The New Mobile Landscape - OWASP Ireland
1 like607 views
The document discusses threats to mobile devices and potential solutions. It outlines the mobile threat landscape including types of mobile malware, vulnerabilities, and statistics on infected platforms. It then examines players in the mobile ecosystem like MDM vendors, mobile anti-virus, application markets, and developers. Potential fixes are explored at the enterprise, consumer, vendor, and developer levels through capabilities mapping, malware detection, vulnerability analysis, and secure coding practices. The road ahead is seen through continued collaboration between these players and communities.
The New Mobile Landscape - OWASP Ireland
- 1. Mobile Threats Things Your Smartphone Does When Nobody is Looking
- 2. Agenda The “What” The Problem Mobile Ecosystem 1 2 3 4 Threat The Fix Landscape
- 3. The Problem 1
- 4. What Are The Risks Define the Threats
- 5. Moving Into The Enterprise Bring Your Own Device Security Compliance Privacy
- 6. Mobile Crossroads The Inflection Point 63% Do you trust the security of your mobile device… Have yet to make up their minds
- 7. Threat Landscape 2
- 8. The Mobile Threat Landscape
- 9. Mobile Malware Mobile Networks Decentralized Interconnected Mobile Quick Content Retrieval Perfect Malware Decentralized Interconnected Mobile Quick Content Retrieval
- 10. Statistics
- 11. Malware Timeline 2011 July August September October November Early to Malware Wave Exponential the Game Begins Growth
- 12. Primary Target Android Most Targeted (65%) iOS Absent (<1%) WHY • Closed Technology 1% • Harder to Reverse Engineer 7% • Stronger OS Security 65% 27% • Better App Store Security • No Fragmentation Issue Android J2ME Symbian Windows Mobile Distribution of Mobile Threats by Platform 2011
- 13. Mobile Malware 86% 7% Repackaging Update •Choose popular app •Similar to repackaging •Disassemble •Does not add full •Add malicious payloads payload •Re-assemble •Adds small downloader •Submit new app to •Payload downloaded at public market runtime Drive-By Standalone •Entice users to •Commercial spyware download malware •Non functional fake apps <1% 14% •Distributed via malicious (Fake Netflix) websites •Functional Trojan code •May or may not contain •Apps with root exploits a browser exploit
- 14. Mobile Malware 37% Privilege Escalation •Attempts root exploits •Small number of platform vulnerabilities Remote Control •Similar to PC bots •Most use HTTP based web traffic as C&C 93% •May use more than one •Advanced C&C models exploit for attack translating from PC world •Advanced obfuscation seen in the wild Financial Charges Information Collection 45% •Premium rate SMS •Both hard-coded and runtime updated numbers •Employ SMS filtering •Harvests personal information and data •User accounts •GPS location 45% SMS •SMS and emails •Phone call tapping •Ad Libraries Phone Number
- 15. Application Behaviors Previous Code Web Sources Your Code Binary 3rd Party Source 3rd Party Libraries Libraries
- 16. Case studies … !
- 17. Vulnerabilities • Sensitive data leakage (inadvertent or side channel) • Unsafe sensitive data storage • Unsafe sensitive data transmission • Hardcoded password/keys
- 18. Vulnerabilities • Layered APIs on common languages • Blackberry and Android use Java as a base • Non-issue for Objective-C (it’s own language)
- 19. Mobile Ecosystem 3
- 20. The Mobile Ecosystem The Players of the Game Consumer
- 21. MDM Vendors The Enterprise Choke Point Enterprise Control Point What They Provide Device Enrollment and Management Security Management Device Configuration Device Monitoring Software Management Security Components Passcode Enforcement Encryption Feature Restriction Compliance Locate and Wipe Certificate Management
- 22. Mobile Anti-Virus Old Methods Rehashed Old Methods Rehashed What They Provide Quarantine and Eradicate Malware Signature Based Analysis Security Components Locate, Lock, and Wipe Cloud Analysis Spam Filtering Email Attachment Scanning Data Backup
- 23. Application Markets The Distributor The Distributor What They Provide Marketplace for Applications User Ratings Application Updates Security Components Application Approval Process Android Bouncer iOS Scanning
- 24. Developers The Source The Source What They Provide Enterprise Application Development Consumer Application Development Cross-platform Expertise Security Components Variable on Developer Capabilities
- 25. The Fix 4
- 26. The Fix Securing Against Multiple Threats Capabilities Mapping Malware Detection Vulnerability Analysis
- 27. Capabilities Mapping Features and Permissions Data Sources Data Sinks Mapping • Location Data • HTTP Requests User Facing • Contacts • Outbound SMS • Email • Outbound Email • Trace Sources to Sinks • SMS Data • DNS Requests • Application “Intent” • SQL Access • TCP • Permission Mapping • File System • UDP • Human Intelligence • Photos • Vulnerable Code • Phone ID Values Code Flow Data Flow
- 28. Malware Detection Learn From Previous Mistakes Static Signatures Analysis Signatures Human Signatures Intelligence Dynamic Basic Heuristics Analysis
- 29. Vulnerability Analysis Find the Flaws Environmental Flaws Application Flaws
- 30. Strategic Control Points Security and Power Application Markets Enterprise Developers MDM Consumer Developers Outsourced Developers Anti-Virus COTS Developers … Developers Enterprise
- 31. Enterprise Fixes De-Risk B.Y.O.D Policy Process Technical Controls
- 32. Consumer Fixes Will Users Learn? Security Awareness • Read EULAs & prompts.. • Understand permissions • Know what jail breaking does to the security posture of the device • Recognizing phishing and social engineering • Practice practice practice
- 33. Permissions *SCOFF* Just Let Me Fling Birds at Pigs Already!
- 34. Vendor Fixes It Takes a Village Verification Process and Policy User Facing Platform Security
- 35. Developer Fixes Secure Coding TRAINING SDLC AWARENESS
- 36. The Road Ahead Where do we go from here? Capabilities Malware Vulnerability A Safer + + = Mapping Detection Analysis Mobile Path
- 37. Sources Show me the data • http://www.juniper.net/us/en/local/pdf/additional-resources/7100155-en.pdf Juniper Network Trusted Mobility Index • http://countermeasures.trendmicro.eu/wp-content/uploads/2012/02/History-of-Mobile-Malware.pdf A History of Malware – Trend Micro • http://www.cs.berkeley.edu/~afelt/felt-mobilemalware-spsm.pdf A Survey of Mobile Malware In The Wild – UC Berkeley • http://www.securelist.com/en/analysis/204792222/Mobile_Malware_Evolution_Part_5 Mobile Malware Evolution Part 5 – Kaspersky Labs • http://www.csc.ncsu.edu/faculty/jiang/pubs/OAKLAND12.pdf Dissecting Android Malware: Characterization and Evolution – Yajin Zhou and Xuxian Jiang • http://www.fiercemobilecontent.com/story/apples-new-ios-6-adds-deep-facebook-integration-dumps-google- maps/2012-06-11 Apple's new iOS 6 adds deep Facebook integration, dumps Google Maps • http://www.net-security.org/secworld.php?id=13050 LinkedIn Privacy Fail • http://www.trailofbits.com/resources/mobile_eip_2.pdf Mobile Exploit Intelligence Project – Trail of Bits • http://www.net-security.org/secworld.php?id=12418 Social Mobile Apps Found Storing User’s Content Without Permission • And More…. Contact me if you need something specific I may have left out…