Lon Kastenson
Security of Mobile Devices
• Overview
• Types of attacks
• Security in Android
• Security in iOS
• Security in other mobile platforms
• Current protocols and solutions
• Security in the future
• Questions
Agenda
• June 2004: Cabir
• The Evolution after Cabir
– 2006: 31 Families, 170 Variants
– Cabir, Comwar, Skuller.gen
– In Symbian Alone!
• Windows Mobile 2003 and PocketPC
– Comwar
Overview: History
• 2007 Jailbreaking iPhones and iPods reveals critical flaw in iOS
• 2008, exploits found in both Android and iOS
• 2009: Blackberry Hacked
• 2010, 5% of apps contain malicious code
• 2011, The Apple user tracking debate
• 2011, confirmed attack on Android Market
Overview: History
• 1.6 billion smartphone sales worldwide (as of 2010)
Overview: Present
[Chart: Percent of Worldwide Smartphone Sales. Legend: Symbian, Android, RIM (Blackberry), iOS, Microsoft, Other. Values shown: 38%, 23%, 16%, 16%, 4%, 4%]
Source: http://www.gartner.com/it/page.jsp?id=1543014
• Both Android and iOS have known security risks.
• IBM X-Force predicts the number of attacks this year will double since last year.
• Popular attacks remain Trojan Horses and Social Engineering hacks.
Overview: Present
• Trojan Horse (Most popular, evident in Android Market Attack)
• Worm
• Virus
• Socially Engineered
• Man in the middle attacks
• Privacy Issues? (Application Terms of Service Agreement)
Types of Attacks
March 2011 Attack on Android Market
Source: http://www.androidpolice.com/2011/03/01/the-mother-of-all-android-malware-has-arrived-stolen-apps-released-to-the-market-that-root-your-phone-steal-your-data-and-open-backdoor/
• Direct Install (Trojan)
• Bluetooth
• MMS message
• Memory card
• File Injection
• Other methods?
Propagation Methods
• iOS tracking users?
• Privacy Policy for smartphone apps
• Apps having too much access?
• http://blogs.wsj.com/wtk-mobile/
Privacy Issues
• Hardware level
• Kernel level
– Linux kernel
– “ROMs”
• Android Security Program
Android Security
• NX bit
• NFC for wallet transactions
• Hardware DRM (locked bootloader)
• Off system encryption key
Hardware Level Security
• Hardware Drivers located in the kernel
• Explicit permission needed
• Only kernel level applications have root access
• Secure Inter-process Communication
• Dalvik Virtual Machine
Kernel Level Security
• “Application Sandbox”
• Protection for rooted users?
Dalvik Virtual Machine
Source: http://source.android.com/tech/security/
• System Partition and Safe Mode
• Filesystem Permissions
• Filesystem Encryption
Operating System Security
• Design Review
• Penetration Testing and Code Review
• Open Source and Community Review
• Incident Response
• OTA updates
• What happened with the March 2011 attack?
Android Security Program
• Rooted Devices
• Android Market
• Pipes
• JNI
• Permissions Prompt
Android Security Issues
I agree
Next
I accept
Continue?
Really Continue?
• Closed Source
• Market App Approval
• Security Architecture
– Security APIs
– Authentication
– Encryption
– Permissions
iOS Security
• Only developers approved through the Apple Developer Program are allowed to put applications on the market.
• Strict guidelines for application approval
• Must adhere to style guides
iStore Market Approval System
• Security Server Daemon
• Security APIs
• Core OS based encryption
Security Architecture
• Keychain
• CFNetwork
• Certificate, Key and Trust Services
• Randomization Services
• Objective-C API
Security APIs
• Filesystem Permissions
• Filesystem Encryption
• Address Space Layout Randomization
• Data Execution Prevention
Other Security Services
• Weak “sandbox”
• Vulnerable applications a threat
• Closed source approach
• Jailbroken devices
iOS Security Issues
• Capability Model
• Process Identity
• Data Caging
• Certification
Symbian Security
• Each binary is a capability
• User Capabilities
• System Capabilities
• How it all works
Capability Model
• “Copies” of DLLs are made and the kernel will check for any forged function calls.
