Security and privacy in the smartphone ecosystem: Final progress report

Transcription

1 Security and privacy in the smartphone ecosystem: Final progress report Alexios Mylonas Athens University of Economics & Business

2 Overview 2 Research Motivation Related work Objective Approach Methodology Threat model Smartphone definition & data Contribution Browser controls User practices Malware mitigation Smartphone forensics Future work

3 Research Motivation 3 Smartphone ecosystem facts: Increase Popularity of devices Installations of third-party apps web browsing Great source of personal and business data Smartphones appealing target for attackers

4 Related work 4 Android-centered & focused on malware mitigation Permission system Policies, all-or-nothing Static analysis e.g. static analysis on manifest Dynamic analysis e.g. Taint analysis

5 Related work 4 Android-centered & focused on malware mitigation Permission system Problem: Static analysis 1. Require advanced technical skills! Policies, all-or-nothing manifest Dynamic analysis Taint analysis Instrumentation

6 Related work 4 Android-centered & focused on malware mitigation Permission system Problem: Static analysis 1. Require advanced technical skills! Policies, all-or-nothing manifest Dynamic analysis Taint analysis Instrumentation

7 Related work 4 Android-centered & focused on malware mitigation Permission system Problem: Static analysis 1. Require advanced technical skills! Policies, all-or-nothing manifest Dynamic analysis Taint analysis Instrumentation

8 Objectives 5 Study user practices adoption of security controls User-centric protection Include user input in our approach Users value their data types differently Case study: Smartphone forensics

9 Methodology 6 Survey of controls Analysis (user-centric) Security Finding Survey of threats Recommendation/Mitigation

10 Threat model 7 T1. Malicious web (servers) WEB

11 Threat model 7 T2. Physical access

12 Threat model 7 12 T3. Malicious apps Users App App App Application Repository App App...

13 A smartphone? 8 Cell\feature phone Smartphone used to access mobile network carrier services contains a smartcard a cell phone advanced hardware capabilities an identifiable OS supports 3 rd -party apps apps from app repository C5. Theoharidou M, Mylonas A, Gritzalis D. A risk assessment method for smartphones. In: Proc. of the 27th IFIP Information Security and Privacy Conference. Springer; AICT-376; p

14 Smartphone Data 8 Smartphones host heterogeneous data Application Sensor Device Smartphone Data SIM Card Messaging Usage History C4. Mylonas A, Meletiadis V, Tsoumas B, Mitrou L, Gritzalis D. Smartphone forensics: A proactive investigation scheme for evidence acquisition. In: 27th IFIP International Information Security and Privacy Conference. Springer; AICT-376; p

15 Browser controls 9 Manageability of browser security controls PC, smartphones Out-of-the box protection offered C7. Mylonas A, Tsalis N, Gritzalis D. Evaluating the manageability of web browsers controls. In: Proc. of the 9th International Workshop on Security and Trust Management (STM-2013), Springer; LNCS-8203; 2013; p

16 Browser Controls 9 Web threats Survey of controls Control enumeration in browser UIs Browser, Chrome, Firefox, Safari, IE, Opera, Opera Mini Identification and manageability Common controls (33) Usability Default values Configurability Unavailability of controls Out-of-the-box protection Usability issues Security-oriented configuration settings UI suggestions

17 Browser controls 10 Availability of controls PC vs. smartphone Smartphones browsers offer less controls

18 Browser controls 10 Availability of controls PC vs. smartphone Smartphones browsers offer less controls Blame the sandbox? Counterexamples Android and ios (10) e.g. block location data, block third-party cookies, enable DNT, certificate warning, private browsing,... (c.f. C.7) Android (5) i.e. block referrer, disable plugin, malware protection, master password, search engine manager

19 Mitigation of web threats 11 identified controls (32) enabled by-default editable Web threats ICT web threats Smartphone threats a) default protection/threat b) control manageability/threat

20 Default protection /threat Evaluating the Manageability of Web Browsers Controls

21 Default protection /threat Evaluating the Manageability of Web Browsers Controls

22 Default protection /threat Evaluating the Manageability of Web Browsers Controls

23 Manageability of controls /threat Evaluating the Manageability of Web Browsers Controls

24 Manageability of controls /threat Evaluating the Manageability of Web Browsers Controls

25 Manageability of controls /threat Evaluating the Manageability of Web Browsers Controls

26 Manageability of controls /threat Evaluating the Manageability of Web Browsers Controls

27 Recommendations 14 Vendor Settings & UI Functionality-oriented Users can disable controls without confirmation Security settings mixed with other settings Proposed Settings & UI Security-oriented all controls configurable & enabled discourage changes certificate warning, malware/ phishing protection confirmation for update settings ask default value block cookies, block location data, block 3 rd party cookies, enable DNT, and master password

