Mobile: Combating Malicious Apps
ENISA Says Vendors are Key to Smartphone Security
But financial institutions can only do so much. New security solutions aimed at mobile attacks will have to come from mobile vendors, says ENISA's Giles Hogben.
"In a sense ... it's been a message from vendors saying, 'Leave security to us,'" says Hogben, program manager for The European Network and Information Security Agency in Greece and author of a new report about mobile-app security. "But I think we're starting to see some pressure, especially from the business market, to allow more handles for third-party management products and things like [anti-virus]."
The risks that come from the increased usage of smartphones include what Hogben calls "loseability," the ease with which consumers lose their phones. Encryption is a major concern as well, since the data smartphones store isn't encrypted. "And the app security is a concern, since there are things that every app has access to, like the address book," he says in an interview with BankInfoSecurity.com's Tracy Kitten [transcript below].
And with so many apps being introduced and downloaded in the marketplace, it's difficult for mobile platforms to review each and every one. "What they need to be doing really is actually leveraging the work that can be done by third-party security testers," Hogben says.
During this interview, Hogben discusses:
- The challenges of detecting and blocking malicious apps on mobile devices;
- Conflicts between mobile operating system permissions and HTML5 permissions in mobile browsing;
- What the market can expect if HTML5 becomes the standard.
Hogben has led numerous studies about network and information security, including those that touch on topics like smartphone security, cloud computing, social network security and European identity card privacy. Before joining ENISA, he was a researcher at the Joint Research Centre in Ispra, Italy, and led work on private credentials. He has a PhD in computer science from Gdansk University of Technology in Poland and graduated from Oxford University, U.K., in 1994 with degrees in physics and philosophy.
The Smartphone Market
TRACY KITTEN: ENISA notes that the increased use and penetration of smartphones were catalysts for the report about mobile application malware. Can you give us some idea about the size of the smartphone market and how much it's expected to grow within Europe, as well as globally, over the next 24 months?
GILES HOGBEN: Basically, hugely. The mobile market is growing faster than any technology has ever grown before, and that's pretty difficult to do. There are now more Internet-enabled phones than PCs. Just to give you some idea, Google recently announced that they're activating 500,000 Android devices every day. That's pretty amazing, I think. I collected a few stats together about this. In the U.K., for example, around 35 percent of mobile devices are now smartphones. ... Gartner puts the worldwide sales of smartphones in Q2 this year at around 100,000,000 devices. It's huge and it's getting huger.
Mobile App Malware
KITTEN: As that market grows, the concern about security grows with it. In the 20-page report that ENISA has put out, mobile application malware is the focus. What specific security gaps do you see isolated to mobile apps that are, for instance, separate from mobile browsing risks?
HOGBEN: There are loads of really specific risks to mobile phones and smartphones in particular. The first one I would really highlight is what I call "loseability." Mobiles are much easier to lose than even a laptop or PC. Just to give you an idea, something like 100,000 mobile devices are left in taxis every year, whereas only around 12,000 laptops are left behind. Obviously, that in itself is not an information security risk, but [it's a risk] if we don't encrypt our data on the mobile device. It's actually extremely difficult to do disk encryption on a mobile device because you don't generally have USB sticks that you can put a key on. You're generally restricted to a pretty short PIN as your last line of defense. That becomes an information security risk as well.
Another very interesting area for me is the various ways in which data can leak out, which really has nothing to do with mobile browsing. It's really directly connected to the device itself and the apps. Just to give you a few examples, although you have a sandbox in the device, there are a number of what I call public APIs, things that every app can have access to. These are things like the image gallery, the accelerometer and the address book. There are attacks you can do on, for example, the accelerometer. I saw a really fascinating attack the other day where, by looking at the way the phone wiggles when you press a different key on the soft keyboard of the phone, you can actually grab people's passwords from the accelerometer data. That's really a kind of app-specific attack.
Data can just leak out through things like the address book and the gallery. If I put an image in the gallery, quite often the location data gets appended to the image name, the file name, by default. It's certainly not always the case on my device, and if you upload that image onto Facebook, or [whatever] social network, then your location can leap from your device onto a social network. There are some interesting kinds of dangers lurking there. There are a lot of apps which are kind of on the borderline between malware and just sloppy coding. They're actually collecting much more information than they need to. Instead of using a random identifier they might actually use your device identifier, which is much more identifying than a random number. Generally speaking, what we find is that the apps are not so good at doing session data and session management in a secure, private and respectful way. We kind of hope that as HTML5 becomes more mainstream, these kinds of problems might get better.
Addressing Security Risks
KITTEN: That's an interesting point, because one of the questions that I had actually related to the difference between using mobile applications and actually browsing with a mobile device, and I would like to go ahead and pose that question now. One of the concerns with mobile apps is basically just surrounding the way they're designed. Mobile applications are basically isolated, or siloed, within the mobile platform, so one mobile app can't interfere with another mobile app. Anti-virus software, or an application that would provide anti-virus protection on a mobile device: is it really possible at this point, because one app can't screen another? What options do you see for addressing this problem? Can you explain the inherent weakness that this poses and why it's challenging for IT security experts to come up with a new way to scan and test for malicious software?
HOGBEN: That's a really interesting question, because you do see a lot of AV products out there for mobile devices, but when you look at what they're actually able to do on the device, the apps are siloed and they can't do things like intercepting system API calls, or they're really very limited in terms of what they can actually do. In a sense I think up to now it's been a message from the vendors saying, "Leave security to us." They're not really encouraging the AV products. In an environment like that, I think there is really not a lot that can be done by third parties, but I think we're starting to see some pressure, especially from the business market, to allow more handles for third-party management products and things like AV. I think that's going to change.
