Side Channel Leaks in Mobile Applications
6th Infocom Mobile World Conference 2016
Ioannis Stais, IT Security Consultant
www.census-labs.com
> INTRO
> SIDE CHANNEL LEAKS - WHAT? WHY?
• Mobile App unintentionally exposes sensitive data through a side channel
• Arises as a side effect from the underlying mobile platform
• Commonly related to features that enhance app performance & to poorly implemented functionalities
• Leads to significant impact:
– Violates User Privacy
– Creates Legal, regulatory, and financial risks
– Affects Corporate Reputation & Brand Image
> COMMON SIDE CHANNEL LEAK VULNERABILITIES
> CUSTOM KEYBOARD
> LEAKING ACTIVITY COMPONENTS
> PASTEBOARD LEAKS
> DEBUG LOG LEAKS
> URL CACHING & WEBVIEW OBJECTS
> ANALYTICS DATA LEAKS
> EXPLOITING ACCESSIBILITY
> CONCLUSIONS
• Risk Mitigation
– Practice Privacy By Design: Be proactive
– Perform Security Assessments
– Communicate Openly & Effectively
– Make Your Privacy Policy Easily Accessible
– Empower users: Provide Choices & Controls
– Enforce Accountability
• Limit Data Collection & Retention
– Don’t access or collect user data
– Shorten the life cycle of sensitive data
– Establish a data retention policy
– Delete user data promptly following the deletion of an account
• Mobile App internal processes may need to be examined and re-engineered