Mobile Security Presentation at HDI 2012

1. Session 810: The Security Risks of
Mobile Environments and How to
Protect Against Them
Ken Huang, Director of Security Engineering, CGI

2. Who am I ?
• Ken Huang
– Director of Security Engineering, CGI
• Cloud/Mobile Security
• Security testing and evaluation
• Identity and Access Management
• Frequent Speaker
• Blog: http://mobile-cloud-security.blogspot.com/
• Linkedin: www.linkedin.com/in/kenhuang8
• Twitter: http://twitter.com/#!/kenhuangus

3. Topics
• Mobile Technology and Trends
• Mobile Application and Trends
• Mobile Security and Trends
• Defense in Depth Solutions
• Conclusion and Questions

4. Mobile Technology and Trends
Technology Trends
•More Wi-Fi hotspots will be added
Wi-Fi
•Wi-Fi still plays a huge role in WLAN
•3G will gradually phase out
•4G networks will increase, as it is a
3G & 4G
major competing ground for carriers
to attract new customers
•Will continue to be used to connect
Bluetooth
personal network devices
•Will gain more momentum for
NFC payment, ticketing, and check-in
devices

5. 3G vs 4G Networks
3G 4G
DSL speeds Wired network speeds
Max speed up to 3.1 Mbps Max speed up to 100+ Mbps
Includes all 2G and 2.5G features plus: Includes all 3G features plus:
•Real-time location-based services •On-demand video
•Full motion videos •Video conferencing
•Streaming music •High-quality streaming video
•3D gaming •High-quality Voice-over-IP (VoIP)
•Faster web browsing •Added security features
Trends: 4G will be the winner

6. WiMAX vs. Wi-Fi
WiMAX Wi-Fi
Speed Up to 4 Mbps Up to 2 Mbps
Bandwidth Up to 75 Mbps Up to 54 Mbps
Range 30 miles (50 km) 100 feet (30 m)
Intended Number of
100+ 20
Users
Weaker encryption (WEP or Stronger encryption (TDES
Quality of Service
WPP) or AES)
Trends: Both WiMAX and Wi-Fi will co-exist for the foreseeable future

7. NFC
• Uses less power than Bluetooth
• Does not need pairing
• Based on RFID Technology at 13.56 MHz
• Operating distance typically up to 10 cm
Trends: NFC will get wider use due to payment and ticketing apps

8. Mobile Application Trends
• Payment
– Using your phone to pay will become a reality
• Federal Government Adoption
– Mobile apps will become more widely used
– Cloud and Mobile Computing
• During an appearance in Silicon Valley, Aneesh Chopra, the
nation’s first-ever CTO, acknowledged the inevitable emergence of
cloud and mobile as solutions for the federal government, but sees
them as supplementing, rather than replacing, legacy systems
– Transportation Department gets $100 million for
mobile apps

9. Mobile Application Trends (cont.)
• Federal Government Adoption (cont.)
– FBI – most wanted listing app on iPhone
– IRS – check refund status
– The White House mobile app – news, videos, podcasts,
blogs, etc.
– More than half of federal websites are planning to develop
a mobile-optimized website, according to a poll by ForeSee
Results.
• Productivity tool
– Mobile apps will become more mature over time
• Banking and Mobile Commerce
– Check balances, transfer funds, etc.

10. Mobile Application Trends (cont.)
• Entertainment
– Videos, gaming, etc.
• Social networking • Activists
– Facebook – Collective bargaining
– Twitter and strikes
– Foursquare • Other
– Linkedin – Price comparison for
– Instagram various products
(Sanptell)

11. Wi-Fi Security
• Use a strong password
• Don’t broadcast your SSID
• Use good wireless encryption (WPA, not WEP)
• Use another layer of encryption when possible (e.g. VPN, SSL)
• Restrict access by MAC address
• Shut down the network and wireless network when not in use
• Monitor your network for intruders
• Use a firewall
Trends: More Wi-Fi hotspots (but more attacks on hotspots as well) – avoid free Wi-Fi
whenever possible; Wi-Fi-enabled mobile devices can become the stepping stone to your
secured network

