4. Mobile Device Risks at Every Layer
APPLICATION: Apps with vulnerabilities and malicious code have access to your data and device sensors
» Your device isn’t rooted, but all your email and pictures are stolen, your location is tracked, and your phone bill is much higher than usual.
OS: Defects in kernel code or vendor-supplied system code
» iPhone and Android jailbreaks usually exploit these defects
HARDWARE: Baseband layer attacks
» Memory corruption defects in firmware used to root your device
» Demonstrated at CCC/Black Hat DC 2011 by Ralf-Philipp Weinmann
NETWORK: Interception of data over the air
» Mobile Wi-Fi has all the same problems as laptops
» GSM has shown some cracks (Chris Paget’s demo at DEFCON 2010)
6. 10.9 billion mobile apps downloaded in 2010, according to IDC
Expected to rise to 76.9 billion apps by 2014
7. 3rd Party Applications Process Most of the Data… and account for most of the vulnerabilities
Chart: 3rd Party Application processing of PII, critical and confidential data (March 2009 online Forrester survey of 204 Application and Risk Management Professionals)
Chart: % of Vulnerability Disclosures Attributed to Top Ten Vendors (IBM X-Force® 2008 Trend and Risk Report)
8. Software Value Chain Complexity Makes it Impossible to Develop Secure Software
Diagram: where the code comes from
» Internal Teams: Dev Site A, Dev Site B, Dev Site C
» Crowd Sourced Developers / Crowd Sourcing (iPhone Apps)
» Open Source Software
» 3rd Party Software Vendors (SYMC, MSFT, Oracle)
» Outsourced Developers / Offshore Provider
» Contractors: Eastern Europe, China, India
» Unknown Skills
Current Solutions Inadequate
Security Consultants
• Very expensive
• In short supply
• Time to results too long
Internal Tools
• Do not scale across sites
• Very high noise ratio
• Can not test 3rd party code
• Separation of duties issue
Developers
• Do not know how to write secure code
• Prioritize time-to-ship, functionality over security
Processes
• Difficult to implement
• Years to fine tune
• Low adoption (< 1% of US companies CMMI Level 5 certified)
10. WSJ Breaks Story on Pandora Investigation
“Federal prosecutors in New Jersey are investigating whether numerous smartphone applications illegally obtained or transmitted information about their users without proper disclosures”
11. Static Analysis
Analysis of software performed without actually executing the program
Full coverage of the entire source or binary
In theory, having full application knowledge can reveal a wider range of bugs and vulnerabilities than the “trial and error” of dynamic analysis
Impossible to identify vulnerabilities based on system configuration that exist only in the deployment environment
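As an added example (not code from the deck or from any Veracode product), the following Python script shows the static-analysis idea in miniature. It parses a constructed sample program into an AST with the standard-library ast module and visits every call site, so it covers the whole source without ever running it, and the target does not even need its dependencies installed. It also shows the caveat in the last bullet: a verify= argument that comes from an environment variable can be flagged as configuration-dependent, but whether it is really a vulnerability is only decidable in the deployment environment. The rule names, the SinkVisitor class and the sample program are assumptions made for this demonstration.

```python
"""Toy static analyzer: report risky call sites without executing the program.

Added example, not code from the deck. Uses only the standard-library `ast`
module; the analyzed program is parsed, never imported or run.
"""
import ast
from dataclasses import dataclass

# Constructed sample target program for this demonstration.
SAMPLE_SOURCE = '''
import os, subprocess, requests

def run_report(user_filter):
    # shell injection: caller-controlled string reaches /bin/sh
    subprocess.call("report --filter " + user_filter, shell=True)

def load_plugin(name):
    # arbitrary code execution from a runtime string
    return eval("plugins." + name)

def fetch(url):
    # whether TLS checking is on depends on the deployment environment
    verify = os.environ.get("VERIFY_TLS", "1") == "1"
    return requests.get(url, verify=verify)
'''


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str


def dotted_name(node):
    """'subprocess.call' for Attribute chains, 'eval' for bare names, '' otherwise."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


class SinkVisitor(ast.NodeVisitor):
    """Visits every Call node in the tree: full coverage, no execution."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = dotted_name(node.func)
        kwargs = {kw.arg: kw.value for kw in node.keywords}
        shell = kwargs.get("shell")
        verify = kwargs.get("verify")
        if name in ("eval", "exec"):
            self.findings.append(Finding(node.lineno, "code-exec", f"{name}() on a runtime string"))
        elif name.startswith("subprocess.") and isinstance(shell, ast.Constant) and shell.value is True:
            self.findings.append(Finding(node.lineno, "shell-injection", f"{name} with shell=True"))
        elif name.startswith("requests.") and verify is not None:
            if isinstance(verify, ast.Constant) and verify.value is False:
                self.findings.append(Finding(node.lineno, "tls-verify-off", "verify=False"))
            elif not isinstance(verify, ast.Constant):
                # Value is only known at deployment time: the analyzer can flag
                # it, but cannot decide whether it is a vulnerability.
                self.findings.append(Finding(node.lineno, "config-dependent",
                                             "verify= comes from runtime configuration"))
        self.generic_visit(node)  # keep descending: calls nest inside calls


def analyze(source):
    """Return findings sorted by line number for the given source text."""
    visitor = SinkVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in analyze(SAMPLE_SOURCE):
        print(f"line {f.line}: [{f.rule}] {f.detail}")
```

Run against the sample it reports the shell=True call, the eval() call and the configuration-dependent verify= argument, each with its line number. A real tool adds data-flow tracking (is user_filter actually attacker-controlled?) to cut the noise ratio, but the shape is the same: a full walk of the code, no execution, and an honest "depends on deployment" bucket for what it cannot decide.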
19. Permissions Requested by Pandora Application
Network Communication
» Full Internet Access
» Create Bluetooth Connections
» View Network State
» View Wi-Fi State
Your Personal Information
» Read Contact Data
» Add or Modify Calendar Events and Send Email To Guests
Phone Calls
» Read Phone State and Identity
System Tools
» Modify Global System Settings
» Prevent Device From Sleeping
» Bluetooth Administration
» Change Wi-Fi State
» Change Network Connectivity
» Automatically Start at Boot
Source: https://market.android.com/details?id=com.pandora.android&feature=search_result – 4/25/2011
20. Just A Bit Deeper...
Google purchases AdMob for $750 million. Closed May 2010.
21. ESPN, CBS Interactive, Geico, Starbucks…
100,000 – 500,000 installations
Permissions:
• FINE (GPS) LOCATION
• COARSE (NETWORK-BASED) LOCATION
• FULL INTERNET ACCESS
5,000,000 – 10,000,000 installations
Permissions:
• RECORD AUDIO
• CHANGE YOUR AUDIO SETTINGS
• FINE (GPS) LOCATION
• COARSE (NETWORK-BASED) LOCATION
• FULL INTERNET ACCESS
• MODIFY/DELETE USB STORAGE CONTENTS / MODIFY/DELETE SD CARD CONTENTS
• PREVENT DEVICE FROM SLEEPING
Permissions retrieved from official Android Marketplace on 4/25/2011
24. Taking a Proactive Stance
“… the popular Internet radio service is removing third-party advertising platforms, including Google, AdMeld and Medialets.”
25. What Can Be Reliably Detected?
The problem is determining intent
False-positive/false-negative (FP/FN) tradeoffs with “unauthorized” behaviors
» e.g. Is it good or bad that the app uses GPS?
Actual vulnerabilities are more straightforward
Think differently – behavioral profiling?
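As an added example, not from the deck or from Veracode, here is the kind of permission-combination check a reviewer could run against the lists shown for Pandora on slide 19 and for the ad-supported apps on slide 21. It parses the uses-permission entries of a manifest with the standard-library XML parser and pairs data-source permissions (contacts, location, microphone, phone identity) with off-device sinks (network, SMS, Bluetooth). The manifest is constructed to mirror the slide 19 list; the mapping from Market labels such as “Read Contact Data” to permission names such as android.permission.READ_CONTACTS, the source/sink tables and the needs_review flag are this example’s assumptions, not taken from the app. The point of slide 25 shows up in the result: the script can say that contact data could reach the network, but not whether that is a feature or a leak.

```python
"""Permission-combination review for an Android manifest.

Added example, not from the deck or from any Veracode tool. Reports which
data-source permissions can reach which off-device sinks. A pairing is a
behaviour worth reviewing, not a vulnerability: the manifest cannot show
intent, so the output is a flag for a human, never a verdict.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest mirroring the Pandora permission list on slide 19.
# The label-to-permission mapping is an assumption of this example.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.radio">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CALENDAR"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
"""

# Permissions that expose user data or identifiers (sources) ...
SOURCES = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_PHONE_STATE": "IMEI / phone number",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "network location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CALENDAR": "calendar",
}
# ... and permissions that can move data off the device (sinks).
SINKS = {
    "android.permission.INTERNET": "network",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.BLUETOOTH": "Bluetooth",
}


def parse_permissions(manifest_xml):
    """Sorted list of android:name values from every <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return sorted(
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    )


def exfil_channels(permissions):
    """Every (source, sink) pair the app could in principle use to leak data."""
    held = set(permissions)
    return sorted(
        (SOURCES[s], SINKS[k])
        for s in SOURCES if s in held
        for k in SINKS if k in held
    )


def review(manifest_xml):
    perms = parse_permissions(manifest_xml)
    channels = exfil_channels(perms)
    return {
        "permissions": len(perms),
        "sources": sorted(SOURCES[p] for p in perms if p in SOURCES),
        "sinks": sorted(SINKS[p] for p in perms if p in SINKS),
        "channels": channels,
        # A flag for a human reviewer; intent is not visible in a manifest.
        "needs_review": bool(channels),
    }


if __name__ == "__main__":
    r = review(SAMPLE_MANIFEST)
    print(f"{r['permissions']} permissions; sources {r['sources']}; sinks {r['sinks']}")
    for src, sink in r["channels"]:
        print(f"  possible leak path: {src} -> {sink}")
```

For the constructed manifest the script lists four possible leak paths (contact list and phone identity, each to network and to Bluetooth). Adding RECORD_AUDIO and the two location permissions from the slide 21 list widens that set, which is exactly the FP/FN problem above: every one of those paths is also what a legitimate streaming app with social features would look like, so the rule can only prioritise what a behavioural profile or a manual review should look at next.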
26. Best Practice: Embed Security Acceptance Testing into Contracts
Software contracts typically focus on features, functions, maintenance and delivery timeframes
Enterprises can embed security language into contracts
» New purchases or maintenance renewals are optimal times to introduce security
Security testing is not functional testing; the contract should specify:
» Specific security measures (for example, static analysis (code review), dynamic testing, penetration testing)
» Specific process that should be used for testing
» Acceptance thresholds for testing
» Vulnerability correction rules
27. Best Practice: Purchase from Rated-Approved COTS Vendors
Make security a formal part of your vendor/product selection criteria
Involve Vendor Relations/Procurement
Purchase from COTS vendors that have established security certifications and independent ratings
Look for security-related certifications to indicate vendor commitment:
» Common Criteria
» FIPS 140-2
» PA-DSS (Visa PABP)
» VerAfied Mark
28. Best Practice: Leverage the Power of Community
Pooling the purchasing power of peer organizations to create demand for secure software
Vendors will react to fill a market need
Creating a community
» User Groups
» Customer Advisory Boards
» Vendor Relations/Procurement