SlideShare una empresa de Scribd logo
1 de 37
Descargar para leer sin conexión
Mobile Threats
Things Your Smartphone Does When Nobody is Looking
Agenda
    The “What”


The Problem               Mobile Ecosystem




  1              2            3              4
                Threat                       The Fix
              Landscape
The Problem




  1
What Are The Risks
 Define the Threats
Moving Into The Enterprise
  Bring Your Own Device




 Security      Compliance   Privacy
Mobile Crossroads
    The Inflection Point




  63%
Do you trust the security of your mobile device…




         Have yet to make up their minds
Threat Landscape




     2
The Mobile Threat Landscape
Mobile Malware
Mobile Networks
   Decentralized
   Interconnected
   Mobile
   Quick Content Retrieval

Perfect Malware
   Decentralized
   Interconnected
   Mobile
   Quick Content Retrieval
Statistics
Malware Timeline


2011

July    August    September     October     November




  Early to       Malware Wave             Exponential
 the Game           Begins                  Growth
Primary Target
Android Most Targeted (65%)
iOS Absent (<1%)
                                             WHY              •   Closed Technology
                                   1%
                                                              •   Harder to Reverse Engineer
                             7%
                                                              •   Stronger OS Security
                                                        65%
                 27%                                          •   Better App Store Security
                                                              •   No Fragmentation Issue
Android
J2ME
Symbian
Windows Mobile

      Distribution of Mobile Threats by Platform 2011
Mobile Malware

86%                                                            7%
      Repackaging                  Update
      •Choose popular app          •Similar to repackaging
      •Disassemble                 •Does not add full
      •Add malicious payloads       payload
      •Re-assemble                 •Adds small downloader
      •Submit new app to           •Payload downloaded at
       public market                runtime




      Drive-By                     Standalone
      •Entice users to             •Commercial spyware
       download malware            •Non functional fake apps



<1%                                                            14%
      •Distributed via malicious    (Fake Netflix)
       websites                    •Functional Trojan code
      •May or may not contain      •Apps with root exploits
       a browser exploit
Mobile Malware

37%   Privilege Escalation
      •Attempts root exploits
      •Small number of platform
       vulnerabilities
                                   Remote Control
                                   •Similar to PC bots
                                   •Most use HTTP based web
                                    traffic as C&C
                                                                93%
      •May use more than one       •Advanced C&C models
       exploit for attack           translating from PC world
      •Advanced obfuscation seen
       in the wild



      Financial Charges            Information Collection

45%
      •Premium rate SMS
      •Both hard-coded and
       runtime updated numbers
      •Employ SMS filtering
                                   •Harvests personal
                                    information and data
                                   •User accounts
                                   •GPS location
                                                                45%
SMS                                •SMS and emails
                                   •Phone call tapping
                                   •Ad Libraries
                                                                Phone
                                                                Number
Application Behaviors

 Previous Code        Web Sources




              Your Code




Binary 3rd Party     Source 3rd Party
    Libraries           Libraries
Case studies
               …   !
Vulnerabilities
• Sensitive data leakage
  (inadvertent or side channel)

• Unsafe sensitive data storage

• Unsafe sensitive data
  transmission

• Hardcoded password/keys
Vulnerabilities

• Layered APIs on common
  languages

• Blackberry and Android
  use Java as a base

• Non-issue for Objective-C
  (it’s own language)
Mobile Ecosystem




     3
The Mobile Ecosystem
 The Players of the Game




                 Consumer
MDM Vendors
 The Enterprise Choke Point



                              Enterprise Control Point
                              What They Provide
                               Device Enrollment and Management
                               Security Management
                               Device Configuration
                               Device Monitoring
                               Software Management
                              Security Components
                               Passcode Enforcement
                               Encryption
                               Feature Restriction
                               Compliance
                               Locate and Wipe
                               Certificate Management
Mobile Anti-Virus
 Old Methods Rehashed



                        Old Methods Rehashed
                        What They Provide
                         Quarantine and Eradicate Malware
                         Signature Based Analysis

                        Security Components
                         Locate, Lock, and Wipe
                         Cloud Analysis
                         Spam Filtering
                         Email Attachment Scanning
                         Data Backup
Application Markets
 The Distributor



                   The Distributor

                   What They Provide
                    Marketplace for Applications
                    User Ratings
                    Application Updates

