
DEF CON 23: Digital certificates key to mobile security, says researcher

Traditional security does not always work for mobile as mobile operating systems are different to those on PCs, says MobileIron's Mike Raggo

Digital certificates are key to any mobile security strategy, according to Mike Raggo, director of security research at enterprise mobility management firm MobileIron.

“Many companies are still trying to apply traditional security policies to mobile devices, but they do not always work because mobile operating systems are fundamentally different to those on PCs, laptops and servers,” he told attendees of the DEF CON 23 hacker conference in Las Vegas.

Mobile operating systems, he said, sandbox each app and its data from the others, whereas on PC operating systems app data is typically shared across all apps.

“On a mobile device, you also have user capabilities that allow you to share data and do things like open an email attachment and open it in a secondary app, edit it, and then upload it to Dropbox and things like that,” he said.

Raggo added that with the explosion of social media, cloud and mobile, “data lives everywhere”, which means traditional firewalls have “vapourised”. Additionally, with the advent of bring your own device (BYOD), users are supplying and configuring their own devices for use at work independently of IT.

“All of these factors have to be taken into account from a mobile security point of view,” he said. 

Mobile threats

MobileIron research has identified four main categories of mobile threats, said Raggo, starting with jailbreaking of Apple devices to bypass restrictions on what can be installed on the devices.

“We refer to this more broadly as operating system (OS) compromise because there are lots of different ways a device can be compromised,” he said.

Next, Raggo said there is a lot of focus on mobile malware, but added that while this is a legitimate concern, there are also a lot of risks associated with legitimate apps and internal apps that should not be overlooked.

“Statistics show that of the top 400 apps in Apple App Store and the top 400 apps in Google Play, roughly 80% have some kind of risky behaviour that could expose personally identifiable information (PII) such as GPS data, contacts, email addresses and hardware information,” he said.

Internal apps, he added, should also be validated independently before they are pushed out to enterprise users to test for intentional or inadvertent vulnerabilities.

The next area of risk, said Raggo, is related to the fact that mobile devices update all the time because they are always connected. “Every time a new version of the OS or app comes out, it introduces potential attack or threat vectors that change the landscape every time.”

Fourth, he said, is the issue of man-in-the-middle (MITM) attacks, because people are using devices with access to enterprise data to connect to open Wi-Fi, where traffic can be intercepted and decrypted by attackers using fake wireless access points.

In addition, Raggo said as more people start using smartwatches, these devices are introducing a whole new set of risks to enterprise data.

“Some of the smartwatches we tested recently had no PIN or passcode capability, while others provided no encryption capability for the data on the device, while the pairing app for a Chinese smartwatch was communicating with a random IP address,” he said.

Malicious apps and content

An important general trend in the mobile space, said Raggo, is that attackers are starting to focus their attention on creating malicious apps or injecting malicious content into legitimate apps.

“In reality, malware makes up less than 0.4% of all mobile threats, which means the greatest risk is from the risky behaviours of legitimate apps people are using every day,” he said.

Another important general trend, Raggo said, is the growing number of mobile threats that do not require the device itself to be compromised.

“For example, FireEye has done some good research around the Masque attack, that happened around the same time as WireLurker, in which malware was embedded in an app update that enabled attackers to steal credentials and data,” he said.

Raggo said enterprises can use tools like the APK Tool to identify the capabilities of an Android app and verify whether it is properly displaying all its capabilities when it is downloaded and installed.

“This tool can show if an app has the capability to write to external storage, to modify data on the SD-card, open and close internet access, or monitor the VPN [virtual private network], which may not be disclosed by the app when it is downloaded and installed,” he said.
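As an added example, not code from the article or from MobileIron, here is a small Python audit of the kind of check Raggo describes. It reads an AndroidManifest.xml decoded from an APK (the readable form the APK Tool produces), lists the permissions the app requests, flags the ones that map to the capabilities named above (writing to external storage and the SD card, internet access, running a VPN service, and PII sources such as location and contacts), and reports any permission that is not on a disclosed list such as a store listing. The manifest, the package name and the disclosed list are constructed for the example; the permission names and the manifest namespace are Android's own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERMISSION_ATTR = "{%s}permission" % ANDROID_NS

# Constructed sample: a decoded AndroidManifest.xml for a hypothetical notes app
# that asks for far more than a notes app needs.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notesapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Notes">
        <service android:name=".TunnelService"
                 android:permission="android.permission.BIND_VPN_SERVICE">
            <intent-filter>
                <action android:name="android.net.VpnService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Permissions behind the capabilities the article lists, with what each exposes.
RISKY_PERMISSIONS = {
    "android.permission.WRITE_EXTERNAL_STORAGE": "write to external storage / SD card",
    "android.permission.INTERNET": "open network connections",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location (PII)",
    "android.permission.READ_CONTACTS": "contacts (PII)",
    "android.permission.GET_ACCOUNTS": "account e-mail addresses (PII)",
    "android.permission.READ_PHONE_STATE": "phone / hardware identifiers",
}


def requested_permissions(manifest_xml):
    """Every <uses-permission android:name=...> in the manifest, sorted."""
    root = ET.fromstring(manifest_xml)
    return sorted({el.get(NAME_ATTR) for el in root.iter("uses-permission")
                   if el.get(NAME_ATTR)})


def declares_vpn_service(manifest_xml):
    """True if a <service> is guarded by BIND_VPN_SERVICE, i.e. the app can act
    as a VpnService and route (and so observe) the device's traffic."""
    root = ET.fromstring(manifest_xml)
    return any(el.get(PERMISSION_ATTR) == "android.permission.BIND_VPN_SERVICE"
               for el in root.iter("service"))


def audit(manifest_xml, disclosed):
    """Compare what the APK asks for against what the app discloses."""
    perms = requested_permissions(manifest_xml)
    disclosed = set(disclosed)
    return {
        "risky": {p: RISKY_PERMISSIONS[p] for p in perms if p in RISKY_PERMISSIONS},
        "undisclosed": [p for p in perms if p not in disclosed],
        "vpn_service": declares_vpn_service(manifest_xml),
    }


if __name__ == "__main__":
    # Constructed disclosed list: the only capability the store listing mentions.
    report = audit(SAMPLE_MANIFEST, ["android.permission.INTERNET"])
    for perm, why in report["risky"].items():
        print(f"RISKY       {perm}: {why}")
    for perm in report["undisclosed"]:
        print(f"UNDISCLOSED {perm}")
    if report["vpn_service"]:
        print("VPN         app declares a VpnService (can see device traffic)")
```

Run against a real decoded manifest, the interesting output is the undisclosed list: a permission the APK requests but the listing never mentions is exactly the gap between what an app says it does and what it can do.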

Analysis of apps has also revealed that while some claim to encrypt all data in motion, when passwords are changed, this information is sent in clear text over the network.

“Having that level of intelligence is key, but it is quite difficult if you are managing an enterprise and all those apps across all those mobile devices to have that level of visibility; it is not scalable, which is why affirmation services have emerged that analyse apps when they are downloaded and cross-reference them with all known risky apps,” said Raggo.

Adding to the complexity of the challenge, he said, is that there are several different ways Apple devices can be jailbroken, there are tools that can hide the fact that devices are jailbroken from enterprise management systems, and there have been cases of brand-new Android devices that have been found to be rooted.

“In addition, there are custom ROMs and there is a variety of backup software that loosens up the capabilities on the device or loosens the security posture that can lead to a lot of data exposure, so having defence-in-depth to identify all that stuff is essential,” said Raggo.

Using client certificates

It is also worth noting, he said, that typical enterprise mobility management systems are made up of a management console and an app on the device, and while that app may be identifying malicious behaviours, it is not always communicating back to the console.

“Usually communication with the console is only on a periodic basis, which means that as a result, there is a window of compromise between the device being compromised and the console receiving notification of that fact and being able to selectively wipe the enterprise data,” said Raggo.


For this reason, he said, it is important for enterprise security to have the ability to do something locally on the device to identify a compromise and selectively wipe enterprise data as well as block that device’s access to the corporate network.

“People are traditionally using VPN for access to the corporate network, but Apple’s iOS natively supports per-app VPN, which enables you to be selective about what apps on the device can access the internal network and create a whitelist of all the validated apps, blocking all others,” said Raggo.

In the face of all these mobile threats, he said MobileIron commonly recommends the use of client certificates for SSL/TLS client authentication.

“This means enterprises can push down a profile for things like email and Wi-Fi with a cert instead of username and password to avoid brute force attacks, and add user and device authentication to prevent MITM attacks pro-actively,” said Raggo.
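To make the profile-based approach concrete, here is an added Python example (not MobileIron's code and not from the article) that builds two Apple Wi-Fi configuration profiles with the standard library's plistlib: one that stores a username and password for PEAP, and one that carries a per-device PKCS#12 identity plus the corporate CA and configures EAP-TLS with the RADIUS server's name pinned. It then audits each profile for the properties Raggo describes: no reusable password, a certificate identity the profile actually contains, and server pinning that lets the device refuse an impostor access point. The SSID, the organisation identifier prefix, the server name and the placeholder certificate bytes are constructed; the payload keys are Apple's configuration profile keys, and in a real deployment the bytes would be the device's real PKCS#12 and the CA's DER certificate.

```python
import plistlib
import uuid

EAP_TLS = 13   # EAP method number for EAP-TLS: client authenticates with a certificate
EAP_PEAP = 25  # EAP method number for PEAP: usually a username/password inside the tunnel
WIFI_TYPE = "com.apple.wifi.managed"
PKCS12_TYPE = "com.apple.security.pkcs12"
ROOT_TYPE = "com.apple.security.root"


def _payload(payload_type, display_name, **fields):
    """Envelope every payload in an Apple configuration profile carries."""
    p = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm." + str(uuid.uuid4()),  # hypothetical org prefix
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }
    p.update(fields)
    return p


def _profile(ssid, payloads):
    return plistlib.dumps(_payload("Configuration", "Corporate Wi-Fi " + ssid,
                                   PayloadContent=payloads))


def password_wifi_profile(ssid, username, password):
    """Weak form: PEAP with a stored username/password. The password is a
    brute-force target at the RADIUS server and nothing ties it to the device."""
    wifi = _payload(WIFI_TYPE, "Wi-Fi " + ssid,
                    SSID_STR=ssid, HIDDEN_NETWORK=False, AutoJoin=True,
                    EncryptionType="WPA2",
                    EAPClientConfiguration={
                        "AcceptEAPTypes": [EAP_PEAP],
                        "UserName": username,
                        "UserPassword": password,
                    })
    return _profile(ssid, [wifi])


def certificate_wifi_profile(ssid, identity_p12, p12_password, ca_cert_der, radius_names):
    """Recommended form: EAP-TLS with a per-device identity certificate, and the
    RADIUS server pinned to a named certificate chained to the pushed CA."""
    identity = _payload(PKCS12_TYPE, "Device identity",
                        PayloadContent=identity_p12, Password=p12_password)
    ca = _payload(ROOT_TYPE, "Corporate Wi-Fi CA", PayloadContent=ca_cert_der)
    wifi = _payload(WIFI_TYPE, "Wi-Fi " + ssid,
                    SSID_STR=ssid, HIDDEN_NETWORK=False, AutoJoin=True,
                    EncryptionType="WPA2",
                    PayloadCertificateUUID=identity["PayloadUUID"],
                    EAPClientConfiguration={
                        "AcceptEAPTypes": [EAP_TLS],
                        "PayloadCertificateAnchorUUID": [ca["PayloadUUID"]],
                        "TLSTrustedServerNames": list(radius_names),
                        "TLSAllowTrusted": False,
                    })
    return _profile(ssid, [identity, ca, wifi])


def payload_types(profile_bytes):
    return [p["PayloadType"] for p in plistlib.loads(profile_bytes)["PayloadContent"]]


def audit_profile(profile_bytes):
    """Per SSID: does the profile rely on a password, does it use a certificate
    identity that is actually present in the profile, and is the RADIUS server pinned?"""
    payloads = plistlib.loads(profile_bytes)["PayloadContent"]
    identities = {p["PayloadUUID"] for p in payloads if p["PayloadType"] == PKCS12_TYPE}
    anchors = {p["PayloadUUID"] for p in payloads if p["PayloadType"] == ROOT_TYPE}
    findings = {}
    for p in payloads:
        if p["PayloadType"] != WIFI_TYPE:
            continue
        eap = p.get("EAPClientConfiguration", {})
        types = eap.get("AcceptEAPTypes", [])
        findings[p["SSID_STR"]] = {
            "password_based": "UserPassword" in eap or any(t != EAP_TLS for t in types),
            "certificate_based": EAP_TLS in types
                                 and p.get("PayloadCertificateUUID") in identities,
            "server_pinned": bool(eap.get("TLSTrustedServerNames"))
                             and not eap.get("TLSAllowTrusted", False)
                             and any(a in anchors
                                     for a in eap.get("PayloadCertificateAnchorUUID", [])),
        }
    return findings


if __name__ == "__main__":
    weak = password_wifi_profile("CorpWiFi", "alice", "hunter2")
    strong = certificate_wifi_profile("CorpWiFi", b"PLACEHOLDER-PKCS12-BYTES", "changeit",
                                      b"PLACEHOLDER-CA-DER-BYTES", ["radius.example.com"])
    print("password profile:   ", audit_profile(weak))
    print("certificate profile:", audit_profile(strong))
```

The pinning part is what the device-authentication point buys against a fake access point: an impostor can broadcast the same SSID, but without a server certificate that chains to the pushed CA under one of the trusted names the device refuses the EAP exchange instead of authenticating to it. Leaving TLSAllowTrusted at false matters, because otherwise the user can be prompted to accept an unknown server certificate and undo the pin.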

In terms of defence strategies, he said there is also a growing trend towards file-level security, which means that instead of blocking employees from uploading corporate data to personal cloud-based storage services, they can use new technologies to encrypt the files.

“This means employees can share files with other people inside the organisation using cloud-based services, but the data is protected from access by unauthorised users outside the organisation,” Raggo said.  
