www.enisa.europa.eu
Security… is there an app for that?
December 1st 2011, ECP EPN, The Hague
Dr. Marnix Dekker, CISA, ENISA
ENISA’s work on Smartphone security
o 2010: Smartphone security: Risks, opportunities and recommendations
o 2011: OWASP Mobile security project (ongoing)
o 2011: Appstore security: 5 lines of defense
o 2011: Smart access to the cloud (ongoing)
Risks
Zeus trojan
Lulz Security
Risks for users
1. Device loss leading to data leakage
2. Improper decommissioning
3. Unintentional data disclosure
4. Phishing attacks
5. Spyware
6. Network spoofing attacks
7. Surveillance attacks
8. Diallerware
9. Financial malware
10. Network congestion
Security opportunities
1. Sandboxing and capabilities
2. Controlled software distribution
3. Remote application removal
4. Backup and recovery
5. Extra authentication options
6. Extra encryption options
7. Platform diversity
Sample recommendation
2. Unintended disclosure of data
o Smartphone is loaded with personal data, with sensors and network interfaces.
o Collecting meaningful consent is difficult
o Covert channels
o Photos may contain location data
o Address book may contain private data
o “I can stalk u” (smartphone version of “Please rob me”)
o Interface to privacy and security settings is not easy
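The "photos may contain location data" point above is concrete enough to show in code. The following is an added example, not code from the slides or from ENISA: it walks the JPEG segment structure, parses the Exif GPS IFD (latitude/longitude stored as degree/minute/second rationals) into decimal degrees, and strips the Exif segment before a photo is shared. The JPEG skeleton it parses is constructed inline (no scan data, coordinates chosen near The Hague) so the block runs offline; the helper names are mine.

```python
"""Read and strip Exif GPS coordinates from a JPEG (added example, not ENISA code)."""
import struct


def _segments(jpeg):
    """Yield (marker, payload) for each JPEG segment before the scan data (SOS) or EOI."""
    assert jpeg[:2] == b"\xff\xd8", "not a JPEG (missing SOI)"
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("bad marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI or SOS: metadata segments are all before this
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]   # length includes its own 2 bytes
        yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length


def _ifd_entries(tiff, off, bo):
    """Yield (tag, type, count, 4 raw value/offset bytes) for each entry of the IFD at `off`."""
    n = struct.unpack(bo + "H", tiff[off:off + 2])[0]
    for i in range(n):
        e = off + 2 + 12 * i
        tag, typ, cnt = struct.unpack(bo + "HHI", tiff[e:e + 8])
        yield tag, typ, cnt, tiff[e + 8:e + 12]


def _rational3(tiff, raw, bo):
    """Three RATIONALs (deg, min, sec) never fit in the 4-byte field, so `raw` is an offset."""
    ptr = struct.unpack(bo + "I", raw)[0]
    v = struct.unpack(bo + "6I", tiff[ptr:ptr + 24])
    return [v[i] / v[i + 1] for i in range(0, 6, 2)]


def exif_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None if absent."""
    for marker, payload in _segments(jpeg):
        if marker != 0xE1 or not payload.startswith(b"Exif\0\0"):
            continue
        tiff = payload[6:]
        bo = ">" if tiff[:2] == b"MM" else "<"                     # byte order from TIFF header
        ifd0 = struct.unpack(bo + "I", tiff[4:8])[0]
        gps_off = None
        for tag, _, _, raw in _ifd_entries(tiff, ifd0, bo):
            if tag == 0x8825:                                       # GPSInfoIFDPointer
                gps_off = struct.unpack(bo + "I", raw)[0]
        if gps_off is None:
            return None
        g = {}
        for tag, _, _, raw in _ifd_entries(tiff, gps_off, bo):
            if tag in (1, 3):                                       # GPSLatitudeRef / GPSLongitudeRef
                g[tag] = raw[:1].decode()
            elif tag in (2, 4):                                     # GPSLatitude / GPSLongitude
                d, m, s = _rational3(tiff, raw, bo)
                g[tag] = d + m / 60 + s / 3600
        if not {1, 2, 3, 4} <= g.keys():
            return None
        lat = -g[2] if g[1] == "S" else g[2]
        lon = -g[4] if g[3] == "W" else g[4]
        return lat, lon
    return None


def strip_exif(jpeg):
    """Copy of `jpeg` without the Exif APP1 segment (drops GPS together with the rest of Exif)."""
    out = bytearray(b"\xff\xd8")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        seg = jpeg[pos:pos + 2 + length]
        if not (marker == 0xE1 and seg[4:10] == b"Exif\0\0"):
            out += seg
        pos += 2 + length
    out += jpeg[pos:]                       # SOS, scan data and EOI are copied unchanged
    return bytes(out)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed input: SOI + Exif APP1 (IFD0 -> GPS IFD) + EOI, big-endian, no image data."""
    tiff = bytearray(b"MM\x00\x2a" + struct.pack(">I", 8))
    # IFD0 with one entry: GPSInfoIFDPointer (LONG) to the GPS IFD at offset 26
    tiff += struct.pack(">H", 1) + struct.pack(">HHII", 0x8825, 4, 1, 26) + struct.pack(">I", 0)
    lat_ptr, lon_ptr = 80, 104              # rational triples stored right after the GPS IFD
    tiff += struct.pack(">H", 4)
    tiff += struct.pack(">HHI", 1, 2, 2) + lat_ref.encode() + b"\0\0\0"   # ASCII, fits inline
    tiff += struct.pack(">HHII", 2, 5, 3, lat_ptr)                        # 3 RATIONALs, by offset
    tiff += struct.pack(">HHI", 3, 2, 2) + lon_ref.encode() + b"\0\0\0"
    tiff += struct.pack(">HHII", 4, 5, 3, lon_ptr)
    tiff += struct.pack(">I", 0)
    for v in tuple(lat_dms) + tuple(lon_dms):
        tiff += struct.pack(">II", v, 1)    # numerator/denominator pairs
    app1 = b"Exif\0\0" + bytes(tiff)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg((52, 4, 48), "N", (4, 18, 36), "E")   # constructed coordinates
    print("before:", exif_gps(photo))
    print("after: ", exif_gps(strip_exif(photo)))
```

Dropping the whole APP1 segment is the blunt but safe choice for a sharing pipeline: it also removes orientation and camera model, so a photo app that wants to keep those would instead rewrite IFD0 without the 0x8825 pointer.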
Rootkit Keylogger on Smartphones
Droid Dream
o Malware disguised as popular apps (e.g. Super Guitar Solo).
o 200,000 downloads within days.
o Google used the kill-switch.
o Google’s security patches were re-posted with malware in them.
Using diallerware
o Diallerware for Windows Mobile
o Game demo on a shareware site
o Search for “3D anti terrorist dialler trojan”
o Trojan sleeps 31 days, then calls 5 numbers
o Satellite line, Antarctica, Africa, South America
o International premium numbers (short-stopped)
o Attacker spends 1 ct and receives 12 euro
Using banking malware
o Using Zitmo (thanks to S21sec)
o Attacker steals the online banking username and password using malware on the PC (ZeuS 2.x).
o Attacker infects the smartphone by sending an SMS with a link to Zitmo. The user must accept the install (disguised as a ‘Nokia update’).
o Attacker logs in with the stolen username and password, using the user's PC as a SOCKS proxy, and initiates a banking transaction.
o An SMS with the authentication code is sent to the smartphone. Zitmo forwards the SMS to the attacker.
o Attacker fills in the SMS code and completes the transaction.
App-store security: 5 lines of defense
o Apple appstore
o Android market
o Amazon appstore
o Mozilla add ons
o Google chrome store
o Windows phone 7
o …
o Many new app stores are being set up, for enterprises, subscribers.
STRIDE and attack trees
[Figure: data-flow diagram of an app store with STRIDE elements, and attack tree; text recovered from the figure]

Data-flow diagram elements:
External interactors: I1 App developer; I2 App store controller; I3 Device user
Data stores: D1 App store (app and metadata); D2 Local apps
Processes: P1 Acceptance check; P2 Package and store app; P3 Revoke app; P4 Publish description and reputation of apps; P5 Publish apps; P6 Publish updates and revocations; P7 Accept comments or complaints; P8 Install, uninstall apps; P9 Periodic app check; P10 Execute app
Data flows: new app; app and metadata; app name; app ID; app descriptions and reputations; approval of app; approval for installation, update, uninstallation; updated app; app ID of revoked or updated app; revocation of app; comment or complaint about app

Attack tree nodes:
o Get malicious code on the user device
o Sell/distribute malicious app in appstore
o Create malicious app
o Circumvent app review
o Troll/falsify app reputation
o Bypass the appstore
o Exploit vulnerability in installed app
o Keep malicious code on the user device
o Prevent detection by device user
o Prevent updates, app revocation

Lines of defence: A App review; R Reputation mechanism; K App revocation (kill-switch); D Device security; J Jails
The 5 layers of defence
1. Device security (sandboxes, permissions, …)
2. App review
3. App reputation (security aspects)
4. App revocation (aka kill switches)
5. Jails
o Distributed reputation for apps and app developers, across app stores?
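To make the attack tree and the five lines of defence concrete, here is an added example (not ENISA's code) that evaluates which attacker goals remain reachable for a given set of deployed defences. The node names come from the figure; the AND/OR structure, the intermediate node "Distribute outside the appstore", and the mapping of each leaf to the defence letters that stop it are my assumptions.

```python
"""Attack-tree evaluation for the app-store threat model (added example, not ENISA code).

Assumed mapping of leaves to lines of defence, using the slide's legend:
A app review, R reputation mechanism, K app revocation (kill-switch),
D device security, J jails.
"""
from dataclasses import dataclass, field
from itertools import product


@dataclass
class Node:
    name: str
    op: str = "LEAF"                       # "LEAF", "AND" or "OR"
    children: list = field(default_factory=list)
    blocked_by: frozenset = frozenset()    # defences that stop this leaf (assumption)


def leaf(name, *defences):
    return Node(name, blocked_by=frozenset(defences))


def AND(name, *children):
    return Node(name, "AND", list(children))


def OR(name, *children):
    return Node(name, "OR", list(children))


# Authoring a malicious app is not stopped by any of the five lines of defence.
CREATE = leaf("Create malicious app")

GET_CODE_ON_DEVICE = OR(
    "Get malicious code on the user device",
    AND("Sell/distribute malicious app in appstore",
        CREATE,
        leaf("Circumvent app review", "A"),
        leaf("Troll/falsify app reputation", "R")),
    AND("Distribute outside the appstore",          # assumed intermediate node
        CREATE,
        leaf("Bypass the appstore", "J", "D")),
    leaf("Exploit vulnerability in installed app", "D"),
)

KEEP_CODE_ON_DEVICE = AND(
    "Keep malicious code on the user device",
    leaf("Prevent detection by device user", "D"),
    leaf("Prevent updates, app revocation", "K", "D"),
)


def feasible(node, deployed):
    """True if the attacker can still reach `node` with the given defences deployed."""
    if node.op == "LEAF":
        return not (node.blocked_by & deployed)
    results = [feasible(c, deployed) for c in node.children]
    return all(results) if node.op == "AND" else any(results)


def attack_paths(node, deployed):
    """Sets of leaf steps that still complete `node`; one frozenset per surviving path."""
    if node.op == "LEAF":
        return [frozenset([node.name])] if feasible(node, deployed) else []
    if node.op == "OR":
        return [p for c in node.children for p in attack_paths(c, deployed)]
    per_child = [attack_paths(c, deployed) for c in node.children]
    if any(not paths for paths in per_child):
        return []                          # one blocked AND-child blocks the whole branch
    return [frozenset().union(*combo) for combo in product(*per_child)]


def evaluate(deployed):
    """Summarise what an attacker can still do given a set of deployed defence letters."""
    deployed = frozenset(deployed)
    return {
        "get": feasible(GET_CODE_ON_DEVICE, deployed),
        "keep": feasible(KEEP_CODE_ON_DEVICE, deployed),
        "paths": attack_paths(GET_CODE_ON_DEVICE, deployed),
    }


if __name__ == "__main__":
    for defences in ("", "ARK", "D", "ARKDJ"):
        r = evaluate(defences)
        print(f"{defences or 'none':6} get={str(r['get']):5} keep={str(r['keep']):5} "
              f"remaining paths={len(r['paths'])}")
```

Under these assumptions the store-side defences alone (A, R, K) still leave the sideloading and exploit branches open, which is the argument for device security and jails as separate layers; the remaining `paths` lists exactly which leaf steps an attacker would still have to complete.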
Smart access to the cloud
o Passwords are cumbersome to use and often insecure
o Authentication with smartphones (Google Authenticator, HOTP, OATH)
o Ongoing work with various industry players (OpenID, Kantara, Google, Blackberry, eBay, Intel, …)
o Comparing pros and cons of authentication schemes:
  o Password authentication
  o Smartphone-based OTP
  o Mobile PKI (AKA/GBA)
  o App SSO (OAuth)
o User-friendly, cheap, more secure, strong authentication?
Marnix Dekker ([email protected])
Secure applications and services, ENISA
https://www.enisa.europa.eu/act/application-security