#mstrworld
Mobile App Security
Take Any Mobile App and Make It Secure
Ray Bennett
Microstrategy - Director, Mobile Service Line World, Las Vegas, 2015
#mstrworld
Agenda - State of the Art Mobile App Security
Introduction
- Mobile Security Concerns
- MicroStrategy’s 7 Pillars of Mobile App Security
MicroStrategy Security Model 1. Authentication 2. Device/Application 3. Data 4. Authorization 5. Operations 6. Platform
Mobile Device Management (MDM) Summary
#mstrworld
Introduction
#mstrworld
Mobile Security Concerns and Risks
Most Concerning - Lack of Control
Network Domain: More Control External Domain: Less Control Malware Rootkits Botnets Phishing Ransom-ware Intrusions
#mstrworld
Top Mobile Threats for 2015
According to McAfee Labs
#mstrworld
How Big a Problem is Mobile Malware?
Total mobile malware samples exceeded 5 million in Q3 2014, up by 16% in this quarter and 112% in the past year
#mstrworld
Increased exposure
The Expanding Mobile Device Ecosystem
•
Devices do not work in a vacuum
- Connect to one or more cloud-based services (enterprise
Exchange server, Gmail, MobileMe, iCloud, etc.), home or work PC, or all of above
•
When properly deployed, both platforms allow users to
simultaneously synchronize devices with private and enterprise
cloud services without risking data exposure
- However, there are several scenarios in which services may be
#mstrworld
Mobile Means More Exposure
Victims of our own success
Ever Expanding
Attack Surface
Cloud Internet of Things BYOD Bluetooth Users Device Types Integration Points Moving PartsMore >>
#mstrworld
What is Compromised and Needs Protecting?
•
Names, Telephone Numbers - Contact Information
•
Email Addresses
•
Text Messages
•
Notes
•
Browser history
•
Application Data (Financial Numbers, Forecasts)
•
Trade Secrets
#mstrworld
Microstrategy Mobile Secure Solution Preview
A Complete, Flexible, and Customizable Security Model
Firewall
Firewall
Mobile Server
Intelligence Server
Authentication - Multi-factor, via Touch ID, Passcode & Certificate
Application Security - Double encryption with app level passcode, online or offline
Authorization - Access managed dynamically based on profile and privileges
Device Security - Native hardware security including passcode, auto-lock, failed attempt limits
Data Protection - AES 256-bit encryption of data in transit and at rest
Platform Security - multi-tier architecture to ensure integrity of mobile computing / BI data
Operations – Engineered process and methodology that defines
how mobile technology is to be securely used
C ommu nica tio n - In fo rma tio n F lo w
#mstrworld
Mobile Security – Custom Models are a balancing act
A Mobile Security Model needs to be Customizable
1.
Authentication
2.
Device
3.
Application
4.
Data
5.
Authorization
6.
Operations
7.
Platform
Fully Open Unsecured Fully Lock Down Least Secure Most Secure#mstrworld
Tolerance to Risk vs. Corporate and User Needs
A Mobile Security Model Needs to be Flexible
Security
User Experience
Functionality
#mstrworld
Authentication
#mstrworld
Microstrategy Mobile - User Authentication
Device Level and Application Authentication
Mobile Server Authentication
• Device iOS Profile Logon
• Network Logon (if using VPN or Tunnel)
• Microstrategy Project Meta-Data Logon
1. Standard
2. Windows
3. LDAP
4. Database
• Account/Logon that Mobile Server Web Pool Runs Under:
1. Anonymous
2. Basic
#mstrworld
An added layer of authentication protection
Microstrategy App Passcode, as of 9.4.1, Update 3
Device level application security
•
Issues credential challenge on each entry
#mstrworld
First Entry into App – Create and Confirm password
Microstrategy App Passcode
#mstrworld
Microstrategy App Passcode
#mstrworld
Touch ID – New in 9.4.1, Update 5
Advanced Biometric Authentication Integration
Convenient
Split second access. Don’t have to remember an additional passcode. Unique to you;
impossible to forget.
5X stronger
According to Apple, there is 1 in 50K chance of registering a false fingerprint match versus 1 in 10K chance of guessing a 4-digit passcode
No guessing
Trying out 50,000 different fingerprints is an incredible logistical challenge.
