There's an App for That: Digital Forensic Realities for Mobile App Evidence, Security and Privacy

Mobile
Forensics
World

June
3,
2013

John
J.
Carney,
Esq.

There’s
an
App
for
That

Digital
Forensic
Reali6es
for
Mobile
App
Evidence,

Security
and
Privacy

www.youtube.com/watch?v=cdWmIoeLyfc

Generations of App Computing
When Generation Companies Languages
1960s Mainframes IBM, Cray Cobol/Fortran
1970s Minicomputers DEC, Wang PL/I, C
1980s Personal Computers Microsoft, Apple C++, VB
1995 Internet Computing Google, Yahoo Java, C#, PHP
2005 Mobile Computing Apple, Google Obj-C, Ruby

Mobile App Evidence Realities
■  “There’s An App for That”
■  App Platforms
■  App Families
■  App Privacy
■  App Data Security
■  App Plug-in Development
■  App Futures

“There’s An App for That”
“Apps are nuggets of magic”

■  Small, downloadable chunks of software
■  Access to info in neatly packaged format
■  Simplicity, cheapness, instant gratification
■  Intuitive because rely on phone’s sensors
■  Accelerometers, gyroscopes, inbuilt GPS
■  Don’t need constant connection to Internet
■  Launch faster than PC software
■  Top ten are 43% of usage; top fifty are 61%

Mobile Apps – Families to Watch
■  Mobile Messaging
■  Mobile Messaging (Retention / Expiration)
■  Personal Navigation (GPS)
■  Payment
■  Social Media
■  Photo Sharing
■  Document Creation
■  Web Mail
■  Productivity
■  Storage/Backup
■  Spyware

iPhone Personal Navigation Apps
■  Garmin StreetPilot
Onboard
■  Magellan
RoadMate
■  TomTom App
■  NAVIGON
MobileNavigator
■  Google Maps
■  Nokia Maps
■  CoPilot Live
■  MotionX GPS Drive
■  MapQuest
Navigator
■  TeleNav
■  AT&T Navigator

Android Personal Navigation Apps
■  Google Maps
■  Nokia Maps
■  NAVIGON MobileNavigator
■  CoPilot Live
■  MapQuest Android Nav App
■  TeleNav
■  Waze – Social GPS
■  Sygic GPS Navigation
■  iGO My Way

Mobile Messaging Apps
•  Make
That
20
Billion
Messages

•  Popular
“SMS
Killers”

•  Use
Internet
and
App
Servers

•  Text
Free
from
Costs
&
Quotas

•  Mul6-‐plaPorm
for
Many
Devices

•  Global
to
Bypass
Country
Limits

•  Evidence
Recovery
Challenging

•  Unaware
of
Exploding
Use
in
US

•  Subpoena
or
Court
Order
Issues

•  Not
Easily
Data
Mined
by
Expert

•  Advanced
Decoding
&
Tools
Required
to
Recover
&
Produce

Expiration / Retention

App Privacy
“Get It Right From The Start”
■  Privacy Recommendations from the FTC
■  Build Privacy into Apps
■  Practice “Privacy by Design”
■  Limit Information Collected
■  Securely Store What Held
■  Safely Dispose of Information
■  Use App Defaults Users Expect
■  Do Mobile Apps Get It Right?

App Privacy
PiOS: Detecting Privacy Leaks in iOS Apps
■  Academics Published Study Using Novel Analysis Tool
■  Tested 1,400 iPhone Apps for Privacy Threats
■  825 Free Apps Vetted by Apple and Available through AppStore
■  582 Jailbroken Apps from Cydia (not associated with Apple)
■  Sensitive Information Sources Giving Rise to Privacy Leaks:

App Privacy
PiOS: Detecting Privacy Leaks in iOS Apps
■  Did the 1,400 iOS Apps Get It Right?
■  Most Leaks Supply Access to Unique DeviceID Allows Hackers to Create
Detailed Profiles of Users’ App Preferences and Usage Patterns

App Data Security
Critical Role of Mobile Apps Data Security
Protection Required:
■  Personally Identifiable Information (PII)
■  Personal Health Information (PHI) - HIPAA
■  Consumer Personal Nonpublic Information – GLBA
■  Student Records – FERPA
■  Security Credentials
■  Trade Secrets
■  Confidential Information
■  Personal Identity and Reputation
“68%
of
mobile
device
owners
who
have
not

adopted

ﬁnancial
apps
are
holding
back
due

to
security
fears.”
–
Mobile
Banking,
Consumer

Security
PracIces
and
the
Growing
Risks
to

Banks,
Research
Report,
Metaforic,
2012

App Data Security
Study and Findings: Sensitive User Data Stored on Mobile Devices
■  100 Popular Consumer Apps Tested
■  iPhone and Android Platforms
■  Finance, Social Media, Productivity, Retail Apps Segments
■  Download, Install, Populate Apps with Marked Data
■  Username, Password, Private App Data
■  Analyze Mobile Device Forensically for Data Exposure
■  Rate Results on Pass/Warn/Fail System
■  Expert Judgments Based On:
■  Security Best Practices, Likely User Expectations, Quantity and Specific
Nature of Data Exposed

