...continued from Part 1
The threat model
Malicious mobile device hackers have a variety of goals. Foremost is monetary gain, but retribution, anarchy, curiosity and perceived public good can all be part of the motivation. The attackers can be grouped by resource levels and goals, as illustrated in table 1.
Table 1: An example of how mobile security attackers can be categorised by resources and goals.
Understanding the motivation of a hacker highlights that a good mobile security strategy must defend not only against specific mobile threats, but also against more generic threats such as reputational or ethical attacks. These could be more prevalent in the dynamic mobile market, as end users must 'trust' that their mobile services will operate securely and without risk, personal corruption, financial loss or impact on civil rights and privacy.
By identifying potential threats, it is clear that attacks involving direct physical contact - the theft and borrowing of a mobile device - are limited due to lack of scalability and ease of 'blocking' the phone.
Understanding the ecosystem
With iOS and Android releasing updates roughly every six and 12 weeks respectively, it is important to appreciate the drivers and rate of software and hardware platform changes within the smartphone industry.
- OS vendors release new versions to:
  - Close security loopholes that allow users to install unapproved software.
  - Correct bugs or performance issues.
  - Add new features to be innovative or match competition.
- Phone manufacturers advance technology to:
  - Bring new handset models to market.
  - Deliver more powerful CPU/GFX to the platform for gaming.
  - Offer application programming interface (API) and OS updates.
Given this natural rate of flux and unpredictability, it is perfectly reasonable to expect app security updates several times a year. Mobile phone app stores ensure that users are sufficiently reminded and motivated to install updates by promoting new features and fixing issues related to new OS versions.
Detecting and managing attacks
Once an app service is launched, the appropriate measurement techniques need to be implemented to ensure a malware attack is detectable, as illustrated in figure 1.
Figure 1: Techniques for monitoring mobile app attacks.
A key benefit of this industry is the digital records that are automatically created. This means that if a malicious app is downloaded that uses privilege escalation from an app store, the store provider can share a list of all users who have downloaded both the authentic app and the malicious app. This enables a targeted security warning to be issued.
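As an added illustration (not part of the original article), the following Python example shows how a store provider could derive the targeted warning list from its download records. The CSV layout, the app identifiers and the function name are assumptions made for the example, and the ordering flag goes beyond what the article describes.

```python
import csv
import io
from datetime import datetime

# Constructed sample of app-store download records (not real data).
# Assumed columns: user_id, app_id, downloaded_at (UTC, ISO 8601).
SAMPLE_RECORDS = """\
user_id,app_id,downloaded_at
u1001,com.example.bank,2024-03-01T09:00:00
u1002,com.example.bank,2024-03-02T10:30:00
u1003,com.example.flashlight,2024-03-04T08:15:00
u1001,com.example.flashlight,2024-03-05T18:45:00
u1004,com.example.bank,2024-03-06T12:00:00
u1002,com.example.flashlight,2024-02-20T07:10:00
u1001,com.example.flashlight,2024-03-07T11:00:00
"""


def users_to_warn(records_csv, authentic_app, malicious_app):
    """Return users who downloaded both apps, newest malicious download first.

    Each entry is (user_id, first_malicious_download, authentic_was_first).
    The last field lets responders see whether the authentic app was already
    in use when the malicious one arrived (an assumption of this example).
    """
    first_seen = {}  # (user_id, app_id) -> earliest download time
    for row in csv.DictReader(io.StringIO(records_csv)):
        key = (row["user_id"], row["app_id"])
        when = datetime.fromisoformat(row["downloaded_at"])
        # Repeat downloads are collapsed to the earliest one per user and app.
        if key not in first_seen or when < first_seen[key]:
            first_seen[key] = when

    warn = []
    for (user, app), mal_time in first_seen.items():
        if app != malicious_app:
            continue
        auth_time = first_seen.get((user, authentic_app))
        if auth_time is None:
            continue  # never had the authentic app: outside the targeted list
        warn.append((user, mal_time, auth_time < mal_time))

    warn.sort(key=lambda entry: entry[1], reverse=True)
    return warn
```

Users who downloaded only one of the two apps (u1003 and u1004 in the sample) are left out, which keeps the warning targeted rather than broadcast.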
Malware infecting an OS via a browser drive-by attack (where the user is infected automatically upon visiting a website due to a browser vulnerability) will not be as easy to contain, but should be less frequent as it requires two exploits together: one to seize control through the web browser, and a second to exploit root privileges. A root exploit is a process that allows an attacker to attain full administrative control of an OS subsystem by circumventing the security policies set by the OS manufacturer. Root exploits require countermeasures to be deployed to limit the ability of the malware to steal credentials until the OS vendor can amend the vulnerability and affected users can recover their phones.
Developing a mobile security defence strategy
The mobile and app developer community is investing resources to advance new hardware-backed security features. Examples include the Trusted Platform Modules (TPMs) developed by the Trusted Computing Group, and GlobalPlatform's TEE architecture, which may also comprise the use of secure elements (SEs), tamper-resistant platforms capable of securely hosting apps and their confidential and cryptographic data (e.g. key management). There are also proprietary crypto processors, such as those found in the iPhone.
While security measures take advantage of these emerging technologies, it is important to recognise two caveats.
- Shared risk. By adopting a security technology that is used by other apps on the mobile platform, all parties must also use and abide by the same security framework. There needs to be a level of industry compromise, as not everyone will have exactly the same needs. Yet, if one element of the mobile services framework is undermined, the whole mobile secure services offering will be put in jeopardy, including all apps that share the security infrastructure. The overall risk of this platform is shared.
- Negotiating access. A smartphone will have some secure capabilities, such as an SE, but access to these areas to load and host an app requires the cooperation of both handset manufacturers and mobile network operators. This is particularly relevant to those creating payment or transaction authentication apps, as other access-granting companies may demand payment in the form of a transaction fee. For a technology to be considered, there needs to be a credible route for it to become widely available; no one wants to get locked in to an expensive, proprietary agreement.
So, how can app security be effectively managed today and in the future?
All developers need to ensure that an app offers a sufficient level of protection against malware, borrowed phones and reputational attacks on all supported platforms including, but not limited to, iOS and Android, which are very different in design.
To achieve this they need to:
- Build a secure yet convenient registration workflow.
- Implement reverse engineering resistance and introduce techniques such as anti-debugging, anti-tampering (detecting modification of the app to patch out protections), anti-jailbreaking and emulation detection.
- Preserve multi-channel security and ensure that apps and browsers run on different devices to mitigate risks.
- Store user credentials and sensitive key material in a secure manner.
- Be able to uniquely identify devices and implement some device fingerprinting techniques that cannot be reverse engineered easily.
- Establish a trustworthy connection to the backend to be able to exchange data and ultimately sign transactions.
Based on the above points, Cryptomathic assists its clients in developing evolutionary mobile security strategies and provides tailored solutions to enhance app security and support future technologies, without the need to invest time and costs redeveloping apps to support changing requirements. This ensures that mobile apps and their security framework remain future-proofed and require fewer resources to manage long-term.
See full Cryptomathic article in eID Credentials or download the Secure Mobile Transactions white paper.