The New Mobile Landscape - OWASP Ireland


  1. Mobile Threats: Things Your Smartphone Does When Nobody is Looking
  2. Agenda, "The What": 1 The Problem; 2 Threat Landscape; 3 Mobile Ecosystem; 4 The Fix
  3. The Problem (1)
  4. What Are The Risks: Define the Threats
  5. Moving Into The Enterprise: Bring Your Own Device; Security; Compliance; Privacy
  6. Mobile Crossroads, The Inflection Point: "Do you trust the security of your mobile device…" 63% have yet to make up their minds
  7. Threat Landscape (2)
  8. The Mobile Threat Landscape
  9. Mobile Malware. Mobile Networks: decentralized, interconnected, mobile, quick content retrieval. Perfect Malware: decentralized, interconnected, mobile, quick content retrieval.
  10. Statistics
  11. Malware Timeline 2011 (July, August, September, October, November): early to the game; the malware wave begins; exponential growth
  12. Primary Target: Android most targeted (65%), iOS absent (<1%). Why: closed technology; harder to reverse engineer; stronger OS security; better app store security; no fragmentation issue. [Chart: Distribution of Mobile Threats by Platform 2011, platforms Android, J2ME, Symbian, Windows Mobile; values shown 65%, 27%, 7%, 1%]
  13. Mobile Malware (how it is delivered)
      • Repackaging (86%): choose a popular app; disassemble; add malicious payloads; re-assemble; submit the new app to a public market
      • Update (7%): similar to repackaging; does not add the full payload; adds a small downloader; payload downloaded at runtime
      • Drive-By (<1%): entice users to download malware; distributed via malicious websites; may or may not contain a browser exploit
      • Standalone (14%): commercial spyware; non-functional fake apps (Fake Netflix); functional Trojan code; apps with root exploits
  14. Mobile Malware (what it does)
      • Privilege Escalation (37%): attempts root exploits; small number of platform vulnerabilities; may use more than one exploit for attack; advanced obfuscation seen in the wild
      • Remote Control (93%): similar to PC bots; most use HTTP based web traffic as C&C; advanced C&C models translating from the PC world
      • Financial Charges (45%): premium rate SMS; both hard-coded and runtime updated numbers; employ SMS filtering
      • Information Collection (45%): harvests personal information and data; user accounts; GPS location; SMS and emails; phone call tapping; ad libraries; phone number
  15. Application Behaviors: previous code; web sources; your code; binary 3rd party libraries; source 3rd party libraries
  16. Case studies … !
  17. Vulnerabilities: sensitive data leakage (inadvertent or side channel); unsafe sensitive data storage; unsafe sensitive data transmission; hardcoded passwords/keys
  18. Vulnerabilities: layered APIs on common languages; BlackBerry and Android use Java as a base; non-issue for Objective-C (its own language)
  19. Mobile Ecosystem (3)
  20. The Mobile Ecosystem: The Players of the Game (Consumer, …)
  21. MDM Vendors, The Enterprise Choke Point / Enterprise Control Point
      • What they provide: device enrollment and management; security management; device configuration; device monitoring; software management
      • Security components: passcode enforcement; encryption; feature restriction; compliance; locate and wipe; certificate management
  22. Mobile Anti-Virus, Old Methods Rehashed
      • What they provide: quarantine and eradicate malware; signature based analysis
      • Security components: locate, lock, and wipe; cloud analysis; spam filtering; email attachment scanning; data backup
  23. Application Markets, The Distributor
      • What they provide: marketplace for applications; user ratings; application updates
      • Security components: application approval process; Android Bouncer; iOS scanning
  24. Developers, The Source
      • What they provide: enterprise application development; consumer application development; cross-platform expertise
      • Security components: variable on developer capabilities
  25. The Fix (4)
  26. The Fix, Securing Against Multiple Threats: capabilities mapping; malware detection; vulnerability analysis
  27. Capabilities Mapping, Features and Permissions
      • Data Sources: location data; contacts; email; SMS data; SQL access; file system; photos; phone ID values
      • Data Sinks: HTTP requests; outbound SMS; outbound email; DNS requests; TCP; UDP; vulnerable code
      • Mapping (user facing): trace sources to sinks; application "Intent"; permission mapping; human intelligence; code flow and data flow
  28. Malware Detection, Learn From Previous Mistakes: static analysis, dynamic analysis and human intelligence each produce signatures; dynamic analysis also produces basic heuristics
  29. Vulnerability Analysis, Find the Flaws: environmental flaws; application flaws
  30. Strategic Control Points, Security and Power [diagram: application markets, MDM, anti-virus, enterprise, consumer, and developers (enterprise developers, consumer developers, outsourced developers, COTS developers, …)]
  31. Enterprise Fixes, De-Risk B.Y.O.D: policy; process; technical controls
  32. Consumer Fixes, Will Users Learn? Security awareness: read EULAs and prompts; understand permissions; know what jailbreaking does to the security posture of the device; recognize phishing and social engineering; practice, practice, practice
  33. Permissions: *SCOFF* Just Let Me Fling Birds at Pigs Already!
  34. Vendor Fixes, It Takes a Village: verification process and policy; user facing; platform security
  35. Developer Fixes, Secure Coding: training; SDLC; awareness
  36. The Road Ahead, Where do we go from here? Capabilities Mapping + Malware Detection + Vulnerability Analysis = A Safer Mobile Path
  37. Sources, Show me the data
      • http://www.juniper.net/us/en/local/pdf/additional-resources/7100155-en.pdf Juniper Network Trusted Mobility Index
      • http://countermeasures.trendmicro.eu/wp-content/uploads/2012/02/History-of-Mobile-Malware.pdf A History of Malware – Trend Micro
      • http://www.cs.berkeley.edu/~afelt/felt-mobilemalware-spsm.pdf A Survey of Mobile Malware In The Wild – UC Berkeley
      • http://www.securelist.com/en/analysis/204792222/Mobile_Malware_Evolution_Part_5 Mobile Malware Evolution Part 5 – Kaspersky Labs
      • http://www.csc.ncsu.edu/faculty/jiang/pubs/OAKLAND12.pdf Dissecting Android Malware: Characterization and Evolution – Yajin Zhou and Xuxian Jiang
      • http://www.fiercemobilecontent.com/story/apples-new-ios-6-adds-deep-facebook-integration-dumps-google-maps/2012-06-11 Apple's new iOS 6 adds deep Facebook integration, dumps Google Maps
      • http://www.net-security.org/secworld.php?id=13050 LinkedIn Privacy Fail
      • http://www.trailofbits.com/resources/mobile_eip_2.pdf Mobile Exploit Intelligence Project – Trail of Bits
      • http://www.net-security.org/secworld.php?id=12418 Social Mobile Apps Found Storing User's Content Without Permission
      • And more… Contact me if you need something specific I may have left out…
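The capabilities mapping of slide 27 (data sources, data sinks, permission mapping) as a small worked example; this is added code, not from the deck or its author, and the API names, permission table and sample app are constructed for illustration.

```python
"""Toy capabilities mapper in the spirit of slide 27: pair data sources with
data sinks per method and check the permission mapping. Added example, not
from the deck; API names, permission table and sample inputs are constructed."""
import re
from collections import defaultdict

# Data sources and sinks keyed by (constructed) API call name
SOURCES = {"LocationManager.getLastKnownLocation": "Location Data",
           "ContactsContract.query": "Contacts",
           "TelephonyManager.getDeviceId": "Phone ID Values"}
SINKS = {"HttpURLConnection.getOutputStream": "HTTP Requests",
         "SmsManager.sendTextMessage": "Outbound SMS",
         "Socket.getOutputStream": "TCP"}
# Capability -> manifest permission that should be declared for it (assumed table)
PERM = {"Location Data": "android.permission.ACCESS_FINE_LOCATION",
        "Contacts": "android.permission.READ_CONTACTS",
        "Phone ID Values": "android.permission.READ_PHONE_STATE",
        "HTTP Requests": "android.permission.INTERNET",
        "Outbound SMS": "android.permission.SEND_SMS",
        "TCP": "android.permission.INTERNET"}

def declared_permissions(manifest_xml):
    """Extract <uses-permission android:name="..."/> values from manifest text."""
    return set(re.findall(r'<uses-permission[^>]*android:name="([^"]+)"', manifest_xml))

def map_flows(call_sites, manifest_xml):
    """call_sites: iterable of (method, api_call). Returns (flows, undeclared).
    flows: (method, source, sink) where one method touches both a source and a
    sink (coarse intra-method pairing, not a true dataflow analysis).
    undeclared: capabilities used whose permission the manifest never declares."""
    perms = declared_permissions(manifest_xml)
    by_method = defaultdict(lambda: {"src": set(), "sink": set()})
    used = set()
    for method, api in call_sites:
        for table, key in ((SOURCES, "src"), (SINKS, "sink")):
            if api in table:
                by_method[method][key].add(table[api])
                used.add(table[api])
    flows = sorted((m, s, k) for m, d in by_method.items()
                   for s in d["src"] for k in d["sink"])
    undeclared = sorted(c for c in used if PERM[c] not in perms)
    return flows, undeclared

# Constructed sample: a "flashlight" app whose sync and ad code ship device data
MANIFEST = """<manifest><uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/></manifest>"""
CALLS = [("Sync.run", "LocationManager.getLastKnownLocation"),
         ("Sync.run", "HttpURLConnection.getOutputStream"),
         ("Ads.init", "TelephonyManager.getDeviceId"),
         ("Ads.init", "Socket.getOutputStream"),
         ("Flashlight.toggle", "Camera.open")]

if __name__ == "__main__":
    print(map_flows(CALLS, MANIFEST))
```

The sample flags Location Data flowing to HTTP Requests and Phone ID Values flowing to TCP, the latter without a matching READ_PHONE_STATE declaration, which is the kind of source-to-sink and permission mismatch the slide asks a reviewer to surface.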