... Mobile App Reputation Services THE RADICATI GROUP, INC.

Transcription

1 . The Radicati Group, Inc Embarcadero Road, Suite 206 Palo Alto, CA Phone Fax THE RADICATI GROUP, INC. Mobile App Reputation Services Understanding the role of App Reputation Services in delivering Enterprise Grade Mobile Security A Whitepaper by The Radicati Group, Inc.

2 Table of Contents Introduction The Growth in Number of Mobile Apps Different Layers of Mobile Security Current Approaches for Dealing with App Security Webroot s Mobile App Reputation Service Conclusions and Recommendations...11 This whitepaper was sponsored by Copyright May 2013, The Radicati Group, Inc. 2

3 INTRODUCTION Smartphones and tablets continue to be heavily adopted by enterprises and consumers alike and have changed the way people live and work. While this leads to greater user freedom and empowerment it also opens the way to more security vulnerabilities than ever before, as mobile devices are increasingly becoming the target of hackers and cybercriminals. Security concerns exist at all levels of the mobile ecosystem, including the mobile device hardware, the operating system layer and the mobile browser capabilities, however, nowhere is the threat of malware or malicious activity more challenging than at the application level. The sheer number of apps from different sources, presents an enormous threat vector for malware and malicious activity, particularly as users are not always fully aware of how apps behave and are therefore lax in how they protect against potential unwanted behavior. Mobile app stores provide access to billions of apps, some of which have been tested to some degree but many of which are only minimally vetted before being accepted for store distribution. The Apple itunes store boasts 775,000 apps as of January 2013, while the Google Play Store had 900,000 apps online as of May While Apple is famous for its strict app vetting approach, Google has taken a more relaxed attitude and allows app developers greater freedom to upload apps to its store. Regardless of the amount of testing that an app store vendor may do, however, the sheer volume of these apps makes it impossible for a single user or organization to be 100% sure of which apps are trustworthy. In addition, app behavior can range widely from mildly annoying, such as issuing excessive pop-ups, to unwanted excessive use of the mobile device s communication capabilities, to outright downloading of malicious viruses or Trojan code. The only way to successfully deal with the onslaught of apps and the potential risks they represent is to rely on a mobile app reputation service. Mobile app reputation services can provide intelligence and granular threat assessments on millions of apps and are an essential aspect of a complete security strategy for Mobile App Developers, Mobile Device Management (MDM) vendors, Mobile App Store vendors, mobile carriers and anyone who needs to deliver application security to their customers. This whitepaper discusses the need for mobile app reputation services, and presents Webroot s App Reputation Service and the unique threat protection capabilities it delivers to partners and Copyright May 2013, The Radicati Group, Inc. 3

4 customers to ensure that their mobile applications are safe and compliant. In addition, Webroot s App Reputation Service provides a wealth of general information about app characteristics which can be used to set granular policies on app delivery and behavior permissions. 1.0 THE GROWTH IN NUMBER OF MOBILE APPS The number of apps available for mobile devices continues to climb sharply. In early 2013, Apple was adding apps to its store at a rate of about 20,000 apps per month, and Android apps were appearing at a similar pace. These apps are made by a variety of publishers. Well-known companies in different verticals, such as media, entertainment, and gaming, all have multiple apps available on multiple mobile OS platforms. The publication process for apps is also relatively easy, enabling sole developers to create an app in their spare time. With such a large number of apps available, it is not surprising that the app stores run by Apple and Google have over 1.5 million applications available for download. As of mid-2013, there have been approximately 100 billion downloads of apps between these two stores at a roughly even split with Apple announcing its 50 billionth app downloaded and Google announcing 48 billion app downloads just one day apart. With the massive growth in these numbers, we expect users to download another 100 billion apps in less than a year from these announcements. 2.0 DIFFERENT LAYERS OF MOBILE SECURITY The dramatic increase in the number of apps available has been fueled by the growing number of mobile devices that are used by consumers and business users. In fact, often these two types of users are fused into one with the Bring Your Own Device (BYOD) trend that has become popular across all verticals. Organizations were at first ambivalent, if not out-right opposed, to the idea of their employees being able to take home corporate data on a device easily misplaced, lost, or stolen. Organizations, however, are not able to stop or slow down this trend. This means that mobile security is more important than ever. Today, we can think of mobile security as comprising three different layers: Copyright May 2013, The Radicati Group, Inc. 4

