Smart phone security ios system

Smart Phone Security Apple iOS Platform Weakness & Some Tips to Great Defense Jamil S. Alagha

Transcript of Smart phone security ios system

Page 1: Smart phone security ios system

Smart Phone Security Apple iOS Platform Weakness & Some Tips to Great Defense

Jamil S. Alagha

Page 2: Smart phone security ios system

Agenda

Introduction

Apple insufficiency (iOS Platform)

iOS Weaknesses Allow Attacks via Trojan Chargers

Apple acknowledges battery life issue

Jailbreaking

Related work

iPhone Smartphone Security

iPhone and iPod Location Spoofing

Apple developer digital signature

Attack Mitigation (View of Writer)

Applications

2 ©Jamil S. Alagha 2013

Page 3: Smart phone security ios system

Introduction

Smartphones offer many more functions than traditional mobile phones.

They run mobile operating systems such as iOS, Android, or Windows Mobile.

Most smartphones support Multimedia Messaging Service (MMS) and include embedded sensors such as GPS, gyroscopes, and accelerometers.

Smartphones and tablets have been increasingly used for personal and business purposes in recent years.

Page 4: Smart phone security ios system

Introduction.

By January 2013, 500 million iOS devices had been sold worldwide.

Apple’s iTunes App Store contained over 800,000 iOS third-party applications.

Apps had been downloaded more than 40 billion times.

Page 5: Smart phone security ios system

iOS Weaknesses Allow Attacks via Trojan Chargers

Prototype of the malicious charger.

The mobile device automatically begins the pairing process with the computer embedded in the charger.

It takes less than five seconds to install our payload, but installing the actual Trojan can take up to a minute depending on its size.

Page 6: Smart phone security ios system

iOS Weaknesses Allow Attacks via Trojan Chargers

Attacks will become more difficult with Apple's coming update, iOS 7.

Development versions of the operating system have asked the user for permission before syncing to another computer over USB.

Page 7: Smart phone security ios system

Apple acknowledges battery life issue

Apple said a manufacturing issue is affecting “a very limited number” of its new flagship iPhone 5S handsets.

This means some users will experience longer-than-usual charge times or reduced battery life.

This suggests the problem may have occurred during the assembly of the device rather than there being an issue with any of its various parts.

Page 8: Smart phone security ios system

Apple acknowledges battery life issue

A user on Apple’s support pages:

“When I go to sleep I put alarm on, close all apps, switch off the sound, and put the device in airplane mode. When I wake up, 8h, the battery drains 10% or more,” the user explained. “On the iPhone 4 this wasn’t an issue, max 1-2 percent….Why is this battery draining that fast with nothing running”

Page 9: Smart phone security ios system

Jailbreaking

"Jailbreaking": unauthorized modifications to iOS that bypass security features and can cause numerous issues on the hacked iPhone, iPad, or iPod touch.

Page 10: Smart phone security ios system

Jailbreaking

"Jailbreaking": unauthorized modifications to iOS that bypass security features and can cause numerous issues on the hacked iPhone, iPad, or iPod touch.

Security vulnerabilities: jailbreaking your device eliminates security layers.

Instability: frequent and unexpected crashes of the device, and crashes and freezes of built-in apps and third-party apps.

Shortened battery life: caused an accelerated battery drain that shortens the operation

Page 11: Smart phone security ios system

Jailbreaking

Unreliable voice and data: dropped calls, slow or unreliable data connections, and delayed or inaccurate location data.

Disruption of services: third-party apps that use the Apple Push Notification Service have had difficulty receiving notifications.

Inability to apply future software updates: some unauthorized modifications have caused damage to iOS that is not repairable.

Page 12: Smart phone security ios system

Related Work

iPhone Smartphone Security

iPhone and iPod Location Spoofing

Apple developer digital signature

Page 13: Smart phone security ios system

iPhone and iPod Location Spoofing

Wi-Fi positioning system (WPS) from Skyhook, available for PCs (as a plugin)

Page 14: Smart phone security ios system

Apple developer digital signature

Code signing is a security technology.

Benefits

When a piece of code has been signed, it is possible to determine reliably whether the code has been modified by someone other than the signer. The system can detect such alteration whether it was intentional (by a malicious attacker, for example) or accidental (as when a file gets corrupted).

Page 15: Smart phone security ios system

Apple developer digital signature

Role in Code Signing: Trust

Trust is determined by policy. A security trust policy determines whether a particular identity should be accepted for allowing something, such as access to a resource or service.
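The two code-signing slides describe separate decisions: whether the code was altered, and whether policy accepts the signer. The Go sketch below is an added example, not Apple's mechanism or code from the slides; it assumes Ed25519 signatures and a hypothetical policy format (an allow-list of signer key fingerprints), and the app bytes are constructed samples.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Verdict keeps apart "was the code modified" and "is the signer accepted".
type Verdict struct {
	Intact  bool // signature matches these exact code bytes
	Trusted bool // signer is accepted by the trust policy
}

// Allowed reports whether the code may run: both checks must pass.
func (v Verdict) Allowed() bool { return v.Intact && v.Trusted }

// TrustPolicy lists accepted signer fingerprints (hypothetical format).
type TrustPolicy map[string]bool

// Fingerprint names a signer by the hex SHA-256 of its public key.
func Fingerprint(pub ed25519.PublicKey) string {
	return fmt.Sprintf("%x", sha256.Sum256(pub))
}

// Evaluate checks the signature, then asks policy about the signer.
func Evaluate(code, sig []byte, signer ed25519.PublicKey, p TrustPolicy) Verdict {
	return Verdict{Intact: ed25519.Verify(signer, code, sig), Trusted: p[Fingerprint(signer)]}
}

// NewSigner makes a throwaway key pair for the demonstration.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil means crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	vendorPub, vendorPriv := NewSigner()
	otherPub, otherPriv := NewSigner()
	policy := TrustPolicy{Fingerprint(vendorPub): true}
	app := []byte("constructed sample app bytes")
	sig := ed25519.Sign(vendorPriv, app)
	fmt.Println("signed, trusted: ", Evaluate(app, sig, vendorPub, policy))
	fmt.Println("modified code:   ", Evaluate([]byte("constructed sample app bytez"), sig, vendorPub, policy))
	fmt.Println("untrusted signer:", Evaluate(app, ed25519.Sign(otherPriv, app), otherPub, policy))
}
```

A valid signature from a signer outside the policy is still refused, which is why signature verification alone does not establish trust.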

Page 16: Smart phone security ios system

Recommendation for Mitigation Of Attack

Apple’s current vetting and sandbox mechanisms have weaknesses which can be exploited by third-party applications to escalate their privileges and perform serious attacks on iOS users.

Users must manage the iPhone carefully when dealing with privacy.

For location services, Apple users must turn off location services such as Foursquare, Find My iPhone and photo location.

In the web browser, users should be careful when dealing with PDF and image files, which may contain calls to other API functions that alter user content.

Page 17: Smart phone security ios system

Don’t Allow Jailbreaking

Bypasses the passcode in some cases

Removes some built-in security features

Can leave you vulnerable to third-party applications not vetted by Apple

Ensure third-party MDM solutions prevent Jailbreaking

For some reason Apple disabled the Jailbreak check API in iOS > 4.2 (mostly for liability reasons)

Address this in your mobile device policy

Page 18: Smart phone security ios system

Applications

You might want to ensure some applications don’t get installed

• “Cloud” data storage applications

– DropBox

– Evernote

– Microsoft OneNote

What about iCloud?

Could your corporate data be floating in the cloud?

Do you have policies and procedures to address this?

Page 19: Smart phone security ios system

Applications – third Party

Page 20: Smart phone security ios system

Enable Remote Management

Enable FindMyPhone (MobileMe) at a minimum

– For very small deployments this could work

For true Enterprise level management you must use a third-party MDM

– Decide which type of enrollment is best for you

– Whitelist approach may be best

Allow only devices you have authorized (corporate owned?)

Page 21: Smart phone security ios system

Keep iOS Up To Date

Always update and use the latest Apple iOS firmware

Many vulnerabilities are fixed

Security always is improving

Page 22: Smart phone security ios system

Thanks for Your Time

Questions? E-mail me