                   Security Components
                    Application Approval Process
                            Android Bouncer
                            iOS Scanning
Developers
 The Source



              The Source

               What They Provide
               Enterprise Application Development
               Consumer Application Development
               Cross-platform Expertise


               Security Components
               Variable on Developer Capabilities
The Fix




4
The Fix
 Securing Against Multiple Threats



Capabilities Mapping

     Malware Detection

Vulnerability Analysis
Capabilities Mapping
 Features and Permissions

                   Data Sources            Data Sinks                 Mapping


               •   Location Data     •   HTTP Requests
 User Facing




               •   Contacts          •   Outbound SMS
               •   Email             •   Outbound Email        •   Trace Sources to Sinks
               •   SMS Data          •   DNS Requests          •   Application “Intent”
               •   SQL Access        •   TCP                   •   Permission Mapping
               •   File System       •   UDP                   •   Human Intelligence
               •   Photos            •   Vulnerable Code
               •   Phone ID Values




                       Code Flow                           Data Flow
Malware Detection
   Learn From Previous Mistakes

                                    Static
 Signatures                        Analysis
 Signatures                         Human
 Signatures
                                  Intelligence

                                   Dynamic
Basic Heuristics                   Analysis
Vulnerability Analysis
 Find the Flaws



          Environmental
              Flaws



  Application
    Flaws
Strategic Control Points
 Security and Power


   Application Markets
                         Enterprise Developers

   MDM                            Consumer Developers
                          Outsourced Developers
   Anti-Virus                        COTS Developers
                           … Developers
   Enterprise
Enterprise Fixes
  De-Risk B.Y.O.D




Policy

Process

Technical
  Controls
Consumer Fixes
     Will Users Learn?

Security Awareness
• Read EULAs & prompts..
• Understand permissions
• Know what jail breaking
  does to the security
  posture of the device
• Recognizing phishing and
  social engineering
• Practice practice practice
Permissions
  *SCOFF*




Just Let Me Fling Birds at Pigs Already!
Vendor Fixes
  It Takes a Village


         Verification

Process and Policy


     User Facing

         Platform Security
Developer Fixes
 Secure Coding



                  TRAINING
                    SDLC
                 AWARENESS
The Road Ahead
 Where do we go from here?




 Capabilities   Malware     Vulnerability    A Safer
              +           +               =
  Mapping       Detection     Analysis      Mobile Path
Sources
 Show me the data
•   http://www.juniper.net/us/en/local/pdf/additional-resources/7100155-en.pdf
      Juniper Network Trusted Mobility Index
•   http://countermeasures.trendmicro.eu/wp-content/uploads/2012/02/History-of-Mobile-Malware.pdf
      A History of Malware – Trend Micro
•   http://www.cs.berkeley.edu/~afelt/felt-mobilemalware-spsm.pdf
      A Survey of Mobile Malware In The Wild – UC Berkeley
•   http://www.securelist.com/en/analysis/204792222/Mobile_Malware_Evolution_Part_5
      Mobile Malware Evolution Part 5 – Kaspersky Labs
•   http://www.csc.ncsu.edu/faculty/jiang/pubs/OAKLAND12.pdf
      Dissecting Android Malware: Characterization and Evolution – Yajin Zhou and Xuxian Jiang
•   http://www.fiercemobilecontent.com/story/apples-new-ios-6-adds-deep-facebook-integration-dumps-google-
    maps/2012-06-11
      Apple's new iOS 6 adds deep Facebook integration, dumps Google Maps
•   http://www.net-security.org/secworld.php?id=13050
      LinkedIn Privacy Fail
•   http://www.trailofbits.com/resources/mobile_eip_2.pdf
      Mobile Exploit Intelligence Project – Trail of Bits
•   http://www.net-security.org/secworld.php?id=12418
      Social Mobile Apps Found Storing User’s Content Without Permission

•   And More…. Contact me if you need something specific I may have left out…

Más contenido relacionado

La actualidad más candente

Cyber Security for Critical Infrastructure
Cyber Security for Critical InfrastructureCyber Security for Critical Infrastructure
Cyber Security for Critical Infrastructure
Mohit Rampal
 
Trend micro real time threat management press presentation
Trend micro real time threat management press presentationTrend micro real time threat management press presentation
Trend micro real time threat management press presentation
Andrew Wong
 