5 Device layer protects and enforces policies on the physical hardware of mobile devices. Most mobile devices today come with cameras, GPS, Bluetooth, and other sophisticated hardware that can be exploited in certain scenarios. Getting a hold of these device-level features paves the way to enforce security on the operating system and application layers that rely on the device-level features for input. The operating system layer is the driving force of a mobile device, it takes inputs from the user and provides the user with feedback in return. The operating system layer is fundamental to device security as it and can enforce passcodes for device access, remote wipe features, block access to device communication resources, such as GPS or Bluetooth connectivity. However, protection at this layer is not able to recognize unwanted or malicious behavior by individual apps. App layer applications can store sensitive data that employees need to access on a daily basis. The security risk for these apps relates to loss of data. In order to ensure the integrity of the data contained within apps, organizations use additional forms of authentication, encryption, VPN tunneling, and more. In addition, certain apps cannot be trusted, such as games or rogue mobile banking apps, and must be blacklisted based on their threat to worker productivity, data exploitation, and other threats. Table 1, summarizes some of the security threats that may be found at each layer. Layer Device Operating System Applications Mobile Security Threats Threat Examples WiFi connecting to a rogue network; compromised Bluetooth connection; unauthorized camera usage; etc. Devices without a passcode; flaw or exploit in any native; required application (e.g. phone or Web browsing app); etc. Data is left unencrypted when sending over a network; device user is not authenticated when opening an app; etc. Table 1: Common Security Threats at Each Layer of a Mobile Device Copyright May 2013, The Radicati Group, Inc. 5

6 3.0 CURRENT APPROACHES FOR DEALING WITH APP SECURITY The security elements for the device and operating system layers have remained manageable for MDM vendors to keep up with. It is the apps, however, that are difficult to keep up with since they can literally be updated on a daily basis. This makes ensuring security at the application layer a very difficult proposition. Today, app security is normally addressed with some of the following techniques: Mobile device management is seen as the base level of security that utilizes device and operating system controls to keep devices secure. While this type of security keeps an entire device secure, there are minimal features available for applying granular protection to individual apps on the mobile device. App whitelisting/blacklisting addresses the security of applications on a mobile device. Administrators decide which apps to block or allow in a strictly binary fashion. While this does solve the problem of app security, the success of this approach is proportional to the amount of time spent by an administrator to decide which apps to whitelist or blacklist. With a growing number of apps available that users need to install on their mobile device, it will be impossible to maintain a list of every app that is good or bad. In addition, due to their binary nature, whitelist/blacklist approaches tend to easily generate false positives. Containerization also addresses the security aspect of applications, but this is a long and arduous process that should be reserved for custom-built apps or apps that contain very sensitive data. It is not necessary to containerize apps that are seemingly harmless, yet these apps must be addressed with some type of security feature. Containerizing every app would simply be too labor intensive. Table 2, summarizes these approaches to mobile device protection and some of the limitations they present in dealing specifically with app security. Copyright May 2013, The Radicati Group, Inc. 6

