
Android 8 Oreo and iOS 11 security updates: What you need to know


Google released Android 8 (Oreo) recently, and soon Apple will release iOS 11. Both updates include a number of security enhancements.

This 30-minute overview covers the security updates and will also touch on:
-- Changes in iOS 11 that provide better security for app data in transit
-- App permissions updates in Android Oreo
-- How Android Oreo and iOS 11 updates affect mobile app security assessments

Originally presented 9/14/2017

Published in: Mobile

  1. Android 8 “Oreo” & iOS 11 security updates: What you need to know (NowSecure: 8X FASTER, 3X DEEPER, MOST TRUSTED)
     © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
  2. NowSecure #MobSec5: weekly mobile security news update. SUBSCRIBE NOW: www.nowsecure.com/go/subscribe
  3. AGENDA + SPEAKERS
     Android 8 (“Oreo”)
     ▪ Google Play Protect
     ▪ App permissions changes
     ▪ WebView security enhancements
     ▪ Other Android 8 security quick hits
     iOS 11 (available Sept. 19)
     ▪ Password AutoFill
     ▪ FileProvider
     ▪ New barriers to unlocking phones
     ▪ Other iOS 11 security quick hits
     Speakers: Tony Ramirez, Mobile Security Analyst; Michael Krueger, Mobile Security Analyst
  4. Android 8 “Oreo” Security Highlights
  5. Google Play Protect
     Malware scanning
     ▪ Scans and reports on apps on the device
     ▪ Will also scan unknown/side-loaded apps
     SafetyNet Verify Apps API
     ▪ An app can query the apps on a device prior to executing
     ▪ And refuse to run if a known malicious app is found
  6. Noteworthy app permissions changes
     Install unknown apps (side-loaded apps)
     ▪ Replaces “Allow unknown sources”
     ▪ Required for sources other than trusted stores
     ▪ Defense against “hostile downloaders”
     TYPE_APPLICATION_OVERLAY
     ▪ Stops apps from overlaying critical windows
     ▪ Fights against overlay malware
     More granular granting of app permissions
     ▪ Entire permission groups are no longer granted at once
     ▪ Automatically grants subsequent requests for additional permissions within the same group
     [Slide image: example unknown app alert]
  7. WebView security enhancements
     Multi-process mode
     ▪ Isolates the WebView from the app
     ▪ Prevents malicious content from accessing the app
     ▪ Good for security, but won’t fix every issue
     Safe Browsing API
     ▪ Protection against known bad websites
     ▪ WebViews are easy to redirect and use for executing phishing attacks
     [Slide image: example Safe Browsing alert]
  8. Other Android 8 security quick hits
     PROJECT TREBLE
     ▪ Creates a vendor interface in Android
     ▪ Makes the OS more modular
     ▪ Purpose is to make OEM updates faster & easier
     ▪ Hardware Abstraction Layers (HALs) limit media framework access to the kernel
     NETWORK SECURITY
     ▪ HttpsURLConnection will not fall back to insecure versions of SSL/TLS
     ▪ Drops support for SSLv3
     OS DOWNGRADE PROTECTION
     ▪ Prevents downgrading a device to a more vulnerable version of Android
     DEVELOPER OPTIONS - PASSWORD
     ▪ Now requires a password for access
     ▪ Privileged access (e.g., debug mode, bootloader, developer tools)
     SECCOMP FILTER
     ▪ Secure Computing (seccomp) filter applied to all apps
     ▪ System calls can expose the kernel to attack
  9. iOS 11 Security Highlights
  10. Password AutoFill
     Features
     ▪ Existing iCloud Keychain & Safari AutoFill passwords available on the QuickType bar within apps
     ▪ Button on the right authenticates with Touch ID
     Security
     ▪ Only presents credentials associated with the app
     ▪ Website associations stored in app entitlements
     ▪ The JSON file apple-app-site-association on the server side points to the allowed apps
     [Slide image: example Password AutoFill implementation]
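An added example (not from the deck or NowSecure) of how an assessor can check both halves of the association the slide describes: the app's associated-domains entitlement and the site's apple-app-site-association file. The AASA contents, the entitlement list and the app identifiers are constructed samples; the file format and entitlement key are Apple's.

```python
import json
import re

# Constructed sample of the apple-app-site-association file a site would serve from
# https://<domain>/.well-known/apple-app-site-association (not a real site's file).
SAMPLE_AASA = json.dumps({
    "webcredentials": {"apps": ["ABCDE12345.com.example.bank",
                                "ZZZZZ99999.com.example.legacy"]},
    "applinks": {"apps": [], "details": []},
})

# Constructed entitlements of the app under test (the associated-domains entitlement).
SAMPLE_ENTITLEMENTS = {
    "com.apple.developer.associated-domains": ["webcredentials:example.com"],
}

APP_ID_RE = re.compile(r"^[A-Z0-9]{10}\.[A-Za-z0-9][A-Za-z0-9.-]*$")  # TEAMID.bundle.id


def webcredential_apps(aasa_json: str) -> list:
    """Return the app identifiers the site trusts for Password AutoFill."""
    doc = json.loads(aasa_json)
    apps = doc.get("webcredentials", {}).get("apps", [])
    bad = [a for a in apps if not APP_ID_RE.match(a)]
    if bad:
        raise ValueError(f"malformed app identifiers in AASA: {bad}")
    return apps


def autofill_allowed(aasa_json: str, entitlements: dict, domain: str,
                     team_id: str, bundle_id: str) -> dict:
    """AutoFill offers a site's credentials only when the app claims the domain in
    its entitlements AND the site's AASA lists the app's TEAMID.bundle_id."""
    claimed = entitlements.get("com.apple.developer.associated-domains", [])
    app_claims_domain = f"webcredentials:{domain}" in claimed
    site_trusts_app = f"{team_id}.{bundle_id}" in webcredential_apps(aasa_json)
    return {"app_claims_domain": app_claims_domain,
            "site_trusts_app": site_trusts_app,
            "allowed": app_claims_domain and site_trusts_app}


def unexpected_apps(aasa_json: str, expected_app_ids: set) -> list:
    """Assessment check: any app the site still trusts that the owner did not expect
    (e.g. a retired build) remains eligible for the site's saved credentials."""
    return sorted(set(webcredential_apps(aasa_json)) - expected_app_ids)


if __name__ == "__main__":
    print(autofill_allowed(SAMPLE_AASA, SAMPLE_ENTITLEMENTS, "example.com",
                           "ABCDE12345", "com.example.bank"))
    print(unexpected_apps(SAMPLE_AASA, {"ABCDE12345.com.example.bank"}))
```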
  11. FileProvider enhancements (new Files app)
     ▪ Organizes, shares, and opens documents connected to cloud storage via the Document Browser
     ▪ “On My <iPad/iPhone>” FileProvider
       • The only local FileProvider
       • Apps use it to expose local documents to other apps
     ▪ What data is saved, and which apps can save data, will be important
     ▪ Testing should evaluate the data stored and who can access it
     [Slide diagram: File Providers, Document Browser UI, document-based app, cloud backend]
  12. New barriers to unlocking phones
     Emergency SOS mode
     ▪ Activated by pressing the lock button 5 times
       • Phone enters emergency mode
       • SOS button
       • Alerts emergency contacts to your location
       • Can auto-call emergency services
     ▪ Also locks down the device
       • Disables Touch ID (passcode required)
       • Does NOT require you to actually call emergency services
     “...handy if you're being mugged or arrested and don't want to be compelled to unlock your device.”
     http://www.macworld.co.uk/how-to/iphone/how-use-sos-mode-on-iphone-3663371/
  13. Other iOS 11 security quick hits
     FACE RECOGNITION - IPHONE X
     ▪ Protected by the Secure Enclave
     ▪ Requires user attention to unlock
     ▪ A photo alone won’t work to bypass it
     ▪ Questions about privacy of the data
     OFFLOAD UNUSED APPS
     ▪ Delete an app from your phone, but keep its data
     ▪ The data’s still there; will it be protected?
     TLS CONNECTIONS
     ▪ Preliminary TLSv1.3 support
     ▪ TLSv1.2 now the default
     ▪ 3DES no longer an approved cipher
     ▪ SHA1 no longer accepted
     ▪ RSA keys must be at least 2048 bits
     LOCATION SERVICES
     ▪ More granularity about when apps can use them
     ▪ Blue bar displays when in use
     SAFARI - TRACKING PREVENTION
     ▪ Intelligent Tracking Prevention (ITP)
     ▪ Cookies for tracking and re-targeting disabled after 24 hours & purged after 30 days
     NATIVE SCREEN RECORDING
     ▪ Where will screen recordings reside?
     ▪ Malicious use of screen recordings
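An added example (not from the deck) that turns the four TLS rules on this slide into a check a tester can run over handshake summaries pulled from a proxy or capture of an app's backend connections; the handshake records and their field names are constructed, and the SHA1 rule is read here as applying to the certificate signature.

```python
import re

# iOS 11 TLS floor as listed on the slide: TLSv1.2 default, no 3DES suites,
# no SHA1 certificate signatures, RSA keys of at least 2048 bits.
MIN_TLS_VERSION = (1, 2)
MIN_RSA_BITS = 2048

# Constructed handshake summaries (field names are assumed, not from any tool).
HANDSHAKES = {
    "compliant": {"tls_version": "TLSv1.2", "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
                  "cert_sig_alg": "sha256WithRSAEncryption", "key_type": "RSA", "key_bits": 2048},
    "legacy": {"tls_version": "TLSv1.0", "cipher": "ECDHE-RSA-DES-CBC3-SHA",
               "cert_sig_alg": "sha1WithRSAEncryption", "key_type": "RSA", "key_bits": 1024},
}


def parse_tls_version(name: str) -> tuple:
    """'TLSv1.2' -> (1, 2); anything else is rejected rather than guessed."""
    m = re.fullmatch(r"TLSv(\d+)\.(\d+)", name)
    if not m:
        raise ValueError(f"unrecognised TLS version string: {name!r}")
    return (int(m.group(1)), int(m.group(2)))


def ios11_tls_findings(hs: dict) -> list:
    """Return the ways one handshake falls short of the iOS 11 floor (empty = OK)."""
    findings = []
    if parse_tls_version(hs["tls_version"]) < MIN_TLS_VERSION:
        findings.append(f"protocol {hs['tls_version']} is below TLSv1.2")
    cipher = hs["cipher"].upper()
    if "3DES" in cipher or "DES-CBC3" in cipher:  # OpenSSL spells 3DES suites DES-CBC3
        findings.append(f"3DES cipher suite negotiated ({hs['cipher']})")
    if hs["cert_sig_alg"].lower().startswith("sha1"):
        findings.append("server certificate is signed with SHA1")
    if hs["key_type"] == "RSA" and hs["key_bits"] < MIN_RSA_BITS:
        findings.append(f"RSA key of {hs['key_bits']} bits is below {MIN_RSA_BITS}")
    return findings


def audit(handshakes: dict) -> dict:
    """Map each captured connection name to its findings."""
    return {name: ios11_tls_findings(hs) for name, hs in handshakes.items()}


if __name__ == "__main__":
    for name, findings in audit(HANDSHAKES).items():
        print(name, "->", findings or "meets the iOS 11 floor")
```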
  14. In action: Keeping up with the latest OS updates
  15. BEST PRACTICE RECOMMENDATIONS
     1. Recognize that every new OS release, big or small, can introduce new gaps and risks
     2. Find a reputable source you can count on to keep you up to date
        a. Sign up for NowSecure #MobSec5 at www.nowsecure.com/go/subscribe
        b. Read our blog at www.nowsecure.com/blog
     3. Test existing apps on new OS versions to identify potential risks and gaps
     4. Re-test apps when updates take advantage of new OS features to identify potential risks and gaps
     5. Add a mobile app security testing platform to your app factory to test custom and 3rd-party apps
  16. Case study: Global Entertainment Brand
     ● PAIN: Staying current on Android/iOS updates
     ● Mobile app security requirements service
     ● Continually updated BPs to account for the latest threats and versions of Android and iOS
     “By the time we finished a draft of requirements specific to one version of iOS, Apple released the next one. We couldn’t keep up with the changes in iOS and also do the same for Android.” — Security Engineer, Multi-billion Dollar Global Brand
     As a global leader in high quality entertainment delivered through an array of channels, this brand harnessed the power of mobile technology early.
     https://www.nowsecure.com/case-studies/mobile-app-security-program-for-global-entertainment-brand/
  17. NOWSECURE PLATFORM for 360º COVERAGE OF MOBILE APP SECURITY TESTING
     ▪ NowSecure INTELLIGENCE: AlwaysOn AppStore cloud analysis for EMM & security teams
     ▪ NowSecure AUTOMATED: OnDemand fast cloud analysis for Dev, QA & security teams
     ▪ NowSecure WORKSTATION: Deep pen testing analysis for security analysts
     ▪ NowSecure SERVICES: Expert pen testing, training & programs for app owners & security teams
     8X FASTER – 3X DEEPER – MOST TRUSTED
  18. Let’s talk: NowSecure, +1 312.878.1100, @NowSecureMobile, www.nowsecure.com
     Subscribe to #MobSec5, a digest of the week’s mobile security news that matters: https://www.nowsecure.com/go/subscribe