28 Recommendations 14 Proposed settings restrictive Security vs. user experience Local blacklist Per-site configuration of controls User awareness Users trained to use control(s) correctly Users aware of web threats

29 User practices 15 Adoption of controls Physical attacks Malicious apps Statistical analysis (n=458, Athens, Fall 2011) C6. Mylonas A, Gritzalis D, Tsoumas B, Apostolopoulos T. A qualitative metrics vector for the awareness of smartphone security users. In: 10th International Conference on Trust, Privacy & Security in Digital Business p J1. Mylonas A, Kastania A, Gritzalis D. Delegate the smartphone user? Security awareness in smartphone platforms. Computers & Security 2013;34(0):47 66.

30 User practices against physical access 10 Physical threat Survey of controls User survey of adoption Exposure to physical threat (vulnerability) Control enumeration in handsets Android, BlackBerry, ios, Symbian, Windows Phone Common controls Password protection remote locator remote wipe encryption Adoption of controls Statistical analysis Risk Assessment method Training

31 User practices against physical access 16 Poor adoption of physical access controls device password encryption remote data wipe remote device locator none % of adoption 64,4 22,7 15,1 23,1 27,9

32 User practices against malware 10 Threat of malicious apps Survey of controls User survey of adoption Exposure to malicious apps (vulnerability) Control enumeration by security models Android, BlackBerry, ios, Symbian, Windows Phone Security indicators security messages reputation reviews Third-party security software User practices Statistical analysis Risk Assessment method Prediction model Training

33 User practices against malware 17 User practises when installing apps from the app repository Finding 5: Users who occasionally inspect security messages or ignore them at all are more likely to disable encryption 70 Finding 6: Users 60 who always inspect security messages are more likely technically and security savvy users 50 Finding 7: Users 40 who ignore security messages are more likely to also ignore agreement messages agreement pirated reputation reviews security msgs msgs apps % of adoption 10 8,7 10,5 38,6 60,7

34 User practices against malware 17 Poor use of smartphone security software Finding 5: Poor adoption of physical security controls 100 Finding 5.1: Encryption (22.7%) 80 Finding 5.2: Remote data wipe (15.1%) 60 Finding 5.3: Remote device locator (23.1%) 40 Finding 5.4: No adoption of any physical security control (27.9%) 20 Finding 6: 0 Users tend to have disabled smartphone secsoft along searched free with encryption, device smartphone PC secsoft password lock secsoft and remote smartphone device secsoft essential locator secsoft Unaware of smartphone secssoft % of adoption 85,8 24,5 34,

35 User practices against malware 17 Users believe that installing apps from the repository is secure (~3/4 users) These users are exposed to malware Unaware users of smartphone malware more likely trust the app repository Users who trust the repository tend to be unaware about smartphone secsoft Users who trust app repository are less likely to scrutinize security msgs

36 Malware Mitigation 19 Prediction model Trust repository cannot be otherwise identified User practices, skills Prediction Model (TrustRepo) Awareness Training Risk Assessment input Risk Assessment input

37 Malware Mitigation 19 Prediction model Trust repository cannot be otherwise identified p = exp(z) / (1 + exp(z)) User practices, skills Prediction Model (TrustRepo) Awareness Training Risk Assessment input Risk Assessment input

38 Malware Mitigation 19 Prediction model Trust repository cannot be otherwise identified z = 1.351*x *x *x *x *x *x *x 7 User practices, skills Prediction Model (TrustRepo) Awareness Training Risk Assessment input Risk Assessment input

39 Malware Mitigation 19 Prediction model Trust repository cannot be otherwise identified User practices, skills Prediction Model (TrustRepo) Awareness Training Risk Assessment input Risk Assessment input Score\Sample Greek (n=458) UK (n=102) Effectiveness 79.0% 78.4% Type I 74.5% 68.2 Type II 4.0% 8.7%

40 Malware Mitigation 19 Prediction model Trust repository cannot be otherwise identified User practices, skills Prediction Model (TrustRepo) Awareness Training Risk Assessment input Risk Assessment input J1. Mylonas A, Kastania A, Gritzalis D. Delegate the smartphone user? Security awareness in smartphone platforms. Computers & Security 2013;34(0):47 66.

