Fraunhofer Institute for Secure Information Technology: Security and Privacy for Mobile Applications

Fraunhofer-Gesellschaft 2013 Fraunhofer Institute for Secure Information Technology: Security and Privacy for Mobile Applications Dr. Jens Heider Head of Department Testlab Mobile Security Amt für Wirtschaft und Stadtentwicklung, Darmstadt

I need a good PDF viewer for my iphone! Dave CEO 2

PDF viewer Choose! 3

PDF Reader from UltraSoft extends the use of PDF to mobile devices, providing users with the ability to view and interact with the PDF directly on iphone or ipad devices. PDF Reader uses the same format technology used in Adobe Reader for Desktop. Created by UltraSoft, chosen partner of Adobe and established leader in engineering visualization, PDF Reader is the premier solution for mobile users. Multi-touch gestures let you pan, zoom, and rotate PDFs easily. Install! 4

Dave, wait! How do we know it s security compliant? Kate CSO 5

Come on! it's just a PDF viewer. What can be wrong? 6

Quite a lot 7

Information Disclosure through usage of System features Authentication Flaws Eavesdropping Corporate Data inadequately protected A Retrieval of Corporate Data in malicious app Storage Unwanted interaction with app / server Enterprise Server B Unauthorized usage of sensors / resources AA Flaws in Mobile API 8

Co-staring Greg CTO Mike IT Roy Indie Dev

How do Enterprises deal with the App Problem? Strict Whitelisters Only verified apps allowed Who verifies, what and how? Blacklisters Forbid insecure apps Where do we get blacklists from? Active Protectors Only scan for known malware Who verifies the scanner? Passive Protectors Only monitor for bad impacts How do we find malicious impacts? Final Straw We need it, we have to trust the provider/ developer Is there no better solution? 10

Appicaptor Framework Framework combining workflow and analyzing process for automated and manual app security evaluation Distributed system, with simple test extensions Dynamic and static code analysis Scans for known weak/erroneous implementations of security functionality and malicious patterns Based on know-how of manual testing and integrates conceptual research of CASED Individual report generation and weakness descriptions Policy-based recommendations for enterprise suitability 11

Runtime Security 100% 80% 60% 40% 20% 0% Protection by Compiler Flags 66% 65% ARC 86% 85% 86% 84% Stack Protection ASLR/PIE Top400 ios Business Apps Top400 ios Utility Apps Appicaptor Analysis, German App Store, 6.2.2014 10% 12% No Protection Hardening of Apps by Compiler Simple to active; partly now default setting Automatic Reference Counting: less risk for memory management flaws Stack Protection: increase security of stack integrity Address Space Layout Randomization: increase effort to exploit vulnerabilities Result of control sample No significant difference between business and utility apps More apps than expected have no protection 12

Ad- / Tracking Frameworks Top 400 Utilities 60% 50% 40% 30% 20% 3 : 15% 4 : 8% 2 : 14% 5 12 19% 1 : 16% No Tracking 28% 10% 0% 2013-09 2014-02 Appicaptor Analysis, German App Store, 6.2.2014 13

Top ios Apps Appicaptor Chart Statistics to be published soon

Random ios Apps Appicaptor Chart Statistics to be published soon

Appicaptor Framework Analysis workflow Apple AppStore Google Play Data Extraction Rating and Documentation App-Bundle Binaries Metadata Postprocessed analysis data Reversing Decrypt Decompile Disassemble Parse, Run... Analysis and correlation of Raw data Indicators Usable, structured data List of Indicators Raw analysis data Analysis of Source code Disassembly Metadata Behavior Investigation required Identified relevant Entry Points Focused Manual Analysis Direct Findings No automated Findings Privacy & Security Implications Manual Findings No Findings Visualization Interaction

Individual Policy Based Test Results Enterprise Appicaptor Policies: Privacy violations Malicious behaviour Suspicious behaviour Implementation flaws Test Categories: Communication Security Data Security Input Interface Security Privacy Runtime Security Enterprise security requirement specific report: App Whitelist App Blacklist Estimation on overall app security quality Evaluation of policy fulfillment Test Results: SSL Flaw Privacy Leakage... 17

Appicaptor Example Report individual policy fulfillment evaluation Test Results 18

Conclusion Only trusted applications should be used to handle enterprise data Official app markets can be a trusted source, but do not provide enterprise-grade security Define platform and application specific policies Automated testing processes support app baseline security but do not replace manual review for critical environments Specify platform specific security measures already in contract specification Keep right to use code for security audit White-box test more cost efficient Don t take security for granted. The devil is in the detail! 19

Contact Dr. Jens Heider Rheinstr. 75 64295 Darmstadt Germany E-Mail: jens.heider@sit.fraunhofer.de Web: http://www.appicaptor.de http://www.sit.fraunhofer.de 20

Picture Credits IT-Guy Photo: Kris Krüg - CC BY-SA 2.0 https://www.flickr.com/photos/kk/3193513662/ CEO Photo: Sage Ross - CC BY-SA 2.0 https://www.flickr.com/photos/ragesoss/2374914189/ CSO Photo: Christopher Michel CC BY-NC 2.0 https://www.flickr.com/photos/cmichel67/5087690757/ CTO Photo: Loren Kerns - CC BY 2.0 https://www.flickr.com/photos/lorenkerns/8586926889/ Indie-Dev Photo: Paul Downey - CC BY 2.0 https://www.flickr.com/photos/psd/3696651661/ 21