12. 4G Security Trends
• Backward compatibility to 3G or GSM capabilities exposes 4G to
3G and GSM security vulnerabilities
• 4G also has a roaming vulnerability associated with mutual
authentication: a fake network can easily claim to be a “roaming
partner”
Trends: More bandwidth comes with a greater possibility of being
attacked

13. Bluetooth Security Trends
• Bluejacking
– Sending either a picture or a message from one user to an unsuspecting
user through Bluetooth wireless technology.
• DoS Attacks
• Eavesdropping
• Man-in-the-middle attacks
• Message modification
• NIST published a Guide to Bluetooth Security in 2008
Trends: Dependent on new apps on bluetooth – I don’t see any
significant increase in attacks on bluetooth

14. NFC Security Trends
• Eavesdropping
– Hacker must have a good receiver and stay close
– To avoid this, use a secure channel as compensating control
• Data Corruption and Modification
– Jams the data so that it is not readable by the receiver
– Check RF field as compensating control.
Trends:
• wide spread adoption expected at 2015
• Secure channels for NFC
• Payments through smartphones will replace plastic cards and keys

15. Attack on the app
• Currently, Androids are the target due to Google’s
loose vetting process
– Law360, New York (March 15, 2012, 10:18 PM ET) --
Android cellphone users sued Google Inc over faulty
Android App
• iPhones and iPads are lightly hacked – but will
become targets in the future
Trends: Apps will be more vulnerable to attacks in the future

16. OWASP Top 10 Mobile Risks
• Insecure Data Storage
• Weak Server Side Controls
• Insufficient Transport Layer Protection
• Client Side Injection
• Poor Authorization and Authentication
• Improper Session Handling
• Security Decisions Via Untrusted Inputs
• Side Channel Data Leakage
• Broken Cryptography
• Sensitive Information Disclosure
• Source: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

17. M1: Insecure Data Storage
• Sensitive data left unprotected
• Applies to locally stored data + cloud synced
• Generally a result of:
– Not encrypting data
– Persist data not intended for long-term storage
– Weak or global permissions
– Not leveraging platform best-practices
• Risk
– Confidentiality of data lost
– Credentials disclosed
– Privacy violations
– Non-compliance

18. M2: Weak Server Side Controls
• We cannot trust mobile client app
• Risk: confidentiality and integrity of data

19. M3: Insufficient Transport Layer
Protection
• No encryption for data in transit
• Weak encryption. Encoding is not encryption
• Strong encryption but ignoring the security
warnings.
– If certificate validation errors happen, fall back to
clear text.
• Risk: confidentiality and integrity of data

20. M4: Client Side Injection
• XSS or SQL injection
• SMS injection (Apple patched iphone SMS
flaw in iOS 3.0.1 in Aug. 2009).
• Risk: toll fraud, device compromise, privilege
escalation etc.

21. M5: Poor Authorization and
Authentication
• Device authentication based on IMEI, IMSI, UUID
is not sufficient
• Hardware identifiers persist across data wipes
and factory resets
• Adding contextual information is useful, but not
foolproof
• Out of band does not work for the same device.
• Risk: Privilege escalation and Unauthorized
access

22. M6: Improper Session Handling
• Mobile session is usually longer for usability
and convenience
• Why it is bad idea to use device identifier as
session token?
• Risk: unauthorized access and privilege
escalation

23. M7: Security Decisions Via Untrusted
Inputs
• Security needs to be based on server side
variables, not client input data
• Risk: Can cause privilege escalation and
consume paid resources

24. M8: Side Channel Data Leakage
• Caused by platform feature or app flaws
• Potential channel
– Caches
– Keystroke logging
– Screenshots
– Logs (system, crash, app)
– Temp directory
• Risk: Privacy violation

25. M9: Broken Cryptography
• Broken implementation using strong
encryption library
• Custom weak encryption implementation.
• Risk: loss of data confidentiality

26. M10: Sensitive Information Disclosure
• Hard coded sensitive information
– User id, password
– SSN
– API keys
– Sensitive business logic
• Risk: credentials disclosed, IP disclosed.

