www.enisa.europa.eu
Security… is there an app for that?
December 1st 2011, ECP EPN, The Hague Dr. Marnix Dekker, CISA
ENISA
ENISA’s work on Smartphone security
o 2010: Smartphone security: Risks, opportunities and recommendations
o 2011: OWASP Mobile security project (ongoing)
o 2011: Appstore security: 5 lines of defense
o 2011: Smart access to the cloud (ongoing)
Risks
Zeus trojan
Lulz Security
Risks for users
1. Device loss leading to data leakage
2. Improper decommissioning
3. Unintentional data disclosure
4. Phishing attacks
5. Spyware
6. Network spoofing attacks
7. Surveillance attacks
8. Diallerware
9. Financial malware
10. Network congestion
Security opportunities
1. Sandboxing and capabilities
2. Controlled software distribution
3. Remote application removal
4. Backup and recovery
5. Extra authentication options
6. Extra encryption options
7. Platform diversity
Sample recommendation
2. Unintended disclosure of data
o The smartphone is loaded with personal data, sensors and network interfaces.
o Collecting meaningful consent is difficult
o Covert channels
o Photos may contain location data
o Address book may contain private data
o “I can stalk u” (smartphone version of “Please rob me”)
o Interface to privacy and security settings is not easy
Rootkit Keylogger on Smartphones
Droid Dream
o Malware disguised as popular apps (e.g. Super Guitar Solo).
o 200,000 downloads within days.
o Google used the kill-switch
o Google’s security patches were re-posted with malware in them.
Using diallerware
o Diallerware for Windows Mobile
o Game demo on a shareware site
o Search for “3D anti terrorist dialler trojan”
o The trojan sleeps 31 days, then calls 5 numbers
o Satellite line, Antarctica, Africa, South America
o International premium numbers (short-stopped)
o The attacker spends 1 cent and receives 12 euro
Using banking malware
o Using Zitmo (thanks to S21sec)
o The attacker steals the online username and password using malware (ZeuS 2.x)
o The attacker infects the smartphone by sending an SMS with a link to Zitmo. The user must accept (‘Nokia update’).
o The attacker logs in with the stolen username and password, using the user's PC as a SOCKS proxy, and performs a banking transaction.
o An SMS with the authentication code is sent to the smartphone. Zitmo forwards the SMS to the attacker.
o The attacker fills in the SMS code and completes the transaction.
App-store security: 5 lines of defense
o Apple appstore
o Android market
o Amazon appstore
o Mozilla add ons
o Google chrome store
o Windows phone 7
o …
o Many new app stores are being set up, for enterprises, subscribers.
STRIDE and attack trees
(Diagram slide; only the labels survived extraction.)
Data flow diagram of the app store ecosystem:
o Interactors: I1 App developer, I2 App store controller, I3 Device user
o Data stores: D1 App store (app and metadata), D2 Local apps
o Processes: P1 Acceptance check, P2 Package and store app, P3 Revoke app, P4 Publish description and reputation of apps, P5 Publish apps, P6 Publish updates and revocations, P7 Accept comments or complaints, P8 Install, uninstall apps, P9 Periodic app check, P10 Execute app
o Data flows: new app; app and metadata; approval of app; app descriptions and reputations; comment or complaint about app; app ID of revoked or updated app; revocation of app; updated app; approval for installation, update, uninstallation; app name; app ID
Attack tree nodes:
o Get malicious code on the user device
o Keep malicious code on the user device
o Sell/distribute malicious app in appstore
o Bypass the appstore
o Exploit vulnerability in installed app
o Create malicious app
o Circumvent app review
o Troll/falsify app reputation
o Prevent detection by device user
o Prevent updates, app revocation
Lines of defence (letters annotated on the tree’s leaves):
o A App review
o R Reputation mechanism
o K App revocation (kill-switch)
o D Device security
o J Jails
The 5 layers of defence
1. Device security (sandboxes, permissions, …)
2. App review
3. App reputation (security aspects)
4. App revocation (aka kill switches)
5. Jails
o Distributed reputation for apps and app developers, across app stores?
Smart access to the cloud
o Passwords are cumbersome to use and often insecure
o Authentication with smartphones (Google Authenticator, HOTP, OATH)
o Ongoing work with various industry players (OpenID, Kantara, Google, Blackberry, eBay, Intel, …)
o Comparing pros and cons of authentication schemes
  o Password authentication
  o Smartphone-based OTP
  o Mobile PKI (AKA/GBA)
  o App SSO (OAuth)
o User-friendly, cheap, more secure, strong authentication?
Marnix Dekker ([email protected])
Secure applications and services, ENISA
https://www.enisa.europa.eu/act/application-security