Making Android Enterprise Ready 1
Making Enterprise Ready
Sean Yarger Sr. Manager, Mobility and Identity
SYMANTEC VISION 2014
Enterprise Benefits of Android
Java-based, get up and running with ease
Open source, no license or royalties
Choice of distribution mechanisms
Inter-application and inter-process architectures for unified applications (enhanced UX)
Low cost of entry
Embeds better
Others?
Consumer
69.7% 20.9%
Enterprise
~77%
Security Concerns: Fragmentation
OS Fragmentation
Version         Codename             Distribution
2.2             Froyo                1.10%
2.3.3 - 2.3.7   Gingerbread          17.80%
3.2             Honeycomb            0.10%
4.0.3 - 4.0.4   Ice Cream Sandwich   14.30%
4.1.x           Jelly Bean           34.40%
4.2.x           Jelly Bean           18.10%
4.3             Jelly Bean           8.90%
4.4             KitKat               5.30%
Device Fragmentation Source: OpenSignal
599 Android Manufacturers
11,800+ Distinct Android Devices
Android Screen Real Estate Source: OpenSignal
iOS Screen Real Estate Source: OpenSignal
Fragmentation
Manufacturers fall behind Google’s reference release due to their own changes
Carriers can take months or even years to update the OS on their offered devices
Vulnerabilities get left unpatched on older versions
To COPE or not to COPE?
Security Concerns: Marketplaces
Android
Apple
Marketplaces
Android is a truly open OS
Curation is based mainly on categorization
Security is loose or non-existent
Google Play is the king of malware
Users don’t pay attention to app permissions
Vulnerabilities can cause actual performance issues and data loss -- not just minor inconveniences
Security Concerns: Malware
Mobile Threats
Android remains the platform of choice for malware authors
Mobile Threats: Malicious Code by Platform, 2013 (Source: Symantec)
Platform   Number of Threats   Percent of Threats
Android    57                  97%
Symbian    1                   2%
Windows    1                   2%
iOS        0                   0%
Mobile Malware
Creation of new mobile malware slowed as malware authors focused on improving existing malware
Average number of variants per family in 2012 was 1:38
Increased to 1:57 in 2013
[Chart: Average Number of Variants Per Family: 1:38 (2012), 1:57 (2013)]
Mobile Users at Risk
50% don’t use basic precautions such as passwords, security software or back up files for their mobile device
38% of smartphone users have experienced mobile cybercrime in past 12 months
Source: 2013 Norton Report
Mobile Security IQ
[Chart categories: delete suspicious emails from people they don’t know; have at least a basic free antivirus solution; avoid storing sensitive files online. Chart values: 72%, 90%, 78%, 56%, 48%, 33%]
Source: 2013 Norton Report
Mobile: A Dangerous Mix
1. Prevalence of mobile devices
2. Maturing of mobile malware
3. Mixing of work and personal information on devices
4. User’s lack of smart smartphone risk awareness
Mitigating Mobile Attacks
Application Management
• Secure data in corporate applications regardless of device ownership
Device Management
• Remotely wipe devices in case of theft or loss, control password policies
• Update devices with applications as needed without physical access
Device Security
• Guard mobile device against malware
• Prevent the device from becoming a vulnerability
Identity & Access Control
• Provide strong authentication and authorization for access to enterprise applications and resources
• Ensure safe access to enterprise resources from right devices with right postures
Secure File Sharing
• Enable encrypted file sharing to ensure security as users share information
Mitigation: Device Management
Why MDM [Alone] Doesn’t Solve the Problem
MDM being used to solve broader mobile challenges can bring unplanned challenges
• Diminished user privacy
• Managing personal devices = more overhead
• Cannot take targeted remediation; whole device or nothing
• “All or nothing” policies (ex: block Airdrop & iCloud)
• User experience is impacted
Mitigation: Identity & Access Control
Identity & Access Control
• Extend enterprise directories to Mobile (via SAML)
• Integrate CAs where applicable (devices, email, WiFi)
• Per-app VPNs
• 2FA
“We want to prove the user is who they say they are, and then give them access to business resources.”
