Managing Mobile Risk Data-Driven Conditional Access David Richardson, Director of Products | May, 2017 [email protected]

Page 1 (source: oxfordcomputergroup.com/wp-content/uploads/2017/05/..., dated 2017/05/10; Managing Mobile Risk Data-Driven Conditional Access, David Richardson)

Managing Mobile Risk

Data-Driven Conditional Access

David Richardson, Director of Products | May, 2017

[email protected]

Page 2

Who am I?

• Engineer/Hacker/Product Manager

• Currently run enterprise products at Lookout

• Employee #10 at Lookout (now 450 employees)

• Have discovered and revealed mobile 0-days at Black Hat and Defcon

• 20+ patents granted related to mobile security

Page 3

Why Do Mobile Risks Matter?

Page 4

Your mobile device is a gold mine for hackers

• ENTERPRISE EMAIL

• ENTERPRISE NETWORK: VPN, WiFi

• ENTERPRISE APPS: SaaS, custom apps

• CREDENTIALS: stored, soft tokens

• PHOTO ALBUM: whiteboard screenshots, IDs

• SENSORS: GPS, microphone, camera

Page 5

The Consequences are real

“Today, mobile malware costs organizations $16.3M per year, or $9,485 per infected device.”

Source: Ponemon

Page 6

Mobile Risks

• Vulnerabilities
  • OS vulnerabilities
  • App vulnerabilities

• Risky Behaviors
  • Leaky apps
  • Misconfigured devices (no passcode, no encryption, debugging enabled)

• Threats
  • Mass market malware
  • Targeted malware
  • Man-in-the-Middle attacks

Page 7

Vulnerabilities

Page 8

Vulnerabilities patched in the last 6 weeks

• Android Security Patch Level, April 2017 & May 2017
  • 219 vulnerabilities patched
  • 96 allow arbitrary code execution
  • 98 allow privilege escalation to kernel or root privileges
  • 18 allow remote code execution

• iOS 10.3.1 and 10.3
  • 92 vulnerabilities patched
  • 33 allow arbitrary code execution
  • 10 allow privilege escalation to kernel or root privileges
  • 22 are WebKit vulnerabilities (remotely exploitable)

Page 9

[Charts: 4+ years of Android OS version history; 10 months of iOS version history]

On Android, 50% of active devices are running the latest version 1 year after release.

On iOS, 50% of active devices are running the latest version 1 month after release.

Page 10

Page 11

Risky App Behaviors

Page 12

Key trends of mobile apps

• When apps are free, sensitive data becomes the currency.

• Employees source the majority of mobile apps they need on their own*.

• Mobile apps are assembled from libraries, not written.

*Source: Forrester

Page 13

App behavior risk spectrum (lowest to highest risk)

• Exhibits no sensitive behaviors

• Exhibits one or more sensitive behaviors

• Exhibits malicious behaviors

Page 14

Apps that exhibit sensitive behaviors

• Access to sensitive data: apps that access sensitive corporate or employee data, including PII

• Data exfiltration: apps that upload sensitive data to external servers

• Data sovereignty violation: apps that violate data sovereignty regulations or send data to risky geographies

• Use of cloud services: apps that access cloud storage providers, social networking services, or peer-to-peer networks

• Insecure data handling: apps that don’t use proper encryption when storing or sending data

• Vulnerabilities: applications with known vulnerabilities

Page 15

Threats

Page 16

210 Lookout-discovered threats in the Google Play Store (2016)

• xRanger: allows a third party to send a large number of ads to the device. Sends device information to a third party, causing unexpected data usage.

• Acecard: a banking trojan that steals banking credentials and intercepts text messages.

• Mapin: hazardous adware trojan. Its goal is to gain benefits from pay-per-click policy by redirecting you to commercial websites.

• Mayis: clicks background advertisements in order to defraud ad networks. May result in overages of the user’s data plan and unexpected bill charges.

• InstaAgent: sends your Instagram credentials to an unknown third party. This may result in privacy loss.

• LevelDropper: auto-rooting trojan that silently installs apps on a victim’s device.

Timeline (date: count): April 8: 3; April 25: 1; May 9: 2; May 30: 6; June 7: 1; June 8: 1. Each entry was discovered by Lookout in the Play Store and subsequently removed by Google.

Page 17

210 Lookout-discovered threats in the Google Play Store (2016), continued

• BouncerBounce: malware that works around Google’s review process to plant malicious apps in the Play Store.

• OverSeer: spyware targeting foreign travelers searching for embassy locations. Steals contact and location data.

• DressCode: can make the device a proxy for network traffic on corporate networks.

• DressCode: we discovered more apps on Play injected with this trojan.

• TcemuiPhoto Uploader: Lookout discovered this malware family in fake versions of popular apps on Play.

• XRanger: 167 apps in Play infected with this app dropper.

• WakefulApp Download: malware hidden in a "File Explorer" app that had gotten into Play; downloads and launches additional apps.

Timeline (date: count), in the order shown on the slide: July 15: 4; Aug 4: 13; Sep 7: 2; Oct 19: 167; Oct-Nov: 1; June 8: 3; Sep 30: 1; Nov 25.

Page 18

iOS Research and Report

Timeline: Sep 2015, Aug 2016, Sep 2016, Nov 2016

• XcodeGhost: XcodeGhost-infected apps can steal data and potentially trick people into providing personally identifiable information. Dozens of XcodeGhost apps were found in the App Store.

• Trident – Kernel (1)*: a kernel base mapping vulnerability that allows an attacker to calculate the kernel’s location in memory (CVE-2016-4655).

• Trident – Kernel (2)*: iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software (CVE-2016-4656).

• Trident – Safari OS*: a vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link (CVE-2016-4657).

• Pegasus Surveillance Malware*: the most sophisticated attack we’ve seen on any endpoint. A full take of data off the iOS device and the device’s surroundings.

• Dribbble – app that jailbreaks iPhone: Lookout discovered the Dribbble client, which can jailbreak your iPhone, in the App Store. It appears that the app had been in the App Store since July 30th.

• Fake retail apps in App Store: fraudsters were able to get fake retail apps into the App Store. Victims were subject to ID and sensitive data theft, including credit card and home address details. In media reports, including Good Morning America, Lookout researchers provided advice to users.

• InstaAgent: sends your Instagram credentials to an unknown third party. This may result in privacy loss.

* Discovered and analyzed by Lookout along with Citizen Lab

Page 19

Why Lookout?

Page 20

• Founded in 2007

• Focused exclusively on securing mobility

• Security for organizations and consumers

• Worldwide distribution and support

OUR PARTNERS

Page 21

World’s largest mobile sensor network: 117M+ mobile sensors in more than 100 countries

[Map: sensor counts shown on the slide: 1M, 37M, 100M, 70M, 12M, 117M sensors]

Page 22

So we can approach mobile security as a big data problem

• Data sources: Mobile Sensors (117M+ sensors), App store APIs, Web Crawlers

• Analysis: Static Analysis, Dynamic Analysis, Binary Similarity, Reputation Analysis

• Assessments: Malware Assessment, Capability Assessment, Exploit Assessment

90K+ new apps per day; 40M+ apps analyzed; ~5K new threats per day

Page 23

Mobile risks Lookout addresses

Apps
• Malicious apps
• Non-compliant apps
• App vulnerability exploits
• Data leakage

Network
• Malicious MitM attacks
• Anomalous Root CA

OS
• End user jailbreak/root
• Malicious jailbreak/root
• OS vulnerabilities exploitation

Page 24

Conditional Access w/ EMS

Page 25

Seamless enrollment

• Signs in using AAD credentials

• User installs Company Portal app

• Goes through enrollment process

• Now must make sure device is compliant

Page 26

Compliance requires Lookout

• Mobile productivity enabled; Lookout for Work is not installed

• How to resolve this: tap the required app notification in the notification area. User must install Lookout.

• Seamless installation and enrollment using AAD credentials

• Device is now compliant

Page 27

APP-BASED THREAT TRIGGERS CONDITIONAL ACCESS TO O365

• LOOKOUT MTP CONSOLE: MALWARE DETECTED → ALERT

• INTUNE CONSOLE: MALWARE DETECTED → CONDITIONAL ACCESS

• CONDITIONAL ACCESS: STOP EMAIL ACCESS, LOCK MANAGED APPS

Page 28

APP-BASED THREAT TRIGGERS CONDITIONAL ACCESS TO O365 (with remediation)

• LOOKOUT MTP CONSOLE: MALWARE DETECTED → ALERT → INTUNE CONSOLE: MALWARE DETECTED

• CONDITIONAL ACCESS: STOP EMAIL ACCESS, LOCK MANAGED APPS

• USER REMEDIATION → THREAT REMEDIATED (LOOKOUT MTP CONSOLE) → THREAT REMEDIATED (INTUNE CONSOLE) → CONDITIONAL ACCESS re-evaluated
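The flow on the last two slides (threat detected, access restricted, user remediates, access re-evaluated) and the risk taxonomy from the Mobile Risks slide (vulnerabilities, risky behaviors such as no passcode / no encryption / debugging enabled, and threats such as malware, MitM and jailbreak) can be modelled as a small policy evaluator. The code below is an added example, not Lookout or Intune code and not any real API: the posture fields, the 90-day patch-age threshold, the severity levels and the action names (notify_user, stop_email_access, lock_managed_apps) are all constructed here to show how per-signal findings roll up into a single compliance decision and how remediation unwinds it.

```python
"""Toy risk-driven conditional-access evaluator (added example, constructed for illustration)."""
from dataclasses import dataclass, field
from datetime import date
from enum import IntEnum


class Severity(IntEnum):
    """Ordered so the worst finding decides the device's overall state."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class DevicePosture:
    """Signals a mobile threat defense agent might report for one device (constructed field names)."""
    device_id: str
    passcode_set: bool
    storage_encrypted: bool
    debugging_enabled: bool
    jailbroken_or_rooted: bool
    security_patch_level: date
    threats: list[str] = field(default_factory=list)  # e.g. "malware", "mitm", "anomalous_root_ca"
    app_risk: str = "none"  # position on the app behaviour spectrum: none | sensitive | malicious


@dataclass
class Decision:
    compliant: bool
    severity: Severity
    findings: list[str]
    actions: list[str]


MAX_PATCH_AGE_DAYS = 90  # hypothetical policy value, not a vendor default

# Hypothetical policy: what the EMM / identity side does at each risk level.
ACTIONS_BY_SEVERITY = {
    Severity.NONE: [],
    Severity.LOW: ["notify_user"],
    Severity.MEDIUM: ["stop_email_access"],
    Severity.HIGH: ["stop_email_access", "lock_managed_apps"],
}


def collect_findings(p: DevicePosture, today: date) -> list[tuple[Severity, str]]:
    """Map each raw signal to a (severity, label) finding using the three risk categories."""
    found: list[tuple[Severity, str]] = []
    # Threats: active compromise, always the highest severity.
    for t in p.threats:
        found.append((Severity.HIGH, f"threat:{t}"))
    if p.jailbroken_or_rooted:
        found.append((Severity.HIGH, "os:jailbroken_or_rooted"))
    if p.app_risk == "malicious":
        found.append((Severity.HIGH, "app:malicious_behavior"))
    # Vulnerabilities: a stale patch level means known, unpatched holes.
    if (today - p.security_patch_level).days > MAX_PATCH_AGE_DAYS:
        found.append((Severity.MEDIUM, "os:patch_level_stale"))
    # Risky behaviours / misconfiguration.
    if not p.passcode_set:
        found.append((Severity.MEDIUM, "config:no_passcode"))
    if not p.storage_encrypted:
        found.append((Severity.MEDIUM, "config:no_encryption"))
    if p.debugging_enabled:
        found.append((Severity.LOW, "config:debugging_enabled"))
    if p.app_risk == "sensitive":
        found.append((Severity.LOW, "app:sensitive_behavior"))
    return found


def evaluate(p: DevicePosture, today: date) -> Decision:
    """Roll findings up to one severity and look up the access actions for it."""
    findings = collect_findings(p, today)
    severity = max((s for s, _ in findings), default=Severity.NONE)
    # LOW findings are tolerated (user is notified); MEDIUM and above break compliance.
    return Decision(
        compliant=severity < Severity.MEDIUM,
        severity=severity,
        findings=[label for _, label in findings],
        actions=list(ACTIONS_BY_SEVERITY[severity]),
    )


def remediate_threat(p: DevicePosture, threat: str, today: date) -> Decision:
    """The remediation loop: the threat is removed, the agent re-reports, access is re-evaluated."""
    p.threats = [t for t in p.threats if t != threat]
    return evaluate(p, today)


if __name__ == "__main__":
    today = date(2017, 5, 10)  # constructed reference date
    dev = DevicePosture("demo-1", True, True, False, False, date(2017, 5, 1), threats=["malware"])
    print("detected :", evaluate(dev, today))
    print("remediated:", remediate_threat(dev, "malware", today))
```

The point of keeping `ACTIONS_BY_SEVERITY` as data rather than scattering `if` statements is that the mapping from risk level to access restriction is the policy an administrator tunes; the signal-to-severity mapping in `collect_findings` is what the security vendor's telemetry informs. Re-running `evaluate` after remediation is what lets access be restored automatically instead of by a help-desk ticket.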

Page 29

Key Takeaways

• You can’t ignore mobile risks
  • Mobile is your single point of failure (MFA token + SMS + passwords + sensors)
  • Attackers will find the weak links in your security
  • There are hundreds of (unpatched) holes in your mobile devices

• Invest in visibility and protection from mobile risks across the whole spectrum
  • Threats
  • Vulnerabilities
  • Risky Behaviors

• MDM/MAM is management, not security

• Integrate mobile security into existing workflows for onboarding and conditional access

Page 30

THANK YOU