mobile sec 2a Flashcards

1
Q

• Since the launch of the App Store until 2013, over _ apps have
been released for purchase, with a total of over _ apps having
been downloaded.

A

800 thousand, 40 billion

2
Q

• Initially, Apple phones were not built ________

A

for great security.

3
Q

iOS: as time passed, 3rd-party apps were executed under a less-privileged user
account named

A

mobile

4
Q

code signature verification

A

Security method used in iOS.
• Apps installed had to be signed by Apple to allow their execution.
• Ultimately, code signature verification was implemented at both load time
(within code responsible for launching an executable) as well as at runtime
(to prevent new code from being added to memory and then executed).

5
Q

Today iOS has made great gains in terms of its security model. ELABORATE

A

• In fact, the overall App Store–based app distribution process coupled
with the current set of security measures implemented in the
operating system have made iOS one of the most secure consumer-grade operating systems available.
• This take on the OS has largely been validated by the relative absence
of known malicious attacks on the platform.
• With so many lines of code, of course iOS has weaknesses & still can
be hacked!

6
Q

• Apple has toiled at length to prevent their customers from gaining full
access to their own devices. ELABORATE

A

• Now tools (online - may be malicious!) provide you with the capability to
jailbreak the iPhone.
• Jailbreaking - the process of taking full control of an iOS-based device.
• Can be done by using one of several tools available for free online
• End result of a successful jailbreak is that you can tweak your iPhone with
custom themes, install utility apps or extensions to apps, configure the
device to allow remote access via SSH or VNC, install other arbitrary
software, or even compile software directly on the device.

7
Q

Jailbreaking iPhones - Downsides

A

First - what jailbreak software does to a device.
• Jailbreak exploits a series of vulnerabilities to take over a device.
• During this process, an attacker could insert or modify something relatively
easily, without a user noticing.
• Fake jailbreak software was released that was designed to tempt eager
users looking to jailbreak versions of iOS for which no free/confirmed-working jailbreak had been released into installing the software.
• Jailbroken phones may also lose some functionality, as vendors have been
known to include checks in their apps that report errors or cause an app to
exit on startup (iBooks is an example of this).

8
Q

Jailbreaking iPhones - Downsides MORE

A

Another important aspect of jailbreaking is, as part of the process,
code signature validation is disabled.
• This is one of a series of changes required for users to be able to run
arbitrary code on their devices (one of the goals of jailbreaking).
• Downside - unsigned malicious code is also able to run, increasing the
risk to the user of just such a thing occurring.
• Otherwise, some potential exists for “bricking,” or rendering a device
unusable, during the jailbreak process, and as jailbreaking voids a
device’s warranty, there’s likely no way to bring the device back from
the dead if this happens.

9
Q

Jailbreaking iPhones - Downsides MORE MORE MORE

A

Jailbreaking iPhones - Downsides
• Many jailbroken iPhones are susceptible to worms, such as iKee.
• The iKee Worm was at its root only possible because of misconfigured
jailbroken iPhones being connected to the network.
• The first and most obvious countermeasure to an attack of this sort is:
don’t jailbreak your iPhone!

10
Q

Another important aspect of jailbreaking is, as part of the process,

A

code signature validation is disabled.

11
Q

Jailbreaking iPhones - Downsides ekie

A
• unsigned malicious code is also able to run, increasing the
risk to the user of just such a thing occurring

12
Q

iKee

A

The iKee Worm was at its root only possible because of misconfigured
jailbroken iPhones being connected to the network.

13
Q

MITM (Man In The Middle) Attack

A

In October 2011, at the McAfee FOCUS 11 conference held in Las
Vegas, Stuart McClure and the McAfee TRACE team demonstrated a
series of hacks that included the live hack of an iPad.
• The attack performed involved setting up a MacBook Pro laptop with
2 wireless network interfaces and then configuring one of the
interfaces to serve as a malicious wireless access point (WAP).
• The WAP was given an SSID similar to the SSID for the conference’s
legitimate WAP.
• They did this to show that users could easily be tricked into
connecting to the malicious WAP.

14
Q

MITM - Countermeasures

A

• Update your device and keep it up to date, as outlined in “JBME3.0
Vulnerability Countermeasures.”
• Configure your iOS device to “Ask To Join Networks”, shown on the next page.
• Don’t connect to unknown wireless networks.
• The likelihood of anyone actually following that advice nowadays is,
of course, near zero (how else are you going to check Facebook while
at Starbucks?!?), but hey, we warned you!

15
Q

MITM - Don’t Connect to Untrusted Networks

A

• The FOCUS 11 demo showed that by simply connecting to a wireless
network and browsing to a web page it was possible to take complete
control of a device.
• This was possible even over SSL!
• As such, users should know that this can happen and should judge
carefully what networks they connect to, to avoid putting their
devices or sensitive information at risk.

