
Mobile Security: how smart are mobile phones today? Prof. Alessio - PowerPoint PPT Presentation



  1. Mobile Security: how smart are mobile phones today? Prof. Alessio Merlo, DIBRIS – University of Genoa

  2. Before starting…
     • Take your time to answer these questions, with respect to your everyday use of smartphones and tablets:
       1. How long have you been using a smartphone?
       2. Has the kind of activities that you carry out on your smartphone changed over time?
       3. What kind of applications do you commonly use?
       4. Do you TRUST your smartphone? To what extent?

  3. Some important key concepts
     • Asset: An asset is what we’re trying to protect.
     • Vulnerability: A vulnerability is a weakness or gap in our protection efforts.
     • Threat: A threat is what we’re trying to protect against.
     • Risk: Risk is the intersection of assets, threats, and vulnerabilities.
     • If your system has a vulnerability, a malicious entity can try to exploit it (attack).
     • All systems have vulnerabilities.

  4. Mobile Apps
     • Steady growth in the number of mobile apps
     • Apps are getting more and more sophisticated (and hence complex)
     • Most users
       • grant security-critical permissions without hesitation
       • use apps for security-critical operations (e-health, mobile banking, …)
     • Little/no confidence in apps even if they come from official stores
       • Trust?
       • Security?
     We focus on Android in this talk but no… iOS is not more secure than Android :)
     Let’s start with some (very) basics on Android Security.

  5. Application Packages (APK)
     • Contains:
       • Compiled sources of the application (classes.dex)
       • Resources (images, videos, …)
       • Native libraries (C/C++ shared libraries)
       • META-INF (application certificate and package manifest)

  6. Security Benefits
     • Integrity check (APK cannot be modified after its initial packaging)
     • Same origin policy
       • Update only possible with packages signed with the same developer key
     BUT:
     • Google allows self-signed certificates
     • Authenticity of developer not ensured!

  7. Sandboxing

  8. Sandboxing
     Each application (and its resources) is confined in a single Linux process. Each application owns a private data folder. The sandbox specifies which system resources the application is allowed to access and how it can interact with other applications.

  9. Application Sandbox
     • The isolation is enforced at the kernel level.
     • Each application has a unique UID and GID.

  10. Application Sandbox
      BUT
      • The DVM Sandbox is not a security boundary!
        • Easily circumvented with native code
        • Problems with some native Linux operations!!!

  11. Permissions and Least Privilege

  12. Android Permission System
      • Required to gain access to:
        • System resources (e.g. battery, driver)
        • Sensitive data (e.g. SMS, contacts)
        • System interfaces (e.g. Internet, send SMS, …)
      • Assigned to UIDs
      • Applications can define their own permissions to protect app interfaces

  13. Android Permission Example

  14. Android App Installation
      • During installation the user was prompted for the required permissions (now “at runtime”)
      • All-or-nothing approach
      • The user decides on his own whether an app requires the proper permissions

  15. Android Insecurity
      Are the previous security mechanisms enough?
      Android is the most used operating system on mobile devices.
      HOWEVER
      It is the one most targeted by malware.

  16. Source: http://www.zdnet.com/

  17. Source: http://www.zdnet.com/

  18. Source: http://www.zdnet.com/

  19. Source: http://www.zdnet.com/

  20. Source: http://www.zdnet.com/

  21. Source: http://www.zdnet.com/

  22. Android Vulnerabilities

  23. Android Vulnerabilities
      • Android is affected by both system and application vulnerabilities.
      • Example of a system vulnerability: Zygote Vulnerability
      • Example of an application vulnerability: Android Master Key exploit.

  24. Android Master Key Vulnerability
      • Android verifies the APK signature before its installation.
      • APK modifications after the signing phase are not allowed.

  25. Android Master Key Vulnerability
      Android verifies only the first file with the same name, BUT installs the second file in the list!
      The vulnerability is due to the use of two different libraries for verification and installation.
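
A defender-side check for the ambiguity described on this slide, as an added example that is not part of the original presentation: it lists APK entries whose name appears more than once, so a scanner can reject the package before any signature check. The function names and the in-memory sample archives are constructed for illustration.

```python
import io
import warnings
import zipfile


def duplicate_entries(apk_bytes):
    """Map each repeated entry name to the CRC32 values of its copies,
    in central-directory order. An empty dict means no name is ambiguous."""
    seen = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():  # infolist() keeps every entry, even repeated names
            seen.setdefault(info.filename, []).append(info.CRC)
    return {name: crcs for name, crcs in seen.items() if len(crcs) > 1}


def is_safe_to_verify(apk_bytes):
    """Accept a package for signature verification only if every entry name is
    unique, so two different ZIP parsers cannot pick different files."""
    return not duplicate_entries(apk_bytes)


def build_sample(names):
    """Constructed archive for the demo: one placeholder entry per name, in order."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile emits a UserWarning when a name is written twice; silence it here
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w") as zf:
            for i, name in enumerate(names):
                zf.writestr(name, f"placeholder-{i}".encode())
    return buf.getvalue()


# Constructed samples (not real APKs): one well-formed, one with a repeated name.
CLEAN = build_sample(["AndroidManifest.xml", "classes.dex", "META-INF/MANIFEST.MF"])
AMBIGUOUS = build_sample(["AndroidManifest.xml", "classes.dex", "classes.dex"])

if __name__ == "__main__":
    for label, data in (("clean", CLEAN), ("ambiguous", AMBIGUOUS)):
        verdict = "accept" if is_safe_to_verify(data) else "reject"
        print(label, duplicate_entries(data), verdict)
```

The differing CRC32 values for the repeated name show that the two copies carry different content, which is exactly the case where a verifier and an installer reading different copies disagree about what was signed.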

  26. More Info

  27. More Info
      Jeff Forristal, Android Master Key Exploit – Uncovering Android Master Key That Makes 99% of Devices Vulnerable
      https://bluebox.com/technical/uncovering-android-master-key-that-makes-99-of-devices-vulnerable/

  28. Android Malware
      • Most malware affects unlocked devices.
      • Android is vulnerable to privilege escalation attacks:
        • System-level -> Root exploits
        • Application-level -> Confused deputy attacks, collusion attacks

  29. System-level: Root Exploits
      • Used for unlocking root privileges on a mobile device.
      BUT A ROOT USER:
      1. Inherently holds all privileges
      2. Can silently install new apps
      3. Has full storage access
      4. Can execute low-level security-sensitive operations

  30. Example: GingerBreak Root Exploit
      • An attacker can deliberately cause a failure in the setUID of a process newly created by Zygote.
      • The new process continues executing with root privileges.
      • Loading an APK in such a new process causes its code to run with all privileges.

  31. Application-level Privilege Escalation Attacks

  32. Confused Deputy attacks
      • A privileged app (i.e. one that has permission to access resources) is fooled into misusing its privilege on behalf of a malicious unprivileged app.

  33. Example: Exploit browser permission
      A. Lineberry, D. L. Richardson, and T. Wyatt, “These aren’t the permissions you’re looking for.” http://dtors.files.wordpress.com/2010/08/blackhat-2010-slides.pdf, 2010. DefCon 18.

  34. Confused Deputies by OEMs
      • Samsung introduces several confused deputies in its device firmware
        • E.g. an application that can be used as a root shell by others.
      A. Moulo, “Android OEM’s applications (in)security and backdoors without permission.” http://www.quarkslab.com/dl/Android-OEM-applications-insecurity-and-backdoors-without-permission.pdf.

  35. Collusion Attacks
      • Malicious applications can collude to merge their respective permissions.
      • They can communicate using Intents or covert channels

  36. Soundcomber
      • In the USA, credit companies allow financial transactions through phone calls.
      • The user is invited to give his credit card number.
      • Soundcomber is a colluded application malware that can steal this number and send it to an external server.
      • Soundcomber relies on Android OS volume settings for data transmission.
      R. Schlegel, K. Zhang, X. Zhou, M. Intwala, A. Kapadia, and X. Wang, “Soundcomber: A stealthy and context-aware sound trojan for smartphones,” in Proc. 18th Annual Network and Distributed System Security Symposium (NDSS ’11), The Internet Society, 2011

  37. Soundcomber

  38. Soundcomber

  39. Soundcomber

  40. Soundcomber

  41. Soundcomber

  42. Covert Channels
      • Malware identifies other channels for data exchange:
        • Light state
        • Active processes or threads
        • Sound settings (Soundcomber is an example)
      • The stealthier the channel is, the less data can be sent.

  43. Example: Audio & Light Covert Channels
      Some research discovers new channels to trigger malware:
      - Surround music
      - Light of a monitor/TV
      In their experiments they are able to activate malware from 55 meters away in a crowded Starbucks using music.
      Hasan, Ragib, et al. "Sensing-enabled channels for hard-to-detect command and control of mobile devices." Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security. ACM, 2013.

  44. Considerations
      • Ok, but Android evolves, new versions are released, so… AREN’T WE MORE SECURE NOW?
      • Fixing discovered vulnerabilities implies that such vulnerabilities disappear → RIGHT
      • Android is fixed and new versions are more evolved → ARE THEY ALSO MORE SECURE THAN THE PREVIOUS ONES? NO!!!
      Why? Usability vs. Security dilemma.

  45. Recent Android versions
      • The latest Android version (Android 8, Oreo) introduced two features in the name of convenience («Usability»):
        • Autofill Framework
        • Instant Apps
      Do they strengthen the reliability of Android? Can they be abused?
      Considerations:
      • The Autofill Framework in some ways violates sandboxing
      • The Instant Apps mechanism allows remote code to be executed

  46. Automated Vulnerability Assessment of Mobile Apps

  47. APPROVER: Automatic mobile app security analysis

  48. Permission Analysis
      ● Detection of permission abuse & misuse by in-depth inspection of actual code

  49. Malware Analysis
      ● Signature-based malware detection
      ● Leverages 30+ anti-malware engines

  50. Vulnerability Analysis
      ● 50+ known code vulnerability patterns
      ● Pointers for quick review and inspection
      ● Description, guidelines and countermeasures

  51. Policy Checker
      ● Checks apps against behavioral patterns (aka policies)
      ● Predefined policy from OWASP Mobile Top 10

  52. Risk Analysis
      ● Summarizes the application security assessment
      ● Provides fast-to-read overall score
