Page 1: Security of Mobile Devices

Lon Kastenson

Security of Mobile Devices

Page 2: Security of Mobile Devices

Agenda

• Overview
• Types of attacks
• Security in Android
• Security in iOS
• Security in other mobile platforms
• Current protocols and solutions
• Security in the future
• Questions

Page 3: Security of Mobile Devices

Overview: History

• June 2004: Cabir
• The Evolution after Cabir
– 2006: 31 Families, 170 Variants – Cabir, Comwar, Skuller.gen
– In Symbian Alone!
• Windows Mobile 2003 and PocketPC
– Comwar

Page 4: Security of Mobile Devices

Overview: History

• 2007: Jailbreaking iPhones and iPods reveals critical flaw in iOS
• 2008: Exploits found in both Android and iOS
• 2009: Blackberry Hacked
• 2010: 5% of apps contain malicious code
• 2011: The Apple user tracking debate
• 2011: Confirmed attack on Android Market

Page 5: Security of Mobile Devices

Overview: Present

• 1.6 billion smartphone sales worldwide (as of 2010)

Percent of Worldwide Smartphone Sales (chart)

• Symbian: 38%
• Android: 23%
• RIM (Blackberry): 16%
• iOS: 16%
• Microsoft: 4%
• Other: 4%

Source: http://www.gartner.com/it/page.jsp?id=1543014

Page 6: Security of Mobile Devices

Overview: Present

• Both Android and iOS have known security risks.
• IBM X-Force predicts the number of attacks this year will double compared with last year.
• Popular attacks remain Trojan Horses and Social Engineering hacks.

Page 7: Security of Mobile Devices

Types of Attacks

• Trojan Horse (Most popular, evident in Android Market Attack)
• Worm
• Virus
• Socially Engineered
• Man in the middle attacks
• Privacy Issues? (Application Terms of Service Agreement)

Page 9: Security of Mobile Devices

Propagation Methods

• Direct Install (Trojan)
• Bluetooth
• MMS message
• Memory card
• File Injection
• Other methods?

Page 10: Security of Mobile Devices

Privacy Issues

• iOS tracking users?
• Privacy Policy for smartphone apps
• Apps having too much access?
• http://blogs.wsj.com/wtk-mobile/

Page 11: Security of Mobile Devices

Android Security

• Hardware level
• Kernel level
– Linux kernel
– “ROMs”
• Android Security Program

Page 12: Security of Mobile Devices

Hardware Level Security

• NX bit
• NFC for wallet transactions
• Hardware DRM (locked bootloader)
• Off system encryption key

Page 13: Security of Mobile Devices

Kernel Level Security

• Hardware Drivers located in the kernel
• Explicit permission needed
• Only kernel level applications have root access
• Secure Inter-process Communication
• Dalvik Virtual Machine

Page 14: Security of Mobile Devices

Dalvik Virtual Machine

• “Application Sandbox”
• Protection for rooted users?

Source: http://source.android.com/tech/security/

Page 15: Security of Mobile Devices

Operating System Security

• System Partition and Safe Mode
• Filesystem Permissions
• Filesystem Encryption

Page 16: Security of Mobile Devices

Android Security Program

• Design Review
• Penetration Testing and Code Review
• Open Source and Community Review
• Incident Response
• OTA updates
• What happened with the March 2011 attack?

Page 17: Security of Mobile Devices

Android Security Issues

• Rooted Devices
• Android Market
• Pipes
• JNI
• Permissions Prompt

Page 18: Security of Mobile Devices

I agree

Next

I accept

Continue?

Really Continue?

Page 19: Security of Mobile Devices

iOS Security

• Closed Source
• Market App Approval
• Security Architecture
– Security APIs
– Authentication
– Encryption
– Permissions

Page 20: Security of Mobile Devices

iStore Market Approval System

• Only developers approved by the Apple Developer Program are allowed to put applications on the market.
• Strict guidelines for application approval
• Must adhere to style guides

Page 21: Security of Mobile Devices

Security Architecture

• Security Server Daemon
• Security APIs
• Core OS based encryption

Page 22: Security of Mobile Devices

Security APIs

• Keychain
• CFNetwork
• Certificate, Key and Trust Services
• Randomization Services
• Objective-C API

Page 23: Security of Mobile Devices

Other Security Services

• Filesystem Permissions
• Filesystem Encryption
• Address Space Layout Randomization
• Data Execution Prevention

Page 24: Security of Mobile Devices

iOS Security Issues

• Weak “sandbox”
• Vulnerable applications a threat
• Closed source approach
• Jailbroken devices

Page 25: Security of Mobile Devices

Symbian Security

• Capability Model
• Process Identity
• Data Caging
• Certification

Page 26: Security of Mobile Devices

Capability Model

• Each binary is a capability
• User Capabilities
• System Capabilities
• How it all works

Page 27: Security of Mobile Devices

How Capability Works

• “Copies” of DLLs are made and the kernel will check for any forged function calls.

