www.enisa.europa.eu

Security… is there an app for that?

December 1st 2011, ECP EPN, The Hague
Dr. Marnix Dekker, CISA, ENISA


Page 1: Security… is there an app for that?

Page 2: ENISA’s work on Smartphone security

o 2010: Smartphone security: Risks, opportunities and recommendations

o 2011: OWASP Mobile security project (ongoing)

o 2011: Appstore security: 5 lines of defense

o 2011: Smart access to the cloud (ongoing)

Page 3: Risks

Page 4: Zeus trojan

Page 5: Lulz Security

Page 6

Page 7: Risks for users

1. Device loss leading to data leakage

2. Improper decommissioning

3. Unintentional data disclosure

4. Phishing attacks

5. Spyware

6. Network spoofing attacks

7. Surveillance attacks

8. Diallerware

9. Financial malware

10. Network congestion

Page 8: Security opportunities

1. Sandboxing and capabilities

2. Controlled software distribution

3. Remote application removal

4. Backup and recovery

5. Extra authentication options

6. Extra encryption options

7. Platform diversity

Page 9: Sample recommendation

Page 10

Page 11

Page 12: 2. Unintended disclosure of data

o The smartphone is loaded with personal data, sensors and network interfaces.

o Collecting meaningful consent is difficult.

o Covert channels.

o Photos may contain location data.

o The address book may contain private data.

o “I can stalk u” (smartphone version of “Please rob me”).

o The interface to privacy and security settings is not easy.

Page 13: Rootkit Keylogger on Smartphones

Page 14

Page 15

Page 16: Droid Dream

o Malware disguised as popular apps (e.g. Super Guitar Solo).

o 200,000 downloads within days.

o Google used the kill-switch.

o Google’s security patches were re-posted with malware in them.

Page 17: Using diallerware

o Diallerware for Windows Mobile.

o Game demo on a shareware site.

o Search for “3D anti terrorist dialler trojan”.

o The trojan sleeps 31 days, then calls 5 numbers.

o Satellite line, Antarctica, Africa, South America.

o International premium numbers (short-stopped).

o The attacker spends 1 ct and receives 12 euro.

Page 18: Using banking malware

o Using Zitmo (thanks to S21sec).

o The attacker steals the online username and password using malware (ZeuS 2.x).

o The attacker infects the smartphone by sending an SMS with a link to Zitmo. The user must accept (‘Nokia update’).

o The attacker logs in with the stolen username and password, using the user's PC as a SOCKS proxy, and performs a banking transaction.

o An SMS with the authentication code is sent to the smartphone. Zitmo forwards the SMS to the attacker.

o The attacker fills in the SMS code and completes the transaction.

Page 19: App-store security: 5 lines of defense

o Apple App Store

o Android Market

o Amazon Appstore

o Mozilla add-ons

o Google Chrome store

o Windows Phone 7

o …

o Many new app stores are being set up, for enterprises and subscribers.

Page 20: STRIDE and attack trees

[Data-flow diagram of the app-store ecosystem; node and flow labels as recovered from the slide]

Interactors: I1: App developer; I2: App store controller; I3: Device user

Data stores: D1: App store (app and metadata); D2: Local apps

Processes: P1: Acceptance check; P2: Package and store app; P3: Revoke app; P4: Publish description and reputation of apps; P5: Publish apps; P6: Publish updates and revocations; P7: Accept comments or complaints; P8: Install, uninstall apps; P9: Periodic app check; P10: Execute app

Data flows: New app; App and metadata; App name; App ID; Approval of app; Revocation of app; App descriptions and reputations; Comment or complaint about app; App ID of revoked or updated app; Updated app; Approval for installation, update, uninstallation; App

[Attack tree; nodes as recovered from the slide]

Get malicious code on the user device; Create malicious app; Sell/distribute malicious app in appstore; Circumvent app review; Troll/falsify app reputation; Bypass the appstore; Keep malicious code on the user device; Prevent detection by device user; Prevent updates, app revocation; Exploit vulnerability in installed app

Leaf annotations (lines of defence): J D, A D A; R; D K, D

Lines of defence:

A: App review
R: Reputation mechanism
K: App revocation (kill-switch)
D: Device security
J: Jails

Page 21: The 5 layers of defence

1. Device security (sandboxes, permissions, …)

2. App review

3. App reputation (security aspects)

4. App revocation (aka kill switches)

5. Jails

o Distributed reputation for apps and app developers, across app stores?

Page 22

Page 23: Smart access to the cloud

o Passwords are cumbersome to use and often insecure

o Authentication with smartphones (Google Authenticator, HOTP, OATH)

o Ongoing work with various industry players (OpenID, Kantara, Google, Blackberry, eBay, Intel, …)

o Comparing pros and cons of authentication schemes

    o Password authentication

    o Smartphone-based OTP

    o Mobile PKI (AKA/GBA)

    o App SSO (OAUTH)

o User-friendly, cheap, more secure, strong authentication?
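An added example, not part of the ENISA slides: the HOTP algorithm (RFC 4226) behind the smartphone-based OTP mentioned on this slide, with a server-side verifier whose look-ahead window and monotonic counter make a code single-use, so a code that leaks (as the SMS codes forwarded by Zitmo on the banking-malware slide do) cannot be replayed once it has been consumed. The secret and counter values are the published RFC 4226 test vectors; the `HotpVerifier` class and its window size are this example's own assumptions.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced modulo 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server side of HOTP (hypothetical helper, not from the slides).

    Keeps the next expected counter per user and accepts a code only from a
    small look-ahead window, so a code that is observed or forwarded to a
    third party is worthless once the legitimate code has been consumed."""

    def __init__(self, secret: bytes, window: int = 5, digits: int = 6):
        self.secret = secret
        self.counter = 0          # next counter value we expect from the token
        self.window = window      # how far ahead we resynchronise (RFC 4226 s.7.4)
        self.digits = digits

    def verify(self, code: str) -> bool:
        for i in range(self.window):
            c = self.counter + i
            # constant-time compare to avoid leaking digits via timing
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.counter = c + 1   # consume c and any skipped lower counters
                return True
        return False                   # wrong code, or counter already used / too far ahead


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret (ASCII "12345678901234567890")
    secret = b"12345678901234567890"
    for n in range(10):
        print(n, hotp(secret, n))
```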

Page 24