Android 8 “Oreo” & iOS 11 security updates: What you need to know

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.

Uploaded by: nowsecure

Posted on: 23-Jan-2018

Category: Mobile

TRANSCRIPT


NowSecure #MobSec5: weekly mobile security news update

SUBSCRIBE NOW: www.nowsecure.com/go/subscribe


AGENDA + SPEAKERS

Android 8 (“Oreo”)
▪ Google Play Protect
▪ App permissions changes
▪ WebView security enhancements
▪ Other Android 8 security quick hits

iOS 11 - available Sept. 19
▪ Password AutoFill
▪ FileProvider
▪ New barriers to unlocking phones
▪ Other iOS 11 security quick hits

Speakers:
Tony Ramirez, Mobile Security Analyst
Michael Krueger, Mobile Security Analyst


Android 8 “Oreo” Security Highlights


Google Play Protect

Malware scanning
▪ Scans the apps installed on the device and reports on them to the user
▪ Also scans unknown/side-loaded apps, not just Play Store installs

SafetyNet Verify Apps API
▪ An app can ask Play Protect whether Verify Apps is enabled and which installed apps it has classified as harmful, before running sensitive functionality
▪ It can then refuse to run (or degrade) if a known malicious app is found on the device
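The gate the slide describes, written out as an added example (this is not code from the NowSecure deck). It uses the SafetyNet client from Google Play services (`play-services-safetynet`); the Activity name, the log tag and the fail-closed policy when the check cannot complete are this example's own assumptions.

```java
// Added example: gate sensitive functionality on the SafetyNet Verify Apps API.
// Requires the play-services-safetynet dependency. Activity name, tag and the
// "stop rather than degrade" policy are assumptions made for this example.
import android.app.Activity;
import android.os.Bundle;
import android.util.Log;
import com.google.android.gms.safetynet.HarmfulAppsData;
import com.google.android.gms.safetynet.SafetyNet;
import com.google.android.gms.safetynet.SafetyNetClient;
import java.util.List;

public class VerifyAppsGateActivity extends Activity {
    private static final String TAG = "VerifyAppsGate";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        SafetyNetClient client = SafetyNet.getClient(this);

        // Step 1: is Verify Apps (Play Protect scanning) switched on for this user?
        client.isVerifyAppsEnabled()
            .addOnSuccessListener(response -> {
                if (response.isVerifyAppsEnabled()) {
                    checkForHarmfulApps(client);
                } else {
                    // Ask the user to turn it on; the dialog result comes back as a Task too.
                    client.enableVerifyApps()
                        .addOnSuccessListener(enabled -> {
                            if (enabled.isVerifyAppsEnabled()) {
                                checkForHarmfulApps(client);
                            } else {
                                failClosed("User declined to enable Verify Apps");
                            }
                        })
                        .addOnFailureListener(e -> failClosed("enableVerifyApps failed: " + e));
                }
            })
            .addOnFailureListener(e -> failClosed("isVerifyAppsEnabled failed: " + e));
    }

    // Step 2: list the apps Play Protect has classified as harmful; refuse to run if any exist.
    private void checkForHarmfulApps(SafetyNetClient client) {
        client.listHarmfulApps()
            .addOnSuccessListener(response -> {
                List<HarmfulAppsData> harmful = response.getHarmfulAppsList();
                if (harmful.isEmpty()) {
                    startSensitiveWork();
                    return;
                }
                for (HarmfulAppsData app : harmful) {
                    // apkCategory is one of the VerifyAppsConstants.HARMFUL_CATEGORY_* values.
                    Log.w(TAG, "Harmful app present: " + app.apkPackageName
                            + " category=" + app.apkCategory);
                }
                failClosed("Known-malicious app installed; refusing to run");
            })
            .addOnFailureListener(e -> failClosed("listHarmfulApps failed: " + e));
    }

    private void startSensitiveWork() {
        // Proceed with login, payment, or whatever this app considers sensitive.
    }

    private void failClosed(String reason) {
        // Policy assumed for this example: stop rather than continue when the check cannot pass.
        Log.e(TAG, reason);
        finish();
    }
}
```

Note that a device with Verify Apps disabled and a user who declines to enable it ends up in `failClosed` too; whether that is acceptable is a product decision, but silently continuing would defeat the purpose of the check.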


Noteworthy app permissions changes

Install unknown apps (side-loaded apps)
▪ Replaces the device-wide “Allow unknown sources” toggle with a per-app permission
▪ Required for any installer source other than the trusted store(s)
▪ Defense against “hostile downloaders”: apps that silently fetch and install further APKs once one toggle has been flipped

TYPE_APPLICATION_OVERLAY
▪ New window type that apps must use for overlays; it is always drawn below critical system windows (status bar, IME, and so on), so an overlay can no longer cover them
▪ Fights overlay malware (fake login screens and clickjacking)

More granular granting of app permissions
▪ Granting one permission no longer implicitly grants every other permission in the same group that the app declares (for apps targeting API 26+)
▪ Later requests for additional permissions within an already-granted group are approved automatically, without another prompt

Example: unknown app alert (screenshot)
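The three changes above, as pre-flight checks in an added example (not code from the NowSecure deck). The Activity name, the request code and a `minSdkVersion` of 23 are this example's assumptions; every API used here is a documented Android framework call.

```java
// Added example: pre-flight checks for the three Android 8 permission changes.
// Assumes minSdkVersion 23 and compileSdkVersion 26+. Names are assumptions for this example.
import android.Manifest;
import android.app.Activity;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.graphics.PixelFormat;
import android.net.Uri;
import android.os.Build;
import android.provider.Settings;
import android.util.Log;
import android.view.WindowManager;
import android.widget.TextView;

public class OreoPermissionChecks extends Activity {
    private static final int REQ_PHONE_PERMS = 1001;

    // 1. "Install unknown apps": on API 26+ the device-wide toggle is gone. An installer app
    //    needs REQUEST_INSTALL_PACKAGES in its manifest AND a per-app grant from the user.
    boolean installOrAskUser(Uri apkUri) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O
                && !getPackageManager().canRequestPackageInstalls()) {
            // Deep-link straight to this app's own "Install unknown apps" screen.
            startActivity(new Intent(Settings.ACTION_MANAGE_UNKNOWN_APP_SOURCES,
                    Uri.parse("package:" + getPackageName())));
            return false;
        }
        Intent install = new Intent(Intent.ACTION_INSTALL_PACKAGE, apkUri);
        install.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
        startActivity(install);
        return true;
    }

    // 2. Overlays: TYPE_APPLICATION_OVERLAY is the only overlay type accepted from API 26+ targets.
    //    It is drawn below critical system windows, so it cannot hide the status bar or keyboard.
    //    Legitimate overlays still need the SYSTEM_ALERT_WINDOW grant, checked here.
    boolean showOverlay(String text) {
        if (!Settings.canDrawOverlays(this)) {
            startActivity(new Intent(Settings.ACTION_MANAGE_OVERLAY_PERMISSION,
                    Uri.parse("package:" + getPackageName())));
            return false;
        }
        int type = Build.VERSION.SDK_INT >= Build.VERSION_CODES.O
                ? WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY
                : WindowManager.LayoutParams.TYPE_PHONE; // pre-O fallback; deprecated on O
        WindowManager.LayoutParams lp = new WindowManager.LayoutParams(
                WindowManager.LayoutParams.WRAP_CONTENT, WindowManager.LayoutParams.WRAP_CONTENT,
                type,
                // NOT_FOCUSABLE + NOT_TOUCH_MODAL: this overlay never captures input meant for the
                // window beneath it, which is exactly what a clickjacking overlay relies on.
                WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE
                        | WindowManager.LayoutParams.FLAG_NOT_TOUCH_MODAL,
                PixelFormat.TRANSLUCENT);
        TextView view = new TextView(this);
        view.setText(text);
        getWindowManager().addView(view, lp);
        return true;
    }

    // 3. Granular grants: for API 26+ targets, holding READ_PHONE_STATE no longer implies
    //    CALL_PHONE even though both sit in the PHONE group. Request every permission you use;
    //    the second request in an already-granted group is approved without a new prompt.
    void requestPhonePermissions() {
        String[] needed = {Manifest.permission.READ_PHONE_STATE, Manifest.permission.CALL_PHONE};
        requestPermissions(needed, REQ_PHONE_PERMS);
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, String[] perms, int[] results) {
        super.onRequestPermissionsResult(requestCode, perms, results);
        if (requestCode != REQ_PHONE_PERMS) return;
        for (int i = 0; i < perms.length; i++) {
            // Evaluate each permission on its own; never infer one from another in the same group.
            boolean granted = results[i] == PackageManager.PERMISSION_GRANTED;
            Log.i("OreoPerms", perms[i] + " granted=" + granted);
        }
    }
}
```

The practical test for an existing app: build it against `targetSdkVersion 26`, run it on an Oreo device, and look for code paths that used one permission after requesting a different one from the same group; those now fail with `PERMISSION_DENIED` until the missing request is added.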


WebView security enhancements

Multi-process mode
▪ Renders web content in a separate, sandboxed process, isolated from the app's own process
▪ Prevents malicious content that compromises the renderer from directly reaching the app's memory and data
▪ Good for security, but won't fix every issue: JavaScript bridges, URL handling and file access are still the app's responsibility

Safe Browsing API
▪ Protection against known bad websites (Google Safe Browsing lists)
▪ WebViews are easy to redirect and use for executing phishing attacks, so blocking known-bad destinations closes one common path

Example: Safe Browsing alert (screenshot)
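An added example (not code from the NowSecure deck) of a WebView configured with both enhancements in mind. Safe Browsing is on by default for apps on Android 8.0 and is set explicitly here; the `onSafeBrowsingHit` callback and `SafeBrowsingResponse` only exist from Android 8.1 (API 27), so the code assumes `compileSdkVersion 27` or higher. The Activity name, the `ALLOWED_HOSTS` list and the start URL are this example's assumptions.

```java
// Added example: a WebView hardened against redirect phishing, with Safe Browsing enabled.
// Assumes compileSdkVersion 27+ (for onSafeBrowsingHit). Host list and URL are assumptions.
import android.app.Activity;
import android.net.Uri;
import android.os.Build;
import android.os.Bundle;
import android.util.Log;
import android.webkit.SafeBrowsingResponse;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class HardenedWebViewActivity extends Activity {
    private static final String TAG = "HardenedWebView";
    // Hosts this WebView may navigate to (assumed for the example).
    static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com", "login.example.com"));

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        WebSettings s = webView.getSettings();

        // Safe Browsing: the WebView refuses to load URLs on Google's known-bad lists. It is on by
        // default from API 26; setting it explicitly records the intent in code.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            s.setSafeBrowsingEnabled(true);
        }
        // Multi-process rendering is automatic for API 26+ targets, but it cannot protect what the
        // app itself hands to web content. Keep that surface as small as the page allows.
        s.setJavaScriptEnabled(false);            // enable only if the page really needs it
        s.setAllowFileAccess(false);              // no file:// reads from web content
        s.setAllowContentAccess(false);           // no content:// reads either
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);

        webView.setWebViewClient(new WebViewClient() {
            // Redirect defence: any navigation off the allow-list (the phishing pattern the slide
            // warns about) is dropped instead of rendered inside the app's trusted UI.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                boolean blocked = !isAllowed(request.getUrl());
                if (blocked) Log.w(TAG, "Blocked navigation to " + request.getUrl());
                return blocked; // true = WebView does not load it
            }

            // Android 8.1+: Safe Browsing flagged the URL. Never call callback.proceed(true) here.
            @Override
            public void onSafeBrowsingHit(WebView view, WebResourceRequest request,
                                          int threatType, SafeBrowsingResponse callback) {
                Log.w(TAG, "Safe Browsing hit, threat type " + threatType + ": " + request.getUrl());
                callback.backToSafety(true); // true = also report the hit to Safe Browsing
            }
        });

        webView.loadUrl("https://www.example.com/");
        setContentView(webView);
    }

    // HTTPS only, and only hosts we expect; a compromised page cannot widen this list.
    static boolean isAllowed(Uri url) {
        String host = url.getHost();
        return "https".equals(url.getScheme()) && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase());
    }
}
```

When testing an app's WebViews on Oreo, the two things to exercise are a redirect to a host outside the app's expected set (it should be dropped) and a load of one of Google's Safe Browsing test URLs (the interstitial should appear); if either succeeds silently, the WebView is still usable as a phishing frame.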


PROJECT TREBLE

▪ Creates a stable vendor interface in Android between the OS framework and the device-specific (OEM/silicon) code

▪ Makes the OS more modular

▪ Purpose is to make OEM updates faster & easier, so security patches reach devices sooner

▪ Hardware abstraction layers (HALs) now run in their own processes, so the media framework no longer needs direct access to kernel drivers; a media bug has less reach

Other Android 8 Security Quick Hits

NETWORK SECURITY

▪ HttpsURLConnection no longer performs insecure SSL/TLS protocol-version fallback when a handshake fails

▪ Drops support for SSLv3

OS DOWNGRADE PROTECTION

▪ Rollback protection in Android Verified Boot (on devices that ship with it) prevents downgrading a device to an older, more vulnerable version of Android

DEVELOPER OPTIONS - PASSWORD

▪ Enabling Developer options now requires the device PIN/password

▪ Protects privileged access (e.g., USB debugging, OEM unlocking for the bootloader, other developer tools)

SECCOMP FILTER

▪ A Secure Computing (seccomp) filter is applied to all apps, blocking system calls that apps have no legitimate use for

▪ Unused system calls are kernel attack surface; filtering them limits what a compromised app can reach


iOS 11 Security Highlights


Password AutoFill

Features
▪ Existing iCloud Keychain & Safari AutoFill passwords become available on the QuickType bar within apps
▪ The key button on the right authenticates the user with Touch ID before revealing credentials

Security
▪ Only presents credentials associated with the app, so a look-alike app cannot harvest another site's passwords
▪ Website associations are declared in the app's Associated Domains entitlement (webcredentials: entries)
▪ The apple-app-site-association JSON file hosted on the web server lists the apps (team ID plus bundle ID) allowed to receive that site's credentials; both sides must agree

Example: password autofill implementation (screenshot)


FileProvider enhancements (new Files app)

▪ Organizes, shares and opens documents connected to cloud storage via the Document Browser

▪ “On My <iPad/iPhone>” FileProvider
• The only local FileProvider
• Apps use it to expose local documents to other apps

▪ What data is saved, and which apps are allowed to save data, will matter

▪ Testing should evaluate the data stored and which apps can access it

Diagram: File Providers, Document Browser UI, document-based app, cloud backend


New barriers to unlocking phones

Emergency SOS mode
▪ Activated by pressing the lock button 5 times
• Phone enters emergency mode with an SOS slider
• Alerts emergency contacts with your location
• Can auto-call emergency services

▪ Also locks down the device
• Disables Touch ID (the passcode is required to unlock)
• Does NOT require you to actually call emergency services

“...handy if you're being mugged or arrested and don't want to be compelled to unlock your device.”
http://www.macworld.co.uk/how-to/iphone/how-use-sos-mode-on-iphone-3663371/


Other iOS 11 security quick hits

FACE RECOGNITION - IPHONE X

▪ Face data is protected by the Secure Enclave

▪ Requires user attention (eyes open and looking at the phone) to unlock

▪ A photo alone won't work to bypass it

▪ Open questions about the privacy of the data

OFFLOAD UNUSED APPS

▪ Deletes an app from your phone but keeps its documents and data
▪ The data's still there; will it be protected?

TLS CONNECTIONS

▪ Preliminary TLSv1.3 support
▪ TLSv1.2 is now the default
▪ 3DES is no longer an approved cipher
▪ SHA-1 is no longer accepted for certificate signatures
▪ RSA keys must be at least 2048 bits

LOCATION SERVICES

▪ More granularity about when apps can use them (“While Using the App” is always offered)
▪ Blue status bar displays when an app is using location in the background

SAFARI - TRACKING PREVENTION

▪ Intelligent Tracking Prevention (ITP)
▪ Third-party cookies from domains classified as trackers are partitioned after 24 hours without user interaction and purged after 30 days

NATIVE SCREEN RECORDING

▪ Where will screen recordings reside?
▪ Malicious use of screen recordings (capturing sensitive screens your app assumed were private)


In action: Keeping up with the latest OS updates


BEST PRACTICE RECOMMENDATIONS

1. Recognize that every new OS release - big or small - can introduce new gaps and risks

2. Find a reputable source you can count on to keep you up to date

a. Sign up for NowSecure #MobSec5 at www.nowsecure.com/go/subscribe.

b. Read our blog at www.nowsecure.com/blog

3. Test existing apps on new OS versions to identify potential risks and gaps

4. Re-test apps when updates take advantage of new OS features to identify potential risks and gaps

5. Add a mobile app security testing platform to your app factory to test custom and 3rd party apps

Case study: Global Entertainment Brand

● PAIN: Staying current on Android/iOS updates

● Mobile app security requirements service

● Continually updated best practices (BPs) to account for the latest threats and versions of Android and iOS

“By the time we finished a draft of requirements specific to one version of iOS, Apple released the next one. We couldn’t keep up with the changes in iOS and also do the same for Android.”

— Security Engineer, Multi-billion Dollar Global Brand

As a global leader in high quality entertainment delivered through an array of channels, this brand harnessed the power of mobile technology early.

https://www.nowsecure.com/case-studies/mobile-app-security-program-for-global-entertainment-brand/



NOWSECURE PLATFORM for 360º COVERAGE OF MOBILE APP SECURITY TESTING

NowSecure INTELLIGENCE: AlwaysOn AppStore Cloud Analysis for EMM & Security teams

NowSecure AUTOMATED: OnDemand Fast Cloud Analysis for Dev, QA & Security teams

NowSecure WORKSTATION: Deep Pen Testing Analysis for Security Analysts

NowSecure SERVICES: Expert Pen Testing, Training & Programs for App Owners & Security teams

8X FASTER – 3X DEEPER – MOST TRUSTED

Let’s talk

NowSecure, +1 312.878.1100

@NowSecureMobile
www.nowsecure.com

Subscribe to #MobSec5 A digest of the week’s mobile security news that matters

https://www.nowsecure.com/go/subscribe