How Capability Works
Source: http://www.developer.nokia.com/Community/Wiki/File:Capability_subversion.PNG
• SecureID
• VendorID
Process Identity
• Applications are restricted in what data they can access
• File server controls access, capability.
• Sharing data privately
• Databases and data caging
Data Caging
• Certification Assignment
• Untrusted Applications
• Trusted Applications
• Self-signing Applications
Certification and Platform Security
• Been around longest, more malware out there.
• Currently supported, but no longer a priority for development at Nokia.
• Capability model has shown weakness in the past.
Symbian Security Issues
• Unique certification for Windows Phone Marketplace
• Mandatory Code Signing
• .NET managed Code
• Isolated storage “sandbox”
• SSL root certificates
• Data Encryption
Windows Phone Security
• Hardening
– On a hardware level
– On a software level
• Attack Surface Reduction
• Internet (Cloud) based protection
• Telecom based protection
• Privacy Argument, how much security is too much?
Possible Solutions
• Speculation by Dr. Charlie Miller
• Speculation of IBM X-Force
• Gostev’s “Laws of Computer Virus Evolution”
In the Future
• Gostev, Alexander. (2006 September) Retrieved October 2011, from Securelist – Mobile Malware Evolution: An Overview Part 1 http://www.securelist.com/en/analysis?pubid=200119916
• Gartner (n.d.). Retrieved October 2011, from Gartner – Gartner Says Sales of Mobile Devices in Second Quarter of 2011 Grew 16.5 Percent Year-on-Year; Smartphones grew 74 Percent http://www.gartner.com/it/page.jsp?id=1764714
• Google. (n.d.). Android Open Source Project. Retrieved Sept 2011, from Android Open Source – Android Security Overview http://source.android.com/tech/security/index.html
• Apple. (n.d.). Mac OS X Developer Library. Retrieved Sept 2011, from Apple Developer – Security Overview http://developer.apple.com/library/mac/#documentation/Security/Conceptual/Security_Overview/Introduction/Introduction.html
• Nokia. (n.d.). Symbian C++ Books. Retrieved October 2011, from Nokia Developer – Fundamentals of Symbian C++/Platform Security http://www.developer.nokia.com/Community/Wiki/Fundamentals_of_Symbian_C%2B%2B/Platform_Security
• Microsoft. (n.d.). MSDN. Retrieved October 2011, from MSDN – Security for Windows Phone http://msdn.microsoft.com/en-us/library/ff402533.aspx
• IBM. (n.d.). IBM Security Solutions. Retrieved September 2011, from IBM – IBM X-Force 2011 Mid-Year Trend and Risk Report http://public.dhe.ibm.com/common/ssi/ecm/en/wge03015usen/WGE03015USEN.PDF
• PCWorld. Bradley, Tony. Retrieved September 2011, from PCWorld – Adobe Flash Zero Day Puts Android Smartphones at Risk. http://www.pcworld.com/businesscenter/article/205411/adobe_flash_zero_day_puts_android_smartphones_at_risk.html
• Montoro, Massimiliano. Retrieved October 2011 from oxid.it – About Cain http://www.oxid.it/cain.html
• (n.d.). Retrieved October 2011 from CyanogenMod Wiki – What is CyanogenMod? http://wiki.cyanogenmod.com/index.php?title=What_is_CyanogenMod
• Apple (n.d.). Retrieved October 2011 from Apple Developer – Guidelines for Appstore Submissions http://developer.apple.com/appstore/resources/approval/guidelines.html
• Accuvant. Farnum, Michael. Retrieved October 2011 from Accuvant – Dr. Charlie Miller Compares the Security of iOS and Android http://www.accuvant.com/blog/2011/10/20/dr-charlie-miller-compares-security-ios-and-android
• Viega, LeBlanc, Howard. 19 Deadly Sins of Software Security. Emeryville, CA: McGraw-Hill/Osborne. 2005. Print.
• Whitaker, Evans, and Voth. Chained Exploits. Boston, MA: Addison-Wesley. 2009. Print.
References
Questions?
! Are you sure you want to answer questions?