Praetorian Veracode Webinar - Mobile Privacy

6. OWASP Mobile Top 10 List
1. Insecure or unnecessary client-side data storage
2. Lack of data protection in transit
3. Personal data leakage
4. Failure to protect resources with strong authentication
5. Failure to implement least privilege authorization policy
6. Client-side injection
7. Client-side DOS
8. Malicious third-party code
9. Client-side buffer overflow
10. Failure to apply server-side controls
9. Static Analysis
• Analysis of software performed without actually executing the program
• Full coverage of the entire source or binary
• In theory, having full application knowledge can reveal a wider range of bugs and vulnerabilities than the “trial and error” of dynamic analysis
• Impossible to identify vulnerabilities based on system configuration that exist only in the deployment environment
10. Entire contents © 2011 Praetorian. All rights reserved. | Information Security Provider and Research Center | www.praetorian.com
11. Pervasive Permissions: Where They Come From & Why Users Accept Them
Ryan W Smith, Senior Security Researcher
11 Entire contents © 2011 Praetorian. All rights reserved. Your World, Secured
12. Android’s Open App Model
• Low barrier to entry
• Apps hosted and installed from anywhere
• All apps are created equal
• No distinction between core apps and 3rd party apps
• Accept apps based on:
1. Trust of the source
2. Permissions requested
13. Examples of Android Malware
SMS Trojan
– SMS based propagation
– Link to site hosting rogue app for “free movie player”
– Sends 2 premium SMS messages to a Kazakhstan number (about $5 per message)
Geinimi
– Repackaged apps in Chinese market
– Sex Positions and MonkeyJump2 are known examples
– Bot-like capabilities, with unknown impact or purpose
Droid Dream
– Approx. 50 malicious apps in official market
– Contained several sensitive exfiltration capabilities
14. Praetorian’s Mobile Analyst Project (MAP)
Phase 1: Scalable Tailored App Analysis Framework (STAAF)
Goal: To aid an analyst’s investigation of a large number of applications
Current Capabilities:
• Extract permissions and other attributes
• Analyze the application’s code using several methods
• Gather high level trends, patterns, and statistics from extracted data
15. Initial Results :: Permissions Requests
53,000 Applications Analyzed
• Android Market: ~48,000
• 3rd Party Markets: ~5,000
Permissions Requested
• Average: 3
• Most Requested: 117
Top “Interesting” Permissions
• GPS information: 24% (11,929)
• Read Contacts: 8% (3,626)
• Send SMS: 4% (1,693)
• Receive SMS: 3% (1,262)
• Record Audio: 2% (1,100)
• Read SMS: 2% (832)
• Process Outgoing Calls: 1% (323)
• Use Credentials: 0.5% (248)
16. Who Wants to Know?
• Ad/Marketing Networks
• Social Gaming Networks
17. Initial Results :: Shared Libraries
52,000 Applications Analyzed
• Android Market: ~48,000
• 3rd Party Markets: ~5,000
Third Party Libraries
• Total Third Party Libraries: ~83,000
Top Shared Libraries
• com.admob: 38% (18,426 apps)
• org.apache: 8% (3,684 apps)
• com.google.android: 6% (2,838 apps)
• com.google.ads: 6% (2,779 apps)
• com.flurry: 6% (2,762 apps)
• com.mobclix: 4% (2,055 apps)
• com.millennialmedia: 4% (1,758 apps)
• com.facebook: 4% (1,707 apps)
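The STAAF capabilities on slide 14 (extract permissions, analyze code, gather trends) and the aggregate figures on slides 15 and 17 can be reproduced on a small scale with a script like the one below. This is an added example for this page, not Praetorian's STAAF code: per app it takes the AndroidManifest.xml text and a list of class names (what a dex class listing would give), parses the requested permissions, matches class names against a library prefix list, and reports how many apps request each "interesting" permission and embed each library. Every manifest and class list here is a constructed sample, and the `LIBRARY_PREFIXES` list is an assumption, not an official catalogue of third-party SDKs.

```python
"""Permission and shared-library statistics over a set of Android apps.

Added example for this page; it is not Praetorian's STAAF code. Per app it
takes the AndroidManifest.xml text plus a list of class names (as a dex class
listing would give) and produces the kind of aggregate figures the slides
report. All manifests and class lists below are constructed samples, and the
library prefix list is an assumption, not an official catalogue.
"""
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The "interesting" permissions from the slides, keyed by their real
# android.permission.* names.
INTERESTING = {
    "android.permission.ACCESS_FINE_LOCATION": "GPS information",
    "android.permission.READ_CONTACTS": "Read Contacts",
    "android.permission.SEND_SMS": "Send SMS",
    "android.permission.RECEIVE_SMS": "Receive SMS",
    "android.permission.RECORD_AUDIO": "Record Audio",
    "android.permission.READ_SMS": "Read SMS",
    "android.permission.PROCESS_OUTGOING_CALLS": "Process Outgoing Calls",
    "android.permission.USE_CREDENTIALS": "Use Credentials",
}

# Package prefixes treated as third-party libraries (assumed curated list).
LIBRARY_PREFIXES = ("com.admob", "org.apache", "com.google.ads", "com.flurry",
                    "com.mobclix", "com.millennialmedia", "com.facebook")


def parse_manifest(xml_text):
    """Return (package name, set of requested permissions) from a manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    perms.discard(None)  # a uses-permission element without android:name
    return package, perms


def detect_libraries(class_names):
    """Return the library prefixes that the app's class names fall under.

    The match requires a package boundary, so com.admobile.* does not count
    as com.admob.
    """
    found = set()
    for cls in class_names:
        for prefix in LIBRARY_PREFIXES:
            if cls == prefix or cls.startswith(prefix + "."):
                found.add(prefix)
    return found


def aggregate(apps):
    """apps: list of (manifest_xml, class_names). Returns a summary dict.

    Counts in "permissions" and "libraries" are (number of apps, percent).
    """
    n = len(apps)
    perm_counter, lib_counter = Counter(), Counter()
    total_perms = max_perms = 0
    for manifest_xml, class_names in apps:
        _, perms = parse_manifest(manifest_xml)
        total_perms += len(perms)
        max_perms = max(max_perms, len(perms))
        perm_counter.update(p for p in perms if p in INTERESTING)
        lib_counter.update(detect_libraries(class_names))
    return {
        "apps": n,
        "avg_permissions": total_perms / n if n else 0.0,
        "max_permissions": max_perms,
        "permissions": {INTERESTING[p]: (c, round(100 * c / n))
                        for p, c in perm_counter.items()},
        "libraries": {lib: (c, round(100 * c / n))
                      for lib, c in lib_counter.items()},
    }


def manifest(package, *permissions):
    """Build a minimal AndroidManifest.xml (constructed sample, not a real app)."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in permissions)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}<application/></manifest>')


# Constructed sample corpus: (manifest xml, class names seen in the dex).
SAMPLE_APPS = [
    (manifest("com.example.weather", "android.permission.ACCESS_FINE_LOCATION",
              "android.permission.INTERNET"),
     ["com.example.weather.Main", "com.admob.android.ads.AdView"]),
    (manifest("com.example.contacts", "android.permission.READ_CONTACTS",
              "android.permission.INTERNET", "android.permission.SEND_SMS"),
     ["com.example.contacts.App", "com.flurry.android.FlurryAgent",
      "com.admob.android.ads.AdManager"]),
    (manifest("com.example.recorder", "android.permission.RECORD_AUDIO"),
     ["com.example.recorder.Rec", "org.apache.http.client.HttpClient"]),
    (manifest("com.example.game", "android.permission.ACCESS_FINE_LOCATION",
              "android.permission.INTERNET", "android.permission.READ_CONTACTS",
              "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
              "android.permission.READ_SMS"),
     ["com.example.game.Main", "com.admob.android.ads.AdView",
      "com.facebook.android.Facebook"]),
]

REPORT = aggregate(SAMPLE_APPS)

if __name__ == "__main__":
    for key, value in REPORT.items():
        print(f"{key}: {value}")
```

On a real corpus the manifest text would come from decoding the binary AndroidManifest.xml inside each APK and the class names from the dex file; the aggregation step is the same. Prefix matching with an explicit package boundary matters because ad and analytics SDKs are identified only by their package namespace, and a loose `startswith` would over-count.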
18. Do You User, Take Thee Permissions?
YOUR PERSONAL INFORMATION: READ CONTACT DATA
NETWORK COMMUNICATION: FULL INTERNET ACCESS
NETWORK COMMUNICATION: VIEW NETWORK STATE
SYSTEM TOOLS: PREVENT DEVICE FROM SLEEPING
PHONE CALLS: READ PHONE STATE AND IDENTITY
HARDWARE CONTROLS: CONTROL VIBRATOR
SERVICES THAT COST YOU MONEY: SEND SMS MESSAGES
19. What Really Happens?
“Given a choice between dancing pigs and security, users will pick dancing pigs every time.”
– Bruce Schneier
20. Numbers Can Be Deceiving
Malware samples shown: zsones & Droid Dream; SMS Replicator; Fake Security Tool; Geinimi; SMS Trojan
21. If You See Something, Say Something!
Recommendations going forward
1. Carefully review the app, the permissions requested, the author, and be judicious
2. Support third party initiatives to monitor app markets proactively
3. Run security monitoring applications on your Android device
4. Visit Praetorian.com for more information on mobile security services
23. Whitelisting
• Conduct static analysis of candidate applications
• Create a whitelist
• Use an unbiased 3rd party
• Enforcement via mobile policy
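The whitelisting steps above (static analysis of candidates, a whitelist, enforcement by policy) leave open what the whitelist should key on. An added example, not Praetorian's code or any mobile policy product's API: each entry records the approved package name, the SHA-256 of the APK build that was analysed, and the permissions reviewed for it, and an installed app is allowed only when all three match. Binding the entry to the build hash is what refuses a repackaged app of the kind described on slide 13 even though its package name is on the list, and binding it to the reviewed permission set refuses an update that quietly adds permissions. The APK bytes and entries are constructed samples, not real apps.

```python
"""Whitelist enforcement for Android apps.

Added example for this page; it is not Praetorian's code or any mobile
policy product's API. A whitelist entry records an approved package name,
the SHA-256 of the APK that was statically analysed, and the permissions
reviewed for it. An app is allowed only when all three match, so a
repackaged build or a permission-creeping update is refused even though
the package name is on the list. All APK bytes below are constructed.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class WhitelistEntry:
    package: str
    apk_sha256: str
    allowed_permissions: frozenset


def sha256_hex(data):
    """Hex SHA-256 of the APK bytes exactly as distributed."""
    return hashlib.sha256(data).hexdigest()


def build_whitelist(approved):
    """approved: iterable of (package, apk_bytes, permissions) from the review."""
    return {
        package: WhitelistEntry(package, sha256_hex(apk_bytes), frozenset(permissions))
        for package, apk_bytes, permissions in approved
    }


def evaluate(whitelist, package, apk_bytes, requested_permissions):
    """Decide whether an app may run; returns (allowed, list of reasons)."""
    entry = whitelist.get(package)
    if entry is None:
        return False, ["package is not on the whitelist"]
    reasons = []
    # A different hash means a build the analysts never looked at: either a
    # repackaged copy from another market or an update that skipped review.
    if sha256_hex(apk_bytes) != entry.apk_sha256:
        reasons.append("APK hash differs from the reviewed build (repackaged or unreviewed update)")
    # Permissions added since review are the second thing a repackager changes.
    extra = frozenset(requested_permissions) - entry.allowed_permissions
    if extra:
        reasons.append("requests permissions outside the reviewed set: " + ", ".join(sorted(extra)))
    return not reasons, reasons


# Constructed sample: the build that passed static analysis and its permissions.
APPROVED_APK = b"PK\x03\x04 constructed approved build of com.example.notes"
WHITELIST = build_whitelist([
    ("com.example.notes", APPROVED_APK, {"android.permission.INTERNET"}),
])

if __name__ == "__main__":
    cases = [
        ("approved build", "com.example.notes", APPROVED_APK,
         ["android.permission.INTERNET"]),
        ("repackaged build", "com.example.notes", APPROVED_APK + b" modified bytes",
         ["android.permission.INTERNET"]),
        ("permission creep", "com.example.notes", APPROVED_APK,
         ["android.permission.INTERNET", "android.permission.SEND_SMS"]),
        ("unknown app", "com.example.freemovieplayer", b"PK\x03\x04 constructed",
         ["android.permission.SEND_SMS"]),
    ]
    for label, pkg, apk, perms in cases:
        allowed, reasons = evaluate(WHITELIST, pkg, apk, perms)
        print(f"{label}: {'allow' if allowed else 'deny'} {reasons}")
```

Keying on the package name alone would accept any repackaged app, and keying on the hash alone would force a full re-review for every update; recording the reviewed permission set as well lets an unchanged-permission update be re-approved with a lighter check while still flagging the cases the deck warns about.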