White Paper: Zero Trust Mobile Security
An Introduction to the BETTER Mobile Security Platform

BETTER at work.

Contact us:
BETTER Mobile Security
110 Fifth Avenue, New York, NY 10023
+1 877-710-5636
info@better.mobi
www.better.mobi

Protecting Android Mobile Devices from Known Threats

Android OS: A Popular Target for Hacks

In the tech industry, it's a truism that hackers focus their attention on afflicting the largest number of targets possible, resulting in a perception that market giants are riddled with vulnerabilities. Google's Android operating system is just such a target. According to an IDC study, Android possesses an 81.1% share of the smartphone market. Numbers that high are irresistible to hackers, which is why Android devices need to be protected from unauthorized access. Add to the equation too that the Android operating system has been implemented on many disparate devices designed by myriad vendors. This distributed implementation scenario has fragmented Android's native security model, which has resulted in a variety of openings that cyber attackers can exploit.

Common Android Vulnerabilities

Once an attacker gains access to a device's operating system, they can gain elevated privileges to monitor user activity, thereby putting personal data and security at risk. They can also execute malicious code and run unwanted programs to bend the device to their will. All of this can be done without the user suspecting that their device has been infected. Here are some of the most common Android vulnerabilities that malicious programmers seek to exploit. It should be noted that many of these vulnerabilities are inherent to mobile and Wi-Fi devices in general, and do not necessarily reflect a flaw in Android's design and implementation.

All trademarks and registered trademarks contained herein are property of their respective holders. Rather than identifying a trademark by symbol with every occurrence, names and logos are used in an editorial fashion, with no intention of infringement of the respective owner's property.
Executive Summary

The increasing threats to mobile security. The cumulative number of mobile threats is expected to double from the previous year, reaching over 8 million spread across devices and applications [1]. While analysts have identified the need for real-time, self-aware and self-protecting endpoints, MDM/EMM and MAM solutions that do not address real-time threats still dominate the market.

A zero trust approach for protecting today's mobile user. According to cyber security research, the vulnerabilities in mobile devices and apps will become even greater risks in 2015 [1]. Zero trust is an approach to security that follows the mantra of "never trust, always verify." It views every entity, including networks and apps, as hostile and assumes that a breach is inevitable. Operating from that perspective sets a mandate for a more complete security solution, as opposed to traditional perimeter-based approaches. When applied to mobile security, a zero trust approach continuously monitors and verifies exactly what is happening on the network, the mobile device itself, and the apps installed on the device, and actively detects and prevents threats in real time.

In order for a zero trust mobile security solution to be effective, it has to operate based on the following principles:

- You cannot trust the network
- You cannot trust the device
- You cannot trust the apps
- You cannot trust the user
In this white paper, the following will be covered:

- The current mobile threat landscape and why there is an immediate need for a zero trust mobile security solution
- An explanation of zero trust
- How to apply a zero trust model to mobile security
- How a zero trust solution for mobile devices needs to operate under the principles of "secure and verify"
- How BETTER Mobile Security provides the only comprehensive zero trust mobile security solution that is able to secure and verify mobile devices, apps, users and the network in real time

BETTER's zero trust mobile security solution operates under the assumption that an attack on a mobile device will happen, and that the network, device, apps, and user can be hostile. Our solution provides both the security to prevent such attacks and the measures necessary for protection if a breach should occur.
The Mobile Threat Landscape

Attacks on mobile devices are rapidly evolving. Forrester Research reported that over 61% of enterprises stated that app security is their greatest mobile security challenge. The mobile threat landscape is changing rapidly. Mobile attackers are taking traditional methods from the wired world and adapting them to the mobile one, as well as coming up with new, never-before-seen tactics that take advantage of the new avenues mobile devices offer into an organization's network. Mobile devices are constantly switched on and bounce from one connection to another, giving a hacker multiple attempts to gain access to a device.

A new end-point of corporate risk. Kaspersky Labs reported that attacks on mobile devices have increased by over 400% in the last year. Mobile threats can wreak havoc on both mobile devices and the corporate network. Once a trusted device has been compromised, an attacker may have privileged access to the corporate network. Depending on the type of attack, they will be able to decrypt secure communications, intercept traffic to and from the device, install apps or keyloggers, take screen captures, and access any information stored on the device or within apps, including passwords, email, and text messages. These attacks can go as far as giving the attacker root privileges, jailbreaking the device, or leveraging the device as part of a mobile botnet to mount DDoS attacks.

