Jeff Forristal / CTO

200:1 - Do You Trust Your

Mobile Security Odds?

Secure:

Trustable:

Statement of current security posture

Holistic statement of intent; forward-

looking & comprehensive

Secure

Insecure

Time

0day / Vulnerability found

Vendor pushes a patch

Vendor support EOL

You trust a system

will achieve & maintain

your security needs

sλ

goto fail;

goto fail;

Remember these vulnerabilities?

Heartbleed

Fake ID

iOS jailbreaks

Pangu

TowelRoot

Points in time where we know our mobile devices were insecure…

168

Circa Nov 2014; Data from Apple security advisories IOS 7.0.6, 7.1, 7.1.1, 7.1.2, 8, 8.1; Android collected from multiple sources

78 – Webkit/UIWebview

4 – SSL

5 – Kernel code exec

10 – System code exec

2014 Vulnerabilities Reported for iOS & Android

6238 – Lollipop changelog

~ 16 are unconfirmed

5 – Kernel code exec

3 – Bootloader code exec

~ 7 – System code exec

3 – SSL

20 – Chrome/webview

What / who are

we trusting?(and are they making good security choices on our behalf?)

Data from Google Play 11/11/2014 for API 10+; Apple developer portal

With so many devices, how do you know which meets your risk

management needs?

Listen to the webinar recording:

http://bit.ly/1xvjzlc

42

Data from Google Play 11/11/2014 for API 10+; Apple developer portal

Listen to the webinar recording:

http://bit.ly/1xvjzlcOver 7,200 active Android devices

running across the eco-system!

Who are the main third-parties we choose to put in our mobile circle of trust?

Hardware Manufacturers Operating Systems Device Manufacturers Carriers

Listen to the webinar recording:

http://bit.ly/1xvjzlc

The effectiveness of mobile risk

management is largely dependent on

lottery results …

Case Study: Samsung Note3 on AT&T

Listen to the webinar recording:

http://bit.ly/1xvjzlc

Samsung Note3 on AT&T: Third-parties included in the “circle of trust”

Device specific apps that are uniquely installed based on the carrier

…

312

45

151

apps pre-installed

are non-Samsung (3rd party)

pre-installed roots of trust

Samsung Note3 comes with …

54

86

1

apps have system-level privileges

apps have “dangerous” permissions

hard-coded open wifi profile

and …

54

86

1

apps have system-level privileges

hard-coded open wifi profile

Blackphone – how secure is it really?

Samsung Note3: Inherent Circle of Trust

Circle of trust grows with third parties: over 200 entities driving & effecting our

security and data on the device

Certificate authorities with Government/State

interest: pre-installed on Android

Pre-installed root certificates for

academic research: pre-installed on

Android

…

Pre-installed root certificates on iOS 8

236pre-installed roots of trust

(and no way to disable any of them)

iOS 8 includes…

Questioning the

Chain of Trust

Download whitepaper here:

https://bluebox.com/blog/technical/

122shared libraries

on apps

It’s not just about the device …

don’t forget about the apps

libremotedesktop_client.so

122shared libraries

on apps

189dylibs (including Swift)

Internal testing on IOS 8.1 iPod Touch, using hybrid Swift app

iOS 8 also includes…

“AttackSurface”

What version is your device

running on?

Sep Nov 2014 Mar May Jul Sep

Sprint

AT&T

US

Cellular

T-Mobile

Verizon

2013

4.3

4.3

4.3 4.3

4.3

4.3

4.4.2 4.4.2

4.3 4.4.2

4.4.2 4.4.2 4.4.2 4.4.2 4.4.2

4.4.4

4.4.2

4.3

4.4.4

4.4.2

4.4.2

4.4.2

Int’l/UK et al. 4.4.24.4.2 4.4.2 4.4.2 4.4.24.3 4.3 4.3 4.3

Data from sammobile.com, for SM-N900A/SM-N900P/SM-N900R4/SM-N900T/SM-N900V/SM-N9005, circa Oct 1 2014

Google4.4.2 4.4.3, 4.4.4

Analysis of Samsung Note3 Patch Updates by Major Carriers

So… are we really making

the best trust

choices?

With so many choices, how do

we pick the most trustable

device?

Can we measure something

as a basis for trust?

Quantify the trust of a device with “Trustable

by Bluebox” for Android

How users affect security and trust scores (you can improve!): Motorola example

Motorola out of the box Motorola w/ proactive security

Trustable by

Bluebox

Methodology and details available

as downloadable whitepaper

https://bluebox.com/trustable-by-

bluebox/

Samsung Note3 Trust Score

Call to Action: Mobile Risk Management

Recognize the realities(shortcomings) of

mobile security

Secure

Vulnerable

Secure

Vulnerable

Industry-wide security vulnerabilities

Secure

Vulnerable

Vendor patching variables with industry-wide security vulnerabilities…

some devices live in a mostly in-secure state!

Data from Bluebox Security Scanner, since public release; 250k installs

Bluebox Labs Research -

How long it took vendors to

patch Master Key and Fake

ID vulnerabilities:

~3 attempts and 9 months

to patch all vulnerabilities!

MK = Master Key

Sep Nov 2014 Mar May Jul Sep2013

iOS Releases7.0.6 7.1 7.1.1 7.1.2 8.0 8.17.0.47.0.37.0

evasi0n7

7.1 jailbreak

reports

Pangu (IOS7)

Nov

Pangu8

Secure

Vulnerable

iOS Jailbreaks

A note about

rooting/jailbreaking…

1. Exploit one or more vulnerabilities to escape the security

model & execute code in a system-privileged state

2. Make one or more modifications to the system to

generically persist control of the system-privileged state

3. Install user-convenience standard jailbreak utilities

(Substrate, Cydia, SuperSU, etc.)

Manage risk in

a hostile environment

Device security guides

https://bluebox.com/android-user-security-guide/

https://bluebox.com/ios-user-security-guide/

Device specific security

posture analysis is necessary for

Android

OS version (4.4.2 vs 4.4.3 vs. 4.4.4) may not be relevant

Example: Android Fake ID patch back-ported to 4.1.x, 4.2.x,

4.3.x, 4.4.x and released to ODMs

Example 2: Linux kernel futex vulnerability patched by ODMs

without changing the Android version

Go beyond traditional

rooting/jailbreak detection

System-level (non-root) compromises are still game-over

Malware can favor non-persistent roots/breaks

Consider the total circle of

trust

Trojan keyboards, trojan VPN clients, untrusted system CA

certs, accessibility agents, untrusted app extensions can

undermine device & app security operations

Look inwards into the app’s

sandbox

App anti-tampering & fortification to survive a

vulnerable/hostile device environment

Not just data-at-rest, etc. process space integrity

Keep apps & their transactions secure during the inevitable

periods of device insecurity

&AppDevice

Integrity

Questions?

jeff@bluebox.com

https://bluebox.com/trustable-by-bluebox/

https://bluebox.com/blog/

https://bluebox.com/ios-user-security-guide/

https://bluebox.com/android-user-security-guide/

https://play.google.com/store/apps/details?id=com.bluebox.trust