The explosive trends of the increasing number of mobile devices and apps get us in trouble despite the benefits they give. Run through the common threats faced. Tackle them with a strategy to better secure our mobile device and apps against these emerging threats.
If you will make a choice on what you cannot live without, I would bet your mobile device or smartphone will be on your top list. Since internet's successful invasion into our daily life, a mobile device is the next pervasive need that we are heavily dependent on. It gets us connected online anytime and anywhere. However, convenience does not come without a cost. Cyber criminals or attackers become easier to reach out closer to the victim.
Identify common mobile threats
There are OWASP’s top ten major security risks that summarise nicely a good list of application based vulnerabilities but I like to take another step to look at the device and apps collectively. To identify the threats, we can start by looking into the multiple layers from the apps that we interact with, all the way down into the device hardware that we possess and have physical contact. Each of these layer faces different threats - see overview.
The Mobile DNA layers
Application Layer - This is no different from any other software as in, poor code practices create an opportunity for attackers to exploit such weaknesses and vulnerability. Fake mobile apps is another scheme that misplaced users trust.
Middleware & Service Layer - What makes apps explosive is their simplicity to get ready the code quickly by leveraging on available development middleware packages and leaving the device to be as lightweight with all the hot number crunching processing at the backend services. Apps development is about speed to deliver. Security is often an afterthought. The application backend server is the weakest link.
- Security patching on apps libraries and the backend services are always in an arms race to keep the attacker at bay. For example, incident due to the unintentional weak configuration can expose internal staging servers to attacker brute force to gain administrative access.
Operation System Layer - The most common mobile OS remains with Android and Apples IOS, though Windows 10 mobile is upcoming as the new kid on the block. Besides the mobile apps patching woes discussed earlier, mobile devices have their own issue - they often do not use security software. Mobile devices are seldom preinstalled with security software (or just comes with free time-limited ones) and that opens up a "can of worms".
- Malicious applications including fake ones,
- Spyware that leaks information and plants backdoor to allow stealthy infiltration,
- Malware-based attacks that spoof victim to make an unauthorized online transaction,
- A trojan that can intercept SMS one-time passwords sent to the device and then send it back to an attacker.
What makes this a worse off situation for users is the OS can be weakened as it can be easily be rooted (Android) or jailbroken (IOS). Tools and steps are publicly available. It was estimated that between 50% and 90% of users opt to jailbreak or root their devices to enable them to install pirated games or apps without restriction. It is not hard to imagine those devices may already be infected and the user is not aware at all - false sense of security.
Firmware & Hardware Layer - It is not surprising security patches or fixes for mobile devices' OS are not always installed on mobile devices in a timely manner and especially for this layer, it gets even rarer since firmware does not even get upgraded or patched very frequently.
- Mobile device OEMs can make false claims, misrepresent patch is available but not - this is a patch gap.
- Available tool (for Android) can check for a missing patch to check firmware installed and identify missing Android security patches. This is available to attackers too.
- Phone model changes fast. Most manufacturers stop their support as soon as 12 to 18 months after their new model is released to keep pace with competitors and introduce more features that may not be well understood and of hidden risk to the user.
More challenges are expected when the phone critical hardware is found vulnerable. For example, phone's baseband components that take care of its whole device communication stack is flawed and subject to attacker exploitation and eventually take control of your phone's call and SMS communication unbeknownst to you.
Put up and review the defense strategy
Address the threats fast otherwise, the aftermath damages are going to be very costly. Cases of allowing personal devices need to balance the risk as it needs segregation off from unrestricted access to your official work in the same device. For such a BYOD scenario, enterprises are at her highest risk for cyber attacks. Manage the risk and develop an enterprise-wide mobile security strategy to improve and beef up each mobile layer discussed earlier.
1. Application Layer - Adopt Secure Code Development guidelines
Ensure the app on the mobile device is shielded from unnecessary risk of hijacking and manipulation
Key focus - Defensive coding
- Use existing security flags to make the code located in a random location to deter attackers and increase their work factor to exploit e.g. use of Position-Independent Code (PIC) and Address Space Layout Randomisation (ASLR).
- Use only trusted code that is always open for any validation when needed. Watch out for proprietary source codes which will face an evaluation issue when the authorities request for checks.
