On Wednesday, November 12, Bluebox Security hosted a webinar titled, “200:1 – Do You Trust Your Mobile Security Odds?” Jeff Forristal, CTO of Bluebox, shares real-life iOS and Android case studies revealing the amount of implicit trust, risk and insecurity found in today’s mobile devices, and what users can do about it. Watch the recorded webinar in it’s entirety here: http://offers.bluebox.com/webinar-trust-security-odds.html

1. 200:1 - Do You Trust Your
Mobile Security Odds?
Jeff Forristal / CTO

3. Secure:
Statement of current security posture
Trustable:
Holistic statement of intent; forward-looking
& comprehensive

4. Secure
Insecure
Time
0day / Vulnerability found
Vendor pushes a patch
Vendor support EOL

5. You trust a system
will achieve & maintain
your security needs

6. Remember these vulnerabilities?
s λ
goto fail;
goto fail;
Heartbleed
Fake ID
iOS jailbreaks
Pangu
TowelRoot
Points in time where we know our mobile devices were insecure…

7. 2014 Vulnerabilities Reported for iOS & Android
168
78 – Webkit/UIWebview
4 – SSL
5 – Kernel code exec
10 – System code exec
62
38 – Lollipop changelog
~ 16 are unconfirmed
5 – Kernel code exec
3 – Bootloader code exec
~ 7 – System code exec
3 – SSL
20 – Chrome/webview
Circa Nov 2014; Data from Apple security advisories IOS 7.0.6, 7.1, 7.1.1, 7.1.2, 8, 8.1; Android collected from multiple sources

8. What / who are
we trusting?
(and are they making good security choices on our behalf?)

9. With so many devices, how do you know which meets your risk
management needs?
Listen to the webinar recording:
http://bit.ly/1xvjzlc
Data from Google Play 11/11/2014 for API 10+; Apple developer portal

10. Over 7,200 active Android devices http://bit.ly/1xvjzlc
running across the eco-system!
42
Listen to the webinar recording:
Data from Google Play 11/11/2014 for API 10+; Apple developer portal

11. Who are the main third-parties we choose to put in our mobile circle of trust?
Hardware Manufacturers Operating Systems Device Manufacturers Carriers

12. The effectiveness of mobile risk
management is largely dependent on
lottery results …
Listen to the webinar recording:
http://bit.ly/1xvjzlc

13. Case Study: Samsung Note3 on AT&T

14. Samsung Note3 on AT&T: Third-parties included in the “circle of trust”
Listen to the webinar recording:
http://bit.ly/1xvjzlc

15. Device specific apps that are uniquely installed based on the carrier
…

16. Samsung Note3 comes with …
312
45
151
apps pre-installed
are non-Samsung (3rd party)
pre-installed roots of trust

17. 54
86
1
apps have system-level privileges
apps have “dangerous” permissions
hard-coded open wifi profile
and…

18. Blackphone– how secure is it really?
54
86
1
apps have system-level privileges
hard-coded open wifi profile

19. Samsung Note3: Inherent Circle of Trust

20. Circle of trust grows with third parties: over 200 entities driving & effecting our
security and data on the device

21. Certificate authorities with Government/State
interest: pre-installed on Android

22. Pre-installed root certificates for
academic research: pre-installed on
Android

23. Pre-installed root certificates on iOS 8
…

24. iOS 8 includes…
236
pre-installed roots of trust
(and no way to disable any of them)

25. Questioning the
Chain of Trust
Download whitepaper here:
https://bluebox.com/blog/technical/

26. It’s not just about the device …
don’t forget about the apps
122
shared libraries
on apps

27. libremotedesktop_client.so
122
shared libraries
on apps

28. 189
dylibs (including Swift)
Internal testing on IOS 8.1 iPod Touch, using hybrid Swift app
iOS 8 also includes…

29. “Attack
Surface”

