200:1 - Do You Trust Your
Mobile Security Odds?
Jeff Forristal / CTO

Secure:
Statement of current security posture
Trustable:
Holistic statement of intent; forward-looking
& comprehensive

Secure
Insecure
Time
0day / Vulnerability found
Vendor pushes a patch
Vendor support EOL

You trust a system
will achieve & maintain
your security needs

Remember these vulnerabilities?
s λ
goto fail;
goto fail;
Heartbleed
Fake ID
iOS jailbreaks
Pangu
TowelRoot
Points in time where we know our mobile devices were insecure…

2014 Vulnerabilities Reported for iOS & Android
168
78 – Webkit/UIWebview
4 – SSL
5 – Kernel code exec
10 – System code exec
62
38 – Lollipop changelog
~ 16 are unconfirmed
5 – Kernel code exec
3 – Bootloader code exec
~ 7 – System code exec
3 – SSL
20 – Chrome/webview
Circa Nov 2014; Data from Apple security advisories IOS 7.0.6, 7.1, 7.1.1, 7.1.2, 8, 8.1; Android collected from multiple sources

What / who are
we trusting?
(and are they making good security choices on our behalf?)

With so many devices, how do you know which meets your risk
management needs?
Listen to the webinar recording:
http://bit.ly/1xvjzlc
Data from Google Play 11/11/2014 for API 10+; Apple developer portal

Over 7,200 active Android devices http://bit.ly/1xvjzlc
running across the eco-system!
42
Listen to the webinar recording:
Data from Google Play 11/11/2014 for API 10+; Apple developer portal

Who are the main third-parties we choose to put in our mobile circle of trust?
Hardware Manufacturers Operating Systems Device Manufacturers Carriers

The effectiveness of mobile risk
management is largely dependent on
lottery results …
Listen to the webinar recording:
http://bit.ly/1xvjzlc

Case Study: Samsung Note3 on AT&T

Samsung Note3 on AT&T: Third-parties included in the “circle of trust”
Listen to the webinar recording:
http://bit.ly/1xvjzlc

Device specific apps that are uniquely installed based on the carrier
…

Samsung Note3 comes with …
312
45
151
apps pre-installed
are non-Samsung (3rd party)
pre-installed roots of trust

54
86
1
apps have system-level privileges
apps have “dangerous” permissions
hard-coded open wifi profile
and…

Blackphone– how secure is it really?
54
86
1
apps have system-level privileges
hard-coded open wifi profile

Samsung Note3: Inherent Circle of Trust

Circle of trust grows with third parties: over 200 entities driving & effecting our
security and data on the device

Certificate authorities with Government/State
interest: pre-installed on Android

Pre-installed root certificates for
academic research: pre-installed on
Android

Pre-installed root certificates on iOS 8
…

iOS 8 includes…
236
pre-installed roots of trust
(and no way to disable any of them)

Questioning the
Chain of Trust
Download whitepaper here:
https://bluebox.com/blog/technical/

It’s not just about the device …
don’t forget about the apps
122
shared libraries
on apps

libremotedesktop_client.so
122
shared libraries
on apps

189
dylibs (including Swift)
Internal testing on IOS 8.1 iPod Touch, using hybrid Swift app
iOS 8 also includes…

“Attack
Surface”

What version is your device
running on?

Analysis of Samsung Note3 Patch Updates by Major Carriers
4.4.4
Google 4.4.2 4.4.3, 4.4.4
4.3 4.3 4.3 4.3 4.4.2 4.4.2 4.4.2 4.4.2
Sep Nov 2014 Mar May Jul Sep
AT&T
Sprint
Verizon
T-Mobile
US
Cellular
2013
4.3
4.3
4.3 4.3
4.3
4.3
4.4.2 4.4.2
4.3 4.4.2
4.4.2 4.4.2 4.4.2 4.4.2 4.4.2
4.4.2
4.3
4.4.4
4.4.2
4.4.2
4.4.2
Int’l/UK et al. 4.4.2
Data from sammobile.com, for SM-N900A/SM-N900P/SM-N900R4/SM-N900T/SM-N900V/SM-N9005, circa Oct 1 2014

So… are we really making
the best trust
choices?

With so many choices, how do
we pick the most trustable
device?

Can we measure something
as a basis for trust?

Quantify the trust of a device with “Trustable
by Bluebox” for Android

How users affect security and trust scores (you can improve!): Motorola example
Motorola out of the box Motorola w/ proactive security

Trustable by
Bluebox
Methodology and details available
as downloadable whitepaper
https://bluebox.com/trustable-by-bluebox/

Samsung Note3 Trust Score

Call to Action: Mobile Risk Management

Recognize the realities
(shortcomings) of
mobile security

Secure
Vulnerable
Secure
Vulnerable
Industry-wide security vulnerabilities
Secure
Vulnerable
Vendor patching variables with industry-wide security vulnerabilities…
some devices live in a mostly in-secure state!

Bluebox Labs Research -
How long it took vendors to
patch Master Key and Fake
ID vulnerabilities:
~3 attempts and 9 months
to patch all vulnerabilities!
Data from Bluebox Security Scanner, since public release; 250k installs
MK = Master Key

2013 Sep Nov 2014 Mar May Jul Sep
iOS Releases
7.0 7.0.3 7.0.4 7.0.6 7.1 7.1.1 7.1.2 8.0 8.1
evasi0n7
7.1 jailbreak
reports
Pangu (IOS7)
Nov
Pangu8
Secure
Vulnerable
iOS Jailbreaks

A note about
rooting/jailbreaking…

1. Exploit one or more vulnerabilities to escape the security
model & execute code in a system-privileged state
2. Make one or more modifications to the system to
generically persist control of the system-privileged state
3. Install user-convenience standard jailbreak utilities
(Substrate, Cydia, SuperSU, etc.)

Manage risk in
a hostile environment

Device security guides
https://bluebox.com/android-user-security-guide/
https://bluebox.com/ios-user-security-guide/

Device specific security
posture analysis is necessary for
Android
OS version (4.4.2 vs 4.4.3 vs. 4.4.4) may not be relevant
Example: Android Fake ID patch back-ported to 4.1.x, 4.2.x,
4.3.x, 4.4.x and released to ODMs
Example 2: Linux kernel futex vulnerability patched by ODMs
without changing the Android version

Go beyond traditional
rooting/jailbreak detection
System-level (non-root) compromises are still game-over
Malware can favor non-persistent roots/breaks

Consider the total circle of
trust
Trojan keyboards, trojan VPN clients, untrusted system CA
certs, accessibility agents, untrusted app extensions can
undermine device & app security operations

Look inwards into the app’s
sandbox
App anti-tampering & fortification to survive a
vulnerable/hostile device environment
Not just data-at-rest, etc.  process space integrity
Keep apps & their transactions secure during the inevitable
periods of device insecurity

& App
Device
Integrity

jeff@bluebox.com
Questions?
https://bluebox.com/trustable-by-bluebox/
https://bluebox.com/blog/
https://bluebox.com/ios-user-security-guide/
https://bluebox.com/android-user-security-guide/
https://play.google.com/store/apps/details?id=com.bluebox.trust