android 8 oreo and ios 11 security updates: what you need to know
TRANSCRIPT
Android 8 “Oreo” & iOS 11 security updates: What you need to know
8X FASTER – 3X DEEPER – MOST TRUSTED
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
NowSecure #MobSec5: Weekly mobile security news update
SUBSCRIBE NOW: www.nowsecure.com/go/subscribe
AGENDA + SPEAKERS
Android 8 (“Oreo”)
▪ Google Play Protect
▪ App permissions changes
▪ WebView security enhancements
▪ Other Android 8 security quick hits
iOS 11 - available Sept. 19
▪ Password AutoFill
▪ FileProvider
▪ New barriers to unlocking phones
▪ Other iOS 11 security quick hits
Tony Ramirez, Mobile Security Analyst
Michael Krueger, Mobile Security Analyst
Android 8 “Oreo” Security Highlights
Google Play Protect
Malware scanning
▪ Scans and reports on apps on the device
▪ Will also scan unknown/side-loaded apps
SafetyNet Verify Apps API
▪ An app can query the apps on a device prior to executing
▪ And refuse to run if a known malicious app is found
Noteworthy app permissions changes
Install unknown apps (side-loaded apps)
▪ Replaces “Allow unknown sources”
▪ Required for sources other than trusted stores
▪ Defense against “hostile downloaders”
TYPE_APPLICATION_OVERLAY
▪ Stops apps from overlaying critical windows
▪ Fights against overlay malware
More granular granting of app permissions
▪ Entire permission groups no longer granted
▪ Automatically grants subsequent requests for additional permissions within the same group
(Screenshot: example unknown-app alert)
WebView security enhancements
Multi-process mode
▪ Isolates WebView from the app
▪ Prevents malicious content from accessing the app
▪ Good for security, but won’t fix every issue
Safe Browsing API
▪ Protection against known bad websites
▪ WebViews are easy to redirect and use for executing phishing attacks
(Screenshot: example Safe Browsing alert)
Other Android 8 Security Quick Hits
PROJECT TREBLE
▪ Creates a vendor interface in Android
▪ Makes the OS more modular
▪ Purpose is to make OEM updates faster & easier
▪ Hardware Abstraction Layers (HALs) limit media framework access to the kernel
NETWORK SECURITY
▪ HttpsURLConnection will not fall back to insecure versions of SSL/TLS
▪ Drops support for SSLv3
OS DOWNGRADE PROTECTION
▪ Prevents downgrading a device to a more vulnerable version of Android
DEVELOPER OPTIONS - PASSWORD
▪ Now requires a password for access
▪ Privileged access (e.g., debug mode, bootloader, developer tools)
SECCOMP FILTER
▪ Secure Computing (seccomp) filter applied to all apps
▪ System calls can expose the kernel to attack
iOS 11 Security Highlights
Password AutoFill
Features
▪ Existing iCloud Keychain & Safari AutoFill passwords available on the QuickType bar within apps
▪ Button on the right authenticates with Touch ID
Security
▪ Only presents credentials associated with the app
▪ Website associations stored in app entitlements
▪ The JSON file apple-app-site-association on the server side points to the allowed apps
(Screenshot: example Password AutoFill implementation)
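The association the slide describes is two-sided: the server's apple-app-site-association (AASA) document must list the app, and the app's associated-domains entitlement must list the site. The model below is an added example, not code from the deck or from Apple; the team ID, bundle ID and domain are constructed placeholders.

```python
import json

# Constructed sample of the AASA document a site serves over HTTPS at
# /.well-known/apple-app-site-association. The app ID is TEAMID.bundleid;
# both parts here are placeholders.
AASA_JSON = """
{
  "webcredentials": {
    "apps": ["ABCDE12345.com.example.shop"]
  }
}
"""

# Constructed sample of the app's associated-domains entitlement. Only the
# "webcredentials:" entries matter for Password AutoFill.
APP_ENTITLEMENTS = {
    "com.apple.developer.associated-domains": [
        "webcredentials:shop.example.com",
        "applinks:shop.example.com",
    ],
}


def server_allows_app(aasa_text: str, app_id: str) -> bool:
    """True if the server-side AASA lists app_id under webcredentials."""
    try:
        doc = json.loads(aasa_text)
    except json.JSONDecodeError:
        return False  # malformed or missing AASA: no association, fail closed
    apps = doc.get("webcredentials", {}).get("apps", [])
    return app_id in apps


def app_claims_domain(entitlements: dict, domain: str) -> bool:
    """True if the app's entitlement claims the domain for webcredentials."""
    claims = entitlements.get("com.apple.developer.associated-domains", [])
    wanted = f"webcredentials:{domain.lower()}"
    return any(c.lower() == wanted for c in claims)


def autofill_allowed(aasa_text: str, entitlements: dict,
                     app_id: str, domain: str) -> bool:
    """Credentials saved for domain are offered to app_id only when the
    app claims the domain AND the domain's server names the app."""
    return (app_claims_domain(entitlements, domain)
            and server_allows_app(aasa_text, app_id))
```

A second app with a different team or bundle ID cannot obtain the site's credentials merely by adding the domain to its own entitlement, because the server-side list does not name it.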
FileProvider Enhancements (new Files App)
▪ Organizes, shares, and opens documents connected to cloud storage via the Document Browser
▪ “On My <iPad/iPhone>” FileProvider
• Only local FileProvider
• Apps use it to expose local documents to other apps
▪ What data is saved, and which apps can save it, will be important
▪ Testing should evaluate the data stored and who can access it
(Diagram: File Providers, Document Browser UI, document-based app, cloud backend)
New barriers to unlocking phones
Emergency SOS Mode
▪ Activated by pressing the lock button 5 times
• Phone enters emergency mode
• SOS button
• Alerts emergency contacts to location
• Can auto-call emergency services
▪ Also locks down device
• Disables Touch ID (passcode required)
• Does NOT require you to actually call emergency services
“...handy if you're being mugged or arrested and don't want to be compelled to unlock your device.”
http://www.macworld.co.uk/how-to/iphone/how-use-sos-mode-on-iphone-3663371/
Other iOS 11 security quick hits
FACE RECOGNITION - IPHONE X
▪ Protected by Secure Enclave
▪ Requires user attention to unlock
▪ Photo alone won’t work to bypass
▪ Questions about privacy of data
OFFLOAD UNUSED APPS
▪ Delete an app from your phone, but save the data
▪ Data’s still there, will it be protected?
TLS CONNECTIONS
▪ Preliminary TLSv1.3 support
▪ TLSv1.2 now default
▪ 3DES no longer an approved cipher
▪ SHA1 no longer accepted
▪ RSA keys must be at least 2048 bits
LOCATION SERVICES
▪ More granularity about when apps can use them
▪ Blue bar displays when in use
SAFARI - TRACKING PREVENTION
▪ Intelligent tracking prevention (ITP)
▪ Cookies for tracking and re-targeting disabled after 24 hours & purged after 30 days
NATIVE SCREEN RECORDING
▪ Where will screen recordings reside?
▪ Malicious use of screen recordings
In action: Keeping up with the latest OS updates
BEST PRACTICE RECOMMENDATIONS
1. Recognize that every new OS release - big or small - can introduce new gaps and risks
2. Find a reputable source you can count on to keep you up to date
a. Sign up for NowSecure #MobSec5 at www.nowsecure.com/go/subscribe.
b. Read our blog at www.nowsecure.com/blog
3. Test existing apps on new OS versions to identify potential risks and gaps
4. Re-test apps when updates take advantage of new OS features to identify potential risks and gaps
5. Add a mobile app security testing platform to your app factory to test custom and 3rd-party apps
Case study: Global Entertainment Brand
● PAIN: Staying current on Android/iOS updates
● Mobile app security requirements service
● Continually updated best practices to account for the latest threats and versions of Android and iOS
“By the time we finished a draft of requirements specific to one version of iOS, Apple released the next one. We couldn’t keep up with the changes in iOS and also do the same for Android.”
— Security Engineer, Multi-billion Dollar Global Brand
As a global leader in high quality entertainment delivered through an array of channels, this brand harnessed the power of mobile technology early.
https://www.nowsecure.com/case-studies/mobile-app-security-program-for-global-entertainment-brand/
NOWSECURE PLATFORM for 360º COVERAGE OF MOBILE APP SECURITY TESTING
NowSecure INTELLIGENCE: AlwaysOn AppStore Cloud Analysis for EMM & Security teams
NowSecure AUTOMATED: OnDemand Fast Cloud Analysis for Dev, QA & Security teams
NowSecure WORKSTATION: Deep Pen Testing Analysis for Security Analysts
NowSecure SERVICES: Expert Pen Testing, Training & Programs for App Owners & Security teams