Mobile Security A Glimpse from the Trenches

Yair Amit CTO & Co-Founder Skycure @YairAmit

!  Today

!  CTO & co-founder of Skycure

!  Previously

!  Managed the Application Security Group at IBM

!  Joined IBM through the acquisition of Watchfire

!  Loves and lives security

!  Filed over 15 security patents

About&Me&

A&Holis-c&Outlook&on&Mobile&Security&

Physical&Security&

Network&

Applica-on&Security&&&Privacy&

Biggest'Threat

Changing'Threat Emerging'Threat

Basic'Threat

Malware&

The$Physical$Layer$Physical&Security&

Network&

Applica-on&Security&&&Privacy&

Malware&

!  Threat&vector&!  Device'lost'/'device'stolen'/'temporary'physical'access

!  Basic&physical&security&needs:&!  Remote'wipe !  Locate'device !  Backup !  Local'storage !  Passcode'protec@on

!  The&above&becomes&OS&responsibility&!  MDM&provides&the&above&OS&features&together&with&management&and&policy&enforcement&

The&Physical&Layer&

Network$Based$A6acks$Physical&Security&

Network&

Applica-on&Security&&&Privacy&

Malware&

Based on Skycure enabled devices worldwide

Real World Incident Statistics&

Affected Devices Over Time

0%&

10%&

20%&

30%&

40%&

50%&

0%&

23%&30%&

35%& 41%&

1&Month& 2&Months&3&Months& 4&Months&

!&

&!  Did&network&aNacks&happen&near&your&office?&!  Are&airports&more&suscep-ble&to&aNacks?&!  Which&networks&at&a&conference&should&I&be&avoiding?&

Global&RealUTime&Threat&Map&&

hNps://maps.skycure.com&

$$

Implementa;on<Based$Vulnerabili;es$$Vs.$$

Design<Based$Vulnerabili;es$

Network&Based&ANacks&

Physical&Security&

Network&

Applica-on&Security&&&Privacy&

Malware&

Network$Based$A6acks$$

Implementa-on&issues$

Physical&Security&

Network&

Applica-on&Security&&&Privacy&

Malware&

$iOS$vs.$Android$

Implementa-onUBased&Vulnerabili-es&

!  Example&I:&&

gotofail&

Implementa-onUBased&Vulnerabili-es&

>>'Read'more

Gotofail&–&The&Code&

static OSStatus SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams, uint8_t *signature, UInt16 signatureLen) { … if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) goto fail; goto fail; if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0) goto fail;

err = sslRawVerify(ctx, ctx->peerPubKey, dataToSign, /* plaintext */ dataToSignLen, /* plaintext length */ signature, signatureLen); …fail: SSLFreeBuffer(&signedHashes); SSLFreeBuffer(&hashCtx); return err;}&

Always&goto&“fail”,&even&if&

err==0&

Code&is&skipped&(even&though&err&==&0)&

Func-on&returns&0&(i.e.&verified),&even&though&sslRawVerify&was&

not&called&

!  Example&II:&&

Heartbleed&

Implementa-onUBased&Vulnerabili-es&

>>'Read'more

Heartbleed&

Network$Based$A6acks$$

Design&issues$

Physical&Security&

Network&

Applica-on&Security&&&Privacy&

Malware&

!  Design&issues&are&much&more&interes-ng&!  …'and'much'harder'to'fix

!  These&are&divided&into&two&types:&!  General'“protocol”'vulnerabili@es !  Design'issues'affec@ng'mobile'OS

!  Mobile&devices&are&more&suscep-ble:&!  Classical'solu@ons'are'inadequate !  Excessive'use'of'untrusted'networks

DesignUBased&Vulnerabili-es&

!  Example&I:&&& sslstrip&

DesignUBased&Vulnerabili-es&(Generic)&

ANacker&removes&redirec;ons$and&links&to&HTTPS&

Vic-m&con-nues&to&interact&via&HTTP&instead&of&HTTPs&

Server&returns&a&redirec-on&to&HTTPS&

>>'Read'more

!  Example&II:&

SSL&decryp-on&

DesignUBased&Vulnerabili-es&(Generic)&

92%'of'users'click'on'“Con@nue” compromising'their'Exchange'iden@ty''(username'and'password)

Con@nue 92%

Cancel 8%

!  Example&III:&

Karma&

DesignUBased&Vulnerabili-es&(Generic)&

Hak5’s'WiFi'Pineapple

>>'Read'more

Network$Based$A6acks$$

MobileUspecific&design&issues$

Physical&Security&

Network&

Applica-on&Security&&&Privacy&

Malware&

iOS sandbox approach

Source: Apple’s App Sandbox Design Guide

App Characteristics$!  One&Store&

!  Heavy&Screening&

!  App&Sandboxing&

Profile Characteristics

!  No&Store&

!  No&Screening&

!  No&Sandboxing&

iOS Security Model&

Where$Do$We$Find$Them?$!  Mobile&Device&Management&(MDM)&!  Cellular&carriers&

!  Usually'used'for'APN'se\ngs

!  Mobile&applica-ons&!  Service&providers&

Configura-on&Profiles&

Configura;on$profiles$can$also$be$malicious$!  Malicious&“service&providers”&(apps/services/WiUFis/etc.)&!  Vulnerable&services&!  Privacy&viola-ng&services&

Malicious&Profiles&

Click to install streaming profile

Welcome to iOS Streamer

Watch TV shows and movies free online.