Moving target-defense
Moving target-defenseMoving target-defense
Moving target-defense
Zsolt Nemeth
 
Security assessment for financial institutions
Security assessment for financial institutionsSecurity assessment for financial institutions
Security assessment for financial institutions
Zsolt Nemeth
 
HIERARCHICAL DESIGN BASED INTRUSION DETECTION SYSTEM FOR WIRELESS AD HOC SENS...
HIERARCHICAL DESIGN BASED INTRUSION DETECTION SYSTEM FOR WIRELESS AD HOC SENS...HIERARCHICAL DESIGN BASED INTRUSION DETECTION SYSTEM FOR WIRELESS AD HOC SENS...
HIERARCHICAL DESIGN BASED INTRUSION DETECTION SYSTEM FOR WIRELESS AD HOC SENS...
IJNSA Journal
 
Hakin9 interview w Prof Sood
Hakin9 interview w Prof SoodHakin9 interview w Prof Sood
Hakin9 interview w Prof Sood
Zsolt Nemeth
 
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Security B-Sides
 

La actualidad más candente (20)

CSF18 - For Your Ears Only - Sasha Kranjac
CSF18 - For Your Ears Only - Sasha KranjacCSF18 - For Your Ears Only - Sasha Kranjac
CSF18 - For Your Ears Only - Sasha Kranjac
 
Trend Micro - Targeted attacks: Have you found yours?
Trend Micro - Targeted attacks: Have you found yours?Trend Micro - Targeted attacks: Have you found yours?
Trend Micro - Targeted attacks: Have you found yours?
 
Day1
Day1Day1
Day1
 
Cyber Security for Critical Infrastructure
Cyber Security for Critical InfrastructureCyber Security for Critical Infrastructure
Cyber Security for Critical Infrastructure
 
SCIT Labs - intrusion tolerant systems
SCIT Labs - intrusion tolerant systemsSCIT Labs - intrusion tolerant systems
SCIT Labs - intrusion tolerant systems
 
Trend micro real time threat management press presentation
Trend micro real time threat management press presentationTrend micro real time threat management press presentation
Trend micro real time threat management press presentation
 
Detecting and Confronting Flash Attacks from IoT Botnets
Detecting and Confronting Flash Attacks from IoT BotnetsDetecting and Confronting Flash Attacks from IoT Botnets
Detecting and Confronting Flash Attacks from IoT Botnets
 
Safe Computing At Home And Work
Safe Computing At Home And WorkSafe Computing At Home And Work
Safe Computing At Home And Work
 
35 38
35 3835 38
35 38
 
Day4
Day4Day4
Day4
 
Efficient String Matching Algorithm for Intrusion Detection
Efficient String Matching Algorithm for Intrusion DetectionEfficient String Matching Algorithm for Intrusion Detection
Efficient String Matching Algorithm for Intrusion Detection
 
Moving target-defense
Moving target-defenseMoving target-defense
Moving target-defense
 
Security assessment for financial institutions
Security assessment for financial institutionsSecurity assessment for financial institutions
Security assessment for financial institutions
 
HIERARCHICAL DESIGN BASED INTRUSION DETECTION SYSTEM FOR WIRELESS AD HOC SENS...
HIERARCHICAL DESIGN BASED INTRUSION DETECTION SYSTEM FOR WIRELESS AD HOC SENS...HIERARCHICAL DESIGN BASED INTRUSION DETECTION SYSTEM FOR WIRELESS AD HOC SENS...
HIERARCHICAL DESIGN BASED INTRUSION DETECTION SYSTEM FOR WIRELESS AD HOC SENS...
 
Targeted Attacks: Have you found yours?
Targeted Attacks: Have you found yours?Targeted Attacks: Have you found yours?
Targeted Attacks: Have you found yours?
 
Hakin9 interview w Prof Sood
Hakin9 interview w Prof SoodHakin9 interview w Prof Sood
Hakin9 interview w Prof Sood
 
DYNAMIC IDP SIGNATURE PROCESSING BY FAST ELIMINATION USING DFA
DYNAMIC IDP SIGNATURE PROCESSING BY FAST ELIMINATION USING DFADYNAMIC IDP SIGNATURE PROCESSING BY FAST ELIMINATION USING DFA
DYNAMIC IDP SIGNATURE PROCESSING BY FAST ELIMINATION USING DFA
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
 
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS NetworksLessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
 
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S...
 

