Mobile App Security (Angry Birds Hacked My Phone)
Start Time: 9 am US Pacific / 12 noon US Eastern / 5 pm London Time
#ISSAWebConf
Welcome: Conference Moderator David Cruz, ISSA Central Florida Chapter Secretary
02/23/2016
Speaker Introduction
• Michael Raggo
Director, MobileIron Security Labs
• David Jevans
Vice President of Mobile Security, Proofpoint
• Jeff Stapleton
Information Security Architect, X9F4 Cryptographic Protocol and Application Security Workgroup
• Ralph Spencer Poore, PCIP, CFE, CISA, CISSP, CHS-III
Director of Emerging Standards, PCI Security Standards Council
To ask a question: type in your question in the Chat area of your screen. You may need to click on the double arrows to open this function.
Michael Raggo
Director, MobileIron Security Labs
#whoami
Mike Raggo
• Director of Security Research, MobileIron
• Managed MobileIron Security Labs (MISL)
• CISSP, NSA-IAM, CCSI, SCSA, ACE, CSI
• Author of “Data Hiding” & “Mobile Data Loss Threats & Countermeasures”
• Member PCI Mobile Task Force and BITS/FSISAC Financial Services international roundtable focused on mobile security
• Speaker at BITS, Black Hat, DEF CON, OWASP, and SANS
Servers and users
• Network edge has blurred
• New generation operating systems are sandboxed
• Users are low-hanging fruit
• Hackers know mobile is different
Evolution of operating system architecture
Traditional Windows (user mode / kernel mode): Win32 API, NTDLL.DLL, Logon, Session manager, Graphics drivers, Printer drivers, Win32K.sys, HAL
iOS / Android / Windows 10 (user mode / kernel mode): System utilities, Kernel, Classes/utilities, Video, UI components, Graphics, Audio, Management primitives
1. From open file system to application sandboxing (security, no app conflicts, no “DLL hell”)
2. From unprotected to protected OS kernel (stability, ease of update, ease of patching)
3. From untrusted to trusted management primitives (simplicity, consistency)
Mobile Threat Landscape (App, Device, User, Network)
• User data leakage: copy/paste, screenshot, open-in
• Malware and risky apps: data exfiltration
• Jailbreak / root: device opened to vulnerabilities leading to data exposure
• Unprotected networks: rogue access points, MiTM, hotspot
• Smartwatches, wearables, IoT: email, contacts, calendar, SMS, camera, and more…
• Bad apps: a new generation of malware, moving “up the stack” from OS and file to app; ~10,000 malware apps in the Android and iOS app stores. Countermeasure: reputation analysis and mitigation.
• Good apps behaving badly: excessive permissions, no obvious malicious intent; 80% of popular 3rd party apps contain security, privacy, and data exfiltration risks (Appthority).
• From file infection (PC) to app infection (Mobile).
Bad Apps
• Notified: Jul 27, 2015. Attacks through overflow vulnerability in old versions of Android. Mitigate: quarantine by OS version until affected devices upgraded. ActiveSync can’t protect; EMM required.
• Notified: Sept 1, 2015. Exposes owner’s iTunes credentials on jailbroken iOS devices. Mitigate: identify and selectively wipe jailbroken devices. ActiveSync can’t protect; EMM required.
• Notified: Sept 17, 2015. Hacked dev tool library allows phishing and information collection. Mitigate: identify and quarantine devices with compromised apps. ActiveSync can’t protect; EMM required.
• Notified: Oct 4, 2015. Compromise, replace, and launch apps through abuse of private APIs. Mitigate: quarantine by OS version until affected devices upgraded. ActiveSync can’t protect; EMM required.
EMM has become the security hub for data protection and incident response
XcodeGhost
Notified: Sept 17, 2015. Hacked dev tool library allows phishing and information collection. Mitigate: identify and quarantine devices with compromised apps.
Details & Mitigation:
What: Xcode is an Apple-provided suite of software development tools for iOS and OS X. Malware-infested versions of Xcode have been found on sites other than Apple’s. Developers unknowingly used these to build apps infested with malware. NO JAILBREAK REQUIRED!!!
Impact: FireEye has reported >4,000 apps found in the Apple App Store, many now removed by Apple.
Current state: these malicious apps have been found on devices.
Mitigations:
• Review blog: https://www.mobileiron.com/en/smartwork-blog/xcodeghost-malware-and-protecting-your-ios-devices (list of known infected apps provided in the blog)
• Enhance your deployment with App Reputation / Mobile Threat Prevention integrated into the EMM deployment to quarantine devices
• Use a container to isolate the threat from corporate data (outside of the container)
Anti-Malware/MTP/App Reputation Ecosystem
App based: • Uses vendor’s own app • Pulls inventory from device • Uses APIs to apply MobileIron label for control • Policy in vendor portal
API based: • Uses MobileIron API • Pulls inventory from MobileIron • Policy set in vendor portal • Updates MobileIron risk ratings and blacklist
A phased approach to malicious & risky apps
Phase 1
• OS Compromise Detection (jailbreak/root)
• Quarantine (block network access, wipe, selective wipe)
Phase 2
• Blacklist Unwanted Apps
• Containerize corporate apps and data
• Fine tune MobileIron quarantine policies
Phase 3
• App Reputation, App Risk Management, Mobile Threat Prevention
• Fine tune MobileIron quarantine policies if needed
Maturity of app security program
App SDK (public) or Wrapping (internal): comprehensive data security
Container: Secure Storage & DB; Secure Network I/O; Secure inter-app communications bus; apps/config; System Storage and Network Stack; Tunnel. Example apps: SharePoint, Doc Viewer, In-house
• Secure apps: only trusted apps get in; certs stored in container; support for 3rd party & in-house apps
• Secure access: provision with enterprise identity; password authentication; single sign-on for all applications
• Secure data: AES-256 encryption; FIPS 140-2 validated; secure IPC; secure network I/O*; lock and wipe
See our blogs for further guidance and details
https://www.mobileiron.com/en/smartwork-blog
Compromise OS integrity: gain access to passwords and resources
Countermeasure: detection and mitigation
Jailbroken iPhone = Windows 7
Man-in-the-middle attack
A mobile device connects to a rogue access point (SSID = CoffeeShop) that sits between the device and the corporate resources (Active Directory, apps, content).
Countermeasure: session trust through certificates
Compromising the session
• Thwart Man-in-the-Middle attacks on open WiFi.
• By using certificates, the mutual authentication between the device certificate and the Sentry server certificate fails because of the fake certificate presented by the attacker. Combine with certificate pinning.
• Therefore, no SSL connection is established and no data is exposed.
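The mutual-authentication-plus-pinning check this slide describes, as an added example that is not MobileIron’s or the webcast’s code: a Python client verifies the gateway’s certificate chain, presents the device certificate, and then compares the gateway certificate’s SHA-256 fingerprint against a pinned set, so the forged certificate from a rogue access point ends the session before any data is sent. The gateway host name, file paths and certificate bytes are constructed placeholders.

```python
import hashlib
import hmac
import socket
import ssl

# Hypothetical names: the corporate gateway and the device credentials
# provisioned by the EMM. Not taken from the slides.
GATEWAY_HOST = "sentry.example.internal"
CA_FILE = "corp-ca.pem"        # CA that issued the gateway certificate
CLIENT_CERT = "device.pem"     # device identity certificate
CLIENT_KEY = "device.key"

# Constructed stand-ins for the DER bytes of the real gateway certificate
# and of the certificate a rogue "CoffeeShop" access point would present.
LEGIT_GATEWAY_DER = b"\x30\x82constructed-legit-gateway-cert"
ROGUE_AP_DER = b"\x30\x82constructed-rogue-ap-cert"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


# Pins ship with the app; they are never learned on first connection.
PINNED_FINGERPRINTS = frozenset({fingerprint(LEGIT_GATEWAY_DER)})


def pin_matches(der_cert: bytes, pins=PINNED_FINGERPRINTS) -> bool:
    """True only if the presented certificate is one of the pinned ones.

    Chain validation accepts any certificate a trusted CA issued; the pin
    additionally rejects an unexpected certificate even when its chain
    would verify (for example a mis-issued certificate).
    """
    fp = fingerprint(der_cert)
    return any(hmac.compare_digest(fp, pinned) for pinned in pins)


def client_context(ca_file=CA_FILE, cert=CLIENT_CERT, key=CLIENT_KEY):
    """TLS context: verify the gateway and present the device certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True            # gateway name must match its cert
    ctx.verify_mode = ssl.CERT_REQUIRED  # unverifiable chain aborts handshake
    ctx.load_cert_chain(certfile=cert, keyfile=key)  # mutual auth, device side
    return ctx


def connect(host=GATEWAY_HOST, port=443, timeout=5.0) -> ssl.SSLSocket:
    """Open the session; close it before any data flows if the pin fails."""
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = client_context().wrap_socket(raw, server_hostname=host)
    if not pin_matches(tls.getpeercert(binary_form=True)):
        tls.close()
        raise ssl.SSLError("gateway certificate does not match the pin set")
    return tls
```

The pin set must be rotated together with the gateway certificate, so keep a second pin for the next certificate in the set before the current one expires.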
Components of a managed trust framework
• Device trust: jailbreak / root detection; encryption enforcement; passcode / biometrics; contextual authentication
• App trust: secure distribution; containerised data store; reputation analysis; local DLP controls
• Session trust: secure gateway; certs, SSO, IAM; per-app VPN; conditional access
• User trust
Question and Answer
Michael Raggo, Director, MobileIron Security Labs

Thank you Michael Raggo, Director, MobileIron Security Labs

David Jevans
Vice President of Mobile Security, Proofpoint
Riskware, Malware & Targeted Attacks
• Riskware
• Apps that consumers install that collect corporate data
• Malware
• Apps with technical exploits on app stores
• Sleeper cell apps on app stores
• Targeted app attacks via social engineering
53% of app publishers do not have a privacy policy. Data can be sold or publicly leaked without recourse.
25% of iOS apps access your contact database. Apps may send contacts and Active Directory data to unknown servers. This exposes companies to targeted APTs, spear phishing, and employee privacy violations.
30% of Android apps can leak users’ private data.
6% of Android apps read browser histories which can lead to account takeover.
An enterprise with 2,000 BYOD users will be exposed to over 20,000 unique apps (source: Proofpoint customer data).
Those apps communicate with servers in more than 30 countries
Photo Editing App Sends User Data to 7 Countries
Chinese “Security Apps” Scanning Your Network
iOS Riskware Example: CamCard v5.5.2 (iOS)
• Popular business card scanning app with millions of downloads
• Uploads scanned card information to China
• Uploads your personal data to China
• Also reads device contact database
• Sends data to 3rd party ad networks
• Communicates data in non-secure ways
Communicates to 50 servers around the world …
And if you weren’t concerned yet … read the Privacy Policy!
• Your personal information is available to the public
• Your data may be distributed across China or other countries
• You may receive unsolicited information… emails, SMS
• Laws of the Hong Kong Special Administrative Region of the People's Republic of China shall apply
Worse yet: September 2015 – infected with XcodeGhost malware
How Did XcodeGhost Infect Apps?
This is the first “compiler malware” for iOS.
The Xcode app development tools were infected by attackers and posted to Baidu’s cloud file sharing service for use by Chinese iOS programmers.
Hundreds of app developers used this tainted code to build thousands of apps.
Thousands of Infected Apps Were Published
All of these apps passed Apple’s vetting process.
Over 4,000 infected apps were published on Apple app stores around the world.
Over 1,100 apps were published on the US app store.
November 2015: iBackDoor Malware on iOS
Infected adware library: a developer in China infected the iOS library with code that can sideload apps.
mobiSage from adSage v 5.3.3 through 6.4.4 were infected.
494 infected apps in the US and Australia app stores, over 2,000 when including the Apple China app store.
YiSPecter iOS Malware
• October 4, 2015
• Enterprise-signed malware
• Abuses private iOS APIs
• Attacks non-jailbroken phones
• Spread by ISPs
Question and Answer
David Jevans, Vice President of Mobile Security, Proofpoint

Thank you David Jevans, Vice President of Mobile Security, Proofpoint

Jeff Stapleton
Information Security Architect, X9F4 Cryptographic Protocol and Application Security Workgroup

Ralph Poore
Director of Emerging Standards, PCI Security Standards Council
Banking & Payments Evolution (chart labels: Risk, Convenience, Cardholder)
• Merchants: card present, attended, location
• MOTO: CNP, attended, phone number
• Online shopping: CNP, unattended, wired, malware
• World Wide Web: CNP, unattended, wireless, malware
• World Wide Web: CNP, unattended, mobile, malware
Mobile gone Viral
• 2015: more smartphones than humans
• 2016 estimate: 10 billion smartphones (1.4 for each human)
• John Connor: “By the time Skynet became self-aware it had spread into millions of computer servers across the planet. Ordinary computers in office buildings, dorm rooms; everywhere. It was software; in cyberspace. There was no system core; it could not be shut down.”
• Mobile trends: migrate from computers, laptops, tablets to smartphones; migrate from Telco, VoIP to smartphones; migrate from browsers … there’s an app for that; employer provided or BYOD smartphone programs
Mobile Swiss Cheese
• Inputs: keyboard, touchscreen, microphone, audio jack, micro SD card, camera, USB data & power
• Wireless: cellular, Wi-Fi, Bluetooth, NFC, GPS, infrared (IR), USB
Mobile Interceptions
• Cellular: Stingray (MITM) or cloning
• Wi-Fi: rogue access point; protocol vulnerabilities
• Proximity capture: rogue Bluetooth or NFC
• Side-channels: shoulder surfing, eavesdropping, DPA; accelerometer, gyroscope, application
• Malware: don’t get me started…
Mobile Malware
• FSTC / BITS / FSRoundtable M3 2009 Report: vulnerabilities = Internet + wireless; fraud will follow payments to the mobile environment
• IBM Trusteer 2015 Threat Report: mobile infection rate of 1.12%, equal to PC rates
• Trend Micro: continued rise in mobile threats for 2016
• Attack vectors: operating system vulnerabilities; SMiShing attacks via text messaging; bad apps in mobile software stores
Financial Services Standards and Organizations
Organizations: PCI; ISO (TC68); ANSI (ASC X9)
ISO 12812 Mobile Banking & Payments: Part 1: General Framework; Part 2: Security and Data Protection; Part 3: Financial Application Management; Part 4: Mobile Person-to-Person Payments; Part 5: Mobile Person-to-Business Payments. Status: completed CD, 1st DIS, prepping for 2nd DIS.
X9.112 Wireless Management & Security: Part 1: General Requirements; Part 2: ATM and POS; Part 3: Mobile. Status: Part 1 and Part 2 published; Part 3 in progress via ISO 12812-2.
About the PCI Council
Founded in 2006, guiding open standards for payment card security:
• Development
• Management
• Education
• Awareness
PCI Mobile “At a Glance”
Mobile Payments Acceptance with a Smartphone or Tablet
• Partner with a Provider of a Validated Solution
• Use an Approved Point of Interaction (POI) Device
• Comply with the PCI Data Security Standard
Mobile Payment Acceptance
Security Guidelines for Merchants as End-Users
• Objectives and Guidance for the Security of a Payment Transaction
• Guidance for Securing the Mobile Device
• Guidance for Securing the Payment-Acceptance Solution
Mobile Payment Acceptance
Security Guidelines for Developers
• Objectives and Guidance for the Security of a Payment Transaction
• Guidelines for the Risk and Controls in the Supporting Environment
PCI Mobile Activities
• Mobile Task Force: stay abreast of progress in mobile payment security; participate in document reviews
• Mobile Forum Roundtable Discussions
• Participation in X9F4 workgroup: ISO 12812 Mobile Banking and Payments Part 2: Security; X9.112 Wireless Security Part 2: Mobile
Countermeasures
• Secure Cryptographic Device (SCD)
• Secure Element (SE)
• Host Card Emulation (HCE)
• Trusted Execution Environment (TEE)
• EMV Tokenization
• Secure Coding
Question and Answer
Jeff Stapleton, Information Security Architect, X9F4 Cryptographic Protocol and Application Security Workgroup
Ralph Poore, Director of Emerging Standards, PCI Security Standards Council

Thank you Jeff Stapleton and Ralph Poore
Open Panel with Audience Q&A
• Michael Raggo, Director, MobileIron Security Labs
• David Jevans, Vice President of Mobile Security, Proofpoint
• Jeff Stapleton, Information Security Architect, X9F4 Cryptographic Protocol and Application Security Workgroup
• Ralph Spencer Poore, PCIP, CFE, CISA, CISSP, CHS-III, Director of Emerging Standards, PCI Security Standards Council
Closing Remarks
Thank you
Thank you Citrix for donating the Webcast service
CPE Credit
• Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post-Web Conference quiz.
• After successfully completing the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.
• On-Demand Viewers Quiz Link: http://www.surveygizmo.com/s3/2609455/ISSA-Web-Conference-February-23-2016-Mobile-App-Security