Defending Behind The Device Mobile Application Risks

Similar documents
APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK

BYOD: End-to-End Security

Secure Your Mobile Workplace

Practical Attacks against Mobile Device Management Solutions

Practical Attacks against Mobile Device Management (MDM) Michael Shaulov, CEO Daniel Brodie, Security Researcher Lacoon Mobile Security

CHECK POINT Mobile Security Revolutionized. [Restricted] ONLY for designated groups and individuals

Popular Android Exploits

BYOD: Should Convenience Trump Security? Francis Tam, Partner Kevin Villanueva, Senior Manager

Protecting against Mobile Attacks

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Securing mobile devices in the business environment

The dramatic growth in mobile device malware. continues to escalate at an ever-accelerating. pace. These threats continue to become more

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

THEODORA TITONIS VERACODE Vice President Mobile

... Mobile App Reputation Services THE RADICATI GROUP, INC.

Why you need. McAfee. Multi Acess PARTNER SERVICES

Mobile Security & BYOD Policy

Mobile Device Management

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Enterprise Application Security Workshop Series

Tutorial on Smartphone Security

Modern Cyber Threats. how yesterday s mind set gets in the way of securing tomorrow s critical infrastructure. Axel Wirth

IT TRENDS AND FUTURE CONSIDERATIONS. Paul Rainbow CPA, CISA, CIA, CISSP, CTGA

Next-Generation Firewalls: Critical to SMB Network Security

Feature List for Kaspersky Security for Mobile

Securing end-user mobile devices in the enterprise

Network Test Labs (NTL) Software Testing Services for igaming

Endpoint Business Products Testing Report. Performed by AV-Test GmbH

How Security Testing can ensure Your Mobile Application Security. Yohannes, CEHv8, ECSAv8, ISE, OSCP(PWK) Information Security Consultant

Can Consumer AV Products Protect Against Critical Microsoft Vulnerabilities?

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

AGENDA. Background. The Attack Surface. Case Studies. Binary Protections. Bypasses. Conclusions

Advanced Online Threat Protection: Defending. Malware and Fraud. Andrew Bagnato Senior Systems Engineer

Bring Your Own Device (BYOD) & Customer Data Protection Are You Ready?

Guideline on Safe BYOD Management

Cloud Security Primer MALICIOUS NETWORK COMMUNICATIONS: WHAT ARE YOU OVERLOOKING?

Kaspersky Security 10 for Mobile Implementation Guide

Adobe Flash Player and Adobe AIR security

User Documentation Web Traffic Security. University of Stavanger

How To Manage Security On A Networked Computer System

BYOD Guidance: BlackBerry Secure Work Space

Covert Operations: Kill Chain Actions using Security Analytics

Building a Mobile App Security Risk Management Program. Copyright 2012, Security Risk Advisors, Inc. All Rights Reserved

Mobile Exploit Intelligence Project

El costo oculto de las aplicaciones Vulnerables. Faustino Sanchez. WW Security Sales Enablement. IBM Canada

Enterprise Apps: Bypassing the Gatekeeper

Workday Mobile Security FAQ

Mobile App Containers: Product Or Feature?

End User Devices Security Guidance: Apple ios 8

Mobile Protection. Driving Productivity Without Compromising Protection. Brian Duckering. Mobile Trend Marketing

Hands on, field experiences with BYOD. BYOD Seminar

Analysis of advanced issues in mobile security in android operating system

Total Enterprise Mobility

Android Security - Common attack vectors

BYPASSING THE ios GATEKEEPER

Norton Mobile Privacy Notice

Security Evaluation CLX.Sentinel

Cloud App Security. Tiberio Molino Sales Engineer

Mobile App Reputation

Auditing the Security and Management of Smart Devices. ISACA Dallas Meeting February 13, 2014

Deep Discovery. Technical details

Detecting peer-to-peer botnets

Izplatītākie mobilo iekārtu lietošanas riski, kas apdraud organizācijas datu un informācijas sistēmu drošību Raivis Kalniņš 2015, Riga