Destacado (7)

Praetorian Veracode Webinar - Mobile Privacy
Praetorian Veracode Webinar - Mobile PrivacyPraetorian Veracode Webinar - Mobile Privacy
Praetorian Veracode Webinar - Mobile Privacy
 
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
 
Avoiding the Pandora Pitfall
Avoiding the Pandora PitfallAvoiding the Pandora Pitfall
Avoiding the Pandora Pitfall
 
Social and Mobile and Cloud - OH MY!
Social and Mobile and Cloud - OH MY!Social and Mobile and Cloud - OH MY!
Social and Mobile and Cloud - OH MY!
 
Shmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the BerriesShmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the Berries
 
Social Media Basics: Security Loopholes with Twitter & Other Social Media
Social Media Basics: Security Loopholes with Twitter & Other Social MediaSocial Media Basics: Security Loopholes with Twitter & Other Social Media
Social Media Basics: Security Loopholes with Twitter & Other Social Media
 
Del Garabateo A La Escritura Convencional
Del Garabateo A La Escritura ConvencionalDel Garabateo A La Escritura Convencional
Del Garabateo A La Escritura Convencional
 

Similar a The New Mobile Landscape - OWASP Ireland

Dirty Little Secret - Mobile Applications Invading Your Privacy
Dirty Little Secret - Mobile Applications Invading Your PrivacyDirty Little Secret - Mobile Applications Invading Your Privacy
Dirty Little Secret - Mobile Applications Invading Your Privacy
Tyler Shields
 
Symantec Endpoint Protection 12
Symantec Endpoint Protection 12Symantec Endpoint Protection 12
Symantec Endpoint Protection 12
Symantec
 
McAffee_Security and System Integrity in Embedded Devices
McAffee_Security and System Integrity in Embedded DevicesMcAffee_Security and System Integrity in Embedded Devices
McAffee_Security and System Integrity in Embedded Devices
Işınsu Akçetin
 
Redefining siem to real time security intelligence
Redefining siem to real time security intelligenceRedefining siem to real time security intelligence
Redefining siem to real time security intelligence
Brendaly Marcano
 
Malware in Mobile Platform from Panoramic Industrial View
Malware in Mobile Platform from Panoramic Industrial ViewMalware in Mobile Platform from Panoramic Industrial View
Malware in Mobile Platform from Panoramic Industrial View
Antiy Labs
 
Endpoint Protection
Endpoint ProtectionEndpoint Protection
Endpoint Protection
Sophos
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
Harsimran Walia
 

Similar a The New Mobile Landscape - OWASP Ireland (20)

Mobile Apps Security
Mobile Apps SecurityMobile Apps Security
Mobile Apps Security
 
iScan Online - PCI DSS Mobile Task Force
iScan Online - PCI DSS Mobile Task ForceiScan Online - PCI DSS Mobile Task Force
iScan Online - PCI DSS Mobile Task Force
 
Security and Mobile Application Management with Worklight
Security and Mobile Application Management with WorklightSecurity and Mobile Application Management with Worklight
Security and Mobile Application Management with Worklight
 
Spiceworld 2011 - AppRiver breakout session
Spiceworld 2011 - AppRiver breakout sessionSpiceworld 2011 - AppRiver breakout session
Spiceworld 2011 - AppRiver breakout session
 
Enterprise API Security & Data Loss Prevention - Intel
Enterprise API Security & Data Loss Prevention - IntelEnterprise API Security & Data Loss Prevention - Intel
Enterprise API Security & Data Loss Prevention - Intel
 
Dirty Little Secret - Mobile Applications Invading Your Privacy
Dirty Little Secret - Mobile Applications Invading Your PrivacyDirty Little Secret - Mobile Applications Invading Your Privacy
Dirty Little Secret - Mobile Applications Invading Your Privacy
 
Symantec Endpoint Protection 12
Symantec Endpoint Protection 12Symantec Endpoint Protection 12
Symantec Endpoint Protection 12
 
2012 Data Center Security
2012 Data Center Security2012 Data Center Security
2012 Data Center Security
 
McAffee_Security and System Integrity in Embedded Devices
McAffee_Security and System Integrity in Embedded DevicesMcAffee_Security and System Integrity in Embedded Devices
McAffee_Security and System Integrity in Embedded Devices
 
