Future of Mobile App Security. Vincent Sritapan Program Manager Cyber Security Division Science and Technology Directorate

Size: px

Start display at page:

Download "Future of Mobile App Security. Vincent Sritapan Program Manager Cyber Security Division Science and Technology Directorate"

Juniper McGee
9 years ago
Views:

1 Future of Mobile App Security Vincent Sritapan Program Manager Cyber Security Division Science and Technology Directorate

2 Do You Know What Your Apps Are Doing? Spying Microphone & camera surveillance $ Location tracking Read browser history, chat msg Stealing Money Premium-rate SMS & calls Interception of mobile banking passwords Mobile ransomware Stealing Data Collect device data (IMEI, OS, config) Collect user data (media, docs, account info) Reconfiguring Settings Elevate privileges Modify user & device settings 2

Money Premium-rate SMS & calls Interception of mobile banking passwords Mobile ransomware Stealing

3 The Mobile App Security Problem Developers focus on productivity and innovation Security & Privacy are an afterthought Malicious, exploitative, and low-quality apps are sold or given away across wide range of regulated and unregulated marketplaces Users have little understanding of app permissions and behaviors 3

low-quality apps are sold or given away across wide range of regulated and

4 Securing Mobile Apps is Hard! Broad and Varied Attack Surface Data at Rest 3 rd Party Libraries Data in Transit Dev Platform Constant Change new apps, app updates, new device OS updates, service provider updates App Code Attack Surface Permission Levels Need Security Evaluation at Different Stages of App Lifecycle Need Mixture of Different Security Analysis Tools Evaluate App Lifecycle Evaluate Evaluate Dynamic Evaluate Static Behavioral 4

new apps, app updates, new device OS updates, service provider updates App Code Attack Surface Permission

5 Mobile Malware OOPS! Fake Dead Gray ware Malware Poorly Designed Apps Well-intended, but security models not sound or incomplete Fake/Rogue App disguised as legitimate app to confuse consumer Dead Apps revoked apps that remain in use Grayware Apps not technically malware, but exhibit undesirable behavior Malware Apps similar to desktop malware viruses, worms, trojans 5

sound or incomplete Fake/Rogue App disguised as legitimate app to confuse consumer Dead Apps

6 Android Malware In 2014, 17% (~1 million) of all Android apps were malware in disguise 1 Bypassing Google Play Screening dynamically download malicious code after installation website tricks user into installing app with malware as update to legitimate app detect if running inside malware debugging software & disable malicious functionality Malware Examples in Google Play Find and Call Finger Hockey Subway Surfers Free Tips RunRunBearII KorBanker FlappyBird clones Durak card game IQ Test app History app BeNews app 1. citation: 6

disable malicious functionality Malware Examples in Google Play 2012 2013 2014 2015 Find and Call Finger Hockey Subway Surfers Free Tips RunRunBearII

7 Apple ios Malware Less common (less market share), but subject to similar vulnerabilities and attack methods Bypassing Apple Screening abuse enterprise provisioning process normally intended for distributing custom enterprise apps appears benign on original submission, but includes gadgets that self-assemble to create exploit after app approved exploit URL Schemes to hijack information passed between apps Malware Examples in Apple App Store Find and Call Jekyll news reader Masque Attack WireLurker Xsser mrat Xara (aka Apple Cored) XAgent 7

gadgets that self-assemble to create exploit after app approved exploit URL Schemes to hijack information passed between apps Malware

8 Mobile App Security R&D Vision Enabling Secure Use of Mobile Apps for the Mission Consistent, repeatable approach to mobile app security testing Increased confidence apps are secure, operating as intended, & do not compromise privacy Continuous Automated Assurance for Mobile Apps Trusted repositories for apps and analysis Improved ability to identify & remediate vulnerabilities and coding flaws 8

as intended, & do not compromise privacy Continuous Automated Assurance for Mobile Apps Trusted

9 Government s Approach Applied Research LRBAA: Kryptowire awarded $2.9M over 30 months Others TBD Partnerships NIST align to federal standards & criteria US-CERT/NIST expand Alerts & National Vulnerability Database capabilities DHS integration with DHS Mobile Car Wash Collaboration T&E pilots with: First Responders Group/ AppCom Intl DHS Components (HQ, FEMA, CBP, ICE, etc) DOJ, GSA, and others 9

expand Alerts & National Vulnerability Database capabilities DHS integration with DHS Mobile Car

10 R&D Technology: Kryptowire 10

11 Kryptowire Portal 11

12 Example Analysis Report: Yelp 12

13 Summary Securing Mobile Apps for the Enterprise is a Challenge The Future of Mobile App Security: Collaborative Effort by Government & Industry to Develop Mobile App Vetting and Archiving Tools and API Align with Government & Industry Standards and Best Practices Convergence in the mobile technology landscape (e.g. integration with MDM s or EMM s that include Application Vetting.) Solution needs to be seamless, a.k.a. continuous automated assurance for mobile apps 13

Industry Standards and Best Practices Convergence in the mobile technology landscape (e.g. integration with MDM s or EMM s that include Application Vetting.

14 Thank You & Questions Point of Contact: Vincent Sritapan HSARPA Program Manager Cyber Security Division DHS Science & Technology 14

16 Do You Know What Your Apps Are Doing? Citation: 16

Enterprise Mobile Threat Report

Enterprise Mobile Threat Report The State of ios and Android Security Threats to Enterprise Mobility I. Introduction This report examines enterprise security threats for ios and Android. While Android