About these ads

Archive

Posts Tagged ‘Mobile device management’

Looking Inside a Year of Android Malware

August 14, 2011 2 comments

As you will probably know my Birthday post for Android Malware has deserved a mention from Engadget and Wired. Easily predictable but not for me, the Engadget link has been flooded by comments posted by Android supporters and adversaries, with possible trolls’ infiltrations, up to the point that the editorial staff has decided to disable comments from the article. The effect has been so surprising that someone has also insinuated, among other things, that I have been paid to talk s**t on the Android.

Now let me get some rest from this August Italian Sun and let me try to explain why I decided to celebrate this strange malware birthday for the Android.

First of all I want to make a thing clear: I currently do own an Android Device, and convinced, where possible, all my relatives and friends to jump on the Android. Moreover I do consider the Google platform an inseparable companion for my professional and personal life.

So what’s wrong? If you scroll the malware list you may easily notice that the malware always require an explicit consent from the user, so at first glance the real risk is the extreme trust that users put in their mobile devices which are not considered “simple” phones (even if smart), but real extensions of their personal and professional life.

You might say that this happens also for traditional devices (such as laptops), but in case of mobile devices there is a huge social and cultural difference: users are not aware to bring on their pocket dual (very soon four) cores mini-PCs and are not used to apply the same attention deserved for their old world traditional devices. Their small display size also make these devices particularly vulnerable to phishing (consider for instance the malware Android.GGTracker).

If we focus on technology instead of culture (not limiting the landscape to mobile) it easy to verify that the activity of developing malware (which nowadays is essentially a cybercrime activity) is a trade off between different factors affecting the potential target which include, at least its level of diffusion and its value for the attacker (in a mobile scenario the value corresponds to the value of the information stored on the device). The intrinsic security model of the target is, at least in my opinion, a secondary factor since the effort to overtake it, is simply commensurate with the value of the potential plunder.

What does this mean in simple words? It means that Android devices are growing exponentially in terms of market shares and are increasingly being used also for business. As a consequence there is a greater audience for the attackers, a greater value for the information stored (belonging to the owner’s personal and professional sphere) and consequently the sum of these factors is inevitably attracting Cybercrooks towards this platform.

Have a look to the chart drawing Google OS Market share in the U.S. (ComScore Data) compared with the number of malware samples in this last year (Data pertaining Market Share for June and July are currently not available):

So far the impact of the threats is low, but what makes the Google Platform so prone to malware? For sure not vulnerabilities: everything with a line of code is vulnerable, and, at least for the moment, a recent study from Symantec has found only 18 vulnerabilities for Google OS against 300 found for iOS (please do no question on the different age of the two OSes I only want to show that vulnerabilities are common and in this context Android is comparable with its main competitor).

Going back to the initial question there are at least three factors which make Android different:

  1. The application permission model relies too heavily on the user,
  2. The security policy for the market has proven to be weak,
  3. The platform too easily allows to install applications from untrusted sources with the sideloading feature.

As far as the first point is concerned: some commenters correctly noticed that apps do not install themselves on their own, but need, at least for the first installation, the explicit user consent. Well I wonder: how many “casual users” in your opinion regularly check permissions during application installation? And, even worse, as far as business users are concerned, the likely targets of cybercrime who consider the device as a mere work tool: do you really think that business users check app permission during installation? Of course a serious organization should avoid the associated risks with a firm device management policy before considering a wide deployment of similar devices, most of all among CxOs; but unfortunately we live in an imperfect world and too much often fashion and trends are faster (and stronger) than Security Policies and also make the device to be used principally for other things than its business primary role, hugely increasing risks.

This point is a serious security concern, as a matter of fact many security vendors (in my opinion the security industry is in delay in this context) offer Device Management Solution aimed to complete the native Application Access Control model. Besides it is not a coincidence that some rumors claim that Google is going to modify (enhance) the app permission security process.

As far as the second point is concerned (Android Market security policy), after the DroidDream affair, (and the following fake security update), it is clear that the Android Market Publishing (and Security) model needs to be modified, making it more similar to the App Store. There are several proposals in this context, of course in this place is not my intention to question on them but only to stress that the issue is real.

Last but not least Sideloading is something that makes Android very different from other platforms (read Apple), Apple devices do not allow to install untrusted apps unless you do not Jailbreak the devices. Android simply needs the user to flag an option (By The Way many vendors are opening their Android devices to root or alternate ROMs, consider for instance LG which in Italy does not invalidate the Warranty for rooted devices) or HTC which, on May 27, stated they will no longer have been locking the bootloaders on their devices.

So definitively the three above factors (together with the growing market shares) make Android more appealing for malware developers and this is not due to an intrinsic weakness of the platform rather than a security platform model which is mainly driven by the user and not locked by Manufacturer as it happens in case of Cupertino.

About these ads

Mobile Security: Vulnerabilities and Risks

May 24, 2011 5 comments

Today I took part as speaker to an event organized by my Company concerning Cloud and Mobile security. For this occasion I prepared some slides summarizing some concepts spread all over my blogs.

In my vision (you should know if you follow my blog) mobile vulnerabilties are mainly due to:

  • False security perception by users: they consider their device as a “simple” phone, forgetting they bring a small dual-core in their pockets;
  • “Light” behaviour from users: Sideloading, Jailbreak and Rooting are not good security practices;
  • Consumerization of Devices: well known (partially abused) concept: some mobile devices come from the consumer world and hence do not natively offer enterprise class security or suffer from intrinsic vulnerabilities:
  • Consumerization of Users: many users think they have consumer device so they think they do not deserve enterprise class security measures.

And the risks are:

  • False Security Perception leads to high probabilities of theft or loss of the device, and most of all, of its data;
  • “Light” behaviour from users dramatically increases the probability to directly install malware or surf towards insecure shores…
  • Consumerization of Devices leads to vulnerabilities that may be exploited to access and steal sensitive data or authentication credentials;
  • Consumerization of Users leads the users themselves to adopt imprper habits not appropriate for an enterprise use, which in turn make the device even more vulnerable to malware (i.e. installing non business application, lending it to others, etc.).

How to mitigate the risks?

  • Educate users to avoid “promiscuous” behaviours (no root or sideloading or jaibreak, do not accept virtual candies from unkown virtual persons);
  • At an organizational Level, define security policy for managing (un)predictable events such as device thieft or loss;
  • Beware of risks hidden behind social Network;
  • Use (strong) Data Encryption;
  • Do not forget to use security software;
  • Enforce Strong Authentication;
  • Keep the device update.

This in turn corresponds to enforce a device management policy in which mobile devices are treated like “traditional” endpoints (but they will sone become tradional endpoints).

You may find the slides on SlideShare… They are mainly in Italian but if you want, ask me and I will provide an additional translated version.

Good Reading!

Follow

Get every new post delivered to your Inbox.

Join 3,200 other followers