8 Threats Your Anti-Virus Won't Stop
8 Threats Your Anti-Virus Won't Stop8 Threats Your Anti-Virus Won't Stop
8 Threats Your Anti-Virus Won't Stop
 
Redefining siem to real time security intelligence
Redefining siem to real time security intelligenceRedefining siem to real time security intelligence
Redefining siem to real time security intelligence
 
Malware in Mobile Platform from Panoramic Industrial View
Malware in Mobile Platform from Panoramic Industrial ViewMalware in Mobile Platform from Panoramic Industrial View
Malware in Mobile Platform from Panoramic Industrial View
 
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...
E is for Endpoint II: How to Implement the Vital Layers to Protect Your Endpo...
 
Andrew Jaquith SOURCE Boston 2011
Andrew Jaquith SOURCE Boston 2011Andrew Jaquith SOURCE Boston 2011
Andrew Jaquith SOURCE Boston 2011
 
NIC2012 - System Center Endpoint Protection 2012
NIC2012 - System Center Endpoint Protection 2012NIC2012 - System Center Endpoint Protection 2012
NIC2012 - System Center Endpoint Protection 2012
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
 
Is Antivirus (AV) Dead or Just Missing in Action
Is Antivirus (AV) Dead or Just Missing in Action Is Antivirus (AV) Dead or Just Missing in Action
Is Antivirus (AV) Dead or Just Missing in Action
 
Endpoint Protection
Endpoint ProtectionEndpoint Protection
Endpoint Protection
 
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & VeracodeCrafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
Crafting Super-Powered Risk Assessments by Digital Defense Inc & Veracode
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
 

Más de Tyler Shields

Source Boston 2009 - Anti-Debugging A Developers Viewpoint
Source Boston 2009 - Anti-Debugging A Developers ViewpointSource Boston 2009 - Anti-Debugging A Developers Viewpoint
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
Tyler Shields
 
Source Boston 2010 - The Monkey Steals the Berries Part Deux
Source Boston 2010 - The Monkey Steals the Berries Part DeuxSource Boston 2010 - The Monkey Steals the Berries Part Deux
Source Boston 2010 - The Monkey Steals the Berries Part Deux
Tyler Shields
 
Software Developers Forum 2010 - The Monkey Steals the Berries
Software Developers Forum 2010 - The Monkey Steals the BerriesSoftware Developers Forum 2010 - The Monkey Steals the Berries
Software Developers Forum 2010 - The Monkey Steals the Berries
Tyler Shields
 
Raleigh ISSA 2010 - The Monkey Steals the Berries
Raleigh ISSA 2010 - The Monkey Steals the BerriesRaleigh ISSA 2010 - The Monkey Steals the Berries
Raleigh ISSA 2010 - The Monkey Steals the Berries
Tyler Shields
 
Static Detection of Application Backdoors
Static Detection of Application BackdoorsStatic Detection of Application Backdoors
Static Detection of Application Backdoors
Tyler Shields
 
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareBlackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Tyler Shields
 
Anti-Debugging - A Developers View
Anti-Debugging - A Developers ViewAnti-Debugging - A Developers View
Anti-Debugging - A Developers View
Tyler Shields
 
Owasp Ireland - The State of Software Security
Owasp  Ireland - The State of Software SecurityOwasp  Ireland - The State of Software Security
Owasp Ireland - The State of Software Security
Tyler Shields
 
More Apps More Problems
More Apps More ProblemsMore Apps More Problems
More Apps More Problems
Tyler Shields
 
IT Hot Topics - Mobile Security Threats at Every Layer
IT Hot Topics - Mobile Security Threats at Every LayerIT Hot Topics - Mobile Security Threats at Every Layer
IT Hot Topics - Mobile Security Threats at Every Layer
Tyler Shields
 
IT Hot Topics 2010 - The Coming Wave of Smartphone Attacks
IT Hot Topics 2010 - The Coming Wave of Smartphone AttacksIT Hot Topics 2010 - The Coming Wave of Smartphone Attacks
IT Hot Topics 2010 - The Coming Wave of Smartphone Attacks
Tyler Shields
 
iSec Forum NYC - Smartphone Backdoors an Analysis of Mobile Spyware
iSec Forum NYC - Smartphone Backdoors an Analysis of Mobile SpywareiSec Forum NYC - Smartphone Backdoors an Analysis of Mobile Spyware
iSec Forum NYC - Smartphone Backdoors an Analysis of Mobile Spyware
Tyler Shields
 
