Praetorian Veracode Webinar - Mobile Privacy
    Presentation Transcript

    • OWASP Mobile Top 10 List
      1. Insecure or unnecessary client-side data storage
      2. Lack of data protection in transit
      3. Personal data leakage
      4. Failure to protect resources with strong authentication
      5. Failure to implement least privilege authorization policy
      6. Client-side injection
      7. Client-side DOS
      8. Malicious third-party code
      9. Client-side buffer overflow
      10. Failure to apply server-side controls

    • Static Analysis
      – Analysis of software performed without actually executing the program
      – Full coverage of the entire source or binary
      – In theory, having full application knowledge can reveal a wider range of bugs and vulnerabilities than the “trial and error” of dynamic analysis
      – Impossible to identify vulnerabilities based on system configuration that exist only in the deployment environment
    • Entire contents © 2011 Praetorian. All rights reserved. | Information Security Provider and Research Center | www.praetorian.com
    • Pervasive Permissions: Where They Come From & Why Users Accept Them
      Ryan W Smith, Senior Security Researcher

    • Android’s Open App Model
      – Low barrier to entry
      – Apps hosted and installed from anywhere
      – All apps are created equal
      – No distinction between core apps and 3rd party apps
      – Accept apps based on:
        1. Trust of the source
        2. Permissions requested
    • Examples of Android Malware
      SMS Trojan
      – SMS-based propagation
      – Link to site hosting rogue app for “free movie player”
      – Sends 2 premium SMS messages to a Kazakhstan number (about $5 per message)
      Geinimi
      – Repackaged apps in Chinese market
      – Sex Positions and MonkeyJump2 are known examples
      – Bot-like capabilities, with unknown impact or purpose
      Droid Dream
      – Approx. 50 malicious apps in official market
      – Contained several sensitive-data exfiltration capabilities

    • Praetorian’s Mobile Analyst Project (MAP)
      Phase 1: Scalable Tailored App Analysis Framework (STAAF)
      Goal: To aid an analyst’s investigation of a large number of applications
      Current capabilities:
      – Extract permissions and other attributes
      – Analyze the application’s code using several methods
      – Gather high level trends, patterns, and statistics from extracted data

    • Initial Results :: Permissions Requests
      53,000 applications analyzed
      – Android Market: ~48,000
      – 3rd party markets: ~5,000
      Permissions requested
      – Average: 3
      – Most requested by a single app: 117
      Top “interesting” permissions
      – GPS information: 24% (11,929)
      – Read Contacts: 8% (3,626)
      – Send SMS: 4% (1,693)
      – Receive SMS: 3% (1,262)
      – Record Audio: 2% (1,100)
      – Read SMS: 2% (832)
      – Process Outgoing Calls: 1% (323)
      – Use Credentials: 0.5% (248)
    • Who Wants to Know?
      – Ad/Marketing Networks
      – Social Gaming Networks

    • Initial Results :: Shared Libraries
      52,000 applications analyzed
      – Android Market: ~48,000
      – 3rd party markets: ~5,000
      Third party libraries
      – Total third party libraries: ~83,000
      Top shared libraries
      – com.admob: 38% (18,426 apps)
      – org.apache: 8% (3,684 apps)
      – com.google.android: 6% (2,838 apps)
      – com.google.ads: 6% (2,779 apps)
      – com.flurry: 6% (2,762 apps)
      – com.mobclix: 4% (2,055 apps)
      – com.millennialmedia: 4% (1,758 apps)
      – com.facebook: 4% (1,707 apps)

    • Do You User, Take Thee Permissions?
      – YOUR PERSONAL INFORMATION: READ CONTACT DATA
      – NETWORK COMMUNICATION: FULL INTERNET ACCESS
      – NETWORK COMMUNICATION: VIEW NETWORK STATE
      – SYSTEM TOOLS: PREVENT DEVICE FROM SLEEPING
      – PHONE CALLS: READ PHONE STATE AND IDENTITY
      – HARDWARE CONTROLS: CONTROL VIBRATOR
      – SERVICES THAT COST YOU MONEY: SEND SMS MESSAGES

    • What Really Happens?
      “Given a choice between dancing pigs and security, users will pick dancing pigs every time.” – Bruce Schneier
    • Numbers Can Be Deceiving
      – zsones & Droid Dream
      – SMS Replicator
      – Fake Security Tool
      – Geinimi
      – SMS Trojan

    • If You See Something, Say Something!
      Recommendations going forward
      1. Carefully review the app, the permissions requested, and the author, and be judicious
      2. Support third party initiatives to monitor app markets proactively
      3. Run security monitoring applications on your Android device
      4. Visit Praetorian.com for more information on mobile security services

    • Whitelisting
      – Conduct static analysis of candidate applications
      – Create a whitelist
      – Use an unbiased 3rd party
      – Enforcement via mobile policy
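The STAAF capabilities (extract permissions, gather statistics) and the whitelisting slide describe the same workflow: pull the requested permissions out of each manifest, count how often the “interesting” ones appear across a corpus, and pass only apps whose permissions fit policy. The script below is an added illustration written for this page, not Praetorian's STAAF code; it assumes manifests already decoded to plain XML and uses a constructed corpus of four hypothetical apps.

```python
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"  # namespace of android:name
# The permissions the deck singles out as "interesting" (privacy or cost impact).
INTERESTING = {
    "android.permission.ACCESS_FINE_LOCATION": "GPS information",
    "android.permission.READ_CONTACTS": "Read Contacts",
    "android.permission.SEND_SMS": "Send SMS",
    "android.permission.RECEIVE_SMS": "Receive SMS",
    "android.permission.RECORD_AUDIO": "Record Audio",
    "android.permission.READ_SMS": "Read SMS",
    "android.permission.PROCESS_OUTGOING_CALLS": "Process Outgoing Calls",
    "android.permission.USE_CREDENTIALS": "Use Credentials",
}

def extract_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}

def permission_stats(manifests):
    """Map each interesting permission to (number of apps requesting it, percent of all apps)."""
    counts = Counter()
    for xml in manifests.values():
        counts.update(extract_permissions(xml) & set(INTERESTING))
    total = len(manifests)
    return {INTERESTING[p]: (n, round(100.0 * n / total, 1)) for p, n in counts.items()}

def whitelist_candidates(manifests, allowed):
    """Apps whose every requested permission lies inside the policy's allowed set."""
    return sorted(app for app, xml in manifests.items() if extract_permissions(xml) <= allowed)

def _manifest(pkg, *perms):
    # Build a minimal constructed manifest; real ones are binary XML and need decoding first.
    body = "".join('<uses-permission android:name="%s"/>' % p for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s</manifest>' % (pkg, body))

# Constructed sample corpus (hypothetical package names, not real apps).
SAMPLE_APPS = {
    "com.example.flashlight": _manifest("com.example.flashlight", "android.permission.INTERNET"),
    "com.example.notes": _manifest("com.example.notes"),
    "com.example.maps": _manifest("com.example.maps", "android.permission.INTERNET",
        "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_CONTACTS"),
    "com.example.freeplayer": _manifest("com.example.freeplayer", "android.permission.INTERNET",
        "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"),
}
```

With the sample corpus, `permission_stats(SAMPLE_APPS)` reports Send SMS, Receive SMS, GPS and Read Contacts at one app each (25%), and `whitelist_candidates(SAMPLE_APPS, {"android.permission.INTERNET"})` keeps only the flashlight and notes apps.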