360 likes | 546 Views
Security of Mobile Devices. Lon Kastenson. Agenda. Overview Types of attacks Security in Android Security in iOS Security in other mobile platforms Current protocols and solutions Security in the future Questions. Overview: History. June 2004: Cabir The Evolution after Cabir
E N D
Security of Mobile Devices Lon Kastenson
Agenda • Overview • Types of attacks • Security in Android • Security in iOS • Security in other mobile platforms • Current protocols and solutions • Security in the future • Questions
Overview: History • June 2004: Cabir • The Evolution after Cabir • 2006: 31 Families, 170 Variants • Cabir, Comwar, Skuller.gen • In Symbian Alone! • Windows Mobile 2003 and PocketPC • Comwar
Overview: History • 2007 Jailbreaking iPhones and iPods reveals critical flaw in iOS • 2008, exploits found in both Android and iOS • 2009: Blackberry Hacked • 2010, 5% of apps contain malicious code • 2011, The Apple user tracking debate • 2011, confirmed attack on Android Market
Overview: Present • 1.6 billion smartphone sales worldwide (as of 2010) Source: http://www.gartner.com/it/page.jsp?id=1543014
Overview: Present • Both Android and iOS have known security risks. • IBM X-Force predicts the number of attacks this year will double since last year. • Popular attacks remain Trojan Horses and Social Engineering hacks.
Types of Attacks • Trojan Horse (Most popular, evident in Android Market Attack) • Worm • Virus • Socially Engineered • Man in the middle attacks • Privacy Issues? (Application Terms of Service Agreement)
March 2011 Attack on Android Market Source: http://www.androidpolice.com/2011/03/01/the-mother-of-all-android-malware-has-arrived-stolen-apps-released-to-the-market-that- root-your-phone-steal-your-data-and-open-backdoor/
Propagation Methods • Direct Install (Trojan) • Bluetooth • MMS message • Memory card • File Injection • Other methods?
Privacy Issues • iOS tracking users? • Privacy Policy for smartphone apps • Apps having too much access? • http://blogs.wsj.com/wtk-mobile/
Android Security • Hardware level • Kernel level • Linux kernel • “ROMs” • Android Security Program
Hardware Level Security • NX bit • NFC for wallet transactions • Hardware DRM (locked bootloader) • Off system encryption key
Kernel Level Security • Hardware Drivers located in the kernel • Explicit permission needed • Only kernel level applications have root access • Secure Inter-process Communication • Dalvik Virtual Machine
Dalvik Virtual Machine • “Application Sandbox” • Protection for rooted users? Source: http://source.android.com/tech/security/
Operating System Security • System Partition and Safe Mode • Filesystem Permissions • Filesystem Encryption
Android Security Program • Design Review • Penetration Testing and Code Review • Open Source and Community Review • Incident Response • OTA updates • What happened with the March 2011 attack?
Android Security Issues • Rooted Devices • Android Market • Pipes • JNI • Permissions Prompt
Continue? I agree Next Really Continue? I accept
iOS Security • Closed Source • Market App Approval • Security Architecture • Security APIs • Authentication • Encryption • Permissions
iStore Market Approval System • Apple Developer Program approved developers only allowed to put applications on the market. • Strict guidelines for application approval • Must adhere to style guides
Security Architecture • Security Server Daemon • Security APIs • Core OS based encryption
Security APIs • Keychain • CFNetwork • Certificate, Key and Trust Services • Randomization Services • Objective-C API
Other Security Services • Filesystem Permissions • Filesystem Encryption • Address Space Layout Randomization • Data Execution Prevention
iOS Security Issues • Weak “sandbox” • Vulnerable applications a threat • Closed source approach • Jailbroken devices
Symbian Security • Capability Model • Process Identity • Data Caging • Certification
Capability Model • Each binary is a capability • User Capabilities • System Capabilities • How it all works
How Capability Works • “Copies” of DLLs are made and the kernel will check for any forged function calls. Source: http://www.developer.nokia.com/Community/Wiki/File:Capability_subversion.PNG
Process Identity • SecureID • VendorID
Data Caging • Applications restricted what data is accessed • File server controls access, capability. • Sharing data privately • Databases and data caging
Certification and Platform Security • Certification Assignment • Untrusted Applications • Trusted Applications • Self-signing Applications
Symbian Security Issues • Been around longest, more malware out there. • Currently supported, but no longer a priority for development at Nokia. • Capability model has shown weakness in the past.
