Session 810: The Security Risks of Mobile Environments and How to Protect Against Them
Ken Huang, Director of Security Engineering, CGI
Who am I?
• Ken Huang – Director of Security Engineering, CGI
• Cloud/Mobile Security
• Security testing and evaluation
• Identity and Access Management
• Frequent speaker
• Blog: http://mobile-cloud-security.blogspot.com/
• LinkedIn: www.linkedin.com/in/kenhuang8
• Twitter: http://twitter.com/#!/kenhuangus
Topics
• Mobile Technology and Trends
• Mobile Application and Trends
• Mobile Security and Trends
• Defense in Depth Solutions
• Conclusion and Questions
Mobile Technology and Trends
Technology trends:
• Wi-Fi
  – More Wi-Fi hotspots will be added
  – Wi-Fi still plays a huge role in WLAN
• 3G & 4G
  – 3G will gradually phase out
  – 4G networks will increase, as it is a major competing ground for carriers to attract new customers
• Bluetooth
  – Will continue to be used to connect personal network devices
• NFC
  – Will gain more momentum for NFC payment, ticketing, and check-in devices
3G vs 4G Networks
3G:
• DSL speeds
• Max speed up to 3.1 Mbps
• Includes all 2G and 2.5G features plus:
  – Real-time location-based services
  – Full motion videos
  – Streaming music
  – 3D gaming
  – Faster web browsing
4G:
• Wired network speeds
• Max speed up to 100+ Mbps
• Includes all 3G features plus:
  – On-demand video
  – Video conferencing
  – High-quality streaming video
  – High-quality Voice-over-IP (VoIP)
  – Added security features
Trends: 4G will be the winner
WiMAX vs. Wi-Fi
• Speed: WiMAX up to 4 Mbps; Wi-Fi up to 2 Mbps
• Bandwidth: WiMAX up to 75 Mbps; Wi-Fi up to 54 Mbps
• Range: WiMAX 30 miles (50 km); Wi-Fi 100 feet (30 m)
• Intended number of users: WiMAX 100+; Wi-Fi 20
• Quality of Service: WiMAX stronger encryption (TDES or AES); Wi-Fi weaker encryption (WEP or WPP)
Trends: Both WiMAX and Wi-Fi will co-exist for the foreseeable future
NFC
• Uses less power than Bluetooth
• Does not need pairing
• Based on RFID technology at 13.56 MHz
• Operating distance typically up to 10 cm
Trends: NFC will get wider use due to payment and ticketing apps
Mobile Application Trends
• Payment
  – Using your phone to pay will become a reality
• Federal Government Adoption
  – Mobile apps will become more widely used
  – Cloud and Mobile Computing: during an appearance in Silicon Valley, Aneesh Chopra, the nation’s first-ever CTO, acknowledged the inevitable emergence of cloud and mobile as solutions for the federal government, but sees them as supplementing, rather than replacing, legacy systems
  – Transportation Department gets $100 million for mobile apps
Mobile Application Trends (cont.)
• Federal Government Adoption (cont.)
  – FBI – most wanted listing app on iPhone
  – IRS – check refund status
  – The White House mobile app – news, videos, podcasts, blogs, etc.
  – More than half of federal websites are planning to develop a mobile-optimized website, according to a poll by ForeSee Results
• Productivity tool
  – Mobile apps will become more mature over time
• Banking and Mobile Commerce
  – Check balances, transfer funds, etc.
Mobile Application Trends (cont.)
• Entertainment
  – Videos, gaming, etc.
• Social networking
  – Facebook
  – Twitter
  – Foursquare
  – LinkedIn
  – Instagram
• Activists
  – Collective bargaining and strikes
• Other
  – Price comparison for various products (SnapTell)
Wi-Fi Security
• Use a strong password
• Don’t broadcast your SSID
• Use good wireless encryption (WPA, not WEP)
• Use another layer of encryption when possible (e.g. VPN, SSL)
• Restrict access by MAC address
• Shut down the network and wireless network when not in use
• Monitor your network for intruders
• Use a firewall
Trends: More Wi-Fi hotspots (but more attacks on hotspots as well) – avoid free Wi-Fi whenever possible; Wi-Fi-enabled mobile devices can become the stepping stone into your secured network
4G Security Trends
• Backward compatibility to 3G or GSM capabilities exposes 4G to 3G and GSM security vulnerabilities
• 4G also has a roaming vulnerability associated with mutual authentication: a fake network can easily claim to be a “roaming partner”
Trends: More bandwidth comes with a greater possibility of being attacked
Bluetooth Security Trends
• Bluejacking – sending either a picture or a message from one user to an unsuspecting user through Bluetooth wireless technology
• DoS attacks
• Eavesdropping
• Man-in-the-middle attacks
• Message modification
• NIST published a Guide to Bluetooth Security in 2008
Trends: Dependent on new apps on Bluetooth – I don’t see any significant increase in attacks on Bluetooth
NFC Security Trends
• Eavesdropping
  – Hacker must have a good receiver and stay close
  – To avoid this, use a secure channel as a compensating control
• Data Corruption and Modification
  – Jams the data so that it is not readable by the receiver
  – Check the RF field as a compensating control
Trends:
• Widespread adoption expected in 2015
• Secure channels for NFC
• Payments through smartphones will replace plastic cards and keys
Attack on the App
• Currently, Androids are the target due to Google’s loose vetting process
  – Law360, New York (March 15, 2012, 10:18 PM ET) -- Android cellphone users sued Google Inc. over a faulty Android app
• iPhones and iPads are lightly hacked – but will become targets in the future
Trends: Apps will be more vulnerable to attacks in the future
OWASP Top 10 Mobile Risks
• Insecure Data Storage
• Weak Server Side Controls
• Insufficient Transport Layer Protection
• Client Side Injection
• Poor Authorization and Authentication
• Improper Session Handling
• Security Decisions Via Untrusted Inputs
• Side Channel Data Leakage
• Broken Cryptography
• Sensitive Information Disclosure
• Source: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
M1: Insecure Data Storage
• Sensitive data left unprotected
• Applies to locally stored data and cloud-synced data
• Generally a result of:
  – Not encrypting data
  – Persisting data not intended for long-term storage
  – Weak or global permissions
  – Not leveraging platform best practices
• Risk
  – Confidentiality of data lost
  – Credentials disclosed
  – Privacy violations
  – Non-compliance
M2: Weak Server Side Controls
• We cannot trust the mobile client app
• Risk: confidentiality and integrity of data
M3: Insufficient Transport Layer Protection
• No encryption for data in transit
• Weak encryption (encoding is not encryption)
• Strong encryption but ignoring the security warnings
  – If certificate validation errors happen, the app falls back to clear text
• Risk: confidentiality and integrity of data
M4: Client Side Injection
• XSS or SQL injection
• SMS injection (Apple patched an iPhone SMS flaw in iOS 3.0.1 in Aug. 2009)
• Risk: toll fraud, device compromise, privilege escalation, etc.
M5: Poor Authorization and Authentication
• Device authentication based on IMEI, IMSI or UUID is not sufficient
• Hardware identifiers persist across data wipes and factory resets
• Adding contextual information is useful, but not foolproof
• Out-of-band authentication does not work when the second channel is the same device
• Risk: privilege escalation and unauthorized access
M6: Improper Session Handling
• Mobile sessions are usually longer for usability and convenience
• Why is it a bad idea to use a device identifier as the session token?
• Risk: unauthorized access and privilege escalation
M7: Security Decisions Via Untrusted Inputs
• Security decisions need to be based on server-side variables, not client input data
• Risk: can cause privilege escalation and consume paid resources
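As an added example (not from the deck), the server-side pattern behind M5, M6 and M7 in Python: a constructed user table and session store, a random expiring revocable token in place of a device identifier, and an authorization decision drawn from the server-side record rather than from any client-supplied claim. User names, roles and the 15-minute TTL are assumptions for the demo.

```python
import hmac
import secrets
import time

# Constructed demo data: the user's role lives only on the server (M7).
USERS = {"alice": {"role": "user"}, "bob": {"role": "admin"}}
# Server-side session table, token -> {"user", "expires"}; entries can be
# revoked, which a device identifier never can (M6).
SESSIONS = {}
SESSION_TTL = 15 * 60  # seconds; mobile sessions run long, so bound them


def device_id_session(imei: str) -> str:
    """The anti-pattern (M5/M6): the hardware identifier *is* the token.
    It never changes, survives a factory reset and cannot be revoked."""
    return imei


def create_session(user: str, now=None) -> str:
    """Issue an unguessable, expiring token after a real login."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSIONS[token] = {"user": user, "expires": now + SESSION_TTL}
    return token


def revoke_session(token: str) -> None:
    """Logout or suspected compromise: delete the server-side record."""
    SESSIONS.pop(token, None)


def lookup_session(token: str, now=None):
    """Return the user for a live token, or None if unknown or expired."""
    now = time.time() if now is None else now
    for stored, sess in list(SESSIONS.items()):
        # constant-time compare so a timing side channel cannot leak the token
        if hmac.compare_digest(stored.encode(), token.encode()):
            if sess["expires"] < now:
                SESSIONS.pop(stored)
                return None
            return sess["user"]
    return None


def authorize_admin(token: str, client_claims: dict, now=None) -> bool:
    """M7: the decision comes from the server-side session and user record;
    client_claims (e.g. {"role": "admin"} in the request body) is ignored."""
    user = lookup_session(token, now)
    return user is not None and USERS[user]["role"] == "admin"
```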
M8: Side Channel Data Leakage
• Caused by platform features or app flaws
• Potential channels
  – Caches
  – Keystroke logging
  – Screenshots
  – Logs (system, crash, app)
  – Temp directory
• Risk: privacy violation
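An added example, not from the deck, for the log channel above: a Python logging filter that scrubs bearer tokens, password fields, SSNs and 13-16 digit runs (card numbers, IMEIs) from app and crash log lines before any handler writes them. The rules, logger name and sample lines are constructed for illustration.

```python
import io
import logging
import re

# Constructed redaction rules for secrets that commonly leak into app and
# crash logs (M8, M10); the bearer rule runs before the digit rule so a
# token is removed whole rather than in pieces.
_RULES = [
    (re.compile(r"(?i)(authorization:\s*bearer\s+)\S+"), r"\1[REDACTED]"),
    (re.compile(r"(?i)(password|passwd|pwd)(\s*[=:]\s*)\S+"), r"\1\2[REDACTED]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN-REDACTED]"),
    # 13-16 digit runs with optional separators: card numbers, IMEIs
    (re.compile(r"\b\d(?:[ -]?\d){12,15}\b"), "[DIGITS-REDACTED]"),
]


def scrub(text: str) -> str:
    for pattern, repl in _RULES:
        text = pattern.sub(repl, text)
    return text


class RedactingFilter(logging.Filter):
    """Format once, scrub, drop raw args so no handler sees the original."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())
        record.args = ()
        return True


def log_redacted(message: str, *args) -> str:
    """Log through a filtered logger and return what the handler wrote."""
    buf = io.StringIO()
    logger = logging.getLogger("app.redacted-demo")
    logger.handlers.clear()  # keep the demo re-runnable
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addFilter(RedactingFilter())
    logger.addHandler(logging.StreamHandler(buf))
    logger.info(message, *args)
    return buf.getvalue().rstrip("\n")


# Constructed sample lines in the shape of a mobile app's crash log
SAMPLE_LINES = [
    "POST /api/pay Authorization: Bearer eyJhbGciOi.abc123.sig",
    "checkout failed for card 4111 1111 1111 1111 user ssn 123-45-6789",
    "login retry password=hunter2 imei=356938035643809",
]
```

Attach the filter to the app's root logger (or to each handler) so crash reporters and file handlers all receive the scrubbed record.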
M9: Broken Cryptography
• Broken implementation using a strong encryption library
• Custom weak encryption implementation
• Risk: loss of data confidentiality
M10: Sensitive Information Disclosure
• Hard-coded sensitive information
  – User ID, password
  – SSN
  – API keys
  – Sensitive business logic
• Risk: credentials disclosed, IP disclosed
OWASP: Top 10 Mobile Security Controls
• Identify and protect sensitive data
• Handle password credentials securely on the device
• Ensure sensitive data is protected in transit
• Implement user authentication/authorization and session management correctly
• Keep the backend APIs (REST vs. SOAP) secure
• Secure integration with third-party apps and data (ID federation)
• Get user consent for the collection and use of the data
• Implement access control and digital rights management for paid resources
• Secure distribution/provisioning of mobile apps
• Check runtime code errors
VPN for Smartphone
• Provides secure mobile access to the enterprise network
• Sample mobile VPN products
  – PandaPow VPN for Android
  – Hotspot Shield for iPhone
  – Cisco
Virus Scan and Personal Firewall for Mobile Device
• Lookout Premium
• Trend Micro Mobile Security
• F-Secure Mobile Security
• NetQin Mobile Security
• Webroot SecureAnywhere Mobile
Mobile Device Management Features
• Remote Locate – shows you the location of your phone via Web or SMS, so you can find it if it’s lost or stolen
• Remote Lock – lets you remotely lock your lost or stolen phone via Web or SMS to prevent strangers from seeing your private data or running up your mobile bill
• Remote Wipe – lets you remotely erase the data on your phone via SMS if it’s lost or stolen, including any data on your phone’s memory card
• Web-based Lost Notice – displays a customizable message to anyone who finds your missing device, so you can make arrangements to get it back
• Web-based Sneak Peek – snaps photos of anyone in front of your device and saves the images (webcam devices only)
• Antiphishing Web Protection – blocks fraudulent (phishing) websites; protects your device and your data on mobile networks and Wi-Fi connections
• Download Threat Protection – automatically scans all the apps and app updates you download to your mobile device for threats
Mobile Application Management (MAM)
• The BYOD (“Bring Your Own Device”) phenomenon is a factor behind MAM
• Manage business apps using an internal app store for both BYOD and company mobile devices
• Key features
  – App delivery
  – App updating
  – User authentication
  – User authorization
  – Version checking
  – Push services
  – Reporting and tracking
Current MAM Players
• App47
• SOTI MobiControl
• AppBlade from Raizlabs
• AppCentral
• Apperian
• Better MDM
• JackBe
• Nukona
• Partnerpedia
• WorkLight
Mobile Data Protection (MDP)
• MDP is an established market
• Safeguards stored data on mobile devices by means of encryption and authentication
• Provides evidence that the protection is working
• Widely used on Windows-based laptops
• Not yet available for mobile phones or tablets
Smartphone Encryption
• Android
  – WhisperCore: whole flash memory
  – Droid Crypt: files
  – AnDisk Encryption: files
  – RedPhone: voice
  – TextSecure: text
• iPhone
  – Impossible to encrypt the whole system
  – Update to iOS 5 to encrypt outgoing iMessages
  – Voice encryption apps: Kryptos, Cellcrypt
  – Text encryption app: Encrypt SMS
  – E-mail encryption: SecureMail uses OpenPGP
Mobile Virtualization
• Supports multiple domains/operating systems on the same hardware
• The enterprise IT department can securely manage one domain (in a virtual machine), and the mobile operator can separately manage the other domain (in a virtual machine)
Current Players in Mobile Virtualization
• Green Hills Software
• Open Kernel Labs
• Red Bend Software
• VMware
• B Labs
• Bitzer Mobile Inc
Reference: http://www.virtualization.net/tag/mobile/
Mobile Users Willing to Pay More for Security
• AdaptiveMobile published the third "Global Security Insights in Mobile" report, which indicates that 83% of people surveyed are willing to pay more for security.
Conclusion and Questions
• Defense in depth for the mobile environment
• Device Security vs. App Security
• OWASP Top 10 Risks and Controls
• VPN, Virus Scan, MDM, MAM, MDP, Encryption and Mobile Virtualization
• Questions?
Thank you for attending this session. Don’t forget to complete the evaluation!