App Data Security
■  Overall Only 17% of Apps Pass

App Data Security
■  44% of Financial Apps Pass and Are Most Secure
■  74% of Social Media Apps Fail and Are Least Secure
■  No Social Media Apps Pass App Data Test
■  4 Social Media Apps Stored Device Passwords in Clear Text
■  Only 3 Productivity Apps Pass
■  11 Productivity Apps Failing are E-mail Apps
■  No Retail Apps Pass
■  Overall
Results:

App Plug-in Development
Challenge: Exponential Growth in App Installs

Challenge: High Growth in Apps Available
Pure Oxygen Labs, LLC

Solution: Examiner Developers in the Field

Case Study in App Forensics Development
•  App Chosen Is “Burner” – Disposable Phone Numbers
•  Family: Mobile Messaging App – Retention / Expiration
•  By Ad Hoc Labs, Inc.
•  TIME Magazine’s Top 10 Apps of 2012
•  Featured in Wired and Engadget

Plug-in Development Environment
•  Goals
•  Least Intrusive (Phone Handset Experimentation)
•  Portable
•  Standard
•  Cost Effective
•  Windows7 VMware Virtual Machine
•  Android SDK Emulator Creates Virtual Test Phones
•  Supports SMS, Voice, Voice Messages, VOIP
•  APK App Downloader for Chrome to Download Apps from Google Play
Store
•  Android Debug Bridge (ADB) to Install Apps
•  IDE – Vim, Eclipse, Notepad++

Plug-in Decoding and Development
•  App Decoding Using
•  UFED Physical Analyzer
•  UFED Plug-ins – YAFFS2, Android Content, SmartFat, ExtX
•  Viewers – SQLite, XML Preference Files, Text
•  Diff
•  Plug-in Development Using
•  Iron Python Shell
•  Method Auto-completion
•  Browse Loaded Objects
•  Iron Python Libraries for Scripting
•  UFED Plug-in Packager
•  Converts Python Script into Plug-in

Plug-in Execution
UFED Physical Analyzer
•  Physical Memory Acquisition
•  File System Reconstruction
•  Plug-in Chain Management
•  Automated Plug-in Execution
•  App Parsing and Object Loading
•  Reporting, Analytics, Exports

Plug-in Results
•  Only Passwords Are Encrypted
•  App Data Stored in SQLite Database Openly & Unprotected
•  Until Phone Number Expires and App Data Wiped
Lessons
•  Examiners Can Decode Apps
•  Examiners Can Author App Plug-ins

Mobile App Futures
■ Wearables
■  Smart Watches
■ Sony SmartWatch – >200 Android Apps Available
■ Pebble Watch – Apps Platform
■ i’m Watch – Android Apps
■ MetaWatch STRATA and FRAME – iOS Apps
■ WIMM One – Android Apps
■ Apple iWatch – iOS Apps (presumably)

Mobile App Futures
■  Wearables
■  Google Glass – Apps Platform is “Glassware”
■ Facebook
■ Twitter
■ Tumblr
■ Evernote
■ Elle Magazine
■ CNN
■ Ice Breaker

Mobile App Futures
■  Quantified Self
■  Uses
■  Fitness – Exercise / Calories / Weight
■  Diagnostics – Sleep / Ultrasound / Heart
■  Devices
■  Smart Phones – Apps like RunKeeper, Endomondo
My Fitness Pro
■  Fitbit
■  Nike+ FuelBand
■  Jawbone UP
■  Zeo, SleepBot – Sleep
■  Polar WearLink – Heart
■  Mobisante, Fraunhofer – Ultrasound

Mobile App Futures
It’s All About the Apps – New Vendor Metric?
# Device Profiles Supported
# Mobile Apps Supported

Questions & Answers
Carney Forensics
Cell Phones / Smart Phones
Smart Tablets
Computer Forensics
GPS Devices
Social Media / Email
Mobile App Litigation Readiness
Sign up for our Newsletter!!
www.carneyforensics.com

There's an App for That: Digital Forensic Realities for Mobile App Evidence, Security and Privacy

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (7)

Similar to There's an App for That: Digital Forensic Realities for Mobile App Evidence, Security and Privacy

Similar to There's an App for That: Digital Forensic Realities for Mobile App Evidence, Security and Privacy (20)

Recently uploaded

Recently uploaded (20)

There's an App for That: Digital Forensic Realities for Mobile App Evidence, Security and Privacy