41 Malware Mitigation 19 Risk Assessment for smartphones Treats the device s subassets and not as a whole Treats permission granting as a vulnerability User Impact for assets Past incidents, statistics Risk Assessment Risk Value Vulnerabilities C5. Theoharidou M, Mylonas A, Gritzalis D. A risk assessment method for smartphones. In: Proc. of the 27th IFIP Information Security and Privacy Conference. Springer; AICT-376; p

42 Malware Mitigation 19 Risk Assessment for smartphones Treats the device s subassets and not as a whole Treats permission granting as a vulnerability User Impact for assets (asset, permission combination, threat) Past incidents, statistics Risk Assessment Risk Value Vulnerabilities

43 Malware Mitigation 19 Risk Assessment for smartphones Treats the device s subassets and not as a whole Treats permission granting as a vulnerability User Impact for assets (asset impact, permission likelihood, threat likelihood) Threat Risk Past incidents, statistics Risk Assessment Risk Value Vulnerabilities

44 20 Smartphone Forensics

45 Smartphone Forensics 20 What if the good guys collect the data? Can we control its abuse?

46 Smartphone Forensics Scheme 20 A scheme to avoid intelligence gathering Investigator Independent Authority Suspect P1a: Investigation Request P1b: Investigation Session P2: Evidence Type Selection (Request) P5: Storage P2: Evidence Type Selection (Execution) P4: Evidence Transmission P3: Collection Interface Evidence DB Software Agent

47 Smartphone Forensics Scheme 21 Scheme s processes Evidence Type Selection Investigation Request Investigation Session Evidence Collection Investigation Completion Evidence Transmission Evidence Storage (1 N)

48 Smartphone Forensics 22 Android implementation Mechanisms typically used by attackers Spyware, botnets, social engineering

49 Smartphone Forensics 22 A scheme to avoid intelligence gathering Android implementation

50 22 Smartphone Forensics

51 Future work 24 New user study of the adoption of security controls User study on the usability of web browser controls Design and implement standardized interface for web browsers Study the security models of new platforms Examination of alternative misuse mechanisms for proactive forensics

52 References Mylonas, A., Kastania, A., Gritzalis, D., Delegate the smartphone user? Security awareness in smartphone platforms, Computers & Security, Vol. 34, pp , Mylonas, A., Meletiadis, V., Mitrou, L., Gritzalis, D., Smartphone sensor data as digital evidence, Computers & Security (Special Issue: Cybercrime in the Digital Economy), Vol. 38, pp , Mylonas, A., Dritsas, S., Tsoumas, B., Gritzalis, D., Smartphone security evaluation: The malware attack case, in Proc. of the International Conference on Security and Cryptography, SciTePress; p , Spain Mylonas, A., Tsoumas, B., Dritsas, S., Gritzalis, D., A secure smartphone applications roll-out scheme, in Proc. of the 8 th International Conference on Trust, Privacy & Security in Digital Business, Springer, LNCS-6863, p , Kandias, M., Mylonas, A., Theoharidou, M., Gritzalis, D., Exploitation of auctions for outsourcing security-critical projects, in Proc. of the 16 th IEEE Symposium on Computers and Communications, p , Greece, Mylonas, A., Meletiadis, V., Tsoumas, B., Mitrou, L., Gritzalis, D., Smartphone forensics: A proactive investigation scheme for evidence acquisition, in Proc. of the 27 th IFIP International Information Security and Privacy Conference, Springer, AICT-376, p , Greece, Theoharidou, M., Mylonas, A., Gritzalis, D., A risk assessment method for smartphones, in Proc. of the 27 th IFIP Information Security and Privacy Conference, Springer, AICT-376, p , Greece, Mylonas, A., Gritzalis, D., Tsoumas, B., Apostolopoulos, T., A qualitative metrics vector for the awareness of smartphone security users, in Proc. of the 10 th International Conference on Trust, Privacy & Security in Digital Business, p , Chech Republic, Mylonas, A., Tsalis, N., Gritzalis, D., Evaluating the manageability of web browsers controls, in Proc. of the 9 th International Workshop on Security and Trust Management, Springer, LNCS-8203, p , United Kingdom, Mylonas, A., Dritsas, S., Tsoumas, B., Gritzalis, D., On the feasibility of malware attacks in smartphone platforms, in Security and Cryptography, Springer, p , 2012.