Upload
cclarkisec
View
8
Download
3
Tags:
Embed Size (px)
DESCRIPTION
An overview of the security challenges and opportunities that mobile application developers must work through
Citation preview
Mobile Application Security
Chris Clark
iSEC Partners, Inc.
04/23/09 | AND-301
Session Classification:
Intermediate
2
Agenda
Security Challenges
Mobile Today
Supporting Security
Actions
Mobile Today
Mobile Phone Sales Per Year
0
200
400
600
800
1000
1200
1997 2009
4
Data from Tomi Ahonen Almanac 2009
Phones
In
Millions
5
Major Smartphone Platforms
6
7
Trend Catalysts
• Sexier Devices
• Younger Generation
• F500 Acceptance
• Multi-Environment Phones
• Unlimited Data Plans
• Provider App Stores
8
Security Challenges
What is Security?
• Not the PC or Server Model
– Single User
– High-Value Information
– Low-Value Applications
• Availability and Power
• Local Attacker Resistance
10
The Airline Pocket
• Physical Security Just Doesn’t Exist
• Phones will Be Lost
• Need Ways of Protecting Data
– Local encryption
– Cloud storage
11
Hardware Limitations
• Limited Bandwidth
• Power
• CPU
• Size
12
Technology Will Solve These
Screen Size
13
*From RSnake
Poor Keyboards
14
C)sOz*ao1pdn
Regulations
15
User Identification
• Real Time
• Must be Available Immediately
• One Handed Interface
• More Prompts than PC
16
“Ownership”
• OS Vendor
• Carrier
17
• User
• Application Developer
All “Own” the Phone and Have Differing Objectives
Distribution Challenges
• Indirect Customer Relationship
• Patching Difficulties
– Carriers are anti-patch
• Long Update Lag
• Multiple Hardware Platforms
18
Web Browsers
• Different Browser Chrome
• Inconsistent Standards Support
• Too Much WebKit
19
Unsafe Languages
• Windows Mobile (C/C++)
– .Net Mobile Framework (safe)
– /GS, SafeCRT
• iPhone (Objective-C)
– Has C Constructs
– NX Stack/Heap
• Symbian (Symbian C++)
– C++ with more Complex Memory Management
20
Technical Comparison
21
Feature Blackberry WinMo 6.x iPhone 2.2.1 Android
Enterprise Mail
and Calendar
Remote Wipe
Side-Load
Applications
Application
Sandbox
User
permission UI
App Signing
Browser
Technical Comparison
Feature Blackberry WinMo 6 iPhone 2.2.1 Android
Application
Language
Permission
Model
App Buffer
Overflows
OS Buffer
Overflow
Protections
Signature
Required?
Vulnerability Count by Platform
23
Desktop Heritage
24
Growing Security Activity
• Targeted by Security Community
• CanSecWest
• Asian & European Research
• Commercial Spy Products
25
Mobile Web Presence
• Multiple Internet Presences
– Mobile vs. Standard
• Both are on the Internet
– Accept “All” Connections
– Pen-Test from Desktop
• Common Real World Result:
– Primary website secured
– Mobile site unprotected
26
Common Mobile Portal Mistakes
• Using a Different SLD
– bank.mobilecorp.com
– mobilecorp.com/bank
• Same Credentials as .com
• Phishing Education Destroyed
– If it Ever Worked
SupportingSecurity
Security Goals
• Users can Safely Run Applications
• OS Protected from Applications
– A.K.A. Steal Carrier Revenue
• Per-Application Private Data
• Contain Vulnerabilities
29
Two Models
30
Old Way
Normal Privileged
New Way
App App App
App App App
Old Way
• BlackBerry & Windows Mobile
• All or Nothing
• Signatures Defines Permission Level
• No or Limited File Permission Systems
• No “users”
– Good, because it doesn’t make sense
31
Pros/Cons
32
Pros
• Easy to Understand
• Easy to Test
Cons
• No Exploit Containment
• User can’t Make Granular Choices
Kernel
App 1 App 2 App 3 App 4
File System
Windows Mobile
33
Kernel
Blackberry
• J2ME Based
• No Raw Device Access
• Web Services and Web Based Models
34
Security Opportunities
• More Granular Permissions
• Sandboxed Applications
• Reduced Attack Surface
• Give Users Control of Data
35
iPhone
36
Kernel
App 1 App 2 App 3 App 4
App 1
Data
App 2
Data
App 3
Data
App 4
Data
iPhone
• One Distribution Method
• Strict AppStore Policy
• Non-Technological Policy Enforcement
37
Application Store is a Security Barrier
Kernel
App 1 App 2 App 3 App 4
App 1
Data
App 2
Data
App 3
Data
App 4
Data
Android & Symbian
38
Benefits
• Extensible to Custom Data Types
• Users Have Control
• Same-Developer Sandbox
– An Office Suite is Possible
– Attack Surface Increased
39
Challenges
40
Android Market
• Self-Signed Certificates
• Community Reputation
• No Unsigned Code Allowed
41
Application Store is a Security Barrier
Actions
For Enterprises
• Define a Mobile Application Security Policy
• Set User Application Security Policy
– Are App Stores Allowed?
• Build Secure Line of Business Applications
• Create a Unified Model for Mobile Interactions
– Don’t mix “m.” with /mobile or .mobi domains
43
For Developers
• Define Security Assertions for Users
• Define Threats
– Lost Phone
– Network Attacks
• Create Limits
– E.g. Read-only Mobile Endpoints
• Apply Secure Development Guidelines
• Test on Real Devices
44
For Mobile Web Developers
• Disallow Older Browsers
• Do Not Decrease Overall Security
– Tightly-Scope Functionality
– Use SSL and Proper Domains
• Strong Authentication
– Unique Authentication for Mobile Sites
• Don’t Make Phishing Easier
– Keep Links out of Email
– Maintain Clear Message
45