There was a wide spectrum of experts – from hackers to security communities – at the annual Black Hat conference in Las Vegas, concluding last week. The conference always provides a great perspective on the state of security today through technical briefings and hacking workshops, led by the premier minds in the field.
While Apple and Android’s models are working fairly well for the user communities they are targeting, it’s clear that there continue to be significant vulnerabilities in enterprise mobile app development. Developing secure mobile apps that protect companies from external threats and ensure that data privacy, security and regulatory demands are met is not an easy task.
The plane of vulnerability across corporate data extends significantly as soon as you include mobile in your portfolio. One of the most critical threats to enterprises comes from within – the mishandling and misappropriation of sensitive corporate data by employees. While Apple and Android continue to provide valuable tools and processes to help with security, it is ultimately up to the designers and developers of the apps and supporting infrastructure to understand, appreciate and code to the security and compliance standards set forth by the community at large.
In this slideshow, Robert McCarthy, technical advisor at Mobiquity, outlines five takeaways from this year’s Black Hat 2015, particularly focusing on the differences in Apple and Android’s security models – and how you should address them.
The State of Mobile Security
Click through for five mobile security takeaways from Black Hat 2015, provided by Robert McCarthy, technical advisor at Mobiquity.
Apple Security Model
Apple has nailed the security model for mobile apps so far.
The differences in attack surfaces between Android and Apple are imminently clear. During his first day of boot camp at Black Hat, McCarthy was among a group of attendees who were tasked with hacking into various apps using tried and true methods and tools once reserved only for the “Black Hat” hackers. Where Android works in the open-source arena, allowing an abundance of hacking tools and processes to proliferate, Apple’s walled garden approach to app development and distribution makes it really difficult to crack into an iOS device. Apple controls the development tools, the hardware, the OS, the patching and upgrade process, the app review and approval process, and the distribution channel.
While it can be a cumbersome process for developers to follow, this closed eco-system makes it extremely difficult to construct any kind of mobile-targeted attack at scale. Essentially, without possessing the physical device and jailbreaking it to expose some degree of access, the level of difficulty to do anything malicious to an Apple device makes it an unlikely target for most hackers.
Apple’s Push for Competitive Functionality
However, Apple’s push for competitive functionality may open vulnerabilities in the near future.
As demand for new features and services continues to grow, Apple has had to make some concessions to their super-strict security model, and this may open up new opportunities for exploitation in the near future. As an example, in order to solve the problem of inter-app communication – something Android does really well – Apple had to add “App Extensions” to their latest release. This opens a similar vulnerability to Android’s “Intents,” which act as declarations of how and with what information apps are able to communicate and share information.
Intents have been identified in a number of Android vulnerabilities, and this may eventually prove to be the case with Apple’s App Extensions. At the very least, these extensions will add more strain, and likely more latency, to an already onerous approval process for Apple apps.
Android in Context
Android vulnerabilities abound, but everything should be taken in context.
Android’s eco-system is almost the polar opposite of Apple’s, with its OEM and distribution partnerships, open-source code projects, and third-party tool vendors. Android’s open strategy relies on the power of the community to drive toward a more secure and stable product.
While this may happen at some point in the distant future, for now this strategy means that a lot of responsible parties, including the user, are involved in ensuring apps and devices are secure. This can make for a nightmare scenario of coordination when it comes to educating and evaluating developers on secure coding best practices, organizing OEMs around rapid responses to security patching, and providing the proper set of tools and warnings to the user to ensure they are fully aware of any steps they take that may affect their security or privacy posture. In the hacking session McCarthy attended, he was amazed at the speed and ease with which he was able to unwrap an app, analyze its manifest, run it in an emulator, execute his own code, and even rewrite code and repackage it for distribution. All of this provides incredibly meaningful insight for any smart and determined hacker to build a complete profile of the vulnerabilities available within an app, and within the OS itself.
Taking a Stand Again Hackers
Thought-leaders are taking a stand against malicious hackers.
Android, along with its partners and thought-leaders in the community, continue to make significant strides to protect against malicious hackers. At Android’s very transparent “State of the Union” Black Hat presentation, Google’s Adrian Ludwig outlined a series of steps Android has taken over the past few years to build their layered security model and increase their overall security posture. This included some significant data analysis to identify where so many potentially harmful apps (PHA) exist globally, what devices they run on, and even what types of signatures they give off that may be reused by other malicious apps. This has resulted in, amongst other things, a rapid deployment and upgrade in the security of Android developer and user services such as Google Play, Verify Apps and SafetyNet.
Overall, by leveraging the developer community and the power of a billion or so devices deployed worldwide, with the capability to harvest certain performance and security data from those devices, Android can continue to mature their shared security model and increase the overall security posture of their eco-system.
Mobile App Insecurity – Fail
For all of the hype, true mobile app insecurity fails to deliver.
Because mobile devices are so ingrained in the lives of almost everyone with access to news and the Internet, every new exploit on mobile generates its own hype cycle, complete with the “fear, uncertainty and dread” that this exploit will be the one that buries one vendor or another. The truth is, while there continue to be definite and identifiable vulnerabilities in mobile apps and operating systems, the level of fright surrounding a new vulnerability release consistently overshoots the actual impact the vulnerability has on the real world. Vulnerabilities are all over the place, but actual mobile breaches of any magnitude continue to be rare.
There was a lot of buzz at Black Hat surrounding the latest exploit to Android by the name of “StageFright,” a bug within the executing code of the Android operating system distributed to over 95 percent of its user base. However, during the presentation by StageFright’s discoverer, Joshua Drake, Zimperium’s vice president of platform research and exploitation, it was clear that Android’s cooperation and rapid response to the vulnerability proved out the OS’s model of shared security and community involvement. While the headlines scream ‘950,000,000 devices affected,’ the fact is that there have been, to date, exactly zero known real-world exploits using this technique.
Conclusion: Taking Charge
While Apple caters to those who want absolute security and are willing to sacrifice some functionality, Android caters to those who embrace the freedom of a more open eco-system and the choice of multiple hardware and service providers. Basically, they are willing to work within Android’s risk model.
As enterprise IT teams focus more attention on mobile, it’ll be most important to ensure that users themselves are concerned and motivated enough to individually secure data at their workplace. A recent Mobile Privacy IQ study conducted by Lookout surveyed smartphone owners in the U.S. to determine user perceptions toward privacy and data on mobile devices. While 76 percent of respondents claimed they would take extra steps to secure their personal data, only 5 percent felt the same about securing data for their workplace.
However, despite increased security threats, the mobile world is maturing and so is the thinking around layered security. Furthermore, the cooperation between OS vendors, third-party app developers, and security “bug hunters” is evolving. There is significant value to being an attacker, either as a White Hat like Joshua Drake and so many others who diligently work through vulnerabilities and report on them for the benefit of the ecosystem, or as a Black Hat warrior who will steal your data, crash your services, or highjack your application for blackmail money. It is therefore critical to enumerate the superset of possible threats to your solution, create models for each of them, design counter-measures to mitigate the risk, and continuously monitor both your solution and the changes in the outside threat landscape. Without doing this, you could be a feature presentation at BlackHat2016.