mobile sec 1a

Question 1

Native code: Classic 3-Tier Architecture

Answer 1

: Native applications may be written in languages that
execute without the benefit of a VM or rigorous sandbox.
1. These applications may be written in unsafe languages (for instance,
Objective-C) and have increased access to other apps and resources as
compared to browser-based apps.
2. Even when mobile platforms implement app sandboxing, the user is quickly
coerced into granting broad and powerful permissions that easily bypass
much of the platform-provided controls.

Question 2

Classic 3-Tier Architecture

Answer 2

1. Native code:
   • 2. OS access
   • 3. Internet access

Question 3

OS access Classic 3-Tier Architecture

Answer 3

Software running in a browser has limited access to the underlying OS, its libraries, file system access, inter-process
communication, and its system calls.

Question 4

Internet access Classic 3-Tier Architecture

Answer 4

Whereas home PCs, and to an extent laptops, often
connect from a home network, mobile devices commonly use their
mobile carrier’s network and public WiFi to connect to the Internet.
These means of access may provide increased opportunity for manin-the-middle (MiTM) attacks from hackers! (esp free wifi spots
which normally has no password protection!)

Question 5

r manin-the-middle (MiTM)

Answer 5

Whereas home PCs, and to an extent laptops, often
connect from a home network, mobile devices commonly use their
mobile carrier’s network and public WiFi to connect to the Internet.
These means of access may provide increased opportunity for manin-the-middle (MiTM) attacks from hackers! (esp free wifi spots
which normally has no password protection!)

Question 6

Most threats against mobile apps are

Answer 6

variations on MiTM,
• whether it be MiTB (browser),
• MiTOS (operating system),
• or good old-fashioned MiTM (network).
• This is a natural consequence of the mobile model from the
app perspective—it’s surrounded by hostile (or at least
semitrusted) software.

Question 7

Attack Surfaces Specific to Mobile Devices

Answer 7

•Physical theft allows access to the user
interface, physical storage, the IO bus etc.
•The opportunity for a threat to gain access
to a physical device probably represents the
singular largest difference between mobile
devices and other client endpoints.
Attack Surfaces Specific to Mobile Devices
• App publication allows the threat to distribute either
• a Trojan horse app or
• other malware centrally with an appearance of legitimacy based on the
curator’s endorsement.
• The threat’s app may have relaxed access to
• OS resources,
• interprocess communication, and
• an unsandboxed environment with which to attack its victim,
depending on the state of the mobile platform (jailbroken/rooted),
• weak app permission configuration, end-users’ over-permissive
settings, and so on).

Question 8

Key to Security – Understand Risk Model

Answer 8

• The client-side threat model is much more aggressive, given the
promiscuous exposure to communications (wide area and close-in),
physical access, plus the usual software attack and exfiltration vectors
like email, mobile web, and apps.
• And the impact of compromise is much more “personal”: location,
camera/photos, instant messaging—there are plenty of embarrassed
public figures who can attest to this.

Question 9

Risks Area #1-Physical Risk

Answer 9

• Physical access to the device is impossible to defend against for very long.
• The whole rooting/jailbreaking phenomenon proves this.
• Neither Google nor Apple have yet to prevent this because it is very hard
and probably impossible.
• Experts say it’s hard to find a mobile app that they could not defeat given
physical access, including many rudimentary “anti-rooting” mechanisms
and even mobile device management (MDM) software.
• If your mobile risk model assumes that info can be securely stored
indefinitely on a mobile device, you are wrong and will have to relearn this
painful lesson the hard way if there is ever a breach.

Question 10

Risks Area #1-Physical Risk ELABORATE

Answer 10

• One often overlooked corollary of this principle is that close proximity
to a mobile device is effectively the equivalent of a physical attack.
• In other words, if an adversary can get close enough to you with a
rogue cellular base station, your phone will join his rogue cellular
network, and he now “owns” your device
• Remedy?
• Sorry, there is nothing you can do about this today, other than put
your device in Airplane Mode and use it like an expensive,
unconnected brick!

Question 11

Risks Area #2-Service Risk

Answer 11

• Next major area of risk arise in the mobile ecosystem?
• Naturally, most of the attention on mobile focuses on the mobile
device and associated client-side software.
• Contrary to this focus, experts observe more problems on the server
side in their consulting and research (2/3 bugs server side!)