Connected by design, vulnerable as a result. Our research indicates that mobile devices connect to upwards of ten times more networks than other end-points. The tools required to intercept, modify, and push network data are relatively inexpensive and readily available, and their uses are becoming more sophisticated and nefarious. Man-in-the-Middle (MitM) attacks can perform active eavesdropping, and intercept and alter traffic between a mobile device and a remote server.
The user believes they are interacting with a known and trusted entity but, in fact, they are being rerouted through an attacker-controlled device. Once connected to the attacker's device, all communication going to and from the victim's mobile device is seen by the attacker, regardless of encryption such as SSL.

Malicious apps and their means of entry. Malicious apps can come from anywhere and wreak all kinds of havoc. With no means of protection, the recommendation to users has always been not to download apps from unknown sources. This is not a viable approach, because it requires device users to know what is a trusted source and what is not. Another problem with this approach is that today's
attackers are adept at convincing users to trust that an app is genuine and beneficial to their needs. Malicious apps can steal passwords, email, text messages and corporate data. They can also log keystrokes and screen scrape. Malicious apps can even be side-loaded onto an iOS device through the use of stolen or illegally acquired enterprise or developer certificates. This gives the attacker the ability to gain access to encrypted data, bypass VPN tunneling, and break the OS sandbox, providing access to containerized apps. This access enables the attacker to view the contents of secure containers and wrapped apps, thus nullifying those attempts to protect sensitive data. The introduction of WireLurker and Masque attacks formally marked the beginning of a new era of iOS vulnerability. Today's malicious apps appear and behave just like the authentic versions.

WireLurker: the advent of iOS threats. An iOS malware example, named WireLurker, uses a stolen enterprise certificate and a vulnerability in how the trust of the bundle identifier works to install a malicious app onto a mobile device. WireLurker was first brought to light by Palo Alto Networks [2]. It bypasses the security features on iOS devices and installs malicious apps onto them, without the need to first jailbreak the device. The WireLurker Trojan installs itself on an OS X machine, rooting itself into the operating system, and then waits until an iOS device connects to the computer. It then abuses the trusted pairing relationship between the devices to read the mobile device's serial number, phone number, iTunes Store identifier, plus a host of other sensitive information. This data is all sent to the attacker's remote server. It then installs a series of malicious, though benign-looking, apps onto the mobile device. The WireLurker threat shows how vulnerable iOS devices are to attacks and that the path to infection can come from anywhere.

Masque attacks: appearances can be deceiving.
BYOD Explosion: Gartner has stated that the number of employee-owned devices used for work will be greater than corporate-owned by 2018.

Masque attacks get users to install malicious apps on their devices through refined social engineering techniques such as phishing emails or messages from trusted sources. These apps take the form of updates to existing apps and are therefore not detectable by traditional MDM and EMM solutions. Once on the device, they have access to all data stored within the app. Since these apps are by all appearances genuine and have the same bundle ID, they go undetected by MDM and EMM solutions, so it is virtually impossible to know if your data has been compromised.

What can be done to protect my mobile device? Today, MDM/EMM mobile security solutions offer little to no protection against these attacks. Hackers play a numbers game with the general public, since all they need is for just one person to slip up one time to gain access to a corporate network. These attacks
happen fast, compromising devices, apps, or communications in the blink of an eye, without being detected. To fully secure mobile devices from threats, the network, users, apps and the device itself all need to be viewed as potentially hostile. The solution must operate on the assumption that eventually the device will get into the wrong hands, apps will be compromised, and communications will be intercepted. The new generation of iOS and Android advanced threats has demonstrated that mobile device management is not the same as mobile device security.

BETTER Mobile Security provides enterprises with the only comprehensive zero trust mobile security platform on the market. With a "trust no one, verify everything" approach as our focus, BETTER is able to provide complete protection for mobile devices in real time. Our solution is end-point based, residing on the device itself, and continuously monitors the device, apps and connections for any behavioral abnormalities. When coupled with the BETTER App Shield, the resulting solution has the ability to provide comprehensive real-time threat detection and prevention. It is this "trust no one, verify everything" approach that makes BETTER's mobile security solution truly complete. In order for enterprises to fully protect iOS and Android devices, they must adopt a zero trust approach to mobile security.
BETTER Active Shield Mobile Security Requirements - Comparison Chart (iOS)

Solutions compared: MDM/EMM, Mobile AV, Container, Wrapper, BETTER

Requirements:
- Can Detect Zero-Day Malicious Apps
- Can Detect Known/Signature Malicious Apps
- Can Detect Exploits
- Can Detect MitM Attacks
- Can Detect Malicious Profiles
- Can Detect Threats in Real-Time
- Can Detect Unknown Threats
- Real-time Device Monitoring
- Continuously Monitors Apps
- Continuously Monitors Network
- Can Prevent Threats in Real-Time
- Can Prevent Unknown Threats
- Provides Device Visibility
- Provides Device Controls
- Secures Mobile Devices
- Secures Mobile Apps
- Segregates Data
- Can Detect a Jailbroken Device *
- Prevents Lateral Movement of Data
- Operates Under Zero Trust

* During enrollment and intermittently.

