Lon Kastenson Security of Mobile Devices. Overview Types of attacks Security in Android Security in iOS Security in other mobile platforms Current protocols.

1 Lon Kastenson Security of Mobile Devices

2 Overview Types of attacks Security in Android Security in iOS Security in other mobile platforms Current protocols and solutions Security in the future Questions Agenda

3 June 2004: Cabir The Evolution after Cabir –2006: 31 Families, 170 Variants –Cabir, Comwar, Skuller.gen –In Symbian Alone! Windows Mobile 2003 and PocketPC –Comwar Overview: History

4 2007 Jailbreaking iPhones and iPods reveals critical flaw in iOS 2008, exploits found in both Android and iOS 2009: Blackberry Hacked 2010, 5% of apps contain malicious code 2011, The Apple user tracking debate 2011, confirmed attack on Android Market Overview: History

5 1.6 billion smartphone sales worldwide (as of 2010) Overview: Present Source:

6 Both Android and iOS have known security risks. IBM X-Force predicts the number of attacks this year will be double last year's. Popular attacks remain Trojan horses and social engineering hacks. Overview: Present

7 Trojan Horse (Most popular, evident in Android Market Attack) Worm Virus Socially Engineered Man in the middle attacks Privacy Issues? (Application Terms of Service Agreement) Types of Attacks

8 March 2011 Attack on Android Market Source: root-your-phone-steal-your-data-and-open-backdoor/

9 Direct Install (Trojan) Bluetooth MMS message Memory card File Injection Other methods? Propagation Methods

10 iOS tracking users? Privacy Policy for smartphone apps Apps having too much access? Privacy Issues

11 Hardware level Kernel level –Linux kernel –ROMs Android Security Program Android Security

12 NX bit NFC for wallet transactions Hardware DRM (locked bootloader) Off system encryption key Hardware Level Security

13 Hardware Drivers located in the kernel Explicit permission needed Only kernel level applications have root access Secure Inter-process Communication Dalvik Virtual Machine Kernel Level Security

14 Application Sandbox Protection for rooted users? Dalvik Virtual Machine Source:

15 System Partition and Safe Mode Filesystem Permissions Filesystem Encryption Operating System Security

16 Design Review Penetration Testing and Code Review Open Source and Community Review Incident Response OTA updates What happened with the March 2011 attack? Android Security Program

17 Rooted Devices Android Market Pipes JNI Permissions Prompt Android Security Issues

18 Next I accept Continue? Really Continue?

19 Closed Source Market App Approval Security Architecture –Security APIs –Authentication –Encryption –Permissions iOS Security

20 Only developers approved by the Apple Developer Program are allowed to put applications on the market. Strict guidelines for application approval Must adhere to style guides iStore Market Approval System

21 Security Server Daemon Security APIs Core OS based encryption Security Architecture

22 Keychain CFNetwork Certificate, Key and Trust Services Randomization Services Objective-C API Security APIs

23 Filesystem Permissions Filesystem Encryption Address Space Layout Randomization Data Execution Prevention Other Security Services

24 Weak sandbox Vulnerable applications a threat Closed source approach Jailbroken devices iOS Security Issues

25 Capability Model Process Identity Data Caging Certification Symbian Security

26 Each binary is a capability User Capabilities System Capabilities How it all works Capability Model

27 Copies of DLLs are made and the kernel will check for any forged function calls. How Capability Works Source:

28 SecureID VendorID Process Identity

29 Applications are restricted in what data they can access File server controls access, capability. Sharing data privately Databases and data caging Data Caging

30 Certification Assignment Untrusted Applications Trusted Applications Self-signing Applications Certification and Platform Security

31 Been around longest, more malware out there. Currently supported, but no longer a priority for development at Nokia. Capability model has shown weakness in the past. Symbian Security Issues

32 Unique certification for Windows Phone Marketplace Mandatory Code Signing .NET managed Code Isolated storage sandbox SSL root certificates Data Encryption Windows Phone Security

33 Hardening –On a hardware level –On a software level Attack Surface Reduction Internet (Cloud) based protection Telecom based protection Privacy Argument, how much security is too much? Possible Solutions

34 Speculation by Dr. Charlie Miller Speculation of IBM X-Force Gostev's Laws of Computer Virus Evolution In the Future

35 References
Gostev, Alexander. (2006 September) Retrieved October 2011, from Securelist – Mobile Malware Evolution: An Overview Part 1
Gartner (n.d.). Retrieved October 2011, from Gartner – Gartner Says Sales of Mobile Devices in Second Quarter of 2011 Grew 16.5 Percent Year-on-Year; Smartphones grew 74 Percent
Google. (n.d.). Android Open Source Project. Retrieved Sept 2011, from Android Open Source – Android Security Overview
Apple. (n.d.). Mac OS X Developer Library. Retrieved Sept 2011, from Apple Developer – Security Overview
Nokia. (n.d.). Symbian C++ Books. Retrieved October 2011, from Nokia Developer – Fundamentals of Symbian C++/Platform Security
Microsoft. (n.d.). MSDN. Retrieved October 2011, from MSDN – Security for Windows Phone us/library/ff402533.aspx
IBM. (n.d.). IBM Security Solutions. Retrieved September 2011, from IBM – IBM X-Force 2011 Mid-Year Trend and Risk Report
PCWorld. Bradley, Tony. Retrieved September 2011, from PCWorld – Adobe Flash Zero Day Puts Android Smartphones at Risk.
Montoro, Massimiliano. Retrieved October 2011 from oXit – About Cain
(n.d.). Retrieved October 2011 from CyanogenMod Wiki – What is CyanogenMod?
Apple (n.d.). Retrieved October 2011 from Apple Developer – Guidelines for Appstore Submissions
Accuvant. Farnum, Michael. Retrieved October 2011 from Accuvant – Dr. Charlie Miller Compares the Security of iOS and Android
Viega, LeBlanc, Howard. 19 Deadly Sins of Software Security. Emeryville, CA: McGraw-Hill/Osborne. 2005. Print.
Whitaker, Evans, and Voth. Chained Exploits. Boston, MA: Addison-Wesley. 2009. Print.

36 Questions? ! Are you sure you want to answer questions?
