Defending Behind The Device
Mobile Application Risks

Tyler Shields
Product Manager and Strategist
Veracode, Inc

Session ID: MBS-301
Session Classification: Something for everyone

Agenda
The “What”

1. The Problem
2. Threat Landscape
3. Mobile Ecosystem
4. The Fix

Part 1: The Problem

What Are The Risks
Define the Threats

Securing the SDLC
The Developer View

Cycle: Identify → Educate → Remediate → Retest

Priorities
1. Vulnerabilities
2. Capabilities
3. Malware

Moving Into The Enterprise
Bring Your Own Device

Priorities
1. Malware
2. Capabilities
3. Vulnerabilities

Risk is not binary
Risk is analog

Policy is set from three ratings:
• Confidentiality Rating: exfiltration of sensitive data; disclosure of secrets
• Integrity Rating: can data be modified?
• Accessibility Rating: is data always accessible?

Mobile Crossroads
The Inflection Point

Do you trust the security of your mobile device…

63% have yet to make up their minds

Part 2: Threat Landscape

The Mobile Threat Landscape

Mobile Malware

Mobile Networks
• Decentralized
• Interconnected
• Mobile
• Quick Content Retrieval

Perfect Malware
• Decentralized
• Interconnected
• Mobile
• Quick Content Retrieval

Statistics

Malware Timeline

2011: July, August, September, October, November

Early to the Game → Malware Wave Begins → Exponential Growth

Primary Target

Android Most Targeted (65%)
iOS Absent (<1%)

Distribution of Mobile Threats by Platform, 2011: Android 65%; J2ME, Symbian and Windows Mobile split the remaining 27%, 7% and 1%.

Why is iOS absent?
• Closed Technology
• Harder to Reverse Engineer
• Stronger OS Security
• Better App Store Security
• No Fragmentation Issue

Mobile Malware

Repackaging (86%)
• Choose popular app
• Disassemble
• Add malicious payloads
• Re-assemble
• Submit new app to public market

Update (7%)
• Similar to repackaging
• Does not add full payload
• Adds small downloader
• Payload downloaded at runtime

Drive-By (<1%)
• Entice users to download malware
• Distributed via malicious websites
• May or may not contain a browser exploit

Standalone (14%)
• Commercial spyware
• Non-functional fake apps (Fake Netflix)
• Functional Trojan code
• Apps with root exploits

Mobile Malware

Privilege Escalation (37%)
• Attempts root exploits
• Small number of platform vulnerabilities
• May use more than one exploit for attack
• Advanced obfuscation seen in the wild

Remote Control (93%)
• Similar to PC bots
• Most use HTTP based web traffic as C&C
• Advanced C&C models translating from PC world

Financial Charges (45%)
• Premium rate SMS
• Both hard-coded and runtime updated numbers
• Employ SMS filtering

Information Collection (45%)
• Harvests personal information and data: user accounts, GPS location, SMS and emails, phone number
• Phone call tapping
• Ad libraries

Application Behaviors

Your Code sits at the centre, surrounded by:
• Previous Code
• Web Sources
• Binary 3rd Party Libraries
• Source 3rd Party Libraries

Case studies
WoW… Lots!

Vulnerabilities

• Sensitive data leakage (inadvertent or side channel)
• Unsafe sensitive data storage
• Unsafe sensitive data transmission
• Hardcoded password/keys

Vulnerabilities

• Layered APIs on common languages
• Blackberry and Android use Java as a base
• Non-issue for Objective-C (its own language)

Part 3: Mobile Ecosystem

The Mobile Ecosystem
The Players of the Game

The Consumer sits at the centre of the ecosystem.

MDM Vendors
The Enterprise Choke Point

Enterprise Control Point

What They Provide
• Device Enrollment and Management
• Security Management
• Device Configuration
• Device Monitoring
• Software Management

Security Components
• Passcode Enforcement
• Encryption
• Feature Restriction
• Compliance
• Locate and Wipe
• Certificate Management

Mobile Anti-Virus
Old Methods Rehashed

What They Provide
• Quarantine and Eradicate Malware
• Signature Based Analysis

Security Components
• Cloud Analysis
• Spam Filtering
• Email Attachment Scanning
• Data Backup

Application Markets
The Distributor

What They Provide
• Marketplace for Applications
• User Ratings
• Application Updates

Security Components
• Application Approval Process
  - Android Bouncer
  - iOS Scanning

Developers
The Source

What They Provide
• Enterprise Application Development
• Consumer Application Development
• Cross-platform Expertise

Security Components
• Variable on Developer Capabilities

Part 4: The Fix

The Fix
Securing Against Multiple Threats

• Behavioral Analysis
• Malware Detection
• Vulnerability Analysis

Static Behavioral Analysis
Features and Permissions

User Facing

Data Sources (Code Flow)
• Location Data
• Contacts
• Email
• SMS Data
• SQL Access
• File System
• Photos
• Phone ID Values

Data Sinks (Data Flow)
• HTTP Requests
• Outbound SMS
• Outbound Email
• DNS Requests
• TCP
• UDP
• Vulnerable Code

Mapping
• Trace Sources to Sinks
• Application “Intent”
• Permission Mapping
• Human Intelligence

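The "trace sources to sinks" and "permission mapping" steps above, as an added worked example that is not code from the deck or from Veracode: a small interprocedural taint analysis over a constructed model of an app's code. The API catalogue (`SOURCES`/`SINKS`), the `SAMPLE_APP` model and the `analyze` helper are all assumptions of this example, not any platform's real API.

```python
# Constructed catalogue of platform APIs that act as data sources or sinks and
# the permission each needs. Names are illustrative placeholders, not an
# authoritative API list for any platform.
SOURCES = {
    "getLastKnownLocation": ("Location Data", "ACCESS_FINE_LOCATION"),
    "getDeviceId":          ("Phone ID Values", "READ_PHONE_STATE"),
    "readFile":             ("File System", None),  # app-private storage, no permission
}
SINKS = {
    "httpPost":        ("HTTP Requests", "INTERNET"),
    "sendTextMessage": ("Outbound SMS", "SEND_SMS"),
}

def _subst(labels, arg_taints):
    """Replace 'param:i' placeholders with the taint of the i-th actual argument."""
    out = set()
    for lab in labels:
        if lab.startswith("param:"):
            idx = int(lab.split(":", 1)[1])
            if idx < len(arg_taints):
                out |= arg_taints[idx]
        else:
            out.add(lab)
    return out

def analyze(app):
    """app = {"permissions": set, "functions": {name: (params, stmts)}}, where each
    stmt is (callee, [arg variables], result variable or None) and the pseudo-callee
    "return" marks the return value. Returns source->sink flows and permission gaps."""
    funcs = app["functions"]
    # summary[f] = (taint on f's return value, {(sink api, taint reaching it)});
    # labels are source categories or 'param:i' for data coming from a parameter.
    summary = {f: (set(), set()) for f in funcs}
    changed = True
    while changed:  # fixpoint: helpers analysed after their callers still get attributed
        changed = False
        for fname, (params, stmts) in funcs.items():
            env = {p: {f"param:{i}"} for i, p in enumerate(params)}
            ret, sinks = set(), set()
            for callee, args, result in stmts:
                arg_taints = [env.get(a, set()) for a in args]
                t = set().union(*arg_taints)  # conservative: result carries all argument taint
                if callee == "return":
                    ret |= t
                    continue
                if callee in SOURCES:
                    t.add(SOURCES[callee][0])
                if callee in SINKS and t:
                    sinks.add((callee, frozenset(t)))
                if callee in funcs:  # apply the callee's summary at this call site
                    c_ret, c_sinks = summary[callee]
                    t |= _subst(c_ret, arg_taints)
                    for sink, labels in c_sinks:
                        resolved = _subst(labels, arg_taints)
                        if resolved:
                            sinks.add((sink, frozenset(resolved)))
                if result is not None:
                    env[result] = env.get(result, set()) | t
            if (ret, sinks) != summary[fname]:
                summary[fname] = (ret, sinks)
                changed = True

    flows = {(lab, SINKS[sink][0])
             for _, sinks in summary.values()
             for sink, labels in sinks
             for lab in labels if not lab.startswith("param:")}  # concrete sources only
    invoked = {callee for _, stmts in funcs.values() for callee, _, _ in stmts}
    required = {perm for api, (_, perm) in {**SOURCES, **SINKS}.items()
                if api in invoked and perm}
    declared = set(app["permissions"])
    return {
        "flows": sorted(flows),
        "missing_permissions": sorted(required - declared),  # denied or crash at runtime
        "unused_permissions": sorted(declared - required),   # over-privileged
    }

# Constructed toy app: a "weather" activity reads location and device id, packs
# them through a helper and uploads them, posts a local config file, and sends a
# fixed greeting by SMS without declaring SEND_SMS.
SAMPLE_APP = {
    "permissions": {"INTERNET", "ACCESS_FINE_LOCATION", "READ_PHONE_STATE", "READ_CONTACTS"},
    "functions": {
        "onCreate": ([], [
            ("getLastKnownLocation", [], "loc"),
            ("getDeviceId", [], "imei"),
            ("buildPayload", ["loc", "imei"], "blob"),
            ("upload", ["blob"], None),
            ("readFile", [], "cfg"),
            ("httpPost", ["cfg"], None),
            ("sendTextMessage", ["greeting"], None),  # constant text, carries no taint
        ]),
        "buildPayload": (["a", "b"], [("concat", ["a", "b"], "s"), ("return", ["s"], None)]),
        "upload": (["data"], [("httpPost", ["data"], None)]),
    },
}

if __name__ == "__main__":
    print(analyze(SAMPLE_APP))
```

The flows the report lists are the "capabilities" a reviewer then weighs against the app's stated purpose; the permission gaps are what the slide calls permission mapping.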
Dynamic Behavioral Analysis
Playing in the Sandbox

Instrumented Analysis
• Sandboxed Emulator
• Instrumented Fuzzy Logic Inputs
• Tracked Outputs
• Tracked System State

Example Data Gathered
• Network Traffic
• CPU Utilization
• Memory Footprint
• Mapping Screen to Functionality

Malware Detection
Learn From Previous Mistakes

Signatures, Signatures, Signatures and Basic Heuristics versus:
• Static Analysis
• Human Intelligence
• Dynamic Analysis

Vulnerability Analysis
Find the Flaws

• Environmental Flaws
• Application Flaws

Strategic Control Points
Security and Power

Control points: Application Markets, MDM, Anti-Virus, Enterprise

Developers: Enterprise Developers, Consumer Developers, Outsourced Developers, COTS Developers, … Developers

Enterprise Fixes
De-Risk B.Y.O.D

• Policy
• Process
• Technical Controls

The Road Ahead
Where do we go from here?

Capabilities Mapping + Malware Detection + Vulnerability Analysis = A Safer Mobile Path

Sources
Show me the data

Contact: @txs, tshields@veracode.com

• Juniper Network Trusted Mobility Index: http://www.juniper.net/us/en/local/pdf/additional-resources/7100155-en.pdf
• A History of Malware (Trend Micro): http://countermeasures.trendmicro.eu/wp-content/uploads/2012/02/History-of-Mobile-Malware.pdf
• A Survey of Mobile Malware In The Wild (UC Berkeley): http://www.cs.berkeley.edu/~afelt/felt-mobilemalware-spsm.pdf
• Mobile Malware Evolution Part 5 (Kaspersky Labs): http://www.securelist.com/en/analysis/204792222/Mobile_Malware_Evolution_Part_5
• Dissecting Android Malware: Characterization and Evolution (Yajin Zhou and Xuxian Jiang): http://www.csc.ncsu.edu/faculty/jiang/pubs/OAKLAND12.pdf
• Apple's new iOS 6 adds deep Facebook integration, dumps Google Maps: http://www.fiercemobilecontent.com/story/apples-new-ios-6-adds-deep-facebook-integration-dumps-google-maps/2012-06-11
• LinkedIn Privacy Fail: http://www.net-security.org/secworld.php?id=13050
• Mobile Exploit Intelligence Project (Trail of Bits): http://www.trailofbits.com/resources/mobile_eip_2.pdf
• Social Mobile Apps Found Storing User’s Content Without Permission: http://www.net-security.org/secworld.php?id=12418
• And more… Contact me if you need something specific I may have left out…

Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

Defending Behind the Mobile Device

  • 1. Defending Behind The Device: Mobile Application Risks. Tyler Shields, Product Manager and Strategist, Veracode, Inc. Session ID: MBS-301. Session Classification: Something for everyone.
  • 2. Agenda, "The What": 1 The Problem; 2 Threat Landscape; 3 Mobile Ecosystem; 4 The Fix.
  • 4. What Are The Risks: Define the Threats.
  • 5. Securing the SDLC: The Developer View. Cycle: Identify, Educate, Remediate, Retest. Priorities: 1. Vulnerabilities, 2. Capabilities, 3. Malware.
  • 6. Moving Into The Enterprise: Bring Your Own Device. Priorities: 1. Malware, 2. Capabilities, 3. Vulnerabilities.
  • 7. Risk is not binary, risk is analog. Policy is built from three ratings: Confidentiality Rating (exfiltration of sensitive data, disclosure of secrets), Integrity Rating (can data be modified), Accessibility Rating (is data always accessible).
  • 8. Mobile Crossroads: The Inflection Point. Do you trust the security of your mobile device… 63% have yet to make up their minds.
  • 10. The Mobile Threat Landscape.
  • 11. Mobile Malware. Mobile networks: decentralized, interconnected, mobile, quick content retrieval. Perfect malware: decentralized, interconnected, mobile, quick content retrieval.
  • 13. Malware Timeline 2011 (July, August, September, October, November): malware early to the game, then exponential growth begins, then the wave.
  • 14. Primary Target. Android most targeted (65%), iOS absent (<1%). Why: closed technology, harder to reverse engineer, stronger OS security, better app store security, no fragmentation issue. Distribution of mobile threats by platform, 2011: Android 65%; the remaining slices (27%, 7%, 1%) are J2ME, Symbian and Windows Mobile.
  • 15. Mobile Malware, infection vectors. Repackaging (86%): choose popular app, disassemble, add malicious payloads, re-assemble, submit new app to public market. Update (7%): similar to repackaging, does not add full payload, adds small downloader, payload downloaded at runtime. Drive-By (<1%): entice users to download malware, distributed via malicious websites, may or may not contain a browser exploit. Standalone (14%): commercial spyware, non-functional fake apps (Fake Netflix), functional Trojan code, apps with root exploits.
  • 16. Mobile Malware, payloads. Privilege Escalation (37%): attempts root exploits, small number of platform vulnerabilities, may use more than one exploit for attack. Remote Control (93%): similar to PC bots, most use HTTP-based web traffic as C&C, advanced C&C models translating from the PC world, advanced obfuscation seen in the wild. Financial Charges (45%): premium rate SMS, both hard-coded and runtime-updated numbers, employ SMS filtering. Information Collection (45%): harvests personal information and data, user accounts, GPS location, SMS and emails, phone call tapping, ad libraries, phone number.
  • 17. Application Behaviors: your code, previous code, web sources, 3rd party source libraries, 3rd party binary libraries.
  • 18. Case studies: WoW… Lots!
  • 19. Vulnerabilities: sensitive data leakage (inadvertent or side channel); unsafe sensitive data storage; unsafe sensitive data transmission; hardcoded passwords/keys.
  • 20. Vulnerabilities: layered APIs on common languages; Blackberry and Android use Java as a base; non-issue for Objective-C (its own language).
  • 22. The Mobile Ecosystem: The Players of the Game. Consumer.
  • 23. MDM Vendors: The Enterprise Choke Point (the enterprise control point). What they provide: device enrollment and management, security management, device configuration, device monitoring, software management. Security components: passcode enforcement, encryption, feature restriction, compliance, locate and wipe, certificate management.
  • 24. Mobile Anti-Virus: Old Methods Rehashed. What they provide: quarantine and eradicate malware, signature-based analysis. Security components: cloud analysis, spam filtering, email attachment scanning, data backup.
  • 25. Application Markets: The Distributor. What they provide: marketplace for applications, user ratings, application updates. Security components: application approval process, Android Bouncer, iOS scanning.
  • 26. Developers: The Source. What they provide: enterprise application development, consumer application development, cross-platform expertise. Security components: variable on developer capabilities.
  • 27. The Fix.
  • 28. The Fix: Securing Against Multiple Threats. Behavioral Analysis, Malware Detection, Vulnerability Analysis.
  • 29. Static Behavioral Analysis. Features and Permissions (user facing): application "Intent", permission mapping, human intelligence. Data Sources: location data, contacts, email, SMS data, SQL access, file system, photos, phone ID values. Data Sinks: HTTP requests, outbound SMS, outbound email, DNS requests, TCP, UDP. Mapping: trace sources to sinks, vulnerable code, code flow, data flow.
  • 30. Dynamic Behavioral Analysis: Playing in the Sandbox. Instrumented analysis: sandboxed emulator, instrumented fuzzy-logic inputs, tracked outputs, tracked system state, mapping screen to functionality. Example data gathered: network traffic, CPU utilization, memory footprint.
  • 31. Malware Detection: Learn From Previous Mistakes. Static analysis, dynamic analysis, signatures, human intelligence, basic heuristics.
  • 32. Vulnerability Analysis: Find the Flaws. Environmental flaws, application flaws.
  • 33. Strategic Control Points: Security and Power. Application Markets, MDM, Anti-Virus, Enterprise, Consumer, and Developers (enterprise developers, consumer developers, outsourced developers, COTS developers, …).
  • 34. Enterprise Fixes: De-Risk B.Y.O.D. Policy, Process, Technical Controls.
  • 35. The Road Ahead: Where do we go from here? Capabilities Mapping + Malware Detection + Vulnerability Analysis = A Safer Mobile Path.
  • 36. Sources. @txs, tshields@veracode.com. Show me the data:
    • http://www.juniper.net/us/en/local/pdf/additional-resources/7100155-en.pdf Juniper Network Trusted Mobility Index
    • http://countermeasures.trendmicro.eu/wp-content/uploads/2012/02/History-of-Mobile-Malware.pdf A History of Malware, Trend Micro
    • http://www.cs.berkeley.edu/~afelt/felt-mobilemalware-spsm.pdf A Survey of Mobile Malware In The Wild, UC Berkeley
    • http://www.securelist.com/en/analysis/204792222/Mobile_Malware_Evolution_Part_5 Mobile Malware Evolution Part 5, Kaspersky Labs
    • http://www.csc.ncsu.edu/faculty/jiang/pubs/OAKLAND12.pdf Dissecting Android Malware: Characterization and Evolution, Yajin Zhou and Xuxian Jiang
    • http://www.fiercemobilecontent.com/story/apples-new-ios-6-adds-deep-facebook-integration-dumps-google-maps/2012-06-11 Apple's new iOS 6 adds deep Facebook integration, dumps Google Maps
    • http://www.net-security.org/secworld.php?id=13050 LinkedIn Privacy Fail
    • http://www.trailofbits.com/resources/mobile_eip_2.pdf Mobile Exploit Intelligence Project, Trail of Bits
    • http://www.net-security.org/secworld.php?id=12418 Social Mobile Apps Found Storing User's Content Without Permission
    • And More…. Contact me if you need something specific I may have left out…
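Slide 29 describes static behavioral analysis as permission mapping plus tracing data sources (location, contacts, phone ID values) to sinks (HTTP, SMS, DNS). The Python below is an added worked example of that mapping, written for this page; it is not code from the talk or from Veracode. It walks a tiny, hand-built three-address representation of an app, propagates "taint" from source APIs through assignments and helper calls to sink APIs, and compares the permissions those APIs need against what the app declares. The API names, permission names, IR shape and the sample app are all constructed stand-ins for what a real decompiler would produce from the binary.

```python
"""Added example: a toy static behavioural analysis in the spirit of slide 29.

Not code from the talk or from Veracode. The three-address IR, the API and
permission names and the sample program are all constructed for illustration;
a real analyzer would build the IR from the app binary (e.g. Dalvik bytecode).
"""
from dataclasses import dataclass, field

# Assumed source table: API call -> (data category, permission that gates it).
SOURCES = {
    "LocationManager.getLastKnownLocation": ("location", "ACCESS_FINE_LOCATION"),
    "ContactsContract.query": ("contacts", "READ_CONTACTS"),
    "TelephonyManager.getDeviceId": ("phone_id", "READ_PHONE_STATE"),
    "SmsInbox.read": ("sms", "READ_SMS"),
}
# Assumed sink table: API call -> (outbound channel, permission that gates it).
SINKS = {
    "HttpClient.post": ("http", "INTERNET"),
    "SmsManager.sendText": ("sms_out", "SEND_SMS"),
    "DnsResolver.lookup": ("dns", "INTERNET"),
}


@dataclass
class Profile:
    """Capability profile of one app, as the slide's "mapping" column produces it."""
    flows: set = field(default_factory=set)       # (data category, channel) pairs
    undeclared: set = field(default_factory=set)  # permission used but not declared
    unused: set = field(default_factory=set)      # permission declared but never used


def analyze(declared_permissions, stmts):
    """Flow-insensitive taint propagation over one straight-line block.

    stmts is a list of tuples:
      ("assign", dst, src)          - dst takes whatever taint src carries
      ("call", dst, api, [args])    - dst (or None) receives the union of the
                                      args' taint plus the source category, if any
    Unknown APIs act as pass-through, so taint survives helpers like encoders.
    """
    taint = {}            # variable name -> set of data categories
    used_perms = set()
    prof = Profile()
    for stmt in stmts:
        if stmt[0] == "assign":
            _, dst, src = stmt
            taint[dst] = set(taint.get(src, set()))
        elif stmt[0] == "call":
            _, dst, api, args = stmt
            incoming = set()
            for a in args:
                incoming |= taint.get(a, set())
            if api in SOURCES:
                category, perm = SOURCES[api]
                used_perms.add(perm)
                incoming.add(category)
            if api in SINKS:
                channel, perm = SINKS[api]
                used_perms.add(perm)
                for category in incoming:
                    prof.flows.add((category, channel))
            if dst is not None:
                taint[dst] = incoming
        else:
            raise ValueError(f"unknown statement kind: {stmt[0]!r}")
    declared = set(declared_permissions)
    # Used-but-undeclared means dead code or a manifest mismatch worth a look;
    # declared-but-unused is over-privilege (more capability than the app needs).
    prof.undeclared = used_perms - declared
    prof.unused = declared - used_perms
    return prof


# Constructed sample app: reads location and device id, JSON-encodes both and
# posts them; reads contacts but never sends them; over-declares two permissions.
SAMPLE_DECLARED = ["INTERNET", "ACCESS_FINE_LOCATION", "READ_CONTACTS",
                   "SEND_SMS", "CAMERA"]
SAMPLE_STMTS = [
    ("call", "loc", "LocationManager.getLastKnownLocation", []),
    ("call", "did", "TelephonyManager.getDeviceId", []),   # permission not declared
    ("assign", "payload", "loc"),
    ("call", "body", "Json.encode", ["payload", "did"]),   # unknown helper: pass-through
    ("call", None, "HttpClient.post", ["body"]),
    ("call", "c", "ContactsContract.query", []),
    ("assign", "tmp", "c"),                                 # read but never sent
]


def sample_profile():
    return analyze(SAMPLE_DECLARED, SAMPLE_STMTS)


if __name__ == "__main__":
    p = sample_profile()
    print("source->sink flows:", sorted(p.flows))
    print("used but undeclared:", sorted(p.undeclared))
    print("declared but unused:", sorted(p.unused))
```

The output is the capability profile the slide calls for: which categories of sensitive data reach which outbound channel, and where the declared permission set and the code disagree. A real tool would add control-flow sensitivity and inter-procedural propagation, but the shape of the result (flows plus permission deltas) is what feeds the enterprise's "what does this app actually do" question.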

Editor's Notes

  1. Everyone has a different definition of risk. Developers look at threats differently than IT people. IT looks at threats differently than the CSO and CTO of an enterprise. Media has a totally different view than the rest of the world, pushing sensationalist headlines that really shape how everyone is addressing the problem. Segmentation of the population falls generally into two buckets: the developers and the operations people, with different viewpoints on what the problems are in mobile and what can be done to fix them.
  2. Securing the SDLC is the primary desire of the development side of the house: what can they do to increase the creation rate of secure code. For the longest time the only metric that mattered was what can be done to increase the rate of creation of code. Bugs and security flaws didn't matter. Only recently has the developer world really begun to embrace the creation of secure and low bug density code. Vulnerabilities are their primary priority when it comes to securing the development lifecycle: identifying vulnerabilities, educating the development team on what the vulnerabilities look like and how to fix them, fixing the flaws, and testing that their flaws were properly fixed. And the cycle continues. Developers traditionally haven't cared as much about the capabilities of their code or the fact that malware may be embedded in their code. Reasoning: we wrote it, we know what it does and we know that it doesn't have malware (not always true). Transition to BYOD…
  3. In the Enterprise operations and IT world the priorities are reversed. They want to know first and foremost that they don't have any malware in the applications they are deploying to their user base. They then want to know what the applications are actually capable of doing on the device. And finally, does the application have any vulnerabilities that can be exploited on the device itself. These two types of views require two different types of execution if we are to help the Enterprise solve their mobile related problems.
  4. What makes up a risk rating? Risk is grey. It's not binary, it's not 0/1. It's 1-1000000. It's infinite shades of grey. Risk is made up of the security and privacy levels of the application, and whether that risk level fits within the acceptable threshold that has been set by your enterprise risk policy.
  5. We are at a mobile crossroads, an inflection point. Juniper Trust in Mobility Survey results: 18% of people do not trust, 19% of surveyed people DO trust, 63% have no idea.
  6. Three distinct areas: mobile malware, application behaviors, and code vulnerabilities. Each of these areas is a risk to the enterprise specific to the mobile space. Each manifests itself in a slightly different attack model (yes, we've seen each of these in the wild). Each results in a different method by which we must apply security controls.
  7. Mobile malware is shaping up to be the perfect storm. Describe perfect malware: decentralized, interconnected, mobile, ability to access targeted data quickly. Describe mobile networks today: decentralized, interconnected, mobile (in every way), quick content access and retrieval.
  8. Statistics, everyone has got them. What you see here are a bunch of statistics samples from different vendor research. Numbers are largely irrelevant; what matters is the trend lines. You can dispute any individual group of statistics, but when every player in the ecosystem is claiming the same trends the data increases in value.
  9. Look into one specific set of trends. These results are from the McAfee annual report on threat predictions for 2012. The trend is the same as every other report: exponential growth. From July to November of 2011 there was a significant uptick month over month, demonstrating the typical exponential curve. I've been predicting this type of uptick since end of '09, beginning of '10. I was wrong. I was early. There was growth but nothing like we saw in 2011 and 2012. I was also wrong in predicting where the outbreak would occur first. I saw the target as Blackberry (but we all know how that story went). It was Android… What I was RIGHT about was the distribution method for malware: the public marketplace.
  10. So why was it Android and not Blackberry or some other player? Closed technology, harder to RE, stronger OS security. Realistically… better app store security, no fragmentation issue.
  11. North Carolina State did some significant research they called the mobile genome project. Four common types of infection vectors. Repackaging: 86%, huge. Drive-by: who cares. Standalone: not really an issue. Update: coupled with exploitation-based attacks and other repackaging for distribution. Doesn't total 100% because some samples contained multiple distribution and infection mechanisms. Samples collected between August and October of 2011.
  12. What type of payloads were most common? Somewhat well distributed with the exception of remote control. Even spread between financial charges, information collection and priv escalation. Remote control was a larger number most likely because the attackers want to be an ongoing concern. Doesn't total 100% because some samples contained multiple distribution and infection mechanisms. Samples collected between August and October of 2011.
  13. I ask developers all the time "Do you know what your code does". Invariably the answer is "of course I do.. I wrote the code". I then tell them they are wrong and listen to them fight with me for a few minutes.. And then I explain what I mean. Do you reuse or repurpose code? YES. Do you use libraries that other people have written? YES. Do you audit the source code of every library you use in your app? NO. Do you use any third party binary-only libraries? YES. Do you reverse engineer and analyze the security of these libraries? NO. Then you have no idea what your code really does. You are inheriting and accepting risk into your application every time that you use third party code or libraries.
  14. LinkedIn: transmitted entire calendar entries, including participant information, times, dial-in numbers, notes. Path: transmitted entire address book to the company; did not disclose this to the user. Pandora: transmitted GPS location, phone identifying values (Android ID / iPhone identifiers), other sensitive data; ad libraries; likely a third party library problem.
  15. Sensitive data leakage; unsafe sensitive data storage; unsafe sensitive data transmission; hardcoded passwords / keys.
  16. Layered APIs on common languages. Blackberry and Android use Java. Non-issue for Objective-C (its own language).
  17. MDM. Good: strong policy and configuration mgmt; MAM support growing. Bad: security is secondary; MDM differentiation is tough; limited by the API set provided by the handset vendor; expensive (40-60 per user per year); MDM server security.
  18. Mobile AV. Good: catching the KNOWN malware; awesome at killing battery life. Bad: inability to catch anything unknown (0day); same problem as traditional malware; persistent resource issue (humans required); often highly privileged apps running on the device (one bug to rule them all).
  19. Application markets. Good: primary distributor of applications; easy to locate desired applications; trivial installation; basic curating of applications occurs; kill switches. Bad: inadequate curating (incented by the app race); inconsistent application of checks; speed of dissemination of applications.
  20. Developers. Good: single source of applications (at the end of the day this is where all apps come from); generally not ill intentioned (but not always). Bad: inadequate security education; inadvertent code flaws; intentional code flaws (backdoors); not incented to create secure code; code reuse security paradigm.
  21. Capabilities mapping: knowing what your application does.. EXACTLY what it does. Malware detection: knowing if there is something hidden in your code (truly a subset of capabilities mapping). Vulnerability analysis: knowing if there are code flaws that can be exploited in your applications.
  22. Look at what the application DOES via static analysis. Look for appropriate permissions. Trace sensitive data from sources to sinks: code flow, data flow. Execute dynamic runtime analysis as well. Inform between the static and dynamic to create the most accurate capabilities picture.
  23. The traditional way is broken. Signatures don't work; easily evaded. When we put a new piece of malware into the hands of a malware analyst, what do they do with it? They do static analysis. They do runtime analysis. They add human intelligence to the system to determine what the application does and what the risk of the program is. The best solution includes a machine learning system that determines what the application does and tries to understand how that maps to malicious intent.
  24. Application flaws: bad file permissions; unprotected programmatic interfaces/APIs; the other usual suspects (SQLi, XSS, exfiltration, poor crypto, etc.); inherited risks via 3rd party libs. Environmental flaws: runtime and library idiosyncrasies or bugs; privilege escalation vulns (OS or kernel); other outdated, vulnerable components.
  25. Use all of the strategic control points, NOT just one. Implement what each one is good at. Strengthen each individually with good application security capabilities.
  26. Policy: overarching security strategy drives BYOD policy, access control, etc. I.R. plans should account for "computer-in-my-pocket". Process: identifying/inventorying mobile devices, usage patterns, security models. Technical controls: MDM and/or "enterprise-friendly" mobile AV; detection, lockdown, alerting, response options; internal analysis/testing lab? ($$$) Or just pay an external firm to do it.
  27. "Mobile malware will continue to grow..." Especially on Android. The trajectory for mobile payment apps will eventually make them an enticing target, but not quite there yet. There's yet an(other) opportunity to learn from previous failures, successes, and innovations in security, and apply them to the mobile space. Take a holistic view of your ecosystem. Control for problems at the choke points. This is going to be a journey… It won't happen overnight. In the short term we have to add these new concepts and capabilities to our mobile environment. Design your mobile security program keeping these concepts in mind. Individual point solutions will not work… Take a holistic approach.
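Notes 22 and 23 argue for runtime analysis and behaviour-based heuristics alongside signatures, and slide 16 gives the four payload classes that behaviour should be mapped to. The Python below is an added example written for this page, not code from the talk or from Veracode, of that second half of the picture: it parses a small sandbox event trace and maps what the app did to privilege escalation, remote control, financial charges and information collection using simple, explicitly assumed heuristics. The trace format, host name, short code, package name and every threshold are constructed for the example; a real sandbox emits far richer instrumentation, and the static profile from slide 29 would be compared against this one to "inform between the static and dynamic".

```python
"""Added example: profiling a sandbox trace and mapping behaviour to the four
payload classes of slide 16 (privilege escalation, remote control, financial
charges, information collection).

Not code from the talk or from Veracode. The trace format, the host name, the
short code, the app package name and every threshold are constructed for the
example; a real sandbox emits far richer instrumentation.
"""
import re
from collections import defaultdict

EVENT_RE = re.compile(r"^t=(\d+)\s+(\S+)(.*)$")
SENSITIVE = {"contacts", "sms", "location", "device_id"}


def parse_trace(text):
    """Parse 't=<seconds> <event> key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f"unparseable trace line: {line!r}")
        t, event, rest = m.groups()
        ev = {"t": int(t), "event": event}
        ev.update(re.findall(r"(\w+)=(\S+)", rest))
        events.append(ev)
    return events


def classify(events, beacon_tolerance=5):
    """Return {payload_class: [evidence strings]} from assumed heuristics:

      financial_charges      - SMS sent to a short code (1-6 digits)
      information_collection - sensitive data read, then outbound HTTP
      remote_control         - 3+ requests to one host at a steady interval
      privilege_escalation   - executing a binary dropped in app-private storage
    """
    findings = defaultdict(list)
    pending_reads = []                 # sensitive reads not yet followed by traffic
    request_times = defaultdict(list)  # host -> request timestamps
    for ev in events:
        kind = ev["event"]
        if kind == "data.read" and ev.get("what") in SENSITIVE:
            pending_reads.append(ev["what"])
        elif kind == "net.http":
            host = ev.get("host", "?")
            request_times[host].append(ev["t"])
            if pending_reads:
                findings["information_collection"].append(
                    f"read {sorted(set(pending_reads))} then "
                    f"{ev.get('method', '?')} to {host} at t={ev['t']}")
                pending_reads = []
        elif kind == "sms.send" and re.fullmatch(r"\d{1,6}", ev.get("dst", "")):
            findings["financial_charges"].append(
                f"SMS to short code {ev['dst']} at t={ev['t']}")
        elif kind == "exec" and ev.get("path", "").startswith("/data/data/"):
            findings["privilege_escalation"].append(
                f"executed dropped binary {ev['path']} at t={ev['t']}")
    # Steady polling of one host is the HTTP-based C&C pattern the slide mentions.
    for host, times in request_times.items():
        if len(times) >= 3:
            gaps = [b - a for a, b in zip(times, times[1:])]
            if max(gaps) - min(gaps) <= beacon_tolerance:
                findings["remote_control"].append(
                    f"{len(times)} requests to {host} every ~{gaps[0]}s")
    return dict(findings)


# Constructed trace (not captured from any real app); t is seconds since launch.
SAMPLE_TRACE = """
t=1   data.read what=contacts
t=2   data.read what=device_id
t=5   net.http host=update.example.invalid method=POST bytes=2048
t=65  net.http host=update.example.invalid method=GET bytes=120
t=125 net.http host=update.example.invalid method=GET bytes=118
t=185 net.http host=update.example.invalid method=GET bytes=121
t=190 sms.send dst=7781 len=8
t=200 exec path=/data/data/com.example.repack/files/helper
"""


def sample_findings():
    return classify(parse_trace(SAMPLE_TRACE))


if __name__ == "__main__":
    for payload_class, evidence in sorted(sample_findings().items()):
        print(payload_class)
        for line in evidence:
            print("  -", line)
```

Each finding carries the evidence that produced it, which is what the human-intelligence step in note 23 needs to confirm or discard a verdict; the thresholds (short-code length, beacon tolerance, the app-private path prefix) are the knobs a real system would tune from labelled samples rather than hard-code.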