Symantec Mobile Security Whitepaper June 2011

Mobile Device Security:A summary of the securityapproaches employed inApple’s iOS and Google’sAndroid

Introduction• Today’s popular mobile platforms were designed with security in mind, but these provisions are not always sufficient in protecting enterprise assets• In this presentation: – Today’s major mobile threats – Mobile device security models – Analysis of Apple’s iOS – Analysis of Google’s Android – The mobile device ecosystem – Mobile security solutions 2

Today’s Major Mobile Threats• Web-based and network-based attacks: – Typically launched by malicious websites or compromised legitimate sites• Malware: – Three high-level categories: viruses, worms and Trojan horse programs 3

Today’s Major Mobile Threats• Social engineering attacks: – Leverage social engineering to trick users into disclosing sensitive information; can also be used to entice a users to install malware• Resource abuse attacks: – Misuse network, computing or identity resources of a device; two most common such abuses are sending spam and launching DoS attacks 4

Today’s Major Mobile Threats• Data loss: – Employee or hacker exfiltrates sensitive information from protected device or network; loss can be unintentional or malicious.• Data integrity threats: – Corrupt or modify data without permission of the data’s owner; motivations may include disrupting enterprise operations and financial gain (data ransom fee) 5

Mobile Device Security Models• Traditional access control: – Protects devices by using techniques such as passwords and idle-time screen locking• Application provenance: – Each app is stamped with identity of author and made tamper resistant; enables user to decide whether or not to use app based on identity of author• Encryption: – Conceals data at rest on the device to address device loss or theft 6

Mobile Device Security Models• Isolation: – Limits app’s ability to access sensitive data or systems on device• Permissions-based access control: – Grants set of permissions to each app and then limits each app to accessing device data/systems within the scope of permissions 7

High Level Analysis of Apple’s iOS• iOS security model well designed and thus has far proven largely resistant to attack• iOS’s security model offers strong protection against traditional malware, primarily due to Apple’s rigorous app certification process and their developer certification process, which vets the identity of each software author and weeds out attackers. 8

High Level Analysis of Google’s Android• Android’s security model a major improvement over traditional computing platforms; ultimately relies on users to make important security decisions and most users are unequipped to do this:• Google has opted for a less rigorous certification model, permitting any software developer to create and release apps anonymously, without inspection. This lack of certification has arguably led to today’s increasing volume of Android-specific malware. 9

Mobile Platform Security Summary 10

Mobile Device Ecosystem• iOS and Android devices do not work in a vacuum – Connect to one or more cloud-based services (enterprise Exchange server, Gmail, MobileMe, etc.), home or work PC, or all of above• When properly deployed, both platforms allow users to simultaneously synchronize devices with private and enterprise cloud services without risking data exposure – However, there are several scenarios in which services may be abused by employees, resulting in exposure of enterprise data 11

Mobile Device Ecosystem• Scenario #1 12

Mobile Security Solutions• Mobile antivirus: – Scanners for Android, but iOS’s isolation model prevents implementing on iOS devices – Effective at detecting known threats, but provide little protection against unknown threats; expect traditional scanners to be replaced by cloud- enabled, reputation-based protection – Addresses threats in malware threat category and subset of malware- based attacks in resource abuse, data loss and data integrity categories• Secure browser: – Secure browser apps for iOS and Android checks visited URLs against blacklist or reputation database and blocks malicious pages – User must use the third-party secure Web browser to do all surfing – Secure browsers address Web-based attacks and social engineering attacks; can also potentially block malware downloaded through browser 15

Mobile Security Solutions• Mobile device management (MDM) – Enables admins to remotely manage iOS and Android devices – Admins can set security policies such as password strength, VPN settings, screen lock duration; can also disable specific device functions, wipe missing devices and use the device’s GPS to locate missing device – Doesn’t specifically protect against any one threat category, but helps reduce risk of attack from many categories• Enterprise Sandbox – Aims to provide secure environment where enterprise resources such as email, calendar, contacts, corporate websites and sensitive documents can be accessed – Essentially divides device’s contents into two zones: secure zone for the enterprise data, and insecure zone for the employee’s personal and private data. – Focused on preventing malicious and unintentional data loss; though doesn’t block other attack categories explicitly, does limit impact of other attacks 16

Mobile Security Solutions• Data loss prevention (DLP) – Scan publicly accessible storage areas of device for sensitive materials – Due to iOS’s isolation system, iOS-based DLP tools only inspect calendar and contact lists – On Android, could scan external flash storage, email and SMS inboxes, as well as calendar and contact lists – Due to isolation models, unable to scan data of other apps 17

Thank you!For more information, please visit:Podcast - http://bit.ly/ipQUOfBlog post - http://bit.ly/mk6YwtInfographic - http://bit.ly/leQBtVCopyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates inthe U.S. and other countries. Other names may be trademarks of their respective owners.This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied,are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. 18

http://172.17.120.14	84
http://hiddenspider.net	8
http://paper.li	2
http://twitter.com	1

Symantec Mobile Security Whitepaper June 2011

by Symantec

Accessibility

Categories

Upload Details

Usage Rights

4 Embeds 95

Statistics

Symantec Mobile Security Whitepaper June 2011 Presentation Transcript