I spent the last two weeks talking with CISOs, application developers, mobility experts and IoT thought leaders like SRI’s Dr. Ulf Lindqvist. One thing was for certain – mobile is receiving a lot of attention from the enterprise.
Considerations voiced ranged from device and application management to security of mobile apps and IoT devices. EMM, MAM and MDM were talked about as a part of the solution. But security solutions were generally perceived as lacking. Just a few years ago, few people thought that these mobile, consumer devices would be so powerful, pervasive and change enterprise security so fundamentally.
Now mobility professionals are working cooperatively with security professionals much like the way WAF brought together web application developers and security professionals. Just as with WAF there can be a steep cooperation curve in many organizations trying to bring these two disparate groups together. A lack of symbiotic mutualism often leads to poorly secured applications that are developed in-house and poor security around third-party applications, both of which are being implemented for internal enterprise use and for customer-facing solutions.
From a security perspective there are growing concerns around areas like pharming and malware. Protection of data at rest and data in transit are also familiar considerations as are session hijacking protection, man in the middle protection and anti-debugging. But one item that came up time and time again was phishing and the fact that phishing is a bit different for mobile juxtaposed to traditional browser and email-based phishing.
Phishing is a well-known and well-understood attack predicated on social engineering that simply works year after year. For example, a malicious individual may want to craft a mechanism by which they can retrieve data such as personal, financial or credit card. To do this they might use an email, social media post, etc. to lure a victim to a fake website. For example, instead of going to MySafeBank.com the victim unintentionally goes to the attacker’s carefully crafted EvilBank.com and where the victim happily enters all their information for the attacker.
With mobile phishing it’s different. Sure mobile devices can still receive malicious emails and go to fake websites. But in the mobile world it’s less likely for a user to enter their bank with the mobile device’s web browser and more likely to be a mobile device with a purpose-built banking app. Enter phishing through malicious apps or malicious behavior within friendly apps.
A mobile application is a self-contained entity. But there are still two primary ways for a malicious party to create that same false sense of trust used in traditional phishing.
Option one, a nefarious application masquerading as the legitimate application. That iOS .ipa or Android .apk app might look legit but beware. While not isolated to Android, especially if you include iPhones that are jailbroken, this is generally an issue for Android because users may choose to download apps from alternatives to Google Play because of cost, extra features, etc.
A malicious individual can obtain the original app, craft an alternative app to look and operate like the original but add some special features. For example, record fields like user name, password, account number, Social Security number, etc. The attacker can distribute this malicious app through various app stores so it will be easy to search for and install.
- Mobile pharming
- Mobile malware
- Mobile encryption
- Mobile reversing and tampering
- Man in the middle attacks on mobile apps
Option two, tampering with or modifying the content that an application is showing. Many mobile apps will display web-based content via an internal browser. Because of that web-based content, exploits like man-in-the-middle can be leveraged to modify the content that is being shown.
Once an attacker can influence web-based content, they have great control and can trick the user into “verifying” their user name and password for example. This information gets recorded even though the app itself wasn’t compromised and never intended to show the malicious web content.
Phishing is just one example of how a traditional attack can be adapted to the mobile platform. It’s a newer category for security professionals to consider in their ever evolving fight.