Hack proof
Apple doesn’t store the fingerprint as an image; they store it as a mathematical representation that hackers can’t reverse engineer.
#mstrworld
Microstrategy Application Level
Touch ID
#mstrworld
Microstrategy Document Level
#mstrworld
Introducing - Microstrategy 9s
The world’s most sophisticated Analytics Platform. Now
including the world’s most simple, seamless and sophisticated
identity platform.
#mstrworld
The future of identification and authentication
What is Usher?
Protect Cyber Assets
Replace Physical Badges
Secure Facilities and Entryways
Monitor and Manage Activities Usher is a self-service, cloud-based
application that simplifies user authentication and delivers unprecedented system security.
#mstrworld
Bluetooth, QR Code
#mstrworld
Log into applications without entering password credentials
#mstrworld
See it for yourself with the Secure Analytics 9s Demo
#mstrworld
Microstrategy 9s with Usher
iPhone Application Access Demo
#mstrworld
Time and Geo-Fence Restrictions
Microstrategy 9s with Usher
User Does Not Satisfy Following Condition: Geolocation Time
#mstrworld
Builds on top of existing secure architecture and provides 3 factor authentication
#mstrworld
Microstrategy 9s
#mstrworld
#mstrworld
Single SignOn (SSO)
OOB Support
Seamless SSO Support for Authentication Providers
•
Tivoli
•
Siteminder
•
Oblix
•
Okta
Seamless SSO Support for Portal Server Applications
•
Microsoft Sharepoint
•
IBM Websphere
•
Oracle WebLogic
•
SAP Enterprise Portal
Also 3rd Party Identity Management Systems that support SAML (Security Assertion Markup Language)
#mstrworld
Single SignOn (SSO)
Basic Mechanism
Device side Application Supports:
HTML Forms Consumption
✓ Allows Custom Log-on Screen Work-flow
#mstrworld
Device/Application
#mstrworld
MicroStrategy Mobile Application Security
• Expira'on can be set to enforce MicroStrategy
user creden'als when opening the app
• User creden'als are stored encrypted on device.
• Applica'on data is encrypted on device.
• Caches can be cleared when exi'ng the
applica'on.
• Isola'on protects App data from other Apps.
• Apps are signed to ensure the App is authen'c.
• Run'me checks enforce App Security.
• Password required aEer 'meout or suspended
state (Confiden'al Project Mode)
• Single sign-‐on support.
• LDAP, Kerberos, NT Integra'on.
• Independent Third –Party Security Tes'ng
MicroStrategy Mobile Server MicroStrategy Intelligence Server Link Encryp'on User Authen'ca'on • Standard • LDAP • Database • NT
Web User Authen'ca'on Support for SSO
#mstrworld
Apple iOS
#mstrworld
Security Model
1. Security at the Operating System
level through the Linux kernel
2. Mandatory application sandbox
3. Secure inter-process
communication
4. Application signing
5. Application-defined and user
granted permissions
#mstrworld
Android and iOS devices - varying degrees
Security Models
•
Isolation
- Limits app’s ability to access sensitive data or systems on device
•
Permissions-based access control
- Grants set of permissions to each app and then limits each app to
accessing device data/systems within the scope of permissions
•
Traditional access control
- Protects devices by using techniques such as passwords and idle
time screen locking
•
Limited Hardware Access
- Apps can not directly access the underlying hardware
•
Data Encryption
#mstrworld
Apple’s iOS vs. Google’s Android
A General Summation
iOS – A locked-down platform
- Strict Controls on Device and Store
- Well designed and thus far, resistant to attack
- Rigorous certification model which vets the identity of
software authors and weeds out attackers
Android – Freedom with precaution
- Major improvement over traditional computing programs
- Less rigorous certification model which allows a more
open development environment
#mstrworld
Data
#mstrworld
Symmetric Cryptography/Encryption
Protects data at rest or in transit (i.e., AES (128, 192, 256))
#mstrworld
Asymmetric (Public Key) Cryptography/Encryption
Exchange symmetric keys, digital signing, x.509 certificate authentication
#mstrworld
Asymmetric Encryption – x.509 Certificates
Certificate Authority
•
Collects Applicant’s Money
•
Validates Applicant’s Identity
•
Issues Digital Certificate
•
Issues Private Key
•
Private Key
•
Version
•
Unique Serial Number
•
Certificate Signature Algorithm
•
CA Name
•
Validity Period
•
Subject Name
•
Public Key Algorithm
•
Subject Public Key
•
CA Signature
#mstrworld
Putting It All Together – Transport Layer Security (TLS). Also SSL
Asymme
tri
c
Symme
tri
c
Hello!
