www.enisa.europa.eu
Security… is there an app for that?
December 1st 2011, ECP EPN, The Hague
Dr. Marnix Dekker, CISA
ENISA
ENISA’s work on Smartphone security
o 2010: Smartphone security: Risks, opportunities and recommendations
o 2011: OWASP Mobile security project (ongoing)
o 2011: Appstore security: 5 lines of defense
o 2011: Smart access to the cloud (ongoing)
Risks
Zeus trojan
Lulz Security
Risks for users
1. Device loss leading to data leakage
2. Improper decommissioning
3. Unintentional data disclosure
4. Phishing attacks
5. Spyware
6. Network spoofing attacks
7. Surveillance attacks
8. Diallerware
9. Financial malware
10. Network congestion
Security opportunities
1. Sandboxing and capabilities
2. Controlled software distribution
3. Remote application removal
4. Backup and recovery
5. Extra authentication options
6. Extra encryption options
7. Platform diversity
Sample recommendation
2. Unintended disclosure of data
o The smartphone is loaded with personal data, and has sensors and network interfaces.
o Collecting meaningful consent is difficult
o Covert channels
o Photos may contain location data
o The address book may contain private data
o “I can stalk u” (smartphone version of “Please rob me”)
o The interface to privacy and security settings is not easy to use
Rootkit Keylogger on Smartphones
Droid Dream
o Malware disguised as popular apps (e.g. Super Guitar Solo).
o 200.000 downloads within days.
o Google used the kill-switch.
o Google’s security patches were re-posted with malware in them.
Using diallerware
o Diallerware for Windows Mobile
o Game demo on a shareware site
o Search for “3D anti terrorist dialler trojan”
o The trojan sleeps 31 days, then calls 5 numbers
o Satellite line, Antarctica, Africa, South America
o International premium numbers (short-stopped)
o Attacker spends 1 ct and receives 12 euro
Using banking malware
o Using Zitmo (thanks to S21sec)
o Attacker steals the online banking username and password using malware (ZeuS 2.x)
o Attacker infects the smartphone by sending an SMS with a link to Zitmo. The user must accept (‘Nokia update’).
o Attacker logs in with the stolen username and password, using the user's PC as a SOCKS proxy, and performs a banking transaction.
o An SMS with the authentication code is sent to the smartphone. Zitmo forwards the SMS to the attacker.
o Attacker fills in the SMS code and completes the transaction.
App-store security: 5 lines of defense
o Apple appstore
o Android market
o Amazon appstore
o Mozilla add-ons
o Google chrome store
o Windows phone 7
o …
o Many new app stores are being set up, e.g. for enterprises or for subscribers.
STRIDE and attack trees
[Figure: data flow diagram of the app store ecosystem (external entities, data stores, processes and data flows), next to an attack tree whose leaves are annotated with the lines of defence that counter them.]
Data flow diagram elements:
o External entities: I1 App developer; I2 App store controller; I3 Device user
o Data stores: D1 App store (app and metadata); D2 Local apps
o Processes: P1 Acceptance check; P2 Package and store app; P3 Revoke app; P4 Publish description and reputation of apps; P5 Publish apps; P6 Publish updates and revocations; P7 Accept comments or complaints; P8 Install, uninstall apps; P9 Periodic app check; P10 Execute app
o Data flows: app and metadata; approval of app; app descriptions and reputations; revocation of app; comment or complaint about app; App ID; new app; approval for installation, update, uninstallation; updated app; App ID of revoked or updated app; app name
Attack tree nodes:
o Get malicious code on the user device
o Keep malicious code on the user device
o Create malicious app
o Sell/distribute malicious app in appstore
o Circumvent app review
o Troll/falsify app reputation
o Bypass the appstore
o Exploit vulnerability in installed app
o Prevent detection by device user
o Prevent updates, app revocation
Lines of defence:
o A: App review
o R: Reputation mechanism
o K: App revocation (kill-switch)
o D: Device security
o J: Jails
The 5 layers of defence
1. Device security (sandboxes, permissions, …)
2. App review
3. App reputation (security aspects)
4. App revocation (aka kill switches)
5. Jails
o Distributed reputation for apps and app developers, across app stores?
Smart access to the cloud
o Passwords are cumbersome to use and often insecure
o Authentication with smartphones (Google Authenticator, HOTP, OATH)
o Ongoing work with various industry players (OpenID, Kantara, Google, Blackberry, eBay, Intel, …)
o Comparing pros and cons of authentication schemes:
  o Password authentication
  o Smartphone-based OTP
  o Mobile PKI (AKA/GBA)
  o App SSO (OAuth)
o User-friendly, cheap, more secure, strong authentication?
Marnix Dekker ([email protected])
Secure applications and services, ENISA
https://www.enisa.europa.eu/act/application-security