1. Session 810: The Security Risks of Mobile Environments and How to Protect Against Them
Ken Huang, Director of Security Engineering, CGI
2. Who am I?
• Ken Huang
– Director of Security Engineering, CGI
• Cloud/Mobile Security
• Security testing and evaluation
• Identity and Access Management
• Frequent Speaker
• Blog: http://mobile-cloud-security.blogspot.com/
• Linkedin: www.linkedin.com/in/kenhuang8
• Twitter: http://twitter.com/#!/kenhuangus
3. Topics
• Mobile Technology and Trends
• Mobile Application and Trends
• Mobile Security and Trends
• Defense in Depth Solutions
• Conclusion and Questions
4. Mobile Technology and Trends
Technology Trends
• Wi-Fi
– More Wi-Fi hotspots will be added
– Wi-Fi still plays a huge role in WLAN
• 3G & 4G
– 3G will gradually phase out
– 4G networks will increase, as it is a major competing ground for carriers
to attract new customers
• Bluetooth
– Will continue to be used to connect personal network devices
• NFC
– Will gain more momentum for payment, ticketing, and check-in devices
5. 3G vs 4G Networks
• 3G
– DSL speeds
– Max speed up to 3.1 Mbps
– Includes all 2G and 2.5G features plus:
• Real-time location-based services
• Full motion videos
• Streaming music
• 3D gaming
• Faster web browsing
• 4G
– Wired network speeds
– Max speed up to 100+ Mbps
– Includes all 3G features plus:
• On-demand video
• Video conferencing
• High-quality streaming video
• High-quality Voice-over-IP (VoIP)
• Added security features
Trends: 4G will be the winner
6. WiMAX vs. Wi-Fi
• Speed: WiMAX up to 4 Mbps; Wi-Fi up to 2 Mbps
• Bandwidth: WiMAX up to 75 Mbps; Wi-Fi up to 54 Mbps
• Range: WiMAX 30 miles (50 km); Wi-Fi 100 feet (30 m)
• Intended number of users: WiMAX 100+; Wi-Fi 20
• Quality of Service: WiMAX weaker encryption (WEP or WPP); Wi-Fi stronger encryption (TDES or AES)
Trends: Both WiMAX and Wi-Fi will co-exist for the foreseeable future
7. NFC
• Uses less power than Bluetooth
• Does not need pairing
• Based on RFID Technology at 13.56 MHz
• Operating distance typically up to 10 cm
Trends: NFC will get wider use due to payment and ticketing apps
8. Mobile Application Trends
• Payment
– Using your phone to pay will become a reality
• Federal Government Adoption
– Mobile apps will become more widely used
– Cloud and Mobile Computing
• During an appearance in Silicon Valley, Aneesh Chopra, the
nation’s first-ever CTO, acknowledged the inevitable emergence of
cloud and mobile as solutions for the federal government, but sees
them as supplementing, rather than replacing, legacy systems
– Transportation Department gets $100 million for
mobile apps
9. Mobile Application Trends (cont.)
• Federal Government Adoption (cont.)
– FBI – most wanted listing app on iPhone
– IRS – check refund status
– The White House mobile app – news, videos, podcasts,
blogs, etc.
– More than half of federal websites are planning to develop
a mobile-optimized website, according to a poll by ForeSee
Results.
• Productivity tool
– Mobile apps will become more mature over time
• Banking and Mobile Commerce
– Check balances, transfer funds, etc.
10. Mobile Application Trends (cont.)
• Entertainment
– Videos, gaming, etc.
• Social networking
– Facebook
– Twitter
– Foursquare
– Linkedin
– Instagram
• Activists
– Collective bargaining and strikes
• Other
– Price comparison for various products (SnapTell)
11. Wi-Fi Security
• Use a strong password
• Don’t broadcast your SSID
• Use good wireless encryption (WPA, not WEP)
• Use another layer of encryption when possible (e.g. VPN, SSL)
• Restrict access by MAC address
• Shut down the network and wireless network when not in use
• Monitor your network for intruders
• Use a firewall
Trends: More Wi-Fi hotspots (but more attacks on hotspots as well) – avoid free Wi-Fi
whenever possible; Wi-Fi-enabled mobile devices can become the stepping stone to your
secured network
12. 4G Security Trends
• Backward compatibility to 3G or GSM capabilities exposes 4G to
3G and GSM security vulnerabilities
• 4G also has a roaming vulnerability associated with mutual
authentication: a fake network can easily claim to be a “roaming
partner”
Trends: More bandwidth comes with a greater possibility of being
attacked
13. Bluetooth Security Trends
• Bluejacking
– Sending either a picture or a message from one user to an unsuspecting
user through Bluetooth wireless technology.
• DoS Attacks
• Eavesdropping
• Man-in-the-middle attacks
• Message modification
• NIST published a Guide to Bluetooth Security in 2008
Trends: Dependent on new apps on Bluetooth – I don’t see any
significant increase in attacks on Bluetooth
14. NFC Security Trends
• Eavesdropping
– Hacker must have a good receiver and stay close
– To avoid this, use a secure channel as compensating control
• Data Corruption and Modification
– Jams the data so that it is not readable by the receiver
– Check RF field as compensating control.
Trends:
• Widespread adoption expected in 2015
• Secure channels for NFC
• Payments through smartphones will replace plastic cards and keys
15. Attack on the app
• Currently, Android devices are the target due to Google’s
loose vetting process
– Law360, New York (March 15, 2012, 10:18 PM ET) --
Android cellphone users sued Google Inc over faulty
Android App
• iPhones and iPads are lightly hacked – but will
become targets in the future
Trends: Apps will be more vulnerable to attacks in the future
16. OWASP Top 10 Mobile Risks
• Insecure Data Storage
• Weak Server Side Controls
• Insufficient Transport Layer Protection
• Client Side Injection
• Poor Authorization and Authentication
• Improper Session Handling
• Security Decisions Via Untrusted Inputs
• Side Channel Data Leakage
• Broken Cryptography
• Sensitive Information Disclosure
• Source: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
17. M1: Insecure Data Storage
• Sensitive data left unprotected
• Applies to locally stored data + cloud synced
• Generally a result of:
– Not encrypting data
– Persisting data not intended for long-term storage
– Weak or global permissions
– Not leveraging platform best-practices
• Risk
– Confidentiality of data lost
– Credentials disclosed
– Privacy violations
– Non-compliance
18. M2: Weak Server Side Controls
• We cannot trust the mobile client app
• Risk: confidentiality and integrity of data
19. M3: Insufficient Transport Layer
Protection
• No encryption for data in transit
• Weak encryption (encoding is not encryption)
• Strong encryption, but ignoring the security
warnings
– e.g. falling back to clear text when certificate
validation errors happen
• Risk: confidentiality and integrity of data
20. M4: Client Side Injection
• XSS or SQL injection
• SMS injection (Apple patched the iPhone SMS
flaw in iOS 3.0.1 in Aug. 2009)
• Risk: toll fraud, device compromise, privilege
escalation etc.
21. M5: Poor Authorization and
Authentication
• Device authentication based on IMEI, IMSI, UUID
is not sufficient
• Hardware identifiers persist across data wipes
and factory resets
• Adding contextual information is useful, but not
foolproof
• Out of band does not work for the same device.
• Risk: privilege escalation and unauthorized
access
22. M6: Improper Session Handling
• Mobile session is usually longer for usability
and convenience
• Why is it a bad idea to use a device identifier as
a session token?
• Risk: unauthorized access and privilege
escalation
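To make the M5/M6 point concrete, here is an added example (not from the slides) contrasting an IMEI used as a "session token" with a server-side session store that issues random, expiring, revocable tokens; class and function names are illustrative and the IMEI is a constructed sample.

```python
"""Why a device identifier is a poor session token (OWASP Mobile M5/M6),
next to a server-side session store that does the job properly.  Added
example: names are illustrative, the IMEI is constructed, not a real device."""
import hashlib
import secrets
import time

SAMPLE_IMEI = "490154203237518"   # constructed 15-digit IMEI


def token_from_device_id(imei: str) -> str:
    """Anti-pattern: the 'session token' is the device identifier itself.
    It is deterministic, printed on the box and shown by *#06#, survives
    a factory reset, and can never expire or be revoked without locking
    the device out for good."""
    return imei


class SessionStore:
    """Random, unguessable tokens bound to a user, with a TTL and revocation.
    Only a hash of each token is stored; `clock` is injectable for tests."""
    TOKEN_BYTES = 32                       # 256 bits from the OS CSPRNG

    def __init__(self, ttl_seconds: int = 15 * 60, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._sessions = {}                # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(self.TOKEN_BYTES)
        self._sessions[self._key(token)] = (user_id, self.clock() + self.ttl)
        return token                       # handed to the client once, over TLS

    def user_for(self, token: str):
        """User bound to `token`, or None when unknown, revoked or expired."""
        entry = self._sessions.get(self._key(token))
        if entry is None:
            return None
        user_id, expires_at = entry
        if self.clock() >= expires_at:
            del self._sessions[self._key(token)]   # expired: forget it
            return None
        return user_id

    def revoke(self, token: str) -> bool:
        """Server-side logout, which an IMEI-as-token design cannot offer."""
        return self._sessions.pop(self._key(token), None) is not None
```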
23. M7: Security Decisions Via Untrusted
Inputs
• Security needs to be based on server side
variables, not client input data
• Risk: Can cause privilege escalation and
consume paid resources
24. M8: Side Channel Data Leakage
• Caused by platform feature or app flaws
• Potential channel
– Caches
– Keystroke logging
– Screenshots
– Logs (system, crash, app)
– Temp directory
• Risk: Privacy violation
25. M9: Broken Cryptography
• Broken implementation using a strong
encryption library
• Custom weak encryption implementation.
• Risk: loss of data confidentiality
26. M10: Sensitive Information Disclosure
• Hard coded sensitive information
– User id, password
– SSN
– API keys
– Sensitive business logic
• Risk: credentials disclosed, intellectual property (IP) disclosed
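As an added example (not from the slides), a small source checker that flags the M3 patterns from slide 19 (an empty checkServerTrusted, ALLOW_ALL_HOSTNAME_VERIFIER, a WebView that proceeds past SSL errors, a clear-text http:// fallback URL) together with the hard-coded credentials of M10; the rule names and regexes are this example's heuristics, and the Java fragment is constructed, not a real app.

```python
"""Source checker for two OWASP Mobile risks: M3 (TLS verification disabled
or clear-text fallback) and M10 (hard-coded credentials).
Added example, not from the slides; the rule names and regexes are this
example's heuristics, and the Java fragment is constructed, not a real app."""
import re

RULES = {
    # M3: a TrustManager whose checkServerTrusted has an empty body accepts any certificate
    "M3-empty-trust": re.compile(r"checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}"),
    # M3: Apache HttpClient constant that turns off hostname verification
    "M3-allow-all-hostname": re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"),
    # M3: WebViewClient that proceeds past an SSL error instead of cancelling
    "M3-webview-proceed": re.compile(r"onReceivedSslError[^}]*handler\.proceed\(\)"),
    # M3: clear-text URL literal, the typical 'fall back to http' after a TLS failure
    "M3-cleartext-url": re.compile(r'"http://'),
    # M10: credential-looking string literal assigned in source
    "M10-hardcoded-secret": re.compile(r'(?i)(password|passwd|secret|api_?key)\s*=\s*"[^"]{4,}"'),
}


def scan(source: str) -> list:
    """Return (rule_id, line_number) for every match, sorted by line."""
    findings = []
    for rule_id, pattern in RULES.items():
        for m in pattern.finditer(source):
            findings.append((rule_id, source.count("\n", 0, m.start()) + 1))
    return sorted(findings, key=lambda f: f[1])


# Constructed Android-style Java fragment exhibiting every rule; not real app code.
SAMPLE_JAVA = '''\
public class Net {
    static final String API_KEY = "EXAMPLE-API-KEY-0000";
    static final String PASSWORD = "CHANGEME-not-real";
    TrustManager[] tm = { new X509TrustManager() {
        public void checkServerTrusted(X509Certificate[] c, String a) { }
    } };
    void relax() { factory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER); }
    public void onReceivedSslError(WebView v, SslErrorHandler handler, SslError e) { handler.proceed(); }
    String fallback = "http://api.example.com/login";
}
'''

if __name__ == "__main__":
    for rule_id, line in scan(SAMPLE_JAVA):
        print(f"line {line}: {rule_id}")
```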
27. OWASP: Top 10 Security Mobile Controls
• Identify and protect sensitive data
• Handle password credentials securely on the device
• Ensure sensitive data is protected in transit
• Implement user authentication/authorization and session
management correctly
• Keep the backend APIs (REST vs. SOAP) secure
• Secure integration with third-party apps and data (ID Federation)
• Get user consent for the collection and use of the data
• Implement Access Control and Digital Rights Management for
paid resources
• Secure distribution/provisioning of mobile apps
• Check runtime code errors
28. VPN for Smartphone
• Provide secure mobile access to enterprise
network
• Sample Mobile VPN products
– PandaPowVPN for Android
– Hotspot Shield for iPhone
– Cisco
29. Virus Scan and Personal Firewall for
Mobile Device
• Lookout Premium
• Trend Micro Mobile Security
• F-Secure Mobile Security
• NetQin Mobile Security
• Webroot Secure Anywhere Mobile
30. Mobile Device Management Features
• Remote Locate - Shows you the location of your phone via Web or SMS, so
you can find it if it’s lost or stolen.
• Remote Lock - Lets you remotely lock your lost or stolen phone via Web or
SMS to prevent strangers from seeing your private stuff or running up your
mobile bill.
• Remote Wipe - Lets you remotely erase the stuff on your phone via SMS if
it’s lost or stolen, including any data on your phone’s memory card.
• Web-based Lost Notice - Displays a customizable message to anyone who
finds your missing device, so you can make arrangements to get it back.
• Web-based Sneak Peek - Snaps photos of anyone in front of your device
then saves the images. (Webcam devices only.)
• Antiphishing Web Protection - Blocks fraudulent (phishing) websites.
Protects your device and your stuff on mobile networks and Wi-Fi
connections.
• Download Threat Protection - Automatically scans all the apps and app
updates you download to your mobile device for threats.
32. Mobile Application Management (MAM)
• The BYOD (“Bring Your Own Device”) phenomenon is a
factor behind MAM
• Manage business apps using an internal App Store for
both BYOD and company mobile devices
• Key Features
– App delivery
– App updating
– User authentication
– User authorization
– Version checking
– Push services
– Reporting and tracking
33. Current MAM Players
• App47
• SOTI MobiControl
• AppBlade from Raizlabs
• AppCentral
• Apperian
• Better MDM
• JackBe
• Nukona
• Partnerpedia
• WorkLight
34. Mobile Data Protection (MDP)
• MDP is an established market
• Safeguard stored data on mobile devices by
means of encryption and authentication
• Provide evidence that the protection is
working.
• Widely used on Windows-based laptops
• Not yet available for mobile phones or tablets
36. Smartphone Encryption
• Android
– WhisperCore: whole flash memory
– Droid Crypt: files
– AnDisk Encryption: file
– RedPhone: voice
– Text Secure: text
• iPhone
– Impossible to encrypt the whole system
– Update to iOS 5 to encrypt outgoing iMessages
– Voice Encryption App
• Kryptos
• Cellcrypt
– Text Encryption App: Encrypt SMS
– E-mail Encryption: SecureMail uses OpenPGP
37. Mobile Virtualization
• Support multiple domains/operating systems
on the same hardware
• Enterprise IT department can securely manage
one domain (in a virtual machine), and the
mobile operator can separately manage the
other domain (in a virtual machine)
38. Current Players in Mobile Virtualization
• Green Hills Software
• Open Kernel Labs
• Red Bend Software
• VMware
• B Labs
• Bitzer Mobile Inc
Reference:
http://www.virtualization.net/tag/mobile/
39. Mobile User willing to pay more
for security
• AdaptiveMobile published the third "Global
Security Insights in Mobile" report, which
indicates that 83% of people surveyed are willing to
pay more for security.
40. Conclusion and Questions
• Defense in depth for mobile environment
• Device Security vs. App Security
• OWASP Top 10 Risk and Controls
• VPN, Virus Scan, MDM, MAM, MDP,
Encryption and Mobile Virtualization
• Questions?
41. Thank you for attending this session. Don’t
forget to complete the evaluation!
Editor's notes
WiFi Protected Access (WPA) is the new security standard adopted by the WiFi Alliance consortium. WiFi compliance ensures interoperability between different manufacturers’ equipment. WPA delivers a level of security way beyond anything that WEP can offer, bridges the gap between WEP and 802.11i networks, and has the advantage that the firmware in older equipment may be upgradeable.
The International Mobile Equipment Identity or IMEI (/aɪˈmiː/) is a number, usually unique, to identify GSM, WCDMA, and iDEN mobile phones, as well as some satellite phones. It is usually found printed inside the battery compartment of the phone. It can also be displayed on the screen of the phone by entering *#06# into the keypad on most phones. The IMEI number is used by the GSM network to identify valid devices and therefore can be used for stopping a stolen phone from accessing the network in that country. For example, if a mobile phone is stolen, the owner can call his or her network provider and instruct them to "blacklist" the phone using its IMEI number. This renders the phone useless on that network and sometimes other networks too, whether or not the phone's SIM is changed.
An International Mobile Subscriber Identity or IMSI (/ˈɪmziː/) is a unique identification associated with all GSM and UMTS network mobile phone users. It is stored as a 64 bit field in the SIM inside the phone and is sent by the phone to the network. It is also used for acquiring other details of the mobile in the Home Location Register (HLR) or as locally copied in the Visitor Location Register. To prevent eavesdroppers identifying and tracking the subscriber on the radio interface, the IMSI is sent as rarely as possible and a randomly-generated TMSI is sent instead. The IMSI is used in any mobile network that interconnects with other networks. This number is provisioned in the phone directly or in the R-UIM card (a CDMA analogue equivalent to a SIM card in GSM).