Card Forum and Expo – Ensuring Security on Mobile Devices – May 2012
The following presentation was delivered by Ted Eull at the 24th Annual Card Forum and Expo in Orlando, FL on May 11, 2012. For more information about the UK Channel 4 News Special regarding contactless credit cards, please visit the following blog entry.
Slide List
Ensuring Security on Mobile Devices
It is possible… right?
Topics
About viaForensics
Why mobile security matters
Types of security breaches and fraud
Anticipated evolution of attacks
Common mistakes that developers make
How to anticipate and prevent security flaws
Conclusion
About viaForensics
I’m not Andrew Hoog
Mobile security, forensics researchers
Key tech leaders: Hoog, Cannon, Zdziarski
Books, trainings, research papers, news, congressional staff briefing
Key products and services: appSecure, liveForensics, AFLogical, viaExtract, and Santoku
Why Mobile Device Security Matters
Necessity of security – given
Importance and growth of mobile
• Fed study: 20% used mobile banking in 2011, up to 30% will use mobile banking by 2013 (Source.)
Why Mobile Device Security Matters
Problems in mobile security to date
• Rapid growth with little security
• Trojan/malicious apps, phishing/smishing
• Perception – many consumers unsure
Potential for much greater harm
• Worm or one-click exploit, widespread infection
• Rapid increased adoption + platforms in flux
• Potential for pervasive, undetected theft of data
Near-field Data Heist
Contactless Credit Cards
Problem
Stories from Channel 4, BBC Watchdog
Card info used to make purchases from Amazon UK
Not a new problem, but mobiles facilitate exploit
Illustrates how ease of use can introduce security risk
Google Wallet Problems
Google Wallet leverages NFC on some devices
Connects to credit, prepaid cards
Leverages “secure element” on device
Significant growing pains so far:
• viaForensics found excess private data stored
• Zvelo cracked user PIN
• Thesmartphonechamp found prepaid card problem
Mobiles as a Target of Attack
Mobile is different
• NAND memory
• New mobile OS’s, frequent updates
• Traverse more networks, install more apps
Mobile devices are a target
• Rich target handling banking, email, GPS, PII, PHI
• Both personal and corporate data
• Highly connected and can store large datasets
• Security standards, tools still emerging
Anatomy of a Mobile Attack / Categories of Cyber Attacks / Types of Breaches
Lost or stolen device
Phishing/Smishing
Clickjacking
Trojan or malicious apps
Man-in-the-middle
Man-in-the-mobile
Worm
Security Breach Accounting
Source: 2012 Data Breach Investigations Report (DBIR), Verizon with the US Secret Service (USSS) and foreign law enforcement
Evolution of Attacks
Platforms have been compromised repeatedly
The quantity and value of information stored and transacted on mobiles is rapidly increasing
Attacks follow the money
Experts anticipate growth in both broad and targeted attacks on mobile
Reality Check
It’s about the DATA
• Most data is handled by apps
• Ergo, it’s about the APPS
App security is mobile security
Don’t we trust device passcodes and encryption?
» No
Device Security?
viaForensics’ Mobile Security Risk Report
First line of defense
• Complex passcodes
• Keychain data protection
• Remote wipe
But secure sensitive data at the app level, and assume a hostile environment
Do not rely solely on platform security
Apps: Common Problems
Authentication: authentication bypass, lack of multi-factor, session state vulnerability
Insecure data on device: caching, logging, stored without encryption, improper encryption, iOS keychain
Network issues: improper SSL or storage encryption, MITM vulnerability, SSLstrip
Service/server vulnerability: brute force susceptible, server resource exposure, lack of server-side validation
Code vulnerabilities: reverse engineering, debugging
Widespread iOS Infection Demo
Demonstrates risk to apps on iOS platform
• Discovered by Jonathan Zdziarski
• Not a way to infect; but steal important data from many apps
• iOS foundation classes hijacked
• Most apps’ sensitive data vulnerable
One attack could steal credentials and more
Potential for pervasive data theft across apps
Secure Mobile App Development
Yes, there is such a thing
Takes more time, skill and money than the alternative
Focus on security before, during and after development
• Education is key
• Testing is key
Recommendations
Integrate security from design phase
Maintain traditional security controls
Attack your apps
• Test like black hat
• Test after updates (platform, app)
• Use latest mobile techniques and tools
Anticipate and Prevent
Anticipate attacks
• Expect your app to be reverse engineered
• Expect your back-end services to be attacked
• Expect your users to be targeted & devices compromised
Prevent damage
• Prevent your data from being exposed
• Prevent your app from being compromised
• Prevent attackers from gaining elevated access
Education Resources
Secure mobile development resources are increasing
Industry technical training
• viaForensics/CompTIA certification
• OWASP resources
Mobile security books
• Zdziarski, Hoog, others
Secure Mobile Dev: 42+ Best Practices
FREE Report: https://viaforensics.com/42bp
• Avoid insecure data caching
• Avoid simple logic
• Be aware of the keyboard cache
• Properly validate SSL/TLS
• iOS-specific issues
• Android-specific issues
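The "Apps: Common Problems" slide (insecure data on device, improper SSL) and the best-practices bullets above (insecure caching, keyboard cache, SSL/TLS validation) describe the same handful of app-level mistakes. The following Android/Java example is added here to show them concretely; it is not code from the deck or from viaForensics, and the class, tag and method names are hypothetical. Each insecure pattern sits beside the hardened form a developer should ship instead.

```java
// Added example (not from the viaForensics deck): Android app-level patterns for
// three best-practice bullets: insecure caching/logging, the keyboard cache, and
// SSL/TLS validation. Class name, log tag and method names are hypothetical.
import android.content.Context;
import android.content.SharedPreferences;
import android.text.InputType;
import android.util.Log;
import android.widget.EditText;

import java.io.IOException;
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class MobileAppHardening {

    private static final String TAG = "BankApp"; // hypothetical log tag

    // --- Insecure data on device: logging and caching ---------------------------

    // INSECURE: the password lands in logcat (readable by other apps on Android
    // versions of the era and by anyone with a USB debug connection) and is then
    // cached in a world-readable preferences file.
    static void loginInsecure(Context ctx, String user, String password) {
        Log.d(TAG, "login user=" + user + " pass=" + password);
        SharedPreferences prefs =
                ctx.getSharedPreferences("session", Context.MODE_WORLD_READABLE);
        prefs.edit().putString("password", password).commit();
    }

    // HARDENED: log nothing secret or identifying, never persist the password,
    // and keep only a short-lived session token in private-mode preferences.
    static void loginHardened(Context ctx, String sessionToken) {
        Log.d(TAG, "login attempt"); // no credential, no account identifier
        SharedPreferences prefs =
                ctx.getSharedPreferences("session", Context.MODE_PRIVATE);
        prefs.edit().putString("session_token", sessionToken).apply();
    }

    // --- Keyboard cache ---------------------------------------------------------

    // Password and card-number fields must not feed the keyboard's autocomplete
    // dictionary; the password variation plus NO_SUGGESTIONS keeps them out of it.
    static void configureSensitiveField(EditText field) {
        field.setInputType(InputType.TYPE_CLASS_TEXT
                | InputType.TYPE_TEXT_VARIATION_PASSWORD
                | InputType.TYPE_TEXT_FLAG_NO_SUGGESTIONS);
    }

    // --- SSL/TLS validation -----------------------------------------------------

    // INSECURE: a TrustManager that accepts every certificate plus a verifier that
    // accepts every host name. This is the "improper SSL" finding: any network
    // attacker in the path can present their own certificate and read the traffic.
    static HttpsURLConnection openInsecure(URL url) throws Exception {
        TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, trustAll, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(sc.getSocketFactory());
        conn.setHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) { return true; }
        });
        return conn;
    }

    // HARDENED: refuse anything that is not https (so an SSLstrip-style downgrade
    // to plain http fails closed) and leave the platform's default trust store and
    // hostname verifier in place. Not overriding them is the whole fix.
    static HttpsURLConnection openHardened(URL url) throws IOException {
        if (!"https".equals(url.getProtocol())) {
            throw new IOException("refusing non-TLS URL: " + url);
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // No custom SSLSocketFactory, no custom HostnameVerifier: the system CA
        // store validates the chain and the default verifier checks the host name.
        conn.setConnectTimeout(10000);
        return conn;
    }
}
```

In an assessment, the `trustAll` and `verify(...) { return true; }` shapes in `openInsecure` are exactly what a reviewer greps a decompiled app for, and `MODE_WORLD_READABLE` plus secrets in `Log.*` calls are the usual signs of the "insecure data on device" category; the hardened methods show that the fix is mostly removing code rather than adding it.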
Testing Resources
Internal
• Train existing security engineers
• Santoku Linux Project
External
• Specialized mobile app security assessment
• viaForensics appSecure
• Find mobile expertise
Expert, red team mobile assessment
Back to that Fed Study
Consumers’ perception that mobile banking and mobile payments are insecure is currently one of the primary impediments to adoption. If consumers’ perception of security issues changes—whether due to actual or perceived improvements—adoption rates may significantly increase.
Conclusion
There is great benefit in mobile for enterprises and consumers, but
• Mobile attacks are likely to increase
• Mobile security has been bumpy
• Consumer trust of mobile security is not strong
Secure mobile development is key
• Education and testing
• Anticipate and prevent
• Raise the standard and assure consumers