3. Who knows more about you than your smartphone?
• Call history
• Contacts
• Messages
• Social networking
• Mobile banking
• Documents
• Photos
• Videos
• PINs & passwords
• Visited websites
16. Mobile malware - spyware
• Commercial spyware focuses on information theft
• Flexispy (cross-platform commercial spyware)
  – Listens in on an active phone call (call interception)
  – Secretly reads SMS, call logs, email and cell ID, and makes spy calls
  – Listens in on the phone's surroundings
  – Secret GPS tracking
  – Highly stealthy (undetectable to the user while running)
• Many small tools for lawful and unlawful use are produced by many small companies
18. Reduced security by hardware design
• Poor screen, poor input controls
• User diagnostic capabilities are reduced: there is no easy way to check what is going on
• Critical situations that require the user to analyse what is on the screen (SSL certificate warnings, email) are hard to handle
23. New attack direction
• Racketeering
• VPN usage
• Spam
• Botnets
• Contacts stealing
• Device blocking
• Photo folder stealing
• Storage card mirroring
• Phishing
• PayPal and other payment system password extraction
24. Application Backend Security
Application farm security vulnerabilities:
• Web server security bugs
• Database server security bugs
• Storage server security bugs
• Load balancer security bugs
Web application security vulnerabilities
-OWASP Top 10 security problems
-Advanced Web application attacks
Web service security vulnerabilities
Client application security vulnerabilities
25. Mobile security specific issues
• Secure data storage on a removable card?
• Multiple user support with security?
• Strong authentication with a poor keyboard?
Try to type a passphrase:
P4rtyn%!ter.nd@‟01
Mobile malware attacks and other exploits are no longer just theoretical occurrences discussed by security researchers and vendors keen on cashing in on a projected market. The threats to mobile devices are real, and reach far beyond simple viruses to include malware, loss and theft, data communication interception, exploitation and misconduct, and direct attacks. Mobile malware and exploitation techniques have already reached the complexity and capabilities of their counterparts in wired networks. Malware developers are capable of researching, uncovering, and leveraging weaknesses in mobile platform security models, as well as inherent weaknesses in app stores and open ecosystems. A lack of oversight, coupled with an exploding number of new consumers who lack security awareness (or are disinterested in the mundane aspects of mobile security) and have access to a plethora of new apps for their mobile devices, is creating a recipe for a catastrophic malware disaster. As mobile device usage increases, the absence of installed mobile security products is playing an enabling role in the vulnerability of mobile devices and the exploitation of sensitive data and personally identifiable information (PII).
Why are we talking about this? Information about partners, blackmail, social engineering.
Smartphones and other mobile devices serve the same functions as laptop computers, with comparable computing power, but with little or no endpoint security. What a phone holds:
• phone call logs
• address book
• emails
• SMS
• mobile browser history
• documents
• calendar
• voice calls pass through it (volatile, but not that much)
• corporate network access
• GPS tracking data
Enterprise employees use it for their business activity. Mobile phones have become the most personal and private item we own. Leave the house and you take three things: house and car keys, portfolio, mobile phone.
Because every day there are new security incidents on mobile platforms around the world.
Leverage social engineering to trick users into disclosing sensitive information; it can also be used to entice a user to install malware. Misuse the network, computing or identity resources of a device; the two most common such abuses are sending spam and launching DoS attacks.
Installing applications through links sent by SMS/MMS; SMS theft; SMS replicator.
MAIL SECURITY
• SMS interpreter exploit
• SMS used to deliver web attacks
• SMS mobile data hijacking through SMS provisioning
• iPhone SMS remote exploit: http://news.cnet.com/8301-27080_3-10299378-245.html
• Send a WAP Push OTA configuration message to reconfigure DNS (a little social engineering is needed): redirection, phishing, MITM, SSL attacks, protocol downgrade, etc.
• SMSC filters are sometimes applied, and often bypassed
• Only 160 characters (140 bytes) per SMS, with concatenation supported
• CLI (caller ID) spoofing is extremely easy
• Service Loading (SL) primer
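The WAP Push mechanism behind the SL and OTA-provisioning attacks above can be recognised on the wire: the push rides in an SMS whose User Data Header addresses destination port 2948, and the WSP push PDU names its content type. The following script is an added example, not code from the talk; it classifies a raw SMS user-data field and flags Service Loading (SL) and OMA client-provisioning (CP) pushes as high risk. Port numbers and content-type codes are the standard WDP/WSP assignments; the three sample messages are constructed by hand and the WBXML bodies are not decoded.

```python
"""Added example (not code from the original talk): classify a raw SMS
user-data field as a WAP Push and flag the two push types behind the attacks
above. Service Loading (SL) tells the handset to fetch a URL with little or
no user interaction; OMA client provisioning (CP) carries OTA settings that
can rewrite DNS/proxy/APN. Port numbers and content-type codes are the
standard WDP/WSP assignments; the sample messages are constructed by hand."""
from dataclasses import dataclass
from typing import Optional, Tuple

WAP_PUSH_PORT = 2948   # WDP destination port for connectionless WAP Push
WSP_PDU_PUSH = 0x06    # WSP PDU type "Push"

# WSP well-known content types (assigned number | 0x80) found in push messages
CONTENT_TYPES = {
    0xAE: "application/vnd.wap.sic",                 # Service Indication: prompts the user
    0xB0: "application/vnd.wap.slc",                 # Service Loading: auto-fetches a URL
    0xB6: "application/vnd.wap.connectivity-wbxml",  # OMA CP: OTA settings (DNS, proxy, APN)
}
HIGH_RISK = {
    0xB0: "HIGH: Service Loading can fetch a URL without asking the user",
    0xB6: "HIGH: OTA provisioning can change DNS/proxy/APN and enable MITM",
}


@dataclass
class PushVerdict:
    is_wap_push: bool
    content_type: Optional[str]
    risk: str


def parse_udh(user_data: bytes) -> Tuple[Optional[int], Optional[int], bytes]:
    """Walk the User Data Header (UDHI set) and return (dest_port, src_port, body)."""
    udhl = user_data[0]
    i, end = 1, 1 + udhl
    dest = src = None
    while i + 1 < end:
        iei, iedl = user_data[i], user_data[i + 1]
        val = user_data[i + 2:i + 2 + iedl]
        if iei == 0x05 and iedl == 4:    # application port addressing, 16-bit ports
            dest = int.from_bytes(val[0:2], "big")
            src = int.from_bytes(val[2:4], "big")
        elif iei == 0x04 and iedl == 2:  # application port addressing, 8-bit ports
            dest, src = val[0], val[1]
        i += 2 + iedl
    return dest, src, user_data[end:]


def read_uintvar(buf: bytes, i: int) -> Tuple[int, int]:
    """Decode a WSP uintvar (7 bits per byte, high bit = continuation)."""
    value = 0
    while True:
        b = buf[i]
        i += 1
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, i


def classify(user_data: bytes) -> PushVerdict:
    """Decide whether an SMS user-data field carries a WAP Push and how risky it is."""
    dest, _src, wsp = parse_udh(user_data)
    if dest != WAP_PUSH_PORT or len(wsp) < 4 or wsp[1] != WSP_PDU_PUSH:
        return PushVerdict(False, None, "not a WAP Push")
    _headers_len, i = read_uintvar(wsp, 2)      # wsp[0] = TID, wsp[1] = PDU type
    first = wsp[i]
    if first < 0x20:                             # Value-length form: length, then type + params
        i = i + 1 if first < 0x1F else read_uintvar(wsp, i + 1)[1]
        first = wsp[i]
    code = first if first & 0x80 else None       # short-integer well-known type, or text form
    if code is not None:
        ctype = CONTENT_TYPES.get(code, f"well-known type 0x{code:02x}")
    else:                                        # text-form content type, NUL-terminated
        ctype = wsp[i:wsp.index(0, i)].decode("ascii", "replace")
    return PushVerdict(True, ctype, HIGH_RISK.get(code, "review: user-visible push"))


# Constructed samples, not captured traffic. UDH: IEI 0x05 (application ports),
# destination 2948 (WAP Push), source 9200 (WAP connectionless session service).
_PUSH_UDH = bytes.fromhex("06 05 04 0B84 23F0")
# WSP: TID 01, type 06 (Push), headers length 3, content type B0 (SL), then
# X-Wap-Application-Id (AF) = wml.ua (82). Body: a WBXML SL document carrying
# the attacker's URL (constructed; not decoded by this script).
SL_PUSH = (_PUSH_UDH + bytes.fromhex("01 06 03 B0 AF 82")
           + b"\x02\x06\x6a\x00\x85\x09\x03attacker.example/a.wml\x00\x01")
# OMA CP push: content type B6 and no further headers (headers length 1).
CP_PUSH = _PUSH_UDH + bytes.fromhex("02 06 01 B6") + b"\x03\x0b\x6a\x00\x45\x01"
# Ordinary concatenated text (IEI 0x00: ref A1, 2 parts, part 1): no app ports.
CONCAT_TEXT = bytes.fromhex("05 00 03 A1 02 01") + b"Hello from part 1"

if __name__ == "__main__":
    for label, msg in (("SL", SL_PUSH), ("CP", CP_PUSH), ("text", CONCAT_TEXT)):
        print(f"{label:>4}: {classify(msg)}")
```

A Service Indication (0xAE) still prompts the user, so it is reported for review rather than as high risk; an SL or CP push from an unknown sender is the case to block at the SMSC filter or on the handset.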
How it gets there:
• A popular app is disassembled, a chunk of "bad" code is injected, it is recompiled and uploaded to the market
• A friend sends you an APK to install from the SD card
• MARKETS
• Wi-Fi = network, mobile = PC/OS
Mention the jailbreak in Cydia via PDF. XSS and SQL injection attacks. Cookie theft, sniffing.
Now let's talk about how to protect against the threats mentioned above.
USE ONLY SECURE connections. USE a VPN for sensitive resources (VPN for surfing through a trusted enterprise proxy). USE more secure protocols for applications (TLS 1.1 at the time; today TLS 1.2 or later). Do not use payment systems in an insecure environment. USE cookies with the Secure flag!!! Back up regularly!!!
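The Secure flag is what stops a session cookie from being sniffed on an open Wi-Fi network, and HttpOnly is what limits the cookie theft via XSS mentioned earlier. The script below is an added example, not code from the talk: it audits the Set-Cookie headers of an HTTP response for both flags and rewrites a weak header into a hardened one. The response is constructed; attribute names follow RFC 6265.

```python
"""Added example (not code from the original talk): audit the Set-Cookie
headers of an HTTP response for the Secure flag (the browser never sends the
cookie over plain HTTP, which defeats sniffing on open Wi-Fi) and HttpOnly
(script cannot read it, which limits cookie theft via XSS), and rewrite a
weak header into a hardened one. The response sample is constructed."""
from typing import List, Tuple

REQUIRED_FLAGS = ("Secure", "HttpOnly")


def parse_set_cookie(header: str) -> Tuple[str, str, List[Tuple[str, str]]]:
    """Split 'name=value; Attr; Attr=val' into (name, value, [(attr, val), ...])."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = []
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs.append((key.strip(), val.strip()))
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> List[str]:
    """Return one finding per missing protection for a single Set-Cookie value."""
    name, _, attrs = parse_set_cookie(header)
    present = {key.lower() for key, _ in attrs}  # attribute names are case-insensitive
    return [f"{name}: missing {flag}" for flag in REQUIRED_FLAGS
            if flag.lower() not in present]


def harden_set_cookie(header: str) -> str:
    """Rebuild the header, keeping existing attributes and adding the missing flags."""
    name, value, attrs = parse_set_cookie(header)
    present = {key.lower() for key, _ in attrs}
    out = [f"{name}={value}"] + [f"{k}={v}" if v else k for k, v in attrs]
    out += [flag for flag in REQUIRED_FLAGS if flag.lower() not in present]
    return "; ".join(out)


def audit_response(raw_headers: str) -> List[str]:
    """Scan a raw HTTP response header block and audit every Set-Cookie line."""
    findings: List[str] = []
    for line in raw_headers.splitlines():
        field, _, value = line.partition(":")
        if field.strip().lower() == "set-cookie":
            findings.extend(audit_set_cookie(value.strip()))
    return findings


# Constructed response: the session cookie is weak, the language cookie is fine.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=8a7f2c1e; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/; Secure; HttpOnly\r\n"
)

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print(finding)
    print(harden_set_cookie("JSESSIONID=8a7f2c1e; Path=/"))
```

The hardened header only helps if the whole session is served over TLS: a cookie marked Secure is never sent over HTTP, so a site that still has plain-HTTP pages will simply lose the session there, which is the intended failure mode.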
USE a signal checker. USE password-protected access points. Disable the option to auto-connect to well-known SSIDs.
USE PASSWORD PROTECTION. Must be on every smartphone. It also could be used
Install patches and updates only from trusted sources. Use Mobile Device Management for your corporate devices.