Making Android Enterprise Ready
Sean Yarger, Sr. Manager, Mobility and Identity

Enterprise Benefits of Android
- Java-based, get up and running with ease
- Open source, no license or royalties
- Choice of distribution mechanisms
- Inter-application and inter-process architectures for unified applications (enhanced UX)
- Low cost of entry
- Embeds better
- Others?

Consumer 69.7% 20.9%

Enterprise ~77%

Security Concerns: Fragmentation

OS Fragmentation
Version          Codename             Distribution
2.2              Froyo                1.10%
2.3.3 - 2.3.7    Gingerbread          17.80%
3.2              Honeycomb            0.10%
4.0.3 - 4.0.4    Ice Cream Sandwich   14.30%
4.1.x            Jelly Bean           34.40%
4.2.x            Jelly Bean           18.10%
4.3              Jelly Bean           8.90%
4.4              KitKat               5.30%

Device Fragmentation
Source: OpenSignal

Device Fragmentation
Source: OpenSignal
- 599 Android Manufacturers
- 11,800+ Distinct Android Devices

Android Screen Real Estate
Source: OpenSignal

iOS Screen Real Estate
Source: OpenSignal

Fragmentation
- Manufacturers fall behind Google's reference release due to their own changes
- Carriers can take months or even years to update the OS on their offered devices
- Vulnerabilities get left unpatched on older versions
- To COPE or not to COPE?

Security Concerns: Marketplaces

Android

Apple

Marketplaces
- Android is a truly open OS
- Curation is based mainly on categorization
- Security is loose or non-existent
- Google Play is the king of malware
- Users don't pay attention to app permissions
- Vulnerabilities can cause actual performance issues and data loss -- not just minor inconveniences

Security Concerns: Malware

Mobile Threats: Malicious Code by Platform, 2013
Source: Symantec
Platform   Number of Threats   Percent of Threats
Android    57                  97%
Symbian    1                   2%
Windows    1                   2%
iOS        0                   0%
Android remains the platform of choice for malware authors

Mobile Malware
Average Number of Variants Per Family: 2012 1:38, 2013 1:57
- Creation of new mobile malware slowed as malware authors focused on improving existing malware
- Average number of variants per family in 2012 was 1:38
- Increased to 1:57 in 2013

Mobile Users at Risk
- 38% of smartphone users have experienced mobile cybercrime in past 12 months
- 50% don't use basic precautions such as passwords, security software or back up files for their mobile device
Source: 2013 Norton Report

Mobile Security IQ
- DELETE SUSPICIOUS EMAILS FROM PEOPLE THEY DON'T KNOW
- HAVE AT LEAST A BASIC FREE ANTIVIRUS SOLUTION
- AVOID STORING SENSITIVE FILES ONLINE
90% 72% 78% 56% 48% 33%
Source: 2013 Norton Report

Mobile: A Dangerous Mix
1. Prevalence of mobile devices
2. Maturing of mobile malware
3. Mixing of work and personal information on devices
4. User's lack of smart smartphone risk awareness

Mitigating Mobile Attacks
Device Management
- Remotely wipe devices in case of theft or loss, control password policies
- Update devices with applications as needed without physical access
Identity & Access Control
- Provide strong authentication and authorization for access to enterprise applications and resources
- Ensure safe access to enterprise resources from right devices with right postures
Device Security
- Guard mobile device against malware
- Prevent the device from becoming a vulnerability
Application Management
- Secure data in corporate applications regardless of device ownership
Secure File Sharing
- Enable encrypted file sharing to ensure security as users share information

Mitigation: Device Management

Why MDM [Alone] Doesn't Solve the Problem
- MDM being used to solve broader mobile challenges can bring unplanned challenges
- Diminished user privacy
- Managing personal devices = more overhead
- Cannot take targeted remediation; whole device or nothing
- All or nothing policies (ex: block AirDrop & iCloud)
- User experience is impacted
Making Android Enterprise Ready @SeanYarger SYMANTEC VISION 2014

Mitigation: Identity & Access Control

Identity & Access Control
- Extend enterprise directories to Mobile (via SAML)
- Integrate CAs where applicable (devices, email, WiFi)
- Per-app VPNs
- 2FA
We want to prove the user is who they say they are, and then give them access to business resources.

