1. 2011-07-13 Vladimir Jirasek: Top 10 Mobile Risks 1
TOP 10 MOBILE RISKS
Vladimir Jirasek
CISSP-ISSAP & ISSMP, CISM, CISA
Senior Enterprise Security Architect, Nokia
Steering Group, Common Assurance Maturity Model
Non-executive director, CSA UK & Ireland
2. I am going to talk about …
• Risks associated with mobile devices
• Mobile Applications threat model
• Mobile risks in an Enterprise
• Mobile device as a Trusted device
• Mobile security models
• Mobile Top 10
• Not all doom and gloom: What to look for
3. Mobile devices are ubiquitous for most people
• Mobile devices with the power of an average computer
• Used by people around the globe in personal and business life
• To access services they want, communicate with other people, shop and play, either online or via mobile apps
4. And the risks associated with the use cases are
• Mobile devices with the power of an average computer – power (CPU) and storage with seamless and always-on connectivity
• Used by people around the globe in personal and business life – traveling with people all the time; millions lost every day
• To access services they want, communicate with other people, shop and play, either online or via mobile apps – accessing potentially private and sensitive data, managing critical transactions
Mobile phone is your most personal computer and it needs to be well protected to become a trusted device.
5. Mobile device use cases threat model
• Mobile device is compromised with malware – malicious activity, loss of data, monitoring of activity, botnet
• Mobile device is lost or stolen – loss of data, potential malicious activity
• Mobile device is used to conduct malicious activity – unauthorised transactions, botnets, attack on web services
6. Mobile device risk in an Enterprise
• Un-managed personal device – un-controlled data sync (outside Enterprise control)
• Un-managed mobile device – un-controlled data access (outside Enterprise control)
7. Mobile threats summary [2]
• Web-based and network-based attacks – mobile device is connected, browsing websites with malicious content, malicious proxy servers
• Malware – traditional viruses, worms, and Trojan horses
• Social engineering attacks – phishing. Also used to install malware.
• Resource and service availability abuse – botnet, spamming, overcharging (SMS and calls)
• Malicious and unintentional data loss – exfiltration of information from phone
• Attacks on the integrity of the device’s data – malicious encryption with ransom, modification of data (address book)
8. Mobile device as a trusted device: [4,5]
How does mobile HW and OS hold up?
• Hardware: typically contains a System on Chip (SoC)
• Load Kernel and mobile OS – OS security capabilities are crucial
• Load mobile applications – application segregation, security reviews
• Enterprise apps accessed from mobile devices
If Trust is not assured from HW up then there is no trust at all!
9. Mobile Security Models [2]
• Traditional Access Control: passwords and idle-time screen locking.
• Application Provenance: Application signing and Application review in App store
• Encryption: Encryption of device data and application data
• Isolation: traditional Sandboxing and Storage separation
• Permissions-based access control: Limiting application to needed functionality only
All must be supported by Trust from HW up. Jailbreaking breaks the security model!
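The "trust from HW up" chain on the two slides above (SoC loads the kernel and OS, which loads the applications, which serve the enterprise apps) and the remark that jailbreaking breaks the model can be shown in a few lines. The following is an added example, not code from the talk or from any vendor's boot ROM: stage names and images are constructed, one shared HMAC-SHA256 key stands in for the public-key signature a real SoC checks, and the `hw_root_trusted` flag is an assumption that models a root that cannot be verified (for example an unlocked bootloader).

```python
# Added example: a minimal model of a hardware-rooted chain of trust
# (SoC -> kernel/OS -> mobile apps -> enterprise apps). Not code from the
# talk; names, images and the key are constructed for illustration.
import hashlib
import hmac

# Assumption: one signing key for every stage. On real silicon the root is a
# public-key hash fused into the SoC at manufacture and cannot be changed.
ROOT_KEY = b"constructed-soc-root-key"

# Constructed stage images, in boot order.
STAGE_IMAGES = [
    ("kernel_and_os", b"constructed kernel and mobile OS image v1"),
    ("mobile_apps", b"constructed signed application bundle"),
    ("enterprise_apps", b"constructed enterprise application"),
]


def sign(image, key=ROOT_KEY):
    """Producer side: the tag the previous stage checks before handing over control."""
    return hmac.new(key, image, hashlib.sha256).digest()


def verify(image, tag, key=ROOT_KEY):
    """Constant-time comparison so the check itself does not leak the expected tag."""
    return hmac.compare_digest(sign(image, key), tag)


def build_stages(tampered=None):
    """Return (name, image, tag) triples. Tags are computed over the genuine
    images; if `tampered` names a stage, that image is altered after signing,
    which is what a jailbreak or a malware-patched kernel looks like to the
    verifier."""
    stages = []
    for name, image in STAGE_IMAGES:
        tag = sign(image)
        if name == tampered:
            image = image + b" [patched]"
        stages.append((name, image, tag))
    return stages


def boot_chain(stages, hw_root_trusted=True):
    """Walk the chain. A stage is trusted only if every earlier stage was
    trusted AND its own signature verifies; one failure poisons everything
    after it. Returns {stage_name: trusted}."""
    trusted = hw_root_trusted
    verdict = {}
    for name, image, tag in stages:
        trusted = trusted and verify(image, tag)
        verdict[name] = trusted
    return verdict


if __name__ == "__main__":
    print("intact:        ", boot_chain(build_stages()))
    print("patched kernel:", boot_chain(build_stages(tampered="kernel_and_os")))
    print("patched apps:  ", boot_chain(build_stages(tampered="mobile_apps")))
    print("untrusted HW:  ", boot_chain(build_stages(), hw_root_trusted=False))
```

The last two runs are the point of the slides: a patched kernel invalidates every later stage even though the application signatures are still good, and an untrusted hardware root leaves nothing trusted no matter how well the software above it verifies.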
10. Veracode Mobile Top 10 [1]
Malicious Functionality
1. Activity monitoring and data retrieval
2. Unauthorized dialing, SMS, and payments
3. Unauthorized network connectivity (exfiltration or command & control)
4. UI Impersonation
5. System modification (rootkit, APN proxy config)
6. Logic or Time bomb
Vulnerabilities
7. Sensitive data leakage (inadvertent or side channel)
8. Unsafe sensitive data storage
9. Unsafe sensitive data transmission
10. Hardcoded password/keys
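Items 8, 9 and 10 of the list are the ones a reviewer can go looking for in source before the app ships. The scanner below is an added example, not Veracode's tooling and not from the talk: it runs three heuristic patterns over a constructed Java snippet. The Android (`MODE_WORLD_READABLE`, `getExternalStorageDirectory()`) and Apache HttpClient (`ALLOW_ALL_HOSTNAME_VERIFIER`) identifiers are real; the sample class, its constants and the rule set are assumptions, and a hit is a lead for a human reviewer rather than proof of a vulnerability.

```python
# Added example: heuristic source scan for Veracode Top 10 items 8, 9, 10.
# Not the talk's code; the Java sample and the rules are constructed.
import re
from collections import Counter

# (item number, label, pattern). Identifiers matched are real Android and
# Apache HttpClient names; everything else is a plain-text heuristic.
RULES = [
    (10, "Hardcoded password/keys",
     re.compile(r'(?i)\b(password|passwd|pwd|api[_-]?key|secret|private[_-]?key)\b\s*=\s*"[^"]{4,}"')),
    (9, "Unsafe sensitive data transmission",
     re.compile(r'"http://[^"]*"|ALLOW_ALL_HOSTNAME_VERIFIER')),
    (8, "Unsafe sensitive data storage",
     re.compile(r'MODE_WORLD_(READABLE|WRITEABLE)|getExternalStorageDirectory\(\)')),
]

# Constructed sample, not real application code.
SAMPLE_SOURCE = """\
package com.example.bank;
public class Session {
    private static final String API_KEY = "CONSTRUCTED-KEY-0000";
    private static final String ENDPOINT = "http://api.example.invalid/v1";
    void save(Context ctx, String token) {
        SharedPreferences p = ctx.getSharedPreferences("s", Context.MODE_WORLD_READABLE);
        p.edit().putString("token", token).apply();
    }
    void connect(SSLSocketFactory factory) {
        factory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    }
    private static final String SAFE_ENDPOINT = "https://api.example.invalid/v1";
}
"""


def scan_source(text):
    """Return (line_number, item_number, label, stripped_line) for every rule
    hit, in source order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for item, label, pattern in RULES:
            if pattern.search(line):
                findings.append((line_no, item, label, line.strip()))
    return findings


def summarize(findings):
    """Count findings per Top 10 item number."""
    return dict(Counter(item for _, item, _, _ in findings))


if __name__ == "__main__":
    for line_no, item, label, snippet in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: [{item}] {label}: {snippet}")
    print(summarize(scan_source(SAMPLE_SOURCE)))
```

On the sample the scan flags the hardcoded key (item 10), the cleartext endpoint and the disabled hostname check (item 9), and the world-readable preferences file (item 8), while the `https://` constant on the last line is left alone. Item 7 (side-channel leakage) is deliberately not covered: it needs dynamic analysis rather than a text pattern.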
11. Summary: What to look for
Device and applications
• Do not jail-break the device
• Utilise mobile OS security features (access control, encryption)
• Follow data classification policies – what data can be on mobile devices and what protection is required
• Follow best practices for mobile application development
Enterprise Network
• Configure VPN for mobile devices
• Provision VPN profiles for seamless connectivity
• Monitor traffic for data exfiltration
• Enable processes to wipe devices
• Data security policy includes device capabilities and position
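"Monitor traffic for data exfiltration" is easiest once mobile devices come in over the VPN the slide recommends, because every device then has a known source address. The check below is an added example, not from the talk or any product: it sums the bytes each VPN-pool device sends to destinations outside the corporate range and flags the ones over a threshold. The address ranges, the 20 MiB threshold and the flow records are constructed assumptions.

```python
# Added example: per-device outbound volume check over flow records, for the
# "monitor traffic for data exfiltration" item. Not the talk's code; ranges,
# threshold and records are constructed.
import ipaddress
from collections import defaultdict

# Assumption: mobile VPN clients get addresses from this pool, and anything
# outside the corporate range counts as an external destination.
VPN_POOL = ipaddress.ip_network("10.200.0.0/16")
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumption: 20 MiB outbound to external hosts per device per window is the
# review threshold.
THRESHOLD_BYTES = 20 * 1024 * 1024

# Constructed flow records: "src_ip dst_ip dst_port bytes_out"
SAMPLE_FLOWS = """\
10.200.1.10 10.1.5.20 443 1200000
10.200.1.10 203.0.113.40 443 33554432
10.200.1.11 10.1.5.20 443 900000
10.200.1.11 198.51.100.7 443 150000
10.200.1.12 203.0.113.9 8443 25000000
10.1.5.20 203.0.113.40 443 50000000
"""


def is_corporate(addr):
    return any(addr in net for net in CORPORATE_NETS)


def external_bytes_by_device(flow_text):
    """Sum bytes each VPN-pool device sent to non-corporate destinations.
    Sources outside the pool (servers) are ignored here, and malformed lines
    are skipped rather than crashing the monitor."""
    totals = defaultdict(int)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            nbytes = int(parts[3])
        except ValueError:
            continue
        if src not in VPN_POOL or is_corporate(dst):
            continue
        totals[str(src)] += nbytes
    return dict(totals)


def flag_exfiltration(flow_text, threshold=THRESHOLD_BYTES):
    """Devices whose external outbound volume exceeds the threshold,
    largest first."""
    totals = external_bytes_by_device(flow_text)
    flagged = [(dev, n) for dev, n in totals.items() if n > threshold]
    return sorted(flagged, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for device, nbytes in flag_exfiltration(SAMPLE_FLOWS):
        print(f"review {device}: {nbytes} bytes to external hosts")
```

A volume threshold is a coarse first filter; in practice it is paired with the data classification policy from the left-hand column, so that the alert can say which device, holding which class of data, sent the traffic.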
12. Resources
1. Veracode Mobile app Top 10 - http://www.veracode.com/blog/2010/12/mobile-app-top-10-list/
2. Symantec Security Analysis of iOS and Android - http://www.symantec.com/about/news/release/article.jsp?prid=20110627_02
3. Mobile Trusted Computing Platform - http://www.trustedcomputinggroup.org/developers/mobile
4. Understanding HW architecture of Smartphones - http://hubpages.com/hub/Understanding-the-hardware-architecture-of-smartphones
5. A Perspective on the Evolution of Mobile Platform Security Architectures, Nokia - http://asokan.org/asokan/research/platsec-comparison-ETHZ-mar2011.pdf
6. Security in Windows Phone 7 - http://msdn.microsoft.com/en-us/library/ff402533(v=VS.92).aspx