Lesson 9 C Troubleshoot Mobile OS and App Security Flashcards
Users who want to avoid the restrictions that some OS vendors, handset OEMs, and telecom providers put on the devices must use some type of privilege escalation:
In iOS and Android, the user account created during setup is able to install apps and configure settings, but it is restricted from making any system-level changes. Users who want to avoid the restrictions that some OS vendors, handset OEMs, and telecom providers put on the devices must use some type of privilege escalation:
- Root access
- Jailbreak
Root access
This term is associated with Android devices. Some vendors provide authorized mechanisms for users to access the root account on their device. For some devices it is necessary to exploit a vulnerability or use custom firmware. Custom firmware is essentially a new Android OS image applied to the device. This can also be referred to as a custom ROM, after the term for the read-only memory chips that used to hold firmware.
Jailbreak
iOS is more restrictive than Android, so the term “jailbreaking” became popular for exploits that enabled the user to obtain root privileges, sideload apps, change or add carriers, and customize the interface. iOS jailbreaking is accomplished by booting the device with a patched kernel. For most exploits, this can only be done when the device is attached to a computer while it boots (tethered jailbreak).
Rooting or jailbreaking mobile devices involves
subverting the security controls built into the OS to gain unrestricted system-level access. This also has the side effect of leaving many security measures permanently disabled. If the user has root permissions, then essentially any management agent software running on the device is compromised. If the user has applied a custom firmware image, they could have removed the protections that enforce segmentation of corporate workspaces. The device can no longer be assumed to run a trusted OS.
Mobile-device management (MDM)
suites have routines to detect a rooted or jailbroken device or custom firmware with no valid developer code signature and prevent access to an enterprise app, network, or workspace. Containerization and enterprise workspaces can use cryptography to protect the workspace in a way that is much harder to compromise than a local agent, even from a rooted/jailbroken device.
Developer mode
Additionally, it is possible to put a device into developer mode . This makes advanced configuration settings and diagnostic/log data available. Developer mode should not necessarily weaken the security configuration, but equally, it should be used only for actual app development work and not enabled routinely. It can purposefully be misused to install bootleg apps. MDM can typically be configured to block devices that have developer mode enabled.
A trusted app source is one that is managed by
a service provider. The service provider authenticates and authorizes valid developers, issuing them with a certificate to use to sign their apps and warrant them as trusted. It may also analyze code submitted to ensure that it does not pose a security or privacy risk to its customers (or remove apps that are discovered to pose such a risk). It may apply other policies that developers must meet, such as not allowing apps with adult content or apps that duplicate the function of core OS apps.
App Spoofing
While this type of walled garden app store model is generally robust, it is still a target for rogue developers trying to publish malicious apps that will function as spyware if installed. A malicious app will typically spoof a legitimate app by using a very similar name and use fake reviews and automated downloads to boost its apparent popularity. VPN, fake antivirus/ad blockers, and dating apps are some of the most common targets for malicious developers. Even when using an approved store, users should apply caution when selecting and installing a new app, especially if the app requests permissions that are not related to its function.
Enterprise Apps and APK Sideloading
The mobile OS defaults to restricting app installations to the linked store (App Store for iOS and Play for Android). Most consumers are happy with this model, but it does not always work so well for enterprises. It might not be appropriate to deliver a custom corporate app via a public store, where anyone could download it. Apple operates enterprise developer and distribution programs to solve this problem, allowing private app distribution via Apple Business Manager. Google’s Play store has a private channel option called Managed Google Play. Both these options allow an MDM suite to push apps from the private channel to the device.
Unlike iOS, Android allows for selection of different stores and installation of untrusted apps from any third party if this option is enabled by the user. With unknown sources enabled, untrusted apps can be downloaded from a website and installed using the APK file format. This is referred to as sideloading. Enabling this option obviously weakens the device’s security. It is imperative to use other methods to ensure that only legitimate enterprise apps are sideloaded and that the device be monitored closely to detect unauthorized apps.
Conversely, MDM might be used to prevent the use of third-party stores or sideloading and block unapproved app sources.