Windows Phone Security • Unique certification for Windows Phone Marketplace • Mandatory Code Signing • .NET managed Code • Isolated storage “sandbox” • SSL root certificates • Data Encryption
Possible Solutions • Hardening • On a hardware level • On a software level • Attack Surface Reduction • Internet (Cloud) based protection • Telecom based protection • Privacy Argument, how much security is too much?
In the Future • Speculation by Dr. Charlie Miller • Speculation of IBM X-Force • Gostev’s “Laws of Computer Virus Evolution”
References • Gostev, Alexander. (2006 September) Retrieved October 2011, from Securelist – Mobile Malware Evolution: An Overview Part 1 http://www.securelist.com/en/analysis?pubid=200119916 • Gartner (n.d.). Retrieved October 2011, from Gartner – Gartner Says Sales of Mobile Devices in Second Quarter of 2011 Grew 16.5 Percent Year-on-Year; Smartphones grew 74 Percent http://www.gartner.com/it/page.jsp?id=1764714 • Google. (n.d.). Android Open Source Project. Retrieved Sept 2011, from Android Open Source – Android Security Overview http://source.android.com/tech/security/index.html • Apple. (n.d.). Mac OS X Developer Library. Retrieved Sept 2011, from Apple Developer – Security Overview http://developer.apple.com/library/mac/#documentation/Security/Conceptual/Security_Overview/Introduction/Introduction.html • Nokia. (n.d.). Symbian C++ Books. Retrieved October 2011, from Nokia Developer – Fundamentals of Symbian C++/Platform Security http://www.developer.nokia.com/Community/Wiki/Fundamentals_of_Symbian_C%2B%2B/Platform_Security • Microsoft. (n.d.). MSDN. Retrieved October 2011, from MSDN – Security for Windows Phone http://msdn.microsoft.com/en-us/library/ff402533.aspx • IBM. (n.d.). IBM Security Solutions. Retrieved September 2011, from IBM – IBM X-Force 2011 Mid-Year Trend and Risk Report http://public.dhe.ibm.com/common/ssi/ecm/en/wge03015usen/WGE03015USEN.PDF • PCWorld. Bradley, Tony. Retrieved September 2011, from PCWorld – Adobe Flash Zero Day Puts Android Smartphones at Risk. http://www.pcworld.com/businesscenter/article/205411/adobe_flash_zero_day_puts_android_smartphones_at_risk.html • Montoro, Massimiliano. Retrieved October 2011from oXit – About Cain http://www.oxid.it/cain.html • (n.d.). Retrieved October 2011 from CyanogenMod Wiki – What is CyanogenMod? http://wiki.cyanogenmod.com/index.php?title=What_is_CyanogenMod • Apple (n.d.). Retrieved October 2011 from Apple Developer – Guidelines for Appstore Submissions http://developer.apple.com/appstore/resources/approval/guidelines.html • Accuvant. Farnum, Michael. Retrieved October 2011 from Accuvant – Dr. Charlie Miller Compares the Security of iOS and Android http://www.accuvant.com/blog/2011/10/20/dr-charlie-miller-compares-security-ios-and-android • Viega, LeBlanc, Howard. 19 Deadly Sins of Software Security. Emeryville, CA: McGraw Hill-Osborn. 2005. Print. • Whitaker, Evans, and Voth. Chained Exploits. Boston, MA: Addison-Weasley. 2009. Print
Questions? ! Are you sure you want to answer questions?