Endpoint protection for physical and virtual desktops

The Mobile Malware Problem

Securing Office 365 with MobileIron

MALWARE THREATS AND TRENDS. Chris Blow, Director Dustin Hutchison, Director

Kaspersky Security for Mobile

Endpoint protection for physical and virtual desktops

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

Modular Network Security. Tyler Carter, McAfee Network Security

Integrated Approach to Network Security. Lee Klarich Senior Vice President, Product Management March 2013

Kaspersky Lab Mobile Device Management Deployment Guide

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

Securing and Monitoring BYOD Networks using NetFlow

Advanced ANDROID & ios Hands-on Exploitation

SecuRity technologies for mobile and Byod.

ios Security The Never-Ending Story of Malicious Profiles Adi Sharabani Yair Amit CEO & Co-Founder Skycure CTO & Co-Founder

Cyber Security. An Executive Imperative for Business Owners. 77 Westport Plaza, St. Louis, MO p f

The Incident Response Playbook for Android and ios

SYLLABUS MOBILE APPLICATION SECURITY AND PENETRATION TESTING. MASPT at a glance: v1.0 (28/01/2014) 10 highly practical modules

CounterACT Plugin Configuration Guide for ForeScout Mobile Integration Module MaaS360 Version ForeScout Mobile

Next Generation Firewalls and Sandboxing

Malware Detection in Android by Network Traffic Analysis

How To Protect Your Mobile Device From Attack

Transcription:

Defending Behind The Device Mobile Application Risks Tyler Shields Product Manager and Strategist Veracode, Inc Session ID: MBS-301 Session Classification: Advanced

Agenda The What The Problem Mobile Ecosystem 1 2 3 4 Threat Landscape The Fix

The Problem 1 3

What Are The Risks Define the Threats 4

Securing the SDLC The Developer View Priorities Identify 1. Vulnerabilities 2. Capabilities 3. Malware Retest Educate Remediate 5

Moving Into The Enterprise Bring Your Own Device Priorities 1. Malware 2. Capabilities 3. Vulnerabilities 6

Risk is not binary Risk is analog Policy Confidentiality Rating Integrity Rating Accessibility Rating Exfiltration of Sensitive Data Disclosure of Secrets Can Data be Modified Is Data Always Accessible 7

Mobile Crossroads The Inflection Point Do you trust the security of your mobile device 63% Have yet to make up their minds 8

Threat Landscape 2 9

The Mobile Threat Landscape 10

Mobile Malware Mobile Networks Decentralized Interconnected Mobile Quick Content Retrieval Perfect Malware Decentralized Interconnected Mobile Quick Content Retrieval 11

12 Statistics

Malware Timeline 2011 July August September October November Early to the Game Malware Wave Begins Exponential Growth 13

Primary Target Android Most Targeted (65%) ios Absent (<1%) WHY 7% 1% 65% 27% Closed Technology Harder to Reverse Engineer Stronger OS Security Better App Store Security No Fragmentation Issue Android J2ME Symbian Windows Mobile Distribution of Mobile Threats by Platform 2011 14

Mobile Malware Repackaging Update 86% Choose popular app Disassemble Add malicious payloads Re-assemble Submit new app to public market Similar to repackaging Does not add full payload Adds small downloader Payload downloaded at runtime 7% Drive-By Standalone <1% Entice users to download malware Distributed via malicious websites May or may not contain a browser exploit Commercial spyware Non functional fake apps (Fake Netflix) Functional Trojan code Apps with root exploits 14% 15

Mobile Malware Privilege Escalation Remote Control 37% Attempts root exploits Small number of platform vulnerabilities May use more than one exploit for attack Advanced obfuscation seen in the wild Similar to PC bots Most use HTTP based web traffic as C&C Advanced C&C models translating from PC world 93% 45% SMS Financial Charges Premium rate SMS Both hard-coded and runtime updated numbers Employ SMS filtering Information Collection Harvests personal information and data User accounts GPS location SMS and emails Phone call tapping Ad Libraries 45% Phone Number 16

Application Behaviors Previous Code Web Sources Your Code Binary 3 rd Party Libraries Source 3 rd Party Libraries 17

