GPS, PII, PHI
  • Both personal and corporate data
  • Highly connected and can store large datasets
  • Security standards and tools still emerging

Anatomy of a Mobile Attack: Categories of Cyber Attacks and Types of Breaches

- Lost or stolen device
- Phishing/smishing
- Clickjacking
- Trojan or malicious apps
- Man-in-the-middle
- Man-in-the-mobile
- Worm

Security Breach Accounting

- 2012 Data Breach Investigations Report (DBIR) from Verizon, produced with the U.S. Secret Service and foreign law enforcement

Evolution of Attacks

- Platforms have been compromised repeatedly
- The quantity and value of information stored and transacted on mobiles is rapidly increasing
- Attacks follow the money
- Experts anticipate growth in both broad and targeted attacks on mobile

Reality Check

- It's about the DATA
  • Most data is handled by apps
  • Ergo, it's about the APPS
- App security is mobile security
- Don't we trust device passcodes and encryption? No.

Device Security?

- viaForensics' Mobile Security Risk Report
- First line of defense
  • Complex passcodes
  • Keychain data protection
  • Remote wipe
- But secure sensitive data at the app level, and assume a hostile environment
- Do not rely solely on platform security

Apps: Common Problems

- Authentication: authentication bypass, lack of multi-factor, session state vulnerabilities
- Insecure data on device: caching, logging, data stored without encryption, improper encryption, iOS keychain
- Network issues: improper SSL or storage encryption, MITM vulnerability, SSLstrip
- Service/server vulnerability: brute-force susceptible, server resource exposure, lack of server-side validation
- Code vulnerabilities: reverse engineering, debugging

Widespread iOS Infection Demo

- Demonstrates risk to apps on the iOS platform
  • Discovered by Jonathan Zdziarski
  • Not an infection vector; rather, once on a device it steals important data from many apps
  • iOS Foundation classes hijacked
  • Most apps' sensitive data vulnerable
- One attack could steal credentials and more
- Potential for pervasive data theft across apps

Secure Mobile App Development

- Yes, there is such a thing
- Takes more time, skill and money than the alternative
- Focus on security before, during and after development
  • Education is key
  • Testing is key


- Integrate security from the design phase
- Maintain traditional security controls
- Attack your apps
  • Test like a black hat
  • Test after updates (platform, app)
  • Use the latest mobile techniques and tools

Anticipate and Prevent

- Anticipate attacks
  • Expect your app to be reverse engineered
  • Expect your back-end services to be attacked
  • Expect your users to be targeted and their devices compromised
- Prevent damage
  • Prevent your data from being exposed
  • Prevent your app from being compromised
  • Prevent attackers from gaining elevated access

Education Resources

- Secure mobile development resources are increasing
- Industry technical training
  • viaForensics/CompTIA certification
  • OWASP resources
- Mobile security books
  • Zdziarski, Hoog, others

Secure Mobile Dev: 42+ Best Practices

- FREE report, including:
  • Avoid insecure data caching
  • Avoid simple logic
  • Be aware of the keyboard cache
  • Properly validate SSL/TLS
  • iOS-specific issues
  • Android-specific issues
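The "Apps: Common Problems" slide and the best-practice headings above are what a reviewer hunts for when "testing like a black hat" against decompiled or source code. The scanner below is an added example written by the editor, not viaForensics' appSecure or any tool from the report: the API names it matches (Android Log, MODE_WORLD_READABLE, ALLOW_ALL_HOSTNAME_VERIFIER, an empty checkServerTrusted, iOS NSLog, the private AllowsAnyHTTPSCertificate API, kSecAttrAccessibleAlways, UITextAutocorrectionTypeNo) are real, but the rule set is an assumed, illustrative one, and the sample sources are constructed to contain those mistakes. It shows both kinds of check the list implies: presence of a dangerous call, and absence of a required control (a text field that never disables autocorrection, leaving card numbers in the keyboard cache).

```python
import re
from typing import Dict, List

# Each rule: (id, regex, what a reviewer should check). Identifiers are real
# Android / iOS API names; the rule set itself is assumed and illustrative.
PRESENCE_RULES = [
    ("insecure-logging", r"\b(?:Log\.[dviwe]|NSLog)\s*\(",
     "log call: confirm no credentials, card data or PII reach the system log"),
    ("world-readable-storage", r"\bMODE_WORLD_(?:READABLE|WRITEABLE)\b",
     "file or preferences readable by every app on the device"),
    ("external-storage", r"\bgetExternalStorageDirectory\s*\(",
     "SD card storage is unencrypted and readable by other apps"),
    ("hostname-verification-off", r"\bALLOW_ALL_HOSTNAME_VERIFIER\b",
     "TLS hostname check disabled: trivial man-in-the-middle"),
    ("trust-all-certs", r"\bcheckServerTrusted\s*\([^)]*\)\s*\{\s*\}",
     "empty TrustManager accepts any certificate"),
    ("any-https-cert", r"AllowsAnyHTTPSCertificate",
     "private NSURLRequest API that skips certificate validation"),
    ("keychain-always", r"\bkSecAttrAccessibleAlways\b",
     "keychain item readable even when the device is locked"),
]

# Absence rule: a file that creates a UITextField but never disables
# autocorrection leaves whatever was typed in the iOS keyboard cache.
ABSENCE_RULES = [
    ("keyboard-cache", r"\bUITextField\b", r"\bUITextAutocorrectionTypeNo\b",
     "UITextField without autocorrectionType = UITextAutocorrectionTypeNo"),
]


def scan(source: str, filename: str) -> List[Dict[str, object]]:
    """Return one finding per rule hit: {file, line, rule, note, text}.
    Absence findings carry line 0 because they apply to the whole file."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for rule_id, pattern, note in PRESENCE_RULES:
            if re.search(pattern, text):
                findings.append({"file": filename, "line": lineno, "rule": rule_id,
                                 "note": note, "text": text.strip()})
    for rule_id, trigger, control, note in ABSENCE_RULES:
        if re.search(trigger, source) and not re.search(control, source):
            findings.append({"file": filename, "line": 0, "rule": rule_id,
                             "note": note, "text": ""})
    return findings


def rule_ids(findings: List[Dict[str, object]]) -> List[str]:
    """Sorted, de-duplicated rule ids, handy for summaries and tests."""
    return sorted({str(f["rule"]) for f in findings})


# Constructed sample sources containing the mistakes the slides list;
# not code from any real app.
SAMPLE_JAVA = """\
public class LoginActivity extends Activity {
    void onLogin(String user, String pass) {
        Log.d("Login", "user=" + user + " password=" + pass);
        SharedPreferences p = getSharedPreferences("auth", MODE_WORLD_READABLE);
        p.edit().putString("password", pass).commit();
        HostnameVerifier hv = SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;
    }
}
"""

SAMPLE_OBJC = """\
- (void)viewDidLoad {
    UITextField *cardField = [[UITextField alloc] init];
    NSLog(@"card number %@", cardField.text);
    [NSURLRequest setAllowsAnyHTTPSCertificate:YES forHost:host];
}
"""

SAMPLE_OBJC_FIXED = """\
- (void)viewDidLoad {
    UITextField *cardField = [[UITextField alloc] init];
    cardField.autocorrectionType = UITextAutocorrectionTypeNo;
    cardField.secureTextEntry = YES;
}
"""

if __name__ == "__main__":
    for name, src in (("LoginActivity.java", SAMPLE_JAVA), ("CardViewController.m", SAMPLE_OBJC),
                      ("CardViewController_fixed.m", SAMPLE_OBJC_FIXED)):
        for f in scan(src, name):
            print(f"{f['file']}:{f['line']} [{f['rule']}] {f['note']}  {f['text']}")
```

Grep-style rules like these are a first pass, not a verdict: a Log.d hit still needs a human to confirm what is being logged, and the absence rule fires per file, so a control set elsewhere produces a false positive. The value is that the pass is cheap enough to rerun after every platform or app update, which is the slide's "test after updates" point.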

Testing Resources

- Internal
  • Train existing security engineers
  • Santoku Linux Project
- External
  • Specialized mobile app security assessment
  • viaForensics appSecure
  • Find mobile expertise
- Expert, red team mobile assessment

Back to that Fed Study

Consumers’ perception that mobile banking and mobile payments are insecure is currently one of the primary impediments to adoption. If consumers’ perception of security issues changes—whether due to actual or perceived improvements—adoption rates may significantly increase.


- There is great benefit in mobile for enterprises and consumers, but
  • Mobile attacks are likely to increase
  • Mobile security has been bumpy
  • Consumer trust in mobile security is not strong
- Secure mobile development is key
  • Education and testing
  • Anticipate and prevent
  • Raise the standard and assure consumers