Hello Back!, Server sends Cert
Client Cert, Key Exchange, Verify
C
re
at
es
Se
ssi
on
Ke
y
U
se
s
Se
ssi
on
Ke
y
to
En
cryp
t
Trust Established
Encrypted Communication
#mstrworld
Authorization
#mstrworld
Mobile Administrator Utility
#mstrworld
#mstrworld
#mstrworld
Mobile Server Configuration – Admin Settings
#mstrworld
Mobile Server Configuration – Admin Settings
#mstrworld
Mobile Server Configuration – Admin Settings
#mstrworld
#mstrworld
#mstrworld
#mstrworld
#mstrworld
#mstrworld
Authorizing User Access to Secure Objects and Data
Information ‘Not-Sharing’ Northeast Southeast Central West Total East West Exec
#mstrworld
Authorizing User Access to Secure Objects and Data
East Region Users
Northeast Southeast
Total East
#mstrworld
Authorizing User Access to Secure Objects and Data
West Region Users
West Total West
#mstrworld
Authorizing User Access to Secure Objects and Data
CXO Executive User – No Viewing Restrictions
Northeast Southeast Central West Total Exec
#mstrworld
Authorizing User Access to Secure Objects and Data
Information ‘Not-Sharing’
East
West
#mstrworld
Authorizing User Access to Secure Objects and Data
Information ‘Not-Sharing’
East
West
#mstrworld
Row Level Security Filters
#mstrworld
Authorizing User Access to Secure Objects and Data
• Set of Users
• Can assign Privileges and ACLs
• Privileges Apply to All Projects
• Set of Privileges
• Can be assigned to Users and/or Groups
• Apply to Specified Projects
• ACLs can be Assigned to User Groups
• Iden'fied by a Unique Login and User Name
• Defined in the Metadata Repository
• Exists Across Mul'ple Projects
Users
User Groups
#mstrworld
Granting Access Permissions in Microstrategy
Privileges
•
Relates to a user’s ability to perform certain functions/tasks
such as Mobile, Exporting Data, Drilling, etc.
Object Permissions via ACL (Access Control List)
•
Provides user, group, role access/restriction on project
metadata objects
Security Filters (Could use System User Prompt)
•
Introduces column in database tables for user or group or role
#mstrworld
Operations
#mstrworld
Operational Security
Establish Security Policy
•
Passcode Required•
Passcode ComplexityProcedures for Reporting Lost/Stolen Device Device Management
•
Proactive Monitoring•
Response to lost/stolen device reportInformation Management
•
Policies for handling of sensitive data•
Sensitivity Reduction•
Information DeceptionEnsure proper placement and operation of WiFi Equipment
Situational Awareness - Keep users informed of the importance and
impact of their actions
#mstrworld
Platform
#mstrworld
Virtual Private Network (VPN)
#mstrworld
Virtual Private Network (VPN)
Secure Pin’s – Generates access credential based on coordinated algorithm processing
• Provides an extra layer of protection
• Results in extra user authentication step.
