Ensuring Security on Mobile Devices
It is possible… right?
Topics
▪ About viaForensics
▪ Why mobile security matters
▪ Types of security breaches and fraud
▪ Anticipated evolution of attacks
▪ Common mistakes that developers make
▪ How to anticipate and prevent security flaws
▪ Conclusion
About viaForensics
▪ I’m not Andrew Hoog
▪ Mobile security, forensics researchers
▪ Key tech leaders: Hoog, Cannon, Zdziarski
▪ Books, trainings, research papers, news, congressional staff briefing
▪ Key products and services: appSecure, liveForensics, AFLogical, viaExtract, and Santoku
Why Mobile Device Security Matters
▪ Necessity of security - given
▪ Importance and growth of mobile
• Fed study: 20% used mobile banking in 2011, up to 30% will use mobile banking by 2013
Source: http://www.federalreserve.gov/econresdata/mobile-device-report-201203.pdf
Why Mobile Device Security Matters
▪ Problems in mobile security to date
• Rapid growth with little security
• Trojan/malicious apps, phishing/smishing
• Perception – many consumers unsure
▪ Potential for much greater harm
• Worm or one-click exploit, widespread infection
• Rapid increased adoption + platforms in flux
• Potential for pervasive, undetected theft of data
Near-field Data Heist
▪ Contactless Credit Cards
Contactless Credit Cards Problem
▪ Stories from Channel 4, BBC Watchdog
▪ Card info used to make purchases from Amazon UK
▪ Not a new problem, but mobiles facilitate exploit
▪ Illustrates how ease of use can introduce security risk
Google Wallet Problems
▪ Google Wallet leverages NFC on some devices
▪ Connects to credit, prepaid cards
▪ Leverages “secure element” on device
▪ Significant growing pains so far:
• viaForensics found excess private data stored
• Zvelo cracked user PIN
• Thesmartphonechamp found prepaid card problem
Mobiles as a Target of Attack
▪ Mobile is different
• NAND Memory
• New mobile OS’s, frequent updates
• Traverse more networks, install more apps
▪ Mobile devices are a target
• Rich target handling banking, email, GPS, PII, PHI
• Both personal and corporate data
• Highly connected and can store large datasets
• Security standards, tools still emerging
Anatomy of a Mobile Attack
Categories of cyber attacks

Espionage
• Goal: Compromise classified materials
• Approach: Highly sophisticated and targeted
• Impact: Severe, threat to security
• Prevention: Complex, expensive

Corporate Theft
• Goal: Steal trade secrets, IP and more
• Approach: Sophisticated, company and individual targeted
• Impact: High, financial or R&D loss
• Prevention: Strong security & policies

Consumer/Identity Theft
• Goal: Financial theft, identity theft
• Approach: Trivial to sophisticated, broad or company targeted
• Impact: Small and wide
• Prevention: Secure mobile development, education
Types of breaches
▪ Lost or stolen device
▪ Phishing/Smishing
▪ Clickjacking
▪ Trojan or Malicious apps
▪ Man-in-the-middle
▪ Man-in-the-mobile
▪ Worm
Security Breach Accounting
▪ 2012 DBIR, Verizon with USSS and foreign LE
Source: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012-press_en_xg.pdf
Evolution of Attacks
▪ Platforms have been compromised repeatedly
▪ The quantity and value of information stored and transacted on mobiles is rapidly increasing
▪ Attacks follow the money
▪ Experts anticipate growth in both broad and targeted attacks on mobile
Reality Check
▪ It’s about the DATA
• Most data is handled by apps
• Ergo, it’s about the APPS
▪ App security is mobile security
▪ Don’t we trust device passcodes and encryption?
» no
Device Security?
▪ viaForensics’ Mobile Security Risk Report
▪ First line of defense
• Complex passcodes
• Keychain data protection
• Remote wipe
▪ But secure sensitive data at app level, and assume a hostile environment
▪ Do not rely solely on platform security
Apps: Common Problems
▪ Authentication: Authentication bypass, lack of multi-factor, session state vulnerability
▪ Insecure data on device: Caching, logging, stored without encryption, improper encryption, iOS keychain
▪ Network Issues: Improper SSL or storage encryption, MITM vulnerability, SSLstrip
▪ Service/Server Vulnerability: Brute force susceptible, server resource exposure, lack of server-side validation
▪ Code vulnerabilities: Reverse engineering, debugging
Widespread iOS Infection Demo
▪ Demonstrates risk to apps on iOS platform
• Discovered by Jonathan Zdziarski
• Not a way to infect; but steal important data from many apps
• iOS foundation classes hijacked
• Most apps’ sensitive data vulnerable
▪ One attack could steal credentials and more
▪ Potential for pervasive data theft across apps
Secure Mobile App Development
▪ Yes, there is such a thing
▪ Takes more time, skill and money than the alternative
▪ Focus on security before, during and after development
• Education is Key
• Testing is Key
Recommendations
▪ Integrate security from design phase
▪ Maintain traditional security controls
▪ Attack your apps
• Test like black hat
• Test after updates (platform, app)
• Use latest mobile techniques and tools
Anticipate and Prevent
▪ Anticipate attacks
• Expect your app to be reverse engineered
• Expect your back-end services to be attacked
• Expect your users to be targeted & devices compromised
▪ Prevent damage
• Prevent your data from being exposed
• Prevent your app from being compromised
• Prevent attackers from gaining elevated access
Education Resources
▪ Secure mobile development resources are increasing
▪ Industry technical training
• viaForensics/CompTIA certification
• OWASP Resources
▪ Mobile Security Books
• Zdziarski, Hoog, others
Secure Mobile Dev: 42+ Best Practices
▪ FREE Report: https://viaforensics.com/42bp
▪ Avoid insecure data caching
▪ Avoid simple logic
▪ Be aware of the keyboard cache
▪ Properly validate SSL/TLS
▪ iOS-specific issues
▪ Android-specific issues
Testing Resources
▪ Internal
• Train existing security engineers
• Santoku Linux Project
▪ External
• Specialized mobile app security assessment
• viaForensics appSecure
• Find mobile expertise
▪ Expert, red team mobile assessment
Back to that Fed Study
“Consumers’ perception that mobile banking and mobile payments are unsecure is currently one of the primary impediments to adoption. If consumers’ perception of security issues changes—whether due to actual or perceived improvements—adoption rates may significantly increase.”
Conclusion
▪ There is great benefit in mobile for enterprises and consumers, but
• Mobile attacks are likely to increase
• Mobile security has been bumpy
• Consumer trust of mobile security is not strong
▪ Secure mobile development is key
• Education and Testing
• Anticipate and Prevent
• Raise the standard and assure consumers