Dirty Little Secret


Mobile Applications Invading Your Privacy
Presenter Background
Are Mobile Applications Really Invading My Privacy?
Mobile Device Risks at Every Layer

  APPLICATION: Apps with vulnerabilities and malicious code have access
   to your data and device sensors
      » Your device isn’t rooted but all your email and pictures are stolen,
        your location is tracked, and your phone bill is much higher than
        usual.

  OS: Defects in kernel code or vendor supplied system code
      » iPhone or Android jailbreaks usually exploit these defects

  HARDWARE: Baseband layer attacks
      » Memory corruption defects in firmware used to root your device
      » Demonstrated at CCC/Black Hat DC 2011 by Ralf-Philipp
        Weinmann

  NETWORK: Interception of data over the air.
      » Mobile WiFi has all the same problems as laptops
      » GSM has shown some cracks. Chris Paget demo DEFCON 2010
10.9 billion mobile apps downloaded in 2010, according to IDC

  Expected to rise to 76.9 billion apps by 2014
3rd Party Applications Process Most of the Data… and account for most of the vulnerabilities

  Chart: 3rd Party Application processing of PII, critical and confidential data
      » March 2009 online Forrester survey of 204 Application and Risk Management Professionals.

  Chart: % of Vulnerability Disclosures Attributed to Top Ten Vendors
      » IBM X-Force® 2008 Trend and Risk Report
Software Value Chain Complexity Makes it Impossible to Develop Secure Software

  Diagram labels: Internal Teams (Dev Site A, Dev Site B, Dev Site C); Open Source; Crowd Sourcing; Crowd Sourced Developers; iPhone Apps; 3rd Party Software; Software Vendors (SYMC, MSFT, Oracle); Outsourced; Offshore Provider; Eastern Europe; India; China; Contractors; Unknown Skills

  Current Solutions Inadequate

  Security Consultants
      • Very expensive
      • In short supply
      • Time to results too long

  Tools
      • Do not scale across sites
      • Very high noise ratio
      • Cannot test 3rd party code
      • Separation of duties issue

  Developers
      • Do not know how to write secure code
      • Prioritize time-to-ship, functionality over security

  Processes
      • Difficult to implement
      • Years to fine tune
      • Low adoption (< 1% of US companies CMMI Level 5 certified)
Case Study – Pandora Radio
WSJ Breaks Story on Pandora Investigation

  “Federal prosecutors in New Jersey are investigating whether numerous smartphone applications illegally obtained or transmitted information about their users without proper disclosures”
Static Analysis

  Analysis of software performed without
   actually executing the program
  Full coverage of the entire source or
   binary

  In theory, having full application
   knowledge can reveal a wider range of
   bugs and vulnerabilities than the “trial
   and error” of dynamic analysis
  Impossible to identify vulnerabilities
   based on system configuration that exist
   only in the deployment environment
JD-Gui Analysis
AdMob Location Requests
AdMob android_id Request
Medialets Location Requests
Medialets android_id Requests
SecureStudies getDeviceId Request
Android Manifest Permissions
   ACCESS_CHECKIN_PROPERTIES         DISABLE_KEYGUARD               RECEIVE_SMS
   ACCESS_COARSE_LOCATION            DUMP                           RECEIVE_WAP_PUSH
   ACCESS_FINE_LOCATION              EXPAND_STATUS_BAR              RECORD_AUDIO
   ACCESS_LOCATION_EXTRA_COMMANDS    FACTORY_TEST                   REORDER_TASKS
                                     FLASHLIGHT                     RESTART_PACKAGES
   ACCESS_MOCK_LOCATION              FORCE_BACK                     SEND_SMS
   ACCESS_NETWORK_STATE              GET_ACCOUNTS                   SET_ACTIVITY_WATCHER
   ACCESS_SURFACE_FLINGER            GET_PACKAGE_SIZE               SET_ALARM
   ACCESS_WIFI_STATE                 GET_TASKS                      SET_ALWAYS_FINISH
   ACCOUNT_MANAGER                   GLOBAL_SEARCH                  SET_ANIMATION_SCALE
   AUTHENTICATE_ACCOUNTS             HARDWARE_TEST                  SET_DEBUG_APP
   BATTERY_STATS                     INJECT_EVENTS                  SET_ORIENTATION
   BIND_APPWIDGET                    INSTALL_LOCATION_PROVIDER      SET_PREFERRED_APPLICATIONS
   BIND_DEVICE_ADMIN                 INSTALL_PACKAGES               SET_PROCESS_LIMIT
   BIND_INPUT_METHOD                 INTERNAL_SYSTEM_WINDOW         SET_TIME
   BIND_REMOTEVIEWS                  INTERNET                       SET_TIME_ZONE
   BIND_WALLPAPER                    KILL_BACKGROUND_PROCESSES      SET_WALLPAPER
   BLUETOOTH                         MANAGE_ACCOUNTS                SET_WALLPAPER_HINTS
   BLUETOOTH_ADMIN                   MANAGE_APP_TOKENS              SIGNAL_PERSISTENT_PROCESSES
   BRICK                             MASTER_CLEAR                   STATUS_BAR
   BROADCAST_PACKAGE_REMOVED         MODIFY_AUDIO_SETTINGS          SUBSCRIBED_FEEDS_READ
   BROADCAST_SMS                     MODIFY_PHONE_STATE             SUBSCRIBED_FEEDS_WRITE
   BROADCAST_STICKY                  MOUNT_FORMAT_FILESYSTEMS       SYSTEM_ALERT_WINDOW
   BROADCAST_WAP_PUSH                MOUNT_UNMOUNT_FILESYSTEMS      UPDATE_DEVICE_STATS
   CALL_PHONE                        NFC                            USE_CREDENTIALS
   CALL_PRIVILEGED                   PERSISTENT_ACTIVITY            USE_SIP
   CAMERA                            PROCESS_OUTGOING_CALLS         VIBRATE
   CHANGE_COMPONENT_ENABLED_STATE    READ_CALENDAR                  WAKE_LOCK
                                     READ_CONTACTS                  WRITE_APN_SETTINGS
   CHANGE_CONFIGURATION              READ_FRAME_BUFFER              WRITE_CALENDAR
   CHANGE_NETWORK_STATE              READ_HISTORY_BOOKMARKS         WRITE_CONTACTS
   CHANGE_WIFI_MULTICAST_STATE       READ_INPUT_STATE               WRITE_EXTERNAL_STORAGE
   CHANGE_WIFI_STATE                 READ_LOGS                      WRITE_GSERVICES
   CLEAR_APP_CACHE                   READ_PHONE_STATE               WRITE_HISTORY_BOOKMARKS
   CLEAR_APP_USER_DATA               READ_SMS                       WRITE_SECURE_SETTINGS
   CONTROL_LOCATION_UPDATES          READ_SYNC_SETTINGS             WRITE_SETTINGS
   DELETE_CACHE_FILES                READ_SYNC_STATS                WRITE_SMS
   DELETE_PACKAGES                   REBOOT                         WRITE_SYNC_SETTINGS
   DEVICE_POWER                      RECEIVE_BOOT_COMPLETED
   DIAGNOSTIC                        RECEIVE_MMS
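
The static check the preceding slides walk through (sensitive API calls found in decompiled code, set against the manifest permission list), as an added example that is not from the presentation. It attributes each call to the package it lives in, so third-party SDK code can be told apart from the app's own. The manifest, package names and source snippets are constructed, the manifest is assumed to be already decoded to text XML, and the pattern table is an illustrative subset.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Illustrative subset: call pattern -> (data category, permissions that gate it).
# An empty set means the call needs no manifest permission at all.
SENSITIVE_CALLS = {
    r"\.getDeviceId\s*\(": ("device identity", {"READ_PHONE_STATE"}),
    r"\.getLastKnownLocation\s*\(": (
        "location", {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"}),
    r'"android_id"|\bANDROID_ID\b': ("device identity", set()),
}

def declared_permissions(manifest_xml):
    """Return (app package, short permission names) from a decoded text manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
             for el in root.iter("uses-permission")}
    return root.get("package", ""), perms

def audit(manifest_xml, sources):
    """Locate sensitive calls in decompiled Java and attribute them by package."""
    app_package, perms = declared_permissions(manifest_xml)
    findings = []
    for path, text in sorted(sources.items()):
        m = re.search(r"^\s*package\s+([\w.]+)\s*;", text, re.M)
        package = m.group(1) if m else ""
        own = package == app_package or package.startswith(app_package + ".")
        for lineno, line in enumerate(text.splitlines(), 1):
            for pattern, (category, gates) in SENSITIVE_CALLS.items():
                if re.search(pattern, line):
                    findings.append({
                        "file": path, "line": lineno, "category": category,
                        "third_party": not own,
                        # False: the manifest does not grant what this call needs.
                        "permitted": not gates or bool(gates & perms),
                    })
    return findings

# Constructed sample input (hypothetical app and SDK packages).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.radio">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

SOURCES = {
    "com/example/radio/Player.java":
        "package com.example.radio;\nclass Player {\n  void play() { stream.start(); }\n}\n",
    "com/example/adsdk/AdRequest.java":
        "package com.example.adsdk;\nclass AdRequest {\n"
        '  Location l = lm.getLastKnownLocation("gps");\n'
        '  String id = Settings.Secure.getString(cr, "android_id");\n}\n',
    "com/example/metrics/Beacon.java":
        "package com.example.metrics;\nclass Beacon {\n"
        "  String imei = tm.getDeviceId();\n}\n",
}

if __name__ == "__main__":
    for f in audit(MANIFEST, SOURCES):
        origin = "third-party" if f["third_party"] else "app"
        print(f'{f["file"]}:{f["line"]} {f["category"]} ({origin}, permitted={f["permitted"]})')
```

The `android_id` pattern carries no gating permission, so that read never appears in the permission list a user sees at install time; only the code scan surfaces it.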
Permissions Requested by Pandora Application

 Network Communication
   » Full Internet Access
   » Create Bluetooth Connections
   » View Network State
   » View Wi-Fi State

 Your Personal Information
   » Read Contact Data
   » Add or Modify Calendar Events and Send Email To Guests

 Phone Calls
   » Read Phone State and Identity

 System Tools
   » Modify Global System Settings
   » Prevent Device From Sleeping
   » Bluetooth Administration
   » Change Wi-Fi State
   » Change Network Connectivity
   » Automatically Start at Boot

 https://market.android.com/details?id=com.pandora.android&feature=search_result – 4/25/2011
Just A Bit Deeper...

  Google purchases AdMob for $750 million. Closed May, 2010
ESPN, CBS Interactive, Geico, Starbucks…

            100,000 – 500,000 installations
            Permissions:
            • FINE (GPS) LOCATION
            • COARSE (NETWORK-BASED) LOCATION
            • FULL INTERNET ACCESS

            5,000,000 – 10,000,000 installations
            Permissions:
            • RECORD AUDIO
            • CHANGE YOUR AUDIO SETTINGS
            • FINE (GPS) LOCATION
            • COARSE (NETWORK-BASED) LOCATION
            • FULL INTERNET ACCESS
            • MODIFY/DELETE USB STORAGE CONTENTS MODIFY/DELETE SD CARD CONTENTS
            • PREVENT DEVICE FROM SLEEPING

            Permissions retrieved from official Android Marketplace on 4/25/2011
CBSNews Advertising Networks
TV.Com Advertising Networks
Taking a Proactive Stance

  “… the popular Internet radio service is removing third-party advertising platforms, including Google, AdMeld and Medialets.”
What Can Be Reliably Detected?

 The problem is determining intent
 FP/FN tradeoffs with “unauthorized” behaviors
    » e.g. Is it good or bad that the app uses GPS?

 Actual vulnerabilities are more straightforward
 Think differently – behavioral profiling?
Best Practice: Embed Security Acceptance Testing into Contracts
   Software contracts typically focus on features,
    functions, maintenance and delivery timeframes

   Enterprises can embed security language into contracts
    »     New purchases or maintenance renewals are
          optimal times to introduce security

   Security testing is not functional testing; the contract
    should specify:
    »     Specific security measures (for example, static
          analysis (code review), dynamic testing,
          penetration testing)
    »     Specific process that should be used for testing
    »     Acceptance thresholds for testing
    »     Vulnerability correction rules
Best Practice: Purchase from Rated-Approved COTS Vendors
   Make security a formal part of your vendor/product
    selection criteria

   Involve Vendor Relations/Procurement

   Purchase from COTS vendors that have established
    security certifications and independent ratings

   Look for security related certifications to indicate
    vendor commitment:
    »    Common Criteria
    »    FIPS 140-2
    »    PA-DSS (Visa PABP)
    »    VerAfied Mark
Best Practice: Leverage the Power of Community

    Pooling the purchasing power of peer
     organizations to create demand for
     secure software
    Vendors will react to fill a market need

    Creating a community
    » User Groups
    » Customer Advisory Boards
    » Vendor Relations/Procurement
Questions?
