Last week, I attended PC Magazine's SecurityWatch Summit about mobile device security. These are some random notes and thoughts from the meeting.
One reason that iOS is safer than Android is that bug fixes to the operating system are rolled out faster. Dan Guido, CEO and Co-Founder of security firm Trail of Bits, was, for example, impressed with the rollout of the 5.1 update to iOS 5. By and large, he said, Android fails miserably in this regard.
Although it didn't come up at the meeting, there is a free app that reports on known, un-patched privilege escalation flaws in the Android OS. The app is X-Ray from Duo Security. The screen shot below indicates there were no vulnerabilities on the tested device.
I ran X-Ray a few months back. The installation is non-standard and, at the time, the instructions were far from ideal. Still, it's a Defensive Computing thing to do.
In a recent blog post, Jon Oberheide of Duo Security wrote that anyone on Android 4.0.4 or later should not have any of the flaws X-Ray looks for. He also noted that they were soon going to detect additional bugs.
Based on a sample of over 20,000 Android devices, Duo Security recently reported that about half contain known flaws. Sadly, there's nothing users can do, if a patch is not available, other than gripe about it.
Guido also pointed out that malicious Android apps that jailbreak a phone in order to break out of their sandbox have all used old, known bugs in the OS.
Gary Davis, VP of Global Consumer Marketing at McAfee, said that they are starting to see ransomware on smartphones. They also see bad guys re-directing incoming SMS messages such that the victim never sees them. Later in the panel, it came out that this sort of thing is not possible on Apple devices because there is no available API for apps to get at SMS messages.
Davis also noted that malware can see the phone number being dialed and, if it's one for a credit card helpline, it will record the call and listen for a sequence of numbers. After a demo of Wi-Fi hacking, he pointed out that Bluetooth is also vulnerable and advised turning off Bluetooth when you don't need it.
Renato Delatorre, the Director of Network Technology & Security at Verizon Wireless, reported that Verizon just released a free security app for Android called Verizon Mobile Security. The app contains two components from McAfee's Mobile Security product, antivirus and SiteAdvisor. A more full-featured version costs $2/month. The software is only available on Verizon phones.
Keith Gordon, SVP of Security, Identity and Fraud at Bank of America, said that online banking is safer on mobile. I wonder if he's played with a Chromebook?
For Internet access while traveling, you are safer using a 3G/4G mobile data network as opposed to Wi-Fi. I suspect there are multiple reasons for this, but the only one offered at the meeting was that the equipment bad guys would need is more expensive.
On a related note, I use the mobile hotspot feature of my 3G Verizon Android phone as an occasional Internet provider for assorted Wi-Fi only devices. While it defaults to the strong WPA2 (AES) encryption, the SSID and password should both be changed from the defaults. Verizon offers no guidance about this when you sign up for the service (it costs $20/month for 3G phones), but these Wi-Fi parameters are easily configured from the main settings menu.
Guido pointed out that malicious software, so far, has gotten onto mobile devices via an app, rather than using the browser as its point of entry.
Speaking of apps, he also came down fairly hard on Google in a couple of regards.
For one thing, because of the way Google validates apps prior to their being made available in the Play Store, it is possible for an app to detect that it's being tested. Thus, an app can be well behaved when Google is watching and then be malicious after it's installed. For more on this see Google Play: Android's Bouncer can be pwned.
Finally, in what I found to be the most important point of the night, there is almost no malware on iOS devices, in large part, because Apple knows who their developers are, whereas Google does not.
Bad guys, like roaches, like to hide in corners, and Apple makes that all but impossible. I spoke to Guido about this after the panel and he said that Apple demands incorporation papers for companies and a driver's license for an individual.
In an April article at Threatpost.com, Guido was quoted as saying: "Accountability, not superior technology, has kept Apple's iOS ecosystem free of viruses, even as the competing Android platform strains under the weight of repeated malicious code outbreaks ... It's not like there are fewer vulnerabilities in iOS."
Bad guys that submit malicious apps to Apple have to consider that there may be "real world punishment" in Guido's words. Contrasting this to the Play Store (formerly known as the Android Market), he says that developers of Android apps "... must pay a small ($25) fee and agree to abide by the company's Developer Distribution Agreement to begin publishing. That's a low bar that makes it easy for malicious authors to get their wares out to hundreds of millions of Android users ... You can upload dozens of applications at once. If any get banned, you can just resign, sign up under a new identity and resubmit them ..."
For more on the meeting see Key takeaways from the SecurityWatch Summit 2012.