
Praetorian Veracode Webinar - Mobile Privacy


Transcript of "Praetorian Veracode Webinar - Mobile Privacy"

  1. OWASP Mobile Top 10 List
     1. Insecure or unnecessary client-side data storage
     2. Lack of data protection in transit
     3. Personal data leakage
     4. Failure to protect resources with strong authentication
     5. Failure to implement least privilege authorization policy
     6. Client-side injection
     7. Client-side DOS
     8. Malicious third-party code
     9. Client-side buffer overflow
     10. Failure to apply server-side controls
  3. Static Analysis
     • Analysis of software performed without actually executing the program
     • Full coverage of the entire source or binary
     • In theory, having full application knowledge can reveal a wider range of bugs and vulnerabilities than the "trial and error" of dynamic analysis
     • Cannot identify vulnerabilities that depend on system configuration and exist only in the deployment environment
  4. Entire contents © 2011 Praetorian. All rights reserved. | Information Security Provider and Research Center | www.praetorian.com
  5. Pervasive Permissions: Where They Come From & Why Users Accept Them
     Ryan W Smith, Senior Security Researcher
     Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
  6. Android's Open App Model
     • Low barrier to entry
     • Apps hosted and installed from anywhere
     • All apps are created equal: no distinction between core apps and 3rd party apps
     • Users accept apps based on:
       1. Trust of the source
       2. Permissions requested
  7. Examples of Android Malware
     • SMS Trojan
       – SMS-based propagation
       – Link to a site hosting a rogue app posing as a "free movie player"
       – Sends 2 premium SMS messages to a Kazakhstan number (about $5 per message)
     • Geinimi
       – Repackaged apps in Chinese markets
       – Sex Positions and MonkeyJump2 are known examples
       – Bot-like capabilities, with unknown impact or purpose
     • Droid Dream
       – Approx. 50 malicious apps in the official market
       – Contained several sensitive data exfiltration capabilities
  8. Praetorian's Mobile Analyst Project (MAP)
     Phase 1: Scalable Tailored App Analysis Framework (STAAF)
     Goal: to aid an analyst's investigation of a large number of applications
     Current capabilities:
     • Extract permissions and other attributes
     • Analyze the application's code using several methods
     • Gather high-level trends, patterns, and statistics from the extracted data
  9. Initial Results :: Permissions Requests
     53,000 applications analyzed
     • Android Market: ~48,000
     • 3rd party markets: ~5,000
     Permissions requested per app
     • Average: 3
     • Most requested by a single app: 117
     Top "interesting" permissions (share of analyzed apps requesting them)
     Permission                 Share    Apps
     GPS information             24%   11,929
     Read Contacts                8%    3,626
     Send SMS                     4%    1,693
     Receive SMS                  3%    1,262
     Record Audio                 2%    1,100
     Read SMS                     2%      832
     Process Outgoing Calls       1%      323
     Use Credentials            0.5%      248
  10. Who Wants to Know?
     • Ad/Marketing Networks
     • Social Gaming Networks
  11. Initial Results :: Shared Libraries
     52,000 applications analyzed
     • Android Market: ~48,000
     • 3rd party markets: ~5,000
     Third party libraries
     • Total third party libraries: ~83,000
     Top shared libraries (share of analyzed apps embedding them)
     Library                  Share    Apps
     com.admob                 38%   18,426
     org.apache                 8%    3,684
     com.google.android         6%    2,838
     com.google.ads             6%    2,779
     com.flurry                 6%    2,762
     com.mobclix                4%    2,055
     com.millennialmedia        4%    1,758
     com.facebook               4%    1,707
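The three results slides above (STAAF's "extract permissions and other attributes", the permission census on slide 9 and the shared-library census on slide 11) describe one procedure: pull the manifest and class list out of every app, then aggregate. The following is an added example in Python of that census; it is not Praetorian's STAAF code. Its inputs are constructed AndroidManifest.xml strings and dex class-name lists for four hypothetical apps (a real pipeline would obtain them from APKs with aapt / apktool / dexdump), the mapping from slide labels to manifest permission names is assumed (e.g. "GPS information" as ACCESS_FINE_LOCATION), and the rule for reducing a class name to a library root is a heuristic chosen to reproduce roots like com.admob and com.google.ads.

```python
# Added example, not Praetorian's STAAF: permission and shared-library census
# over a set of Android apps. Inputs are constructed manifests and class lists.
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# "Interesting" permissions from the results slide, keyed by manifest name
# (assumed mapping of slide labels to android.permission.* names).
INTERESTING = {
    "android.permission.ACCESS_FINE_LOCATION": "GPS information",
    "android.permission.READ_CONTACTS": "Read Contacts",
    "android.permission.SEND_SMS": "Send SMS",
    "android.permission.RECEIVE_SMS": "Receive SMS",
    "android.permission.RECORD_AUDIO": "Record Audio",
    "android.permission.READ_SMS": "Read SMS",
    "android.permission.PROCESS_OUTGOING_CALLS": "Process Outgoing Calls",
    "android.permission.USE_CREDENTIALS": "Use Credentials",
}

# Heuristic (assumed): a library root is the first two package components,
# except under umbrella roots where the third component names the library
# (com.google.ads vs com.google.android). Platform classes are skipped.
UMBRELLA_ROOTS = {"com.google"}
PLATFORM_PREFIXES = ("android.", "java.", "javax.", "dalvik.")


def manifest_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def library_roots(app_package, class_names):
    """Attribute dex classes to third-party library roots, ignoring the app's
    own package and platform classes."""
    roots = set()
    for cls in class_names:
        if cls.startswith(app_package + ".") or cls.startswith(PLATFORM_PREFIXES):
            continue
        parts = cls.split(".")
        depth = 3 if ".".join(parts[:2]) in UMBRELLA_ROOTS else 2
        if len(parts) > depth:
            roots.add(".".join(parts[:depth]))
    return roots


def census(apps):
    """Aggregate permission and library statistics over analysed apps.
    Each app is a dict with keys package, manifest (XML string), classes."""
    perm_counter, lib_counter, per_app = Counter(), Counter(), []
    for app in apps:
        perms = manifest_permissions(app["manifest"])
        per_app.append(len(perms))
        perm_counter.update(perms)
        lib_counter.update(library_roots(app["package"], app["classes"]))
    n = len(apps)
    return {
        "apps": n,
        "avg_permissions": sum(per_app) / n if n else 0.0,
        "max_permissions": max(per_app, default=0),
        "interesting": {label: (perm_counter[p], round(100.0 * perm_counter[p] / n, 1))
                        for p, label in INTERESTING.items()} if n else {},
        "libraries": lib_counter.most_common(),
    }


def make_manifest(package, perms):
    """Build a minimal AndroidManifest.xml string (constructed test input)."""
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s<application/></manifest>' % (package, uses))


P = "android.permission."
# Constructed sample corpus of four hypothetical apps.
SAMPLE_APPS = [
    {"package": "com.example.flashlight",
     "manifest": make_manifest("com.example.flashlight",
                               [P + "INTERNET", P + "ACCESS_FINE_LOCATION", P + "READ_PHONE_STATE"]),
     "classes": ["com.example.flashlight.Main", "com.admob.android.ads.AdView",
                 "android.app.Activity", "java.lang.Object"]},
    {"package": "com.example.game",
     "manifest": make_manifest("com.example.game",
                               [P + "INTERNET", P + "ACCESS_FINE_LOCATION", P + "READ_CONTACTS", P + "SEND_SMS"]),
     "classes": ["com.example.game.Main", "com.admob.android.ads.AdView", "com.flurry.android.FlurryAgent"]},
    {"package": "com.example.notes",
     "manifest": make_manifest("com.example.notes", []),
     "classes": ["com.example.notes.NoteActivity", "org.apache.http.client.HttpClient"]},
    {"package": "com.example.wallpaper",
     "manifest": make_manifest("com.example.wallpaper", [P + "INTERNET", P + "SEND_SMS", P + "RECEIVE_SMS"]),
     "classes": ["com.example.wallpaper.Svc", "com.google.ads.AdView"]},
]

if __name__ == "__main__":
    result = census(SAMPLE_APPS)
    print("apps:", result["apps"], "avg perms:", result["avg_permissions"], "max:", result["max_permissions"])
    for label, (count, pct) in result["interesting"].items():
        if count:
            print("%-24s %5.1f%% (%d)" % (label, pct, count))
    for lib, count in result["libraries"]:
        print("%-24s %d apps" % (lib, count))
```

The library attribution is the weak link in any census like this: a root such as org.apache covers both bundled HTTP client code and anything else under that namespace, and obfuscated or relocated packages disappear from the count entirely, so percentages in the results slides should be read as lower bounds on embedded third-party code.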
  12. Do You, User, Take Thee Permissions?
     Permission groups shown to the user at install time:
     YOUR PERSONAL INFORMATION
       READ CONTACT DATA
     NETWORK COMMUNICATION
       FULL INTERNET ACCESS
     NETWORK COMMUNICATION
       VIEW NETWORK STATE
     SYSTEM TOOLS
       PREVENT DEVICE FROM SLEEPING
     PHONE CALLS
       READ PHONE STATE AND IDENTITY
     HARDWARE CONTROLS
       CONTROL VIBRATOR
     SERVICES THAT COST YOU MONEY
       SEND SMS MESSAGES
  13. What Really Happens?
     "Given a choice between dancing pigs and security, users will pick dancing pigs every time." - Bruce Schneier
  14. Numbers Can Be Deceiving
     • zsones & Droid Dream
     • SMS Replicator
     • Fake Security Tool
     • Geinimi
     • SMS Trojan
  15. If You See Something, Say Something!
     Recommendations going forward:
     1. Carefully review the app, the permissions requested, and the author, and be judicious
     2. Support third party initiatives to monitor app markets proactively
     3. Run security monitoring applications on your Android device
     4. Visit Praetorian.com for more information on mobile security services
  16. Whitelisting
     • Conduct static analysis of candidate applications
     • Create a whitelist
     • Use an unbiased 3rd party
     • Enforcement via mobile policy
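The four bullets above are one procedure: static analysis produces facts about each candidate app, a decision turns those facts into a whitelist, and a device policy enforces it. The following is an added example in Python of that decision and enforcement step; it is not Praetorian's process. The review rules (permission combinations taken from the malware patterns on slide 7), the blocked permission and library, the package names and the signer fingerprints are all illustrative assumptions, and the analysis results are constructed inline rather than extracted from real APKs. The enforcement check keys the whitelist on package name plus signing-certificate fingerprint, so a repackaged copy of an approved app (the pattern on slide 7) is refused even though its package name matches.

```python
# Added example, not Praetorian's whitelisting process: whitelist decisions
# over static-analysis output, enforced by (package, signer) pair. All rules
# and sample values below are illustrative assumptions.

# Permission combinations that send an app to manual review before it can be
# whitelisted (assumed rules modelled on the premium-SMS and exfiltration
# patterns described in the malware examples).
REVIEW_COMBINATIONS = {
    "premium SMS abuse": {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"},
    "contact data exfiltration": {"android.permission.READ_CONTACTS", "android.permission.INTERNET"},
    "covert audio capture": {"android.permission.RECORD_AUDIO", "android.permission.INTERNET"},
}
# Permissions and embedded library roots that are never whitelisted (assumed policy).
BLOCKED_PERMISSIONS = {"android.permission.PROCESS_OUTGOING_CALLS"}
BLOCKED_LIBRARIES = {"com.example.spysdk"}  # hypothetical library root


def evaluate(app):
    """Return (decision, reasons) for one analysed app, where decision is
    'allow', 'review' or 'deny'. app is a dict with keys package, signer
    (signing-certificate fingerprint), permissions (set), libraries (set)."""
    reasons = []
    perms, libs = set(app["permissions"]), set(app["libraries"])
    for p in sorted(perms & BLOCKED_PERMISSIONS):
        reasons.append("blocked permission " + p)
    for lib in sorted(libs & BLOCKED_LIBRARIES):
        reasons.append("blocked library " + lib)
    if reasons:
        return "deny", reasons
    for label, combo in REVIEW_COMBINATIONS.items():
        if combo <= perms:
            reasons.append(label + ": " + ", ".join(sorted(combo)))
    return ("review" if reasons else "allow"), reasons


def build_whitelist(apps, cleared_by_analyst=()):
    """Whitelist entries are (package, signer) pairs: every 'allow' app plus
    each 'review' app whose package an analyst has explicitly cleared."""
    entries = set()
    for app in apps:
        decision, _ = evaluate(app)
        cleared = decision == "review" and app["package"] in cleared_by_analyst
        if decision == "allow" or cleared:
            entries.add((app["package"], app["signer"]))
    return entries


def is_permitted(whitelist, package, signer):
    """Policy enforcement for an install request: package name alone is not
    enough, the signer must match the fingerprint recorded at approval time."""
    return (package, signer) in whitelist


P = "android.permission."
# Constructed static-analysis results for three hypothetical candidate apps.
CANDIDATES = [
    {"package": "com.example.notes", "signer": "sha1:11aa",
     "permissions": {P + "INTERNET"}, "libraries": set()},
    {"package": "com.example.game", "signer": "sha1:22bb",
     "permissions": {P + "INTERNET", P + "READ_CONTACTS", P + "SEND_SMS", P + "RECEIVE_SMS"},
     "libraries": {"com.admob"}},
    {"package": "com.example.dialer", "signer": "sha1:33cc",
     "permissions": {P + "PROCESS_OUTGOING_CALLS"}, "libraries": set()},
]

if __name__ == "__main__":
    for app in CANDIDATES:
        print(app["package"], evaluate(app))
    wl = build_whitelist(CANDIDATES, cleared_by_analyst={"com.example.game"})
    print("approved build permitted:", is_permitted(wl, "com.example.notes", "sha1:11aa"))
    print("repackaged build permitted:", is_permitted(wl, "com.example.notes", "sha1:dead"))
```

Keeping the analyst's clearance separate from the automatic "allow" path matters for the "unbiased 3rd party" bullet: the rules can be published and re-run by anyone, while the list of manually cleared packages is the part that needs an accountable owner.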
