Embed Size (px)
DESCRIPTION
Security of Mobile Devices. Lon Kastenson. Agenda. Overview Types of attacks Security in Android Security in iOS Security in other mobile platforms Current protocols and solutions Security in the future Questions. Overview: History. June 2004: Cabir The Evolution after Cabir - PowerPoint PPT Presentation
Citation preview
Lon Kastenson
Security of Mobile Devices
• Overview• Types of attacks• Security in Android• Security in iOS• Security in other mobile platforms• Current protocols and solutions• Security in the future• Questions
Agenda
• June 2004: Cabir• The Evolution after Cabir
– 2006: 31 Families, 170 Variants – Cabir, Comwar, Skuller.gen– In Symbian Alone!
• Windows Mobile 2003 and PocketPC– Comwar
Overview: History
• 2007 Jailbreaking iPhones and iPods reveals critical flaw in iOS
• 2008, exploits found in both Android and iOS
• 2009: Blackberry Hacked• 2010, 5% of apps contain malicious code• 2011, The Apple user tracking debate• 2011, confirmed attack on Android Market
Overview: History
• 1.6 billion smartphone sales worldwide (as of 2010)
Overview: Present
38%
23%
16%
16%
4% 4%
Percent of Worldwide Smartphone Sales
SymbianAndroidRIM (Blackberry)iOSMicrosoftOther
Source: http://www.gartner.com/it/page.jsp?id=1543014
• Both Android and iOS have known security risks.
• IBM X-Force predicts the number of attacks this year will double since last year.
• Popular attacks remain Trojan Horses and Social Engineering hacks.
Overview: Present
• Trojan Horse (Most popular, evident in Android Market Attack)
• Worm• Virus• Socially Engineered• Man in the middle attacks• Privacy Issues? (Application Terms of
Service Agreement)
Types of Attacks
March 2011 Attack on Android Market
Source: http://www.androidpolice.com/2011/03/01/the-mother-of-all-android-malware-has-arrived-stolen-apps-released-to-the-market-that-root-your-phone-steal-your-data-and-open-backdoor/
• Direct Install (Trojan)• Bluetooth• MMS message• Memory card• File Injection• Other methods?
Propagation Methods
• iOS tracking users?• Privacy Policy for smartphone apps• Apps having too much access?• http://blogs.wsj.com/wtk-mobile/
Privacy Issues
• Hardware level• Kernel level
– Linux kernel– “ROMs”
• Android Security Program
Android Security
• NX bit • NFC for wallet transactions• Hardware DRM (locked bootloader)• Off system encryption key
Hardware Level Security
• Hardware Drivers located in the kernel• Explicit permission needed• Only kernel level applications have root
access• Secure Inter-process Communication• Dalvik Virtual Machine
Kernel Level Security
• “Application Sandbox”• Protection for rooted users?
Dalvik Virtual Machine
Source: http://source.android.com/tech/security/
• System Partition and Safe Mode• Filesystem Permissions• Filesystem Encryption
Operating System Security
• Design Review• Penetration Testing and Code Review• Open Source and Community Review• Incident Response• OTA updates• What happened with the March 2011
attack?
Android Security Program
• Rooted Devices• Android Market• Pipes• JNI• Permissions Prompt
Android Security Issues
I agree
Next
I accept
Continue?
Really Continu
e?
• Closed Source• Market App Approval• Security Architecture
– Security APIs– Authentication– Encryption– Permissions
iOS Security
• Apple Developer Program approved developers only allowed to put applications on the market.
• Strict guidelines for application approval• Must adhere to style guides
iStore Market Approval System
• Security Server Daemon• Security APIs• Core OS based encryption
Security Architecture
• Keychain• CFNetwork• Certificate, Key and Trust Services• Randomization Services• Objective-C API
Security APIs
• Filesystem Permissions• Filesystem Encryption• Address Space Layout Randomization• Data Execution Prevention
Other Security Services
• Weak “sandbox”• Vulnerable applications a threat• Closed source approach• Jailbroken devices
iOS Security Issues
• Capability Model• Process Identity• Data Caging• Certification
Symbian Security
• Each binary is a capability• User Capabilities• System Capabilities• How it all works
Capability Model
• “Copies” of DLLs are made and the kernel will check for any forged function calls.
