Managing Mobile Risk
Data-Driven Conditional Access
David Richardson, Director of Products | May, 2017
Who am I?
• Engineer/Hacker/Product Manager
• Currently run enterprise products at Lookout
• Employee #10 at Lookout (now 450 employees)
• Have discovered and revealed mobile 0-days at Black Hat and Defcon
• 20+ patents granted related to mobile security
Why Do Mobile Risks Matter?
Your mobile device is a gold mine for hackers
ENTERPRISE EMAIL
ENTERPRISE NETWORK: VPN, WiFi
ENTERPRISE APPS: SaaS, Custom Apps
CREDENTIALS: Stored, Soft Tokens
PHOTO ALBUM: Whiteboard Screenshots, IDs
SENSORS: GPS, Microphone, Camera
“Today, mobile malware costs organizations $16.3M per year, or $9,485 per infected device.” (Source: Ponemon)
The Consequences are real
Mobile Risks
• Vulnerabilities
• OS vulnerabilities
• App vulnerabilities
• Risky Behaviors
• Leaky apps
• Misconfigured devices (no passcode, no encryption, debugging enabled)
• Threats
• Mass market malware
• Targeted malware
• Man-in-the-Middle attacks
Vulnerabilities
• Android Security Patch Level: April 2017 & May 2017
• 219 vulnerabilities patched
• 96 allow arbitrary code execution
• 98 allow privilege escalation to kernel or root privileges
• 18 allow remote code execution
• iOS 10.3.1 and 10.3
• 92 vulnerabilities patched
• 33 allow arbitrary code execution
• 10 allow privilege escalation to kernel or root privileges
• 22 are WebKit vulnerabilities (remotely exploitable)
Vulnerabilities patched in the last 6 weeks
Chart: 4+ years of Android OS version history vs. 10 months of iOS version history
On Android, 50% of active devices are running the latest version 1 year after release.
On iOS, 50% of active devices are running the latest version 1 month after release.
Risky App Behaviors
Key trends of mobile apps (*Source: Forrester)
When apps are free, sensitive data becomes the currency.
Employees source the majority of mobile apps they need on their own*.
Mobile apps are assembled from libraries, not written.
App behavior risk spectrum: exhibits no sensitive behaviors; exhibits one or more sensitive behaviors; exhibits malicious behaviors
Apps that exhibit sensitive behaviors
Access to sensitive data: apps that access sensitive corporate or employee data, including PII
Data exfiltration: apps that upload sensitive data to external servers
Data sovereignty violation: apps that violate data sovereignty regulations or send data to risky geographies
Use of cloud services: apps that access cloud storage providers, social networking services, or peer-to-peer networks
Insecure data handling: apps that don’t use proper encryption when storing or sending data
Vulnerabilities: applications with known vulnerabilities
Threats
xRanger: allows a third party to send a large number of ads to the device. Sends device information to a third party, causing unexpected data usage.
Acecard: a banking trojan that steals banking credentials & intercepts text messages.
Mapin: hazardous adware trojan. Its goal is to gain benefits from pay-per-click policy by redirecting you to commercial websites.
Mayis: clicks background advertisements in order to defraud ad networks. May result in overages of the user’s data plan and unexpected bill charges.
InstaAgent: sends your Instagram credentials to an unknown third party. This may result in privacy loss.
LevelDropper: auto-rooting trojan that silently installs apps on a victim’s device.
210 Lookout-discovered threats in the Google Play Store (2016)
Timeline chart (date: number of apps; = discovered by Lookout in Play Store and subsequently removed by Google):
April 8: 3 | April 25: 1 | May 9: 2 | May 30: 6 | June 7: 1 | June 8: 1
July 15 | Aug 4 | Sep 7 | Sep 30 | Oct 19 | Oct-Nov | Nov 25 (per-date counts as extracted: 4 13 2 1 1671 3)
BouncerBounce: malware that works around Google’s review process to plant malicious apps in Play Store.
OverSeer: spyware targeting foreign travelers searching for Embassy locations. Steals contact and location data.
DressCode: can make the device a proxy for network traffic on corporate networks.
DressCode: we discovered more apps on Play injected with this trojan.
TcemuiPhoto Uploader: Lookout discovered this malware family in fake versions of popular apps on Play.
XRanger: 167 apps in Play infected with this app dropper.
WakefulApp Download: malware hidden in a "File Explorer" app that had gotten into Play; downloads and launches additional apps.
iOS Research and Report
Timeline: Sep 2015 | Aug 2016 | Sep 2016 | Nov 2016
XcodeGhost: XcodeGhost-infected apps can steal data and potentially trick people into providing personally identifiable information. Dozens of XcodeGhost apps were found in the App Store.
Trident – Kernel (1)*: a kernel base mapping vulnerability that allows an attacker to calculate the kernel’s location in memory (CVE-2016-4655)
Trident – Kernel (2)*: iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software (CVE-2016-4656)
Trident – Safari OS*: a vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link (CVE-2016-4657)
Pegasus Surveillance Malware*: the most sophisticated attack we’ve seen on any endpoint. A full take of data off the iOS device and the device’s surroundings.
Dribbble – App that jailbreaks iPhone: Lookout discovered the Dribbble client, which can jailbreak your iPhone, on the App Store. It appears that the app had been in the App Store since July 30th.
Fake retail apps in App Store: fraudsters were able to get fake retail apps into the App Store. Victims were subject to ID and sensitive data theft, including credit card and home address details. In media reports, including Good Morning America, Lookout researchers provided advice to users.
* Discovered and analyzed by Lookout along with Citizen Lab
Why Lookout?
• Founded in 2007
• Focused exclusively on securing mobility
• Security for organizations and consumers
• Worldwide distribution and support
OUR PARTNERS
World’s largest mobile sensor network: 117M+ mobile sensors in more than 100 countries
Map figure: sensor counts shown by region (1M, 37M, 100M, 70M, 12M, 117M)
Web Crawlers
Dynamic Analysis
Binary Similarity
Static Analysis
So we can approach mobile security as a big data problem
Inputs: App store APIs, Mobile Sensors (117M+ Sensors)
Analysis: Malware Assessment, Capability Assessment, Exploit Assessment, Reputation Analysis, Binary Similarity
Scale: 90K+ new apps per day, 40M+ apps analyzed, ~5K new threats per day
Coverage: OS, Apps, Network
Mobile risks Lookout addresses
• Malicious apps
• Non-compliant apps
• App vulnerability exploits
• Data leakage
• Malicious MitM attacks
• Anomalous Root CA
• End user jailbreak/root
• Malicious jailbreak/root
• OS vulnerabilities exploitation
Conditional Access w/ EMS
Seamless enrollment:
• Signs in using AAD credentials
• User installs the Company Portal app
• Goes through the enrollment process
• Now must make sure the device is compliant; compliance requires Lookout
Compliance check shown to the user: “Lookout for Work is not installed. How to resolve this: tap the required app notification in the notification area.” User must install Lookout.
Seamless installation and enrollment using AAD credentials; device is now compliant; mobile productivity enabled.
APP-BASED THREAT TRIGGERS CONDITIONAL ACCESS TO O365
• LOOKOUT MTP CONSOLE: MALWARE DETECTED → ALERT
• INTUNE CONSOLE: MALWARE DETECTED → CONDITIONAL ACCESS: STOP EMAIL ACCESS, LOCK MANAGED APPS
• USER REMEDIATION → THREAT REMEDIATED (in both consoles) → CONDITIONAL ACCESS re-evaluated
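The enrollment and threat-response flows above are two halves of one policy loop: device posture signals (threat-defense app installed, malware, jailbreak, anomalous root CA, patch level, passcode, encryption, debugging) are turned into a compliance decision, and that decision drives what Intune does with email and managed apps. The following Python is an added illustration of that loop, not Lookout or Intune code; the posture schema, signal names, thresholds, risk levels and action names are assumptions chosen to mirror the deck's three risk categories (threats, vulnerabilities, risky behaviors), and the sample postures are constructed.

```python
"""Conditional access decision from mobile device posture (illustrative, assumed schema)."""
from dataclasses import dataclass, field, replace
from datetime import date
from enum import Enum
from typing import List, Optional, Tuple


class Risk(Enum):
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class DevicePosture:
    """Posture report for one device. Constructed schema, not a vendor format."""
    device_id: str
    mtd_enrolled: bool                       # threat-defense app installed and reporting
    malware_detected: bool = False
    jailbroken_or_rooted: bool = False
    anomalous_root_ca: bool = False          # untrusted CA installed: possible MitM setup
    passcode_set: bool = True
    storage_encrypted: bool = True
    usb_debugging: bool = False
    security_patch_level: Optional[date] = None
    risky_app_behaviors: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class Decision:
    risk: Risk
    compliant: bool
    actions: Tuple[str, ...]
    reasons: Tuple[str, ...]


def assess_risk(p: DevicePosture, today: date, max_patch_age_days: int = 90) -> Tuple[Risk, Tuple[str, ...]]:
    """Map posture signals to the worst applicable risk level, keeping every reason."""
    findings: List[Tuple[Risk, str]] = []
    # Threats: active compromise outranks everything else.
    if p.malware_detected:
        findings.append((Risk.HIGH, "malware detected"))
    if p.jailbroken_or_rooted:
        findings.append((Risk.HIGH, "device is jailbroken or rooted"))
    if p.anomalous_root_ca:
        findings.append((Risk.HIGH, "anomalous root CA installed (possible MitM)"))
    # Vulnerabilities: a stale patch level leaves known holes open (threshold is assumed).
    if p.security_patch_level is None:
        findings.append((Risk.MEDIUM, "security patch level unknown"))
    elif (today - p.security_patch_level).days > max_patch_age_days:
        findings.append((Risk.MEDIUM, f"patch level older than {max_patch_age_days} days"))
    # Risky behaviors: misconfiguration and leaky apps.
    if not p.passcode_set:
        findings.append((Risk.MEDIUM, "no passcode"))
    if not p.storage_encrypted:
        findings.append((Risk.MEDIUM, "storage not encrypted"))
    if p.usb_debugging:
        findings.append((Risk.LOW, "USB debugging enabled"))
    for behavior in p.risky_app_behaviors:
        findings.append((Risk.LOW, f"app exhibits sensitive behavior: {behavior}"))
    if not findings:
        return Risk.NONE, ()
    worst = max(findings, key=lambda f: f[0].value)[0]
    return worst, tuple(reason for _, reason in findings)


def decide_access(p: DevicePosture, today: date) -> Decision:
    """Turn posture into the access actions the management console would apply."""
    if not p.mtd_enrolled:
        # Compliance requires the threat-defense app before any risk can be assessed.
        return Decision(Risk.HIGH, False,
                        ("require_mtd_enrollment", "block_email", "lock_managed_apps"),
                        ("mobile threat defense app not installed",))
    risk, reasons = assess_risk(p, today)
    if risk is Risk.HIGH:
        return Decision(risk, False, ("block_email", "lock_managed_apps", "notify_user_remediate"), reasons)
    if risk is Risk.MEDIUM:
        return Decision(risk, True, ("allow", "notify_user_remediate"), reasons)
    return Decision(risk, True, ("allow",), reasons)


def remediate(p: DevicePosture) -> DevicePosture:
    """Model the user clearing the threat: same device, threat flags cleared, nothing else changed."""
    return replace(p, malware_detected=False, jailbroken_or_rooted=False, anomalous_root_ca=False)


TODAY = date(2017, 5, 15)  # assumed evaluation date, within the deck's timeframe
SAMPLES = {  # constructed sample devices
    "clean": DevicePosture("dev-clean", mtd_enrolled=True, security_patch_level=date(2017, 5, 1)),
    "unenrolled": DevicePosture("dev-noapp", mtd_enrolled=False),
    "infected": DevicePosture("dev-mal", mtd_enrolled=True, malware_detected=True,
                              security_patch_level=date(2017, 5, 1)),
    "stale": DevicePosture("dev-old", mtd_enrolled=True, security_patch_level=date(2016, 9, 1),
                           usb_debugging=True),
}

if __name__ == "__main__":
    for name, posture in SAMPLES.items():
        d = decide_access(posture, TODAY)
        print(f"{name:11s} risk={d.risk.name:6s} compliant={d.compliant} actions={d.actions} reasons={d.reasons}")
    print("infected after remediation:", decide_access(remediate(SAMPLES["infected"]), TODAY).actions)
```

The two decisions worth comparing are the unenrolled device, which is blocked before any risk is assessed (the enrollment gate), and the infected device, which is blocked on a HIGH finding and returns to "allow" once `remediate` clears the threat, mirroring the MALWARE DETECTED → STOP EMAIL ACCESS → THREAT REMEDIATED sequence. Keeping every reason on the decision, rather than only the worst level, is what makes the block explainable to the user and auditable afterwards.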
Key Takeaways
• You can’t ignore mobile risks
• Mobile is your single point of failure (MFA token + SMS + passwords + sensors)
• Attackers will find the weak links in your security
• There are hundreds of (unpatched) holes in your mobile devices
• Invest in visibility and protection from mobile risks across the whole spectrum
• Threats
• Vulnerabilities
• Risky Behaviors
• MDM/MAM is management, not security
• Integrate mobile security into existing workflows for onboarding and conditional access
THANK YOU