16
Q

Another Threat: Malicious Apps

A

Hackers have to trick the user into installing a malicious app onto their device.
• Challenge is not only limited to tricking the user, but also involves working
around Apple’s app distribution model!
• All apps must be signed by Apple and can only be distributed and
downloaded from the official App Store.
• For an app to be made available on the App Store, it must first be
submitted to Apple for review.
• If issues are found during review process, the submission is rejected, after
which point it’s simply not possible to distribute the app.
• But how effective is their review process?

17
Q

• All apps must be signed by Apple and can only be distributed and
downloaded from the official App Store.

A

• For an app to be made available on the App Store, it must first be
submitted to Apple for review.
• If issues are found during review process, the submission is rejected, after
which point it’s simply not possible to distribute the app.
• But how effective is their review process?

18
Q

• In Sept 2011, well-known iOS hacker Charlie Miller submitted a malicious
app named InstaStock to Apple for review.

A

• App was reviewed, approved & posted to App Store for download.
• InstaStock allowed users to track stock tickers in real time and was
reportedly downloaded by several hundred users.
• Hidden within InstaStock was logic designed to exploit a 0-day vulnerability
in iOS that allowed the app to load and execute unsigned code.
• Owing to iOS’s runtime code signature validation, this should not have been
possible. However, with iOS 4.3, Apple introduced the functionality required
for InstaStock to work its magic. In effect, Apple introduced the ability for
unsigned code to be executed under a very limited set of circumstances.
• Apple App Review can be tricked!

19
Q

How to protect against malicious apps

A

• Unfortunately, few tools have been developed for iOS security in general,
owing to the low number of incidents and the complexity of successfully
integrating such products into the iOS “ecosystem.”
• This means that you CAN’T protect yourself from malicious apps hosted on
the Apple App Store, apart from careful consideration (e.g. reputation) when
purchasing and installing apps.
• For users who store highly sensitive data on their devices, recommended
that apps be installed only when truly necessary, and only from
trustworthy vendors, to whatever degree possible.
• Otherwise, install the latest firmware when possible, as new firmware
versions often resolve issues that could be used by malware to gain
elevated privileges on a device.

20
Q

Why, unfortunately, have few tools been developed for iOS security in general?

A

owing to the low number of incidents and the complexity of successfully
integrating such products into the iOS “ecosystem.”

21
Q

you CAN’T protect yourself from malicious apps

A

hosted on the Apple App Store, apart from careful consideration (e.g. reputation)
when purchasing and installing apps.

22
Q

• For users who store highly sensitive data on their devices, recommended
that

A

apps be installed only when truly necessary, and only from
trustworthy vendors, to whatever degree possible.

23
Q

• Otherwise, install the latest firmware when possible

A

as new firmware
versions often resolve issues that could be used by malware to gain
elevated privileges on a device.

24
Q

• In Sept 2011, a cross-site scripting vulnerability

A

was reported as affecting the Skype app, versions 3.0.1 and below.
• This vulnerability made it possible for an attacker to access the file system
of Skype app users by embedding JavaScript code into the “Full Name” field
of messages sent to users.
• Upon receipt of the message, the embedded JavaScript was executed, allowing
an attacker to grab files, such as the contacts database, and upload them to
a remote system.
• This vulnerability is of particular interest because it is one of the first
examples of a third-party app vulnerability that could be exploited
remotely, without requiring local network or physical access to a device.

25
Q

Physical Access Risks

A

• Once a device falls into an attacker’s hands, it takes only a few minutes to
gain access to the device’s file system and then to the sensitive data stored
on the device.
• Demo produced by the researchers at the Fraunhofer Inst for Secure IT:
• Their staff published a paper in Feb 2011 outlining the steps required to
gain access to sensitive passwords stored on an iPhone.
• The process from end to end takes about six minutes and involves using a
boot-based jailbreak to take control of a device in order to gain access to
the file system, followed by installation of an SSH server.
• Once access is gained via SSH, a script is uploaded that, using only values
obtained from the device, can be executed in order to dump passwords
stored in the device’s keychain.

26
Q

Physical Access Risks ELABORATE

A

As the keychain is used to store passwords for many important
applications, such as the built-in email client, this attack allows an
attacker to recover an initial set of credentials that he or she can then
use to gain further access to assets belonging to the device’s owner.
• Specific values that can be obtained from the device depend, in large
part, on the version of iOS installed.
• This method continues to serve as a good example of what can be
done when an attacker has physical access to an iPhone.

27
Q

Physical Access Risks - WHAT’S A TWISTY ONE

A

• One last approach that might prove to be easiest of all, depending on
iOS version, is to simply hack around the iOS screen lock.
• In January 2013, a technique was published for bypassing the screen
lock in iOS 6.0.1 through 6.1.
• The technique described involved a variety of button presses and
screen swipes that ultimately result in access being granted to the
phone app.
• From this screen, an attacker can review contacts, call history, and
place calls!

