1 / 36

Security of Mobile Devices

Security of Mobile Devices. Lon Kastenson. Agenda. Overview Types of attacks Security in Android Security in iOS Security in other mobile platforms Current protocols and solutions Security in the future Questions. Overview: History. June 2004: Cabir The Evolution after Cabir

tahir
Download Presentation

Security of Mobile Devices

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security of Mobile Devices Lon Kastenson

  2. Agenda • Overview • Types of attacks • Security in Android • Security in iOS • Security in other mobile platforms • Current protocols and solutions • Security in the future • Questions

  3. Overview: History • June 2004: Cabir • The Evolution after Cabir • 2006: 31 Families, 170 Variants • Cabir, Comwar, Skuller.gen • In Symbian Alone! • Windows Mobile 2003 and PocketPC • Comwar

  4. Overview: History • 2007 Jailbreaking iPhones and iPods reveals critical flaw in iOS • 2008, exploits found in both Android and iOS • 2009: Blackberry Hacked • 2010, 5% of apps contain malicious code • 2011, The Apple user tracking debate • 2011, confirmed attack on Android Market

  5. Overview: Present • 1.6 billion smartphone sales worldwide (as of 2010) Source: http://www.gartner.com/it/page.jsp?id=1543014

  6. Overview: Present • Both Android and iOS have known security risks. • IBM X-Force predicts the number of attacks this year will double since last year. • Popular attacks remain Trojan Horses and Social Engineering hacks.

  7. Types of Attacks • Trojan Horse (Most popular, evident in Android Market Attack) • Worm • Virus • Socially Engineered • Man in the middle attacks • Privacy Issues? (Application Terms of Service Agreement)

  8. March 2011 Attack on Android Market Source: http://www.androidpolice.com/2011/03/01/the-mother-of-all-android-malware-has-arrived-stolen-apps-released-to-the-market-that- root-your-phone-steal-your-data-and-open-backdoor/

  9. Propagation Methods • Direct Install (Trojan) • Bluetooth • MMS message • Memory card • File Injection • Other methods?

  10. Privacy Issues • iOS tracking users? • Privacy Policy for smartphone apps • Apps having too much access? • http://blogs.wsj.com/wtk-mobile/

  11. Android Security • Hardware level • Kernel level • Linux kernel • “ROMs” • Android Security Program

  12. Hardware Level Security • NX bit • NFC for wallet transactions • Hardware DRM (locked bootloader) • Off system encryption key

  13. Kernel Level Security • Hardware Drivers located in the kernel • Explicit permission needed • Only kernel level applications have root access • Secure Inter-process Communication • Dalvik Virtual Machine

  14. Dalvik Virtual Machine • “Application Sandbox” • Protection for rooted users? Source: http://source.android.com/tech/security/

  15. Operating System Security • System Partition and Safe Mode • Filesystem Permissions • Filesystem Encryption

  16. Android Security Program • Design Review • Penetration Testing and Code Review • Open Source and Community Review • Incident Response • OTA updates • What happened with the March 2011 attack?

  17. Android Security Issues • Rooted Devices • Android Market • Pipes • JNI • Permissions Prompt

  18. Continue? I agree Next Really Continue? I accept

  19. iOS Security • Closed Source • Market App Approval • Security Architecture • Security APIs • Authentication • Encryption • Permissions

  20. iStore Market Approval System • Apple Developer Program approved developers only allowed to put applications on the market. • Strict guidelines for application approval • Must adhere to style guides

  21. Security Architecture • Security Server Daemon • Security APIs • Core OS based encryption

  22. Security APIs • Keychain • CFNetwork • Certificate, Key and Trust Services • Randomization Services • Objective-C API

  23. Other Security Services • Filesystem Permissions • Filesystem Encryption • Address Space Layout Randomization • Data Execution Prevention

  24. iOS Security Issues • Weak “sandbox” • Vulnerable applications a threat • Closed source approach • Jailbroken devices

