200:1 - Do You Trust Your Mobile Security Odds?
DESCRIPTION
On Wednesday, November 12, Bluebox Security hosted a webinar titled “200:1 – Do You Trust Your Mobile Security Odds?” Jeff Forristal, CTO of Bluebox, shares real-life iOS and Android case studies revealing the amount of implicit trust, risk and insecurity found in today’s mobile devices, and what users can do about it. Watch the recorded webinar in its entirety here: http://offers.bluebox.com/webinar-trust-security-odds.html
TRANSCRIPT
![Page 1: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/1.jpg)
Jeff Forristal / CTO
200:1 - Do You Trust Your
Mobile Security Odds?
![Page 2: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/2.jpg)
![Page 3: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/3.jpg)
Secure: Statement of current security posture
Trustable: Holistic statement of intent; forward-looking & comprehensive
![Page 4: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/4.jpg)
[Chart: device state (Secure / Insecure) over Time, marked with three events: 0day / Vulnerability found; Vendor pushes a patch; Vendor support EOL]
![Page 5: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/5.jpg)
You trust a system
will achieve & maintain
your security needs
![Page 6: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/6.jpg)
Remember these vulnerabilities?
goto fail;
goto fail;
Heartbleed
Fake ID
iOS jailbreaks
Pangu
TowelRoot
Points in time where we know our mobile devices were insecure…
![Page 7: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/7.jpg)
2014 Vulnerabilities Reported for iOS & Android
168
78 – Webkit/UIWebview
4 – SSL
5 – Kernel code exec
10 – System code exec
6238 – Lollipop changelog
~ 16 are unconfirmed
5 – Kernel code exec
3 – Bootloader code exec
~ 7 – System code exec
3 – SSL
20 – Chrome/webview
Circa Nov 2014; Data from Apple security advisories iOS 7.0.6, 7.1, 7.1.1, 7.1.2, 8, 8.1; Android collected from multiple sources
![Page 8: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/8.jpg)
What / who are we trusting?
(and are they making good security choices on our behalf?)
![Page 9: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/9.jpg)
Data from Google Play 11/11/2014 for API 10+; Apple developer portal
With so many devices, how do you know which meets your risk
management needs?
Listen to the webinar recording:
http://bit.ly/1xvjzlc
![Page 10: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/10.jpg)
42
Data from Google Play 11/11/2014 for API 10+; Apple developer portal
Over 7,200 active Android devices running across the eco-system!
![Page 11: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/11.jpg)
Who are the main third-parties we choose to put in our mobile circle of trust?
Hardware Manufacturers
Operating Systems
Device Manufacturers
Carriers
![Page 12: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/12.jpg)
The effectiveness of mobile risk
management is largely dependent on
lottery results …
![Page 13: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/13.jpg)
Case Study: Samsung Note3 on AT&T
![Page 14: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/14.jpg)
Samsung Note3 on AT&T: Third-parties included in the “circle of trust”
![Page 15: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/15.jpg)
Device specific apps that are uniquely installed based on the carrier
…
![Page 16: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/16.jpg)
Samsung Note3 comes with …
312 apps pre-installed
45 are non-Samsung (3rd party)
151 pre-installed roots of trust
![Page 17: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/17.jpg)
and …
54 apps have system-level privileges
86 apps have “dangerous” permissions
1 hard-coded open wifi profile
![Page 18: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/18.jpg)
54
86
1
apps have system-level privileges
hard-coded open wifi profile
Blackphone – how secure is it really?
![Page 19: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/19.jpg)
Samsung Note3: Inherent Circle of Trust
![Page 20: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/20.jpg)
Circle of trust grows with third parties: over 200 entities driving & affecting our security and data on the device
![Page 21: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/21.jpg)
Certificate authorities with Government/State
interest: pre-installed on Android
![Page 22: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/22.jpg)
Pre-installed root certificates for
academic research: pre-installed on
Android
![Page 23: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/23.jpg)
…
Pre-installed root certificates on iOS 8
![Page 24: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/24.jpg)
iOS 8 includes…
236 pre-installed roots of trust
(and no way to disable any of them)
![Page 25: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/25.jpg)
Questioning the
Chain of Trust
Download whitepaper here:
https://bluebox.com/blog/technical/
![Page 26: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/26.jpg)
It’s not just about the device … don’t forget about the apps
122 shared libraries on apps
![Page 27: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/27.jpg)
libremotedesktop_client.so
122 shared libraries on apps
![Page 28: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/28.jpg)
iOS 8 also includes…
189 dylibs (including Swift)
Internal testing on iOS 8.1 iPod Touch, using hybrid Swift app
![Page 29: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/29.jpg)
“Attack Surface”
![Page 30: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/30.jpg)
What version is your device
running on?
