Mobile ThreatsThings Your Smartphone Does When Nobody is Looking
Agenda    The “What”The Problem               Mobile Ecosystem  1              2            3              4              ...
The Problem  1
What Are The Risks Define the Threats
Moving Into The Enterprise  Bring Your Own Device Security      Compliance   Privacy
Mobile Crossroads    The Inflection Point  63%Do you trust the security of your mobile device…         Have yet to make up...
Threat Landscape     2
The Mobile Threat Landscape
Mobile MalwareMobile Networks   Decentralized   Interconnected   Mobile   Quick Content RetrievalPerfect Malware   Decentr...
Statistics
Malware Timeline2011July    August    September     October     November  Early to       Malware Wave             Exponent...
Primary TargetAndroid Most Targeted (65%)iOS Absent (<1%)                                             WHY              •  ...
Mobile Malware86%                                                            7%      Repackaging                  Update  ...
Mobile Malware37%   Privilege Escalation      •Attempts root exploits      •Small number of platform       vulnerabilities...
Application Behaviors Previous Code        Web Sources              Your CodeBinary 3rd Party     Source 3rd Party    Libr...
Case studies               …   !
Vulnerabilities• Sensitive data leakage  (inadvertent or side channel)• Unsafe sensitive data storage• Unsafe sensitive da...
Vulnerabilities• Layered APIs on common  languages• Blackberry and Android  use Java as a base• Non-issue for Objective-C ...
Mobile Ecosystem     3
The Mobile Ecosystem The Players of the Game                 Consumer
MDM Vendors The Enterprise Choke Point                              Enterprise Control Point                              ...
Mobile Anti-Virus Old Methods Rehashed                        Old Methods Rehashed                        What They Provid...
Application Markets The Distributor                   The Distributor                   What They Provide                 ...
Developers The Source              The Source               What They Provide               Enterprise Application Develop...
The Fix4
The Fix Securing Against Multiple ThreatsCapabilities Mapping     Malware DetectionVulnerability Analysis
Capabilities Mapping Features and Permissions                   Data Sources            Data Sinks                 Mapping...
Malware Detection   Learn From Previous Mistakes                                    Static Signatures                     ...
Vulnerability Analysis Find the Flaws          Environmental              Flaws  Application    Flaws
Strategic Control Points Security and Power   Application Markets                         Enterprise Developers   MDM     ...
Enterprise Fixes  De-Risk B.Y.O.DPolicyProcessTechnical  Controls
Consumer Fixes     Will Users Learn?Security Awareness• Read EULAs & prompts..• Understand permissions• Know what jail bre...
Permissions  *SCOFF*Just Let Me Fling Birds at Pigs Already!
Vendor Fixes  It Takes a Village         VerificationProcess and Policy     User Facing         Platform Security
Developer Fixes Secure Coding                  TRAINING                    SDLC                 AWARENESS
The Road Ahead Where do we go from here? Capabilities   Malware     Vulnerability    A Safer              +           +   ...
Sources Show me the data•   http://www.juniper.net/us/en/local/pdf/additional-resources/7100155-en.pdf      Juniper Networ...
Upcoming SlideShare
Loading in...5
×

The New Mobile Landscape - OWASP Ireland

254

Published on

OWASP Ireland talk on securing the new mobile landscape.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
254
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
2
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "The New Mobile Landscape - OWASP Ireland"

