smart phone security ios system
DESCRIPTION
Apple iOS Platform Weakness & Some Tips to Great DefenseTRANSCRIPT
Smart Phone Security Apple iOS Platform Weakness
& Some Tips to Great Defense Jamil S. Alagha
Agenda
Introduction
Apple insufficiency (iOS Platform)
IOS Weaknesses Allow Attacks via Trojan Chargers
Apple acknowledges battery life issue
Jailbreaking
Related work
IPhone Smartphone Security
IPhone and iPod Location Spoofing
Apple developer digital signature
Attack Mitigation (View of Writer)
Applications
2 ©Jamil S. Alagha 2013
Introduction
Smartphones offer many more functions than traditional mobile
phones.
Such as iOS, Android, or Windows Mobile.
Most smartphones support Multimedia Message Service(MMS)
and include embedded sensors such as GPS, gyroscopes, and
accelerometers.
Smartphones and tablets, have been increasingly used for personal
and business purposes in recent years.
3 ©Jamil S. Alagha 2013
Introduction.
By Jan 2013, 500 millions of iOS devices had been
sold worldwide.
Apple’s iTunes App Store contained over 800,000
iOS third-party applications.
Apps had been downloaded for more than 40 billion
times.
4 ©Jamil S. Alagha 2013
IOS Weaknesses Allow Attacks via Trojan Chargers
Prototype of the malicious charger.
Mobile device will automatically begin the pairing process with the embedded computer within the charger.
It takes less than five seconds to install our payload, but installing the actual Trojan can take up to a minute depending on its size.
5 ©Jamil S. Alagha 2013
IOS Weaknesses Allow Attacks via Trojan Chargers
Attacks will become more difficult with Apple's coming update, iOS 7
Development versions of the operating system have asked the user for permission before syncing to another computer over USB
6 ©Jamil S. Alagha 2013
Apple acknowledges battery life issue
A manufacturing issue affecting “a very limited number” of its new flagship iPhone 5S handsets, Apple said.
Means some users will be experiencing longer-than-usual charge times or reduced battery life.
Suggesting the problem may have occurred during the assembly of the device rather than there being an issue with any of its various parts.
7 ©Jamil S. Alagha 2013
Apple acknowledges battery life issue
A user on Apple’s support pages
“When I go to sleep I put alarm on, close all apps, switch off the
sound, and put the device in airplane mode. When I wake up,
8h, the battery drains 10% or more,”
The user explained. “On the iPhone 4 this wasn’t an issue, max
1-2 percent….Why is this battery draining that fast with nothing
running”
8 ©Jamil S. Alagha 2013
Jailbreaking
("Jailbreaking") : unauthorized modifications to iOS bypass security features and can cause numerous issues to the hacked iPhone, iPad, or iPod touch.
9 ©Jamil S. Alagha 2013
Jailbreaking
("Jailbreaking") :
unauthorized modifications to iOS bypass security features and can cause numerous issues to the hacked iPhone, iPad, or iPod touch.
Security vulnerabilities :
Jailbreaking your device -> eliminates security layers.
Instability :
Frequent and unexpected crashes of the device, crashes and freezes of built-in apps and third-party apps .
Shortened battery life :
caused an accelerated battery drain that shortens the operation
10 ©Jamil S. Alagha 2013
Jailbreaking
Unreliable voice and data :
Dropped calls, slow or unreliable data connections, and delayed or inaccurate location data.
Disruption of services :
Third-party apps that use the Apple Push Notification Service have had difficulty receiving notifications
Inability to apply future software updates :
Some unauthorized modifications have caused damage to iOS that is not repairable
11 ©Jamil S. Alagha 2013
Related Work
IPhone Smartphone Security
IPhone and iPod Location Spoofing
Apple developer digital signature
12 ©Jamil S. Alagha 2013
IPhone and iPod Location Spoofing
Wi-Fi positioning system (WPS) from Skyhook, available for PCs (as a plugin)
13 ©Jamil S. Alagha 2013
Apple developer digital signature
Code signing is a security technology.
Benefits
when a piece of code has been signed, it is possible to determine reliably whether the code has been modified by someone other than the signer. The system can detect such alternation whether it was intentional (by a malicious attacker , for example) or accidental (as when a file gets corrupted).
14 ©Jamil S. Alagha 2013
Apple developer digital signature
Role in Code Signing: Trust
Trust is determined by policy . A security trust policy determines whether a particular identity should be accepted for allowing something, such as access to a resource or service.
15 ©Jamil S. Alagha 2013
Recommendation for Mitigation Of Attack
Apple’s current vetting and sandbox mechanisms have weaknesses which can be exploited by third-party applications to escalate their privileges and perform serious attacks on iOS users
User must management iPhone carefully when dealing with privacy .
On location service, apple’s user must turn of the location service like foursquare, find my iPhone and photo location.
In web browser, should be careful when dealing with pdf and image files, that may be contain a recall to another function API’s to alter user content.
16 ©Jamil S. Alagha 2013
Don’t Allow Jailbreaking
Bypasses the passcode in some cases
Removes some built-in security features
Can leave you vulnerable to third-party applications not vetted by Apple
Ensure third-party MDM solutions prevent Jailbreaking
For some reason Apple disabled the Jailbreak check API in iOS > 4.2 (mostly for liability reasons)
Address this in your mobile device policy
17 ©Jamil S. Alagha 2013
Applications
You might want to ensure some applications don’t get installed
• “Cloud” data storage applications
– DropBox
– Evernote
– Microsoft OneNote
What about iCloud?
Could your corporate data be floating in the cloud?
Do you have polices and procedures to address this?
18 ©Jamil S. Alagha 2013
Applications – third Party
19 ©Jamil S. Alagha 2013
Enable Remote Management
Enable FindMyPhone (MobileMe) at a minimum
– For very small deployments this could work
For true Enterprise level management you must use a third-party MDM
– Decide which type of enrollment is best for you
– Whitelist approach may be best
Allow only devices you have authorized (corporate owned?)
20 ©Jamil S. Alagha 2013
Keep iOS Up To Date
Always update and use the latest Apple iOS firmware
Many vulnerabilities are fixed
Security always is improving
21 ©Jamil S. Alagha 2013
Thanks for Your Time Questions ? E-mail me