![Page 31: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/31.jpg)
Analysis of Samsung Note3 Patch Updates by Major Carriers
[Chart: Android version available for the Samsung Note3 over time. Time axis: Sep 2013 to Sep 2014. Rows: Sprint, AT&T, US Cellular, T-Mobile, Verizon, Int’l/UK et al., Google. Versions shown: 4.3, 4.4.2, 4.4.3, 4.4.4]
Data from sammobile.com, for SM-N900A/SM-N900P/SM-N900R4/SM-N900T/SM-N900V/SM-N9005, circa Oct 1 2014
![Page 32: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/32.jpg)
So… are we really making
the best trust
choices?
![Page 33: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/33.jpg)
With so many choices, how do
we pick the most trustable
device?
![Page 34: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/34.jpg)
Can we measure something
as a basis for trust?
![Page 35: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/35.jpg)
Quantify the trust of a device with “Trustable
by Bluebox” for Android
![Page 36: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/36.jpg)
How users affect security and trust scores (you can improve!): Motorola example
Motorola out of the box
Motorola w/ proactive security
![Page 37: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/37.jpg)
Trustable by
Bluebox
Methodology and details available
as downloadable whitepaper
https://bluebox.com/trustable-by-bluebox/
![Page 38: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/38.jpg)
Samsung Note3 Trust Score
![Page 39: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/39.jpg)
Call to Action: Mobile Risk Management
![Page 40: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/40.jpg)
Recognize the realities (shortcomings) of mobile security
![Page 41: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/41.jpg)
[Chart: three Secure / Vulnerable timelines plotted against industry-wide security vulnerabilities]
Vendor patching variables with industry-wide security vulnerabilities… some devices live in a mostly insecure state!
![Page 42: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/42.jpg)
Data from Bluebox Security Scanner, since public release; 250k installs
Bluebox Labs Research -
How long it took vendors to
patch Master Key and Fake
ID vulnerabilities:
~3 attempts and 9 months
to patch all vulnerabilities!
MK = Master Key
![Page 43: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/43.jpg)
iOS Jailbreaks
[Chart: Secure / Vulnerable state over time. Time axis: Sep 2013 to Nov 2014. iOS releases: 7.0, 7.0.3, 7.0.4, 7.0.6, 7.1, 7.1.1, 7.1.2, 8.0, 8.1. Jailbreak markers: evasi0n7, 7.1 jailbreak reports, Pangu (iOS 7), Pangu8]
![Page 44: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/44.jpg)
A note about
rooting/jailbreaking…
![Page 45: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/45.jpg)
1. Exploit one or more vulnerabilities to escape the security
model & execute code in a system-privileged state
2. Make one or more modifications to the system to
generically persist control of the system-privileged state
3. Install user-convenience standard jailbreak utilities
(Substrate, Cydia, SuperSU, etc.)
![Page 46: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/46.jpg)
Manage risk in
a hostile environment
![Page 47: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/47.jpg)
Device security guides
https://bluebox.com/android-user-security-guide/
https://bluebox.com/ios-user-security-guide/
![Page 48: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/48.jpg)
Device specific security
posture analysis is necessary for
Android
OS version (4.4.2 vs 4.4.3 vs. 4.4.4) may not be relevant
Example: Android Fake ID patch back-ported to 4.1.x, 4.2.x,
4.3.x, 4.4.x and released to ODMs
Example 2: Linux kernel futex vulnerability patched by ODMs
without changing the Android version
![Page 49: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/49.jpg)
Go beyond traditional
rooting/jailbreak detection
System-level (non-root) compromises are still game-over
Malware can favor non-persistent roots/breaks
![Page 50: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/50.jpg)
Consider the total circle of
trust
Trojan keyboards, trojan VPN clients, untrusted system CA
certs, accessibility agents, untrusted app extensions can
undermine device & app security operations
![Page 51: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/51.jpg)
Look inwards into the app’s
sandbox
App anti-tampering & fortification to survive a
vulnerable/hostile device environment
Not just data-at-rest, etc. process space integrity
Keep apps & their transactions secure during the inevitable
periods of device insecurity
![Page 52: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/52.jpg)
App & Device Integrity
![Page 53: 200:1 - Do You Trust Your Mobile Security Odds?](https://reader033.vdocuments.pub/reader033/viewer/2022060202/559bfa5a1a28ab4e668b458a/html5/thumbnails/53.jpg)
Questions?
https://bluebox.com/trustable-by-bluebox/
https://bluebox.com/blog/
https://bluebox.com/ios-user-security-guide/
https://bluebox.com/android-user-security-guide/
https://play.google.com/store/apps/details?id=com.bluebox.trust