7 Approach Mobile Device Management App Whitelisting / Blacklisting Containerization Protecting Mobile Devices Limitations Focused mainly on device-level controls and not at app-borne threats. Binary approach that is too labor-intensive for the millions of apps available. Can easily generate false positives. Only necessary for enterprise apps, not wellsuited for personal or "mass-market" apps. Malicious apps can still infect the device layer even if they are containerized. Table 2: Protecting Mobile Devices In the current mobile environment that organizations face, there are simply too many apps to handle with containerization or blacklisting/whitelisting. Furthermore, a whitelisted app can easily turn malicious with an update. While it is certainly true that some apps, such as enterprisespecific apps, must be containerized or treated with special care, the majority of apps ought to be secured through an automated process that offers granularity about an apps behavior. An app reputation service can provide this service of pre-vetting apps to determine any malicious intent. App reputation services rely on a large number of inputs to automatically evaluate mobile apps, such as mobile malware signatures, mobile Web URLs, and much more. Using a broad range of inputs, an app reputation service can go beyond binary rankings that send apps to blacklists or whitelists. Furthermore, with the large amount of inputs used, an app reputation system can generate reputation scores that result in few, if any, false positives. 4.0 WEBROOT S MOBILE APP REPUTATION SERVICE While the protection of corporate-sanctioned apps is achieved through their own special, intricate methods of containerization, app wrapping, and more, the protection from the millions of noncorporate-sanctioned apps, such as personal or mass-market apps is too restrictive if it is addressed with only whitelists/blacklists, or too liberal if it is entirely unregulated. All too often mobile device users trust apps with any and all of their information simply because it is downloaded from the Google Play store or Apple App Store. IT Admins need to ability to make decisions on criteria beyond whether or not a mobile app is malicious or not. Copyright May 2013, The Radicati Group, Inc. 7

8 The Webroot Mobile App Reputation Service solves this problem by gauging the riskiness of an app from a massive amount of data from various inputs to determine if the app contains any threats or suspicious behavior. The Webroot Mobile App Reputation Service will rank an app according to the following categories: Malicious the app contains some form of malware designed to exploit the mobile operating system or device. Unwanted the app contains unnecessary and intrusive ads, popups, privacy policies, or other forms of invasive behavior. Suspicious the app contains unwanted or malicious components, but its behavior does not trigger any of Webroot s proprietary heuristics. Moderate the app is likely benign, but it may contain dangerous permissions Benign the app does not contain any dangerous permissions. Trustworthy the app has been scored as safe with no malicious behavior. In order to arrive at these rankings, Webroot takes each app through a five step process that closely examines the behavior, intentions, and risk of an app. The technology that powers the Webroot Mobile App Reputation Service is based on Webroot s principal cloud based security intelligence Webroot Intelligence Network (WIN), which collects billions of pieces of information from multiple sources, such as Web, endpoint, and mobile security services. Relying on WIN technology, Webroot s Mobile App Reputation Service is differentiated by its ability to use automated machine learning to collect, analyze and classify millions of mobile applications. The service also has access to a massive database of over 100 terabytes of every piece of malware that the vendor has ever seen and other proprietary threat databases that each app can be referenced against. The Webroot Mobile App Reputation Service also relies on its own proprietary heuristics that scan app behavior in a mobile sand-boxed environment. This behavior assessment is an essential element of the inspection process as apps are capable of deception and acting differently than assumed. Webroot s behavior inspection, however, helps avoid this type of deception. Figure 1, shows how the Webroot Mobile App Reputation Service arrives at a trust level for an app and its ability to deliver this data to its partners. Copyright May 2013, The Radicati Group, Inc. 8

9 Feedback Loop Mobile App Reputation Services Direct downloads from app stores Collection File sharing among other security vendors Data from millions of Webroot SecureAnywhere users Metadata about each app, such as app user ratings Analysis Package inspection of APK, IPA, etc. Runtime analysis to examine behavior Disassembly for source code inspection AI analysis with proprietary heuristics, SVM, and more MD5 hash inspection for malware Metadata inspection, such as developer or popularity Classification & Scoring Partner API Initialized with a clean score of 100 Once analyzed, scored based on riskiness Ranked from Trustworthy to Malicious Available via a RESTful Web service API Apps can be looked up via package name or MD5 App permission requests, runtime captures, source code files, and more can be accessed via the Partner API Figure 1: Webroot Mobile App Reputation Service Process Based on this process, Webroot assigns a reputation score to each application. Webroot has also devised a simple reputation band classification that streamlines the interpretation of the numeric reputation score. The reputation score and band classification are exposed to partners and developers through an efficient RESTful Web service API. The API can be easily integrated by Mobile App Developers, Mobile Device Management (MDM) vendors, Mobile App Store vendors, mobile carriers and anyone who needs to deliver application security. The API can also expose a great deal of additional information about each mobile app, such as: digital certificate information, runtime captures, and permissions requests, and much more. This information can be used to set policies for app management. For instance, a policy could be created around the categories of apps that should or should not be allowed to be installed on devices; such as an administrator could set a policy to block all games, or social networking apps, etc. Data elements exposed through the API include: Copyright May 2013, The Radicati Group, Inc. 9

