mobile app evidence, security and privacy

Carney Forensics

Upload: john-j-carney-esq

Post on 08-Aug-2015


Carney Forensics

Mobile App Evidence, Security and Privacy

John J. Carney, Esq.

SECURE360 Conference

May 13, 2015

Why Mobile Evidence?

Mobile Devices are Everywhere & Touch Everything

• 41% of Americans Have No Landline

• 66% of Ages 25 to 29 are Wireless

• 71% of Americans Use Smart Phones

• 57% of Americans Use Tablets

• 80% Use Smart Phone within 15 Mins of Wake Up

• Apple Sold 10M New iPhone6 Units in 1st Weekend

“Phones contain more probative evidence per byte of data than computer hard drives do.” – Gary C. Kessler, Ph.D.

The Year Ahead for Mobile Forensics: Cellebrite’s Panel Predictions for 2013

Why Mobile Evidence?

Discoverable Evidence in Smart Devices

E-mail and Attachments

Documents

Text Messages

Multi-media Messages

Instant Messaging and Chat

Contacts

Appointments and Calendar

Voice Calls

Voice Mail

Photographs

Video and Audio Recordings

Web Browsing History

Social Media

Mobile Apps

Metadata

Smart Phone Device

• Make, Model, Equipment IDs, Phone Number

• Software Versions, Language

• Date, Time, Time Zone, DST

Forensic Tool

• Identification (Make, Model, Serial Number)

• Software Versions

• Exam Date, Time, Time Zone, DST

Case

• Case Id, Evidence Id, Agency, Examiner

Smart Phone Content

• Hash codes (MD5, SHA1)

• Date and Time Stamps

• Geolocation Information (Geotags)

• EXIF data from onboard camera snapshots and video

• Access point data from Wi-Fi logins and activity

• Reminders

Discoverable Evidence in Smart Devices

“There’s An App for That”

“Apps are nuggets of magic” – Bart Decrem, CEO, Tapulous

App Downloads

We download 10 apps for every single woman, man, and child on planet Earth annually

Exponential Growth in App Installs

App Platforms

Pure Oxygen Labs, LLC

Growth in Unique Apps

• >1M unique iOS apps with multiple releases & languages

• >1M unique Android apps with multiple releases & languages

• How Many Dark Apps?

• Corporate Apps in Enterprises behind Corporate Firewalls

• Absent from App Stores

Apps in the Enterprise

Apps – Categories to Watch

Mobile Messaging – Consumer

Mobile Messaging – Enterprise Mobility

Mobile Messaging – Expiration / Retention

Personal Navigation – GPS

Payment – Apple Pay, Google Wallet, PayPal

Social Media

Photo Sharing

Document Creation

Web Mail

Productivity – Calendars, Notes, To-do List

Storage/Backup – Cloud Documents

Spyware – SpouseWare

Mobile Messaging Apps


• Popular “Text Message Killers”

• Use Internet and App Servers

• Text Free from Costs & Quotas

• Multi-platform for Many Devices

• Global to Bypass Country Limits

• Special and Unique Features

Mobile Messaging Apps

• Attorneys often Unaware of Exploding Use in U.S. and Abroad

• Evidence Recovery Challenging

• Subpoena or Court Order Issues

• Advanced Decoding Required

Mobile Messaging Apps

Enterprise Mobility

Mobile Messaging Apps

Expiration / Retention

Social Media Apps

Cloud Storage Apps

iPhone Personal Navigation Apps

• Apple Maps

• Garmin USA

• Magellan RoadMate

• TomTom

• Navigon North America

• Google Maps

• CoPilot Live

• MotionX GPS Drive

• MapQuest

• Scout by TeleNav

• Bing Maps

• Waze – Social GPS

Android Personal Navigation Apps

• Google Maps

• Wisepilot

• Navigon North America

• CoPilot Live

• MapQuest

• Scout by TeleNav

• Waze – Social GPS Maps

• GPS Navigation by Sygic

• iGO My Way

• BackCountry Navigator

• MapFactor

• OsmAnd+ Maps & Navigation

Web Mail Apps

Payment Apps

Apps Security Rationale

Critical Role of Mobile App Data Security

Protection Required for:

• Protected Health Information (PHI) – HIPAA

• Consumer & Security Firm Financial Info – GLBA / FINRA

• Student Records – FERPA

• Personally Identifiable Information (PII) – State Data Breach Laws

Apps HIPAA / HITECH Compliance

Final Ruling (Civil Money Penalties)

Apps HIPAA / HITECH Compliance

mHealth / Electronic Health Record Apps

• Epic Systems – MyChart, MyChart Bedside, Haiku

• SAP – EMR Unwired, Clinical Task Tracker

• Humetrix – iBlueButton, ICEBlueButton

• Mayo Clinic Patient

• Cognovant PocketHealth

• drchrono EHR

• Quest Diagnostics Care360 Mobile

• CVS Caremark, Pharmacy

MedTech Apps

• Medtronic CareLink Mobile

• St. Jude Medical Merlin.net Patient Care Network

• AliveCor Heart Monitor

Banking Apps Rationale

• “Concerns about security are holding back the adoption of mobile financial services.”

• “Concerns about the security of the technology were the primary reason given for not using mobile payments (42 percent) and the second most common reason given for not using mobile banking (48 percent).” – Board of Governors of the Federal Reserve System (March 2012)

• “68% of mobile device owners who have not adopted financial apps are holding back due to security fears.” – Mobile Banking, Consumer Security Practices and the Growing Risks to Banks, Research Report, Metaforic, 2012

App User Security Stats

• Apps Installed on Average Mobile Device: 320

• Apps Send Data to Ad Network: 50%

• Permissions Requested by Android Apps: 20 (average)

• Devices Don’t Have a Passcode: 40%

• Android Devices Have Debugging Mode Enabled: 18%

• Android Devices Allow Installation of Unverified Apps: 43%

• Devices are Rooted: 9%

• Wi-Fi Access Points Connected Everyday: 2 (average)

• Insecure Mobile Wi-Fi Connections: 7.6%

• Unique IP Addresses Connected Everyday: >160

Analysis from 104M mobile security data points uploaded daily from 170K mobile devices

Mobile App Security

NowSecure Tested 62K+ Mobile Apps:

48% of Android Apps Have One or More High Risk Security or Privacy Flaws

15% of All Apps Leak Sensitive Data over Network

9.6% of Apps on Mobile Device Leak Data

12.3% leak IMEIs (International Mobile Equipment Identity)

5% leak MAC Addresses

Presented to RSA Conference April 2015

Mobile App Security

NowSecure Tested 62K+ Mobile Apps:

Least Risky App Categories are Flawed

• Finance: 29%

• Medical: 33%

• Health and Fitness: 36%

Financial App Insecurities

• 28% Have at Least One Security Issue

• 6% Have Sensitive Data Leak

• 1% Leak Superuser Capabilities

Presented to RSA Conference April 2015

Secure Messaging Scorecard


Mobile App Privacy

“Get It Right From The Start”

• Privacy Recommendations from the FTC

• Build Privacy into Apps

• Practice “Privacy by Design”

• Limit Information Collected

• Securely Store What Is Held

• Safely Dispose of Information

• Use App Defaults Users Expect

• Do Mobile Apps Get It Right?

Mobile App Privacy

PiOS: Detecting Privacy Leaks in iOS Apps

• Academics Published Study Using Novel Analysis Tool

• Tested 1,400 iPhone Apps for Privacy Threats

• 825 Free Apps Vetted by Apple and Available through AppStore

• 582 Jailbroken Apps from Cydia (not associated with Apple)

• Sensitive Information Sources Giving Rise to Privacy Leaks:

Mobile App Privacy

PiOS: Detecting Privacy Leaks in iOS Apps

• Did the 1,400 iOS Apps Get It Right?

• Most Leaks Supply Access to Unique DeviceID

• Allows Hackers to Create Detailed Profiles of Users’ App Preferences and Usage Patterns

App Dev Security Testing

Mobile App Development Lifecycle

• Often neglected in mobile app “gold rush”

• Test, validate and mitigate data security issues

• Discover and patch data privacy leaks

Test Coverage

• Personally Identifiable Information (PII)

• Protected Health Information (PHI)

• User name / Passcode / PIN transmissions

• Browser Artifact Security (Web History, Caching, etc.)

• Man-in-the-Middle Attacks

• Privacy Policy / Permissions Usage Conformance
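As an added example (not part of the presentation), a small Python check that covers two points made above: the NowSecure finding that apps leak IMEIs and MAC addresses over the network, and the test-coverage item on user name / passcode / PIN transmissions. It scans constructed outbound request lines (an assumed "METHOD url [form body]" format with made-up .test hostnames) for credentials sent over cleartext HTTP and for device identifiers in parameters, validating IMEI candidates with their Luhn check digit.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample (not a real capture): "<METHOD> <url> [form body]" per line; .test TLD is reserved.
SAMPLE_REQUESTS = """\
POST http://api.example-bank.test/login user=alice&pin=1234
GET https://ads.example-network.test/track?imei=356938035643809&os=android
POST https://sync.example-app.test/device mac=AA:BB:CC:DD:EE:FF&model=Pixel
GET https://cdn.example-app.test/image/42.jpg
"""

IMEI_RE = re.compile(r"^\d{15}$")
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "pin", "passcode"}

def luhn_ok(digits: str) -> bool:
    """True if the last digit is a valid Luhn check digit (IMEIs carry one)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold > 9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_request(line: str) -> list[str]:
    """Flag cleartext credentials and device identifiers in one request line."""
    parts = line.split(" ", 2)
    url, body = parts[1], (parts[2] if len(parts) > 2 else "")
    u = urlsplit(url)
    params = {**dict(parse_qsl(u.query)), **dict(parse_qsl(body))}
    findings = []
    for key, value in params.items():
        if key.lower() in CREDENTIAL_KEYS and u.scheme != "https":
            findings.append(f"credential '{key}' sent in cleartext to {u.hostname}")
        if IMEI_RE.match(value) and luhn_ok(value):
            findings.append(f"IMEI in parameter '{key}' to {u.hostname}")
        if MAC_RE.match(value):
            findings.append(f"MAC address in parameter '{key}' to {u.hostname}")
    return findings

def scan_log(text: str) -> dict[str, list[str]]:
    """Map each destination host that has findings to its list of findings."""
    report: dict[str, list[str]] = {}
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        findings = scan_request(line)
        if findings:
            host = urlsplit(line.split(" ", 2)[1]).hostname
            report.setdefault(host, []).extend(findings)
    return report
```

Run `scan_log(SAMPLE_REQUESTS)` to get the three flagged hosts; the CDN image fetch produces no finding. Real captures would need the same checks applied to headers and JSON bodies, which this sketch does not parse.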

App Security Vetting


Other App Security Services

OWASP Mobile Security Project

• Top Ten Mobile Risks

• Mobile Tools

• Mobile Security Testing

• Mobile Cheat Sheet

• Secure Mobile Development

• Top Ten Mobile Controls

• Mobile Threat Model Project

Mobile Application Reputation Service

App Security Testing Vendors

• Veracode, Trend Micro, etc.

Mobile Vulnerability Database from Varutra

Mobile App Security Apps

NowSecure Protect

• Generate risk ratings to understand level of device risk

• Understand what data is being sent insecurely

• Get geo-locations of data to find out where data is going

• Learn about malicious and insecure apps

F-Secure App Permissions

• “Why Does This App Need So Many Permissions?”

• One App to Reveal Them All

Mobile Device Forensics Tools

Cellebrite UFED

• Accounts and Passwords

• Malware Scanner

• Dictionary (keylogger)

Oxygen Forensic

• Accounts and iOS Keychain

• Property Lists (plists)

• SQLite databases

• Dictionary (keylogger)

UFED Malware Scanner


Mobile App Evidence Demo

Questions & Answers

Carney Forensics

Cell Phones / Smart Phones

Smart Tablets

Computer Forensics

GPS Devices

Social Media / Email

Mobile App Testing / Litigation Readiness

Sign up for our Newsletter!!

www.carneyforensics.com