Source: http://www.developer.nokia.com/Community/Wiki/File:Capability_subversion.PNG

Page 28: Security of Mobile Devices

Process Identity

• SecureID
• VendorID

Page 29: Security of Mobile Devices

Data Caging

• Applications are restricted in what data they can access
• File server controls access, capability.
• Sharing data privately
• Databases and data caging

Page 30: Security of Mobile Devices

Certification and Platform Security

• Certification Assignment
• Untrusted Applications
• Trusted Applications
• Self-signing Applications

Page 31: Security of Mobile Devices

Symbian Security Issues

• Been around longest, more malware out there.
• Currently supported, but no longer a priority for development at Nokia.
• Capability model has shown weakness in the past.

Page 32: Security of Mobile Devices

Windows Phone Security

• Unique certification for Windows Phone Marketplace
• Mandatory Code Signing
• .NET managed Code
• Isolated storage “sandbox”
• SSL root certificates
• Data Encryption

Page 33: Security of Mobile Devices

Possible Solutions

• Hardening
– On a hardware level
– On a software level
• Attack Surface Reduction
• Internet (Cloud) based protection
• Telecom based protection
• Privacy Argument, how much security is too much?

Page 34: Security of Mobile Devices

In the Future

• Speculation by Dr. Charlie Miller
• Speculation of IBM X-Force
• Gostev’s “Laws of Computer Virus Evolution”

Page 35: Security of Mobile Devices

References

• Gostev, Alexander. (2006 September). Retrieved October 2011, from Securelist – Mobile Malware Evolution: An Overview Part 1 http://www.securelist.com/en/analysis?pubid=200119916
• Gartner. (n.d.). Retrieved October 2011, from Gartner – Gartner Says Sales of Mobile Devices in Second Quarter of 2011 Grew 16.5 Percent Year-on-Year; Smartphones grew 74 Percent http://www.gartner.com/it/page.jsp?id=1764714
• Google. (n.d.). Android Open Source Project. Retrieved Sept 2011, from Android Open Source – Android Security Overview http://source.android.com/tech/security/index.html
• Apple. (n.d.). Mac OS X Developer Library. Retrieved Sept 2011, from Apple Developer – Security Overview http://developer.apple.com/library/mac/#documentation/Security/Conceptual/Security_Overview/Introduction/Introduction.html
• Nokia. (n.d.). Symbian C++ Books. Retrieved October 2011, from Nokia Developer – Fundamentals of Symbian C++/Platform Security http://www.developer.nokia.com/Community/Wiki/Fundamentals_of_Symbian_C%2B%2B/Platform_Security
• Microsoft. (n.d.). MSDN. Retrieved October 2011, from MSDN – Security for Windows Phone http://msdn.microsoft.com/en-us/library/ff402533.aspx
• IBM. (n.d.). IBM Security Solutions. Retrieved September 2011, from IBM – IBM X-Force 2011 Mid-Year Trend and Risk Report http://public.dhe.ibm.com/common/ssi/ecm/en/wge03015usen/WGE03015USEN.PDF
• PCWorld. Bradley, Tony. Retrieved September 2011, from PCWorld – Adobe Flash Zero Day Puts Android Smartphones at Risk. http://www.pcworld.com/businesscenter/article/205411/adobe_flash_zero_day_puts_android_smartphones_at_risk.html
• Montoro, Massimiliano. Retrieved October 2011 from oxid.it – About Cain http://www.oxid.it/cain.html
• (n.d.). Retrieved October 2011 from CyanogenMod Wiki – What is CyanogenMod? http://wiki.cyanogenmod.com/index.php?title=What_is_CyanogenMod
• Apple. (n.d.). Retrieved October 2011 from Apple Developer – Guidelines for Appstore Submissions http://developer.apple.com/appstore/resources/approval/guidelines.html
• Accuvant. Farnum, Michael. Retrieved October 2011 from Accuvant – Dr. Charlie Miller Compares the Security of iOS and Android http://www.accuvant.com/blog/2011/10/20/dr-charlie-miller-compares-security-ios-and-android
• Viega, LeBlanc, Howard. 19 Deadly Sins of Software Security. Emeryville, CA: McGraw-Hill/Osborne. 2005. Print.
• Whitaker, Evans, and Voth. Chained Exploits. Boston, MA: Addison-Wesley. 2009. Print.

Page 36: Security of Mobile Devices

Questions?

! Are you sure you want to answer questions?

