
Android 8 Oreo and iOS 11 security updates: What you need to know


Google released Android 8 (Oreo) recently, and soon Apple will release iOS 11. Both updates include a number of security enhancements.

This 30-minute overview covers the security updates and will also touch on:
-- Changes in iOS 11 that provide better security for app data in transit
-- App permissions updates in Android Oreo
-- How Android Oreo and iOS 11 updates affect mobile app security assessments

Originally presented 9/14/2017

Published in: Mobile

  1. Android 8 “Oreo” & iOS 11 security updates: What you need to know. 8X FASTER, 3X DEEPER, MOST TRUSTED. © Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information. Do not distribute.
  2. NowSecure #MobSec5: weekly mobile security news update. SUBSCRIBE NOW: www.nowsecure.com/go/subscribe
  3. AGENDA + SPEAKERS
     Android 8 (“Oreo”)
     ▪ Google Play Protect
     ▪ App permissions changes
     ▪ WebView security enhancements
     ▪ Other Android 8 security quick hits
     iOS 11 (available Sept. 19)
     ▪ Password AutoFill
     ▪ FileProvider
     ▪ New barriers to unlocking phones
     ▪ Other iOS 11 security quick hits
     Speakers: Tony Ramirez, Mobile Security Analyst; Michael Krueger, Mobile Security Analyst
  4. Android 8 “Oreo” Security Highlights
  5. Google Play Protect
     Malware scanning
     ▪ Scans and reports on apps on the device
     ▪ Will also scan unknown/side-loaded apps
     SafetyNet Verify Apps API
     ▪ An app can query the apps on a device prior to executing
     ▪ And refuse to run if a known malicious app is found
  6. Noteworthy app permissions changes
     Install unknown apps (side-loaded apps)
     ▪ Replaces “Allow unknown sources”
     ▪ Required for sources other than trusted stores
     ▪ Defense against “hostile downloaders”
     TYPE_APPLICATION_OVERLAY
     ▪ Stops apps from overlaying critical windows
     ▪ Fights against overlay malware
     More granular granting of app permissions
     ▪ Entire permission groups no longer granted
     ▪ Automatically grants subsequent requests for additional permissions within the same group
     (Screenshot: example unknown app alert)
  7. WebView security enhancements
     Multi-process mode
     ▪ Isolates the WebView from the app
     ▪ Prevents malicious content from accessing the app
     ▪ Good for security, but won’t fix every issue
     Safe Browsing API
     ▪ Protection against known bad websites
     ▪ WebViews are easy to redirect and use for executing phishing attacks
     (Screenshot: example Safe Browsing alert)
  8. Other Android 8 security quick hits
     PROJECT TREBLE
     ▪ Creates a vendor interface in Android
     ▪ Makes the OS more modular
     ▪ Purpose is to make OEM updates faster & easier
     ▪ Hardware Abstraction Layers (HALs) limit media framework access to the kernel
     NETWORK SECURITY
     ▪ HttpsURLConnection will not fall back to insecure versions of SSL/TLS
     ▪ Drops support for SSLv3
     OS DOWNGRADE PROTECTION
     ▪ Prevents downgrading a device to a more vulnerable version of Android
     DEVELOPER OPTIONS - PASSWORD
     ▪ Now requires a password for access
     ▪ Privileged access (e.g., debug mode, bootloader, developer tools)
     SECCOMP FILTER
     ▪ Secure Computing (seccomp) filter applied to all apps
     ▪ System calls can expose the kernel to attack
  9. iOS 11 Security Highlights
  10. Password AutoFill
     Features
     ▪ Existing iCloud Keychain & Safari AutoFill passwords available on the QuickType bar within apps
     ▪ Button on the right authenticates with Touch ID
     Security
     ▪ Only presents credentials associated with the app
     ▪ Website associations stored in app entitlements
     ▪ The JSON file apple-app-site-association on the server side points to the allowed apps
     (Screenshot: example password AutoFill implementation)
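The association described on slide 10 has two halves that a tester should check against each other: the domain the app claims in its associated-domains entitlement, and the app identifiers the server's apple-app-site-association file actually lists under `webcredentials`. The following is an added example written for this page, not code from the deck or from NowSecure; the AASA shape (`{"webcredentials": {"apps": ["TeamID.BundleID"]}}`) and the entitlement value form (`webcredentials:<domain>`) follow Apple's documented format, while the Team ID `ABCDE12345`, bundle ID `com.example.bankapp`, domain `example.com` and the sample documents are constructed for illustration.

```python
import json
import re

# apple-app-site-association entry for Password AutoFill / shared web credentials,
# as documented by Apple:
#   {"webcredentials": {"apps": ["<TeamID>.<BundleID>", ...]}}
# The file is served over HTTPS from the associated domain, and the app lists
# that domain in its com.apple.developer.associated-domains entitlement as
# "webcredentials:<domain>".

# Team IDs are 10 alphanumeric characters; bundle IDs are reverse-DNS style.
APP_ID_RE = re.compile(r"^[A-Z0-9]{10}\.[A-Za-z0-9.-]+$")

# Constructed sample: the AASA document a hypothetical example.com would serve.
SAMPLE_AASA = json.dumps({
    "webcredentials": {"apps": ["ABCDE12345.com.example.bankapp"]}
})

# Constructed sample: the associated-domains entitlement of the hypothetical app.
SAMPLE_ENTITLEMENT_DOMAINS = ["webcredentials:example.com"]


def apps_allowed_for_webcredentials(aasa_text):
    """Parse an AASA document and return the app IDs permitted to receive the
    domain's saved passwords; raise ValueError if the file is malformed."""
    try:
        doc = json.loads(aasa_text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"AASA is not valid JSON: {exc}") from None
    section = doc.get("webcredentials")
    if not isinstance(section, dict) or not isinstance(section.get("apps"), list):
        raise ValueError("AASA has no webcredentials.apps list")
    apps = section["apps"]
    bad = [a for a in apps if not isinstance(a, str) or not APP_ID_RE.match(a)]
    if bad:
        raise ValueError(f"malformed app identifiers: {bad}")
    return apps


def autofill_association_findings(aasa_text, team_id, bundle_id,
                                  entitlement_domains, domain):
    """Return a list of findings for the review questions a tester asks of this
    feature; an empty list means the two halves of the association agree."""
    findings = []
    # 1. Does the app declare the domain in its entitlements?
    if f"webcredentials:{domain}" not in entitlement_domains:
        findings.append(f"entitlement lacks webcredentials:{domain}")
    # 2. Does the server explicitly name this app?
    try:
        apps = apps_allowed_for_webcredentials(aasa_text)
    except ValueError as exc:
        return findings + [str(exc)]
    expected = f"{team_id}.{bundle_id}"
    if expected not in apps:
        findings.append(f"server AASA does not list {expected}")
    # 3. Which other apps are granted this domain's passwords? Each one widens
    #    the set of code that can receive the user's credentials.
    extras = [a for a in apps if a != expected]
    if extras:
        findings.append(f"other apps also receive credentials for {domain}: {extras}")
    return findings


if __name__ == "__main__":
    print(autofill_association_findings(SAMPLE_AASA, "ABCDE12345", "com.example.bankapp",
                                        SAMPLE_ENTITLEMENT_DOMAINS, "example.com"))
```

In an assessment the AASA text would come from `https://<domain>/.well-known/apple-app-site-association` and the entitlement list from the app's signed entitlements; the point of the third check is that the server file, not the app, decides which apps may receive the domain's passwords.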
  11. FileProvider Enhancements (new Files app)
     ▪ Organizes, shares, and opens documents connected to cloud storage via the Document Browser
     ▪ “On My <iPad/iPhone>” FileProvider
       • The only local FileProvider
       • Apps use it to expose local documents to other apps
     ▪ What data is saved, and which apps can save data, will be important
     ▪ Testing should evaluate the data stored and access to it
     (Diagram: File Providers, Document Browser UI, document-based app, cloud backend)
  12. New barriers to unlocking phones
     Emergency SOS mode
     ▪ Activated by pressing the lock button 5 times
       • Phone enters emergency mode
       • SOS button
       • Alerts emergency contacts to location
       • Can auto-call emergency services
     ▪ Also locks down the device
       • Disables Touch ID (passcode required)
       • Does NOT require you to actually call emergency services
     “...handy if you're being mugged or arrested and don't want to be compelled to unlock your device.” http://www.macworld.co.uk/how-to/iphone/how-use-sos-mode-on-iphone-3663371/
  13. Other iOS 11 security quick hits
     FACE RECOGNITION - IPHONE X
     ▪ Protected by the Secure Enclave
     ▪ Requires user attention to unlock
     ▪ A photo alone won’t work to bypass it
     ▪ Questions about privacy of data
     OFFLOAD UNUSED APPS
     ▪ Delete an app from your phone, but save the data
     ▪ Data’s still there; will it be protected?
     TLS CONNECTIONS
     ▪ Preliminary TLSv1.3 support
     ▪ TLSv1.2 now default
     ▪ 3DES no longer an approved cipher
     ▪ SHA-1 no longer accepted
     ▪ RSA keys must be at least 2048 bits
     LOCATION SERVICES
     ▪ More granularity about when apps can use them
     ▪ Blue bar displays when in use
     SAFARI - TRACKING PREVENTION
     ▪ Intelligent Tracking Prevention (ITP)
     ▪ Cookies for tracking and re-targeting disabled after 24 hours & purged after 30 days
     NATIVE SCREEN RECORDING
     ▪ Where will screen recordings reside?
     ▪ Malicious use of screen recordings
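Slide 8 (Android 8 drops SSLv3 and HttpsURLConnection no longer falls back to older protocols) and slide 13 (iOS 11 defaults to TLS 1.2 and rejects 3DES, SHA-1 signatures and RSA keys under 2048 bits) together give a checklist that an app's backend endpoints should pass before the OS updates reach users. The following added example, written for this page rather than taken from the deck or from NowSecure, applies that checklist to a scanner's handshake observations and also builds a Python `ssl` client context that refuses the same things, as a rough stand-in for the updated OS clients when testing a backend from a workstation. The protocol ordering list, the cipher-name matching for 3DES, and the two sample observations are assumptions and constructed data, not scan output from the talk.

```python
import ssl

# Requirements taken from the slides: no SSLv3 / protocol fallback (Android 8),
# TLS 1.2 default, no 3DES, no SHA-1 signatures, RSA >= 2048 bits (iOS 11).
# The protocol ordering used to compare versions is an assumption of this example.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MIN_PROTOCOL = "TLSv1.2"
MIN_RSA_BITS = 2048


def is_3des_cipher(name):
    """OpenSSL names 3DES suites with 'DES-CBC3' (e.g. ECDHE-RSA-DES-CBC3-SHA);
    IANA names spell it '3DES_EDE_CBC'. Both spellings are matched here."""
    return "DES-CBC3" in name or "3DES" in name


def check_endpoint(obs):
    """obs describes one observed handshake: negotiated protocol and cipher,
    the leaf certificate's signature algorithm, key type and key size.
    Returns a list of findings; an empty list means the listed requirements hold."""
    findings = []
    if PROTOCOL_ORDER.index(obs["protocol"]) < PROTOCOL_ORDER.index(MIN_PROTOCOL):
        findings.append(f"negotiated {obs['protocol']}; iOS 11 defaults to "
                        f"{MIN_PROTOCOL} and Android 8 drops SSLv3")
    if is_3des_cipher(obs["cipher"]):
        findings.append(f"3DES cipher {obs['cipher']} is no longer approved")
    if "sha1" in obs["sig_alg"].lower():
        findings.append(f"certificate signed with {obs['sig_alg']}; SHA-1 no longer accepted")
    # The slide states the minimum for RSA keys only, so EC keys are not judged here.
    if obs["key_type"] == "RSA" and obs["key_bits"] < MIN_RSA_BITS:
        findings.append(f"RSA key is {obs['key_bits']} bits; minimum is {MIN_RSA_BITS}")
    return findings


def ios11_like_client_context():
    """A client SSLContext that refuses what the slides say iOS 11 refuses at the
    protocol and cipher level (certificate signature and key-size rules are not
    expressible through this API). Requires Python 3.7+ for minimum_version."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Drop 3DES suites from the enabled list, keeping the other defaults.
    ctx.set_ciphers("DEFAULT:!3DES:!aNULL:!eNULL")
    return ctx


def context_offers_3des(ctx):
    """True if any enabled suite in the context is a 3DES suite."""
    return any(is_3des_cipher(c["name"]) for c in ctx.get_ciphers())


# Constructed observations (not real scan output).
SAMPLE_OK = {"protocol": "TLSv1.2", "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
             "sig_alg": "sha256WithRSAEncryption", "key_type": "RSA", "key_bits": 2048}
SAMPLE_LEGACY = {"protocol": "TLSv1", "cipher": "ECDHE-RSA-DES-CBC3-SHA",
                 "sig_alg": "sha1WithRSAEncryption", "key_type": "RSA", "key_bits": 1024}

if __name__ == "__main__":
    for label, obs in (("ok", SAMPLE_OK), ("legacy", SAMPLE_LEGACY)):
        print(label, check_endpoint(obs) or "meets listed requirements")
    print("client context offers 3DES:", context_offers_3des(ios11_like_client_context()))
```

The legacy sample trips all four rules, which is the kind of endpoint that works under iOS 10 and silently starts failing under iOS 11; running the check over every host an app talks to is a cheap step to add to the "test existing apps on new OS versions" recommendation on slide 15.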
  14. In action: Keeping up with the latest OS updates
  15. BEST PRACTICE RECOMMENDATIONS
     1. Recognize that every new OS release, big or small, can introduce new gaps and risks
     2. Find a reputable source you can count on to keep you up to date
        a. Sign up for NowSecure #MobSec5 at www.nowsecure.com/go/subscribe
        b. Read our blog at www.nowsecure.com/blog
     3. Test existing apps on new OS versions to identify potential risks and gaps
     4. Re-test apps when updates take advantage of new OS features, to identify potential risks and gaps
     5. Add a mobile app security testing platform to your app factory to test custom and 3rd-party apps
  16. Case study: Global Entertainment Brand
     ● PAIN: Staying current on Android/iOS updates
     ● Mobile app security requirements service
     ● Continually updated best practices to account for the latest threats and versions of Android and iOS
     “By the time we finished a draft of requirements specific to one version of iOS, Apple released the next one. We couldn’t keep up with the changes in iOS and also do the same for Android.” — Security Engineer, Multi-billion Dollar Global Brand
     As a global leader in high quality entertainment delivered through an array of channels, this brand harnessed the power of mobile technology early. https://www.nowsecure.com/case-studies/mobile-app-security-program-for-global-entertainment-brand/
  17. NOWSECURE PLATFORM for 360º COVERAGE OF MOBILE APP SECURITY TESTING
     ▪ NowSecure INTELLIGENCE: AlwaysOn AppStore Cloud Analysis for EMM & Security teams
     ▪ NowSecure AUTOMATED: OnDemand Fast Cloud Analysis for Dev, QA & Security teams
     ▪ NowSecure WORKSTATION: Deep Pen Testing Analysis for Security Analysts
     ▪ NowSecure SERVICES: Expert Pen Testing, Training & Programs for App Owners & Security teams
     8X FASTER – 3X DEEPER – MOST TRUSTED
  18. Let’s talk: NowSecure, +1 312.878.1100, @NowSecureMobile, www.nowsecure.com. Subscribe to #MobSec5, a digest of the week’s mobile security news that matters: https://www.nowsecure.com/go/subscribe