[Comparison chart: the per-solution check marks are not reproduced in this text version.]
BETTER Zero Trust Mobile Security Solution

The comprehensive mobile security platform for enterprise. According to the 2014 Cyber Threat Defense Report, more than 60% of organizations fell victim to one or more successful cyberattacks in 2013. When it comes to protecting iOS and Android mobile devices, 99% secure is the same as 100% vulnerable. BETTER provides enterprises with zero trust, comprehensive mobile endpoint visibility, security, and control, with real-time, self-protecting advanced mobile threat detection and prevention that follows the tenet of "secure and verify." With BETTER, CSOs and Security Administrators gain mobile application visibility and risk-based intelligence, and can add security controls to any app outside of an MDM container to satisfy existing security infrastructure requirements. BETTER does this quickly and seamlessly, without coding or wrapping.

BETTER promotes trust in BYOD deployments. Employees can use their own mobile devices for business anytime and anywhere in a fully secure way, while protecting their personal privacy and without limiting their freedom of use or control of their own device. BETTER's zero trust solution provides self-protecting advanced mobile threat detection and prevention, protecting all of the data on the device at all times. From simple security to complete lockdown, BETTER can secure any iOS or Android device and verify that it is safe when it matters, before and after an attack occurs. BETTER enables mobile employees to harness the full power of corporate mobility while providing the enterprise with complete administrator visibility, risk-based mobile app intelligence, third-party app security, and real-time, self-protecting advanced mobile threat detection and prevention.

BETTER's Advanced Mobile Threat Detection and Prevention Solution provides iOS and Android devices with a real-time, self-protecting solution against advanced mobile threats and targeted attacks.
Only BETTER can identify suspicious activity and secure devices from Man-in-the-Middle attacks, malicious apps, and any other mobile security threats, known and unknown.
BETTER Mobile Security Architecture

BETTER's app virtualization secures any mobile app without making security and usability tradeoffs. BETTER is the only solution that does not modify iOS and Android apps with app-wrapping or require the use of an SDK, and it adds the zero trust framework of network security, app security and device integrity. BETTER's app virtualization technology for iOS and Android is key to BYOD security because it respects user privacy and choice, limiting IT visibility and control to the enterprise container and giving workers a native user experience on their personal device of choice. Network threats such as man-in-the-middle attacks and malware are eliminated because BETTER prevents personal apps from accessing enterprise resources.

[Architecture diagram: Zero Trust Mobile Security. The primary objective is to minimize the attack surface, so when a breach occurs the damage is negligible. Components shown: Network Security, App Analysis & Testing, Device Integrity, App Virtualization, Adaptive Virtual App Perimeter, Original App in its Sandbox.]
BETTER Product Modules

The BETTER Mobile Security Platform includes four product modules.

BETTER Mobile App Analyzer. The Mobile App Analyzer includes a backend service that automatically conducts a complete analysis of any third-party or homegrown app. Within minutes, the Mobile App Analyzer generates a risk-based assessment of all behaviors and vulnerabilities for security administrator evaluation prior to deployment. The Mobile App Analyzer also adds real-time security, with continuous device-based verification of the app's authenticity prior to launching, and continuous analysis of the app's behaviors while in use.

BETTER Mobile AppShield. The Mobile AppShield turns any mobile app into a self-aware and self-protecting app, including all homegrown and third-party apps, without wrapping or coding. This includes adding enterprise security controls as well as device usage controls.

BETTER Mobile Device Configuration Control. The Mobile Device Configuration Control is part of BETTER's device-based agent and provides security administrators with the ability to determine, set and enforce policy on any mobile device, including which native and third-party applications can be used and whether settings may be changed, time-fencing, geofencing and more. It also provides real-time visibility of attempts to use unauthorized apps, change settings, or deviate from the baseline, as well as of advanced mobile threats and targeted attacks.

BETTER Threat Detection and Prevention. Our Threat Detection and Prevention module instantly detects and prevents any advanced mobile threat, targeted attack or other hostile behavior on the device as it occurs, in real time. BETTER also provides security administrators with real-time alerts of targeted attacks, suspicious device behaviors and baseline deviations, giving them a clear overview of the situation and the ability to take immediate and appropriate action.
In addition, BETTER provides the user with simple steps for full remediation, so they can quickly return to business as usual.

References

1. The Invisible Becomes Visible: Trend Micro Security Predictions for 2015 and Beyond.