The NIJ has published the test results for viaForensics’ AFLogical 1.4 Mobile Device Acquisition Tool. The report shows the results from testing the tool against the Smart Phone Tool Test Assertions and Test Plans.

The FDIC included a pretty good article on mobile banking risks in their monthly report (and cited viaForensics’ Mobile App Security Study). The article identifies possible risks involved in mobile banking and suggests strategies for mitigating such risks.
viaForensics’ CIO Andrew Hoog was honored to be the first vendor interviewed for Eric Huber’s “A Fistful of Dongles” blog covering information security, cyber investigations and digital forensics. The interview covers not only viaForensics’ work in these areas, but also how viaForensics got started and some good advice for those looking to get started in mobile forensics. Here’s an excerpt from the interview:
Read the full interview at A Fistful of Dongles.

This article is part of a series where we publish "Common Questions" from our comprehensive Mobile Security Risk Report. The report features over 80 pages of expert risk assessment based on technical research and case experience. It includes both a high-level summary of key issues and in-depth technical analysis citing specific examples of risk areas. The answers to 10 important questions, from Chapter 4 of the report, will be released as articles on the viaForensics Web site to provide useful intelligence to our clients and interested readers. For the complete report, visitors can purchase the report here, or view the table of contents.

Mobile Security Risk Report: Common Questions
1. Is iOS secure enough for use in the enterprise?
2. Is Android secure enough for use in the enterprise?
3. How do iOS and Android compare to BlackBerry for security?
4. Does the device passcode prevent someone from accessing device data?
5. Does iOS encryption work, and does it protect all device data from being stolen?
6. How secure is the iOS keychain?
7. Which is more secure, iOS or Android?
8. Is it advisable to use iOS or Android for sensitive data?
9. If we are planning to deploy or already using iPhones, do we need an MDM system?

Today’s Question: What is a strong enough passcode?

For security purposes, a 6-character alphanumeric passcode using both numbers and letters/special characters has a much greater security benefit compared to a simple numeric passcode. Specifically, on iOS the use of a longer, complex passcode protects against brute-force breaking of the passcode, recovery of Exchange data, and dumping the keychain. On Android, the use of a complex passcode can prevent any recovery of device data, with the exception of the SD Card, on some devices.

Similar questions: For more questions use the links on the right, or view the report table of contents.
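To put a number on the "much greater security benefit" above, here is an added example (not code from the report or from viaForensics) that scores a candidate passcode by the character classes it actually uses and estimates the worst-case brute-force effort; the guess rate and the meaning of "special characters" are assumptions for illustration.

```python
import string

# Alphabet sizes per character class. "special" is assumed to mean printable
# ASCII punctuation (an assumption, not a figure from the report).
CLASS_SIZES = {
    "digits": len(string.digits),          # 10
    "lower": len(string.ascii_lowercase),  # 26
    "upper": len(string.ascii_uppercase),  # 26
    "special": len(string.punctuation),    # 32
}

# Assumed offline guess rate, for illustration only; real rates depend on the
# device's key-derivation hardware and any lockout the platform enforces.
ASSUMED_GUESSES_PER_SECOND = 12.5


def character_classes(passcode: str) -> set:
    """Return the character classes actually present in the passcode."""
    classes = set()
    for ch in passcode:
        if ch.isdigit():
            classes.add("digits")
        elif ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch in string.punctuation:
            classes.add("special")
    return classes


def keyspace(passcode: str) -> int:
    """Worst-case number of candidates an attacker must try.

    The alphabet is the union of the classes the passcode really uses, so a
    6-character all-lowercase passcode is scored as 26**6, not as a full mix.
    """
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(passcode))
    return alphabet ** len(passcode)


def meets_policy(passcode: str) -> bool:
    """Report's recommendation: at least 6 characters, mixing digits with
    letters and/or special characters."""
    classes = character_classes(passcode)
    return (len(passcode) >= 6 and "digits" in classes
            and bool(classes - {"digits"}))


def worst_case_seconds(passcode: str,
                       rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to exhaust the keyspace at the assumed guess rate."""
    return keyspace(passcode) / rate


if __name__ == "__main__":
    for pc in ("1234", "123456", "abcdef", "a1b2c3"):
        print(pc, meets_policy(pc), keyspace(pc), worst_case_seconds(pc))
```

At the assumed rate a 4-digit PIN is exhausted in minutes while a 6-character digit/letter mix takes years, but a 6-character passcode drawn from a single class gains far less, which is why the policy check looks at the classes used rather than length alone.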
I have been working at viaForensics as the Director of R&D for about 5 months now, and in that time I’ve been involved in some exciting research projects. I haven’t had the opportunity to blog on our company site yet, so I thought I’d take a little time out and record a video to demonstrate an Android issue that is of interest to many of our clients.

When talking with people and reading posts on the web I’ve often heard people say that the Android permission system protects their device such that apps without certain permissions are therefore safe to install. The permissions system on Android is a fantastic idea and generally well implemented: it gives apps just enough permissions or capabilities to perform the required functions without exposing capabilities that could be used in a dangerous way. It is a step up in protection when compared with a typical desktop system, but this increased protection can give rise to a false sense of security. Putting aside the issue of users ignoring the permissions when installing apps, can we rely solely on permissions to decide if an app is safe? There are multiple controls in Android and its ecosystem that protect a user and their device, but one should not automatically assume that installing an app, even if it requires no permissions, is safe.

To demonstrate this we’ve built an app which requires no permissions and yet is able to give an attacker a remote shell and allow them to execute commands on the device remotely from anywhere in the world. The functionality we are exploiting to do this is not new; it has been quietly pointed out for a number of years, and was explained in depth at Defcon 18 [1]. It is not a zero-day exploit or a root exploit. We are using Android the way it was designed to work, but in a clever way in order to establish a 2-way communication channel. This has been tested on Android versions ranging from 1.5 up to 4.0 Ice Cream Sandwich, and it works in a similar way on all platforms.

Please see the video below with accompanying audio for further explanation. Link to video: Android No-permissions Reverse Shell

I should also mention here a recent paper by Michael Grace, Yajin Zhou, Zhi Wang, and Xuxian Jiang from NCSU, who have developed a tool to detect capability leaks in Android devices. Using their tool they found a number of capability leaks, such as being able to send an SMS, in various Android applications usually added by OEMs. Malicious applications can call the vulnerable apps and exploit the lack of protection around permission/capability use, and therefore do not need to request permissions themselves. In a similar way we’ve exploited the Android Web Browser, although we are not exploiting a vulnerability due to bad coding, but rather using the functionality it legitimately offers to other applications.

In this demonstration Android’s power and flexibility were perhaps also its downfall. Other smartphone platforms may not offer the controls we are bypassing at all, and the multi-tasking capabilities in Android allowed us to run the attack almost transparently to the user. This power, combined with the open nature of Android, also facilitates the customisation of the system to meet bespoke security requirements. This is something we have even been involved in ourselves by implementing a proof of concept Loadable Kernel Module to pro-actively monitor and defend a client’s intellectual property as it passed through their devices. It is no surprise that we have seen adoption of Android research projects in the military and government, as it can be enhanced and adapted for specific security requirements, perhaps like no other mobile platform before it.

I hope this demo was of interest and that it generates some discussion around the best ways to select and use apps which offer the least risk to your device and data.

Update 20-Dec-2011: As mentioned, these issues are not new and have been discussed before. Updated to include a link to one such talk which does a good job of explaining some of the issues (thanks Tim):

Good news for Nexus S users: Google is rolling out the OTA upgrade to Ice Cream Sandwich. Early reviews are favorable.
Today’s Question: If we are planning to deploy or already using iPhones, do we need an MDM system?

The features of MDM systems are currently limited by APIs provided in each platform, and do not yet offer extensive security beyond what can be achieved with Microsoft Exchange ActiveSync controls. The security and reliability of the MDM apps and device controls requires further investigation, as analysis to date has found potential vulnerabilities and relatively simple evasion of controls. MDMs do offer streamlined over-the-air (OTA) device provisioning and monitoring capabilities, as well as features such as corporate app stores and app deployment.

Corporations should evaluate the specific features provided and consider that many may be available without MDM. If deployed, auditing any MDM solution for functionality and security after implementation is recommended. It is also important to distinguish MDM from secure messaging, which adds an additional layer of security, especially on the endpoint. When properly developed and configured, secure messaging can significantly improve the protection of corporate data on the consumer device.

For more questions use the links on the right, or view the report table of contents.
For Immediate Release

New Secure Mobile App Developer Credential Planned by CompTIA and viaForensics

Chicago and Downers Grove, Ill., December 15, 2011 – A new credential intended for mobile applications developers is being created by CompTIA, the non-profit association for the information technology (IT) industry, and viaForensics, a leading digital forensics and security firm, the two organizations announced today.

“The mobile app development world is a vast arena for innovation, but too often security has been a secondary concern in the rush to bring new apps to the market,” said Todd Thibodeaux, president and chief executive officer, CompTIA. “Because mobile devices typically combine both personal and corporate data, they’re a rich target for cybercriminals and hackers. CompTIA and viaForensics intend to elevate the level of security awareness among mobile app developers.”

The secure mobile application developer credential and corresponding testing services – scheduled for availability in the first half of 2012 – are intended to meet the growing needs of software application vendors in their pursuit of qualified professionals to work in the fast-growing mobile apps market. Research firm IDC estimates that the number of annual mobile app downloads will grow from 10.7 billion in 2010 to nearly 183 billion by 2015. Other industry observers predict similarly epic numbers of users of these handy, but potentially risky, applications.

“Over 45 million smartphones are in use, not only by U.S. consumers, but at companies and government agencies across the nation,” said Andrew Hoog, chief investigative officer, viaForensics. “Vulnerabilities found in these mobile devices place their owners, companies and our country at risk.”

viaForensics and CompTIA intend to offer secure mobile application developer credentials and testing services for both the iOS and Android operating environments. This collaborative effort combines CompTIA’s standing as the leading provider of vendor-neutral skills certifications for IT professionals with viaForensics’ industry-leading appSecure service, appWatchdog and a wealth of mobile security intelligence.

“CompTIA’s global distribution and partnering programs will provide scale and access for the programs, while the depth of viaForensics secured applications expertise will afford user access to industry best services,” said Terry Erdle, executive vice president, skills certification, CompTIA.

Today’s announcement is part of CompTIA’s broader initiative to address issues impacting companies doing business in the mobility marketplace. CompTIA is developing a new mobility curriculum, consisting of educational programs, workshops, how-to guides and other resources, to meet the specific needs of IT channel companies. In early 2012, CompTIA is scheduled to publish new research on mobility, telecommuting and remote workforce trends.

About CompTIA
CompTIA is the voice of the world’s information technology (IT) industry. Its members are the companies at the forefront of innovation, and the professionals responsible for maximizing the benefits organizations receive from their investments in technology. CompTIA is dedicated to advancing industry growth through its educational programs, market research, networking events, professional certifications, and public policy advocacy. For more information, visit www.comptia.org or follow CompTIA on Twitter at http://twitter.com/comptia.

About viaForensics
viaForensics is a leading digital forensics and security firm whose clients include Fortune 500 companies, large financial institutions, law firms, the U.S. Government and domestic and foreign law enforcement agencies. Areas of focus include mobile app security, computer and mobile forensics, enterprise security, and forensics training. viaForensics is the leading expert on Android and iPhone forensics and has developed a suite of unique services to meet today’s mobile and enterprise security needs. For more information, visit http://viaforensics.com/.
Contacts:
Today’s Question: Is it advisable to use iOS or Android for sensitive data?

The data sensitivity classification and risk of exposure/loss will vary from corporation to corporation. Due to the techniques available to evade the passcode and recover data on both Android and iOS, we do not recommend storing highly sensitive data on consumer mobile devices.

For more questions use the links on the right, or view the report table of contents.
Today’s Question: Which is more secure, iOS or Android?

While the answer to this question just six months ago (summer 2011) would clearly have found that iOS is more secure, advancements in Android have removed most of these distinctions. These advancements are only realized on the newer versions of Android and on certain devices. However, the same situation exists with iOS devices. Since the passcode can be circumvented on all current iOS devices but only some Android devices, this may give a slight advantage to Android. Furthermore, nearly all files encrypted on iOS are recoverable, bringing further challenges to iOS. In the next three to six months, we expect a clear answer to this question.

While iOS initially provided more focus and features for enterprise security, the gap has been quickly closed by Android, and at this time Android is positioned to provide higher security in the near future. If iOS can address the passcode and encryption issues, then both platforms will likely provide sufficient security.

Similar questions: For more questions use the links on the right, or view the report table of contents.