  25. Symbian Security • Capability Model • Process Identity • Data Caging • Certification

  26. Capability Model • Each binary is a capability • User Capabilities • System Capabilities • How it all works

  27. How Capability Works • “Copies” of DLLs are made and the kernel will check for any forged function calls. Source: http://www.developer.nokia.com/Community/Wiki/File:Capability_subversion.PNG

  28. Process Identity • SecureID • VendorID

  29. Data Caging • Applications restricted what data is accessed • File server controls access, capability. • Sharing data privately • Databases and data caging

  30. Certification and Platform Security • Certification Assignment • Untrusted Applications • Trusted Applications • Self-signing Applications

  31. Symbian Security Issues • Been around longest, more malware out there. • Currently supported, but no longer a priority for development at Nokia. • Capability model has shown weakness in the past.

  32. Windows Phone Security • Unique certification for Windows Phone Marketplace • Mandatory Code Signing • .NET managed Code • Isolated storage “sandbox” • SSL root certificates • Data Encryption

  33. Possible Solutions • Hardening • On a hardware level • On a software level • Attack Surface Reduction • Internet (Cloud) based protection • Telecom based protection • Privacy Argument, how much security is too much?

  34. In the Future • Speculation by Dr. Charlie Miller • Speculation of IBM X-Force • Gostev’s “Laws of Computer Virus Evolution”

  35. References • Gostev, Alexander. (2006 September) Retrieved October 2011, from Securelist – Mobile Malware Evolution: An Overview Part 1 http://www.securelist.com/en/analysis?pubid=200119916 • Gartner (n.d.). Retrieved October 2011, from Gartner – Gartner Says Sales of Mobile Devices in Second Quarter of 2011 Grew 16.5 Percent Year-on-Year; Smartphones grew 74 Percent http://www.gartner.com/it/page.jsp?id=1764714 • Google. (n.d.). Android Open Source Project. Retrieved Sept 2011, from Android Open Source – Android Security Overview http://source.android.com/tech/security/index.html • Apple. (n.d.). Mac OS X Developer Library. Retrieved Sept 2011, from Apple Developer – Security Overview http://developer.apple.com/library/mac/#documentation/Security/Conceptual/Security_Overview/Introduction/Introduction.html • Nokia. (n.d.). Symbian C++ Books. Retrieved October 2011, from Nokia Developer – Fundamentals of Symbian C++/Platform Security http://www.developer.nokia.com/Community/Wiki/Fundamentals_of_Symbian_C%2B%2B/Platform_Security • Microsoft. (n.d.). MSDN. Retrieved October 2011, from MSDN – Security for Windows Phone http://msdn.microsoft.com/en-us/library/ff402533.aspx • IBM. (n.d.). IBM Security Solutions. Retrieved September 2011, from IBM – IBM X-Force 2011 Mid-Year Trend and Risk Report http://public.dhe.ibm.com/common/ssi/ecm/en/wge03015usen/WGE03015USEN.PDF • PCWorld. Bradley, Tony. Retrieved September 2011, from PCWorld – Adobe Flash Zero Day Puts Android Smartphones at Risk. http://www.pcworld.com/businesscenter/article/205411/adobe_flash_zero_day_puts_android_smartphones_at_risk.html • Montoro, Massimiliano. Retrieved October 2011from oXit – About Cain http://www.oxid.it/cain.html • (n.d.). Retrieved October 2011 from CyanogenMod Wiki – What is CyanogenMod? http://wiki.cyanogenmod.com/index.php?title=What_is_CyanogenMod • Apple (n.d.). Retrieved October 2011 from Apple Developer – Guidelines for Appstore Submissions http://developer.apple.com/appstore/resources/approval/guidelines.html • Accuvant. Farnum, Michael. Retrieved October 2011 from Accuvant – Dr. Charlie Miller Compares the Security of iOS and Android http://www.accuvant.com/blog/2011/10/20/dr-charlie-miller-compares-security-ios-and-android • Viega, LeBlanc, Howard. 19 Deadly Sins of Software Security. Emeryville, CA: McGraw Hill-Osborn. 2005. Print. • Whitaker, Evans, and Voth. Chained Exploits. Boston, MA: Addison-Weasley. 2009. Print

  36. Questions? ! Are you sure you want to answer questions?

More Related