IQT 2010 - The App Does That!?
IQT 2010 - The App Does That!?IQT 2010 - The App Does That!?
IQT 2010 - The App Does That!?
Tyler Shields
 
Triangle InfoSecCon - Detecting Certified Pre-Owned Software and Devices
Triangle InfoSecCon - Detecting Certified Pre-Owned Software and DevicesTriangle InfoSecCon - Detecting Certified Pre-Owned Software and Devices
Triangle InfoSecCon - Detecting Certified Pre-Owned Software and Devices
Tyler Shields
 
GovCert.NL - The Monkey Steals The Berries
GovCert.NL - The Monkey Steals The BerriesGovCert.NL - The Monkey Steals The Berries
GovCert.NL - The Monkey Steals The Berries
Tyler Shields
 
Intelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software SecurityIntelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software Security
Tyler Shields
 
The Coming Wave of Smartphone Attacks - Texas DIR
The Coming Wave of Smartphone Attacks - Texas DIRThe Coming Wave of Smartphone Attacks - Texas DIR
The Coming Wave of Smartphone Attacks - Texas DIR
Tyler Shields
 
CarolinaCon 2009 Anti-Debugging
CarolinaCon 2009 Anti-DebuggingCarolinaCon 2009 Anti-Debugging
CarolinaCon 2009 Anti-Debugging
Tyler Shields
 
CarolinaCon 2006 Reverse Engineering 101
CarolinaCon 2006 Reverse Engineering 101CarolinaCon 2006 Reverse Engineering 101
CarolinaCon 2006 Reverse Engineering 101
Tyler Shields
 

Más de Tyler Shields (20)

Source Boston 2009 - Anti-Debugging A Developers Viewpoint
Source Boston 2009 - Anti-Debugging A Developers ViewpointSource Boston 2009 - Anti-Debugging A Developers Viewpoint
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
 
Source Boston 2010 - The Monkey Steals the Berries Part Deux
Source Boston 2010 - The Monkey Steals the Berries Part DeuxSource Boston 2010 - The Monkey Steals the Berries Part Deux
Source Boston 2010 - The Monkey Steals the Berries Part Deux
 
Software Developers Forum 2010 - The Monkey Steals the Berries
Software Developers Forum 2010 - The Monkey Steals the BerriesSoftware Developers Forum 2010 - The Monkey Steals the Berries
Software Developers Forum 2010 - The Monkey Steals the Berries
 
Raleigh ISSA 2010 - The Monkey Steals the Berries
Raleigh ISSA 2010 - The Monkey Steals the BerriesRaleigh ISSA 2010 - The Monkey Steals the Berries
Raleigh ISSA 2010 - The Monkey Steals the Berries
 
Static Detection of Application Backdoors
Static Detection of Application BackdoorsStatic Detection of Application Backdoors
Static Detection of Application Backdoors
 
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareBlackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
 
Anti-Debugging - A Developers View
Anti-Debugging - A Developers ViewAnti-Debugging - A Developers View
Anti-Debugging - A Developers View
 
Owasp Ireland - The State of Software Security
Owasp  Ireland - The State of Software SecurityOwasp  Ireland - The State of Software Security
Owasp Ireland - The State of Software Security
 
More Apps More Problems
More Apps More ProblemsMore Apps More Problems
More Apps More Problems
 
IT Hot Topics - Mobile Security Threats at Every Layer
IT Hot Topics - Mobile Security Threats at Every LayerIT Hot Topics - Mobile Security Threats at Every Layer
IT Hot Topics - Mobile Security Threats at Every Layer
 
IT Hot Topics 2010 - The Coming Wave of Smartphone Attacks
IT Hot Topics 2010 - The Coming Wave of Smartphone AttacksIT Hot Topics 2010 - The Coming Wave of Smartphone Attacks
IT Hot Topics 2010 - The Coming Wave of Smartphone Attacks
 
iSec Forum NYC - Smartphone Backdoors an Analysis of Mobile Spyware
iSec Forum NYC - Smartphone Backdoors an Analysis of Mobile SpywareiSec Forum NYC - Smartphone Backdoors an Analysis of Mobile Spyware
iSec Forum NYC - Smartphone Backdoors an Analysis of Mobile Spyware
 
IQT 2010 - The App Does That!?
IQT 2010 - The App Does That!?IQT 2010 - The App Does That!?
IQT 2010 - The App Does That!?
 
