Security in a BYOD Era – Webinar Questions and Answers

Presented on April 17, 2012

Attendees of our webinar Security in a BYOD Era: Can Forensics Make the Case? submitted some great questions during the presentation, only a few of which were addressed in the time allotted.

Here is the Q&A for those who attended or are interested in the topic:

Q: Will the presentation be available for download? How about the webinar itself? A: Yes, you can view and download the presentation here.

Good Technology has also posted the webinar recording online here (requires registration).

Q: You’ve focused on the device itself but what can be done to secure backups, such as those automatically created by iTunes for instance? The backup can contain a great deal of information and, even if encryption is applied, the backup is subject to cracking. Interested in your thoughts. Great information here.

A: Securing local iTunes backups is challenging. As you mentioned, an encrypted backup can be attacked by brute-forcing the backup password; a long, complex password increases the time required, but the passwords people actually choose are often fairly trivial to recover. Advances in consumer GPU technology are making these attacks dramatically faster. A further drawback is that when an iTunes backup is encrypted, iOS includes the keychain protected by the backup password rather than by the device-bound hardware key, so that credentials can be moved to a new device. The rationale is that the backup itself is encrypted, but the reality is that whoever cracks the backup password also recovers some of your most sensitive data: the stored credentials.

So, in general, we recommend that corporate devices not be allowed to make local iTunes backups. If you decide to allow backups, we recommend storing them on a corporate server and not allowing employees (even if only by policy) to back up data at home.

There are other options individuals or small groups might consider (such as storing the iTunes backup in a TrueCrypt volume); however, these solutions typically do not scale to the enterprise.

So, the most secure approach is to avoid local backups.
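As an added example (not viaForensics code, and not part of the original post), here is a small audit script a desktop administrator could run to find local iTunes backups on a machine and report which ones are unencrypted. It reads the IsEncrypted flag and the Lockdown device fields that iTunes writes to each backup's Manifest.plist; the default search roots are the standard MobileSync locations on macOS and Windows. The demo builds a constructed backup directory in a temporary folder so it runs offline.

```python
"""Audit a machine for local iTunes backups and report which are unencrypted.

Added example, not viaForensics code. Reads the IsEncrypted flag and the
Lockdown device fields from Manifest.plist in each backup directory. The
default roots are the standard MobileSync locations on macOS and Windows.
"""
import os
import plistlib
import tempfile
from pathlib import Path

DEFAULT_BACKUP_ROOTS = [
    Path.home() / "Library/Application Support/MobileSync/Backup",            # macOS
    Path(os.environ.get("APPDATA", "")) / "Apple Computer/MobileSync/Backup",  # Windows
]


def read_manifest(backup_dir: Path) -> dict:
    """Summarise one backup directory, or return {} if it has no Manifest.plist."""
    manifest = backup_dir / "Manifest.plist"
    if not manifest.is_file():
        return {}
    with manifest.open("rb") as fh:
        data = plistlib.load(fh)
    lockdown = data.get("Lockdown", {})
    return {
        "udid": backup_dir.name,                       # directory name is the device UDID
        "device": lockdown.get("DeviceName", "?"),
        "ios": lockdown.get("ProductVersion", "?"),
        "encrypted": bool(data.get("IsEncrypted", False)),
    }


def audit_backups(roots=None) -> list:
    """Return a summary for every backup found under the given roots."""
    findings = []
    for root in roots or DEFAULT_BACKUP_ROOTS:
        if not root.is_dir():
            continue
        for child in sorted(root.iterdir()):
            summary = read_manifest(child) if child.is_dir() else {}
            if summary:
                findings.append(summary)
    return findings


def policy_violations(findings, allow_encrypted=False) -> list:
    """Under a 'no local backups' policy every backup is a finding; with
    allow_encrypted=True only unencrypted backups are flagged."""
    return [f for f in findings if not (allow_encrypted and f["encrypted"])]


def make_sample_backup(root: Path, udid: str, encrypted: bool, name: str) -> Path:
    """Constructed fixture: a minimal Manifest.plist shaped like the one iTunes writes."""
    backup = root / udid
    backup.mkdir(parents=True)
    with (backup / "Manifest.plist").open("wb") as fh:
        plistlib.dump({"IsEncrypted": encrypted,
                       "Lockdown": {"DeviceName": name, "ProductVersion": "5.1"}}, fh)
    return backup


def demo() -> list:
    """Run the audit against two constructed backups in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_backup(root, "a" * 40, False, "Alice's iPhone")
        make_sample_backup(root, "b" * 40, True, "Bob's iPad")
        return audit_backups([root])


if __name__ == "__main__":
    for finding in demo():
        status = "encrypted" if finding["encrypted"] else "UNENCRYPTED"
        print(f"{finding['udid'][:8]}  {finding['device']:<16} iOS {finding['ios']}  {status}")
```

Run it without arguments to audit the current user's real backup folders; the temp-directory demo only shows the expected output shape. Remember that even the "encrypted" results are only as strong as the backup password, which is the point made above.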

Q: In general, I’d like details on security weaknesses on BYODs. Thanks. A: As discussed in the presentation, the primary security issue with BYOD centers on the corporation losing control of its data. Many solutions are being heavily marketed, but we have often found that they do not provide sufficient security controls.

We recommend first understanding what data will reside on the device, mapping out a threat model (see our Anatomy of a Mobile Attack for reference) and then deciding which scenarios you must protect against.

Recognize that software solutions focused on management and reporting will likely not offer significant data security protection. Also, solutions which claim to detect jailbreaking or rooting 100% of the time are not giving you the full picture. They can likely detect many common scenarios, but based on our testing it is not possible to detect these events in every case, and in the situation where you need detection most, an advanced, targeted attack, it will likely fail.

Container-based approaches to mobile security offer compelling advantages because they can carve out secure storage on the device and manage it through software. This allows complex passcodes, expiration of data and other security controls. To date, however, this has come at the expense of user experience, and end users often complain about such approaches.

One important threat vector to consider is the other apps installed on the device. If your employees reuse passwords (and who doesn’t?), then compromising an insecure, poorly written app might give an attacker the passwords to your network.

Finally, we always recommend auditing any solution you decide to implement. Once you have identified the threat model and determined what data you are concerned about, a skilled assessment can determine whether your BYOD solution actually repels the attacks you modeled.

We have done work in this area and wrote a Mobile Security Risk Report, which gives a solid overview of device security issues on Android and iOS.

This report will be made available to webinar attendees upon request by registering on our website and indicating your interest in the comment section: https://viaforensics.com/register/

Q: Is the F/OSS Lantern toolkit still applicable with the latest iOS? I thought that vulnerability had been resolved. A: Lantern Lite relies on exploits found by iOS hackers to gain privileged access to the device. As you probably know, there is a constant “cat and mouse” game between Apple and the iOS hacking community. If new exploits are found and published, Lantern Lite should eventually be capable of imaging those devices.

If you are interested, I would suggest downloading the software from github and testing it. You can also directly follow folks such as the iPhone Dev team to keep up on iOS jailbreaks and exploits.

Q: What would viaForensics consider to be a strong passcode? A: For security purposes, a 6-character alphanumeric passcode that mixes numbers with letters and/or special characters provides a much greater security benefit than a simple numeric passcode.

Specifically, on iOS the use of a longer, complex passcode protects against brute-force breaking of the passcode, recovery of Exchange data, and dumping the keychain. On Android, the use of a complex passcode can prevent any recovery of device data, with the exception of the SD Card, on devices that do not have an alternative means of accessing the data (such as a boot loader attack).

Q: Has vF attempted to attack any 3rd-party protected apps (i.e. written against Good Dynamics)? A: viaForensics has done extensive testing of mobile apps, much of it under NDA. We have not publicly addressed any Good Dynamics apps as of yet. If you would like to see some of the free testing we have done, or the companies that publicly post their appSecure certifications, please check out appWatchdog.

You may also find our analysis of Google Wallet interesting.

Q: Hello, my question is related to Android and ability to crack the passcode, is it possible to crack the passcode if using Android Ice Cream Sandwich’s full device encryption feature? A: All encryption is potentially vulnerable to a brute force attack, but by choosing a strong encryption algorithm, managing keys properly and choosing a strong passcode, the risk is mitigated.

We have not completed our investigation of the encryption in ICS yet. From our initial look, it appears to use AES-128, which should be sufficient, although many newer systems choose AES-256 instead. It is encouraging that ICS encryption requires the user to enter the passcode as the system boots, which allows full-disk encryption of the user-data partition (including an emulated SD card stored on it) without storing the passcode anywhere: the passcode is used only to derive the key that protects the disk-encryption key. That is how encryption should work.

However, until the implementation has been more fully tested, we cannot determine how effective it is. Implementing encryption correctly is difficult. For example, a vulnerability in Apple’s FileVault encryption was recently discovered and posted online: http://cryptome.org/2012/05/apple-filevault-hole.htm

Encryption is great, when it is implemented properly. If you are relying on a technology to protect your most sensitive data, we recommend a security assessment to test the effectiveness of the controls.
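To make the brute-force point from the backup, passcode and ICS answers above concrete, here is an added example (not viaForensics code, and not part of the original post) that models how a passcode-derived key protects a disk-encryption master key. The parameters follow the publicly documented ICS crypto footer and are used here as an assumption (PBKDF2-HMAC-SHA1, 2000 iterations, a 16-byte salt, 16 bytes of key plus 16 bytes of IV derived). The real footer wraps the master key with AES-128-CBC; this model substitutes an HMAC keystream with a check tag so that it needs only the standard library, and the tag plays the role a known filesystem header plays for real cracking tools, namely telling a right guess from a wrong one. The guesses-per-second figure is invented for illustration.

```python
"""Model of a passcode-protected disk-encryption master key (added example).

Parameters mirror the publicly documented Android ICS crypto footer as an
assumption: PBKDF2-HMAC-SHA1, 2000 iterations, 16-byte salt, 32 derived bytes
(16-byte KEK + 16-byte IV). The AES-128-CBC wrap of the real footer is replaced
by an HMAC keystream plus a check tag so the code runs on the stdlib alone.
"""
import hashlib
import hmac
import itertools
import os
import string

ITERATIONS = 2000          # ICS default per public documentation (assumed here)
SALT_LEN = 16
MASTER_KEY_LEN = 16
TAG_LEN = 8


def derive_kek(passcode: str, salt: bytes, iterations: int = ITERATIONS) -> tuple:
    """Derive (kek, iv) from the passcode; the passcode itself is never stored."""
    out = hashlib.pbkdf2_hmac("sha1", passcode.encode(), salt, iterations, dklen=32)
    return out[:16], out[16:]


def _keystream(kek: bytes, iv: bytes) -> bytes:
    # Stand-in for AES-CBC: one HMAC block covers a 16-byte master key.
    return hmac.new(kek, iv, hashlib.sha1).digest()[:MASTER_KEY_LEN]


def wrap_master_key(master_key: bytes, passcode: str, salt: bytes) -> bytes:
    """Return wrapped_key || tag, the only key material written to 'disk'."""
    kek, iv = derive_kek(passcode, salt)
    wrapped = bytes(a ^ b for a, b in zip(master_key, _keystream(kek, iv)))
    tag = hmac.new(kek, wrapped, hashlib.sha1).digest()[:TAG_LEN]
    return wrapped + tag


def unwrap_master_key(blob: bytes, passcode: str, salt: bytes):
    """Return the master key if the passcode is right, otherwise None."""
    kek, iv = derive_kek(passcode, salt)
    wrapped, tag = blob[:MASTER_KEY_LEN], blob[MASTER_KEY_LEN:]
    expected = hmac.new(kek, wrapped, hashlib.sha1).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(wrapped, _keystream(kek, iv)))


def brute_force_pin(blob: bytes, salt: bytes, length: int = 4):
    """Exhaust every numeric PIN of the given length; each guess costs one full PBKDF2."""
    for guesses, digits in enumerate(itertools.product(string.digits, repeat=length), 1):
        pin = "".join(digits)
        key = unwrap_master_key(blob, pin, salt)
        if key is not None:
            return pin, key, guesses
    return None


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passcodes for an alphabet and length."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at a given cracking rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


if __name__ == "__main__":
    salt, master_key = os.urandom(SALT_LEN), os.urandom(MASTER_KEY_LEN)
    blob = wrap_master_key(master_key, "0042", salt)
    pin, key, guesses = brute_force_pin(blob, salt)
    print(f"recovered PIN {pin} after {guesses} guesses; key correct: {key == master_key}")
    rate = 20_000  # invented guesses/second for a GPU cracker, illustration only
    mixed = len(string.ascii_letters + string.digits + string.punctuation)  # 94 symbols
    print(f"4-digit PIN: {keyspace(10, 4):,} guesses, "
          f"{seconds_to_exhaust(10, 4, rate):.1f} s worst case")
    print(f"6-char mixed: {keyspace(mixed, 6):,} guesses, "
          f"{seconds_to_exhaust(mixed, 6, rate) / 86400:,.0f} days worst case")
```

The iteration count slows every guess equally, so the search space of the passcode decides the outcome: a 4-digit PIN falls in seconds at any realistic rate, while a 6-character mixed passcode keeps the same attacker busy for years. This is the same reason the backup and passcode answers above insist on complex passcodes rather than simple numeric ones.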

Q: How secure is iCloud? A: iCloud is, as the name implies, hosted on servers on the Internet. This can add benefits (e.g. a dedicated, trained team supporting the service) and drawbacks (e.g. a compromise on the core system might expose all user data).

Generally speaking, whenever sensitive data is moved outside of your control, certain risks are incurred. A brief review of recent security news will reveal a nearly constant stream of services falling prey to attacks. As such, storing sensitive corporate data on iCloud will likely result in a reduction of security.

Recently, the Russian security firm Elcomsoft announced an update to their Phone Password Breaker software which enables data extraction from iCloud. If an attacker has the Apple ID username and password for an iOS device, the data backed up to iCloud can be downloaded in unencrypted form. Obtaining the password is not necessarily easy, but there are ways to do it.

Q: Is there a way I can get in touch with a representative at viaForensics? A: Yes, we’d love to hear from you. Please contact us using any means that is convenient for you and we’ll follow up shortly.

Q: What do you think about tamper-proofing tools like Arxan (post-compilation tool)? A: Leveraging technologies that make it more difficult for attackers to reverse your binaries or tinker with your app can certainly help with securing an application.

In the mobile space, we always recommend that developers at least run their app through ProGuard. More advanced commercial solutions exist, such as Arxan, which you mentioned. We have not specifically tested the effectiveness of these solutions, though.

In the end, motivated attackers are often successful in circumventing controls. So we recommend a multi-layered approach that protects the data, the source code and binaries, and the back-end systems. If an attacker circumvents one control, they still have others to defeat before compromising your data. If you make the task daunting enough, it is simply not worth their effort except in very rare cases.

Q: Is there a large demand, currently, for mobile device forensics in the market today? and what types of cases are these usually associated with? A: The demand certainly exists and is growing. While legacy feature phones stored some data which could be recovered, the new iOS and Android smart phones store significantly more. As such, an entire industry has developed providing services to recover this data.

viaForensics has released a number of free/open-source tools which can help people who are interested in this field.

You might also find our recent books on iOS and Android forensics helpful as well as a host of free presentations and reports we post online.

Regarding the types of cases, they cover a broad spectrum. Some of the most frequent requests include:

  • Intellectual property/data theft, often by insiders
  • Recovery of deleted data for various investigations
  • Criminal cases
  • Data recovery for individuals
  • Expert witness cases involving mobile devices

If you are personally interested in these topics and would like to learn more, please contact us.

Q: Are there vulnerabilities associated with a BYOD security container when data generated and stored by apps inside the container are all encrypted (AES256)? A: As covered in our presentation, there are a number of areas where a BYOD security container might be vulnerable to attack.

First and most obvious is simply the weakness in the implementation of the security container. As we’ve discussed, properly implementing encryption is difficult and as more features are added, there is greater complexity and potentially vulnerabilities. If you are relying on a secure container or any other security mechanism, we would strongly advise that you hire a third party to assess the effectiveness of the solution.

Beyond that, we covered several other areas that BYOD secure container solutions may be vulnerable to, including:

    • If an attacker has escalated privileges, they can simply install a key logger, etc.
    • If apps in the container leak data into other parts of the system (the clipboard, unprotected data left in RAM, calls to insecure apps outside the container), that data can be compromised
    • Platform/standards issues
    • Trusting SSL blindly (e.g. accepting any server certificate rather than validating it)
    • Using fundamentally vulnerable mobile OS libraries (read this article for an example)

Other vulnerabilities certainly could exist but a good mobile security firm could help in the identification and mitigation of risks.

Q: Do you see many companies writing/buying custom mobile apps for in-house use? If so, do they tend to be more or less secure than public-app-store apps? A: We are witnessing rapid growth in mobile app development, both in-house and publicly available. We also see a mix of companies that develop applications with in-house staff and those that use third-party developers.

Regardless, we often see common issues on the apps because there is limited information for developers on how to develop secure mobile apps. Given our vantage point, we have developed an extensive list of best practices and released a free report titled Secure Mobile Development: 42+ Best Practices.

viaForensics has also partnered with CompTIA to create two much needed certifications:

  • Secure Android Application Development
  • Secure iOS Application Development

These certifications will be available in the coming months and will establish a baseline needed for developers to write secure mobile apps.

Finally, if you are interested in these topics and want to tinker with some of the technologies viaForensics has developed or uses in our assessment, please check out Santoku Linux. Santoku is a Linux distro focused on mobile security, malware and forensics. The project is open source and a commercial platform will be available which includes more advanced tools, a graphical user interface, advanced training and documentation, a “mobile lab in a box” and more. You can follow Santoku Linux online at: https://santoku-linux.com/

Note: There were many questions, and we left those directly oriented to the Good Technology product for their team to respond to. If you feel a question you asked was not addressed, please feel free to contact us.