Case studies WoW Lots! 18

Vulnerabilities Sensitive data leakage (inadvertent or side channel) Unsafe sensitive data storage Unsafe sensitive data transmission Hardcoded password/keys 19

Vulnerabilities Layered APIs on common languages Blackberry and Android use Java as a base Non-issue for Objective-C (it s own language) 20

Mobile Ecosystem 3 21

The Mobile Ecosystem The Players of the Game Consumer 22

MDM Vendors The Enterprise Choke Point Enterprise Control Point What They Provide Device Enrollment and Management Security Management Device Configuration Device Monitoring Software Management Security Components Passcode Enforcement Encryption Feature Restriction Compliance Locate and Wipe Certificate Management 23

Mobile Anti-Virus Old Methods Rehashed Old Methods Rehashed What They Provide Quarantine and Eradicate Malware Signature Based Analysis Security Components Cloud Analysis Spam Filtering Email Attachment Scanning Data Backup 24

Application Markets The Distributor The Distributor What They Provide Marketplace for Applications User Ratings Application Updates Security Components Application Approval Process Android Bouncer ios Scanning 25

Developers The Source The Source What They Provide Enterprise Application Development Consumer Application Development Cross-platform Expertise Security Components Variable on Developer Capabilities 26

The Fix 4 27

The Fix Securing Against Multiple Threats Behavioral Analysis Malware Detection Vulnerability Analysis 28

User Facing Static Behavioral Analysis Features and Permissions Data Sources Data Sinks Mapping Location Data Contacts Email SMS Data SQL Access File System Photos Phone ID Values HTTP Requests Outbound SMS Outbound Email DNS Requests TCP UDP Vulnerable Code Trace Sources to Sinks Application Intent Permission Mapping Human Intelligence Code Flow Data Flow 29

Dynamic Behavioral Analysis Playing in the Sandbox Instrumented Analysis Sandboxed Emulator Instrumented Fuzzy Logic Inputs Tracked Outputs Tracked System State Example Data Gathered Network Traffic CPU Utilization Memory Footprint Mapping Screen to Functionality 30

Malware Detection Learn From Previous Mistakes Signatures Signatures Signatures Basic Heuristics Static Analysis Human Intelligence Dynamic Analysis 31

Vulnerability Analysis Find the Flaws Environmental Flaws Application Flaws 32

Strategic Control Points Security and Power Application Markets MDM Anti-Virus Enterprise Developers Consumer Developers Outsourced Developers COTS Developers Developers Enterprise 33

Enterprise Fixes De-Risk B.Y.O.D Policy Process Technical Controls 34

The Road Ahead Where do we go from here? Capabilities Mapping + Malware Vulnerability Detection + Analysis = A Safer Mobile Path 35

Sources Show me the data @txs tshields@veracode.com http://www.juniper.net/us/en/local/pdf/additional-resources/7100155-en.pdf Juniper Network Trusted Mobility Index http://countermeasures.trendmicro.eu/wp-content/uploads/2012/02/history-of-mobile-malware.pdf A History of Malware Trend Micro http://www.cs.berkeley.edu/~afelt/felt-mobilemalware-spsm.pdf A Survey of Mobile Malware In The Wild UC Berkeley http://www.securelist.com/en/analysis/204792222/mobile_malware_evolution_part_5 Mobile Malware Evolution Part 5 Kaspersky Labs http://www.csc.ncsu.edu/faculty/jiang/pubs/oakland12.pdf Dissecting Android Malware: Characterization and Evolution Yajin Zhou and Xuxian Jiang http://www.fiercemobilecontent.com/story/apples-new-ios-6-adds-deep-facebook-integration-dumps-googlemaps/2012-06-11 Apple's new ios 6 adds deep Facebook integration, dumps Google Maps http://www.net-security.org/secworld.php?id=13050 LinkedIn Privacy Fail http://www.trailofbits.com/resources/mobile_eip_2.pdf Mobile Exploit Intelligence Project Trail of Bits http://www.net-security.org/secworld.php?id=12418 Social Mobile Apps Found Storing User s Content Without Permission And More. Contact me if you need something specific I may have left out 36

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information