Question 12

Risks Area #2-Service Risk ELABORATE

Answer 12

Another often overlooked aspect of modern Internet-based
applications risks is customer support.
• By design, support helps people regain access to their valuable stuff—
a hacker’s dream come true!
• Experts have seen devastating vulnerabilities in over 20 years of their
experience has resulted from support-related issues like customer
self-help password reset;
• if you make a mistake here, the consequences can have a huge impact.
• Imagine a flaw that allowed anonymous attackers to reset account passwords
via the self-help web portal— get the picture?

Question 13

Risks Area #2-Service Risk ELABORATE MORE

Answer 13

• For a real-world example of what can go wrong with these
interrelationships, see Wired reporter Mat Honan’s nightmare story
about how hackers from Lulz leveraged customer-support trickery to
• social engineer their way into his Gmail account and
• then pivoted through his Amazon data;
• remotely erased all of the data on his iPhone, iPad, and MacBook; and
• hijacked his Twitter account (see wired.com/gadgetlab/2012/08/appleamazon-mat-honan-hacking/).

Question 14

say another issue that happened with service risk

Answer 14

• This is such a recurring and important problem, see another realworld example of a horrible customer support vulnerability, see
• The Verge’s (theverge.com) March 2013 report on a serious vulnerability in
Apple’s iForgot self-help password reset tool that allowed anyone with your
email address and date of birth to reset your password.

Question 15

what is a silver lining with service risk

Answer 15

• 1 silver lining on the service-side, the good ol’ security gateway still
performs well to protect Internet-facing services.
• Products like the Vordel Application Gateway (vordel.com) effectively
protect mobile service XML endpoints from skilled penetration
testers.
• You should definitely consider products like Vordel as part of your
mobile application security architecture.

Question 16

App Risks

Answer 16

Apps (interacting with platform
features) are the primary attack
surface on the mobile client.
• After all, the apps and the mobile OS are the primary touch points for
end users and other software, so this is where all the trouble occurs.

Question 17

primary attack

surface on the mobile client

Answer 17

Apps (interacting with platform

features)

Question 18

App Risks ELABORATE

Answer 18

• The centrality of apps in today’s mobile risk model mirrors the
evolution of security on platforms like the desktop PC:
• early attacks focused on the network layer and then
• migrated to the OS (and especially Microsoft Windows).
• Recently, we’ve seen larger numbers of published exploits in desktop
applications, like web browsers, Adobe Acrobat, and Microsoft Office.
• At the pinnacle of this evolution, we see attacks against “Layer 8,” in other
words, the human beings operating the technology.
• Socially driven attacks like phishing represent this trend.

Question 19

Layer 8

Answer 19

human beings operating the technology

Question 20

App Risks - Fragmentation

Answer 20

• One security fundamental we’ve learned over the years:
• quickly patching vulnerable systems usually reduces risk from easy
compromise by folks trolling the Internet with home-grown malware that
exploits unpatched, well-known vulnerabilities.
• Unfortunately, patching your mobile software is challenging owing to one of
the key features of the current market: fragmentation.
• Fragmentation results from one of the age-old debates in tech
industry: open versus closed platforms.
• We are seeing this play out again in the mobile device space between
today’s two biggest competitors, Google and Apple.

Question 21

App Risks - Fragmentation GIVE AN EXAMPLE

Answer 21

In 2003, even renowned mobile hacker Charlie Miller are admitting
that Apple iOS is much tougher to victimize because of the rigid
controls built into the platform:
• code must be signed by Apple in order to run, address space layout
randomization (ASLR), better code sandbox, no shell, and so on.

Question 22

how is android when it comes to fragmentation

Answer 22

Android - the need to develop custom OS versions for each device
manufacturer creates fragmentation that leads to negative security
consequences.
• For example, upgrading to the newest version of Android depends on
collaboration between the device’s hardware vendor and the mobile network
operator (MNO) and makes distributing security patches and other important
updates that much harder.

Question 23

why are consumers idiots

Answer 23

Consumers tend to be more
accepting of bleeding-edge features
and faults, and security is an
afterthought!
• The fact that many Android and iOS users root/jailbreak their phones
is a prime example of the immaturity that persists in the market.