Bootleg App
A bootleg app is one that pirates or very closely mimics a legitimate app. Users might be tempted to enable unknown sources and install apps by sideloading or by accessing them from a bootleg store as a way of pirating popular apps without paying for them. As well as infringing licensing and copyrights, this exposes the device to risks from malware. Under iOS, using the developer tools can be a means of installing apps from outside the App Store without having to jailbreak the device.
general symptoms of malware for OSs
- High number of ads—Free apps are all supported by advertising revenue, so a high level of ads is not necessarily a sign of an actively malicious app. However, if ads are unexpected, display in the browser, open pop-ups that are hard to close, or exhibit a high degree of personalization that the user has not authorized, this might indicate some type of tracking or spyware activity.
- Fake security warnings—These are used by scareware to persuade users to install an app or give a Trojan app additional permissions.
- Sluggish response time—Malware is likely to try to collect data in the background or perform processing such as cryptomining. Such apps might cause excessive power drain and high resource utilization and cause other apps to perform slowly.
- Limited/no Internet connectivity—Malware is likely to corrupt the DNS and/or search provider to perform redirection attacks and force users to spoofed sites. This might disrupt access to legitimate sites, generate certificate warnings, and cause slow network performance.
Unexpected Application Behavior
A bootleg or spoofed app acts like a Trojan. While it might implement the game or VPN functionality the user expects, in the background it will function as spyware to harvest whatever it can from the device. This unexpected application behavior might manifest as requests for permissions or as use of camera/microphone devices. If the app is copying files from the device, this might manifest as high network traffic . Excessive bandwidth utilization might also be a sign that the device has been compromised with a bot and is being used for DDoS, mass mailing, or cryptomining. The app might also attempt to use premium-rate call services. Most devices have an option to monitor data usage and have limit triggers to notify the user when the limit has been reached. This protects from large data bills but should also prompt the user to check the amount of data used by each application to monitor its legitimacy.
Leaked Personal Files/Data
MOBILE SECURITY SYMPTOMS
Antivirus software for mobile OSs is available but is not always that reliable. You should be alert to general symptoms of malware. Many of these symptoms are like those experienced on a PC OS:
High number of ads—Free apps are all supported by advertising revenue, so a high level of ads is not necessarily a sign of an actively malicious app. However, if ads are unexpected, display in the browser, open pop-ups that are hard to close, or exhibit a high degree of personalization that the user has not authorized, this might indicate some type of tracking or spyware activity.
Fake security warnings—These are used by scareware to persuade users to install an app or give a Trojan app additional permissions.
Sluggish response time—Malware is likely to try to collect data in the background or perform processing such as cryptomining. Such apps might cause excessive power drain and high resource utilization and cause other apps to perform slowly.
Limited/no Internet connectivity—Malware is likely to corrupt the DNS and/or search provider to perform redirection attacks and force users to spoofed sites. This might disrupt access to legitimate sites, generate certificate warnings, and cause slow network performance.
Unexpected Application Behavior
A bootleg or spoofed app acts like a Trojan. While it might implement the game or VPN functionality the user expects, in the background it will function as spyware to harvest whatever it can from the device. This unexpected application behavior might manifest as requests for permissions or as use of camera/microphone devices. If the app is copying files from the device, this might manifest as high network traffic . Excessive bandwidth utilization might also be a sign that the device has been compromised with a bot and is being used for DDoS, mass mailing, or cryptomining. The app might also attempt to use premium-rate call services. Most devices have an option to monitor data usage and have limit triggers to notify the user when the limit has been reached. This protects from large data bills but should also prompt the user to check the amount of data used by each application to monitor its legitimacy.
Leaked Personal Files/Data
If a device has been compromised, files or personal data might be sold and eventually find their way to forums and file sharing sites. If any personal or corporate data is leaked, each device that could have been a source for the files must be quarantined and investigated as a possible source of the breach.
Users should also be alert to 2-step verification notifications that new devices have attempted to access an account and/or unexpected password changes have occurred. Various data breaches have provided hackers with mountains of authentication credentials and personal information that could be used to access email accounts. Once an email account is compromised, the hacker can typically access any other online account that is not protected by secondary authentication via a different email account or device.
Whenever a website or service suffers a data breach and leaks personal files/data, it should notify users at the earliest opportunity. There are also various breach notification services that can be used to alert misuse of email addresses and account details. Users need to be alert to the possibility of the theft of their personal information and deploy good security practices, such as not using the same password for two different accounts.
Unauthorized location tracking can give away too much sensitive information to third parties. Many apps collect location data; not many explain clearly what they do with it. Most app developers will just want information they can use for targeted advertising, but a rogue app could use location data to facilitate other crimes, such as domestic burglary.