30. What version is your device
running on?

31. Analysis of Samsung Note3 Patch Updates by Major Carriers
4.4.4
Google 4.4.2 4.4.3, 4.4.4
4.3 4.3 4.3 4.3 4.4.2 4.4.2 4.4.2 4.4.2
Sep Nov 2014 Mar May Jul Sep
AT&T
Sprint
Verizon
T-Mobile
US
Cellular
2013
4.3
4.3
4.3 4.3
4.3
4.3
4.4.2 4.4.2
4.3 4.4.2
4.4.2 4.4.2 4.4.2 4.4.2 4.4.2
4.4.2
4.3
4.4.4
4.4.2
4.4.2
4.4.2
Int’l/UK et al. 4.4.2
Data from sammobile.com, for SM-N900A/SM-N900P/SM-N900R4/SM-N900T/SM-N900V/SM-N9005, circa Oct 1 2014

32. So… are we really making
the best trust
choices?

33. With so many choices, how do
we pick the most trustable
device?

34. Can we measure something
as a basis for trust?

35. Quantify the trust of a device with “Trustable
by Bluebox” for Android

36. How users affect security and trust scores (you can improve!): Motorola example
Motorola out of the box Motorola w/ proactive security

37. Trustable by
Bluebox
Methodology and details available
as downloadable whitepaper
https://bluebox.com/trustable-by-bluebox/

38. Samsung Note3 Trust Score

39. Call to Action: Mobile Risk Management

40. Recognize the realities
(shortcomings) of
mobile security

41. Secure
Vulnerable
Secure
Vulnerable
Industry-wide security vulnerabilities
Secure
Vulnerable
Vendor patching variables with industry-wide security vulnerabilities…
some devices live in a mostly in-secure state!

42. Bluebox Labs Research -
How long it took vendors to
patch Master Key and Fake
ID vulnerabilities:
~3 attempts and 9 months
to patch all vulnerabilities!
Data from Bluebox Security Scanner, since public release; 250k installs
MK = Master Key

43. 2013 Sep Nov 2014 Mar May Jul Sep
iOS Releases
7.0 7.0.3 7.0.4 7.0.6 7.1 7.1.1 7.1.2 8.0 8.1
evasi0n7
7.1 jailbreak
reports
Pangu (IOS7)
Nov
Pangu8
Secure
Vulnerable
iOS Jailbreaks

44. A note about
rooting/jailbreaking…

45. 1. Exploit one or more vulnerabilities to escape the security
model & execute code in a system-privileged state
2. Make one or more modifications to the system to
generically persist control of the system-privileged state
3. Install user-convenience standard jailbreak utilities
(Substrate, Cydia, SuperSU, etc.)

46. Manage risk in
a hostile environment

47. Device security guides
https://bluebox.com/android-user-security-guide/
https://bluebox.com/ios-user-security-guide/

48. Device specific security
posture analysis is necessary for
Android
OS version (4.4.2 vs 4.4.3 vs. 4.4.4) may not be relevant
Example: Android Fake ID patch back-ported to 4.1.x, 4.2.x,
4.3.x, 4.4.x and released to ODMs
Example 2: Linux kernel futex vulnerability patched by ODMs
without changing the Android version

49. Go beyond traditional
rooting/jailbreak detection
System-level (non-root) compromises are still game-over
Malware can favor non-persistent roots/breaks

50. Consider the total circle of
trust
Trojan keyboards, trojan VPN clients, untrusted system CA
certs, accessibility agents, untrusted app extensions can
undermine device & app security operations

51. Look inwards into the app’s
sandbox
App anti-tampering & fortification to survive a
vulnerable/hostile device environment
Not just data-at-rest, etc.  process space integrity
Keep apps & their transactions secure during the inevitable
periods of device insecurity

52. & App
Device
Integrity

53. jeff@bluebox.com
Questions?
https://bluebox.com/trustable-by-bluebox/
https://bluebox.com/blog/
https://bluebox.com/ios-user-security-guide/
https://bluebox.com/android-user-security-guide/
https://play.google.com/store/apps/details?id=com.bluebox.trust