![The year of
Android
malware [1]
Google reveals
“Bouncer” - its
malware
scanner [2]
Malware is
moving out of
the Google
Play [3]
Google adds full-time
app scanning to address
malware on external
stores [4]
Google’s&Focus&on&Malware&
Android is becoming like iOS
when it comes to malware](https://image.slidesharecdn.com/yairamit-mobilesecurityaglimpsefromthetrenches-141223084707-conversion-gate01-150101083348-conversion-gate01/85/Mobile-Security-Attacks-A-Glimpse-from-the-Trenches-Yair-Amit-Skycure-37-320.jpg)
Mobile Security Attacks: A Glimpse from the Trenches - Yair Amit, Skycure
- 1. Mobile Security A Glimpse from the Trenches Yair Amit CTO & Co-Founder Skycure @YairAmit
- 2. ! Today ! CTO & co-founder of Skycure ! Previously ! Managed the Application Security Group at IBM ! Joined IBM through the acquisition of Watchfire ! Loves and lives security ! Filed over 15 security patents About&Me&
- 5. ! Threat&vector& ! Device'lost'/'device'stolen'/'temporary'physical'access ! Basic&physical&security&needs:& ! Remote'wipe ! Locate'device ! Backup ! Local'storage ! Passcode'protec@on ! The&above&becomes&OS&responsibility& ! MDM&provides&the&above&OS&features&together&with& management&and&policy&enforcement& The&Physical&Layer&
- 7. Based on Skycure enabled devices worldwide Real World Incident Statistics& Affected Devices Over Time 0%& 10%& 20%& 30%& 40%& 50%& 0%& 23%& 30%& 35%& 41%& 1&Month& 2&Months& 3&Months& 4&Months& !&
- 8. & ! Did&network&aNacks&happen&near&your&office?& ! Are&airports&more&suscep-ble&to&aNacks?& ! Which&networks&at&a&conference&should&I&be&avoiding?& Global&RealUTime&Threat&Map&& hNps://maps.skycure.com&
- 13. Gotofail&–&The&Code& static OSStatus SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams, uint8_t *signature, UInt16 signatureLen) { … if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) goto fail; goto fail; if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0) goto fail; err = sslRawVerify(ctx, ctx->peerPubKey, dataToSign, /* plaintext */ dataToSignLen, /* plaintext length */ signature, signatureLen); … fail: SSLFreeBuffer(&signedHashes); SSLFreeBuffer(&hashCtx); return err; }& Always&goto& “fail”,&even&if& err==0& Code&is&skipped& (even&though&err&==&0)& Func-on&returns&0&(i.e.&verified),& even&though&sslRawVerify&was& not&called&
- 15. Heartbleed&
- 17. ! Design&issues&are&much&more&interes-ng& ! …'and'much'harder'to'fix ! These&are÷d&into&two&types:& ! General'“protocol”'vulnerabili@es ! Design'issues'affec@ng'mobile'OS ! Mobile&devices&are&more&suscep-ble:& ! Classical'solu@ons'are'inadequate ! Excessive'use'of'untrusted'networks DesignUBased&Vulnerabili-es&
- 20. ! Example&III:& Karma& DesignUBased&Vulnerabili-es&(Generic)& Hak5’s'WiFi'Pineapple >>'Read'more
- 22. iOS sandbox approach Source: Apple’s App Sandbox Design Guide App Characteristics $ ! One&Store& ! Heavy&Screening& ! App&Sandboxing& Profile Characteristics ! No&Store& ! No&Screening& ! No&Sandboxing& iOS Security Model&
- 23. Where$Do$We$Find$Them?$ ! Mobile&Device&Management&(MDM)& ! Cellular&carriers& ! Usually'used'for'APN'sengs ! Mobile&applica-ons& ! Service&providers& Configura-on&Profiles&
- 24. Configura;on$profiles$can$also$be$malicious$ ! Malicious&“service&providers”&(apps/services/WiUFis/etc.)& ! Vulnerable&services& ! Privacy&viola-ng&services& Malicious&Profiles& Click to install streaming profile Welcome to iOS Streamer Watch TV shows and movies free online. Stream your favorite content directly to your iOS device. Hacker'gains'access'to'your'mail,'business' apps,'cloud'services,'bank'accounts'and' more,'even if traffic is encrypted >>'Read'more
- 25. Going$Viral$ ! ANacker&hijacks&vic-m’s&key&iden--es& ! Corporate'Exchange ! Facebook ! LinkedIn ! ANacker&sends&mass&messages&to&vic-m’s&contacts,&luring& them&to&install&the&malicious&profile& ! ANack&propagates& Malicious&Profiles&
- 29. ! Mobile&OS&enforce&addi-onal&security&models& ! Sandbox ! Be_er'updates ! Controlled'applica@on'stores ! AppUlevel&issues&are&now&on&the&rise& App&Level&Security&&&Privacy&
- 33. A$Long$Way$to$Go$ ! Almost&all&major&apps&today&lack&SSL&Pinning& ! Suscep@ble'to'a_acks'such'as'malicious'profiles'by'design ! Also'exploited'when'a_acker'gains'access'to'a'trusted'CA ! Slow&adop-on&should¬&come&as&a&surprise& ! Implementa@on'challenges ! Less'flexibility ! Can'become'a'nightmare'if'done'wrong… Cer-ficate&Pinning&
- 35. Vic@m'interacts'with'the' malicious'server A'while'later, vic@m'opens'the'app App'logic'has' changed! A_acker'returns'a'301' direc@ve'specifying'a' permanent'change'in'URI Victim opens the app in an untrusted environment App'con@nues'to'connect' to'the'malicious'server! Malicious'server'can' return'actual'results' from'the'target'server >>'Read'more HRH&–&ANack&Flow&
- 37. The year of Android malware [1] Google reveals “Bouncer” - its malware scanner [2] Malware is moving out of the Google Play [3] Google adds full-time app scanning to address malware on external stores [4] Google’s&Focus&on&Malware& Android is becoming like iOS when it comes to malware
- 40. Summary$
- 41. ! The&physical&threats& ! Becomes'the'OS'responsibility ! Network&based&threats& ! Implementa@on'vulnerabili@es ! Design'vulnerabili@es ! Generic'vs.'mobile'specific ! App&level&threats& ! Vulnerabili@es ! HTTP/S,'Cer@ficate'Pinning,'HTTP'Request'Hijacking ! The'“maliciousness”'axis ! Malware'!'Ad'Networks'!'Privacy'Viola@ons Summary&
- 42. ! Personal level ! Maintain'an'up'to'date'opera@nglsystem ! Update'the'apps'that'you'are'using ! Be'alerted'and'aware'of'evolving'threats ! Network'layer ! Thirdlparty'app'stores ! OS'misconfigura@ons'and'vulnerabili@es ! Organizational level& ! Deploy'a'mobile'security'solu@on Recommenda-ons&
- 43. Thank you! ! Twi_er: @YairAmit ! Email: [email protected] ! Blog: h_p://www.skycure.com/blog Seamless Mobile Security