Yury Chemerkin

Security Expert at JSC Advanced Monitoring

Yury Chemerkin has ten years of experience in information security. He is multi-skilled security expert on security & compliance and mainly focused on privacy and leakage showdown. Key activity fields are EMM and Mobile Computing, IAM, Cloud Computing, Forensics & Compliance. He published many papers on mobile and cloud security, regularly appears at conferences such as CyberCrimeForum, HackerHalted, DefCamp, NullCon, OWASP, CONFidence, Hacktivity, Hackfest, DeepSec Intelligence, HackMiami, NotaCon, BalcCon, Intelligence Sec, InfoSec NetSysAdmins, etc.

The rise of security assistants over security audit services

Mobile applications have not only become daily things of our lives, but they have also become a part of XXI culture. Corporate IT and security professionals have same needs with typical customers who manage personal information only. To understand a security, users should keep in mind what happens with their OS, applications, and its data and divide risks into vulnerability and privacy group. The first group refers to actions that break either application or OS. It usually designed to rare involve any user actions to break security mechanisms and get access to user data. The second group refers to privacy issues and describes cases when data stored or transmitted insecurely.

Developers ignore the data protection until they faced something or someone who makes them implement a protection, as it should be designed. Developer’s privacy policies describe how much every developer cares about data, protect everything and assure users his app provides 100% guarantees. Many security companies develop their risky applications to show customers how much good their data protected. They use (or develop their own) automatic scanners to analyze application code and provide an auto-generated report. Anyway, no one of them can clearly say what data items protected and how bad that protection is. In other words, should user worry about non-protected HTTP connection if he does not know what data transferred over it? The downloading news might be acceptable; transmitting device information, geolocation data and credentials over the network in plaintext is not acceptable. Same to out-of-date OS. Is previous version so bad to worry to rush into an update or not? How was many user data items consumed by 3rd party services like Google/Flurry analytics? The last question is usually how much money user data does worth? The cheapest software costs less than $50; the average one does in 10 times more and forensics software costs over thousand dollars up to $20,000 that gives access to thousand devices and million data items. The saddest part of this story is ‘Speed-to-market’ idea that helps them to grab data from thousand applications improperly protected, especially, if customers use same data among more than one applications and have at least one bad protected the application. More same data shared between applications and more applications you use, the higher risk of data leakage customers obtains eventually.

A new set of security challenges has been already raised. To answer this, we have been examining many applications to have the opportunity make results widely useful and available for IT and security professionals as well as non-technical customers to stay informed about app insecurity. The goal is integrating and introducing security, data privacy compliance to mobile application development and management. It helps to educate customers with useful security & privacy behavior mindset. Spreading information in different ways such as bulletins, EMM integrated monitoring service, or simple reports is a way to solve insecurity issues and help to reduce risks when using mobile applications.

Attendee Takeaways
1) Audience is security experts, developers and non-experienced users
2) Optional solution for community to help in keeping knowledge databases up-to-date on improper protection techniques
3) It’s also in-depth analysis of the simplest & cheapest attacks of mobile and cross-platform apps

We are going to present results over 500 applications, and 20k data types examined like credentials, chats, payment info, etc. We offer a solution and a way to contribute to the security community, independent researchers and developers on an important problem. Finally, we share a cutting-edge knowledge free 😉
Plus, a security awareness application will be available for guests as a demo

Presentation @DefCamp 2017