Ensuring Security on Mobile Devices
It is possible, right?

Topics
- About viaforensics
- Why mobile security matters
- Types of security breaches and fraud
- Anticipated evolution of attacks
- Common mistakes that developers make
- How to anticipate and prevent security flaws
- Conclusion
About viaforensics
- I'm not Andrew Hoog
- Mobile security and forensics researchers
- Key tech leaders: Hoog, Cannon, Zdziarski
- Books, trainings, research papers, news, congressional staff briefing
- Key products and services: appsecure, liveforensics, AFLogical, viaextract, and Santoku
Why Mobile Device Security Matters
- The necessity of security is a given
- Importance and growth of mobile
- Fed study: 20% of consumers used mobile banking in 2011; up to 30% are expected to use mobile banking by 2013
- Source: http://www.federalreserve.gov/econresdata/mobile-device-report-201203.pdf

Why Mobile Device Security Matters
Problems in mobile security to date:
- Rapid growth with little security
- Trojan/malicious apps, phishing/smishing
- Perception: many consumers are unsure whether mobile is secure
Potential for much greater harm:
- A worm or one-click exploit could cause widespread infection
- Rapidly increasing adoption while the platforms are still in flux
- Potential for pervasive, undetected theft of data
Near-field Data Heist: Contactless Credit Cards

Contactless Credit Cards
The problem:
- Stories from Channel 4 and BBC Watchdog
- Card details read wirelessly from a contactless card were used to make purchases from Amazon UK
- Not a new problem, but NFC-equipped mobiles make the exploit cheap and easy
- Illustrates how ease of use can introduce security risk
Google Wallet Problems
- Google Wallet leverages NFC on some devices
- Connects to credit and prepaid cards
- Leverages the secure element on the device
- Significant growing pains so far:
  - viaforensics found excess private data stored on the device
  - zvelo cracked the user PIN (the PIN hash was stored outside the secure element, so the 4-digit PIN could be brute-forced offline)
  - thesmartphonechamp found a prepaid-card problem (clearing the app's data let a new PIN be set, giving access to the prepaid balance already on the device)
Mobiles as a Target of Attack
Mobile is different:
- NAND flash storage (wear levelling means deleted data often remains recoverable)
- New mobile OSes with frequent updates
- Devices traverse more networks and install more apps
Mobile devices are a target:
- Rich target: they handle banking, email, GPS, PII, PHI
- Both personal and corporate data
- Highly connected and can store large datasets
- Security standards and tools are still emerging
Anatomy of a Mobile Attack
Categories of cyber attacks

Espionage
- Goal: compromise classified materials
- Approach: highly sophisticated and targeted
- Impact: severe, a threat to security
- Prevention: complex, expensive

Corporate Theft
- Goal: steal trade secrets, IP and more
- Approach: sophisticated; company and individual targeted
- Impact: high; financial or R&D loss
- Prevention: strong security and policies

Consumer/Identity Theft
- Goal: financial theft, identity theft
- Approach: trivial to sophisticated; broad or company targeted
- Impact: small per victim, but wide
- Prevention: secure mobile development, education
Types of breaches
- Lost or stolen device
- Phishing/smishing
- Clickjacking
- Trojan or malicious apps
- Man-in-the-middle
- Man-in-the-mobile (malware on the handset that intercepts SMS one-time codes)
- Worm

Security Breach Accounting
- 2012 DBIR: Verizon, with the U.S. Secret Service (USSS) and foreign law-enforcement agencies
- Source: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012-press_en_xg.pdf
Evolution of Attacks
- Platforms have been compromised repeatedly
- The quantity and value of information stored and transacted on mobiles is rapidly increasing
- Attacks follow the money
- Experts anticipate growth in both broad and targeted attacks on mobile

Reality Check
- It's about the DATA
- Most data is handled by apps
- Ergo, it's about the APPS
- App security is mobile security
- Don't we trust device passcodes and encryption? No.

Device Security?
- viaforensics Mobile Security Risk Report
- First line of defense: complex passcodes, keychain data protection, remote wipe
- But secure sensitive data at the app level, and assume a hostile environment
- Do not rely solely on platform security
Apps: Common Problems
- Authentication: authentication bypass, lack of multi-factor, session-state vulnerabilities
- Insecure data on device: caching, logging, data stored without encryption, improper encryption, iOS keychain misuse
- Network issues: improper SSL/TLS validation, MITM vulnerability, SSLstrip
- Service/server vulnerabilities: brute-force susceptible, server resource exposure, lack of server-side validation
- Code vulnerabilities: reverse engineering, debugging
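Added example (not from the original deck or from viaforensics): the "improper SSL/TLS validation" and MITM item above, shown as the weak client configuration beside the hardened one, plus certificate pinning on top of full validation. It is Python standard-library code intended as a reference for assessment tooling; the equivalent mistakes in app code are an NSURLConnection delegate that accepts any server trust, or an Android TrustManager/HostnameVerifier that always returns true. The pin is the SHA-256 of the whole DER leaf certificate (SPKI pinning would need a certificate parser, which the standard library lacks); SAMPLE_DER is a constructed byte string, not a real certificate, and connect_pinned's host, port and pins are placeholders.

```python
import hashlib
import hmac
import socket
import ssl


def insecure_context() -> ssl.SSLContext:
    """The pattern behind most mobile MITM findings: the chain is not
    validated and the hostname is not checked, so any certificate an
    attacker on the path presents is accepted. Shown only for contrast."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Chain validation against the platform trust store, hostname
    verification, and no protocol version older than TLS 1.2."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """One-line audit of any context handed to you: both chain validation
    and hostname checking must be on, or the connection is MITM-able."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def cert_pin(der_cert: bytes) -> str:
    """Pin value: hex SHA-256 of the leaf certificate in DER form."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected_pins) -> bool:
    """Compare the presented leaf against a baked-in allow-list. Several
    pins are accepted so a planned certificate rotation does not lock
    users out; the comparison is constant-time."""
    actual = cert_pin(der_cert)
    return any(hmac.compare_digest(actual, pin) for pin in expected_pins)


def connect_pinned(host: str, port: int, pins, timeout: float = 10.0) -> str:
    """Open a TLS connection with full validation, then enforce the pin on
    top of it. Pinning complements chain validation; it does not replace it.
    Returns the negotiated protocol version. Needs network access, so it is
    not exercised offline."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if not pin_matches(leaf, pins):
                raise ssl.SSLCertVerificationError(
                    "certificate pin mismatch for %s" % host)
            return tls.version()


# Constructed sample bytes standing in for a DER certificate (not a real cert).
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"constructed-sample-certificate-bytes"
SAMPLE_PINS = [cert_pin(SAMPLE_DER)]

if __name__ == "__main__":
    print("insecure context verifies peer:", verifies_peer(insecure_context()))
    print("hardened context verifies peer:", verifies_peer(hardened_context()))
    print("pin ok:", pin_matches(SAMPLE_DER, SAMPLE_PINS))
    print("tampered leaf accepted:", pin_matches(SAMPLE_DER + b"\x00", SAMPLE_PINS))
```

When reviewing an app, the question to ask of every TLS code path is the one verifies_peer asks: is the chain checked, and is the hostname checked? Either one missing is a finding, and SSLstrip is the reminder that the app must also refuse to fall back to plain HTTP.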
Widespread iOS Infection Demo
- Demonstrates the risk to apps on the iOS platform
- Discovered by Jonathan Zdziarski
- Not a way to infect a device, but a way to steal important data from many apps once on it
- iOS Foundation classes hijacked
- Most apps' sensitive data is vulnerable
- One attack could steal credentials and more
- Potential for pervasive data theft across apps

Secure Mobile App Development
- Yes, there is such a thing
- Takes more time, skill and money than the alternative
- Focus on security before, during and after development
- Education is key
- Testing is key

Recommendations
- Integrate security from the design phase
- Maintain traditional security controls
- Attack your apps: test like a black hat
- Test after updates (platform and app)
- Use the latest mobile techniques and tools

Anticipate and Prevent
Anticipate attacks:
- Expect your app to be reverse engineered
- Expect your back-end services to be attacked
- Expect your users to be targeted and their devices compromised
Prevent damage:
- Prevent your data from being exposed
- Prevent your app from being compromised
- Prevent attackers from gaining elevated access

Education Resources
- Secure mobile development resources are increasing
- Industry technical training: viaforensics/CompTIA certification
- OWASP resources
- Mobile security books: Zdziarski, Hoog, others
Secure Mobile Dev: 42+ Best Practices
FREE report: https://viaforensics.com/42bp
- Avoid insecure data caching
- Avoid simple logic (a security decision that rests on a single boolean check is trivially patched out of a reverse-engineered binary)
- Be aware of the keyboard cache (text typed into the app is cached by the platform's autocorrect outside the app's control)
- Properly validate SSL/TLS
- iOS-specific issues
- Android-specific issues
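Added example (not from the deck and not viaforensics' appsecure): a small Python scanner of the kind used to test the "avoid insecure data caching" item above together with the caching, logging and unencrypted-storage problems listed under Apps: Common Problems. It builds a constructed app sandbox (a URL-cache SQLite database holding a server response, a debug log and a preferences file, all invented here), then reports Luhn-valid card numbers, credentials and session tokens left at rest. The regexes, table name and file names are assumptions; on an engagement you would point scan_sandbox at the data directory pulled from a jailbroken or rooted device, or from a backup.

```python
import os
import re
import sqlite3
import tempfile

# Patterns an assessor greps a pulled data directory for. The token pattern
# is an assumption: a token-like key followed by a 16+ character value.
CARD_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
CRED_RE = re.compile(r"(?i)\b(password|passwd|pin|pwd)\b\s*[=:]\s*(\S+)")
TOKEN_RE = re.compile(
    r"(?i)\b(session[_-]?id|auth[_-]?token|access[_-]?token)\b\s*[=:]\s*([A-Za-z0-9+/=_-]{16,})")


def luhn_ok(digits: str) -> bool:
    """Luhn check: keeps PAN-shaped numbers and drops random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(where: str, text: str) -> list:
    """Return (location, kind, value) findings for one blob of text."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group(1)):
            findings.append((where, "card_number", m.group(1)))
    for m in CRED_RE.finditer(text):
        findings.append((where, "credential", m.group(1).lower()))
    for m in TOKEN_RE.finditer(text):
        findings.append((where, "session_token", m.group(1).lower()))
    return findings


def scan_sqlite(path: str) -> list:
    """Walk every text cell of every table. URL-loading frameworks persist
    server responses into cache databases without telling the developer."""
    findings = []
    con = sqlite3.connect(path)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in names:
            for row in con.execute('SELECT * FROM "%s"' % table.replace('"', '""')):
                for cell in row:
                    if isinstance(cell, str):
                        findings.extend(scan_text("%s:%s" % (path, table), cell))
    finally:
        con.close()
    return findings


def scan_sandbox(root: str) -> list:
    """Scan every file under an app's data directory; SQLite files are
    recognised by their 16-byte header, everything else is treated as text."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                header = f.read(16)
            if header == b"SQLite format 3\x00":
                findings.extend(scan_sqlite(path))
            else:
                with open(path, "r", errors="replace") as f:
                    findings.extend(scan_text(path, f.read()))
    return findings


def build_sample_sandbox() -> str:
    """Constructed sample data, not pulled from any real app: a URL cache
    database holding a server response, a debug log, and a preferences file.
    4111111111111111 is the well-known Visa test PAN."""
    root = tempfile.mkdtemp(prefix="appdata_")
    caches = os.path.join(root, "Library", "Caches")
    os.makedirs(caches)
    con = sqlite3.connect(os.path.join(caches, "Cache.db"))
    con.execute("CREATE TABLE cfurl_cache_receiver_data (id INTEGER, receiver_data TEXT)")
    con.execute("INSERT INTO cfurl_cache_receiver_data VALUES (1, ?)",
                ('{"account":"checking","card":"4111111111111111","balance":1234.56}',))
    con.commit()
    con.close()
    with open(os.path.join(root, "debug.log"), "w") as f:
        f.write("2012-04-01 login user=alice password=hunter2\n"
                "2012-04-01 auth_token=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b\n"
                "2012-04-01 order 1234567890123 shipped\n")  # 13 digits, fails Luhn
    with open(os.path.join(root, "app.ini"), "w") as f:
        f.write("remember_me=true\npin = 1234\n")
    return root


if __name__ == "__main__":
    for where, kind, value in sorted(scan_sandbox(build_sample_sandbox())):
        print(kind, value, "in", where)
```

Each hit maps back to a best practice: the PAN in Cache.db is the URL cache the developer never disabled, the password and token in debug.log are logging left on in a release build, and the PIN in app.ini is a credential stored without encryption. Run the same scan again after every platform or app update, since a new framework version can start caching what the old one did not.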
Testing Resources
Internal:
- Train existing security engineers
- Santoku Linux project
External:
- Specialized mobile app security assessment: viaforensics appsecure
- Find mobile expertise: expert, red-team mobile assessment

Back to that Fed Study
"Consumers' perception that mobile banking and mobile payments are unsecure is currently one of the primary impediments to adoption. If consumers' perception of security issues changes, whether due to actual or perceived improvements, adoption rates may significantly increase."

Conclusion
- There is great benefit in mobile for enterprises and consumers, but:
- Mobile attacks are likely to increase
- Mobile security has been bumpy
- Consumer trust in mobile security is not strong
- Secure mobile development is key: education and testing; anticipate and prevent
- Raise the standard and assure consumers