- Leverage on the native sandboxing capability to isolate apps from other prying apps installed on the same device. Personal apps and enterprise apps must not share data in any sharing channels.
- Debugs are removed from production codes. Means to impede attempt of reverse engineering and data tamper through code replacement or override are blocked - e.g. apps stop running when a device is rooted.
- Obfuscation of codes to deter and increase the complexity in automatically reading the interpreted apps bytecodes using other forms of automated analysis tools or scripts.
2. Middleware Layer - Enforce Operational policy for consistent Architecture & Hosting guidelines
Ensure there guidelines and instruction established for compliance across the enterprise deployment.
Key focus - Identity & Access Control
- Employ a managed device approach so that they are managed by the enterprise mobile device management (MDM) and for apps, managed by the enterprise mobile apps management
- Adopt a need to know basis and design the access matrix using role-based and least privileged principle
- Protect the single truth of the source (can be de-centralized from a large site) overseeing the identity used for accessing the device and apps
- Make sure all data used in device and apps are clearly defined and all authorized managed device are inventoried. E.g. app can account for all login activities, with a list of devices granted for each non-blacklisted user.
3. Services Layer - Conduct risk assessment and make sure closure on all identified risks
Ensure any residual risks are adequately managed and any risk acceptance is by the appropriate stakeholder.
Key focus - Authentication & Session management
- Secure all remote access for remote user and administrator using multi-factor authentication
- Use multi-factor for authentication instead of relying on one factor such as password
- Study the use of biometric authentication as it can be incurred high false positives hence high error rate
- Terminate remote access session after the stipulated time threshold so as to reduce stale session being hijacked
4. OS Layer - Adopt a continuous data confidentiality & privacy controls
Ensure sensitive (personal) and operational data are also prevented from data leakage.
Key focus - Audit trail & Log activity monitoring
- Make sure no sensitive data is written to the apps log unnecessarily.
- Record all privileged access for administration to the servers and data access by third parties
- Monitor for anomalous activity e.g. processes searching for keyboard caches, secret keys in memory etc
- Checks for aggressive or abnormal events that delete and wipe away activity logs and critical data
- Review violation and system error generated by the apps and device OS as it may indicate vulnerable components been attempted for exploitation.
5. Firmware Layer - Maintain a consistent Cryptography standard use in deployment
Ensure the use of this standard to maintain high integrity on the apps and device posture.
Key focus - Security Validation
- Identify ill practices e.g. hardcoded cryptographic keys, plain passwords, embedded internal URLs in apps configuration files and use of self-signed certified (instead of the available official trusted authority issuer)
- Check the coverage of the apps digital signature or checksum. Look out for missing or excluded files.
- Use only proven standard primitives for symmetric, asymmetric, signatures and key exchanges
- Check any secret or crypto key generated not using a secure random generator
- Verify the entire device/key lifecycle are in place such that end to end from key generation till device decommission. Proper recording and documentation for disposal is important as verifiable evidence.
6. Hardware Layer - Establish contractual support in areas of supply chain
Ensure the use of strategic partner as reliable providers and their affiliated downstream supplier.
Key focus - Secure Platform & Network communication
- Verify all exchanges with the supplier and network communication implemented in a device and apps are secured e.g. TLS and proven to have no backdoors.
- Identify trusted identity issued for all patches that will be digitally signed by these trusted entities.
- Contract binding requires clauses to write out action required for any failure of obligation signed off.
- Incident response is required and covers damage control and contingency plan to address window of exposure till root cause is satisfactorily resolved and accepted by a user.
On Reflection - What's more ...
The list does not end here. It will be an ongoing effort to beef it up to suit your mobile DNA.
- Keep a constant watch out on the mobile threat
- Revise the strategy and guidelines regularly.
- Garner strong management support. Keep them apprised on the policy and strategy effort.
- Grow mobile security defense plans further by aligning and supporting the business use cases.
Word of advice - Always learn and adopt good practices from the community. Engage and network actively.
They are the wisdom of the crowd and I benefited hence the writing of this article - look out for reputed bodies such as OWASP and National Cyber Security center, NCSC.NL.
Have a smooth journey in securing your mobile device and apps!