  1. 1. Mobile ThreatsThings Your Smartphone Does When Nobody is Looking
  2. 2. Agenda The “What”The Problem Mobile Ecosystem 1 2 3 4 Threat The Fix Landscape
  3. 3. The Problem 1
  4. 4. What Are The Risks Define the Threats
  5. 5. Moving Into The Enterprise Bring Your Own Device Security Compliance Privacy
  6. 6. Mobile Crossroads The Inflection Point 63%Do you trust the security of your mobile device… Have yet to make up their minds
  7. 7. Threat Landscape 2
  8. 8. The Mobile Threat Landscape
  9. 9. Mobile MalwareMobile Networks Decentralized Interconnected Mobile Quick Content RetrievalPerfect Malware Decentralized Interconnected Mobile Quick Content Retrieval
  10. 10. Statistics
  11. 11. Malware Timeline2011July August September October November Early to Malware Wave Exponential the Game Begins Growth
  12. 12. Primary TargetAndroid Most Targeted (65%)iOS Absent (<1%) WHY • Closed Technology 1% • Harder to Reverse Engineer 7% • Stronger OS Security 65% 27% • Better App Store Security • No Fragmentation IssueAndroidJ2MESymbianWindows Mobile Distribution of Mobile Threats by Platform 2011
  13. 13. Mobile Malware86% 7% Repackaging Update •Choose popular app •Similar to repackaging •Disassemble •Does not add full •Add malicious payloads payload •Re-assemble •Adds small downloader •Submit new app to •Payload downloaded at public market runtime Drive-By Standalone •Entice users to •Commercial spyware download malware •Non functional fake apps<1% 14% •Distributed via malicious (Fake Netflix) websites •Functional Trojan code •May or may not contain •Apps with root exploits a browser exploit
  14. 14. Mobile Malware37% Privilege Escalation •Attempts root exploits •Small number of platform vulnerabilities Remote Control •Similar to PC bots •Most use HTTP based web traffic as C&C 93% •May use more than one •Advanced C&C models exploit for attack translating from PC world •Advanced obfuscation seen in the wild Financial Charges Information Collection45% •Premium rate SMS •Both hard-coded and runtime updated numbers •Employ SMS filtering •Harvests personal information and data •User accounts •GPS location 45%SMS •SMS and emails •Phone call tapping •Ad Libraries Phone Number
  15. 15. Application Behaviors Previous Code Web Sources Your CodeBinary 3rd Party Source 3rd Party Libraries Libraries
  16. 16. Case studies … !
  17. 17. Vulnerabilities• Sensitive data leakage (inadvertent or side channel)• Unsafe sensitive data storage• Unsafe sensitive data transmission• Hardcoded password/keys
  18. 18. Vulnerabilities• Layered APIs on common languages• Blackberry and Android use Java as a base• Non-issue for Objective-C (it’s own language)
  19. 19. Mobile Ecosystem 3
  20. 20. The Mobile Ecosystem The Players of the Game Consumer
  21. 21. MDM Vendors The Enterprise Choke Point Enterprise Control Point What They Provide Device Enrollment and Management Security Management Device Configuration Device Monitoring Software Management Security Components Passcode Enforcement Encryption Feature Restriction Compliance Locate and Wipe Certificate Management
  22. 22. Mobile Anti-Virus Old Methods Rehashed Old Methods Rehashed What They Provide Quarantine and Eradicate Malware Signature Based Analysis Security Components Locate, Lock, and Wipe Cloud Analysis Spam Filtering Email Attachment Scanning Data Backup
  23. 23. Application Markets The Distributor The Distributor What They Provide Marketplace for Applications User Ratings Application Updates Security Components Application Approval Process Android Bouncer iOS Scanning
  24. 24. Developers The Source The Source What They Provide Enterprise Application Development Consumer Application Development Cross-platform Expertise Security Components Variable on Developer Capabilities
  25. 25. The Fix4
  26. 26. The Fix Securing Against Multiple ThreatsCapabilities Mapping Malware DetectionVulnerability Analysis
  27. 27. Capabilities Mapping Features and Permissions Data Sources Data Sinks Mapping • Location Data • HTTP Requests User Facing • Contacts • Outbound SMS • Email • Outbound Email • Trace Sources to Sinks • SMS Data • DNS Requests • Application “Intent” • SQL Access • TCP • Permission Mapping • File System • UDP • Human Intelligence • Photos • Vulnerable Code • Phone ID Values Code Flow Data Flow
  28. 28. Malware Detection Learn From Previous Mistakes Static Signatures Analysis Signatures Human Signatures Intelligence DynamicBasic Heuristics Analysis
  29. 29. Vulnerability Analysis Find the Flaws Environmental Flaws Application Flaws
  30. 30. Strategic Control Points Security and Power Application Markets Enterprise Developers MDM Consumer Developers Outsourced Developers Anti-Virus COTS Developers … Developers Enterprise
  31. 31. Enterprise Fixes De-Risk B.Y.O.DPolicyProcessTechnical Controls
  32. 32. Consumer Fixes Will Users Learn?Security Awareness• Read EULAs & prompts..• Understand permissions• Know what jail breaking does to the security posture of the device• Recognizing phishing and social engineering• Practice practice practice
  33. 33. Permissions *SCOFF*Just Let Me Fling Birds at Pigs Already!
  34. 34. Vendor Fixes It Takes a Village VerificationProcess and Policy User Facing Platform Security
  35. 35. Developer Fixes Secure Coding TRAINING SDLC AWARENESS
  36. 36. The Road Ahead Where do we go from here? Capabilities Malware Vulnerability A Safer + + = Mapping Detection Analysis Mobile Path
  37. 37. Sources Show me the data• http://www.juniper.net/us/en/local/pdf/additional-resources/7100155-en.pdf Juniper Network Trusted Mobility Index• http://countermeasures.trendmicro.eu/wp-content/uploads/2012/02/History-of-Mobile-Malware.pdf A History of Malware – Trend Micro• http://www.cs.berkeley.edu/~afelt/felt-mobilemalware-spsm.pdf A Survey of Mobile Malware In The Wild – UC Berkeley• http://www.securelist.com/en/analysis/204792222/Mobile_Malware_Evolution_Part_5 Mobile Malware Evolution Part 5 – Kaspersky Labs• http://www.csc.ncsu.edu/faculty/jiang/pubs/OAKLAND12.pdf Dissecting Android Malware: Characterization and Evolution – Yajin Zhou and Xuxian Jiang• http://www.fiercemobilecontent.com/story/apples-new-ios-6-adds-deep-facebook-integration-dumps-google- maps/2012-06-11 Apples new iOS 6 adds deep Facebook integration, dumps Google Maps• http://www.net-security.org/secworld.php?id=13050 LinkedIn Privacy Fail• http://www.trailofbits.com/resources/mobile_eip_2.pdf Mobile Exploit Intelligence Project – Trail of Bits• http://www.net-security.org/secworld.php?id=12418 Social Mobile Apps Found Storing User’s Content Without Permission• And More…. Contact me if you need something specific I may have left out…
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×