Mobile App Security:
Who Else is on Your Device?
August 27, 2013
Start Time: 9 AM US Pacific, Noon US Eastern, 5 pm London
Generously sponsored by:
Welcome
Conference Moderator
Hari Pendyala
ISSA Fellow and Member, Chennai, Asia Pacific Chapter
ISSA Web Conference Committee
Agenda
Speakers
• Aaron Brauer-Rieke
Attorney, Federal Trade Commission, Division of Privacy and Identity Protection
• Heather Hillerman
Product Marketing Specialist, TRITON Mobile Security, Websense, Inc.
• Sam Masiello
Head of Application Security, Groupon
Open Panel with Audience Q&A
Closing Remarks
Assessing the Mobile
Security Landscape
Aaron Brauer-Rieke
Attorney, Federal Trade Commission, Division of Privacy and Identity Protection
The FTC’s Lens
Promoting and enforcing reasonable security practices.
“[U]nfair or deceptive acts or practices in or affecting commerce[] are hereby declared unlawful.”
15 USC § 45
Recent Activity
Enforcement Actions
HTC (2013)
We alleged that HTC America failed to employ reasonable and appropriate security practices in the design and customization of the software on its mobile devices.
Workshops
Mobile Security: Potential Threats and Solutions (2013)
http://www.ftc.gov/bcp/workshops/mobile-security/
Presentation Overview
• Ecosystem is complicated
– Handset makers, carriers, platform providers, app developers, etc.
• No silver bullets
• Key areas for discussion
– Gatekeeping
– Security design/features
– Updates/patching
Gatekeeping
Keep bad apps away from users.
• Platforms have seen some success here
• Not foolproof
– Code obfuscation
– Delayed malicious behavior
• Tensions between security and choice/control
– Competition
– Permissions
Security Design, Features
Build a better OS.
• Sandboxing, access controls
– Permissions
– Trusted UIs
– Data usage intention strings
• Exploit mitigation
• Securing apps by default
– Preventing API abuse
– Encouraging use of security APIs
Updates and Patching
Keeping devices up-to-date.
• Security lifetimes, patch cycles
• OEMs and carriers
• Bug bounty programs
Reflections: where are we headed?
Question and Answer
Aaron Brauer-Rieke
Attorney, Federal Trade Commission, Division of Privacy and Identity Protection
Mobile – Web Security
Threats
Heather Hillerman
Product Marketing, Websense
The Perfect Storm for Mobile Security
• Mobile Growth
• Bring Your Own Device
• Increased Mobile Threats
Facts about mobile devices
• Over 6 billion active mobile devices
• Mobile Factbook predicts there will be 6.9 billion active mobile devices by the end of 2013
• 69.9% of the market is iOS or Android
• 32% increase in website traffic from mobile devices
http://googlemobileads.blogspot.com/2012/01/new-research-global-surge-in-smartphone.html
Information from: International Telecommunication Union and Mobile Factbook 2012
The percentage of mobile workers currently using their personal smartphones for work.
Most Used Smartphone Apps
• Malicious apps
• Ad malware
• Social engineering
• One click downloads
• Physical loss
Malicious App Numbers Rise
Malicious Android apps have increased by 350,000 during the first half of 2013.
More than a million malicious Android apps before the end of the year.
Source: Trend Micro TrendLabs 2Q 2013 Security Roundup Report
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt-2q-2013-trendlabs-security-roundup.pdf
Android Versions in Use
Android background
It has been calculated that there are 11,868 distinct Android devices.
• Mobile friendly
– SMS
– Apps
• Targeting the end user
– SMS spoofing
– Phishing
– Web/app exploits
– Bluetooth
Recent Headlines
Mobile advertising malware downloader: an app builder includes adware that prompts the mobile user to install an update, which enables a malware download.
The Java Cryptography Architecture (JCA) as installed in the Android OS has known flaws, exposing Bitcoin wallets to security risk.
Old World Patches…
Latest patch release: August 13, 2013
For: Windows, Exchange, IE
8 bulletins, 23 vulnerabilities; 3 of the bulletins are rated critical, 5 are rated important.
Latest patch release: June 18, 2013
For:
40 new security fixes, 37 of which are remotely exploitable without authentication
Latest patch release: July 9, 2013
For: Flash
3 CVEs, all rated with an impact and exploitability score of 10
The Threat Landscape has Changed
Advanced Threats
THEN: Signature Based; High Volume; Mass Distribution
NOW: Zero Day; Targeted / Low Volume; Trusted Entry
Data Theft
THEN: Goal: Damage; Inbound focus was enough; Data was easily identifiable
NOW: Goal: Financial gain; Assume holes in security; Theft can easily be hidden
Attack & Malware Forensics
THEN: Hands-Off; Reactive; Focus on intrusion prevention
NOW: Hands-on; Proactive; Holistic View
Attack stages: Recon, Lure, Redirect, Exploit Kit, Dropper File, Call Home, Data Theft
Defense layers: Awareness, Real-Time Analysis, Inline Defenses, Containment
• Password Protect
• Protect Data-on-Device
• App Permissions and Availability
• Mobile Web Security Layer
• Mobile Email DLP Layer
• Mobile AUP
Question and Answer
Heather Hillerman
Product Marketing, Websense
Mobile App Security
Who Else is on Your Device?
Sam Masiello
Head of Application Security, Groupon
Alternate Title:
The Other Devil in Your Pants
About Groupon
• Currently in about 50 countries
• Over 12,000 employees – very mobile workforce
• Significant percentage of revenue coming from purchases made on mobile devices
• Looking at mobile security both from the end user and the employee PoV
Consumerization of IT is Real
Mobile Threat Landscape is Growing
By the numbers
Still Like Comparing…
App Marketplaces the Primary Catalyst
• Started in 2007 when Apple opened up its API to third party devs
• Both a blessing and a curse
• That blessing also makes these marketplaces attractive targets
• Competing business models
Tighter Control != Security
• No system is 100% fool-proof
• Jekyll Apps
It Isn’t Just About The Marketplaces
Jailbreak as a Service
• Jailbreakme.com
• Disclaimer: No longer being maintained.
• “Untethered” jailbreak
• Exploited various OS level vulnerabilities
• Powerful Proof of Concept
It’s All About the Money?
Other Key Enterprise Security Threats
• Public WiFi Hotspots
• Data Exfiltration (Email, Dropbox-like sites, web browser uploads)
Why You Need Enterprise Mobile Security
• Enterprise data loss caused by device loss/theft
• Malware
• Users – need I say more?
• Lack of IT control
• Lack of a formal mobile security strategy
(Not so?) Bold predictions for the future
• The mobile landscape will continue to get more complex
• Companies will constantly be playing catch up
• The mobile threat landscape will continue to become more complex
• Data leaks and breaches from mobile devices will become more commonplace
Takeaways
• You can’t stop it. You can only hope to contain it
• Eyes wide open!
• Be an enabler
Thank You!
Sam Masiello, Head of Application Security, Groupon
Email: [email protected] Twitter: @smasiello
Question and Answer
Sam Masiello
Head of Application Security, Groupon
Open Panel with Audience Q&A
• Aaron Brauer-Rieke
Attorney, Federal Trade Commission, Division of Privacy and Identity Protection
• Heather Hillerman
Product Marketing Specialist, TRITON Mobile Security, Websense, Inc.
• Sam Masiello
Head of Application Security, Groupon
Closing Remarks