Future of Mobile App Security. Vincent Sritapan Program Manager Cyber Security Division Science and Technology Directorate

Transcription:

Slide 1: Future of Mobile App Security. Vincent Sritapan, Program Manager, Cyber Security Division, Science and Technology Directorate

Slide 2: Do You Know What Your Apps Are Doing?
- Spying: microphone and camera surveillance; location tracking; reading browser history and chat messages
- Stealing money: premium-rate SMS and calls; interception of mobile banking passwords; mobile ransomware
- Stealing data: collecting device data (IMEI, OS, configuration); collecting user data (media, documents, account information)
- Reconfiguring settings: elevating privileges; modifying user and device settings

Slide 3: The Mobile App Security Problem
- Developers focus on productivity and innovation; security and privacy are an afterthought
- Malicious, exploitative, and low-quality apps are sold or given away across a wide range of regulated and unregulated marketplaces
- Users have little understanding of app permissions and behaviors

Slide 4: Securing Mobile Apps is Hard!
- Broad and varied attack surface: data at rest, data in transit, app code, third-party libraries, dev platform, permission levels
- Constant change: new apps, app updates, new devices, OS updates, service provider updates
- Need security evaluation at different stages of the app lifecycle
- Need a mixture of different security analysis tools: static, dynamic, and behavioral evaluation across the app lifecycle
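Slides 2 and 4 together describe the static stage of app vetting: reading off what an app could do from the permissions it declares. The following is an added example, not code from the deck or from Kryptowire: a small Python static check over a constructed AndroidManifest.xml that groups requested permissions into the four behavior categories of slide 2 and flags one combination worth escalating to dynamic analysis. The permission-to-category mapping and the sample app are assumptions.

```python
import json
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping of Android permissions to the four behavior groups on slide 2.
BEHAVIOUR_PERMISSIONS = {
    "Spying": {"RECORD_AUDIO", "CAMERA", "ACCESS_FINE_LOCATION", "READ_HISTORY_BOOKMARKS"},
    "Stealing Money": {"SEND_SMS", "RECEIVE_SMS", "CALL_PHONE"},
    "Stealing Data": {"READ_PHONE_STATE", "READ_CONTACTS", "READ_EXTERNAL_STORAGE", "GET_ACCOUNTS"},
    "Reconfiguring Settings": {"WRITE_SETTINGS", "WRITE_SECURE_SETTINGS", "CHANGE_CONFIGURATION"},
}

# Constructed manifest for a hypothetical wallpaper app; not a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Wallpapers"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the short permission names (prefix stripped) declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {node.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
            for node in root.iter("uses-permission")}


def classify(perms):
    """Group requested permissions by the slide-2 behavior category they enable."""
    return {cat: sorted(perms & allowed)
            for cat, allowed in BEHAVIOUR_PERMISSIONS.items() if perms & allowed}


def vet(manifest_xml):
    """Static-stage result: permissions, behavior categories hit, and combinations needing dynamic review."""
    perms = requested_permissions(manifest_xml)
    flags = []
    if {"SEND_SMS", "RECEIVE_SMS"} <= perms:
        # Sending plus reading SMS matches the premium-rate SMS and banking-code interception
        # pattern on slide 2; static analysis alone cannot tell, so escalate.
        flags.append("sends and reads SMS: premium-rate or OTP-interception pattern, escalate to dynamic analysis")
    return {"permissions": sorted(perms), "behaviours": classify(perms), "flags": flags}


if __name__ == "__main__":
    print(json.dumps(vet(SAMPLE_MANIFEST), indent=2))
```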

Slide 5: Mobile Malware (OOPS!)
- Poorly designed apps: well-intended, but security models not sound or incomplete
- Fake/rogue apps: disguised as legitimate apps to confuse consumers
- Dead apps: revoked apps that remain in use
- Grayware: apps not technically malware, but exhibiting undesirable behavior
- Malware: apps similar to desktop malware (viruses, worms, trojans)

Slide 6: Android Malware
- In 2014, 17% (~1 million) of all Android apps were malware in disguise [1]
- Bypassing Google Play screening: dynamically downloading malicious code after installation; a website tricks the user into installing an app containing malware as an "update" to a legitimate app; detecting whether the app is running inside malware debugging software and disabling the malicious functionality
- Malware examples in Google Play, 2012 to 2015: Find and Call, Finger Hockey, Subway Surfers Free Tips, RunRunBearII, KorBanker, FlappyBird clones, Durak card game, IQ Test app, History app, BeNews app
1. Citation: http://www.symantec.com/security_response/publications/threatreport.jsp

Slide 7: Apple iOS Malware
- Less common (less market share), but subject to similar vulnerabilities and attack methods
- Bypassing Apple screening: abusing the enterprise provisioning process normally intended for distributing custom enterprise apps; an app that appears benign on original submission but includes gadgets that self-assemble into an exploit after the app is approved; exploiting URL schemes to hijack information passed between apps
- Malware examples in the Apple App Store, 2012 to 2015: Find and Call, Jekyll news reader, Masque Attack, WireLurker, Xsser mRAT, XARA (aka Apple Cored), XAgent

Slide 8: Mobile App Security R&D Vision: Enabling Secure Use of Mobile Apps for the Mission
- Consistent, repeatable approach to mobile app security testing
- Increased confidence that apps are secure, operate as intended, and do not compromise privacy
- Continuous automated assurance for mobile apps
- Trusted repositories for apps and analysis
- Improved ability to identify and remediate vulnerabilities and coding flaws

Slide 9: Government's Approach
- Applied research: LRBAA: Kryptowire awarded $2.9M over 30 months; others TBD
- Partnerships: NIST, to align with federal standards and criteria; US-CERT/NIST, to expand Alerts and National Vulnerability Database capabilities; DHS, integration with the DHS Mobile Car Wash
- Collaboration: T&E pilots with First Responders Group / AppCom Intl, DHS components (HQ, FEMA, CBP, ICE, etc.), DOJ, GSA, and others

Slide 10: R&D Technology: Kryptowire (image slide, no transcribed text)

Slide 11: Kryptowire Portal (image slide, no transcribed text)

Slide 12: Example Analysis Report: Yelp (image slide, no transcribed text)

Slide 13: Summary
- Securing mobile apps for the enterprise is a challenge
- The future of mobile app security: a collaborative effort by government and industry to develop mobile app vetting and archiving tools and APIs; alignment with government and industry standards and best practices; convergence in the mobile technology landscape (e.g. integration with MDMs or EMMs that include application vetting); the solution needs to be seamless, a.k.a. continuous automated assurance for mobile apps

Slide 14: Thank You & Questions. Point of Contact: Vincent Sritapan, HSARPA Program Manager, Cyber Security Division, DHS Science & Technology, vincent.sritapan@hq.dhs.gov

Slide 16: Do You Know What Your Apps Are Doing? Citation: http://www.symantec.com/security_response/publications/threatreport.jsp