Mitigation: Device Security
Advice About Android Threats
• An automated system for generating intelligence about mobile applications
– Security
• Identifying malware and goodware (trusted apps)
– Greyware Risks / Potentially Unwanted Apps (PUAs)
• Identifying privacy risks and annoyances (e.g. aggressive advertisements) in apps
– Performance
• Identifying how apps impact battery life and use cellular data
Scale
3 million+ Android apps
10 thousand new apps processed every 24 hours
2 hundred thousand malicious apps identified
1.5 million apps identified with greyware/PUA risks
200+ app stores crawled continuously
Android Threats - Ratings
• Security Ratings
• Greyware Ratings (potentially unwanted app behaviors)
• Performance Ratings
Score >= 100 Known Good (Trusted App)
Score >= 75 High-Confidence Good (Trusted App)
Score >= 50 Medium-Confidence Good
Score >= 1 Low-Confidence Good
Score <= -1 Low-Confidence Bad
Score <= -25 Medium-Confidence Bad
Score <= -75 High-Confidence Bad
Score <= -100 Known Bad
Sample Ratings (Example #1)
com.rovio.angrybirds v. 3.0.0 SHA256: 89EE8ADD0221029E609D…
Security Rating
Score +80 (Trusted App)
Application First Seen: 2009-03-05 Popularity: Millions of downloads
Signer (Publisher)
First Seen: 2009-03-05 Popularity: Millions of downloads
Greyware Risks
Exports IMEI to www.cooguo.com
Exports device info to www.cooguo.com
Exports settings info to data.flurry.com
Displays ads in the app (AdMob, Burstly, InMobi)
Collects location coordinates (InMobi)
Performance Rating
Foreground 50 (Moderate Usage)
Background 18 (Low Usage)
Cellular Bandwidth Usage
50 (Average)
Sample Ratings (Example #2)
com.tcn_app_newstype v1.1 SHA256: C2701E8F35F1F52801351…
Security Rating
Score +10 (Low-Confidence Good)
Application First Seen: 2011-05-04 Popularity: 100s of downloads
Signer (Publisher)
First Seen: 2011-05-04 Popularity: 100s of downloads
Greyware Risks
Exports call logs to 124.243.125.55
Exports contacts to 124.243.125.55
Exports location to 124.243.125.55
Can export phone number
Can export IMEI
Performance Rating
Foreground 20 (Low Usage)
Background 50 (Medium Usage)
Cellular Bandwidth Usage
70 (Higher than Average)
Sample Ratings (Example #3)
net.oking.newcommon v1.0 SHA256: 8476A358C3EB393E86AB…
Security Rating
Score -110 (High-Confidence Malware)
Application First Seen: 2010-03-15 Popularity: 50,000 – 250,000
Signer (Publisher)
First Seen: 2010-03-15 Popularity: 50,000 – 250,000
Attributes: Uses an exploit; Uses premium services
Greyware Risks
Sends SMS messages
Exports settings info to androids-market.ru
Exports SMS message history
Performance Rating
N/A
Mitigation: Application Management
Containerization and Wrapping
• Done in one of three ways:
1. Encrypted Sandbox
2. Hypervisor
3. Wrapping
• Isolates and encrypts
• Per app container
• Allows/disallows OS or app access in/out of the container
• Most require code edits
• Important!
– Solution re-signs app w/out code change
– No rooting or jailbreaking required
– Integrated access control
• Containerization • App Wrapping
Containerization and Wrapping
• Done in one of three ways:
1. Encrypted Sandbox
2. Hypervisor
3. Wrapping
– Authentication Required (SSO)
– Allow Local Storage
– Offline Access
– Run on rooted?
– Copy/paste
– Restrict network
• Containerization • App Wrapping
Android App Stores
Apple
Enterprise App Store
Mitigation: Secure File Sharing
Share Files Securely Anytime, Anywhere
Secure File Sharing (no really)
Secure Authentication
• SAML support provides strong, certificate-based authentication
• Single Sign-On (SSO) avoids having separate login credentials
Encryption Management
• Multiblind Key Encryption (MBKE)
• Companies manage their own keys
Application Management
Device Management
Device Security
Identity & Access Control
Secure File Sharing