Mobile App Security (Angry Birds Hacked My Phone) Start Time: 9 am US Pacific / 12 noon US Eastern / 5 pm London Time #ISSAWebConf



Welcome Conference Moderator

David Cruz ISSA Central Florida Chapter Secretary


02/23/2016 2

Speaker Introduction


• Michael Raggo

Director, MobileIron Security Labs

• David Jevans

Vice President of Mobile Security, Proofpoint

• Jeff Stapleton

Information Security Architect, X9F4 Cryptographic Protocol and Application Security Workgroup

• Ralph Spencer Poore, PCIP, CFE, CISA, CISSP, CHS-III

Director of Emerging Standards, PCI Security Standards Council

To ask a question:

Type in your question in the Chat area of your screen.

You may need to click on the double arrows to open this function.


Michael Raggo

Director, MobileIron Security Labs

#whoami


Mike Raggo

• Director of Security Research, MobileIron

• Managed MobileIron Security Labs (MISL)

• CISSP, NSA-IAM, CCSI, SCSA, ACE, CSI

• Author of “Data Hiding” & “Mobile Data Loss Threats & Countermeasures”

• Member PCI Mobile Task Force and BITS/FSISAC Financial Services international roundtable focused on mobile security

• Speaker at BITS, Black Hat, DEF CON, OWASP, and SANS



Network edge has blurred

New generation operating systems are sandboxed

Users are low-hanging fruit

Hackers know mobile is different


The mind of the mobile hacker


Evolution of operating system architecture

Diagram, traditional Windows: user mode holds the Win32 API, NTDLL.DLL, Logon and the Session manager; kernel mode holds Graphics drivers, Printer drivers, Win32K.sys and the HAL

Diagram, iOS / Android / Windows 10: user mode holds System utilities, Classes/utilities, Video, UI components, Graphics, Audio and the Management primitives; kernel mode holds only the Kernel

1. From open file system to application sandboxing (security, no app conflicts, no “DLL hell”)

2. From unprotected to protected OS kernel (stability, ease of update, ease of patching)

3. From untrusted to trusted management primitives (simplicity, consistency)

Mobile Threat Landscape

• User: User data leakage (copy/paste, screenshot, open-in)

• App: Malware and risky apps (data exfiltration)

• Device: Jailbreak / root (device opened to vulnerabilities leading to data exposure)

• Network: Unprotected networks (rogue access points, MiTM, hotspot)

• Smartwatches, wearables, IoT: email, contacts, calendar, SMS, camera, and more…

Hackers look to the app

Bad apps: new generation of malware, moving “up the stack” from OS and file to app; ~10,000 malware apps in the Android and iOS app stores

Countermeasure: Reputation analysis and mitigation

Good apps behaving badly: excessive permissions, no obvious malicious intent; 80% of popular 3rd party apps contain security, privacy, and data exfiltration risks (Appthority)

From file infection (PC) to app infection (Mobile)

Bad Apps

Notified: Jul 27, 2015. Attacks through overflow vulnerability in old versions of Android. Mitigate: Quarantine by OS version until affected devices upgraded. ActiveSync can’t protect; EMM required.

Notified: Sept 1, 2015. Exposes owner’s iTunes credentials on jailbroken iOS devices. Mitigate: Identify and selectively wipe jailbroken devices. ActiveSync can’t protect; EMM required.

Notified: Sept 17, 2015. Hacked dev tool library allows phishing and information collection. Mitigate: Identify and quarantine devices with compromised apps. ActiveSync can’t protect; EMM required.

Notified: Oct 4, 2015. Compromise, replace, and launch apps through abuse of private APIs. Mitigate: Quarantine by OS version until affected devices upgraded. ActiveSync can’t protect; EMM required.

EMM has become the security hub for data protection and incident response

XcodeGhost

Notified: Sept 17, 2015. Hacked dev tool library allows phishing and information collection. Mitigate: Identify and quarantine devices with compromised apps.

Details & Mitigation:

What: Xcode is an Apple-provided suite of software dev tools for iOS and OS X. Malware-infested versions of Xcode have been found on sites other than Apple’s. Developers unknowingly used these to build apps infested with malware. NO JAILBREAK REQUIRED!!!

Impact: FireEye has reported >4,000 apps found in the Apple App Store, many now removed by Apple.

Current state: These malicious apps have been found on devices

Mitigations:

Review blog: https://www.mobileiron.com/en/smartwork-blog/xcodeghost-malware-and-protecting-your-ios-devices (the list of known infected apps is in the linked post)

Enhance your deployment with App Reputation/Mobile Threat Prevention integrated into EMM deployment to quarantine devices

Use Container to isolate the threat from corporate data (outside of the container)


Anti-Malware/MTP/App Reputation Ecosystem

App Based
• Uses vendor’s own app
• Pull inventory from device
• Uses APIs to apply MobileIron label for control
• Policy in vendor portal

API Based
• Using MobileIron API
• Pull inventory from MobileIron
• Policy set in vendor portal
• Updates MobileIron risk ratings and blacklist

Separation of Duties – Mobile Apps


A phased approach to malicious & risky apps

Phase 1

• OS Compromise Detection (jailbreak/root)

• Quarantine (block network access, wipe, selective wipe)

Phase 2

• Blacklist Unwanted Apps

• Containerize corporate apps and data

• Fine tune MobileIron quarantine policies

Phase 3

• App Reputation, App Risk Management, Mobile Threat Prevention

• Fine tune MobileIron quarantine policies if needed

Maturity of app security program
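The mitigations in the Bad Apps table (quarantine by OS version, identify and selectively wipe jailbroken devices, quarantine devices carrying compromised apps), the API-based reputation feed that updates risk ratings and the blacklist, and the three phases above all come down to one inventory-driven policy evaluation. The following is an added example, not MobileIron's or the webinar's code, sketching that evaluation over a constructed device inventory: the minimum OS versions, the reputation feed, the app identifiers, the device records and the field names are all made up for illustration and do not correspond to any EMM vendor's API.

```python
"""EMM-style compliance evaluation over a device inventory (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed policy input. The deck says "quarantine by OS version until
# affected devices upgraded" without naming the cut-off, so these baselines
# are placeholders, not real patch levels.
MIN_OS_VERSION: Dict[str, Tuple[int, int, int]] = {"android": (6, 0, 0), "ios": (9, 0, 0)}

# Constructed reputation feed (app identifier -> rating from a vendor portal).
# The identifiers are made up and do not refer to real apps.
REPUTATION_FEED: Dict[str, str] = {
    "com.example.compromised-sdk-app": "malicious",  # e.g. a build with a tainted library
    "com.example.cardscanner": "risky",              # excessive permissions, data leakage
    "com.example.mail": "trusted",
}


@dataclass
class Device:
    """One inventory record as an EMM agent might report it (field names assumed)."""
    device_id: str
    platform: str                # "android" or "ios"
    os_version: str              # dotted version string
    jailbroken: bool             # OS compromise detection result
    encrypted: bool              # storage encryption enforced
    passcode_set: bool
    apps: List[str] = field(default_factory=list)


@dataclass
class Verdict:
    device_id: str
    actions: List[str]           # ordered, de-duplicated: "quarantine", "selective_wipe"
    reasons: List[str]


def parse_version(v: str) -> Tuple[int, int, int]:
    """'9.2' -> (9, 2, 0): pad to three components so tuple comparison is sound."""
    parts = [int(p) for p in v.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def blacklist_from_feed(feed: Dict[str, str]) -> Set[str]:
    """Phase 2/3: the blacklist is derived from vendor risk ratings, not kept by hand."""
    return {app for app, rating in feed.items() if rating in ("malicious", "risky")}


def evaluate(device: Device, blacklist: Set[str]) -> Verdict:
    actions: List[str] = []
    reasons: List[str] = []

    # Phase 1: OS compromise detection -> quarantine and selectively wipe corporate data
    if device.jailbroken:
        reasons.append("jailbroken/rooted")
        actions += ["quarantine", "selective_wipe"]

    # Unpatched OS (the overflow / private-API rows of the Bad Apps table)
    if parse_version(device.os_version) < MIN_OS_VERSION[device.platform]:
        reasons.append(f"os_version {device.os_version} below minimum")
        actions.append("quarantine")

    # Device trust: encryption and passcode enforcement
    if not device.encrypted:
        reasons.append("storage not encrypted")
        actions.append("quarantine")
    if not device.passcode_set:
        reasons.append("no passcode")
        actions.append("quarantine")

    # Compromised or risky apps present (the XcodeGhost row): quarantine the device
    flagged = sorted(set(device.apps) & blacklist)
    if flagged:
        reasons.append("blacklisted apps: " + ", ".join(flagged))
        actions.append("quarantine")

    deduped = list(dict.fromkeys(actions))   # keep first occurrence, preserve order
    return Verdict(device.device_id, deduped, reasons)


def evaluate_inventory(devices: List[Device], feed: Dict[str, str] = REPUTATION_FEED) -> Dict[str, Verdict]:
    blacklist = blacklist_from_feed(feed)
    return {d.device_id: evaluate(d, blacklist) for d in devices}


# Constructed inventory: one compliant device and one per failure mode.
SAMPLE_DEVICES = [
    Device("d1", "android", "7.1.2", jailbroken=False, encrypted=True, passcode_set=True,
           apps=["com.example.mail"]),
    Device("d2", "ios", "9.3.1", jailbroken=True, encrypted=True, passcode_set=True),
    Device("d3", "android", "5.1.1", jailbroken=False, encrypted=True, passcode_set=True,
           apps=["com.example.mail"]),
    Device("d4", "ios", "9.2", jailbroken=False, encrypted=True, passcode_set=True,
           apps=["com.example.compromised-sdk-app", "com.example.mail"]),
]

if __name__ == "__main__":
    for verdict in evaluate_inventory(SAMPLE_DEVICES).values():
        print(verdict.device_id, verdict.actions or ["compliant"], verdict.reasons)
```

The verdict carries its reasons so that the quarantine decision is explainable to the helpdesk and auditable later; the blacklist is recomputed from the feed on every run, which is what makes the "fine tune quarantine policies" step of phases 2 and 3 a data change rather than a code change.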

App SDK (public) or Wrapping (internal): Comprehensive Data Security

Diagram, container: Secure Storage & DB, Secure Network I/O, Secure inter-app communications bus, apps/config and Tunnel on top of the System Storage and Network Stack; example apps: SharePoint, Doc Viewer, In-house

Secure apps
• Only trusted apps get in
• Certs stored in container
• Support 3rd party & in-house apps

Secure access
• Provision with enterprise identity
• Password authentication
• Single sign-on for all applications

Secure data
• AES-256 encryption
• FIPS 140-2 validated
• Secure IPC
• Secure network i/o*
• Lock and wipe

See our blogs for further guidance and details

https://www.mobileiron.com/en/smartwork-blog


Hackers look to the device

Compromise OS integrity to gain access to passwords and resources

Countermeasure: Detection and mitigation

Jailbroken iPhone = Windows 7


Hackers look to the network


Man-in-the-middle attack (SSID = CoffeeShop)

Diagram: mobile device on SSID CoffeeShop, attacker in the path, corporate resources (Active Directory, Email, Apps, Content) behind the gateway; the connection is marked blocked (X)

Countermeasure: Session trust through certificates

Compromising the session

• Thwart Man-in-the-Middle attacks on open WiFi
• By using certificates, the mutual authentication between the device certificate and the Sentry server certificate fails because of the fake certificate presented by the attacker. Combine with certificate pinning.
• Therefore, no SSL connection is established and no data is exposed.
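The session-trust countermeasure described above (device certificate plus gateway certificate, combined with certificate pinning) can be checked on the client side as follows. This is an added example, not MobileIron Sentry's or the webinar's code. It assumes the app ships the SHA-256 hash of the gateway's SubjectPublicKeyInfo (SPKI pinning, the common form) and uses only the Python standard library; the tiny DER walker handles the X.509 field order only, and the toy certificate builder, the constructed keys and all function names are illustration rather than any real product's API.

```python
"""SPKI certificate pinning for a TLS client, stdlib only (added example)."""
import base64
import hashlib
import socket
import ssl


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at buf[pos]; return (tag, raw_tlv, value, end)."""
    start = pos
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    return tag, buf[start:end], buf[pos:end], end


def _children(value: bytes):
    """Split a constructed DER value into its (tag, raw_tlv, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, raw, val, pos = _read_tlv(value, pos)
        out.append((tag, raw, val))
    return out


def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV of a DER-encoded X.509 certificate."""
    _, _, cert_val, _ = _read_tlv(cert_der, 0)        # Certificate ::= SEQUENCE
    _, _, tbs_val, _ = _read_tlv(cert_val, 0)         # tbsCertificate ::= SEQUENCE
    fields = _children(tbs_val)
    if fields[0][0] == 0xA0:                          # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def spki_pin(cert_der: bytes) -> str:
    """Pin in the usual 'sha256/<base64>' form."""
    digest = hashlib.sha256(spki_from_cert(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def pin_matches(cert_der: bytes, pinned: set) -> bool:
    """True only if the presented certificate's SPKI hash is one we pinned."""
    return spki_pin(cert_der) in pinned


def connect_pinned(host: str, port: int, pinned: set, client_cert=None):
    """Open a TLS connection and refuse to use it unless the pin matches.

    The default context still validates the chain and hostname; the pin is an
    extra check on top. client_cert is an optional (certfile, keyfile) pair so
    the gateway can authenticate the device as well (mutual TLS). Needs a
    network, so it is not exercised offline.
    """
    ctx = ssl.create_default_context()
    if client_cert:
        ctx.load_cert_chain(*client_cert)
    sock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    if not pin_matches(sock.getpeercert(binary_form=True), pinned):
        sock.close()                       # fail closed: no session, no data exposed
        raise ssl.SSLError("server key does not match pinned SPKI; aborting")
    return sock


# ---- constructed test material (not a real certificate) --------------------
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_toy_cert(key_bytes: bytes, with_version: bool = True) -> bytes:
    """Minimal DER structure in X.509 field order; the key bytes are made up."""
    spki = _der(0x30, _der(0x30, b"\x06\x01\x00") + _der(0x03, b"\x00" + key_bytes))
    fields = [_der(0xA0, _der(0x02, b"\x02"))] if with_version else []
    fields += [_der(0x02, b"\x01"), _der(0x30, b""), _der(0x30, b""),
               _der(0x30, b""), _der(0x30, b""), spki]
    tbs = _der(0x30, b"".join(fields))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


GENUINE_CERT = build_toy_cert(b"G" * 200)   # the gateway's key (constructed)
FORGED_CERT = build_toy_cert(b"A" * 200)    # an interposer's own key for the same name
PINS = {spki_pin(GENUINE_CERT)}
```

Pinning the public key rather than the whole certificate lets the gateway renew its certificate without an app update, as long as the key pair is kept; a forged certificate that passes chain validation (for instance via a CA the user was tricked into installing) still fails because its key differs, which is the outcome the slide describes.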


Components of a managed trust framework

Establishing device trust
• Jailbreak / root detection
• Encryption enforcement
• Passcode / biometrics
• Contextual authentication

Establishing app trust
• Secure distribution
• Containerised data store
• Reputation analysis
• Local DLP controls

Establishing session trust
• Secure gateway
• Certs, SSO, IAM
• Per-app VPN
• Conditional access

Diagram labels: Device trust, App trust, User trust, Session trust

Question and Answer

Michael Raggo, Director, MobileIron Security Labs

Thank you Michael Raggo, Director, MobileIron Security Labs

David Jevans, Vice President of Mobile Security, Proofpoint

Riskware, Malware & Targeted Attacks

• Riskware

• Apps that consumers install that collect corporate data

• Malware

• Apps with technical exploits on app stores

• Sleeper cell apps on app stores

• Targeted app attacks via social engineering


53% of app publishers do not have a privacy policy

Data can be sold or publicly leaked without recourse

25% of iOS apps access your contact database

Apps may send contacts, ActiveDirectory to unknown servers, exposing companies to targeted APTs, spear phishing, and employee privacy violations

30% of Android apps can leak users’ private data

6% of Android apps read browser histories which can lead to account takeover.


An enterprise with 2,000 BYOD users will be exposed to over 20,000 unique apps

Source: Proofpoint customer data

Those apps communicate with servers in more than 30 countries


Photo Editing App Sends User Data to 7 Countries


Chinese “Security Apps” Scanning Your Network


iOS Riskware Example: CamCard v5.5.2 (iOS)

• Popular business card scanning app with millions of downloads

• Uploads scanned card information to China

• Uploads your personal data to China

• Also reads device contact database

• Sends data to 3rd party ad networks

• Communicates data in non-secure ways

Communicates to 50 servers around the world …

And if you weren’t concerned yet … read the Privacy Policy!

• Your personal information is available to the public

• Your data may be distributed across China or other countries

• You may receive unsolicited information… emails, SMS

• Laws of the Hong Kong Special Administrative Region of the People's Republic of China shall apply

Worse yet: September 2015 – infected with XcodeGhost malware

XcodeGhost iOS Malware, Sept 2015


How Did XcodeGhost Infect Apps?

This is the first “compiler malware” for iOS

App development tools (Xcode) were infected by attackers and posted to Baidu’s cloud file sharing service for use by Chinese iOS programmers

Hundreds of app developers used this tainted code to build thousands of apps

Thousands of Infected Apps Were Published

All of these apps passed Apple’s vetting process

Over 4,000 infected apps were published on Apple app stores around the world

Over 1,100 apps were published on the US app store

A Customer with 51 Infected iPhones


iBackDoor – Infected Ad Library

November 2015: iBackDoor malware on iOS

Infected adware library: a developer in China infected the iOS library with code that can sideload apps

mobiSage from adSage v 5.3.3 through 6.4.4 were infected

494 infected apps in the US and Australia app stores, over 2,000 when including the Apple China app store

YiSPecter iOS Malware

• October 4, 2015

• Enterprise-signed malware

• Abuses private iOS APIs

• Attacks non-jailbroken phones

• Spread by ISPs


Rogue App Marketplace


40% of Enterprises Are Affected


A Global Criminal Enterprise

What Can You Do?

1. Mobile Device Management so you can take action when risks are detected

2. Implement app reputation and analysis for risk detection in the app ecosystem

3. Establish security and compliance rules for your organization

4. Automate rules and enforcement

5. Empower the user to manage their own risk with a local app

Question and Answer

David Jevans, Vice President of Mobile Security, Proofpoint

Thank you David Jevans, Vice President of Mobile Security, Proofpoint

Jeff Stapleton, Information Security Architect, X9F4 Cryptographic Protocol and Application Security Workgroup

Ralph Poore, Director of Emerging Standards, PCI Security Standards Council

Banking & Payments Evolution

Diagram: channels ordered from Merchants to Cardholder along axes of Risk and Convenience

• Merchants: Card Present, Attended, Location

• MOTO: CNP, Attended, Phone number

• Online shopping: CNP, Unattended, Wired, Malware

• World Wide Web: CNP, Unattended, Wireless, Malware

• World Wide Web: CNP, Unattended, Mobile, Malware

Mobile gone Viral


• 2015: more smartphones than humans
• 2016 estimate: 10 billion smartphones (1.4 for each human)

• John Connor: By the time Skynet became self-aware it had spread into millions of computer servers across the planet. Ordinary computers in office buildings, dorm rooms; everywhere. It was software; in cyberspace. There was no system core; it could not be shut down.

• Mobile trends
  • Migrate from computers, laptops, tablets to smartphones
  • Migrate from Telco, VoIP to smartphones
  • Migrate from browsers … there’s an app for that
  • Employer provided or BYOD smartphone programs

Mobile Swiss Cheese

Inputs
• Keyboard
• Touchscreen
• Microphone
• Audio jack
• Micro SD card
• Camera
• USB data & power

Wireless
• Cellular
• Wi-Fi
• Bluetooth
• NFC
• GPS
• Infrared (IR)
• USB

Mobile Interceptions


• Cellular
  • Stingray (MITM) or Cloning

• Wi-Fi
  • Rogue access point
  • Protocol vulnerabilities

• Proximity capture
  • Rogue Bluetooth or NFC

• Side-channels
  • Shoulder surfing, eavesdropping, DPA
  • Accelerometer, gyroscope, application

• Malware
  • Don’t get me started…

Mobile Malware


• FSTC / BITS / FSRoundtable M3 2009 Report
  • Vulnerabilities = Internet + wireless
  • Fraud will follow payments to mobile environment

• IBM Trusteer 2015 Threat Report
  • Mobile infections 1.12%, equal to PC rates

• Trend Micro
  • Continued Rise in Mobile Threats for 2016

• Attack vectors
  • Operating System vulnerabilities
  • SMiShing attacks via text messaging
  • Bad apps in mobile software stores

Financial Services Standards and Organizations

Diagram: PCI; ANSI ASC X9; ISO TC68

ISO 12812 Mobile Banking & Payments
• Part 1: General Framework
• Part 2: Security and Data Protection
• Part 3: Financial Application Management
• Part 4: Mobile Person-to-Person Payments
• Part 5: Mobile Person-to-Business Payments
Status: Completed CD, 1st DIS, prepping for 2nd DIS

X9.112 Wireless Management & Security
• Part 1: General Requirements
• Part 2: ATM and POS
• Part 3: Mobile
Status: Part 1 and Part 2 published; Part 3 in progress via ISO 12812-2

About the PCI Council

Founded in 2006 - Guiding open standards for payment card security

• Development

• Management

• Education

• Awareness


PCI Mobile “At a Glance”


Mobile Payments Acceptance with a Smartphone or Tablet

• Partner with a Provider of a Validated Solution

• Use an Approved Point of Interaction (POI) Device

• Comply with the PCI Data Security Standard

Mobile Payment Acceptance


Security Guidelines for Merchants as End-Users

• Objectives and Guidance for the Security of a Payment Transaction

• Guidance for Securing the Mobile Device

• Guidance for Securing the Payment-Acceptance Solution

Mobile Payment Acceptance


Security Guidelines for Developers

• Objectives and Guidance for the Security of a Payment Transaction

• Guidelines for the Risk and Controls in the Supporting Environment

PCI Mobile Activities


• Mobile Task Force
  • Stay abreast of progress in mobile payment security
  • Participate in document reviews

• Mobile Forum Roundtable Discussions

• Participation in X9F4 workgroup
  • ISO 12812 Mobile Banking and Payments Part 2: Security
  • X9.112 Wireless Security Part 2: Mobile

Countermeasures


• Secure Cryptographic Device (SCD)

• Secure Element (SE)

• Host Card Emulation (HCE)

• Trusted Execution Environment (TEE)

• EMV Tokenization

• Secure Coding

Question and Answer

Jeff Stapleton, Information Security Architect, X9F4 Cryptographic Protocol and Application Security Workgroup

Ralph Poore, Director of Emerging Standards, PCI Security Standards Council

Thank you Jeff Stapleton, Information Security Architect, X9F4 Cryptographic Protocol and Application Security Workgroup, and Ralph Poore, Director of Emerging Standards, PCI Security Standards Council

Open Panel with Audience Q&A

• Michael Raggo, Director, MobileIron Security Labs

• David Jevans, Vice President of Mobile Security, Proofpoint

• Jeff Stapleton, Information Security Architect, X9F4 Cryptographic Protocol and Application Security Workgroup

• Ralph Spencer Poore, PCIP, CFE, CISA, CISSP, CHS-III, Director of Emerging Standards, PCI Security Standards Council

Closing Remarks

Thank you

Thank you Citrix for donating the Webcast service

CPE Credit

• Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post Web Conference quiz.

• After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.

• On-Demand Viewers Quiz Link: http://www.surveygizmo.com/s3/2609455/ISSA-Web-Conference-February-23-2016-Mobile-App-Security