How Capability Works
Source: http://www.developer.nokia.com/Community/Wiki/File:Capability_subversion.PNG
• SecureID• VendorID
Process Identity
• Applications restricted what data is accessed
• File server controls access, capability.• Sharing data privately• Databases and data caging
Data Caging
• Certification Assignment• Untrusted Applications• Trusted Applications• Self-signing Applications
Certification and Platform Security
• Been around longest, more malware out there.
• Currently supported, but no longer a priority for development at Nokia.
• Capability model has shown weakness in the past.
Symbian Security Issues
• Unique certification for Windows Phone Marketplace
• Mandatory Code Signing• .NET managed Code• Isolated storage “sandbox”• SSL root certificates• Data Encryption
Windows Phone Security
• Hardening– On a hardware level– On a software level
• Attack Surface Reduction• Internet (Cloud) based protection• Telecom based protection• Privacy Argument, how much security is
too much?
Possible Solutions
• Speculation by Dr. Charlie Miller• Speculation of IBM X-Force• Gostev’s “Laws of Computer Virus
Evolution”
In the Future
• Gostev, Alexander. (2006 September) Retrieved October 2011, from Securelist – Mobile Malware Evolution: An Overview Part 1 http://www.securelist.com/en/analysis?pubid=200119916
• Gartner (n.d.). Retrieved October 2011, from Gartner – Gartner Says Sales of Mobile Devices in Second Quarter of 2011 Grew 16.5 Percent Year-on-Year; Smartphones grew 74 Percent http://www.gartner.com/it/page.jsp?id=1764714
• Google. (n.d.). Android Open Source Project. Retrieved Sept 2011, from Android Open Source – Android Security Overview http://source.android.com/tech/security/index.html
• Apple. (n.d.). Mac OS X Developer Library. Retrieved Sept 2011, from Apple Developer – Security Overview http://developer.apple.com/library/mac/#documentation/Security/Conceptual/Security_Overview/Introduction/Introduction.html
• Nokia. (n.d.). Symbian C++ Books. Retrieved October 2011, from Nokia Developer – Fundamentals of Symbian C++/Platform Security http://www.developer.nokia.com/Community/Wiki/Fundamentals_of_Symbian_C%2B%2B/Platform_Security
• Microsoft. (n.d.). MSDN. Retrieved October 2011, from MSDN – Security for Windows Phone http://msdn.microsoft.com/en-us/library/ff402533.aspx
• IBM. (n.d.). IBM Security Solutions. Retrieved September 2011, from IBM – IBM X-Force 2011 Mid-Year Trend and Risk Report http://public.dhe.ibm.com/common/ssi/ecm/en/wge03015usen/WGE03015USEN.PDF
• PCWorld. Bradley, Tony. Retrieved September 2011, from PCWorld – Adobe Flash Zero Day Puts Android Smartphones at Risk. http://www.pcworld.com/businesscenter/article/205411/adobe_flash_zero_day_puts_android_smartphones_at_risk.html
• Montoro, Massimiliano. Retrieved October 2011from oXit – About Cain http://www.oxid.it/cain.html • (n.d.). Retrieved October 2011 from CyanogenMod Wiki – What is CyanogenMod? http://
wiki.cyanogenmod.com/index.php?title=What_is_CyanogenMod• Apple (n.d.). Retrieved October 2011 from Apple Developer – Guidelines for Appstore Submissions http://
developer.apple.com/appstore/resources/approval/guidelines.html• Accuvant. Farnum, Michael. Retrieved October 2011 from Accuvant – Dr. Charlie Miller Compares the Security of iOS and
Android http://www.accuvant.com/blog/2011/10/20/dr-charlie-miller-compares-security-ios-and-android• Viega, LeBlanc, Howard. 19 Deadly Sins of Software Security. Emeryville, CA: McGraw Hill-Osborn. 2005. Print.• Whitaker, Evans, and Voth. Chained Exploits. Boston, MA: Addison-Weasley. 2009. Print
References
Questions?
!Are you sure you want to answer
questions?
