The New Mobile Landscape - OWASP Ireland

  • 175 views
Uploaded on

OWASP Ireland talk on securing the new mobile landscape.

OWASP Ireland talk on securing the new mobile landscape.

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
175
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
1
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Mobile ThreatsThings Your Smartphone Does When Nobody is Looking
  • 2. Agenda The “What”The Problem Mobile Ecosystem 1 2 3 4 Threat The Fix Landscape
  • 3. The Problem 1
  • 4. What Are The Risks Define the Threats
  • 5. Moving Into The Enterprise Bring Your Own Device Security Compliance Privacy
  • 6. Mobile Crossroads The Inflection Point 63%Do you trust the security of your mobile device… Have yet to make up their minds
  • 7. Threat Landscape 2
  • 8. The Mobile Threat Landscape
  • 9. Mobile MalwareMobile Networks Decentralized Interconnected Mobile Quick Content RetrievalPerfect Malware Decentralized Interconnected Mobile Quick Content Retrieval
  • 10. Statistics
  • 11. Malware Timeline2011July August September October November Early to Malware Wave Exponential the Game Begins Growth
  • 12. Primary TargetAndroid Most Targeted (65%)iOS Absent (<1%) WHY • Closed Technology 1% • Harder to Reverse Engineer 7% • Stronger OS Security 65% 27% • Better App Store Security • No Fragmentation IssueAndroidJ2MESymbianWindows Mobile Distribution of Mobile Threats by Platform 2011
  • 13. Mobile Malware86% 7% Repackaging Update •Choose popular app •Similar to repackaging •Disassemble •Does not add full •Add malicious payloads payload •Re-assemble •Adds small downloader •Submit new app to •Payload downloaded at public market runtime Drive-By Standalone •Entice users to •Commercial spyware download malware •Non functional fake apps<1% 14% •Distributed via malicious (Fake Netflix) websites •Functional Trojan code •May or may not contain •Apps with root exploits a browser exploit
  • 14. Mobile Malware37% Privilege Escalation •Attempts root exploits •Small number of platform vulnerabilities Remote Control •Similar to PC bots •Most use HTTP based web traffic as C&C 93% •May use more than one •Advanced C&C models exploit for attack translating from PC world •Advanced obfuscation seen in the wild Financial Charges Information Collection45% •Premium rate SMS •Both hard-coded and runtime updated numbers •Employ SMS filtering •Harvests personal information and data •User accounts •GPS location 45%SMS •SMS and emails •Phone call tapping •Ad Libraries Phone Number
  • 15. Application Behaviors Previous Code Web Sources Your CodeBinary 3rd Party Source 3rd Party Libraries Libraries
  • 16. Case studies … !
  • 17. Vulnerabilities• Sensitive data leakage (inadvertent or side channel)• Unsafe sensitive data storage• Unsafe sensitive data transmission• Hardcoded password/keys
  • 18. Vulnerabilities• Layered APIs on common languages• Blackberry and Android use Java as a base• Non-issue for Objective-C (it’s own language)
  • 19. Mobile Ecosystem 3
  • 20. The Mobile Ecosystem The Players of the Game Consumer
  • 21. MDM Vendors The Enterprise Choke Point Enterprise Control Point What They Provide Device Enrollment and Management Security Management Device Configuration Device Monitoring Software Management Security Components Passcode Enforcement Encryption Feature Restriction Compliance Locate and Wipe Certificate Management
  • 22. Mobile Anti-Virus Old Methods Rehashed Old Methods Rehashed What They Provide Quarantine and Eradicate Malware Signature Based Analysis Security Components Locate, Lock, and Wipe Cloud Analysis Spam Filtering Email Attachment Scanning Data Backup
  • 23. Application Markets The Distributor The Distributor What They Provide Marketplace for Applications User Ratings Application Updates Security Components Application Approval Process Android Bouncer iOS Scanning
  • 24. Developers The Source The Source What They Provide Enterprise Application Development Consumer Application Development Cross-platform Expertise Security Components Variable on Developer Capabilities
  • 25. The Fix4
  • 26. The Fix Securing Against Multiple ThreatsCapabilities Mapping Malware DetectionVulnerability Analysis
  • 27. Capabilities Mapping Features and Permissions Data Sources Data Sinks Mapping • Location Data • HTTP Requests User Facing • Contacts • Outbound SMS • Email • Outbound Email • Trace Sources to Sinks • SMS Data • DNS Requests • Application “Intent” • SQL Access • TCP • Permission Mapping • File System • UDP • Human Intelligence • Photos • Vulnerable Code • Phone ID Values Code Flow Data Flow
  • 28. Malware Detection Learn From Previous Mistakes Static Signatures Analysis Signatures Human Signatures Intelligence DynamicBasic Heuristics Analysis
  • 29. Vulnerability Analysis Find the Flaws Environmental Flaws Application Flaws
  • 30. Strategic Control Points Security and Power Application Markets Enterprise Developers MDM Consumer Developers Outsourced Developers Anti-Virus COTS Developers … Developers Enterprise
  • 31. Enterprise Fixes De-Risk B.Y.O.DPolicyProcessTechnical Controls
  • 32. Consumer Fixes Will Users Learn?Security Awareness• Read EULAs & prompts..• Understand permissions• Know what jail breaking does to the security posture of the device• Recognizing phishing and social engineering• Practice practice practice
  • 33. Permissions *SCOFF*Just Let Me Fling Birds at Pigs Already!
  • 34. Vendor Fixes It Takes a Village VerificationProcess and Policy User Facing Platform Security
  • 35. Developer Fixes Secure Coding TRAINING SDLC AWARENESS
  • 36. The Road Ahead Where do we go from here? Capabilities Malware Vulnerability A Safer + + = Mapping Detection Analysis Mobile Path
  • 37. Sources Show me the data• http://www.juniper.net/us/en/local/pdf/additional-resources/7100155-en.pdf Juniper Network Trusted Mobility Index• http://countermeasures.trendmicro.eu/wp-content/uploads/2012/02/History-of-Mobile-Malware.pdf A History of Malware – Trend Micro• http://www.cs.berkeley.edu/~afelt/felt-mobilemalware-spsm.pdf A Survey of Mobile Malware In The Wild – UC Berkeley• http://www.securelist.com/en/analysis/204792222/Mobile_Malware_Evolution_Part_5 Mobile Malware Evolution Part 5 – Kaspersky Labs• http://www.csc.ncsu.edu/faculty/jiang/pubs/OAKLAND12.pdf Dissecting Android Malware: Characterization and Evolution – Yajin Zhou and Xuxian Jiang• http://www.fiercemobilecontent.com/story/apples-new-ios-6-adds-deep-facebook-integration-dumps-google- maps/2012-06-11 Apples new iOS 6 adds deep Facebook integration, dumps Google Maps• http://www.net-security.org/secworld.php?id=13050 LinkedIn Privacy Fail• http://www.trailofbits.com/resources/mobile_eip_2.pdf Mobile Exploit Intelligence Project – Trail of Bits• http://www.net-security.org/secworld.php?id=12418 Social Mobile Apps Found Storing User’s Content Without Permission• And More…. Contact me if you need something specific I may have left out…