Question 24

• App marketplaces

Answer 24

These centralized app delivery mechanisms are driven
• not by security,
• but by the desire to control the user experience,
• attract developers with simple distribution models,
• and monetize software downloads to devices
• 99USD for Apple, 25USD for Google (as of 2013)

Question 25

One BIG difference between today’s fragmented mobile software market
and yesteryear’s battle between Microsoft and Apple is

Answer 25

• the numerous mobile device manufacturers still dominant today and
• the diverse Android customizations as a result.

Question 26

• This diversity of devices can introduce vulnerabilities to specific devices that cannot be fixed centrally by Google GIVE AN EXAMPLE

Answer 26

: Samsung’s TouchWiz interface overlay for Android was vulnerable to a single line
of code in a malicious web page that could wipe the device without user interaction
in their Galaxy (see androidcentral.com/major-security-vulnerability-samsung- phones-could-trigger-factory-reset-web-browser).
• Customers had to wait for Samsung to issue new firmware, and many older
devices are probably still left vulnerable.

Question 27

Sensitive Data Leak

Answer 27

• Sensitive data leakage is one big risk on mobile because all data is
inherently at greater risk while on a mobile device.
• Unfortunately, many mechanisms are designed to squirrel data away
in various nooks on mobile devices. Experts have seen:
• Authentication PINs to Google system logs in debug builds
• Session identifiers and credentials cached in WebView
• Inappropriate data stored in local SQLite databases
• iOS app snapshots record screens with sensitive data when app is suspended
• Sensitive credentials like appl PINs being logged to the iOS keyboard cache

Question 28

Also, remember the “transitive” nature of app sandboxing (aka
permission redelegation)

Answer 28

which occurs when an app with permissions
performs a privileged task for an app without permissions. Example:
• if Good App X has permissions to read the Android system logs,
• Bad App Y may ask X to call the log API on its behalf (without user interaction)
• thus able to see things the developer of X did not expect.
• Eg: The Carrier IQ – HTC keystroke logging incident of late 2011

Question 29

“Secure” on-Device Storage

Answer 29

Continuing our list of key mobile application risks, as we’ve noted
several times already, thinking secrets can be stored safely in mobile
software is deeply flawed.
• Experts have pulled everything from hardcoded passwords to AES
keys out of software on mobile devices.
• The risk is high on the device because (let’s all sing along now)
attacker physical access = high probability = game over.
• Use existing secure storage facilities if you have to: don’t roll your
own.

Question 30

MDM

Answer 30

• Mobile device management (MDM) is frequently considered a Band- Aid for the mobile security problem.
• It works as well as a Band-Aid in most instances, which is to say for
simple vulnerabilities only.
• During testing of one major MDM vendors, attaching a debugger to
the mobile device allowed “us” to trivially bypass screen lock.
• Again, defending against physical attacks is very hard, and you should
not expect MDM to “solve” the problem, only alleviate some of the
symptoms.
• Don’t over-sell MDM as a panacea.

Question 31

FOR MOBILE APP DEVELOPER:

Answer 31

• Architecture and design
• Align your architecture with the value of assets in play, for example, “remote
control/no client-side data” versus “all data cached client-side.”
• Input/output validation
• Injection attacks remain the bane of application security; take control of
what’s coming and going.
• Cache-ing and Logging
• Understand the mobile platforms you develop for and the many ways in
which they can record snippets of your valuable data; disable and/or mitigate
these as appropriate according to the sensitivity of data you are handling

Question 32

Architecture and design

Answer 32

Align your architecture with the value of assets in play, for example, “remote
control/no client-side data” versus “all data cached client-side.”

Question 33

• Input/output validation

Answer 33

• Injection attacks remain the bane of application security; take control of
what’s coming and going.

Question 34

• Cache-ing and Logging

Answer 34

• Understand the mobile platforms you develop for and the many ways in
which they can record snippets of your valuable data; disable and/or mitigate
these as appropriate according to the sensitivity of data you are handling.

Question 35

Error handling

Answer 35

Mobile scenarios may have lower tolerance for “fail closed” design, but that
doesn’t mean it’s impossible if you can create a compelling recovery story.

Question 36

• Device loss or capture

Answer 36

Make sure your design incorporates last-resort controls: remote wipe of your data

Question 37

• Server-side strength

Answer 37

Server-side data and processing remain the central-most valuable assets in
modern, cloud-centric threat models. Implement strong controls here,
including application-level protections, and pay strict attention to oftenabused support interfaces like self-help password reset