Mobile Security Presentation at HDI 2012

Transcript of Session 810, Ken Huang

Page 1

Session 810: The Security Risks of Mobile Environments and How to Protect Against Them

Ken Huang, Director of Security Engineering, CGI

Page 2

Who am I?

• Ken Huang – Director of Security Engineering, CGI
• Cloud/Mobile Security
• Security testing and evaluation
• Identity and Access Management
• Frequent speaker
• Blog: http://mobile-cloud-security.blogspot.com/
• LinkedIn: www.linkedin.com/in/kenhuang8
• Twitter: http://twitter.com/#!/kenhuangus

Page 3

Topics

• Mobile Technology and Trends
• Mobile Application and Trends
• Mobile Security and Trends
• Defense in Depth Solutions
• Conclusion and Questions

Page 4

Mobile Technology and Trends

Technology Trends

Wi-Fi
• More Wi-Fi hotspots will be added
• Wi-Fi still plays a huge role in WLAN

3G & 4G
• 3G will gradually phase out
• 4G networks will increase, as it is a major competing ground for carriers to attract new customers

Bluetooth
• Will continue to be used to connect personal network devices

NFC
• Will gain more momentum for payment, ticketing, and check-in devices

Page 5

3G vs 4G Networks

                3G                                    4G
Speed class     DSL speeds                            Wired network speeds
Max speed       Up to 3.1 Mbps                        Up to 100+ Mbps
Features        All 2G and 2.5G features plus:        All 3G features plus:
                • Real-time location-based services   • On-demand video
                • Full motion videos                  • Video conferencing
                • Streaming music                     • High-quality streaming video
                • 3D gaming                           • High-quality Voice-over-IP (VoIP)
                • Faster web browsing                 • Added security features

Trends: 4G will be the winner

Page 6

WiMAX vs. Wi-Fi

Criterion                  WiMAX                               Wi-Fi
Speed                      Up to 4 Mbps                        Up to 2 Mbps
Bandwidth                  Up to 75 Mbps                       Up to 54 Mbps
Range                      30 miles (50 km)                    100 feet (30 m)
Intended number of users   100+                                20
Quality of Service         Stronger encryption (TDES or AES)   Weaker encryption (WEP or WPP)

Trends: Both WiMAX and Wi-Fi will co-exist for the foreseeable future

Page 7

NFC

• Uses less power than Bluetooth
• Does not need pairing
• Based on RFID technology at 13.56 MHz
• Operating distance typically up to 10 cm

Trends: NFC will get wider use due to payment and ticketing apps

Page 8

Mobile Application Trends

• Payment
  – Using your phone to pay will become a reality
• Federal Government Adoption
  – Mobile apps will become more widely used
  – Cloud and Mobile Computing: during an appearance in Silicon Valley, Aneesh Chopra, the nation’s first-ever CTO, acknowledged the inevitable emergence of cloud and mobile as solutions for the federal government, but sees them as supplementing, rather than replacing, legacy systems
  – Transportation Department gets $100 million for mobile apps

Page 9

Mobile Application Trends (cont.)

• Federal Government Adoption (cont.)
  – FBI – most wanted listing app on iPhone
  – IRS – check refund status
  – The White House mobile app – news, videos, podcasts, blogs, etc.
  – More than half of federal websites are planning to develop a mobile-optimized website, according to a poll by ForeSee Results
• Productivity tool
  – Mobile apps will become more mature over time
• Banking and Mobile Commerce
  – Check balances, transfer funds, etc.

Page 10

Mobile Application Trends (cont.)

• Entertainment
  – Videos, gaming, etc.
• Social networking
  – Facebook
  – Twitter
  – Foursquare
  – LinkedIn
  – Instagram
• Activists
  – Collective bargaining and strikes
• Other
  – Price comparison for various products (SnapTell)

Page 11

Wi-Fi Security

• Use a strong password
• Don’t broadcast your SSID
• Use good wireless encryption (WPA, not WEP)
• Use another layer of encryption when possible (e.g. VPN, SSL)
• Restrict access by MAC address
• Shut down the network and wireless network when not in use
• Monitor your network for intruders
• Use a firewall

Trends: More Wi-Fi hotspots (but more attacks on hotspots as well) – avoid free Wi-Fi whenever possible; Wi-Fi-enabled mobile devices can become the stepping stone into your secured network

Page 12

4G Security Trends

• Backward compatibility with 3G or GSM capabilities exposes 4G to 3G and GSM security vulnerabilities
• 4G also has a roaming vulnerability associated with mutual authentication: a fake network can easily claim to be a “roaming partner”

Trends: More bandwidth comes with a greater possibility of being attacked

Page 13

Bluetooth Security Trends

• Bluejacking
  – Sending either a picture or a message from one user to an unsuspecting user through Bluetooth wireless technology
• DoS attacks
• Eavesdropping
• Man-in-the-middle attacks
• Message modification
• NIST published a Guide to Bluetooth Security in 2008

Trends: Dependent on new apps on Bluetooth – I don’t see any significant increase in attacks on Bluetooth

Page 14

NFC Security Trends

• Eavesdropping
  – The attacker must have a good receiver and stay close
  – To avoid this, use a secure channel as a compensating control
• Data corruption and modification
  – Jams the data so that it is not readable by the receiver
  – Check the RF field as a compensating control

Trends:
• Widespread adoption expected by 2015
• Secure channels for NFC
• Payments through smartphones will replace plastic cards and keys

Page 15

Attack on the app

• Currently, Android devices are the target due to Google’s loose vetting process
  – Law360, New York (March 15, 2012, 10:18 PM ET) – Android cellphone users sued Google Inc over a faulty Android app
• iPhones and iPads are lightly hacked – but will become targets in the future

Trends: Apps will be more vulnerable to attacks in the future

Page 16

OWASP Top 10 Mobile Risks

• Insecure Data Storage
• Weak Server Side Controls
• Insufficient Transport Layer Protection
• Client Side Injection
• Poor Authorization and Authentication
• Improper Session Handling
• Security Decisions Via Untrusted Inputs
• Side Channel Data Leakage
• Broken Cryptography
• Sensitive Information Disclosure

Source: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

Page 17

M1: Insecure Data Storage

• Sensitive data left unprotected
• Applies to locally stored data and cloud-synced data
• Generally a result of:
  – Not encrypting data
  – Persisting data not intended for long-term storage
  – Weak or global permissions
  – Not leveraging platform best practices
• Risk
  – Confidentiality of data lost
  – Credentials disclosed
  – Privacy violations
  – Non-compliance
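The "weak or global permissions" cause above is the one that is easiest to check mechanically. The following is an added example, not code from the slides: it writes a locally stored secret with owner-only permissions (the private pattern), writes the same secret the insecure way, and then audits a directory for files that group or other can read. The file names, the sample token and the temporary directory are constructed for the example; the permission checks are ordinary POSIX stat bits.

```python
import os
import stat
import tempfile

# Constructed sample: a token a mobile client might persist locally.
SAMPLE_SECRET = b"constructed-sample-session-token"


def write_private_file(path: str, data: bytes) -> None:
    """Create `path` readable and writable by the owner only (mode 0600).

    O_EXCL refuses to reuse an existing file or symlink, so a pre-planted
    world-readable file cannot silently receive the secret.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def write_world_readable_file(path: str, data: bytes) -> None:
    """The insecure pattern: rely on default modes and loosen them for convenience."""
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o644)  # group and other can now read the secret


def is_private(path: str) -> bool:
    """True when no group or other permission bits are set on `path`."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def find_exposed_files(directory: str) -> list:
    """Audit helper: regular files under `directory` that group or other can access."""
    exposed = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            if os.path.isfile(full) and not is_private(full):
                exposed.append(full)
    return sorted(exposed)


def demo() -> dict:
    """Write one private and one exposed copy of the secret, then audit the directory."""
    workdir = tempfile.mkdtemp(prefix="m1_storage_")  # constructed scratch location
    private = os.path.join(workdir, "token.private")
    exposed = os.path.join(workdir, "token.exposed")
    write_private_file(private, SAMPLE_SECRET)
    write_world_readable_file(exposed, SAMPLE_SECRET)
    return {
        "workdir": workdir,
        "private_ok": is_private(private),
        "exposed": find_exposed_files(workdir),
    }


if __name__ == "__main__":
    print(demo())
```

`find_exposed_files` is the kind of check that belongs in a build or test step for an app's data directory; on a real device the platform's own file-mode flags (rather than `chmod`) set these bits, but the audit logic is the same.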

Page 18

M2: Weak Server Side Controls

• We cannot trust the mobile client app
• Risk: confidentiality and integrity of data

Page 19

M3: Insufficient Transport Layer Protection

• No encryption for data in transit
• Weak encryption; encoding is not encryption
• Strong encryption but ignoring the security warnings
  – If certificate validation errors happen, fall back to clear text
• Risk: confidentiality and integrity of data
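The "fall back to clear text on a certificate error" pattern is worth seeing next to its fail-closed counterpart. This is an added example, not code from the slides: the `Transport` class is a constructed stand-in for the network layer so the code runs offline, and `api.example.test` is a made-up host. The `ssl` module calls are real; `create_default_context()` gives a client context that verifies the server certificate and checks the hostname, and `weakened_context()` shows what silencing those warnings looks like in code.

```python
import ssl


class Transport:
    """Constructed stand-in for a network layer so the example runs offline.

    send(url) raises ssl.SSLCertVerificationError for HTTPS hosts configured as
    presenting an untrusted certificate and otherwise returns a canned body.
    """

    def __init__(self, bad_cert_hosts):
        self.bad_cert_hosts = set(bad_cert_hosts)
        self.sent = []  # every URL that was actually requested, in order

    def send(self, url: str) -> str:
        self.sent.append(url)
        host = url.split("://", 1)[1].split("/", 1)[0]
        if url.startswith("https://") and host in self.bad_cert_hosts:
            raise ssl.SSLCertVerificationError("certificate verify failed")
        return "body from " + url


def fetch_with_fallback(url: str, transport: Transport) -> str:
    """Insecure pattern from the slide: on a certificate error, retry in clear text."""
    try:
        return transport.send(url)
    except ssl.SSLCertVerificationError:
        return transport.send("http://" + url[len("https://"):])


def fetch_strict(url: str, transport: Transport) -> str:
    """Fail closed: a verification error ends the request and nothing is retried."""
    if not url.startswith("https://"):
        raise ValueError("refusing non-TLS URL: " + url)
    return transport.send(url)  # SSLCertVerificationError propagates to the caller


def attempt_strict(url: str, transport: Transport) -> tuple:
    """Return ('ok', body) or ('blocked', reason) so the caller can log the failure."""
    try:
        return ("ok", fetch_strict(url, transport))
    except (ssl.SSLCertVerificationError, ValueError) as exc:
        return ("blocked", str(exc))


def strict_context() -> ssl.SSLContext:
    """Client context with certificate verification and hostname checking on."""
    return ssl.create_default_context()


def weakened_context() -> ssl.SSLContext:
    """What 'ignoring the warnings' looks like: hostname check and verification disabled."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Check a context before use, e.g. in a unit test of the app's network layer."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    t = Transport(["api.example.test"])
    print(fetch_with_fallback("https://api.example.test/login", t), t.sent)
    print(attempt_strict("https://api.example.test/login", Transport(["api.example.test"])))
```

A useful habit is a test like `assert context_is_strict(app_context())` in the app's test suite, so a "temporary" verification bypass added during debugging cannot ship unnoticed.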

Page 20

M4: Client Side Injection

• XSS or SQL injection
• SMS injection (Apple patched the iPhone SMS flaw in iOS 3.0.1 in Aug. 2009)
• Risk: toll fraud, device compromise, privilege escalation, etc.
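Mobile apps commonly keep local data in SQLite, so SQL injection on the client is the case worth demonstrating. The following is an added example, not code from the slides: the table and rows are constructed sample data, and the hostile input is the classic always-true condition used to show why a concatenated query returns rows the caller never asked for while the parameterised query treats the same string as plain data.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a notes table like a mobile app's local SQLite store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO notes VALUES (?, ?)",
        [("alice", "alice note 1"), ("alice", "alice note 2"), ("bob", "bob private note")],
    )
    return conn


def notes_for_owner_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """Query built by string concatenation: the owner value becomes part of the SQL."""
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "' ORDER BY rowid"
    return [row[0] for row in conn.execute(sql)]


def notes_for_owner_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Parameterised query: the driver binds `owner` as data, never as SQL."""
    return [
        row[0]
        for row in conn.execute("SELECT body FROM notes WHERE owner = ? ORDER BY rowid", (owner,))
    ]


def run_demo() -> dict:
    conn = build_db()
    # Constructed hostile input, e.g. arriving through a deep link or an inter-app message.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable": notes_for_owner_vulnerable(conn, hostile),
        "safe": notes_for_owner_safe(conn, hostile),
        "normal": notes_for_owner_safe(conn, "alice"),
    }


if __name__ == "__main__":
    print(run_demo())
```

The safe version needs no input filtering to be correct; binding parameters is the control, and it applies equally to the server-side APIs the app talks to.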

Page 21

M5: Poor Authorization and Authentication

• Device authentication based on IMEI, IMSI or UUID is not sufficient
• Hardware identifiers persist across data wipes and factory resets
• Adding contextual information is useful, but not foolproof
• Out-of-band authentication does not work on the same device
• Risk: privilege escalation and unauthorized access

Page 22

M6: Improper Session Handling

• Mobile sessions are usually longer for usability and convenience
• Why is it a bad idea to use a device identifier as a session token?
• Risk: unauthorized access and privilege escalation
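The question on this slide and the hardware-identifier point on M5 have the same answer: a token derived from an IMEI or UUID is deterministic, survives a factory reset, and can be recomputed by anyone who learns the identifier, whereas a session token should be random, expire, and be revocable. This added example (not code from the slides) contrasts the two. The session lifetime, the sample IMEI and the user names are constructed values; the `secrets` and `hashlib` calls are the standard library's.

```python
import hashlib
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60  # constructed value; real mobile sessions are often much longer


def device_token(imei: str) -> str:
    """The anti-pattern: a 'session token' derived from a hardware identifier.

    The output is the same every time, so it neither expires nor can be revoked,
    and anyone who knows the IMEI can produce it.
    """
    return hashlib.sha256(imei.encode()).hexdigest()


class SessionStore:
    """Server-side sessions keyed by a random token; the client holds only the token."""

    def __init__(self):
        self._sessions = {}  # hash(token) -> {"user": ..., "expires": ...}

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash so a leaked session table cannot be replayed directly.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, now: float = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, new every call
        self._sessions[self._key(token)] = {"user": user_id, "expires": now + SESSION_TTL_SECONDS}
        return token

    def user_for(self, token: str, now: float = None):
        """Return the user bound to `token`, or None if unknown or expired."""
        now = time.time() if now is None else now
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        if now >= entry["expires"]:
            del self._sessions[key]  # expired sessions are dropped, not extended
            return None
        return entry["user"]

    def revoke(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)

    def rotate(self, old_token: str, now: float = None):
        """Issue a fresh token for the same user and retire the old one, e.g. after re-authentication."""
        user = self.user_for(old_token, now)
        if user is None:
            return None
        self.revoke(old_token)
        return self.issue(user, now)


if __name__ == "__main__":
    sample_imei = "490154203237518"  # constructed sample identifier
    print(device_token(sample_imei) == device_token(sample_imei))  # True: recomputable
    store = SessionStore()
    t = store.issue("alice")
    print(store.user_for(t), store.user_for(t, now=time.time() + SESSION_TTL_SECONDS))
```

Hashing the stored token costs one digest per lookup and means a dump of the session table is not directly usable; rotation on login or privilege change limits how long a captured token stays valid.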

Page 23

M7: Security Decisions Via Untrusted Inputs

• Security needs to be based on server-side variables, not client input data
• Risk: can cause privilege escalation and consume paid resources
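M2 ("we cannot trust the mobile client app") and this slide describe the same failure from two sides: a server that reads a role or a price out of the request body is letting the client make the security decision. The following added example (not code from the slides) places a handler that trusts the client's JSON next to one that takes identity from the validated session, the price from the server's catalogue and the role from the user record. The user table, catalogue and the tampered request are constructed sample data.

```python
import copy

# Constructed server-side records; nothing the client sends may override these.
USERS = {
    "alice": {"role": "user", "balance_cents": 1000},
    "carol": {"role": "admin", "balance_cents": 50000},
}
CATALOGUE = {
    "premium-report": {"price": 900, "admin_only": False},
    "audit-export": {"price": 0, "admin_only": True},
}


def deny(reason: str) -> dict:
    return {"granted": False, "charged": 0, "reason": reason}


def purchase_trusting_client(users: dict, request: dict) -> dict:
    """Vulnerable: the client's JSON supplies the price and its own role claim."""
    user = users[request["user"]]
    item = CATALOGUE[request["item"]]
    role = request.get("role", "user")              # asserted by the client
    price = request.get("price", item["price"])     # "overridden" by the client
    if item["admin_only"] and role != "admin":
        return deny("admin only")
    if user["balance_cents"] < price:
        return deny("insufficient balance")
    user["balance_cents"] -= price
    return {"granted": True, "charged": price}


def purchase_server_side(users: dict, authenticated_user: str, item_name: str) -> dict:
    """Hardened: identity from the validated session, price and role from server data."""
    user = users[authenticated_user]
    item = CATALOGUE.get(item_name)
    if item is None:
        return deny("unknown item")
    if item["admin_only"] and user["role"] != "admin":
        return deny("admin only")
    price = item["price"]
    if user["balance_cents"] < price:
        return deny("insufficient balance")
    user["balance_cents"] -= price
    return {"granted": True, "charged": price}


def demo() -> dict:
    """Send a tampered request to both handlers; each works on its own copy of the users."""
    tampered = {"user": "alice", "item": "premium-report", "price": 0, "role": "admin"}
    vuln_users = copy.deepcopy(USERS)
    safe_users = copy.deepcopy(USERS)
    return {
        "vulnerable": purchase_trusting_client(vuln_users, tampered),
        "hardened": purchase_server_side(safe_users, "alice", "premium-report"),
        "hardened_admin_only": purchase_server_side(safe_users, "alice", "audit-export"),
        "alice_balance_after": safe_users["alice"]["balance_cents"],
    }


if __name__ == "__main__":
    print(demo())
```

The hardened handler's signature is the point: it does not accept a price or a role at all, so there is nothing in the request for a modified client to tamper with.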

Page 24

M8: Side Channel Data Leakage

• Caused by platform features or app flaws
• Potential channels
  – Caches
  – Keystroke logging
  – Screenshots
  – Logs (system, crash, app)
  – Temp directory
• Risk: privacy violation
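Of the channels listed, application logs are the one the developer controls most directly. The following added example (not code from the slides) is a small redaction step for the standard `logging` module: a filter that masks the value after keys such as password, token or Authorization before the record reaches any handler, plus a demo that captures the resulting lines in memory. The key list, the regular expression and the sample log messages are constructed for the example.

```python
import logging
import re

# Constructed key list; extend it with whatever your app actually logs.
SENSITIVE = re.compile(
    r"(?i)\b(password|passwd|token|authorization|ssn)\b"   # key
    r"(\s*[=:]\s*)"                                         # separator
    r"((?:bearer\s+)?[^\s,;&]+)"                            # value, incl. a Bearer prefix
)


def redact(text: str) -> str:
    """Replace the value following a sensitive key with a fixed marker."""
    return SENSITIVE.sub(lambda m: m.group(1) + m.group(2) + "[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Rewrite each record's message before any handler formats or stores it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # expand %-args first, then mask
        record.args = None
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the demo can inspect them."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def demo_log() -> list:
    logger = logging.getLogger("m8demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = ListHandler()
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    # Constructed sample messages of the kind that end up in crash and debug logs.
    logger.debug("login attempt user=%s password=%s", "alice", "hunter2")
    logger.debug("upstream headers: Authorization: Bearer %s", "abc123")
    return handler.lines


if __name__ == "__main__":
    for line in demo_log():
        print(line)
```

Attach the filter to every handler (or to the logger) in production builds; a pattern-based filter is a safety net, not a substitute for not logging credentials in the first place.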

Page 25

M9: Broken Cryptography

• Broken implementation using a strong encryption library
• Custom weak encryption implementation
• Risk: loss of data confidentiality

Page 26

M10: Sensitive Information Disclosure

• Hard-coded sensitive information
  – User ID, password
  – SSN
  – API keys
  – Sensitive business logic
• Risk: credentials disclosed, IP disclosed

Page 27

OWASP: Top 10 Mobile Security Controls

• Identify and protect sensitive data
• Handle password credentials securely on the device
• Ensure sensitive data is protected in transit
• Implement user authentication/authorization and session management correctly
• Keep the backend APIs (REST vs. SOAP) secure
• Secure integration with third-party apps and data (ID federation)
• Get user consent for the collection and use of the data
• Implement access control and digital rights management for paid resources
• Secure distribution/provisioning of mobile apps
• Check runtime code errors
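"Handle password credentials securely on the device" in the controls above and both bullets of M9 (a strong primitive misused, and a home-made substitute) meet in one place: how a stored password is hashed. This added example (not code from the slides) shows three versions side by side using only the standard library: an unsalted fast hash, PBKDF2 called with a fixed salt and one iteration (the "broken implementation using a strong library" case), and PBKDF2 with a random per-record salt, a meaningful work factor and a constant-time comparison. The iteration count and the sample passwords are constructed values.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000     # constructed tuning value; raise as device CPUs allow
FIXED_SALT = b"app-salt"    # constructed: the kind of constant that gets pasted into source


def weak_hash(password: str) -> str:
    """Anti-pattern: unsalted fast hash. Equal passwords give equal digests."""
    return hashlib.md5(password.encode()).hexdigest()


def store_password_misused(password: str) -> dict:
    """Anti-pattern: the right primitive, wrong parameters (shared salt, no work factor)."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), FIXED_SALT, 1)
    return {"alg": "pbkdf2-sha256", "rounds": 1, "salt": FIXED_SALT.hex(), "hash": digest.hex()}


def store_password(password: str, salt: bytes = None) -> dict:
    """Fresh random salt per record and a work factor that makes guessing slow."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"alg": "pbkdf2-sha256", "rounds": PBKDF2_ROUNDS, "salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(record["salt"]), record["rounds"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def is_weak_record(record: dict) -> bool:
    """Audit check for stored records: flags shared salts and trivial work factors."""
    return record["salt"] == FIXED_SALT.hex() or record["rounds"] < 10_000


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample
    print(weak_hash(pw) == weak_hash(pw))                                   # True
    print(store_password_misused(pw)["hash"] == store_password_misused(pw)["hash"])  # True
    a, b = store_password(pw), store_password(pw)
    print(a["hash"] != b["hash"], verify_password(a, pw), verify_password(a, "wrong"))
```

The misused variant is the subtle one: it passes a code review that only checks "is PBKDF2 used?", yet every user who chose the same password ends up with the same stored digest. Storing `rounds` in the record lets the work factor be raised later without breaking existing logins.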

Page 28

VPN for Smartphones

• Provides secure mobile access to the enterprise network
• Sample mobile VPN products
  – PandaPow VPN for Android
  – Hotspot Shield for iPhone
  – Cisco

Page 29

Virus Scan and Personal Firewall for Mobile Devices

• Lookout Premium
• Trend Micro Mobile Security
• F-Secure Mobile Security
• NetQin Mobile Security
• Webroot SecureAnywhere Mobile

Page 30

Mobile Device Management Features

• Remote Locate – Shows you the location of your phone via Web or SMS, so you can find it if it’s lost or stolen.
• Remote Lock – Lets you remotely lock your lost or stolen phone via Web or SMS to prevent strangers from seeing your private data or running up your mobile bill.
• Remote Wipe – Lets you remotely erase the data on your phone via SMS if it’s lost or stolen, including any data on your phone’s memory card.
• Web-based Lost Notice – Displays a customizable message to anyone who finds your missing device, so you can make arrangements to get it back.
• Web-based Sneak Peek – Snaps photos of anyone in front of your device and saves the images. (Webcam devices only.)
• Antiphishing Web Protection – Blocks fraudulent (phishing) websites. Protects your device and your data on mobile networks and Wi-Fi connections.
• Download Threat Protection – Automatically scans all the apps and app updates you download to your mobile device for threats.

Page 31

Gartner Magic Quadrant for MDM

Page 32

Mobile Application Management (MAM)

• The BYOD (“Bring Your Own Device”) phenomenon is a factor behind MAM
• Manage business apps using an internal app store for both BYOD and company mobile devices
• Key features
  – App delivery
  – App updating
  – User authentication
  – User authorization
  – Version checking
  – Push services
  – Reporting and tracking

Page 33

Current MAM Players

• App47
• SOTI MobiControl
• AppBlade from Raizlabs
• AppCentral
• Apperian
• Better MDM
• JackBe
• Nukona
• Partnerpedia
• WorkLight

Page 34

Mobile Data Protection (MDP)

• MDP is an established market
• Safeguards stored data on mobile devices by means of encryption and authentication
• Provides evidence that the protection is working
• Widely used on Windows-based laptops
• Not yet available for mobile phones or tablets

Page 35

Gartner Magic Quadrant for MDP

Page 36

Smartphone Encryption

• Android
  – WhisperCore: whole flash memory
  – Droid Crypt: files
  – AnDisk Encryption: files
  – RedPhone: voice
  – TextSecure: text
• iPhone
  – Impossible to encrypt the whole system
  – Update to iOS 5 to encrypt outgoing iMessage
  – Voice encryption apps: Kryptos, Cellcrypt
  – Text encryption app: encrypt SMS
  – E-mail encryption: SecureMail uses OpenPGP

Page 37

Mobile Virtualization

• Supports multiple domains/operating systems on the same hardware
• The enterprise IT department can securely manage one domain (in a virtual machine), and the mobile operator can separately manage the other domain (in a virtual machine)

Page 38

Current Players in Mobile Virtualization

• Green Hills Software
• Open Kernel Labs
• Red Bend Software
• VMware
• B Labs
• Bitzer Mobile Inc

Reference: http://www.virtualization.net/tag/mobile/

Page 39

Mobile Users Willing to Pay More for Security

• AdaptiveMobile published the third "Global Security Insights in Mobile" report, which indicates that 83% of people surveyed are willing to pay more for security.

Page 40

Conclusion and Questions

• Defense in depth for the mobile environment
• Device security vs. app security
• OWASP Top 10 risks and controls
• VPN, virus scan, MDM, MAM, MDP, encryption and mobile virtualization
• Questions?

Page 41

Thank you for attending this session. Don’t forget to complete the evaluation!