Is Mobile Application for you

You are a cyber threat analyst at a mobile applications company. Mobile applications and their security are on the technology roadmap for our organization. Of course, this means we need to be well informed about mobile application security management.

ACTION: prepare a report for senior management

Begin with the scenario as it might occur in the workplace. The goal is to convince senior managers that your proposals will benefit the company.

The report should give senior management a greater understanding of mobile application security and its implementation.

Your report should consist of the following sections:

Introduction

Mobile application architecture

Mobile data

Threat agent identification

Methods of attack

Possible controls – Discuss the controls to prevent attacks

Summary

The areas of concern include the mobile application structure, the data, identifying threat agents and methods of attack, and controls to prevent attacks. The threat model should be created with an outline or checklist of items that need to be documented, reviewed, and discussed when developing a mobile application.

In your role as a cyber threat analyst, senior management has asked you to identify how a particular mobile application of your choosing conforms to mobile architecture standards. You are asked to:

  1. Describe device-specific features used by the application, wireless transmission protocols, data transmission media, interaction with hardware components, and other applications.
  2. Identify the needs and requirements for application security, computing security, and device management and security.
  3. Describe the operational environment and use cases.
  4. Identify the operating system security and enclave/computing environment security concerns, if there are any.

This can be fictional or modeled after a real-world application.

Focus your discussion on the security threats, vulnerabilities, and mitigations of the above considerations.

Educate your management about mobile devices and mobile application security: mobile platform security, mobile protocols and security, mobile security vulnerabilities, and related technologies and their security.

Include the hardware and software needed to interoperate with mobile devices and mobile applications.

Include an overview of these topics in your report.

Include those that are relevant to your mobile application in your report to senior management. Address the following questions:

  1. What is the design of the architecture (network infrastructure, web services, trust boundaries, third-party APIs, etc.)?
  2. What are the common hardware components?
  3. What are the authentication specifics?
  4. What should or shouldn’t the app do?

You will include this information in your report.

Define what purpose the mobile app serves from a business perspective and what data the app will store, transmit, and receive. Include a data flow diagram showing exactly how data are handled and managed by the application.

Here are some questions to consider as you define your requirements:

  1. What is the business function of the app?
  2. What data does the application store/process (provide data flow diagram)?
    1. This diagram should outline network, device file system, and application data flows.
    2. How are data transmitted between third-party APIs and app(s)?
    3. Will there be remote access and connectivity? Read this resource about mobile VPN security, and include any of these security issues in your report.
    4. Are there different data-handling requirements between different mobile platforms? (iOS/Android/Blackberry/Windows/J2ME)
    5. Does the app use cloud storage APIs (e.g., Dropbox, Google Drive, iCloud, Lookout) for device data backups?
    6. Does personal data intermingle with corporate data?
    7. Is there specific business logic built into the app to process data?
  3. What does the data give you (or an attacker) access to? Think about data at rest and data in motion as they relate to your app.
    1. Do stored credentials provide authentication?
    2. Do stored keys allow attackers to break crypto functions (data integrity)?
  4. Are third-party data being stored and/or transmitted?
    1. What are the privacy requirements of user data? Consider, for example, a unique device identifier (UDID) or geolocation being transmitted to a third party.
    2. Are there user privacy-specific regulatory requirements to meet?
  5. How do other data on the device affect the app? Consider, for example, authentication credentials shared between apps.
  6. Compare between jailbroken (i.e., a device with hacked or bypassed digital rights software) and non-jailbroken devices.
    1. How do the differences affect app data? This can also relate to threat agent identification.
  7. Identify possible threats to the mobile application.
    1. Identify the threat agents.
  8. Outline the process for defining what threats apply to your mobile application.

Identify different methods an attacker can use to reach the data. These data can be sensitive information to the device or something sensitive to the app itself.

Provide senior management an understanding of the possible methods of attack of your app.

Discuss the controls to prevent attacks. Consider the following questions:

You will address only the areas that apply to the application you have chosen.

  • What are the controls to prevent an attack? Conduct independent research and then define these controls by platform (e.g., Apple iOS, Android, Windows Mobile, BlackBerry).
  • What are the controls to detect an attack? Define these controls by platform.
  • What are the controls to mitigate/minimize impact of an attack? Define these controls by platform.
  • What are the privacy controls (i.e., controls to protect users’ private information)? An example of this would be a security prompt for users to access an address book or geolocation.
  • Create a mapping of controls to each specific method of attack (defined in the previous step)
    • Create a level of assurance framework based on controls implemented. This would be subjective to a certain point, but it would be useful in guiding organizations that want to achieve a certain level of risk management based on the threats and vulnerabilities.

Compile all your findings and produce your Threat Model Report.

The report should include your findings and any recommendations for mitigating the threats found.

Grading Checklist

1. Threat Model Report: (Eight to 10 pages)

Describe Your Mobile Application Architecture

a) Describe device-specific features used by the application, wireless transmission protocols, data transmission media, interaction with hardware components, and other applications.

b) Identify the needs and requirements for application security, computing security, and device management and security.

c) Describe the operational environment and use cases.

d) Identify the operating system security and enclave/computing environment security concerns, if there are any.

Include an overview of topics such as mobile platform security, mobile protocols and security, mobile security vulnerabilities, and related technologies and their security, in your report.

Include the Mobile Application considerations that are relevant to your mobile application

What is the design of the architecture (network infrastructure, web services, trust boundaries, third-party APIs, etc.)?

What are the common hardware components?

What are the authentication specifics?

What should or shouldn’t the app do?

Define the Requirements for Your Mobile Application

What is the business function of the app?

What data does the application store/process (provide data flow diagram)?

The diagram outlines network, device file system, and application data flows

How are data transmitted between third-party APIs and app(s)?

Will there be remote access and connectivity? Read this resource about mobile VPN security, and include any of these security issues in your report.

Are there different data-handling requirements between different mobile platforms? (iOS/Android/Blackberry/Windows/J2ME)

Does the app use cloud storage APIs (e.g., Dropbox, Google Drive, iCloud, Lookout) for device data backups?

Is there specific business logic built into the app to process data?

What does the data give you (or an attacker) access to? Think about data at rest and data in motion as they relate to your app.

Do stored credentials provide authentication?

Do stored keys allow attackers to break crypto functions (data integrity)?

Are third-party data being stored and/or transmitted?

What are the privacy requirements of user data? Consider, for example, a unique device identifier (UDID) or geolocation being transmitted to a third party.

Are there user privacy-specific regulatory requirements to meet?

How do other data on the device affect the app? Consider, for example, authentication credentials shared between apps.

Compare between jailbroken (i.e., a device with hacked or bypassed digital rights software) and non-jailbroken devices.

How do the differences affect app data? This can also relate to threat agent identification.

Identify Threats and Threat Agents

Identify possible threats to the mobile application and threat agents

Outline the process for defining what threats apply to your mobile application

Does personal data intermingle with corporate data?

Identify Methods of Attack

Provide senior management an understanding of the possible methods of attack of your app.

Controls

What are the controls to prevent an attack? Conduct independent research, then define these controls by platform (e.g., Apple iOS, Android, Windows Mobile, BlackBerry).

What are the controls to detect an attack? Define these controls by platform.

What are the controls to mitigate/minimize impact of an attack? Define these controls by platform.

What are the privacy controls (i.e., controls to protect users’ private information)? An example of this would be a security prompt for users to access an address book or geolocation.