W1 Track Session 4/20/2016 10:00 AM "Usability vs. Security: Find the Right Balance in Mobile Apps" Presented by: Levent Gurses Movel Brought to you by: 340 Corporate Way, Suite 300, Orange Park, FL 32073 888-268-8770 ∙ 904-278-0524 ∙ [email protected]∙ www.techwell.com
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
W1 Track Session 4/20/2016 10:00 AM
"Usability vs. Security: Find the Right Balance in Mobile Apps"
Presented by:
Levent Gurses Movel
Brought to you by:
340 Corporate Way, Suite 300, Orange Park, FL 32073 888-268-8770 ∙ 904-278-0524 ∙ [email protected] ∙ www.techwell.com
Levent Gurses Movel A developer, hacker, speaker, community organizer, and entrepreneur, Levent Gurses is president of Movel, a Washington DC area-based mobile app design and development company. Levent’s areas of expertise include mobile development, mobile and cloud security, wearables and Internet of Things (IoT), mobile user experience, maximizing the value of existing assets for hybrid and mobile-first apps, startups and strategies for building minimum viable products, mobile monetization, and enterprise mobility. Actively engaged in mobile and full-stack development communities, Levent frequently speaks on mobile strategy, user experience, and security at conferences, meetup groups, and user communities and associations.
Levent Gurses, Movel@gursesl
Mobile Dev + Test2016
● The big idea● Users will use, hackers will hack● User experience● Mobile security● Wearables and IoT - usability vs. security● Solution
○ The art○ The science
● Usability and security do not have to compete● Good usability can improve security● What’s needed is more thought and better tools
Most passwords are not strong enough: users tend to choose meaningful, natural language words that they can remember
However, overzealous password rules can be annoying.
Password for the DHS E-file:● Contain from 8 to 16 characters● Contain at least 2 of the following 3 characters: uppercase alphabetic, lowercase
alphabetic, numeric● Contain at least 1 special character (e.g., @, #, $, %, & *, +, =)● Begin and end with an alphabetic character● Not contain spaces● Not contain all or part of your UserID● Not use 2 identical characters consecutively● Not be a recently used password
● Better user engagement● More secure apps● Better reviews in the app store, which leads to
○ Increased sales in the app store○ Brand value
● Better compliance● Solid user and community growth
A threat model focuses on the intersection of likely attack vectors with the points of human interaction. The resulting area provides the surface to what needs to be monitored for user behavior and assessed for vulnerabilities.
● User engagement - before & after sign up● Drops in sign ups● Password/PIN issues● Forgot my password● Response times to auth● Usage of biometric devices
● Create UX metrics - e.g. sign up dropout rate● Create A/B split tests● Use app analytics to monitor user behavior● Discover the balance point between security and usability
● Usability and security can coexist
● True security is an outcome of great user experience