Android Security - IBCS (PDF transcript): "Android Security: Perception vs Reality", Pietro Maggi
Page 1

ANDROID SECURITY: Perception vs Reality
Pietro Maggi
EMEA SW Consultant Sales Engineer
Page 2
Is Android secure?
Page 3
http://www.techrepublic.com/blog/it-security/androids-very-real-master-key-vulnerability/
Page 5
https://www.forbes.com/sites/thomasbrewster/2015/07/27/android-text-attacks/
Page 6
https://arstechnica.com/security/2016/10/android-phones-rooted-by-most-serious-linux-escalation-bug-ever/
https://source.android.com/security/bulletin/2016-11-01.html
Page 7

Using Data to Monitor Risk: Exploits

| Vulnerability | Initial claim headline | Unique APKs | Peak exploitation after public release (per install) | Exploitation before public release (absolute) |
|---|---|---|---|---|
| Master Key | 99% of devices vulnerable | 1231 | < 8 in a million | 0 |
| FakeID | 82% of Android users at risk | 258 | < 1 in a million | 0 |
| Stagefright | 95% of devices vulnerable | N/A | None confirmed | N/A |

Source: Google Safety Net data. Master Key data collected from 11/15/2012 to 8/15/2013 and previously published at VirusBulletin 2013; Fake ID data collected from 11/15/2012 to 12/11/2014 and previously published at the RSA Conference 2015; Stagefright data current through May 2016.
Page 8

Potentially Harmful Application Rates Since 2014 (chart)
Page 9

Potentially Harmful Application Rates Since 2014 (chart, continued)
Page 10

Verify Apps API (part of SafetyNet)

Query the state of Verify Apps (since rebranded Google Play Protect), prompt the user to turn it on, and list any harmful apps already installed on the device:

isVerifyAppsEnabled()
enableVerifyApps()
listHarmfulApps()

The verdicts come from Google Play services, so these calls are only meaningful on devices that ship with GMS, and the results arrive asynchronously: an app must act on the callback result rather than assume the scan is on.
Page 11
SafetyNet Attestation
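The slide names the service but not what the relying party has to do with the result, which is where deployments go wrong. As an added example (not code from the slides, from Google or from Zebra), here is the backend half of SafetyNet Attestation in Python: the app calls attest() with a nonce the server issued and forwards the signed JWS to the server. The server must first verify the JWS signature and check that the x5c leaf certificate chains to a trusted root and is issued to attest.android.com; that step needs an X.509 library and is not shown here. What the block shows is everything that has to happen after that: nonce binding, freshness, caller identity and the integrity verdict policy. The package name, certificate digest, nonce and timestamps are constructed sample values. SafetyNet Attestation has since been deprecated in favour of the Play Integrity API, but the same four checks apply to its verdicts.

```python
import base64
import hmac
import json
from typing import Dict, List


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment (the encoding JWS uses)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jws_claims(jws: str) -> Dict:
    """Return the claims of a compact JWS. This does NOT check the signature:
    signature and x5c chain validation (attest.android.com) must already have passed."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def _b64_bytes(value) -> bytes:
    """Standard base64 (as SafetyNet emits nonce and digests) to bytes; malformed input becomes b''."""
    try:
        return base64.b64decode(value, validate=True)
    except (ValueError, TypeError):
        return b""


def check_attestation_claims(claims: Dict, expected_nonce: bytes, expected_package: str,
                             expected_cert_sha256: bytes, now_ms: int,
                             max_age_ms: int = 60_000, require_cts_profile: bool = True) -> List[str]:
    """Return the names of the checks that failed; an empty list means accept."""
    failures: List[str] = []

    # 1. Nonce binding: must equal the single-use value this server generated for this
    #    request, otherwise a valid token from another session could be replayed.
    if not hmac.compare_digest(_b64_bytes(claims.get("nonce")), expected_nonce):
        failures.append("nonce")

    # 2. Freshness: reject stale tokens (replay) and tokens dated in the future
    #    beyond a small clock-skew allowance.
    ts = claims.get("timestampMs")
    if not isinstance(ts, int) or ts > now_ms + 5_000 or now_ms - ts > max_age_ms:
        failures.append("timestampMs")

    # 3. Caller identity: package name and signing-certificate digest of the APK that called
    #    attest() must be ours, otherwise a repackaged app could obtain a clean verdict.
    if claims.get("apkPackageName") != expected_package:
        failures.append("apkPackageName")
    digests = claims.get("apkCertificateDigestSha256") or []
    if not any(hmac.compare_digest(_b64_bytes(d), expected_cert_sha256) for d in digests):
        failures.append("apkCertificateDigestSha256")

    # 4. Integrity verdicts. basicIntegrity=false: tampered device (rooted, custom ROM, emulator).
    #    ctsProfileMatch=false: not a certified device/build (e.g. unlocked bootloader).
    if claims.get("basicIntegrity") is not True:
        failures.append("basicIntegrity")
    if require_cts_profile and claims.get("ctsProfileMatch") is not True:
        failures.append("ctsProfileMatch")
    return failures


# Constructed sample values; not real nonces, packages or certificate digests.
NONCE = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")
PACKAGE = "com.example.fieldapp"
CERT_SHA256 = bytes(range(32))
NOW_MS = 1_700_000_000_000


def make_sample_jws(claims: Dict) -> str:
    """Assemble a compact JWS with a placeholder signature, for offline demonstration only."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "x5c": ["<attest.android.com chain omitted in this sample>"]}
    return ".".join([enc(header), enc(claims), "placeholder-signature"])


def sample_claims(**overrides) -> Dict:
    """A clean attestation payload with the field names SafetyNet uses; overrides inject faults."""
    claims = {
        "nonce": base64.b64encode(NONCE).decode(),
        "timestampMs": NOW_MS - 1_500,
        "apkPackageName": PACKAGE,
        "apkCertificateDigestSha256": [base64.b64encode(CERT_SHA256).decode()],
        "ctsProfileMatch": True,
        "basicIntegrity": True,
    }
    claims.update(overrides)
    return claims


def demo() -> Dict[str, List[str]]:
    """Run the policy over a clean token and three bad ones; maps case name to failed checks."""
    cases = {
        "clean": sample_claims(),
        "rooted": sample_claims(basicIntegrity=False, ctsProfileMatch=False),
        "stale_replay": sample_claims(timestampMs=NOW_MS - 3_600_000),
        "repackaged": sample_claims(apkCertificateDigestSha256=[base64.b64encode(b"\xff" * 32).decode()]),
    }
    return {name: check_attestation_claims(decode_jws_claims(make_sample_jws(c)),
                                           NONCE, PACKAGE, CERT_SHA256, NOW_MS)
            for name, c in cases.items()}


if __name__ == "__main__":
    for name, failed in demo().items():
        print(f"{name:13s} -> {'ACCEPT' if not failed else 'REJECT ' + ','.join(failed)}")
```

Two design points worth keeping when porting this: the nonce must be generated server-side per request and consumed once, so the attestation cannot be detached from the transaction it was meant to protect; and the verdict policy should be decided per action (require_cts_profile can be relaxed for low-risk reads, never for payment or enrolment flows).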
Page 12

Page 13
Overall…
For the app-borne vulnerabilities in the exploit table (Master Key, FakeID), a device is only affected if the user downloads and installs a PHA that takes advantage of one of them. The Stagefright media-parsing bugs behind the "text attack" headlines are the exception, since they did not need an app install, which is why patch cadence matters alongside app controls.
Using a Device Policy Controller (DPC) or another lock-down mechanism is a very good idea for COSU (corporate-owned, single-use) devices: if users cannot install apps from unknown sources, the PHA path is closed.
Page 14
Google’s role in Android ecosystem security
Page 15

Google Security Services (diagram)

Application Developers get: Google Play, Android SDK, Google services / APIs, security best practices, security improvement program. They ship: applications and application updates.
Device Makers get: AOSP, CTS/CDD, security updates, security best practices. They ship: devices with Android OS and security OTAs.
Users receive the applications and the devices.

https://source.android.com/security/
Page 16

1. Robust Platform
2. Comprehensive Services
3. Ecosystem Updates
Page 17

Android OS Offers Complete Platform Security

Application Isolation: Sandboxes & Permissions, SELinux, TrustZone Services, Seccomp, Isolated Process
Device Integrity: Hardware Root, Verified Boot, Data Encryption, Security Services, Smart Lock
Exploit Mitigation: NX, ASLR, Fortify Source, Updateable WebView, Integer Overflows, Hardened Media Server
Management: Profiles, Administrative APIs, Security Integration (VPN, etc.)

¹ New or substantially changed since Android 5.0 (the slide marks individual items with this footnote)
Page 18

Constant, Independent Verification
g.co/AndroidSecurityRewards
Hundreds of active researchers
Over $1 million paid in the last 12 months
Page 19

1. Robust Platform
2. Comprehensive Services
3. Ecosystem Updates
Page 20

SafetyNet: Complete Security Services for Android
Verify Apps, Sensor Network, Android Device Manager, APIs
Page 21

Architecture: Google's Safety Net for Android (diagram)

Inputs (Data): app installs and install source; application analysis (static, dynamic, reputation, etc.); other Google services (Search, Drive, Ads, etc.); SafetyNet analysis and exploit detection (ACE, SIC, etc.); device data (events, measurements, configurations, etc.).
Android platform protections: App Sandbox, Verified Boot, Encryption, etc.
Google services that consume the knowledge: Chrome and Safe Browsing, Smart Lock, Device Manager, SafetyNet, Verify Apps, Play (App X, App Y, App Z).
Outputs (Knowledge): PHA-or-not verdicts for apps, best practices, risk signals, rare-app flags, app install checks, the Attest API, and protections (warnings, configuration changes, etc.).
Page 22

2 billion devices protected
1+ billion device scans per day
50+ billion apps checked per day
Page 23

1. Robust Platform
2. Comprehensive Services
3. Ecosystem Updates
Page 24

Ecosystem Wide Updates
Application Developers / Device Makers
Page 25

Application Security Improvements
Page 26
Zebra’s role in Android devices security
Page 27

Zebra Security – 3 Key Paradigms
1. Build on a solid foundation: Android Enterprise
2. Focus on the task: EMM, Kiosk
3. Security Life Cycle Management
Page 28

LIFEGUARD FOR ANDROID
Page 29

Zebra Extended Life Cycle Security Support
HOW TO SECURE ENTERPRISE PLATFORMS?
1. Enterprise demand: new OS platforms
2. Consumer market adoption is required
3. A successful consumer OS will be aggressively attacked
30 Day / Quarterly Security Patch Updates
Page 30

Zebra Extended Life Cycle Security Support
HOW DO I STAY SECURE WHILE MEETING MY TOTAL COST OF OWNERSHIP GOALS?
1. Consumer operating systems have a limited security support life
2. Enterprise customers keep devices in service for 5 years or more
Security Patches 2+ Years Beyond End-of-Sale
Page 31

Zebra Extended Life Cycle Security Support
HOW DO I STAY SECURE DURING OS UPDATES?
Security OS Transition Period (OTP)
1. Consumer operating systems have a limited security support life
2. Enterprise customers keep devices in service for 5 years or more
Page 32

Zebra Extended Life Cycle Security Support: Zebra vs Consumer

| | Typical Consumer | Zebra |
|---|---|---|
| Device Life Cycle | | |
| Device available for sale | No commitment, < 2 yrs | 3, 4 or 5 yrs |
| Post end-of-ship service | None | Additional 3, 4 or 5 yrs |
| Typical customer device refresh | 24-29 months* | 3-7 yrs + |
| Security Life Cycle | | |
| 30-day security updates | Some vendors | Yes¹ |
| Security patch level indication | Yes (M+) | Yes (M+) |
| Update duration from first ship | 36 months / 40 months* | 60 months / 84 months |
| OS Transition Period | None | 12 months |
| Extended OS Transition Period | None | Available ($) |

¹ Security updates released every quarter during the extended life cycle.
Page 33

Source: USA Department of Homeland Security, Study on Mobile Device Security (link)

"The most important defense against mobile device security threats is to ensure devices are patched against publicly known security vulnerabilities and are running the most recent operating system version. Installation of patches ensures that devices cannot be trivially targeted with well-known public exploits, but rather an attacker must invest time, resources, and risk of detection into developing more sophisticated attack methods. Running the most recent operating system ensures devices are benefiting from general security architecture improvements that provide resilience against vulnerabilities that may not yet be publicly known."
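The practical counterpart to this advice is knowing, per device, how far behind the patch level actually is. As an added example (not from the slides, from DHS or from Zebra), the Python below audits a fleet inventory against the security patch level Android exposes as ro.build.version.security_patch, a YYYY-MM-DD string on Android 6.0 and later (the "Security Patch Level Indication: Yes (M+)" row of the comparison table), and flags devices whose patch level is older than a policy threshold or that report no date at all. The inventory lines, serials and dates are constructed sample data; the assumed input format is one device per line (serial, release, patch level), as an EMM export or a loop over adb shell getprop would produce.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed sample inventory: serial, ro.build.version.release, ro.build.version.security_patch.
SAMPLE_INVENTORY = """\
# serial     release  security_patch
TC51-0001    7.1.2    2018-02-01
TC51-0002    7.1.2    2017-06-05
MC33-0003    8.1.0    2018-03-05
MC33-0004    8.1.0    unknown
"""


@dataclass
class Finding:
    serial: str
    release: str
    patch_level: str
    age_days: Optional[int]   # None when the patch level could not be parsed
    status: str               # "ok", "stale" or "unknown"


def parse_patch_level(value: str) -> Optional[date]:
    """ro.build.version.security_patch is YYYY-MM-DD on Android 6.0+; anything else is unparsable."""
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None


def audit_patch_levels(inventory: str, today: date, max_age_days: int = 90) -> List[Finding]:
    """One Finding per device. 'stale' means the patch level is older than max_age_days;
    'unknown' means the device reported no date (pre-Marshmallow build, or a property the
    OEM left unset), which policy should treat the same as stale."""
    findings: List[Finding] = []
    for raw in inventory.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        serial, release, patch = line.split()[:3]
        parsed = parse_patch_level(patch)
        if parsed is None:
            findings.append(Finding(serial, release, patch, None, "unknown"))
            continue
        age = (today - parsed).days
        findings.append(Finding(serial, release, patch, age, "ok" if age <= max_age_days else "stale"))
    return findings


def noncompliant(findings: List[Finding]) -> List[str]:
    """Serials that need an update: stale and unknown alike."""
    return [f.serial for f in findings if f.status != "ok"]


if __name__ == "__main__":
    for f in audit_patch_levels(SAMPLE_INVENTORY, date(2018, 4, 1)):
        print(f"{f.serial:10s} {f.release:6s} {f.patch_level:11s} {f.status:8s} {f.age_days}")
```

The threshold is deliberately a parameter: a 30-day cadence (the table's "30-day security updates") justifies a tight threshold, while a quarterly cadence during the extended life cycle means 90 days is the earliest a device can legitimately be behind. The patch level string says nothing about which CVEs are fixed; it only tells you the device is at least as current as that bulletin, so cross-check it against the bulletin for the OS release the device runs.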
Page 34

References
• Android security bulletins: https://source.android.com/security/bulletin/index.html
• Android Security 2016 Year in Review: https://security.googleblog.com/2017/03/diverse-protections-for-diverse.html
• LifeGuard for Android: https://www.zebra.com/us/en/products/software/mobile-computers/lifeguard.html
Page 35
THANK YOU