
Ensuring Security on Mobile Devices


Page 1: Ensuring Security on Mobile Devices

It is possible… right?

Page 2: Ensuring Security on Mobile Devices

Topics
• About viaForensics
• Why mobile security matters
• Types of security breaches and fraud
• Anticipated evolution of attacks
• Common mistakes that developers make
• How to anticipate and prevent security flaws
• Conclusion

Page 3: Ensuring Security on Mobile Devices

About viaForensics
• I’m not Andrew Hoog
• Mobile security, forensics researchers
• Key tech leaders: Hoog, Cannon, Zdziarski
• Books, trainings, research papers, news, congressional staff briefing
• Key products and services: appSecure, liveForensics, AFLogical, viaExtract, and Santoku

Page 4: Ensuring Security on Mobile Devices

Why Mobile Device Security Matters
• Necessity of security: a given
• Importance and growth of mobile
  • Fed study: 20% used mobile banking in 2011, up to 30% will use mobile banking by 2013

Source: http://www.federalreserve.gov/econresdata/mobile-device-report-201203.pdf

Page 5: Ensuring Security on Mobile Devices

Why Mobile Device Security Matters
• Problems in mobile security to date
  • Rapid growth with little security
  • Trojan/malicious apps, phishing/smishing
  • Perception: many consumers unsure
• Potential for much greater harm
  • Worm or one-click exploit, widespread infection
  • Rapidly increasing adoption + platforms in flux
  • Potential for pervasive, undetected theft of data

Page 6: Ensuring Security on Mobile Devices

Near-field Data Heist
• Contactless Credit Cards

Page 7: Ensuring Security on Mobile Devices

Contactless Credit Cards Problem
• Stories from Channel 4, BBC Watchdog
• Card info used to make purchases from Amazon UK
• Not a new problem, but mobiles facilitate the exploit
• Illustrates how ease of use can introduce security risk

Page 8: Ensuring Security on Mobile Devices

Google Wallet Problems
• Google Wallet leverages NFC on some devices
• Connects to credit, prepaid cards
• Leverages “secure element” on device
• Significant growing pains so far:
  • viaForensics found excess private data stored
  • Zvelo cracked user PIN
  • Thesmartphonechamp found prepaid card problem

Page 9: Ensuring Security on Mobile Devices

Mobiles as a Target of Attack
• Mobile is different
  • NAND memory
  • New mobile OSs, frequent updates
  • Traverse more networks, install more apps
• Mobile devices are a target
  • Rich target handling banking, email, GPS, PII, PHI
  • Both personal and corporate data
  • Highly connected and can store large datasets
  • Security standards, tools still emerging

Page 10: Ensuring Security on Mobile Devices

Anatomy of a Mobile Attack

Page 11: Ensuring Security on Mobile Devices

Categories of cyber attacks

Espionage
  • Goal: Compromise classified materials
  • Approach: Highly sophisticated and targeted
  • Impact: Severe, threat to security
  • Prevention: Complex, expensive

Corporate Theft
  • Goal: Steal trade secrets, IP and more
  • Approach: Sophisticated, company and individual targeted
  • Impact: High, financial or R&D loss
  • Prevention: Strong security & policies

Consumer/Identity Theft
  • Goal: Financial theft, identity theft
  • Approach: Trivial to sophisticated, broad or company targeted
  • Impact: Small and wide
  • Prevention: Secure mobile development, education

Page 12: Ensuring Security on Mobile Devices

Types of breaches
• Lost or stolen device
• Phishing/Smishing
• Clickjacking
• Trojan or malicious apps
• Man-in-the-middle
• Man-in-the-mobile
• Worm

Page 13: Ensuring Security on Mobile Devices

Security Breach Accounting
• 2012 Data Breach Investigations Report (DBIR), Verizon with the US Secret Service and foreign law enforcement

Source: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012-press_en_xg.pdf

Page 14: Ensuring Security on Mobile Devices

Evolution of Attacks
• Platforms have been compromised repeatedly
• The quantity and value of information stored and transacted on mobiles is rapidly increasing
• Attacks follow the money
• Experts anticipate growth in both broad and targeted attacks on mobile

Page 15: Ensuring Security on Mobile Devices

Reality Check
• It’s about the DATA
  • Most data is handled by apps
  • Ergo, it’s about the APPS
• App security is mobile security
• Don’t we trust device passcodes and encryption?
  » no

Page 16: Ensuring Security on Mobile Devices

Device Security?
• viaForensics’ Mobile Security Risk Report
• First line of defense
  • Complex passcodes
  • Keychain data protection
  • Remote wipe
• But secure sensitive data at the app level, and assume a hostile environment
• Do not rely solely on platform security

Page 17: Ensuring Security on Mobile Devices

Apps: Common Problems
• Authentication: Authentication bypass, lack of multi-factor, session state vulnerability
• Insecure data on device: Caching, logging, stored without encryption, improper encryption, iOS keychain
• Network Issues: Improper SSL or storage encryption, MITM vulnerability, SSLstrip
• Service/Server Vulnerability: Brute force susceptible, server resource exposure, lack of server-side validation
• Code vulnerabilities: Reverse engineering, debugging

Page 18: Ensuring Security on Mobile Devices

Widespread iOS Infection Demo
• Demonstrates risk to apps on the iOS platform
  • Discovered by Jonathan Zdziarski
  • Not a way to infect, but a way to steal important data from many apps
  • iOS foundation classes hijacked
  • Most apps’ sensitive data vulnerable
• One attack could steal credentials and more
• Potential for pervasive data theft across apps

Page 19: Ensuring Security on Mobile Devices

Secure Mobile App Development
• Yes, there is such a thing
• Takes more time, skill and money than the alternative
• Focus on security before, during and after development
  • Education is key
  • Testing is key

Page 20: Ensuring Security on Mobile Devices

Recommendations
• Integrate security from the design phase
• Maintain traditional security controls
• Attack your apps
  • Test like a black hat
  • Test after updates (platform, app)
  • Use the latest mobile techniques and tools

Page 21: Ensuring Security on Mobile Devices

Anticipate and Prevent
• Anticipate attacks
  • Expect your app to be reverse engineered
  • Expect your back-end services to be attacked
  • Expect your users to be targeted & devices compromised
• Prevent damage
  • Prevent your data from being exposed
  • Prevent your app from being compromised
  • Prevent attackers from gaining elevated access

Page 22: Ensuring Security on Mobile Devices

Education Resources
• Secure mobile development resources are increasing
• Industry technical training
  • viaForensics/CompTIA certification
  • OWASP resources
• Mobile security books
  • Zdziarski, Hoog, others

Page 23: Ensuring Security on Mobile Devices

Secure Mobile Dev: 42+ Best Practices
• FREE report: https://viaforensics.com/42bp
• Avoid insecure data caching
• Avoid simple logic
• Be aware of the keyboard cache
• Properly validate SSL/TLS
• iOS-specific issues
• Android-specific issues
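As an added illustration of the “Properly validate SSL/TLS” practice above and the “Improper SSL ... MITM vulnerability” problem on the Apps slide (example code written for this page, not viaForensics code), here is the weak client TLS configuration that shipping apps are often found with, beside its corrected form, plus a small audit function that flags the weak settings. Python’s standard ssl module is assumed as a stand-in for the platform TLS APIs the deck has in mind.

```python
import ssl
from typing import List

# Added example, not from the viaForensics deck. "Improper SSL" in an app
# usually means certificate and/or hostname checking was switched off to get
# past a self-signed test certificate and was never switched back on.


def insecure_client_context() -> ssl.SSLContext:
    """The anti-pattern: any certificate for any host is accepted, so a
    man-in-the-middle holding a forged certificate terminates the session."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                      # certificate no longer tied to the host
    ctx.verify_mode = ssl.CERT_NONE                 # certificate chain not validated at all
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # legacy protocol versions allowed
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The corrected form: system trust store, chain and hostname
    verification on, and nothing older than TLS 1.2 negotiated."""
    ctx = ssl.create_default_context()              # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the review findings for a client context; an empty list means clean.
    These three checks are what to look for in any app's TLS setup."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain verification disabled (verify_mode)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled (check_hostname)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions allowed (minimum_version)")
    return findings


if __name__ == "__main__":
    print("insecure:", audit_client_context(insecure_client_context()))
    print("hardened:", audit_client_context(hardened_client_context()))
```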

Page 24: Ensuring Security on Mobile Devices

Testing Resources
• Internal
  • Train existing security engineers
  • Santoku Linux Project
• External
  • Specialized mobile app security assessment
  • viaForensics appSecure
  • Find mobile expertise
• Expert, red team mobile assessment

Page 25: Ensuring Security on Mobile Devices

Back to that Fed Study

“Consumers’ perception that mobile banking and mobile payments are unsecure is currently one of the primary impediments to adoption. If consumers’ perception of security issues changes—whether due to actual or perceived improvements—adoption rates may significantly increase.”

Page 26: Ensuring Security on Mobile Devices

Conclusion
• There is great benefit in mobile for enterprises and consumers, but
  • Mobile attacks are likely to increase
  • Mobile security has been bumpy
  • Consumer trust of mobile security is not strong
• Secure mobile development is key
  • Education and testing
  • Anticipate and prevent
  • Raise the standard and assure consumers