Dirty Little Secret - Mobile Applications Invading Your Privacy

525 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
525
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Dirty Little Secret - Mobile Applications Invading Your Privacy

  1. 1. Dirty Little SecretMobile Applications Invading Your Privacy
  2. 2. Presenter Background
  3. 3. Are Mobile Applications Really Invading My Privacy?
  4. 4. Mobile Device Risks at Every Layer  APPLICATION: Apps with vulnerabilities and malicious code have access to your data and device sensors » Your device isn’t rooted but all your email and pictures are stolen, your location is tracked, and your phone bill is much higher than usual.  OS: Defects in kernel code or vendor supplied system code » iPhone or Android jailbrakes are usually exploiting these defects  HARDWARE: Baseband layer attacks » Memory corruption defects in firmware used to root your device » Demonstrated at CCC/Black Hat DC 2011 by Ralf-Philipp Weinmann  NETWORK: Interception of data over the air. » Mobile WiFi has all the same problems as laptops » GSM has shown some cracks. Chris Paget demo DEFCON 2010
  5. 5. Mobile Device Risks at Every Layer  APPLICATION: Apps with vulnerabilities and malicious code have access to your data and device sensors » Your device isn’t rooted but all your email and pictures are stolen, your location is tracked, and your phone bill is much higher than usual.  OS: Defects in kernel code or vendor supplied system code » iPhone or Android jailbrakes are usually exploiting these defects  HARDWARE: Baseband layer attacks » Memory corruption defects in firmware used to root your device » Demonstrated at CCC/Black Hat DC 2011 by Ralf-Philipp Weinmann  NETWORK: Interception of data over the air. » Mobile WiFi has all the same problems as laptops » GSM has shown some cracks. Chris Paget demo DEFCON 2010
  6. 6. 10.9 billion mobile apps downloaded in 2010, according to IDC Expected to rise to 76.9 billion apps by 2014
  7. 7. 3rd Party Applications … and account for most ofProcess Most of the Data… the vulnerabilities3rd Party Application processing of PII, critical and % of Vulnerability Disclosures Attributed to Top Tenconfidential data VendorsMarch 2009 online Forrester survey of 204 Application and Risk Management Professionals. IBM X-Force® 2008 Trend and Risk Report
  8. 8. Software Value Chain Complexity Makes it Impossible toDevelop Secure Software Crowd Sourced Current Solutions Inadequate Internal Teams Developers Dev Site A Dev Site B Security Consultants • Very expensive • In short supply iPhone • Time to results too long Dev Site C Apps Crowd Internal Sourcing Tools • Do not scale across sites Open 3rd Party • Very high noise ratio Source Open Software Software Vendors • Can not test 3rd party code Source SYMC MSFT • Separation of duties issue Outsourced Developers Offshore • Do not know how to write Oracle secure code Provider • Prioritize time-to-ship, functionality over security Processes • Difficult to implement Eastern China • Years to fine tune Europe India • Low adoption (< 1% of US Contractors companies CMMI Level 5 certified) Unknown Skills
  9. 9. Case Study – Pandora Radio 9
  10. 10. WSJ Breaks Story on Pandora Investigation “Federal prosecutors in New Jersey are investigating whether numerous smartphone applications illegally obtained or transmitted information about their users without proper disclosures” 10
  11. 11. Static Analysis  Analysis of software performed without actually executing the program  Full coverage of the entire source or binary  In theory, having full application knowledge can reveal a wider range of bugs and vulnerabilities than the “trial and error” of dynamic analysis  Impossible to identify vulnerabilities based on system configuration that exist only in the deployment environment
  12. 12. JD-Gui Analysis 12
  13. 13. AdMob Location Requests 13
  14. 14. AdMob android_id Request 14
  15. 15. Medialets Location Requests 15
  16. 16. Medialets android_id Requests 16
  17. 17. SecureStudies getDeviceId Request 17
