Bring your own Risky Apps

Presented at BSidesLV 2014, Aug. 6, 2014, 11 a.m. (60 minutes)

BYOD is a cute and harmless-sounding acronym for a trend that is in reality introducing exponentially more risk to end-users and organizations. The common refrain is to seek out and secure your smartphones and tablets from malware and other malicious software which can wreak havoc on a device and completely ruin its integrity. However, BYOD is about more than just introducing hardware; it also brings the issue of BYOApps. Layers of protection covering both the device operating system and the apps running on it are required to have a comprehensive solution to combat this problem, which is actually deeper than it seems.

In this co-hosted 45-minute presentation, we will present several real-world case studies of:

  • How easy it is to App side-jack to gain root (Jailbreak)
  • How a popular app like Flappy Bird can be trojanized to defeat two-factor authentication

While the industry loves to talk about sexy malware exploit scenarios, few are exploring the risks that BYOD and BYOApps are introducing, by bringing apps that are hungry for user/private data into the workplace. Does a flashlight app really need access to a corporate address book or calendar? Should a doc-signing app transmit passwords in cleartext? Should a productivity app have access to corporate email attachments and be able to store them to Dropbox?

As we scratch beneath the surface, the real security issue is deeper rooted in policy decisions that now must be made on which app behaviors should be allowed in an enterprise environment. BYOD has really become BYOApps, bringing with it a new layer of complexity with risks outside of obvious issues like malware. Organizations must make policy decisions about behaviors in apps and look for ways to enforce customized policy. A new approach defines the future of how mobile threats will need to be addressed in an automated and scalable way.

Presenters:

  • Michael Raggo - Director, Security Research - MobileIron, Inc.
    Michael T. Raggo, Director of Security Research, MobileIron, Inc. has over 20 years of security research experience. His current focus is threats and countermeasures for the mobile enterprise. Michael is the author of "Mobile Data Loss: Threats & Countermeasures" and "Data Hiding" for Syngress. A former security trainer, Michael has briefed the FBI and Pentagon, is a participating member of the PCI Mobile Task Force, and is a frequent presenter at security conferences, including Black Hat, DEF CON, DoD Cyber Crime, OWASP, and SANS.
  • Domingo Guerra - President & Founder - Appthority
    Domingo Guerra is the President and Co-founder of Appthority. Domingo was born and raised in Monterrey, Mexico, and moved to the United States at age 18 to pursue his passion for technology. Domingo is a weekly contributor to the Appthority App Security blog and authors Appthority's semiannual App Risk Management Report, which exposes the security risks of iOS and Android's most popular apps. Domingo has Product Design, Development, and Operations experience across multiple industries, having released products and secured patents in the Semiconductor, Robotics, Datacenter, and Mobile Security industries. Domingo holds a BS from The University of Texas at Austin, an MS from Stanford University, and an MBA from Santa Clara University.