Mitigation: Device Security

Advice About Android Threats
An automated system for generating intelligence about mobile applications
- Security: Identifying malware and goodware (trusted apps)
- Greyware Risks / Potentially Unwanted Apps (PUAs): Identifying privacy risks and annoyances (e.g. aggressive advertisements) in apps
- Performance: Identifying how apps impact battery life and use cellular data

Scale
- 3 million+ Android apps
- 10 thousand new apps processed every 24 hours
- 200+ app stores crawled continuously
- 2 hundred thousand malicious apps identified
- 1.5 million apps identified with greyware/PUA risks

Android Threats - Ratings
Security Ratings
Score >= 100     Known Good (Trusted App)
Score >= 75      High-Confidence Good (Trusted App)
Score >= 50      Medium-Confidence Good
Score >= 1       Low-Confidence Good
Score <= -1      Low-Confidence Bad
Score <= -25     Medium-Confidence Bad
Score <= -75     High-Confidence Bad
Score <= -100    Known Bad
Greyware Ratings (potentially unwanted app behaviors)
Performance Ratings

Sample Ratings (Example #1)
com.rovio.angrybirds v. 3.0.0
Security Rating: Score +80 (Trusted App)
Application: First Seen: 2009-03-05; Popularity: Millions of downloads
Signer (Publisher): First Seen: 2009-03-05; Popularity: Millions of downloads
SHA256: 89EE8ADD0221029E609D
Greyware Risks
- Exports IMEI to www.cooguo.com
- Exports device info to www.cooguo.com
- Exports settings info to data.flurry.com
- Displays ads in the app (AdMob, Burstly, InMobi)
- Collects location coordinates (InMobi)
Performance Rating
- Foreground: 50 (Moderate Usage)
- Background: 18 (Low Usage)
- Cellular Bandwidth Usage: 50 (Average)

Sample Ratings (Example #2)
com.tcn_app_newstype v1.1
Security Rating: Score +10 (Low-Confidence Good)
Application: First Seen: 2011-05-04; Popularity: 100s of downloads
Signer (Publisher): First Seen: 2011-05-04; Popularity: 100s of downloads
SHA256: C2701E8F35F1F52801351
Greyware Risks
- Exports call logs to 124.243.125.55
- Exports contacts to 124.243.125.55
- Exports location to 124.243.125.55
- Can export phone number
- Can export IMEI
Performance Rating
- Foreground: 20 (Low Usage)
- Background: 50 (Medium Usage)
- Cellular Bandwidth Usage: 70 (Higher than Average)

Sample Ratings (Example #3)
net.oking.newcommon v1.0
Security Rating: Score -110 (High-Confidence Malware)
Application: First Seen: 2010-03-15; Popularity: 50,000 - 250,000
Signer (Publisher): First Seen: 2010-03-15; Popularity: 50,000 - 250,000
Attributes: Uses an exploit; Uses premium services
SHA256: 8476A358C3EB393E86AB
Greyware Risks
- Sends SMS messages
- Exports settings info to androids-market.ru
- Exports SMS message history
Performance Rating: N/A

Mitigation: Application Management

Containerization and Wrapping
Containerization
Done in one of three ways:
1. Encrypted Sandbox
2. Hypervisor
3. Wrapping
App Wrapping
- Isolates and encrypts
- Per app container
- Allows/disallows OS or app access in/out of the container
- Most require code edits
- Important! Solution re-signs app w/out code change
- No rooting or jailbreaking required
- Integrated access control

Containerization and Wrapping
Containerization
Done in one of three ways:
1. Encrypted Sandbox
2. Hypervisor
3. Wrapping
App Wrapping
- Authentication Required (SSO)
- Allow Local Storage
- Offline Access
- Run on rooted?
- Copy/paste
- Restrict network

Android App Stores

Apple

Enterprise App Store

Mitigation: Secure File Sharing

Share Files Securely Anytime, Anywhere

Secure File Sharing (no really)
Encryption Management
- Multiblind Key Encryption (MBKE)
- Companies manage their own keys
Secure Authentication
- SAML support provides strong, certificate-based authentication
- Single Sign-On (SSO) avoids having separate login credentials

Device Management
Identity & Access Control
Device Security
Application Management
Secure File Sharing