  18. 18. Android Manifest Permissions ACCESS_CHECKIN_PROPERTIES  DISABLE_KEYGUARD  RECEIVE_SMS ACCESS_COARSE_LOCATION  DUMP  RECEIVE_WAP_PUSH ACCESS_FINE_LOCATION  EXPAND_STATUS_BAR  RECORD_AUDIO ACCESS_LOCATION_EXTRA_COMMAN  FACTORY_TEST  REORDER_TASKS DS  FLASHLIGHT  RESTART_PACKAGES ACCESS_MOCK_LOCATION  FORCE_BACK  SEND_SMS ACCESS_NETWORK_STATE  GET_ACCOUNTS  SET_ACTIVITY_WATCHER ACCESS_SURFACE_FLINGER  GET_PACKAGE_SIZE  SET_ALARM ACCESS_WIFI_STATE  GET_TASKS  SET_ALWAYS_FINISH ACCOUNT_MANAGER  GLOBAL_SEARCH  SET_ANIMATION_SCALE AUTHENTICATE_ACCOUNTS  HARDWARE_TEST  SET_DEBUG_APP BATTERY_STATS  INJECT_EVENTS  SET_ORIENTATION BIND_APPWIDGET  INSTALL_LOCATION_PROVIDER  SET_PREFERRED_APPLICATIONS BIND_DEVICE_ADMIN  INSTALL_PACKAGES  SET_PROCESS_LIMIT BIND_INPUT_METHOD  INTERNAL_SYSTEM_WINDOW  SET_TIME BIND_REMOTEVIEWS  INTERNET  SET_TIME_ZONE BIND_WALLPAPER  KILL_BACKGROUND_PROCESSES  SET_WALLPAPER BLUETOOTH  MANAGE_ACCOUNTS  SET_WALLPAPER_HINTS BLUETOOTH_ADMIN  MANAGE_APP_TOKENS  SIGNAL_PERSISTENT_PROCESSES BRICK  MASTER_CLEAR  STATUS_BAR BROADCAST_PACKAGE_REMOVED  MODIFY_AUDIO_SETTINGS  SUBSCRIBED_FEEDS_READ BROADCAST_SMS  MODIFY_PHONE_STATE  SUBSCRIBED_FEEDS_WRITE BROADCAST_STICKY  MOUNT_FORMAT_FILESYSTEMS  SYSTEM_ALERT_WINDOW BROADCAST_WAP_PUSH  MOUNT_UNMOUNT_FILESYSTEMS  UPDATE_DEVICE_STATS CALL_PHONE  NFC  USE_CREDENTIALS CALL_PRIVILEGED  PERSISTENT_ACTIVITY  USE_SIP CAMERA  PROCESS_OUTGOING_CALLS  VIBRATE CHANGE_COMPONENT_ENABLED_STA  READ_CALENDAR  WAKE_LOCK TE  READ_CONTACTS  WRITE_APN_SETTINGS CHANGE_CONFIGURATION  READ_FRAME_BUFFER  WRITE_CALENDAR CHANGE_NETWORK_STATE  READ_HISTORY_BOOKMARKS  WRITE_CONTACTS CHANGE_WIFI_MULTICAST_STATE  READ_INPUT_STATE  WRITE_EXTERNAL_STORAGE CHANGE_WIFI_STATE  READ_LOGS  WRITE_GSERVICES CLEAR_APP_CACHE  READ_PHONE_STATE  WRITE_HISTORY_BOOKMARKS CLEAR_APP_USER_DATA  READ_SMS  WRITE_SECURE_SETTINGS CONTROL_LOCATION_UPDATES  READ_SYNC_SETTINGS  WRITE_SETTINGS DELETE_CACHE_FILES  READ_SYNC_STATS  WRITE_SMS DELETE_PACKAGES  REBOOT  WRITE_SYNC_SETTINGS DEVICE_POWER  RECEIVE_BOOT_COMPLETED DIAGNOSTIC  RECEIVE_MMS
  19. 19. Permissions Requested by Pandora Application Network Communication  Phone Calls » Full Internet Access » Read Phone State and Identity » Create Bluetooth Connections » View Network State  System Tools » View Wi-Fi State » Modify Global System Settings » Prevent Device From Sleeping Your Personal Information » Bluetooth Administration » Read Contact Data » Change Wi-Fi State » Add or Modify Calendar Events and » Change Network Connectivity Send Email To Guests » Automatically Start at Boot https://market.android.com/details?id=com.pandora.android&feature=search_result – 4/25/2011 19
  20. 20. Just A Bit Deeper... Google purchases AdMob for $750 million dollars. Closed May, 2010 20
  21. 21. ESPN, CBS Interactive, Geico, Starbucks… 100,000 – 500,000 installations Permissions: • FINE (GPS) LOCATION • COARSE (NETWORK-BASED) LOCATION • FULL INTERNET ACCESS 5,000,000 – 10,000,000 installation Permissions: • RECORD AUDIO • CHANGE YOUR AUDIO SETTINGS • FINE (GPS) LOCATION • COARSE (NETWORK-BASED) LOCATION • FULL INTERNET ACCESS • MODIFY/DELETE USB STORAGE CONTENTS MODIFY/DELETE SD CARD CONTENTS • PREVENT DEVICE FROM SLEEPING Permissions retrieved from official Android Marketplace on 4/25/2011 21
  22. 22. CBSNews Advertising Networks 22
  23. 23. TV.Com Advertising Networks 23
  24. 24. Taking a Proactive Stance “… the popular Internet radio service is removing third-party advertising platforms, including Google, AdMeld and Medialets.” 24
  25. 25. What Can Be Reliably Detected? The problem is determining intent FP/FN tradeoffs with “unauthorized” behaviors » e.g. Is it good or bad that the app uses GPS? Actual vulnerabilities are more straightforward Think differently – behavioral profiling?
  26. 26. Best Practice: Embed Security Acceptance Testinginto Contracts Software contracts typically focus on features, functions, maintenance and delivery timeframes Enterprises can embed security language into contracts » New purchases or maintenance renewals are optimal times to introduce security Security testing is not functional testing, the contract should specify: » Specific security measures (for example, static analysis (code review), dynamic testing, penetration testing) » Specific process that should be used for testing » Acceptance thresholds for testing » Vulnerability correction rules
  27. 27. Best Practice: Purchase from Rated-ApprovedCOTS Vendors Make security a formal part of your vendor/product selection criteria Involve Vendor Relations/Procurement Purchase from COTS vendors that have established security certifications and independent ratings Look for security related certifications to indicate vendor commitment: » Common Criteria » FIPS-140-2 » PA-DSS (Visa PABP) » VerAfied Mark
  28. 28. Best Practice: Leverage the Power of Community Pooling the purchasing power of peer organizations to create demand for secure software Vendors will react to fill a market need Creating a community » User Groups » Customer Advisory Boards » Vendor Relations/Procurement
  29. 29. Questions?

×