Mobile Security - An Oxymoron?

Pedro Cabrita <pfcabrita@gmail.com>
Bruno Morisson <morisson@genhex.org>
About us

Pedro Cabrita <pfcabrita@gmail.com>

•  Infosec Consultant & Partner @ BiAHEAD;
•  Working in Information Security for the past 11 years;
•  About 10 years working @ a financial institution;
•  I do mainly PenTesting for living (and have fun); Also: secure coding guidelines & reviews; reverse engineering; risk assessments; audits… and other security related stuff!
•  CISSP

Bruno Morisson <morisson@genhex.org>, http://genhex.org/~mori/

•  Principal Consultant and Partner @ INTEGRITY S.A.;
•  Working in infosec for over 12 years;
•  In a past life, Security Operations Manager and Senior Infosec Consultant @ a private telco;
•  Did time as a developer (C/C++);
•  CISSP-ISSMP, CISA, ISO27k1LA, ITILv3, …
•  MSc Information Security student @ Royal Holloway, University of London

•  But life isn't all about security…
	
  
What is Mobile Security?

Information

Why do we care?

Approach

Users
Applications
OS
Transport
Transmission
Physical
  
Physical

Thinking security…

•  What can someone do with momentary physical access to my device?
•  How secure is my information if my device is lost/stolen?
•  What else can go wrong?

Demo

http://lifehacker.com/5811383/these-are-the-most-common-lockscreen-pins-and-you-should-avoid-using-them
http://www.whispersys.com/screenlock.html
http://electronicspyeye.info/your-fingers-are-greasy-giving-up-your-android-password/
http://stream.pleated-jeans.com/post/8575021665/password-acquired?e6abb3a8

Filesystem

Juice Jacking

http://www.pcworld.com/article/238499/charging_stations_may_be_juicejacking_data_from_your_cellphone.html
http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/

Bottom line…

•  If someone has physical access to the device... GAME OVER!
•  Turn on security features (encryption, authentication, remote wipe/lock)
•  Choose an appropriate PIN
•  Wash your hands frequently
•  Don't connect it anywhere... except home!
  
Transmission

Thinking security…

•  Is my information transmitted securely?
•  Can someone eavesdrop on my communications?

GSM

...is broken!

GSM - Professional equipment: US$75.000
GSM - USRP: US$1.500
GSM - Old phone: Priceless (US$10)

http://openbts.sourceforge.net/

Bottom line…

Don't trust the link layer :)
  
Transport

Thinking security…

•  Do applications transmit data securely?
•  What data?
•  Can someone intercept it?

http://www.theregister.co.uk/2011/05/16/android_impersonation_attacks/
http://support.apple.com/kb/HT4824

Bottom line…

•  Lots and lots of apps send information in the clear
•  Some apps handle SSL errors really badly…
•  Bugs in the underlying OS

CHAOS
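"Handling SSL errors really badly" almost always means the app responded to a certificate error by switching validation off. The following Java is an added example, not code from this talk or its authors: the first method is the pattern a code review should reject (it accepts any certificate and any hostname, so an attacker on the path can terminate the TLS session with their own certificate), and the second keeps the platform's chain and hostname checks and additionally pins the server's public key, aborting on any mismatch instead of falling back to plain HTTP. The class name, the method names and the pin value are placeholders chosen for this example; the pin for a real server has to be computed from its certificate at build time.

```java
import java.io.IOException;
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TlsHandling {

    // The anti-pattern: "fixing" an SSL error by trusting every certificate and
    // every hostname. Nothing is verified, so the connection is no better than
    // plain HTTP over a hostile network. This is what to look for in review.
    static HttpsURLConnection openTrustingEverything(URL url) throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) { return true; }
        });
        return conn;
    }

    // The hardened form: the default SSLContext performs CA chain validation and
    // the hostname check; on top of that the leaf certificate's public key must
    // match a pin shipped with the app. Any failure aborts the request.
    static HttpsURLConnection openPinned(URL url, String expectedSpkiSha256Hex) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        try {
            conn.connect();   // TLS handshake with full platform validation
        } catch (SSLHandshakeException e) {
            // Never "retry without SSL" here; surface the failure to the caller.
            throw new IOException("TLS validation failed; refusing to continue", e);
        }
        Certificate[] chain = conn.getServerCertificates();
        String actual = spkiSha256Hex(chain[0]);
        if (!actual.equalsIgnoreCase(expectedSpkiSha256Hex)) {
            conn.disconnect();
            throw new IOException("public key pin mismatch: " + actual);
        }
        return conn;
    }

    // SHA-256 over the DER-encoded SubjectPublicKeyInfo of the certificate,
    // rendered as lowercase hex. Pinning the key rather than the whole
    // certificate survives routine certificate renewals with the same key.
    static String spkiSha256Hex(Certificate leaf) throws IOException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(leaf.getPublicKey().getEncoded());
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IOException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 0) {
            System.err.println("usage: TlsHandling <https-url> [expected-spki-sha256-hex]");
            return;
        }
        // Placeholder pin; replace with the value computed from the real server's key.
        String pin = args.length > 1 ? args[1] : "<SPKI-SHA256-HEX-PLACEHOLDER>";
        HttpsURLConnection conn = openPinned(new URL(args[0]), pin);
        System.out.println("HTTP " + conn.getResponseCode() + " over verified, pinned TLS");
    }
}
```

Run with an HTTPS URL and no pin to see the pin check fail closed; grep a code base for empty checkServerTrusted bodies or hostname verifiers that return true to find the first pattern.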
  
OS

Thinking security…

•  How do security issues affect the OS?
•  Is it updated?
•  For how long?
•  Does it do anything I should know about?

http://www.pcworld.com/businesscenter/article/239607/diginotar_certificates_are_pulled_but_not_on_smartphones.html
http://www.zdnet.com/blog/london/-8216hacked-server-claims-another-certificate-authority-casualty/596
http://threatpost.com/en_us/blogs/new-ios-bug-lets-apps-run-unsigned-code-110711
https://twitter.com/#!/dinodaizovi/status/133705807157145600
http://corte.si/posts/security/openfeint-udid-deanonymization/index.html

Bottom line…

•  Difficult (impossible?) to keep updated
•  "secret" features reveal private information
•  Encourages uploading private information to the "cloud"
•  Insecure default configurations

However, they do provide interesting security features
  
Applications

Thinking security…

•  How do applications handle security?
•  Do they store information securely?
•  What information do they share?
•  Are the markets/app stores safe?

OWASP Top 10 Mobile Risks (Release Candidate v1.0)

•  Insecure Data Storage
•  Weak Server Side Controls
•  Insufficient Transport Layer Protection
•  Client Side Injection
•  Poor Authorization and Authentication
•  Improper Session Handling
•  Security Decisions Via Untrusted Inputs
•  Side Channel Data Leakage
•  Broken Cryptography
•  Sensitive Information Disclosure

https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

http://threatpost.com/en_us/blogs/wells-fargo-boa-cited-lax-mobile-app-security-110510
http://www.androidpolice.com/2011/10/01/massive-security-vulnerability-in-htc-android-devices-evo-3d-4g-thunderbolt-others-exposes-phone-numbers-gps-sms-emails-addresses-much-more/
https://superevr.com/blog/2011/xss-in-skype-for-ios/
http://www.androidpolice.com/2011/04/14/exclusive-vulnerability-in-skype-for-android-is-exposing-your-name-phone-number-chat-logs-and-a-lot-more/

Markets and App Stores

http://www.darkreading.com/insider-threat/167801100/security/vulnerabilities/228201093/google-issuing-fix-for-latest-android-vulnerability-disclosure.html
http://news.cnet.com/8301-27080_3-10446402-245.html
http://threatpost.com/en_us/blogs/new-ios-bug-lets-apps-run-unsigned-code-110711
http://www.kaspersky.co.uk/news?id=207576416
http://www.darkreading.com/authentication/167901072/security/news/231500422/gingermaster-is-first-malware-to-utilize-a-root-exploit-on-android-2-3.html

Other Malicious Software

http://www.securelist.com/en/analysis/204792194/ZeuS_in_the_Mobile_Facts_and_Theories

Bottom line…

•  Apps are leaking private information
•  Information is not stored securely
•  Apps have security vulnerabilities
•  Some include malware
•  Android malware is on the rise
•  Apps circumvent security features
•  Validating apps is not enough
  
Users

"Given a choice between dancing pigs and security, users will pick dancing pigs every time."

Gary McGraw and Edward Felten: Securing Java (John Wiley & Sons, 1999; ISBN 0-471-31952-X), Chapter one, Part seven
  
Wrap Up

•  Users trust by default
•  Apps still have room for improvement (security wise) :)
•  Mobile devices are becoming a mainstream target for malware
•  Hardware has longer longevity than the OS
•  Lower layers are not helping

Mobile security is still in its infancy

Thanks!

Q&A

Pedro Cabrita <pfcabrita@gmail.com>
Bruno Morisson <morisson@genhex.org>