A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:


Bring your own Risky Apps Michael Raggo - Kevin Watkins (BSides Las Vegas 2014) (Hacking Illustrated Series InfoSec Tutorial Videos)

Bring your own Risky Apps Michael Raggo - Kevin Watkins

BYOD is a cute and harmless-sounding acronym for a trend that is in reality introducing exponentially more risk to end-users and organizations. The common refrain is to seek out and secure your smartphones and tablets from malware and other malicious software which can wreck havoc on a device and completely ruin its integrity. However, BYOD is about more than just introducing hardware; it also brings the issue of BYOApps. Layers of protection covering both the device operating system as well as the apps running on it is required to have a comprehensive solution to combat this problem, which is actually deeper than it seems.
In this co-hosted 45 minute presentation, we will present several real-world case studies of:
- How easy it is to App side-jack to gain root (Jailbreak)
- How a popular app like Flappy Bird can be trojan-ized to defeat two factor authentication.
While the industry loves to talk about sexy malware exploit scenarios, few are exploring the risks that BYOD and BYOApps are introducing, by bringing apps that are hungry for user/private data into the workplace.
Does a flashlight app really need access to a corporate address book or calendar? Should a doc-signing app transmit passwords in clear-text? Should a productivity app have access to corporate email attachments and be able to store them to DropBox? As we scratch beneath the surface, the real security issue is deeper rooted in policy decisions that now must be made on which app behaviors should be allowed in an enterprise environment.
BYOD has really become BYOApps, bringing with it a new layer of complexity with risks outside of obvious issues like malware. Organizations must make policy decisions about behaviors in apps and look for ways to enforce customized policy. A new approach defines the future of how mobile threats will need to be addressed in an automated and scalable way.

Bio: Domingo was born and raised in Monterrey, Mexico, and moved to the United States at age 18 to pursue his passion for technology. Domingo is a weekly contributor to the Appthority App Security blog and authors Appthority's semiannual App Risk Management Report, which exposes the security risks of iOS and Android's most popular apps. Domingo has Product Design, Development, and Operations experience across multiple industries, having released products and secured patents in the Semiconductor, Robotics, Datacenter, and Mobile Security industries.
Domingo holds a BS from The University of Texas at Austin, an MS from Stanford University, and an MBA from Santa Clara University.
Michael T. Raggo (CISSP, NSA-IAM, CCSI, ACE, CSI), Security Evangelist, MobileIron, Inc. applies over 20 years of security technology experience and evangelism to the technical delivery of Mobile Security Solutions. Mr. Raggo’s technology experience includes mobile device security, penetration testing, wireless security assessments, compliance assessments, incident response and forensics, security research, and is a former security trainer. In addition, Mr. Raggo conducts ongoing independent research on various Data Hiding techniques including steganography, as well as Wireless and Mobile Device attack and countermeasure techniques. His publications include books for Syngress titled “Data Hiding” and McGraw Hill as a contributing author for “Information Security the Complete Reference 2nd Edition”, as well as multiple magazine and online articles. He is also a participating member of the PCI Mobile Task Force. Mr. Raggo has presented on various security topics at numerous conferences around the world (BlackHat, DefCon, SANS, Gartner, DoD Cyber Crime, OWASP, InfoSec, etc.) and has even briefed the Pentagon and FBI.

Back to BSides Las Vegas 2014 video list

Printable version of this article

15 most recent posts on Irongeek.com:

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast