
MOBILE SECURITY OVERVIEW

Tim LeMaster

[email protected]

Your data center is in the cloud.

Your users and customers have gone mobile.

Starbucks is your fall-back Network.

Your mobile device is a gold mine for hackers

ENTERPRISE EMAIL

ENTERPRISE NETWORK: VPN, WiFi

ENTERPRISE APPS: SaaS, Custom Apps

CREDENTIALS: Stored, Soft Tokens

PHOTO ALBUM: Whiteboard Screenshots, IDs

SENSORS: GPS, Microphone, Camera

Lookout 2017 | Confidential and Proprietary

PC vs. MOBILE across DEVICE, NETWORK, WEB & CONTENT and APPS

PC
- Device: Selected, purchased, and managed by organization; administered by IT; managed by SCCM; OS version control; OS integrity monitoring; behavioral monitoring
- Network: LAN / corporate Wi-Fi; VPN when traveling; on-device firewalls; perimeter firewall
- Web & Content: Filtered at organizational perimeter (Secure Web Gateways)
- Apps: Selected, purchased, and managed by organization; Anti-Virus; DLP; vulnerability scanning

MOBILE
- Device: Organizational issued, some BYOD; partially managed using MDM
- Network: Always on cellular; user selected Wi-Fi
- Web & Content: Often unfiltered
- Apps: Selected, purchased, and managed by user*

How are you protecting your corporate data?

MOBILE: COMPONENTS OF RISK

Rows: THREATS, SOFTWARE VULNERABILITIES, BEHAVIOR & CONFIGURATIONS. Columns (VECTORS): DEVICE, NETWORK, WEB & CONTENT, APPS.

DEVICE
- Threats: Privilege escalation; Remote jailbreak/root
- Software vulnerabilities: Out-of-date OS; Dead-end hardware; Vulnerable pre-installed apps
- Behavior & configurations: User initiated jailbreak/root; No pin code/password*; USB debugging

NETWORK
- Threats: Man-in-the-middle; Fake cell towers; Spoofed WiFi APs; Root CA installation
- Software vulnerabilities: Network hardware vulnerabilities; Protocol stack vulnerabilities
- Behavior & configurations: Proxies, VPNs, root-CAs; Auto-joining unencrypted networks

WEB & CONTENT
- Threats: Phishing; Drive-by-download; Malicious websites & files
- Software vulnerabilities: Malformed content that triggers OS or app vulnerabilities
- Behavior & configurations: Opening attachments and visiting links to potentially unsafe content

APPS
- Threats: Spyware & surveillanceware; Trojans; Other malicious apps
- Software vulnerabilities: Out-of-date apps; Vulnerable SDKs; Poor coding practices
- Behavior & configurations: Apps that leak data; Apps that breach org security policy; Apps that breach regulatory compliance

RISK MATRIX (axes: OS, Apps, Network)

- Multiple attack vectors utilized
- Malicious apps
- Non-compliant apps
- App vulnerability exploits
- Data leakage
- Malicious MitM attacks
- Anomalous Root CA
- End user jailbreak/root
- Malicious jailbreak/root
- OS vulnerabilities exploitation
- Data on stolen devices
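The matrix above is, in practice, what a device-posture check evaluates. The following is an added example, not Lookout's code or any product's API: it encodes several of the matrix cells as rules over a device-posture record and maps each finding back to its component and category, then rolls the findings up into a coarse risk level. The `DevicePosture` fields, the 90-day patch-age threshold, the assessment date and the two sample devices are assumptions constructed for illustration; a real MDM or MTD agent would supply these attributes under its own names.

```python
# Added example: a device-posture check built on the deck's components-of-risk
# matrix. Not Lookout's code; the field names, the 90-day threshold, the
# assessment date and the sample devices are assumptions constructed for illustration.
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple


@dataclass
class DevicePosture:
    name: str
    platform: str                       # "android" or "ios"
    patch_level: date                   # Android security patch level, or the release date of the installed iOS version
    passcode_set: bool
    usb_debugging: bool                 # Android developer option; always False on iOS
    jailbroken_or_rooted: bool
    user_installed_root_cas: List[str]  # subject names of CAs the user added to the trust store
    auto_joins_open_wifi: bool
    apps_with_known_cves: List[str]     # installed apps flagged against a CVE feed


Finding = Tuple[str, str, str]  # (component, category, detail), following the matrix axes

MAX_PATCH_AGE_DAYS = 90  # assumed policy threshold, not from the deck


def assess(p: DevicePosture, today: date) -> List[Finding]:
    """Evaluate one device against the matrix cells modelled here."""
    findings: List[Finding] = []
    # DEVICE / SOFTWARE VULNERABILITIES: out-of-date OS
    age = (today - p.patch_level).days
    if age > MAX_PATCH_AGE_DAYS:
        findings.append(("DEVICE", "SOFTWARE VULNERABILITIES",
                         f"Out-of-date OS: patch level {p.patch_level} is {age} days old"))
    # DEVICE / BEHAVIOR & CONFIGURATIONS
    if p.jailbroken_or_rooted:
        findings.append(("DEVICE", "BEHAVIOR & CONFIGURATIONS", "User initiated jailbreak/root"))
    if not p.passcode_set:
        findings.append(("DEVICE", "BEHAVIOR & CONFIGURATIONS", "No pin code/password"))
    if p.usb_debugging:
        findings.append(("DEVICE", "BEHAVIOR & CONFIGURATIONS", "USB debugging enabled"))
    # NETWORK / THREATS: a user-added root CA lets a proxy terminate TLS for every app
    for ca in p.user_installed_root_cas:
        findings.append(("NETWORK", "THREATS", f"Root CA installation: {ca}"))
    # NETWORK / BEHAVIOR & CONFIGURATIONS
    if p.auto_joins_open_wifi:
        findings.append(("NETWORK", "BEHAVIOR & CONFIGURATIONS", "Auto-joining unencrypted networks"))
    # APPS / SOFTWARE VULNERABILITIES
    for app in p.apps_with_known_cves:
        findings.append(("APPS", "SOFTWARE VULNERABILITIES", f"Out-of-date app with known CVEs: {app}"))
    return findings


def risk_level(findings: List[Finding]) -> str:
    """Coarse rollup: any active threat or a compromised OS is HIGH, otherwise count-based."""
    if any(cat == "THREATS" or "jailbreak" in detail for _, cat, detail in findings):
        return "HIGH"
    if len(findings) >= 2:
        return "MEDIUM"
    return "LOW" if findings else "NONE"


CHECK_DATE = date(2017, 6, 15)  # assumed assessment date

# Constructed sample devices, not real inventory.
SAMPLE_DEVICE = DevicePosture(
    name="sales-phone-042", platform="android", patch_level=date(2017, 2, 1),
    passcode_set=True, usb_debugging=True, jailbroken_or_rooted=False,
    user_installed_root_cas=["CN=Example Proxy CA"], auto_joins_open_wifi=True,
    apps_with_known_cves=[])
CLEAN_DEVICE = DevicePosture(
    name="exec-phone-007", platform="ios", patch_level=date(2017, 5, 15),
    passcode_set=True, usb_debugging=False, jailbroken_or_rooted=False,
    user_installed_root_cas=[], auto_joins_open_wifi=False, apps_with_known_cves=[])

if __name__ == "__main__":
    for dev in (SAMPLE_DEVICE, CLEAN_DEVICE):
        found = assess(dev, CHECK_DATE)
        print(f"{dev.name}: {risk_level(found)}")
        for comp, cat, detail in found:
            print(f"  [{comp} / {cat}] {detail}")
```

The rollup treats a user-installed root CA as a threat rather than a configuration issue because, once trusted system-wide, it lets whoever holds the matching key terminate TLS for every app on the device; the same reasoning is why the deck's risk matrix lists "Anomalous Root CA" as its own item.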

MOBILE: COMPONENTS OF RISK (second version of the matrix)

Rows: THREATS, SOFTWARE VULNERABILITIES, BEHAVIOR & CONFIGURATIONS. Columns (VECTORS): DEVICE, NETWORK, WEB & CONTENT, APPS.

DEVICE
- Threats: Privilege escalation; Remote jailbreak/root
- Software vulnerabilities: Out-of-date OS; Dead-end hardware; Vulnerable pre-installed apps
- Behavior & configurations: User initiated jailbreak/root; No pin code/password; USB debugging

NETWORK
- Threats: Man-in-the-middle; Fake cell towers; Root CA installation
- Software vulnerabilities: NIC driver vulnerabilities; Protocol stack vulnerabilities
- Behavior & configurations: Proxies, VPNs, root-CAs; Auto-joining unencrypted networks

WEB & CONTENT
- Threats: Phishing; Drive-by-download; Malicious code injection
- Software vulnerabilities: Malformed content that triggers OS or app vulnerabilities
- Behavior & configurations: Message attachments and links to content that result in security policy breaches

APPS
- Threats: Malicious apps; Spy & surveillanceware; Trojans
- Software vulnerabilities: Out-of-date apps; Vulnerable SDKs; Poor coding practice
- Behavior & configurations: Apps that breach company security policy; Apps that breach regulatory compliance

RISK MATRIX

Highlighted on this slide (Apps, Behavior & configurations):
- Apps that leak data; Apps that breach org security policy; Apps that breach regulatory compliance


For iOS enterprise devices:


Highlighted on this slide (Apps, Threats):
- Malicious apps; Spyware & surveillanceware; Trojans


Highlighted on this slide (Device and Network; Threats and Behavior & configurations):
- Privilege escalation; Remote jailbreak/root
- Man-in-the-middle; Fake cell towers; Spoofed WiFi APs; Root CA installation
- User initiated jailbreak/root
- No pin code/password*; USB debugging

MitM Demo (MITM Example)


Highlighted on this slide (Device, Software vulnerabilities):
- Out-of-date OS; Dead-end hardware; Vulnerable pre-installed apps

ANDROID: Android Patches

https://source.android.com/security/bulletin/2017-06-01

• 101 patched CVEs in Jun
  • 76 high or critical
• 120 patched CVEs in May
  • 88 high or critical
• Android Security Advisory 2016-03-18
  • Rooting app – Kernel vuln
• Deployment challenges
  • Older devices not getting updates

IOS: iOS Patches

iOS Status

• iOS version 10.3.2 released 15 May
  • 49 CVEs patched
• iOS version 10.3.1 released 3 Apr
  • WiFi chip vulnerability patch
• iOS version 10.3 released 27 Mar
  • 91 CVEs patched
• Scareware for Ransom
  • Safari browser pop-ups loop
• Need employees to update…

https://support.apple.com/en-us/HT207617

MOBILE RISK HIGHLIGHTS…

• Alternative App stores
• Fraudulent/Fake Apps
• Pegasus and Trident
• MilkyDoor
• ViperRAT – surveillanceware
• App take downs

Lots of alternative app stores…

Pegasus and Trident

Pegasus: The Threat

• A professionally developed and highly advanced threat leveraging zero-day vulnerabilities, code obfuscation, encryption and sophisticated function hooking to subvert app controls.

Trident: The Three Vulnerabilities

• Describes a trifecta of three related zero-day vulnerabilities in iOS that collectively allowed the attacker to automatically jailbreak the device and install far-reaching spyware.

• All encrypted data from any apps on the device
• User passwords from the keychain
• All wifi passwords for every network the device has been on
• All passwords from any connected Apple router / Airport / Time Capsule
• GPS / User location
• All calls audio and history
• All data from calendar including meetings
• Sensitive conversations recorded via microphone
• All contacts on the device
• And more…

Pegasus causes catastrophic data compromise

MilkyDoor

• Covertly grants attackers access to enterprise's services
  • web, FTP, SMTP in the internal network
• Repackaged Android Apps
  • 200 unique apps on Play
• Communicates to C&C over SSH
  • Android.process.s

Provides access to internal networks
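MilkyDoor's defining behaviour, an outbound SSH session from the phone that is then used to reach web, FTP and SMTP services inside the corporate network, leaves a trace in flow logs from the corporate Wi-Fi. The following is an added detection example, not Lookout's code: it parses constructed flow records and raises an alert when a host on the mobile VLAN holds an outbound SSH session to a non-internal peer and, within a time window, also connects to internal service ports. The log format, subnets, port list, window and sample lines are all assumptions made for this illustration.

```python
# Added detection example for the MilkyDoor-style pattern, not Lookout's code.
# Log format, subnets, ports, the time window and the flow lines are all
# constructed assumptions for illustration.
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

MOBILE_NET = ipaddress.ip_network("10.50.0.0/16")          # assumed mobile Wi-Fi VLAN
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]       # assumed corporate address space
INTERNAL_SERVICE_PORTS = {21, 25, 80, 443}                 # FTP, SMTP and web, as named on the slide
SSH_PORT = 22
WINDOW = timedelta(minutes=30)  # how long after the SSH session starts we correlate internal access

# Constructed flow records: "<timestamp> <src> <dst> <dport> <proto> <bytes>"
SAMPLE_FLOWS = """\
2017-06-01T09:00:05 10.50.3.17 203.0.113.9 22 tcp 4096
2017-06-01T09:01:10 10.50.3.17 10.10.8.5 80 tcp 512
2017-06-01T09:02:00 10.50.3.17 10.10.8.6 21 tcp 256
2017-06-01T09:03:30 10.50.7.2 10.10.8.5 443 tcp 1024
2017-06-01T09:04:00 10.50.7.2 198.51.100.4 443 tcp 2048
2017-06-01T09:05:00 10.50.9.9 203.0.113.20 22 tcp 300
"""


def parse_flow(line: str) -> Dict:
    """Split one space-separated flow record into typed fields."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def detect(lines: List[str]) -> List[Dict]:
    """Alert when a mobile-VLAN host opens SSH to an external peer and then reaches internal services."""
    flows = [parse_flow(line) for line in lines if line.strip()]
    by_src = defaultdict(list)
    for flow in flows:
        if flow["src"] in MOBILE_NET:
            by_src[flow["src"]].append(flow)
    alerts = []
    for src, fs in by_src.items():
        # Outbound SSH to something outside the corporate address space
        ssh_sessions = [x for x in fs if x["dport"] == SSH_PORT and not is_internal(x["dst"])]
        for s in ssh_sessions:
            # Internal service access that starts during the SSH session window
            lateral = [x for x in fs
                       if x["dport"] in INTERNAL_SERVICE_PORTS and is_internal(x["dst"])
                       and timedelta(0) <= x["ts"] - s["ts"] <= WINDOW]
            if lateral:
                alerts.append({
                    "src": str(src),
                    "ssh_peer": str(s["dst"]),
                    "internal_targets": sorted({f"{x['dst']}:{x['dport']}" for x in lateral}),
                })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_FLOWS.splitlines()):
        print(f"ALERT {a['src']} -> ssh {a['ssh_peer']}; internal targets {a['internal_targets']}")
```

Of the three constructed devices, only 10.50.3.17 trips the rule: 10.50.9.9 has an outbound SSH session but no internal service access, and 10.50.7.2 reaches an internal web server without any SSH session, so neither matches the pattern. A lone outbound SSH from a phone is worth a lower-severity event of its own, but correlating it with internal access is what separates this proxying behaviour from an engineer running an SSH client.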

ViperRAT

• Social media for targeting
  • Fake Profile as young women
  • Build trust
  • Install app for easier communication
• Multi-stage malware
  • Dropper for profiling
  • 2nd stage is more capable
  • Extract files and Photos

Surveillanceware

210 Lookout-discovered threats in the Google Play Store (2016)

Timeline (date; number of apps on the timeline):

- Bouncer Bounce (July 15; 1): Malware that works around Google's review process to plant malicious apps in Play Store.
- OverSeer (August 4; 4): Spyware targeting foreign travelers searching for Embassy locations. Steals contact and location data.
- DressCode (September 7; 13): Can make the device a proxy for network traffic on corporate networks.
- DressCode (September 30; 3): We discovered more apps on Play injected with this trojan.
- Tcemui / Photo Uploader (October 19; 1): Lookout discovered this malware family in fake versions of popular apps on Play.
- Wakeful / App Download (October-November; 2): Malware hidden in "File Explorer" app that had gotten into Play, downloads and launches additional apps.
- XRanger (November 25; 167): 167 apps in Play infected with this app dropper.

Legend: discovered by Lookout in Play Store and subsequently removed by Google.

Gartner Market Guide for Mobile Threat Defense Solutions

"It is becoming increasingly important that security leaders look at the anti-malware, mobile threat defense solutions market, the products available and how they should be used."*

Source: Gartner Market Guide for Mobile Threat Defense Solutions, John Girard and Dionisio Zumerle, July 2016

*Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

This Gartner report is available upon request from Lookout

Lookout Mobile Endpoint Security meets all four functional capabilities, including:

• Behavioral Anomaly Detection
• Vulnerability Assessment
• Network Security
• App Scan

What Should You Do??

• Stick to official app stores
• Lock your screen
• MDM
• Don't connect to unknown WiFi
• Use a VPN
• Be wary of phishing attempts
  • Unknown links in text messages, emails and web sites
• Use a Mobile Threat Detection solution

Layered Defenses