27. OWASP: Top 10 Security Mobile Controls
• Identify and protect sensitive data
• Handle password credentials securely on the device
• Ensure sensitive data is protected in transit
• Implement user authentication/authorization and session
management correctly
• Keep the backend APIs (Rest vs. SOAP) Secure
• Secure integration with third party app and data (ID Federation)
• Get user consent for the collection and use of the data
• Implement Access Control and Digital Rights Management for
paid resources
• secure distribution/provisioning of mobile apps
• check runtime code errors

28. VPN for Smartphone
• Provide secure mobile access to enterprise
network
• Sample Mobile VPN products
– PandaPowVPN for Android
– Hotspot Shield for iphone
– CISCO

29. Virus Scan and Personal Firewall for
Mobile Device
• Lookout Premium
• Trend Micro Mobile Security
• F-Secure Mobile Security
• NetQin Mobile Security
• Webroot Secure Anywhere Mobile

30. Mobile Device Management Features
• Remote Locate - Shows you the location of your phone via Web or SMS, so
you can find it if it’s lost or stolen.
• Remote Lock - Lets you remotely lock your lost or stolen phone via Web or
SMS to prevent strangers from seeing your private stuff or running up your
mobile bill.
• Remote Wipe - Lets you remotely erase the stuff on your phone via SMS if
it’s lost or stolen, including any data on your phone’s memory card.
• Web-based Lost Notice - Displays a customizable message to anyone who
finds your missing device, so you can make arrangements to get it back.
• Web-based Sneak Peek - Snaps photos of anyone in front of your device
then saves the images. (Webcam devices only.)
• Antiphishing Web Protection - Blocks fraudulent (phishing) websites.
Protects your device and your stuff on mobile networks and Wi-Fi
connectionsi
• Download Threat Protection - Automatically scans all the apps and app
updates you download to your mobile device for threats.

31. Gartner Magic Quadrant for MDM

32. Mobile Application Management (MAM)
• The BYOD (“Bring Your Own Device”) phenomenon is a
factor behind MAM
• Manage Business Apps using internal App Store for
both BOYD and Company Mobile Device
• Key Features
– App delivery
– App updating
– User authentication
– User authorization
– Version checking
– Push services
– Reporting and tracking

33. Current MAM Players
• App47
• SOTI MobiControl
• AppBlade from Raizlabs
• AppCentral
• Apperian
• Better MDM
• JackBe
• Nukona
• Partnerpedia
• WorkLight

34. Mobile Data Protection (MDP)
• MDP is an established market
• Safeguard stored data on mobile devices by
means of encryption and authentication
• Provide evidence that the protection is
working.
• Widely used in Window based Laptop
• Not yet available for mobile phone or tablet

35. Gartner Magic Quadrant for MDP

36. Smartphone Encryption
• Android
– WhisperCore: whole flash memory
– Droid Crypt: files
– AnDisk Encryption: file
– RedPhone: voice
– Text Secure: text
• iPhone
– Impossible to encrypt the whole system
– Update to iOS5 to encrypt outgoing iMessage.
– Voice Encryption App
• Kryptos
• Cellcrypt
– Text Encryption App: Encrypt SMS
– E-mail Encryption: SecureMail use OpenPGP

37. Mobile Virtualization
• Support multiple domains/operating systems
on the same hardware
• Enterprise IT department can securely manage
one domain (in a virtual machine), and the
mobile operator can separately manage the
other domain (in a virtual machine)

38. Current Players in Mobile Virtualization
• Green Hills Software
• Open Kernel Labs
• Red Bend Software
• VMware
• B Labs
• Bitzer Mobile Inc
Reference:
http://www.virtualization.net/tag/mobile/

39. Mobile User willing to pay more
for security
• AdaptiveMobile published the third "Global
Security Insights in Mobile" report which
indicates that 83% people surveyed willing to
pay more for security.

40. Conclusion and Questions
• Defense in depth for mobile environment
• Device Security vs. App Security
• OWASP Top 10 Risk and Controls
• VPN, Virus Scan, MDM, MAM, MDP,
Encryption and Mobile Virtualization
• Questions?

41. Thank you for attending this session. Don’t
forget to complete the evaluation!