CRISC CGEIT CISM CISA 2013 Fall Conference – “Sail to Success”
Shining the Light on Flashlight and the Security of Thousands of Mobile Apps
Theodora Titonis, Vice President Mobile, Veracode
Professional Techniques – T13
2013 Fall Conference – “Sail to Success” September 30 – October 2, 2013
AGENDA
• The Mobile Security Stack
• Recent Attacks on Each Layer
• Securing the Application Layer
• Examples of Risky and Malicious Apps
• Shining the Light on Flashlight Apps
• What can we do
• Questions
THE MOBILE SECURITY STACK
CYBERSECURITY
The protection of electronic information and communications systems and the data contained within those systems.
MOBILE SECURITY STACK
• Well-defined layers
• An abstraction-based model
• Allows for focus on a specific area of concern/expertise
• Results in a comprehensive approach
INFRASTRUCTURE
• Supports all other layers
• Owned by the mobile carrier
• Encompasses protocols like LTE, GPS, SMS, MMS, VOIP
• Vulnerabilities effective across multiple carriers
HARDWARE
• Smartphone or tablet
• Firmware
• Maintained by manufacturer
• Carrier pushes upgrades
• Infrastructure interfaces with firmware to pass data
• Accessible to the operating system for device control
OPERATING SYSTEM
• The software running on the device
• Apple’s iOS and Google’s Android
• Allows communication between the hardware and application layers
• Provides access to its resources by publishing Application Programming Interfaces (APIs)
APPLICATION
• More app downloads than stars in our galaxy by 2017
• Software that the end-user directly interfaces with
• Utilizes the APIs provided by the operating system (OS)
• Interfaces with the cloud or device through the OS
SECURING THE APPLICATION LAYER
APPLICATION
Insecure apps are the leading cause of security breaches and data loss.
Three categories of application risk: VULNERABILITIES, RISKY BEHAVIORS and MALICIOUS CODE.
VULNERABILITIES
ANDROID VULNERABILITIES
iOS VULNERABILITIES
OWASP MOBILE TOP 10
• Insecure Data Storage
• Poor Authorization and Authentication
• Broken Cryptography
• Sensitive Information Disclosure
• Insufficient Transport Layer Protection
• Weak Server Side Controls
• Client Side Injection
• Side Channel Data Leakage
• Improper Session Handling
• Security Decisions Via Untrusted Inputs
APP DEVELOPMENT LIFECYCLE
• REQUIREMENTS – Define project goals into functions
• DESIGN – Describe desired features and operations
• DEVELOPMENT – Write the code
• TESTING – Check for errors, bugs and interoperability
• RELEASE – Put software into production
• MAINTAIN – Changes, corrections, additions
APP SECURITY – applies across the whole lifecycle
INSECURE DATA STORAGE
The basic security architecture, access controls and isolation provided to files and databases may be adequate for non-sensitive data.
There are NO good ways, native to Android, to store sensitive data on the device.
PROPER USE OF ENCRYPTION
Encryption (protect the key)
Do:
• Make a trusted connection to a secure server for the key
• Prompt for credentials when needed
Don’t:
• Write custom crypto
• Store keys on the device
[Chart: Android cryptographic issues, 58% and 64%; stages labelled Development, Testing/Quality Control, Production System]
PROTECT SENSITIVE DATA
1. Take a user-supplied password
2. Derive a 256-bit AES key from the password
3. Encrypt and decrypt data at will
4. STORE DATA ANYWHERE – Once we encrypt the data we can store it in a file, in a database, even on the SD card
5. DO NOT STORE KEY – Keep the symmetric key from compromise by NOT storing it anywhere at any time
RISKY AND MALICIOUS APPS
MOBILE ENTERPRISE
APP PRODUCER | APP CONSUMER
By 2015, mobile application development projects will outnumber native PC projects by 4-to-1*
62% of companies to allow BYOD by year’s end [1]
93% of companies face challenges adopting BYOD policies [2]
* Gartner Top Predictions for IT Organizations and Users, 2012 and Beyond
[1] http://www.zdnet.com/unavoidable-62-percent-of-companies-to-allow-byod-by-years-end-7000010703
[2] http://www.net-security.org/secworld.php?id=15006
MOBILE ENTERPRISE
APP PRODUCER – Mobile SDLC:
• Volume: 10-100s of apps
• Speed: New apps every quarter
• Choice: Developer driven
APP CONSUMER – BYOD (or BYOA):
• Volume: Thousands of apps
• Speed: New apps every day
• Choice: Employee driven
RISKY ANDROID APPS
RISKY AND MALICIOUS ANDROID APPS
GROWTH OF MALICIOUS ANDROID APPS
DATA LOSS
94% of companies said lost information was their biggest concern in a mobile security incident.
Source: http://www.net-security.org/secworld.php?id=15006
SENSITIVE DATA LANDS ON EMPLOYEE DEVICES
BYOD channels:
• FILE SHARING – File sharing services and apps
• APPS – Business productivity
• EMAIL – Add company email to personal device
• SMS – Instant messages, particularly with attachments
• SD CARD – Copy files from desktop or laptop
• VPN – Become a node on the internal network
SENSITIVE DATA LEAVES EMPLOYEE DEVICES
• System logs
• Unique device identification
• Device type information
• Carrier information
• Device location
• Examine root file system
BATTERY SAVER APP
10 million downloads
PHOTO APP
100,000 downloads
SHINING THE LIGHT ON FLASHLIGHT APPS
FLASHLIGHT APPS
ANTIVIRUS SCANNERS
NETWORK ANALYSIS
BRIGHTEST FREE
WHAT CAN WE DO
• Make secure coding practices an integral part of your Software Development Lifecycle
• Ensure that the apps you are producing are free from vulnerabilities
• Ensure that third-party libraries used in your apps are free from risky behavior
• Ensure that the apps in your enterprise app store and on your employee devices are free from risky behavior and malicious code
• Understand how mobile apps put sensitive data at risk
• Detect which mobile apps violate enterprise policy quickly and efficiently
• Act intelligently to mitigate risk and protect data
ENTERPRISE ACTION AT CONTROL POINTS
Control points: Mobile Device Management (MDM), Mobile Application Management (MAM), Enterprise App Stores, App Wrapping
App sources: Enterprise Developers, Outsourced Developers, SDLC
BUT INTELLIGENCE IS REQUIRED!
ACT THROUGH MOBILITY MANAGEMENT
App Sources → Intelligence → Control
• App sources: Internal Apps, Outsourced Apps, Public App Stores
• Control: MDM Integration, MAM Integration, Enterprise App Store Integration, Reports for User Education
INTELLIGENCE INTEGRITY THROUGH INNOVATION
• Static Analysis
• Dynamic/Behavioral Analysis
• Advanced Machine Learning
• Signatures
• Basic Heuristics
• Manual Testing
QUESTIONS