10 Application reputation Blacklist Whitelist Basic file and package information Digital certificate information Manifest data Permission requests Requested phone features Runtime captures Source code files Top number of malicious applications Most recent files added Google Play information Market prevalence information By using this wealth of information about mobile apps, Mobile App Developers, Mobile Device Management (MDM) vendors, Mobile App Store vendors, mobile carriers and others, can leverage Webroot s Mobile App Reputation Service a general purpose mobile app information delivery mechanism in conjunction to its security intelligence capabilities. Using Webroot s Mobile App Reputation Service ratings, an analysis of 2.62 million Android apps and 670,000 ios apps carried out in mid-2013 yielded the scoring shown in Figure 2 below. Android Application Behavior ios Application Behavior Trustworthy 18% Unwanted 7% Benign 41% Suspicious 0.002% Moderate 3% Trustworthy 7% Suspicious 19% Moderate 5% Malicious 10% Benign 90% Figure 2: App Reputation Rankings, 2013 This snapshot of the app reputation rankings taken from Webroot s own Mobile App Reputation Service is quite alarming: more than 4 out of 10 Android apps contain some form of malware, over-stepping permission, or other cause for worry. Mobile apps on ios represented less of an Copyright May 2013, The Radicati Group, Inc. 10

11 obvious threat, mainly due to Apple s own strict app vetting process, but even these apps while not malicious may present some unwanted characteristics. The Webroot Mobile App Reputation Service lets users of its Partner API block apps with a certain reputation, but the service also allows users to achieve even more granularity by letting administrators couple app rankings with individual app permissions. For example, an organization may want to allow apps ranked as Moderate, but it can still disallow Moderate apps that contain certain permissions, such as access to a contact list. With this amount of granularity, the Webroot Mobile App Reputation Service is capable of creating a mobile security policy that isn t too restrictive or too liberal, but is just right for an organization s given risk appetite. 5.0 CONCLUSIONS AND RECOMMENDATIONS With the onslaught of app-borne malware and threats, app reputation services are the only way to effectively protect mobile devices. Mobile device security approaches at the device, operating system, and application layers are necessary, but these approaches need to be augmented with a powerful app reputation service that can deal effectively with the growing challenge posed by app-borne threats. In selecting a potential mobile app reputation service provider it is important to weigh the vendor s overall expertise in the security field as well as their understanding of the specific peculiarities and challenges posed by the mobile world. In particular, it is essential to select a mobile app reputation service that: a. Has constant updates through a broad base of inputs and feedbacks which refresh its definitions frequently and on an on-going basis. b. Is easy to work with and integrates well with a lot of different app delivery scenarios and packaging options. c. Provides deep granularity of information concerning potential threats and multiple app characteristics allowing an IT administrator to make decisions based on risk profile. d. Is easily adapted to meet different security policy needs and can evolve as customer needs change. e. Exposes a wealth of information about mobile apps which can be used for to set policies, analyze trends and develop different use scenarios. Copyright May 2013, The Radicati Group, Inc. 11

12 Webroot s Mobile App Reputation Service offers a top-of-the-line app reputation service, backed by the vendor s core competency in security. Webroot s mobile app reputation service meets all the key characteristics described above and provides a reliable partner with leading edge technology that can be easily incorporated in solutions from Mobile App Developers, Mobile Device Management (MDM) vendors, Mobile App Store vendors, mobile carriers and anyone who needs to deliver mobile application to their customers. Copyright May 2013, The Radicati Group, Inc. 12