Stream your favorite content directly to

your iOS device. Hacker'gains'access'to'your'mail,'business'apps,'cloud'services,'bank'accounts'and'more,'even if traffic is encrypted

>>'Read'more

Going$Viral$!  ANacker&hijacks&vic-m’s&key&iden--es&

!  Corporate'Exchange !  Facebook !  LinkedIn

!  ANacker&sends&mass&messages&to&vic-m’s&contacts,&luring&them&to&install&the&malicious&profile&

!  ANack&propagates&

Malicious&Profiles&

!  Profile&lis-ng&could&indicate&suspicious&profiles&!  CatUandUmouse&game:&aNackers&can&name&their&profile&to&look&benign&&

Am&I&Safe?&

!  Example&II:&

WiFiGate&

DesignUBased&Vulnerabili-es&(Mobile)&

>>'Read'more

App$Level$Security$Physical&Security&

Network&

Applica-on&Security&&&Privacy&

Malware&

!  Mobile&OS&enforce&addi-onal&security&models&!  Sandbox !  Be_er'updates !  Controlled'applica@on'stores

!  AppUlevel&issues&are&now&on&the&rise&

App&Level&Security&&&Privacy&

App$Vulnerabili;es$Physical&Security&

Network&

Applica-on&Security&&&Privacy&

Malware&

!  Example&I:&

Plain&HTTP&

App&Level&Vulnerabili-es&

Daaa!&

!  Example&II:&&

Cer-ficate&Pinning&

App&Level&Vulnerabili-es&

>>'Read'more

A$Long$Way$to$Go$!  Almost&all&major&apps&today&lack&SSL&Pinning&

!  Suscep@ble'to'a_acks'such'as'malicious'profiles'by'design !  Also'exploited'when'a_acker'gains'access'to'a'trusted'CA

!  Slow&adop-on&should&not&come&as&a&surprise&!  Implementa@on'challenges

!  Less'flexibility !  Can'become'a'nightmare'if'done'wrong…

Cer-ficate&Pinning&

!  Example&III:&&

HTTP&Request&&&Hijacking&

App&Level&Vulnerabili-es&

Vic@m'interacts'with'the'malicious'server

A'while'later, vic@m'opens'the'app

App'logic'has'changed!

A_acker'returns'a'301'direc@ve'specifying'a'

permanent'change'in'URI

Victim opens the app in an untrusted environment

App'con@nues'to'connect'to'the'malicious'server!

Malicious'server'can'return'actual'results'from'the'target'server

>>'Read'more

HRH&–&ANack&Flow&

Malicious$Apps$Physical&Security&

Network&

Applica-on&Security&&&Privacy&

Malware&

The year of Android malware [1]

Google reveals “Bouncer” - its malware scanner [2]

Malware is moving out of the Google Play [3]

Google adds full-time app scanning to address malware on external stores [4]

Google’s&Focus&on&Malware&

Android is becoming like iOS

when it comes to malware

!  While&OS&an-Umalware&techniques&advance,&there&are&other&similar&problems&(harder&to&address)&

The&Maliciousness&Axis&

Malicious'Apps

Ad'Networks

Privacy'Viola@ons

Not&an&Android&Only&Issue…&

Summary$

!  The&physical&threats&!  Becomes'the'OS'responsibility

!  Network&based&threats&!  Implementa@on'vulnerabili@es !  Design'vulnerabili@es

!  Generic'vs.'mobile'specific

!  App&level&threats&!  Vulnerabili@es

!  HTTP/S,'Cer@ficate'Pinning,'HTTP'Request'Hijacking

!  The'“maliciousness”'axis !  Malware'!'Ad'Networks'!'Privacy'Viola@ons

Summary&

!  Personal level

!  Maintain'an'up'to'date'opera@nglsystem

!  Update'the'apps'that'you'are'using

!  Be'alerted'and'aware'of'evolving'threats !  Network'layer

!  Thirdlparty'app'stores

!  OS'misconfigura@ons'and'vulnerabili@es

!  Organizational level&!  Deploy'a'mobile'security'solu@on

Recommenda-ons&

Thank you!!  Twi_er: @YairAmit !  Email: yair@skycure.com !  Blog: h_p://www.skycure.com/blog

Seamless Mobile Security