Application vulnerabilities account for the largest portion of attack vectors outside of malware. It is crucial that Infopoint be assessed for vulnerabilities and any vulnerabilities be remediated prior to production deployment.
The purpose of this policy is to define application security assessments within Arrive Systems. Such assessments are performed to identify potential or realized weaknesses as a result of inadvertent misconfiguration, weak authentication, insufficient error handling, sensitive information leakage, etc. Discovery and subsequent mitigation of these issues will limit the attack surface of Arrive Systems Infopoint services available both internally and externally, as well as satisfy compliance with any relevant policies in place.
This document covers all application security assessments requested by any individual, group or department for the purposes of maintaining the security posture, compliance, risk management, and change control of technologies.
All application security assessments will be performed by delegated security personnel either employed or contracted by Arrive Systems. All findings are considered confidential and are to be distributed to persons on a “need to know” basis. Distribution of any findings outside of Arrive Systems is strictly prohibited unless approved by the Arrive Chief Digital Officer.
Any relationships within multi-tiered applications found during the scoping phase will be included in the assessment unless explicitly limited. Limitations and subsequent justification will be documented prior to the start of the assessment.
4.1 Infopoint is subject to security assessments based on the following criteria:
4.2 All security issues that are discovered during assessments must be mitigated based upon the following risk levels.
a) High – any high risk issue must be fixed immediately or other mitigation strategies must be put in place to limit exposure before deployment. Applications with high risk issues are subject to being taken off-line or denied release into the live environment.
b) Medium – medium risk issues should be reviewed to determine what is required to mitigate them and scheduled accordingly. Applications with medium risk issues may be taken off-line or denied release into the live environment, depending on the number of issues and whether multiple issues together raise the risk to an unacceptable level. Issues should be fixed in a patch/point release unless other mitigation strategies will limit exposure.
c) Low – issue should be reviewed to determine what is required to correct the issue and scheduled accordingly.
4.3 The following security assessment levels have been established by the internal Arrive Systems Testing Committee:
a) Full – a full assessment comprises tests for all known features of Infopoint and their vulnerabilities, using both automated and manual tools as identified. A full assessment uses manual penetration testing techniques to validate discovered vulnerabilities and determine the overall risk of everything discovered.
b) Targeted – a targeted assessment is performed to verify vulnerability remediation changes or new application functionality.
5. Security Compliance Considerations
The InfoPoint device has limited hardware features so that it does exactly what is required to run the InfoPoint application on the tablet as a room signage system, ensuring a secure and robust design. The following aspects are tested to ensure security from a hardware perspective:
a) No microphone
b) No camera
c) No sensors (e.g. accelerometer, GPS, or any other built-in Android device sensors)
d) Controlled connectivity to avoid security vulnerabilities:
i. No Bluetooth
ii. No Bluetooth Low Energy
iii. Device can only connect with the following interfaces:
e) Audio output through internal speakers only
f) All external buttons on the device are suppressed and not active, such as:
i. No power button
ii. No home button
iii. Volume button is present
g) No support for an SD card
h) No SIM card interface
i) All ports for external communication are disabled, except for ICMP.
InfoPoint runs on Android OS Version 4.4.4 (KitKat). The 4.4.4 version of the Android OS boasts industry-leading security features. This version pioneered the Message and Calendar consolidation. Moreover, this version of Android is the most apt for ‘locking’ the built-in Android features. As of April 2017, security vulnerabilities identified in Android 4.4.4 continue to have patches published by Google.
Similarly, the account credentials are not stored by the application but are handled by the OS directly, thereby reducing the risk of information retrieval through the website.
The following are the focus of major upgrades in the newer Android versions:

| Feature            | Relevance for Infopoint |
|--------------------|-------------------------|
| Battery Life       | Not relevant            |
| Torch display      | Not relevant            |
| Multi tasking      | Not relevant            |
| Guest user account | Not relevant            |
| Google Voice       | Not relevant            |
The following are additional points to consider regarding security compromises through the application:
• Account credentials storage – the account related information (Google or Microsoft) is not stored in the application and hence poses no threat in case the Infopoint application is compromised.
• Encrypted communication – communication to the Infopoint for Microsoft related product suites is through secured HTTPS protocol.
As of March 2017, the decision of the Chief Digital Officer of Arrive Systems stands: the Android version will not be upgraded, as the upgrade offers no advantage to the Infopoint application itself.
The InfoPoint application runs in a secured lock-down mode which ensures that all unwanted features of the tablet are suppressed. The Arrive team refers to Infopoint running on the Lockdown manager as ‘Kiosk Mode’. Kiosk Mode ensures:
1. Custom Launcher – the Android default launcher is disabled to ensure that only the admin will have access to InfoPoint and System Settings (for user access security measures)
2. Android Keys and home screen are locked:
a) Disabling back, home, recent app, power, volume buttons
b) Disabling home key
c) Tablet always remains on the Infopoint application
d) Disabling back key allows maximum control of user interface
e) Disabling menu key avoids access to app setting commonly available via menu keys
f) Hiding OS navigational buttons
g) Hiding all notifications and avoiding access to system or any other application settings.
If notification bar must be visible, Kiosk Mode can be disabled.
3. Android OS updates – all OS updates are disabled.
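The lockdown points listed above can be illustrated with a small Android 4.4 (API 19) Activity. The following is an added example written for this document; it is not Arrive Systems' Lockdown manager or Infopoint code, and the package name, class name and manifest fragment are hypothetical. It shows the parts of Kiosk Mode that can be enforced from the application itself: acting as the custom launcher, swallowing the back, menu, volume and app-switch keys, and hiding the navigation buttons and notification bar with immersive mode.

```java
// Added illustration (not Arrive Systems code) of an Android 4.4 kiosk Activity.
package com.example.kiosk; // hypothetical package name

import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.view.KeyEvent;
import android.view.View;
import android.view.WindowManager;

public class KioskActivity extends Activity {

    // Immersive sticky mode (API 19) hides the status bar, and with it the
    // notification shade, and the on-screen navigation buttons; a swipe only
    // reveals them transiently and they auto-hide again.
    private static final int UI_FLAGS =
            View.SYSTEM_UI_FLAG_LAYOUT_STABLE
            | View.SYSTEM_UI_FLAG_LAYOUT_HIDE_NAVIGATION
            | View.SYSTEM_UI_FLAG_LAYOUT_FULLSCREEN
            | View.SYSTEM_UI_FLAG_HIDE_NAVIGATION
            | View.SYSTEM_UI_FLAG_FULLSCREEN
            | View.SYSTEM_UI_FLAG_IMMERSIVE_STICKY;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Signage must never sleep; the physical power button is suppressed
        // on the device, so the application keeps the screen on itself.
        getWindow().addFlags(WindowManager.LayoutParams.FLAG_KEEP_SCREEN_ON);
        hideSystemUi();
        // setContentView(R.layout.signage); // signage layout, not shown here
    }

    private void hideSystemUi() {
        getWindow().getDecorView().setSystemUiVisibility(UI_FLAGS);
    }

    // Re-apply immersive mode whenever the window regains focus (for example
    // after a system dialog) so the navigation buttons do not stay visible.
    @Override
    public void onWindowFocusChanged(boolean hasFocus) {
        super.onWindowFocusChanged(hasFocus);
        if (hasFocus) hideSystemUi();
    }

    // Back key: do nothing, so the user cannot leave the signage screen.
    @Override
    public void onBackPressed() {
        // intentionally empty
    }

    // Menu, volume and app-switch keys: consume the events before the system
    // acts on them. The HOME key is never delivered to applications; it is
    // neutralised by registering this Activity as the HOME launcher instead
    // (see the manifest fragment below).
    @Override
    public boolean dispatchKeyEvent(KeyEvent event) {
        switch (event.getKeyCode()) {
            case KeyEvent.KEYCODE_MENU:
            case KeyEvent.KEYCODE_VOLUME_UP:
            case KeyEvent.KEYCODE_VOLUME_DOWN:
            case KeyEvent.KEYCODE_VOLUME_MUTE:
            case KeyEvent.KEYCODE_APP_SWITCH:
                return true; // consumed; no default handling
            default:
                return super.dispatchKeyEvent(event);
        }
    }

    // Best-effort fallback: if the user somehow leaves (home/recents), bring
    // the kiosk Activity straight back to the front.
    @Override
    protected void onUserLeaveHint() {
        super.onUserLeaveHint();
        startActivity(new Intent(this, KioskActivity.class)
                .addFlags(Intent.FLAG_ACTIVITY_REORDER_TO_FRONT));
    }
}

/* Hypothetical AndroidManifest.xml fragment that registers the Activity as a
   HOME launcher, so the home key lands here rather than in the stock launcher:

   <activity android:name=".KioskActivity" android:launchMode="singleTask">
       <intent-filter>
           <action android:name="android.intent.action.MAIN" />
           <category android:name="android.intent.category.HOME" />
           <category android:name="android.intent.category.DEFAULT" />
       </intent-filter>
   </activity>
*/
```

Two limits worth checking during a targeted assessment: immersive mode hides the navigation bar but a persistent swipe still reveals it briefly, and an application-level launcher can be replaced if System Settings remain reachable, which is why the custom launcher point above restricts Settings to the admin. Proper lock task (pinned) mode only arrived in Android 5.0, so on 4.4.4 these application-side controls are what Kiosk Mode has to rely on.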
6. Definitions and Terms
7. Revision History
| Date of Change | Responsible    | Summary of Change                       |
|----------------|----------------|-----------------------------------------|
| June 2015      | Arrive Systems | Creation of the document                |
| March 2016     | Arrive Systems | Update of the document to the new format |
| March 2017     | Arrive Systems | Update of the document to the new format |