Cloud Security Alliance
Top Threats to
Mobile Computing
July 2012
CLOUD SECURITY ALLIANCE Top Threats to Mobile Computing
SECTION 1: TABLE OF CONTENTS
SECTION 1: TABLE OF CONTENTS
SECTION 2: CLOUD SECURITY ALLIANCE TOP THREATS TO MOBILE COMPUTING
2.1 Introduction
2.2 Project Timeline
2.3 Candidate List 4
2.4 Evil 8: Top Threats to Mobile
2.4.1 Insecure or Rogue Marketplaces
2.4.2 Data Loss from Stolen, Lost, or Decommissioned Devices
2.4.3 Information Stealing Malware
2.4.4 Insecure WIFI / Network Access / Rogue Access Points
2.4.5 Insufficient Access to APIs, Management Tools, and Multi-Personas
2.4.6 Data Loss / Data Leaking Through Poorly Written Applications
2.4.7 Vulnerabilities in Hardware, OS, Applications, 3rd-Party Apps
2.4.8 NFC / Proximity-Based Hacking
© Copyright 2012 Cloud Security Alliance. All rights reserved.
SECTION 2: CLOUD SECURITY ALLIANCE TOP THREATS TO MOBILE COMPUTING
2.1 Introduction
The Cloud Security Alliance (CSA) currently has a working group dedicated to tracking and reporting on the top X
threats to the cloud. That project is currently working on revision 3. When version 3 was discussed, many cases
came up around the use and integration of mobile devices into the cloud.
Subsequently, CSA decided to add a new working group around mobility. Because of the adoption of mobile devices
and their immediate connection to cloud computing, we thought it was relevant to create a “Top Threats to
Mobility” in addition to the current “Top Threats to the Cloud.”
For this version, we are restricting the framework to Internet-connected devices that predominantly connect
over cellular access networks such as 3G and 4G. We made a conscious decision not to include laptops
with cellular access, Chromebooks, or other similar devices. This may change in the future.
In this version we are focusing on smartphones and tablets. The audience is information security professionals.
2.2 Project Timeline
March 1: Project launch
April: Working group call for volunteers
May: Basecamp forum discussions
May 15: Version 1 draft request for comments
June 1: Version 2 draft
July 1: Final presentation due
July 15: Survey released
July 28: BlackHat public launch
2.3 Candidate List 4
Data Loss from lost, stolen, or decommissioned devices
Insecure or Rogue marketplaces
Information stealing mobile malware
Rogue access points
Insecure Wi-Fi and network access
Digital Wallet attacks
Insufficient management tools, capabilities, and access to APIs
Data Loss / Data Leakage through 3rd-party apps
Eavesdropping due to lack of encryption
Weak authentication protocols
Vulnerabilities within devices, OS, design, 3rd-party applications
Poorly written applications that do not properly secure critical data
Lack of persona controls may lead to data leakage, misconfiguration, or privileged access
Compromise of marketplace(s) resulting in mass infection
Network bridging circumvents policy and security
Data Loss from lost, stolen, or decommissioned devices (1)
Insecure or Rogue marketplaces (2)
Information stealing mobile malware (3)
Rogue access points (4)
Insecure Wi-Fi and network access (4)
Digital Wallet attacks (5)
Insufficient management tools, capabilities, and access to APIs (6)
Data Loss / Data Leakage through 3rd-party apps (7)
Eavesdropping due to lack of encryption (4)
Weak authentication protocols (8)
Vulnerabilities within devices, OS, design, 3rd-party applications (9)
Poorly written applications that do not properly secure critical data (7)
Lack of persona controls may lead to data leakage, misconfiguration, or privileged access (10)
Compromise of marketplace(s) resulting in mass infection (drop)
Network bridging circumvents policy and security (11 or perhaps 4)
2.4 Evil 8: Top Threats to Mobile
Insecure or Rogue marketplaces
Data Loss from lost, stolen, or decommissioned devices
Information stealing mobile malware
Insecure Wi-Fi, network access, and rogue access points
Insufficient management tools, capabilities, and access to APIs (includes personas)
Data Loss / Data Leakage through poorly written 3rd-party apps
NFC and proximity-based hacking
Vulnerabilities within devices, OS, design, 3rd-party applications
2.4.1 Insecure or Rogue Marketplaces
2.4.1.1 Overview of Threat
Android devices in particular have many options for application
downloads and installations. Unlike Apple iDevices, which need to be
jailbroken, Android devices let users easily choose to download and
install apps from 3rd-party marketplaces other than the official one
supplied by Google. To date, the majority of malicious code distributed
for Android has been distributed in these 3rd-party app stores,
predominantly in Asia. Additionally, there have been illegitimate sites
that look like app stores but are not.
2.4.1.2 Threat Example
TigerBot is a bot designed to gather confidential data from the phone; once installed, it is controlled over
SMS. It has been discovered on several marketplaces in Asia.
2.4.1.3 Threat Level
High: Android malware in particular is being distributed through these marketplaces more and more frequently.
2.4.2 Data Loss from Stolen, Lost, or Decommissioned Devices
2.4.2.1 Overview of Threat
Mobile devices are with us wherever we go and are getting
more powerful and smarter over time. As a result, users can
lose them, or have them taken, without realizing it until
too late. Additionally, weak passwords, no passwords, and
little or no encryption could lead to leakage of the data
on the devices. Users may also sell or throw out devices
without understanding the risk of the data being taken.
2.4.2.2 Threat Example
1. 96 percent of lost smartphones were accessed by the finders of the devices;
2. 89 percent of devices were accessed for personal related apps and information;
3. 83 percent of devices were accessed for corporate related apps and information;
4. 70 percent of devices were accessed for both business and personal related apps and information;
5. 50 percent of smartphone finders contacted the owner and provided contact information.
2.4.2.3 Threat Level
This is a current threat that happens frequently and is a top concern across
executives and IT admins.
2.4.3 Information Stealing Malware
2.4.3.1 Overview of Threat
Android devices in particular have many options for application
downloads and installations. Unlike Apple iDevices, which need
to be jailbroken, Android devices let users easily choose to
download and install apps from 3rd-party marketplaces other
than the official one supplied by Google. To date, the majority
of malicious code distributed for Android has been distributed in
these 3rd-party app stores, predominantly in Asia. Additionally,
there have been illegitimate sites that look like app stores
but are not.
2.4.3.2 Threat Example
One of the most prevalent pieces of malicious code for Android is called “Zitmo.” This is a mobile version of the
Zeus malware, which is designed to steal information from the device.
2.4.3.3 Threat Level
High: Android malware in particular is becoming a more popular attack surface for criminals who traditionally
have used PCs as their platforms.
2.4.4 Insecure WIFI / Network Access / Rogue Access Points
2.4.4.1 Overview of Threat
Insecure Wi-Fi has been around for years. However, as more users are mobile and data plans become more limited,
users will increasingly use Wi-Fi in public locations. The number of locations that provide Wi-Fi, in particular
free Wi-Fi, has exploded over the last few years. This has increased the attack surface for users who connect to
these networks. There have been hotel hacks, open rogue access points installed, and eavesdropping cases
throughout the last year.
2.4.4.2 Threat Example
Firesheep, Hotel Hacking, Airport hacks, etc.
2.4.4.3 Threat Level
High: Firesheep was a perfect example of how one could gain access to data through public unsecured Wi-Fi.
2.4.5 Insufficient Access to APIs, Management Tools, and Multi-Personas
2.4.5.1 Overview of Threat
Giving users and developers access to some of the low-level functions of devices is a double-edged sword, as
attackers, in theory, could also have that access. However, denying trusted developers access to system-level
functions could lead to insufficient security. Additionally, most smartphone and tablet operating systems
today offer little, if any, guest access or user status. This means that all usage is in the context of the admin,
so there is too much access.
2.4.5.2 Threat Example
An anti-virus vendor may not have the ability to read programs in memory for real-time protection, leading to
malicious code being run. Additionally, a user may simply leave their phone unlocked, which allows anyone
with access to it to read and modify all information on the phone, including configuration settings.
2.4.5.3 Threat Level
Medium
2.4.6 Data Loss / Data Leaking Through Poorly Written Applications
2.4.6.1 Overview of Threat
Applications for smartphones and tablets have grown exponentially on iOS and Android. Although the main
marketplaces have security checks, it can be a numbers game and certain features may be subjective.
Unfortunately, all too often the applications either ask for too much access to data or simply gather
more data than they need or than they advertise.
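Added example (not part of the original CSA document): one way a reviewer might check for the over-requesting described above, by comparing the permissions an Android app declares in its AndroidManifest.xml with those its advertised features justify. The sample manifest, the feature names, and the feature-to-permission map are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumption: a reviewer-maintained map from advertised feature to the permissions it justifies.
FEATURE_PERMISSIONS = {
    "network": {P + "INTERNET", P + "ACCESS_NETWORK_STATE"},
    "show_calendar": {P + "READ_CALENDAR"},
    "sync_contacts": {P + "READ_CONTACTS"},
}

# Permissions that expose personal or corporate data held on the device.
SENSITIVE = {P + n for n in ("READ_CONTACTS", "READ_CALENDAR", "READ_SMS", "SEND_SMS",
                             "ACCESS_FINE_LOCATION", "RECORD_AUDIO", "READ_PHONE_STATE")}

# Constructed sample manifest for a hypothetical note-taking app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def audit(manifest_xml, advertised_features):
    """Split permissions not justified by the advertised features into sensitive and other."""
    requested = requested_permissions(manifest_xml)
    justified = set()
    for feature in advertised_features:
        justified |= FEATURE_PERMISSIONS.get(feature, set())
    excess = requested - justified
    return {
        "excess_sensitive": sorted(excess & SENSITIVE),
        "excess_other": sorted(excess - SENSITIVE),
    }

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, ["network", "show_calendar"])
    for kind, perms in report.items():
        print(kind, perms)
```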
2.4.6.2 Threat Example
Recently LinkedIn got in some hot water over privileged access to calendar data within their iPad app.
2.4.6.3 Threat Level
Medium: Although this can happen and has happened across both iDevices and Android devices, it has been in small
numbers. Additionally, high-profile cases are prompting more checks and giving caution to developers and app
stores alike.
2.4.7 Vulnerabilities in Hardware, OS, Applications, 3rd-Party Apps
2.4.7.1 Overview of Threat
Mobile hardware, OS, applications and 3rd-party apps contain defects (vulnerabilities)
and are susceptible to exfiltration and/or injection of data and/or malicious code
(exploits).
2.4.7.2 Threat Example
Exponential growth in mobile malware, hardware that sends data back to manufacturer, weak coding techniques
easy to exploit by criminals (unsafe sensitive data storage/transmission, hardcoded password/keys, data leakage)
in 3rd-party apps and most likely in applications.
2.4.7.3 Threat Level
Medium: Although the threat is high, the number of exploits in the wild is still not.
2.4.8 NFC / Proximity-Based Hacking
2.4.8.1 Overview of Threat
Near field communication (NFC) is being built directly into phones, predominantly as a means to make
payments. Because of the value of the information being transmitted, it is likely to be a target of attackers in the future.
2.4.8.2 Threat Example
Drive-by payment, whereby, based on your physical location, the attacker can receive currency from your
smartphone (also known as a digital wallet).
2.4.8.3 Threat Level
Low: Still proof of concept.