iPhone Passcode Generator Physical Tokens
#mstrworld
#mstrworld
HTTPS Encrypted Communication – (TLS, SSL)
#mstrworld
Recommended MicroStrategy Mobile Security Architecture
CRL Cer'ficate Revoca'on List MicroStrategy Cer'ficate Server MicroStrategy Mobile Server
MD
DWHX.509 Cer'ficate Request
HTTPS
(AES)
MicroStrategy Intelligence Server LDAP ServerFi
re
w
al
l
Fi
re
w
al
l
#mstrworld
#mstrworld
#mstrworld
Platform Network Security
• WEP (Wired Equivalent Privacy)
- Most common protocol
- Currently considered not secure
• WPA (WiFi Protected Access) or WPA2
- Used in commercial WiFi systems
- Extremely difficult to compromise
• Disable identifier broadcasting
#mstrworld
#mstrworld
Mobile Device Management (MDM)
#mstrworld
MDM
Benefits of an MDM Integration
•
Supports a variety of mobile devices (Phones, Tablets, Printers)
•
Provides centralized control to manage, monitor, and support mobile users
•
Supports BYOD models
•
Asserts control over user experience
•
Enforces specific levels of security policy across all mobile devices
•
Protects proprietary organizational information
•
Provides ‘On-Demand’ VPN (or other) access
•
Supports monitoring
#mstrworld
MDM Integration
Internal App Store Distribution
Xcode Distribution/Save/Archive
#mstrworld
MDM API Integration – Code Level App Wrapping
#mstrworld
Code Level App Wrapping
By Microstrategy v9.4.1.4 Registered on Sep 11, 2014
#mstrworld
MDM API Integration
Current/Planned Offerings
Exists for 9.4.1 (update 1, 2, 3, 4). Previously for 9.3.0
Currently available in Beta
Planned. In contract negotiation and test
#mstrworld
Summary
#mstrworld
Microstrategy – Low Vulnerability Mobile Security Model
Firewall
Firewall Mobile Server
Intelligence Server
Communications
•
Data in transit always encrypted (Symmetric and Asymmetric)
•
Network administration
#mstrworld
Microstrategy – Low Vulnerability Mobile Security Model
Firewall
Firewall Mobile Server
Intelligence Server
Emissions
•
Data in motion encrypted with WPA and WPA2
•
Disable Identifier Broadcasting
•
Maintain wireless emissions within
#mstrworld
Microstrategy – Low Vulnerability Mobile Security Model
Firewall Firewall Mobile Server Intelligence Server Device
•
iOS/Android Protections
•
Digital X-509 certificates
•
iOS Remote Wipe
•
Device Lock
#mstrworld
Microstrategy – Low Vulnerability Mobile Security Model
Firewall
Firewall Mobile Server
Intelligence Server
Application
•
Encrypt user credentials and app data
•
Clear credentials
•
Clear caches
•
Leverage iOS sandboxing
•
Digitally sign apps
•
Runtime checks
#mstrworld
Microstrategy – Low Vulnerability Mobile Security Model
Firewall
Firewall Mobile Server
Intelligence Server
Data
•
User and Group Authentication
•
Privileges
•
ACL’s
•
Security Roles
#mstrworld
Microstrategy – Low Vulnerability Mobile Security Model
Firewall
Firewall Mobile Server
Intelligence Server
Authentication
•
App passcode (Complexity, Expiration)
•
Touch ID
•
Microstrategy 9s (Usher Mobile Identity)
•
Digital Signing and Certificates (e.g.,
HTTPS)
•
VPN Tunneling
•
Auth Models (e.g., Windows NT, LDAP, Basic, etc.)
#mstrworld
Microstrategy – Low Vulnerability Mobile Security Model
Firewall Firewall Mobile Server Intelligence Server Operations
•
MDM
•
Device activation, user authentication, certificate enrollment
•
Configuration profiles, Restrict device features
•
Policy and restrictions enforcement
•
Asset management, theft and loss
prevention
#mstrworld
MSTR SDK (Extending OOTB Capabilities)
Application Device Side
•
Edit un-compiled Objective-C code via X-code
•
Potential customizations:
-
Rebranding
-
Springboard icon
-
Opening logo animation
-
Custom help
-
Custom Visualizations
Mobile Server Side
•
Java Task Framework (e.g., Mobile Logon Task)
#mstrworld
#mstrworld
For More Information
Mobile Security Whitepaper – Secure Mobile Computing and Business Intelligence on
Apple and Android Mobile Devices
http://www.microstrategy.com/Strategy/media/downloads/products/Whitepaper_Mobile-Security.pdf
MicroStrategy Product Manuals
• Administration Guide
• Mobile Administration and Design Guide
New Microstrategy Community - Mobile Discussion Forums and Knowledge Base
http://community.microstrategy.com
Microstrategy Apple App Store Download(s)
#mstrworld