Triangle InfoSecCon - Detecting Certified Pre-Owned Software and Devices
Triangle InfoSecCon - Detecting Certified Pre-Owned Software and DevicesTriangle InfoSecCon - Detecting Certified Pre-Owned Software and Devices
Triangle InfoSecCon - Detecting Certified Pre-Owned Software and Devices
 
GovCert.NL - The Monkey Steals The Berries
GovCert.NL - The Monkey Steals The BerriesGovCert.NL - The Monkey Steals The Berries
GovCert.NL - The Monkey Steals The Berries
 
Intelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software SecurityIntelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software Security
 
The Coming Wave of Smartphone Attacks - Texas DIR
The Coming Wave of Smartphone Attacks - Texas DIRThe Coming Wave of Smartphone Attacks - Texas DIR
The Coming Wave of Smartphone Attacks - Texas DIR
 
CarolinaCon 2009 Anti-Debugging
CarolinaCon 2009 Anti-DebuggingCarolinaCon 2009 Anti-Debugging
CarolinaCon 2009 Anti-Debugging
 
CarolinaCon 2006 Reverse Engineering 101
CarolinaCon 2006 Reverse Engineering 101CarolinaCon 2006 Reverse Engineering 101
CarolinaCon 2006 Reverse Engineering 101
 
CarolinaCon 2005 Web Application Hacking 101
CarolinaCon 2005 Web Application Hacking 101CarolinaCon 2005 Web Application Hacking 101
CarolinaCon 2005 Web Application Hacking 101
 

