Eran Tromer Slides credit: Dan Boneh, Stanford course CS155, 2010
Mobile Device and Platform Security - Stanford...
![Page 1: Mobile Device and Platform Security - Stanford Universitycrypto.stanford.edu/cs155/lectures/17-mobile-platforms.… · · 2017-05-30Mobile Device and Platform Security John Mitchell](https://reader035.fdocuments.us/reader035/viewer/2022062600/5aae4ccd7f8b9a25088c18fe/html5/thumbnails/1.jpg)
Mobile Device and Platform Security
John Mitchell
CS 155 Spring 2017
Two lectures on mobile security
- Introduction: platforms and trends
- Threat categories
  - Physical, platform malware, malicious apps
- Defense against physical theft
- Malware threats
- System architecture and defenses
  - Apple iOS security features and app security model
  - Android security features and app security model
- Security app development
  - WebView – secure app and web interface dev
  - Device fragmentation
Tues
Thurs
MOBILE COMPUTING
Current devices have long history
Apple Newton, 1987
Palm Pilot, 1997
iPhone, 2007
Mobile devices
- Mainframe -> desktop/server -> mobile/cloud
- Trends
  - Increasing reliance on personal device
    - Communication, personal data, banking, work
    - Data security, authentication increasingly important
  - From enterprise perspective: BYOD
    - Mobile device management (MDM) to protect enterprise
  - Reliance on cloud: iCloud attack risks, etc.
  - Progress from web use to mobile device UI
    - Apps provide custom interface, but limited screen size…
- System designs draw on best ideas of past
Global smartphone market share
Global smartphone market share
Gartner/Statista
US Mobile App Traffic
http://www.ironpaper.com/webintel/articles/web-design-statistics-2015/
Comparison with laptop
http://www.ironpaper.com/webintel/articles/web-design-statistics-2017/
Zillions of apps
App Marketplace
- Better protection, isolation than laptop install
- App review before distribution
  - iOS: Apple manual and automated vetting
  - Android
    - Easier to get app placed on market
    - Transparent automated scanning, removal via Bouncer
- App isolation and protection
  - Sandboxing and restricted permission
  - Android
    - Permission model
    - Defense against circumvention
MOBILE THREATS
What’s on your phone?
- Contact list?
- Email, messaging, social networking?
- Banking, financial apps?
- Pictures, video, …?
- Music, movies, shows?
- Location information and history
- Access to cloud data and services?
What would happen if someone picked up your unlocked phone?
Mobile platform threat models
- Attacker with physical access
  - Try to unlock phone
  - Exploit vulnerabilities to circumvent locking
- System attacks
  - Exploit vulnerabilities in mobile platform via drive-by web downloads, malformed data, etc.
- App attacks
  - Use malicious app to steal data, misuse system, hijack other apps
OWASP Mobile Top Ten
- M1: Improper Platform Usage
- M2: Insecure Data
- M3: Insecure Communication
- M4: Insecure Authentication
- M5: Insufficient Cryptography
- M6: Insecure Authorization
- M7: Client Code Quality Issues
- M8: Code Tampering
- M9: Reverse Engineering
- M10: Extraneous Functionality
https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-2015_Scratchpad
PROTECTION AGAINST PHYSICAL ATTACKER
PROTECTION AGAINST PHYSICAL ATTACKER
Device locking and unlocking
Today: PINs or Patterns
- Need PIN or pattern to unlock device
  - Once unlocked all apps are accessible
- Twist: set a PIN or pattern per app (per photo, video)
  - Protect settings, market, Gmail even if phone unlocked.
  - Examples: App Protector Pro, Seal, Smart lock, …
- Another twist:
  - Front camera takes picture when wrong PIN entered
  - Example: GotYa
Background: brute force pwd attack
- Offline attack
  - Traditionally: steal pwd file, try all pwd
  - Unix pwd file has hashed passwords
  - Cannot reverse hash, but can try dictionary
      hash(pwd, salt) = pwd_file_entry (pwd taken from dictionary)
- Online attack
  - Can you try all passwords at a web site?
  - What does this mean for phone pin attacks?
Attacks
- Smudge attacks [Aviv et al., 2010]
  - Entering pattern leaves smudge that can be detected with proper lighting
  - Smudge survives incidental contact with clothing
- Potential defense [Moxie 2011]
  - After entering pattern, require user to swipe across
- Another problem: entropy
  - People choose simple patterns – few strokes
  - At most 1600 patterns with <5 strokes
Biometric unlocking
- Biometric unlock:
  - Fingerprint (Motorola Atrix 4G)
  - Requires backup PIN ⇒ no more secure than PIN
- Android ICS: Face Unlock
  - Concerns about security
- Standard biometric security concerns:
  - Not secret and cannot be changed.
[Figure: fingerprint scanner]
iOS 4.0: PIN brute force attack
- After device is jail broken, can PIN be extracted?
  - [Needed to read encrypted data partition (later topic)]
- iOS key management (abstract):
  [Diagram: HW UID key (AES key unique to device, cannot extract) and 4 digit PIN → decrypt stored key → class key (decrypts keychain)]
- Testing 10,000 PINs
  - for each, derive and test class key ≈ 20 mins on iPhone 4
[Bedrune, Sigwald, 2011] (code.google.com/p/iphone-dataprotection)
Better Device Unlocking
- A more secure approach to unlocking:
  - Unlock phone using a security token on body: wrist watch, glasses, clothing
- Requirements
  - Cheap token, should not require charging
Summary: locking and unlocking
- Protect from thief via user authentication
  - Commonly: pin, swipe, etc.
  - Future: Biometric? Token on body?
  - Can phone destroy itself if too many tries?
- Physical access can allow
  - Thief to jailbreak and crack password/pin
  - Subject phone to other attacks
- Next defense: erase phone when stolen
PROTECTION AGAINST PHYSICAL ATTACKER
Mobile device management (MDM)
MDM: Mobile Device Management
- Manage mobile devices across organization
  - Consists of central server and client-side software
- Functions:
  - Diagnostics, repair, and update
  - Backup/restore
  - Policy enforcement (e.g. only allowed apps)
  - Remote lock and wipe
  - GPS tracking
MDM Sample Deployment
[Diagram: MDM enterprise server (policy file, server cert) and user’s phone, with these labelled steps]
- enrollment (user consent)
- push notification to request check in
- HTTPS connection to report status and receive instructions
- configure, query, lock, wipe, …
Summary: mobile device mgmt
- Protect stolen phone from thief
  - GPS: where’s my phone?
  - Device wipe
- Preventing brute force attacks
  - Phone can “lock” if too many bad pin tries
  - Use MDM to reset to allow user pin
- Backup, backup, backup!
  - Frequent backup makes auto-wipe possible
MALWARE ATTACKS
Mobile malware examples
- DroidDream (Android)
  - Over 58 apps uploaded to Google app market
  - Conducts data theft; sends credentials to attackers
- Ikee (iOS)
  - Worm capabilities (targeted default ssh pwd)
  - Worked only on jailbroken phones with ssh installed
- Zitmo (Symbian, BlackBerry, Windows, Android)
  - Propagates via SMS; claims to install a “security certificate”
  - Captures info from SMS; aimed at defeating 2-factor auth
  - Works with Zeus botnet; timed with user PC infection
Android malware 2015
Increasing Android app malware
https://blog.gdatasoftware.com/2017/04/29712-8-400-new-android-malware-samples-every-day
Recent Android Malware
Name: Description
- AccuTrack: This application turns an Android smartphone into a GPS tracker.
- Ackposts: This Trojan steals contact information from the compromised device and uploads them to a remote server.
- Acnetdoor: This Trojan opens a backdoor on the infected device and sends the IP address to a remote server.
- Adsms: This is a Trojan which is allowed to send SMS messages. The distribution channel ... is through a SMS message containing the download link.
- Airpush/StopSMS: Airpush is a very aggressive Ad-Network.
- …
- BankBot: This malware tries to steal users’ confidential information and money from bank and mobile accounts associated with infected devices.
http://forensics.spreitzenbarth.de/android-malware/
Brief history of iOS attacks
- Find and call (2012)
  - Accesses user’s contacts and spams friends
- Jekyll-and-Hyde (2013):
  - Benign app that turns malicious after it passes Apple’s review
  - App can post tweets, take photos, send email and SMS, etc.
- Xsser mRat (2014)
  - Steal information from jailbroken iOS devices
- WireLurker (2014)
  - Infects iOS through USB to OSX machines
- Xagent (2015)
  - Spyware. Steals texts, contacts, pictures, …
- AceDeceiver (2016)
  - Infects by exploiting vulnerability in Fairplay (DRM)
Based on FairPlay vulnerability
- Requires malware on user PC, install of malicious app in App Store
- Continues to work after app removed from store
- Silently installs app on phone
IOS PLATFORM
Apple iOS
From: iOS App Programming Guide
Reference
https://www.apple.com/business/docs/iOS_Security_Guide.pdf
Topics
- System Security
- Encryption and Data Protection
- App Security
- Network Security
- Apple Pay
- Internet Services
- Device Controls
- Privacy Controls
- Apple Security Bounty
1 User-level security features
2 Protecting mobile platform
3 App isolation and protection
IOS DEVICE AND PRIVACY CONTROLS
Device unlock
- Passcode key: derived by hashing passcode and device ID
- Hashing uses secret UID on secure enclave ⇒ deriving passcode key requires the secure enclave
- Secure enclave enforces 80ms delay per evaluation:
  - 5.5 years to try all 6 digits pins
  - 5 failed attempts ⇒ 1min delay, 9 failed attempts ⇒ 1 hour delay
  - >10 failed attempts ⇒ erase phone. Counter on secure enclave.
Can attacker try all 6-digit passcodes?
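A model of the limits on this slide and of the iOS 4.0 brute-force timing earlier in the deck, as an added example that is not from the slides or from Apple. `EnclaveModel`, `guess_in_order` and the PBKDF2 derivation are hypothetical stand-ins, the delay table holds only the two steps the slide lists, and 0.12 s per guess is derived from the 20 minutes quoted for 10,000 PINs; the search-time function goes beyond the slide by taking alphabet size and length as parameters.

```python
"""Constructed model of the passcode-guessing limits quoted on the slides."""
import hashlib
import hmac
import os

GUESS_COST_S = 0.080             # slide: 80 ms per passcode evaluation
DELAY_AFTER = {5: 60, 9: 3600}   # slide: 5 failures -> 1 min, 9 failures -> 1 hour
WIPE_AFTER = 10                  # slide: more than 10 failures -> erase


def exhaustive_seconds(alphabet_size, length, per_guess_s=GUESS_COST_S):
    """Time to evaluate every candidate when each one must run on the device."""
    return (alphabet_size ** length) * per_guess_s


class EnclaveModel:
    """Hypothetical stand-in for the enclave: owns the UID and the failure counter."""

    def __init__(self, passcode):
        self._uid = os.urandom(32)        # constructed device secret, never exposed
        self._verifier = self._derive(passcode)
        self.failures = 0
        self.clock_s = 0.0                # simulated time, no real sleeping
        self.wiped = False

    def _derive(self, passcode):
        # Assumption: PBKDF2 salted with the UID stands in for the real derivation.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._uid, 1000)

    def try_unlock(self, guess):
        if self.wiped:
            raise RuntimeError("device erased")
        self.clock_s += GUESS_COST_S
        if hmac.compare_digest(self._derive(guess), self._verifier):
            self.failures = 0
            return True
        self.failures += 1
        self.clock_s += DELAY_AFTER.get(self.failures, 0)
        if self.failures > WIPE_AFTER:
            self._verifier = b""          # key material gone: nothing left to guess
            self.wiped = True
        return False


def guess_in_order(enclave, candidates):
    """Submit candidates until one unlocks or the device erases itself."""
    attempts = 0
    for guess in candidates:
        attempts += 1
        if enclave.try_unlock(guess):
            return {"unlocked": True, "attempts": attempts, "elapsed_s": enclave.clock_s}
        if enclave.wiped:
            break
    return {"unlocked": False, "attempts": attempts, "elapsed_s": enclave.clock_s}


def six_digit_pins():
    """All six-digit PINs in ascending order."""
    return (f"{n:06d}" for n in range(10 ** 6))


if __name__ == "__main__":
    year = 365 * 24 * 3600
    # 0.12 s per guess is derived from the iOS 4 slide: 20 min / 10,000 PINs.
    print("4 digits at 0.12 s:", exhaustive_seconds(10, 4, 0.12) / 60, "min")
    print("6 digits at 80 ms :", exhaustive_seconds(10, 6) / 3600, "h")
    print("6 chars a-z0-9    :", exhaustive_seconds(36, 6) / year, "years")
    # Constructed passcodes: one near the start of the search order, one far from it.
    print(guess_in_order(EnclaveModel("000007"), six_digit_pins()))
    print(guess_in_order(EnclaveModel("482913"), six_digit_pins()))
```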
Unlocking with Touch ID
- Passcode can always be used instead
  - Passcode required after: Reboot, or five unsuccessful Touch ID attempts, …
- Other uses (beyond unlock):
  - Enable access to keychain items
  - Apple Pay
  - Can be used by applications
How does it work?
- Touch ID: sends fingerprint image to secure enclave (encrypted)
  - Enclave stores skeleton encrypted with secure enclave key
- With Touch ID off, upon lock, class-key Complete is deleted ⇒ no data access when device is locked
- With Touch ID on: class-key is stored encrypted by secure enclave
- Decrypted when authorized fingerprint is recognized
- Deleted upon reboot, 48 hours of inactivity, or five failed attempts
How secure is it?
- Easy to build a fake finger
  - Several demos on YouTube
  - About 20 mins of work
  - If you have a fingerprint
- The problem: fingerprints are not secret
  - No way to reset once stolen
- Convenient, but more secure solutions exist:
  - Unlock phone via Bluetooth using a wearable device ⇒ phone locks as soon as device is out of range
  - Enable support for both a passcode and a fingerprint
iOS Privacy Controls
User can select which apps access location, microphone, a few other services
IOS SYSTEM AND DATA SECURITY
Apple iOS Security
- Device security
  - Prevent unauthorized use of device
- Data security
  - Protect data at rest; device may be lost or stolen
- Network security
  - Networking protocols and encryption of data in transmission
- App security
  - Secure platform foundation
https://www.apple.com/business/docs/iOS_Security_Guide.pdf
Secure boot chain
- Every layer ensures that the next layer is properly signed
- Root of trust: boot ROM, installed during fabrication
[Diagram: Boot ROM (Apple Root public-key, not updateable) → verify signature, run if valid → Low level boot-loader (LLB) → verify sig. → iBoot → verify sig. → iOS Kernel. LLB, iBoot and iOS Kernel each carry a signature.]
Secure boot chain
- Ensures only authorized iOS code can boot
- Jailbreaking works by exploiting bugs in the chain
  - Disables verification down the line
- Note: bugs in the boot ROM are especially damaging
  - Boot ROM cannot be updated
Software update
- All iOS software updates are signed by Apple
  - Signature from Apple’s software update server covers: hash of update code, device unique ID (ECID) and nonce from device
    ⇒ Apple keeps track of which devices (ECID) updated to what
- Why sign nonce and device ID? (harder for Apple to distribute patch)
  - Cannot copy update across devices ⇒ Apple can track updates
  - Nonce ensures device always gets latest version of update
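The two questions on this slide (why the ECID, why the nonce) can be checked with a small model, added here as an example and not Apple's implementation. `Device`, `server_authorize` and the sample ECIDs are hypothetical, and HMAC-SHA256 stands in for the server's public-key signature so the code runs on the standard library alone.

```python
"""Constructed model of a per-device, per-request update authorization."""
import hashlib
import hmac
import os

# Assumption: HMAC-SHA256 under SERVER_KEY stands in for the update server's
# public-key signature so the example needs only the standard library.
# A real device would hold just the verification key.
SERVER_KEY = os.urandom(32)


def signed_fields(update, ecid, nonce):
    """The three items the slide says the signature covers (fixed-length fields)."""
    assert len(ecid) == 8 and len(nonce) == 16
    return hashlib.sha256(update).digest() + ecid + nonce


def server_authorize(update, ecid, nonce):
    """Update server: authorize this image for one device and one request."""
    return hmac.new(SERVER_KEY, signed_fields(update, ecid, nonce), hashlib.sha256).digest()


class Device:
    def __init__(self, ecid):
        self.ecid = ecid
        self._nonce = None

    def begin_update(self):
        """Open a request: a fresh nonce is sent together with the ECID."""
        self._nonce = os.urandom(16)
        return self.ecid, self._nonce

    def install(self, update, signature):
        """Install only if the signature covers this image, this ECID and this nonce."""
        if self._nonce is None:
            return False
        expected = server_authorize(update, self.ecid, self._nonce)  # stand-in verify
        self._nonce = None                 # a nonce authorizes at most one install
        return hmac.compare_digest(expected, signature)


def run_scenarios():
    """Return accept/reject decisions for four constructed update attempts."""
    old_fw, new_fw = b"constructed firmware v1", b"constructed firmware v2"
    phone_a, phone_b = Device(b"ECID-A01"), Device(b"ECID-B02")
    results = {}

    # 1. Normal update: request, authorization and install line up.
    ecid, nonce = phone_a.begin_update()
    results["fresh"] = phone_a.install(new_fw, server_authorize(new_fw, ecid, nonce))

    # 2. Recorded authorization for the older image, replayed into a later request.
    ecid, nonce = phone_a.begin_update()
    recorded = server_authorize(old_fw, ecid, nonce)
    phone_a.install(old_fw, recorded)      # legitimate at the time
    phone_a.begin_update()                 # later request, new nonce
    results["replayed_old"] = phone_a.install(old_fw, recorded)

    # 3. Authorization issued to phone A, presented to phone B.
    ecid, nonce = phone_a.begin_update()
    for_a = server_authorize(new_fw, ecid, nonce)
    phone_b.begin_update()
    results["other_device"] = phone_b.install(new_fw, for_a)

    # 4. Image modified after it was authorized.
    ecid, nonce = phone_a.begin_update()
    sig = server_authorize(new_fw, ecid, nonce)
    results["tampered"] = phone_a.install(new_fw + b"!", sig)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```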
Jailbreak detection
- Jailbreaking: install apps outside 3rd party sandbox
  - Apps in /Applications (not in sandboxed “mobile” dir)
- Jailbreak prevention
  - App wants to detect if device is jailbroken and not run if so, e.g., banking apps
- Some methods:
  - _dyld_get_image_name(): check names of loaded dynamic libs
  - _dyld_get_image_header(): inspect location in memory
- Can be easily bypassed – jailbreak detection is brittle
  - e.g., using Xcon tool (part of Cydia)
App exploit mitigation: XN and ASLR
- XN bit (eXecute Never): [a.k.a. NX bit]
  - Mark stack and heap memory pages as non-execute, enforced by CPU
- ASLR (address space layout randomization):
  - At app startup: randomize location of executable, heap, stack
  - At boot time: randomize location of shared libs
- Harder to exploit memory corruption vulns
Data protection: protecting application data
Application files written to Flash are encrypted:
• Per-file key: encrypts all file contents (AES-XTS)
• Class key: encrypts per-file key (ciphertext stored in metadata)
• File-system key: encrypts file metadata
Resetting device deletes file-system key
All key enc/dec takes place inside the secure enclave ⇒ key never visible to apps
Secure enclave (Apple A7 and later)
- Coprocessor fabricated in the Apple A7, A8, …
- All writes to memory and disk are encrypted with a random key generated in the enclave
- Used for device unlock, ApplePay, … (more on this later)
[Diagram: A9 chip. Application processor (iOS, apps) and secure enclave (HW-RNG, UID, keys), with shared memory between them.]
Backup to iCloud
- Data backup
  - Encrypted data sent from device to iCloud
  - But not applied to data of class NoProtection
  - Class keys backed up protected by “iCloud keys” (for device migration)
- Keychain class keys:
  - Non-migratory class keys wrapped with a UID-derived key ⇒ Can only be restored on current device
  - App-created items: not synced to iCloud by default
      // opt this keychain item in to iCloud sync
      [dict setObject:(__bridge id)kCFBooleanTrue forKey:(__bridge id)kSecAttrSynchronizable];
IOS APP DEVELOPMENT AND SECURITY
iOS Application Development
- Apps developed in Objective-C using Apple SDK
- Event-handling model based on touch events
- Foundation and UIKit frameworks provide key services used by apps
iOS Platform
- Cocoa Touch Foundation framework
  - OO support for collections, file mgmt, network; UIKit
- Media layer
  - 2D and 3D drawing, audio, video
- Core OS and Core Services:
  - APIs for files, network, SQLite, POSIX threads, UNIX sockets
- Kernel: based on Mach kernel like Mac OS X
- Implemented in C and Objective-C
![Page 62: Mobile Device and Platform Security - Stanford Universitycrypto.stanford.edu/cs155/lectures/17-mobile-platforms.… · · 2017-05-30Mobile Device and Platform Security John Mitchell](https://reader035.fdocuments.us/reader035/viewer/2022062600/5aae4ccd7f8b9a25088c18fe/html5/thumbnails/62.jpg)
62
App Security
- Runtime protection
  - System resources, kernel shielded from user apps
  - App “sandbox” prevents access to other app’s data
  - Inter-app communication only through iOS APIs
  - Code generation prevented
- Mandatory code signing
  - All apps must be signed using Apple-issued certificate
- Application data protection
  - Apps can leverage built-in hardware encryption
![Page 63: Mobile Device and Platform Security - Stanford Universitycrypto.stanford.edu/cs155/lectures/17-mobile-platforms.… · · 2017-05-30Mobile Device and Platform Security John Mitchell](https://reader035.fdocuments.us/reader035/viewer/2022062600/5aae4ccd7f8b9a25088c18fe/html5/thumbnails/63.jpg)
63
iOS Sandbox
- Limit app’s access to files, preferences, network, other resources
- Each app has own sandbox directory
- Limits consequences of attacks
- Same privileges for each app
![Page 64: Mobile Device and Platform Security - Stanford Universitycrypto.stanford.edu/cs155/lectures/17-mobile-platforms.… · · 2017-05-30Mobile Device and Platform Security John Mitchell](https://reader035.fdocuments.us/reader035/viewer/2022062600/5aae4ccd7f8b9a25088c18fe/html5/thumbnails/64.jpg)
64
Runtime process security
- All 3rd party apps are sandboxed: run as the non-privileged user “mobile”
  - access limited by underlying OS access control
- Each app has a unique home directory for its files, randomly assigned when the app is installed
- Accessing other info only through mediated services provided by iOS
![Page 65: Mobile Device and Platform Security - Stanford Universitycrypto.stanford.edu/cs155/lectures/17-mobile-platforms.… · · 2017-05-30Mobile Device and Platform Security John Mitchell](https://reader035.fdocuments.us/reader035/viewer/2022062600/5aae4ccd7f8b9a25088c18fe/html5/thumbnails/65.jpg)
65
File encryption
- The content of a file is encrypted with a per-file key, which is wrapped with a class key and stored in a file’s metadata, which is in turn encrypted with the file system key.
  - When a file is opened, its metadata is decrypted with the file system key, revealing the wrapped per-file key and a notation on which class protects it
  - The per-file key is unwrapped with the class key, then supplied to the hardware AES engine, decrypting the file as it is read from flash memory
- The metadata of all files is encrypted with a random key. Since it is stored on the device, it is used only for quick erase on demand.
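The three-level key hierarchy above, modelled as an added example (not code from the lecture or from Apple). An HMAC-SHA256 keystream with encrypt-then-MAC stands in for the hardware AES engine and the key wrap, and the class label `Complete` and all keys are constructed sample values.

```python
import hashlib, hmac, os

def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    # Stand-in keystream (HMAC-SHA256 in counter mode); iOS uses its hardware AES engine.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):
    """Encrypt-then-MAC with separate subkeys; stands in for AES wrap/encrypt."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(_sub(key, b"enc"), nonce, len(data))))
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or corrupted data")
    return bytes(a ^ b for a, b in zip(ct, _stream(_sub(key, b"enc"), nonce, len(ct))))

def write_file(fs_key, class_keys, cls, plaintext):
    file_key = os.urandom(32)                            # fresh per-file key
    wrapped = seal(class_keys[cls], file_key)            # wrapped with the class key
    meta = seal(fs_key, cls.encode() + b"\0" + wrapped)  # metadata under file system key
    return {"meta": meta, "data": seal(file_key, plaintext)}

def read_file(fs_key, class_keys, f):
    cls, wrapped = unseal(fs_key, f["meta"]).split(b"\0", 1)  # 1: open metadata
    if cls.decode() not in class_keys:
        raise PermissionError("class key " + cls.decode() + " not available")
    file_key = unseal(class_keys[cls.decode()], wrapped)      # 2: unwrap per-file key
    return unseal(file_key, f["data"])                        # 3: decrypt content

def demo():
    fs_key, class_keys = os.urandom(32), {"Complete": os.urandom(32)}  # constructed keys
    f = write_file(fs_key, class_keys, "Complete", b"constructed sample note")
    results = [read_file(fs_key, class_keys, f)]
    try:
        read_file(fs_key, {}, f)                  # class key withheld
    except PermissionError:
        results.append("class-key-missing")
    try:
        read_file(os.urandom(32), class_keys, f)  # file system key erased and replaced
    except ValueError:
        results.append("erased")
    return results
```

Replacing the file system key makes every file's metadata, and so every wrapped per-file key, unrecoverable at once, which is why erasing that one key is enough for a quick wipe.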
![Page 66: Mobile Device and Platform Security - Stanford Universitycrypto.stanford.edu/cs155/lectures/17-mobile-platforms.… · · 2017-05-30Mobile Device and Platform Security John Mitchell](https://reader035.fdocuments.us/reader035/viewer/2022062600/5aae4ccd7f8b9a25088c18fe/html5/thumbnails/66.jpg)
66
App code signing
- All executable code must be signed by Apple certificate, including
  - Native apps
  - 3rd party apps (signed after Apple review)
  - Dynamic libraries
    - App can link against any dynamic library with the same TeamID (10-char string)
    - Example: an ad network library
- Not perfect: Charlie Miller’s InstaStock app
  - stock ticker program: passed Apple review
  - After launch: downloads “data” from remote site, stores it in non-XN region, executes it ⇒ app becomes malicious
  - Why is there a non-XN region? Needed for Safari JIT.
![Page 67: Mobile Device and Platform Security - Stanford Universitycrypto.stanford.edu/cs155/lectures/17-mobile-platforms.… · · 2017-05-30Mobile Device and Platform Security John Mitchell](https://reader035.fdocuments.us/reader035/viewer/2022062600/5aae4ccd7f8b9a25088c18fe/html5/thumbnails/67.jpg)
67
“Masque Attack”
- iOS app installed using enterprise/ad-hoc provisioning could replace genuine app installed through the App Store, if both apps have same bundle identifier
- This vulnerability existed because iOS didn't enforce matching certificates for apps with the same bundle identifier
- Several attacks occurred in 2015
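The missing check described above, shown as an added example (a simplified model, not iOS installer code): the same install routine run without and with the rule that a package reusing an installed bundle identifier must carry the same signing identity. The `Package` type, the bundle identifier and the signer names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Package:
    bundle_id: str   # constructed sample identifier
    signer: str      # signing certificate identity, simplified to a string
    channel: str     # "appstore" or "enterprise"; plays no part in the decision

def install(installed, pkg, enforce_signer_match):
    """Return 'installed', 'replaced' or 'rejected'; updates `installed` in place."""
    current = installed.get(pkg.bundle_id)
    if current is None:
        installed[pkg.bundle_id] = pkg
        return "installed"
    # The check that was missing: same bundle identifier must mean same certificate.
    if enforce_signer_match and current.signer != pkg.signer:
        return "rejected"
    installed[pkg.bundle_id] = pkg
    return "replaced"

def scenario(enforce_signer_match):
    installed = {}
    genuine = Package("com.example.bank", "Example Bank Inc.", "appstore")
    update = Package("com.example.bank", "Example Bank Inc.", "appstore")
    lookalike = Package("com.example.bank", "Unrelated Enterprise Cert", "enterprise")
    steps = [install(installed, p, enforce_signer_match)
             for p in (genuine, update, lookalike)]
    return steps, installed["com.example.bank"].signer
```

With the check enforced, a legitimate update from the same signer still replaces the app, while the differently signed package with the colliding bundle identifier is rejected.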
![Page 68: Mobile Device and Platform Security - Stanford Universitycrypto.stanford.edu/cs155/lectures/17-mobile-platforms.… · · 2017-05-30Mobile Device and Platform Security John Mitchell](https://reader035.fdocuments.us/reader035/viewer/2022062600/5aae4ccd7f8b9a25088c18fe/html5/thumbnails/68.jpg)
68
Two lectures on mobile security
- Introduction: platforms and trends
- Threat categories
  - Physical, platform malware, malicious apps
- Defense against physical theft
- Malware threats
- System architecture and defenses
  - Apple iOS security features and app security model
  - Android security features and app security model
- Security app development
  - WebView – secure app and web interface dev
  - Device fragmentation
Tues
Thurs