Also, I think one of the things that we came up with in our paper is the app store review process. They're really kind of swamped with that. I mean there are billions of downloads a year, and the chance that they can actually review every single app is pretty small. What they need to be doing really is actually leveraging the work that can be done by third-party security testers. Some of the platform providers have actually told us that they want to make bulk downloads of apps possible so that security testers can also learn and do testing. It's a really interesting point. Thanks for raising that.
Comparing Mobile Platforms
KITTEN: I wanted to ask a little bit about the mobile applications specifically. We all know that mobile app stores create their own risks, especially if these applications are created for an open-source platform such as Android, and you've noted Google. Can you tell us about the different levels of security among the different mobile applications that are designed for various mobile platforms? Is there a difference in the level of security, for instance, that is applied to apps designed for Windows versus Apple or Google?
HOGBEN: That's kind of a tricky question for me, because at ENISA we don't want to make commercial judgments. But what I will say is there are these five lines of defense that we identify. There is app review, reputation, kill switches, device security and jails. Each of the different platforms that you mentioned kind of emphasizes a different line of defense. For example, Android tends to really focus on the ability to revoke applications once a security problem is found, whereas iOS actually puts more energy into the review process before they're actually published. Another interesting difference is in some of the platforms like Windows. Windows Phone 7 doesn't actually give so much opportunity for enterprise device management. So they all implement these five lines of defense to a greater or lesser degree, and you can see, if you look at the statistics, how that's actually affecting the amount of malware on the devices.
The decision about how much effort to put into each of those lines of defense is very much a risk-based decision on the part of those platform providers. It may be that they decide that putting too much clarity in terms of reviewing apps is actually bad for their business model, and therefore they decide to put more effort into the ex-post security measures. You can see how that has affected the market in a way. Things like the BlackBerry system - the RIM operating system - they will be putting more effort into the remote device management capabilities, things like remote care and reputation of apps.
KITTEN: It's just a different way of looking at it I guess. Each platform has its own way of handling security, and until the market is more mature that's what we can expect.
HOGBEN: They all have made different decisions about where to draw the line and how much risk they are willing to take in a way. Putting the differences aside, I think all of the app stores have these to some degree, and one of the biggest drawbacks of an app store is that you have this review process which is great, but also when you update an app, when you put a patch into the app store, that has to be reviewed as well. That can really slow down the patching process and I think that's one of the kinds of weaknesses in the model.
Also, you have these reputation systems, and it can be easy for some apps to kind of piggyback on the reputation of others, and we saw that recently in some apps which were put into one of the marketplaces which were made to look very similar to well-known and well-liked apps. It's quite difficult to spot those apps which kind of look like existing apps in an automated way. That makes it very difficult to block them at the review process. There are also various ways of circumventing the app store review process, things like dropping in code after the app has actually been passed through the review process and just generally asking for more permissions than you really need, and relying on the fact that users really get fed up with giving permission for things.
If you allow users to download apps outside of the app store, which has been happening in some platforms, then you open them up to the Wild West in a way. We would point out the dangers that are inherent in say opening your phone to other app stores. Somebody should really know what they're doing if they decide to do that.
Mobile Browsing Risks
KITTEN: What about some of the mobile browsing risks? Your paper addresses app malware, but could you talk briefly about some of the security concerns that surround browsing?
HOGBEN: I focus a little bit on browsing on the smartphone, because mobile general browsing is just another huge area which I don't think we have time for. A browser on a smartphone is really just another app, but there are some kinds of peculiarities. For example, it's much harder to give warnings when you're dealing with something like security certificates. It's already hard enough in a normal browser to give the user the right kind of warnings about SSL certificates. On a smartphone it gets even harder, and it's kind of easier to get by those security measures. We've been looking at HTML5 and the standards around that, and they start giving the browser access to the sensors on the device, things like the GPS data. Once the browser starts getting access to the GPS or accelerometer, then you have a whole load of new issues which come up. Not least of which, you then have two completely separate permission systems. You've got the device OS permissions and the kind of HTML5 layer of permissions, and there may be conflicts between those permissions. Another interesting area is fingerprinting. If you look at the headers coming from a browser, you can, say, identify people to a certain degree based on what kind of browser they're using, and smartphone browsers tend to be quite particular in the kind of headers that they transmit. It may be easier to identify somebody from the browser fingerprint. In general, mobile browsers in a way have some advantages in that they're running in a pretty well-designed sandbox. It's not all bad news.
KITTEN: Which is good to hear because we do hear about so many risks surrounding mobile browsing. Before we close, what final or general thoughts would you like to leave our audience with, regarding the state of mobile security generally?
HOGBEN: Basically, don't panic because mobile security is actually still much better than other areas of security. If you look at the number of malware samples it's something around 1,000 times less than the number of samples which are there on PCs. We have in a way learned a lot of lessons from the last ten years on the web. We have a head start, so in a way a lot of the work that we've been trying to do in ENISA is to identify what are the opportunities we have, based on that head start we have in terms of security. And how can we really automate them to make sure that we keep that head start? Another interesting thought I would like to share is what's going to happen if HTML5 becomes the standard that is used for apps. That's one possible scenario. Will there be conflicts between the HTML5 security model and the app-store security model? I think that's a very interesting trend to watch out for.