Último

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 

Último (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 

The New Mobile Landscape - OWASP Ireland

  • 1. Mobile Threats Things Your Smartphone Does When Nobody is Looking
  • 2. Agenda The “What” The Problem Mobile Ecosystem 1 2 3 4 Threat The Fix Landscape
  • 4. What Are The Risks Define the Threats
  • 5. Moving Into The Enterprise Bring Your Own Device Security Compliance Privacy
  • 6. Mobile Crossroads The Inflection Point 63% Do you trust the security of your mobile device… Have yet to make up their minds
  • 8. The Mobile Threat Landscape
  • 9. Mobile Malware Mobile Networks Decentralized Interconnected Mobile Quick Content Retrieval Perfect Malware Decentralized Interconnected Mobile Quick Content Retrieval
  • 11. Malware Timeline 2011 July August September October November Early to Malware Wave Exponential the Game Begins Growth
  • 12. Primary Target Android Most Targeted (65%) iOS Absent (<1%) WHY • Closed Technology 1% • Harder to Reverse Engineer 7% • Stronger OS Security 65% 27% • Better App Store Security • No Fragmentation Issue Android J2ME Symbian Windows Mobile Distribution of Mobile Threats by Platform 2011
  • 13. Mobile Malware 86% 7% Repackaging Update •Choose popular app •Similar to repackaging •Disassemble •Does not add full •Add malicious payloads payload •Re-assemble •Adds small downloader •Submit new app to •Payload downloaded at public market runtime Drive-By Standalone •Entice users to •Commercial spyware download malware •Non functional fake apps <1% 14% •Distributed via malicious (Fake Netflix) websites •Functional Trojan code •May or may not contain •Apps with root exploits a browser exploit
  • 14. Mobile Malware 37% Privilege Escalation •Attempts root exploits •Small number of platform vulnerabilities Remote Control •Similar to PC bots •Most use HTTP based web traffic as C&C 93% •May use more than one •Advanced C&C models exploit for attack translating from PC world •Advanced obfuscation seen in the wild Financial Charges Information Collection 45% •Premium rate SMS •Both hard-coded and runtime updated numbers •Employ SMS filtering •Harvests personal information and data •User accounts •GPS location 45% SMS •SMS and emails •Phone call tapping •Ad Libraries Phone Number
  • 15. Application Behaviors Previous Code Web Sources Your Code Binary 3rd Party Source 3rd Party Libraries Libraries
  • 16. Case studies … !
  • 17. Vulnerabilities • Sensitive data leakage (inadvertent or side channel) • Unsafe sensitive data storage • Unsafe sensitive data transmission • Hardcoded password/keys
  • 18. Vulnerabilities • Layered APIs on common languages • Blackberry and Android use Java as a base • Non-issue for Objective-C (it’s own language)
  • 20. The Mobile Ecosystem The Players of the Game Consumer
  • 21. MDM Vendors The Enterprise Choke Point Enterprise Control Point What They Provide Device Enrollment and Management Security Management Device Configuration Device Monitoring Software Management Security Components Passcode Enforcement Encryption Feature Restriction Compliance Locate and Wipe Certificate Management
  • 22. Mobile Anti-Virus Old Methods Rehashed Old Methods Rehashed What They Provide Quarantine and Eradicate Malware Signature Based Analysis Security Components Locate, Lock, and Wipe Cloud Analysis Spam Filtering Email Attachment Scanning Data Backup
  • 23. Application Markets The Distributor The Distributor What They Provide Marketplace for Applications User Ratings Application Updates Security Components Application Approval Process Android Bouncer iOS Scanning
  • 24. Developers The Source The Source What They Provide Enterprise Application Development Consumer Application Development Cross-platform Expertise Security Components Variable on Developer Capabilities
  • 26. The Fix Securing Against Multiple Threats Capabilities Mapping Malware Detection Vulnerability Analysis
  • 27. Capabilities Mapping Features and Permissions Data Sources Data Sinks Mapping • Location Data • HTTP Requests User Facing • Contacts • Outbound SMS • Email • Outbound Email • Trace Sources to Sinks • SMS Data • DNS Requests • Application “Intent” • SQL Access • TCP • Permission Mapping • File System • UDP • Human Intelligence • Photos • Vulnerable Code • Phone ID Values Code Flow Data Flow
  • 28. Malware Detection Learn From Previous Mistakes Static Signatures Analysis Signatures Human Signatures Intelligence Dynamic Basic Heuristics Analysis
  • 29. Vulnerability Analysis Find the Flaws Environmental Flaws Application Flaws
  • 30. Strategic Control Points Security and Power Application Markets Enterprise Developers MDM Consumer Developers Outsourced Developers Anti-Virus COTS Developers … Developers Enterprise
  • 31. Enterprise Fixes De-Risk B.Y.O.D Policy Process Technical Controls
  • 32. Consumer Fixes Will Users Learn? Security Awareness • Read EULAs & prompts.. • Understand permissions • Know what jail breaking does to the security posture of the device • Recognizing phishing and social engineering • Practice practice practice
  • 33. Permissions *SCOFF* Just Let Me Fling Birds at Pigs Already!
  • 34. Vendor Fixes It Takes a Village Verification Process and Policy User Facing Platform Security
  • 35. Developer Fixes Secure Coding TRAINING SDLC AWARENESS
  • 36. The Road Ahead Where do we go from here? Capabilities Malware Vulnerability A Safer + + = Mapping Detection Analysis Mobile Path
  • 37. Sources Show me the data • http://www.juniper.net/us/en/local/pdf/additional-resources/7100155-en.pdf Juniper Network Trusted Mobility Index • http://countermeasures.trendmicro.eu/wp-content/uploads/2012/02/History-of-Mobile-Malware.pdf A History of Malware – Trend Micro • http://www.cs.berkeley.edu/~afelt/felt-mobilemalware-spsm.pdf A Survey of Mobile Malware In The Wild – UC Berkeley • http://www.securelist.com/en/analysis/204792222/Mobile_Malware_Evolution_Part_5 Mobile Malware Evolution Part 5 – Kaspersky Labs • http://www.csc.ncsu.edu/faculty/jiang/pubs/OAKLAND12.pdf Dissecting Android Malware: Characterization and Evolution – Yajin Zhou and Xuxian Jiang • http://www.fiercemobilecontent.com/story/apples-new-ios-6-adds-deep-facebook-integration-dumps-google- maps/2012-06-11 Apple's new iOS 6 adds deep Facebook integration, dumps Google Maps • http://www.net-security.org/secworld.php?id=13050 LinkedIn Privacy Fail • http://www.trailofbits.com/resources/mobile_eip_2.pdf Mobile Exploit Intelligence Project – Trail of Bits • http://www.net-security.org/secworld.php?id=12418 Social Mobile Apps Found Storing User’s Content Without Permission • And More…. Contact me if you need something specific I may have left out…