28
Q

Physical Access Risks - Countermeasures

A

• The primary defense - encrypt all sensitive data!
• Advertisement time: take the Crypto course next semester!
• In addition, devices that store sensitive information should have a
passcode of at least six digits in length set and in use at all times.
• Install software that can be used to remotely track the
location of a device or to remotely wipe sensitive data.

29
Q

Android Malware: DroidDream

A

• Although most Android malware is distributed by third-party
application marketplaces or requires the user to download and install
it manually, the DroidDream family of malware was primarily
distributed by the Google Play store.
• Various legitimate applications from the Play store were repackaged
to include DroidDream and then put back in the Play store.
• Users downloaded this software believing it to be safe since it came
from a trusted source.
• An app repackaged to include DroidDream requires a large number of
dangerous permissions!

30
Q

Android Malware: NickiSpy

A

• The NickiSpy app literally spies on its victims.
• Like other mobile malware, NickiSpy is commonly packaged into other
popular software.
• Once the victim installs it, NickiSpy stays dormant, waiting to receive
the android.intent.action.BOOT_COMPLETED broadcast,
meaning the malware does not activate until the device has been rebooted.
• Upon rebooting, the malware sends an SMS to a hardcoded C&C number along
with the device’s IMEI number. The variant described here (referred to as
NickiSpy.B) then immediately begins gathering info about the victim.
• The malware then waits to receive additional commands via SMS.

31
Q

iOS Malware 1

A

• While Google has been plagued with much malware in both Google
Play and third-party Android markets, Apple has so far been relatively
unscathed.
• Only a handful of notable malware affects iOS devices, and most of
the malware to date has targeted jailbroken devices.
• The first malware discovered on iOS devices was discovered in June
2009 and disguised itself as “iPhone firmware 1.1.3 prep” software.
• It stated that it was “an important system update. Install this before
updating to the new 1.1.3 firmware.”

32
Q

iOS Malware 2

A

After uninstalling this firmware “prep” software, a number of
common utilities installed on jailbroken devices would stop working
properly, such as Doom, Launcher, Erica’s Utilities, and SSH, which
caused users a minor annoyance by forcing them to reinstall these
utilities.

33
Q

iOS Malware iKee

A

• The first worm to hit iPhones, named iKee, appeared in Nov 2009, and
its purpose was to “rickroll” victims by changing their background
image to an image of Rick Astley and to disable their SSH daemons.
• An Australian teenager admitted to creating the worm.
• Given the fact that the worm only affected jailbroken devices with an
unchanged root password and running SSH daemon, it is surprising
that the worm was able to infect 17,000 to 25,000 devices in a short
period of time.
• Local law enforcement took no interest in pursuing criminal charges,
and the malware author even got a job offer as an iOS developer
owing to the notoriety shortly after the release of the worm.

34
Q

App Review Process - Google

A

After paying a one-time developer registration fee of 25 USD (2013),
anyone can upload an Android app to Google Play.
• Within 15 to 60 minutes, the Android app appears in the Google Play store.
• Google relies on an automated malware detection system named Bouncer
to detect & remove malicious apps after submission into Google Play.
• Many researchers have questioned the effectiveness of Bouncer and, in
some cases, have published research illustrating potential deficiencies, but
we doubt anyone would be surprised by the conclusion that an automated
malware analysis system can be defeated by a dedicated malicious actor.

35
Q

App Review Process - Apple

A

• Apple performs an automated review via static analysis tools to
detect improper API usage AND performs a manual review of
submitted apps, so the approval process usually takes about a week.
• Additionally, developers (2013) pay a 99 USD annual developer fee,
thus creating a slightly higher barrier to entry.
• We could argue that Apple’s more stringent registration and review
process reduces the amount of malware found in its application store,
but the thoroughness of their review in relation to identifying
vulnerable or malicious code in submitted iOS applications is
unknown.

36
Q

Support for 3rd-Party Apps - Google

A

• Android devices support installing apps from unknown sources, which
means that users can install software from third-party app stores and
users can be tricked into installing malware from a hostile website.
• The ability to install software from unknown sources is not enabled
by default, but many users enable this setting and users can also be
tricked into changing their security settings.
• Although Android will not install unsigned APKs, Android does not
actually care who signs the application—so Google, or some other
trusted party, does not need to sign the Android application.

37
Q

Support for 3rd-Party Apps - Apple

A

• Apple, on the other hand, only allows users to install iOS applications
from its App Store or an enterprise application store.
• The iOS kernel enforces this restriction by only executing code signed
by an approved party.
• One reason why there are fewer malicious apps on Apple’s platform.
• Users must jailbreak their iOS device to install software from a third-party application store.
• Undoubtedly, malicious actors could attempt to trick users into
jailbreaking their iOS device and then installing malware, but this step
is unnecessary on Android devices.