
www.enisa.europa.eu

Security… is there an app for that?

December 1st 2011, ECP EPN, The Hague
Dr. Marnix Dekker, CISA

ENISA


ENISA’s work on Smartphone security

o 2010: Smartphone security: Risks, opportunities and recommendations
o 2011: OWASP Mobile security project (ongoing)
o 2011: Appstore security: 5 lines of defense
o 2011: Smart access to the cloud (ongoing)

Risks


Zeus trojan


Lulz Security


Risks for users

1. Device loss leading to data leakage
2. Improper decommissioning
3. Unintentional data disclosure
4. Phishing attacks
5. Spyware
6. Network spoofing attacks
7. Surveillance attacks
8. Diallerware
9. Financial malware
10. Network congestion

Security opportunities

1. Sandboxing and capabilities
2. Controlled software distribution
3. Remote application removal
4. Backup and recovery
5. Extra authentication options
6. Extra encryption options
7. Platform diversity

Sample recommendation


2. Unintended disclosure of data

o Smartphone is loaded with personal data, with sensors and network interfaces.
o Collecting meaningful consent is difficult
o Covert channels
o Photos may contain location data
o Address book may contain private data
o “I can stalk u” (smartphone version of “Please rob me”)
o Interface to privacy and security settings is not easy

Rootkit Keylogger on Smartphones


Droid Dream

o Malware disguised as popular apps (e.g. Super Guitar Solo).
o 200,000 downloads within days.
o Google used the kill-switch (remote application removal).
o Google’s security patches were re-posted with malware in them.

Using diallerware

o Diallerware for Windows Mobile
o Game demo on a shareware site
o Search for “3D anti terrorist dialler trojan”
o Trojan sleeps 31 days, then calls 5 numbers
o Satellite line, Antarctica, Africa, South America
o International premium numbers (short-stopped)
o Attacker spends 1 cent and receives 12 euro

Using banking malware

o Using Zitmo (thanks to S21sec)
o Attacker steals the online banking username and password using malware (ZeuS 2.x) on the user’s PC.
o Attacker infects the smartphone by sending an SMS with a link to Zitmo. The user must accept (‘Nokia update’).
o Attacker logs in with the stolen username and password, using the user’s PC as a SOCKS proxy, and performs a banking transaction.
o An SMS with the authentication code is sent to the smartphone. Zitmo forwards the SMS to the attacker.
o Attacker fills in the SMS code and completes the transaction.

App-store security: 5 lines of defense

o Apple appstore

o Android market

o Amazon appstore

o Mozilla add ons

o Google chrome store

o Windows phone 7

o …

o Many new app stores are being set up, for enterprises, subscribers.


STRIDE and attack trees

[Data-flow diagram of the app-store ecosystem; only the labels survive extraction.]
External entities: I1 App developer, I2 App store controller, I3 Device user.
Data stores: D1 App store (app and metadata), D2 Local apps.
Processes: P1 Acceptance check, P2 Package and store app, P3 Revoke app, P4 Publish description and reputation of apps, P5 Publish apps, P6 Publish updates and revocations, P7 Accept comments or complaints, P8 Install, uninstall apps, P9 Periodic app check, P10 Execute app.
Data flows: app and metadata, app name, app ID, new app, updated app, app ID of revoked or updated app, approval of app, approval for installation, update, uninstallation, comment or complaint about app, revocation of app, app descriptions and reputations.

[Attack tree; only the node labels survive extraction, not their AND/OR structure.]
Goals: Get malicious code on the user device; Keep malicious code on the user device.
Sub-goals and leaves: Sell/distribute malicious app in appstore; Create malicious app; Circumvent app review; Troll/falsify app reputation; Bypass the appstore; Exploit vulnerability in installed app; Prevent detection by device user; Prevent updates, app revocation.
Leaves are annotated with the letters of the lines of defence that counter them (the extraction shows “J D, A D A”, “R”, “D K, D”; the per-leaf assignment cannot be recovered).

Lines of defence:
A App review
R Reputation mechanism
K App revocation (kill-switch)
D Device security
J Jails

The 5 layers of defence

1. Device security (sandboxes, permissions, …)
2. App review
3. App reputation (security aspects)
4. App revocation (aka kill switches)
5. Jails

o Distributed reputation for apps and app developers, across app stores?
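The attack tree and the five lines of defence above can be evaluated mechanically: mark each leaf with the defences that block it, then ask which attack paths stay open for a given set of deployed defences, and which single defence you cannot afford to lose. The following Python is an added example written for this page, not code from the slides or from ENISA. The AND/OR structure of the tree and the leaf-to-defence mapping are assumptions made for illustration, since the slide's per-leaf letter annotations are not recoverable from the extraction.

```python
"""Attack-tree evaluation against the five lines of defence (added example)."""
from dataclasses import dataclass, field
from itertools import product

# Legend from the slide: defence letter -> line of defence.
DEFENCES = {
    "A": "App review",
    "R": "Reputation mechanism",
    "K": "App revocation (kill-switch)",
    "D": "Device security",
    "J": "Jails",
}


@dataclass
class Node:
    """A node in the attack tree. Leaves carry the defences assumed to block them."""
    name: str
    gate: str = "LEAF"            # "LEAF", "AND" or "OR"
    children: list = field(default_factory=list)
    blocked_by: frozenset = frozenset()


def leaf(name, *letters):
    return Node(name, blocked_by=frozenset(letters))


# ASSUMED tree structure and defence mapping (illustration only; the slide's
# per-leaf letters cannot be recovered from the extracted text).
ATTACK = Node("Malicious app running on a user's device", "AND", [
    Node("Get malicious code on the user device", "OR", [
        Node("Sell/distribute malicious app in appstore", "AND", [
            leaf("Create malicious app"),                    # no store control stops authoring
            leaf("Circumvent app review", "A"),
            leaf("Troll/falsify app reputation", "R"),
        ]),
        leaf("Bypass the appstore", "J", "D"),
        leaf("Exploit vulnerability in installed app", "D"),
    ]),
    Node("Keep malicious code on the user device", "AND", [
        leaf("Prevent detection by device user", "D"),
        leaf("Prevent updates, app revocation", "K"),
    ]),
])


def open_paths(node, deployed):
    """Return every combination of leaves that still reaches `node` when the
    defences in `deployed` are in place: an OR node is reached through any
    child, an AND node needs one open path through every child."""
    if node.gate == "LEAF":
        return [] if node.blocked_by & deployed else [(node.name,)]
    per_child = [open_paths(child, deployed) for child in node.children]
    if node.gate == "OR":
        return [path for paths in per_child for path in paths]
    if any(not paths for paths in per_child):
        return []                     # one blocked child blocks the whole AND node
    return [sum(combo, ()) for combo in product(*per_child)]


def is_reachable(node, deployed):
    return bool(open_paths(node, deployed))


def single_points_of_failure(node, deployed):
    """Deployed defences whose loss alone would reopen the tree."""
    if is_reachable(node, deployed):
        return []                     # already open; nothing to single out
    return sorted(d for d in deployed if is_reachable(node, deployed - {d}))


if __name__ == "__main__":
    for deployed in (frozenset(), frozenset("AR"), frozenset("D"), frozenset("ARKDJ")):
        names = [DEFENCES[d] for d in sorted(deployed)] or ["none"]
        print("Deployed:", ", ".join(names))
        for path in open_paths(ATTACK, deployed):
            print("  open:", " + ".join(path))
        print("  single points of failure:", single_points_of_failure(ATTACK, deployed))
```

With review and reputation alone (the store-side controls) the tree stays open through the two paths that never touch the store, which is the slide's point that store controls and device controls are separate lines; with all five deployed, no single defence is a point of failure, because every leaf is covered by at least two.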

Smart access to the cloud

o Passwords are cumbersome to use and often insecure
o Authentication with smartphones (Google Authenticator, HOTP, OATH)
o Ongoing work with various industry players (OpenID, Kantara, Google, Blackberry, eBay, Intel, …)
o Comparing pros and cons of authentication schemes
  o Password authentication
  o Smartphone-based OTP
  o Mobile PKI (AKA/GBA)
  o App SSO (OAuth)
o User-friendly, cheap, more secure, strong authentication?
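The smartphone-based OTP option above is what Google Authenticator implements: HOTP from RFC 4226, the OATH event-based algorithm. The following Python is an added example written for this page, not ENISA's or Google's code. It computes HOTP values and shows the server side the slide does not: a bounded look-ahead window so a phone whose counter ran ahead still verifies, rejection of any counter at or below the last accepted one (a code that was already used cannot be presented again), and throttling of failed attempts, both recommended in RFC 4226 section 7. The secret is the RFC 4226 test key (ASCII "12345678901234567890") in the base32 form an authenticator app would be provisioned with.

```python
"""HOTP (RFC 4226) with a server-side verifier (added example)."""
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def secret_from_base32(provisioned: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret; normalise and decode."""
    cleaned = provisioned.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)        # restore padding that QR/URI forms omit
    return base64.b32decode(cleaned)


class HotpVerifier:
    """Server side of HOTP: tracks the next expected counter, tolerates a
    bounded look-ahead (user pressed the button without logging in), refuses
    counters already consumed, and locks out after repeated failures."""

    def __init__(self, secret: bytes, look_ahead: int = 5, max_failures: int = 5):
        self.secret = secret
        self.counter = 0              # next counter value expected from the token
        self.look_ahead = look_ahead
        self.max_failures = max_failures
        self.failures = 0

    def verify(self, code: str) -> bool:
        if self.failures >= self.max_failures:
            return False              # throttled: locked until an out-of-band reset
        for candidate in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1   # resync; every earlier counter is now dead
                self.failures = 0
                return True
        self.failures += 1
        return False


if __name__ == "__main__":
    # RFC 4226 test secret, as an authenticator app would receive it.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("first codes:", [hotp(secret, c) for c in range(4)])
    server = HotpVerifier(secret)
    print("code 0 accepted:", server.verify("755224"))
    print("code 0 again:", server.verify("755224"))      # rejected: counter consumed
    print("code 3 (skipped 1, 2):", server.verify("969429"))
    print("code 1 late:", server.verify("287082"))       # rejected: behind the window
```

The look-ahead window is the trade-off to watch: it must be wide enough to absorb accidental button presses on the phone, but every extra position is one more code an attacker could guess against, which is why the throttle belongs next to it.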

Marnix Dekker (marnix.dekker@enisa.europa.eu)

Secure applications and services, ENISA

https://www.enisa.europa.eu/act/application-security
