
Mobile Security and Risk Review Second Edition


v 1.5 | © 2016 MobileIron, Inc.

Executive Summary

Welcome to the second edition of the Mobile Security and Risk Review. In this edition we update the mobile threat landscape, discuss emerging , report OS enterprise share, and list the top blacklisted consumer apps. We conclude with our recommendations for enterprises to protect their assets against mobile risks and threats.

Several new mobile attacks have emerged that threaten enterprises. Most re-use old tactics against mobile-specific services, such as SideStepper’s use of Man-in-the-Middle (MITM) against MDM, rather than employing new techniques or exploiting new vulnerabilities. However, when attacks against users are successful, they can result in the loss of both personal and business data.

This quarter saw the following employee compliance incidents increase:

• Devices with out-of-date policies
• Missing devices
• Devices where the EMM app was removed

The following risky behaviors decreased:

• Compromised devices
• Devices where the PIN was removed

Other out-of-compliance events stayed largely flat. However, enterprises continue to fall short when it comes to protecting corporate data on mobile apps and devices, as illustrated by the very small number of companies using App Reputation or Mobile Threat Detection or enforcing OS updates.

OS vendors continue to patch vulnerabilities

As with any software, the longer it is in market, the more likely it is that vulnerabilities will be identified. Similarly, the more features that are added, the greater the chance that bugs will be introduced. Mobile operating systems are no exception. Apple and Google each released three updates for their mobile OSes during the quarter.[1] iOS updates included fixes for a number of issues, mostly related to memory corruption and potential data leakage, as well as some vulnerabilities.[2]

Android security updates released during the quarter addressed 20 critical and 36 high-risk Common Vulnerabilities and Exposures (CVEs), many focused on privilege escalation or remote code execution.[3] Also of note, Google continues to patch flaws in both libstagefright and the Android mediaserver libraries, both of which garnered attention in connection with the vulnerabilities identified by Zimperium researcher Joshua Drake last year.

Mobile threat landscape

Mobile devices and apps are becoming an increasingly attractive target. A mobile device used for work is often used for personal purposes as well, so mobile threats are as much a risk to enterprises as they are to consumers. Enterprise users are especially vulnerable to these attacks if they don’t have EMM security on their devices.

Recent mobile attacks include:

Android GMBot

This remotely controls infected devices in order to trick victims into providing their bank credentials. In December 2015, the source code was leaked online. Not only were cyber attackers able to access this code for free, but there was a tutorial and server-side instruction manual to make it easier to perpetrate attacks.

Recommendation: The release of the source code likely means that more GMBot variants will appear. Because malware that successfully bypasses initial scans in the commercial app stores is usually found and removed very quickly, the most common way for it to spread is via third-party stores or “side-loading.” To protect against the malware, monitor devices that allow installation from “Unknown Sources” or have “USB Debugging” enabled and take appropriate enforcement actions.

[1] Apple officially released iOS 9.3.1 on March 31st, 2016, the last day of Q1.
[2] https://support.apple.com/en-us/HT206568, https://support.apple.com/en-us/HT206902
[3] https://source.android.com/security/bulletin/2016-04-02.html, https://source.android.com/security/bulletin/2016-05-01.html, https://source.android.com/security/bulletin/2016-06-01.html

AceDeceiver iOS malware

AceDeceiver malware is designed to steal a person’s Apple ID. This malware, which was disguised as a wallpaper app and uploaded to the App Store in late 2015, has been able to infect devices that are not compromised. Nor does it rely on an enterprise certificate issued by Apple. The bogus wallpaper induces users to connect to a third-party where they are asked to enter their Apple IDs, which are then stolen and uploaded to a server. We include AceDeceiver in our list of Q2 threats because it exploits flaws in Apple DRM that allow it to reinstall the malware even after it has been removed from the store, so it can persist in a way that earlier iOS malware could not.

Recommendation: It’s important to note that only three apps containing the AceDeceiver malware were identified and, while they evaded initial detection, they were found and removed. It’s also important to reiterate that AceDeceiver can re-install itself on Apple iOS devices using separate malware on a PC. Somewhat ironically, the best way to protect against AceDeceiver is to use traditional PC anti-virus/anti-malware solutions to prevent PCs from being infected with the utility that is used to re-load AceDeceiver.

SideStepper iOS “vulnerability”

In March 2016, security researchers at again underscored the risks of MITM attacks, using the technique to intercept and manipulate traffic between an MDM server and a managed device, specifically targeting MDM-initiated app installation commands to install apps that could “side-step” normal app approval processes. The SideStepper attack requires the end user to be tricked into installing a malicious configuration profile, usually the result of a attack. The user must confirm the installation of the profile and also confirm additional prompts to install any malicious applications.

Recommendation: The risk from SideStepper stems primarily from a successful execution of a MITM attack. To protect against these kinds of attacks, configure iOS Restrictions to prevent users from accepting untrusted SSL certificates and from installing configuration profiles. For MobileIron customers with more stringent security policies, consider enabling FIPS Mode.
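The two iOS Restrictions named in this recommendation, as an added Python example that is not MobileIron's own code: it builds a Restrictions payload that rejects untrusted TLS certificates and blocks interactive profile installation, and audits an arbitrary profile for both settings. The payload key names are the ones I believe Apple's Configuration Profile Reference uses for these restrictions; the profile installation key applies to supervised devices only, and the organization and identifier values are constructed.

```python
import plistlib
import uuid

# Restriction keys assumed from Apple's Configuration Profile Reference.
REQUIRED_RESTRICTIONS = {
    # Reject untrusted HTTPS certificates instead of prompting the user.
    "allowUntrustedTLSPrompt": False,
    # Supervised only: block interactive configuration-profile installation.
    "allowUIConfigurationProfileInstallation": False,
}

def build_restrictions_profile(org, identifier):
    """Return a .mobileconfig (XML plist) as bytes enforcing both restrictions."""
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Restrictions",
        **REQUIRED_RESTRICTIONS,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} MITM hardening",
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)

def audit_profile(data):
    """Return the required restrictions a profile does not enforce.

    A restriction counts as enforced only when some com.apple.applicationaccess
    payload sets it to False; an absent key leaves the device's permissive default.
    """
    profile = plistlib.loads(data)
    enforced = set()
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key, wanted in REQUIRED_RESTRICTIONS.items():
            if payload.get(key) is wanted:
                enforced.add(key)
    return sorted(k for k in REQUIRED_RESTRICTIONS if k not in enforced)

# Constructed permissive profile: one key explicitly allowed, the other absent.
WEAK_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.weak",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadContent": [{
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.weak.restrictions",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "allowUntrustedTLSPrompt": True,
    }],
})

if __name__ == "__main__":
    hardened = build_restrictions_profile("Example Corp", "com.example.hardening")
    print("hardened profile gaps:", audit_profile(hardened))
    print("weak profile gaps:", audit_profile(WEAK_PROFILE))
```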

High-severity OpenSSL issues

In May 2016, OpenSSL disclosed two flaws.[4] One of the flaws, CVE-2016-2107, opens the door to a padding oracle attack that can allow for the decryption of traffic if the connection uses an AES CBC cipher and the server supports AES-NI. The second issue is a memory corruption vulnerability in the ASN.1 encoder used in OpenSSL. These vulnerabilities can potentially impact large numbers of applications and services, which could ultimately jeopardize enterprise data-in-motion.

Recommendation: The high-severity OpenSSL issues are not limited in scope to mobile. We highlight them here because they are representative of a class of risks created by the use of open source and shared components. Vulnerabilities in these types of components can create widespread exposures because of their ubiquity. Protecting against them requires cataloging the open source components that may be in use in your environment and performing source code analysis of the applications and services that use these components.

Marcher Android malware

Since it first appeared in 2013, Marcher has evolved to mimic bank web pages that trick users into entering their information through e-commerce web sites.

Recommendation: Here again we have malware that is fairly old and that not only persists but expands its targets. We mention Marcher in this report because it has begun to target additional banks over the last quarter. The recommendations to protect against Marcher are the same as those outlined for GMBot: monitor devices that allow installation from “Unknown Sources” or have “USB Debugging” enabled and take appropriate enforcement actions.

[4] https://threatpost.com/openssl-patches-two-high-severity-vulnerabilities/117792/

Mobile security risks and costs on the rise

Security incidents are often the precursor to a breach because they leave a device or app vulnerable, which can put enterprise data at risk. A mobile device that is compromised or out of compliance increases an enterprise’s vulnerability, and data breaches are getting more expensive. In 2016 the Ponemon Institute conducted a survey of 383 companies in 12 countries. The results showed that the average total cost of a data breach is $4 million — an increase of 29% since 2013.[5]

Employee compliance incidents increased

Missing devices

A missing device is defined as one that is out of contact for an extended period. It could be lost, stolen, not in use, or turned off. Forty percent of companies had missing devices, up from 33% in Q4 2015. German companies were the most likely to have missing devices (50%) and Spanish companies were the least likely (25%).

Recommendation: In cases of missing devices, it’s important to “close the loop” with the end user to determine the actual state of a device that appears to be missing. In addition to quarantining the device to prevent access to enterprise resources, organizations should leverage automated notification mechanisms to alert both end users and IT to the condition so that the state of the device can be determined and, if necessary, additional action can be taken.

Out-of-date policies

Out-of-date policies occur when the mobile IT administrator has changed a policy on the console but that change has not propagated to all devices under management. Companies with out-of-date policies increased from 20% in Q4 2015 to 27% in Q2 2016. U.S. companies were the most likely to have out-of-date policies (33%) and Spanish companies were the least likely (20%).

Recommendation: Like missing devices, out-of-date policies require action on the part of IT, and potentially, the end user. Because devices with out-of-date policies, by definition, do not conform to the current configuration standard, IT and end users should be notified, and access to enterprise resources should be restricted while the issue is diagnosed and resolved.

[5] http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03094WWEN

Devices where the EMM profile is removed

This compliance field can be triggered by a variety of activities. We believe that the majority of cases occur when an employee switches to a new device and deactivates the old one, or when an employee does a factory reset on their device. However, there are also cases where the employee has deliberately removed the EMM profile because they no longer want to use that device for work because of privacy concerns.

The percentage of companies in which the EMM app was removed from one or more mobile devices increased from 5% in Q4 2015 to 26%. While less than 1% of devices fell into this category, they were spread across more companies. The reason for this increase is not known. Nevertheless, the trend is puzzling given general awareness that even a single compromised device increases the attack surface and can introduce malware into the corporate network or enable the theft of sensitive corporate data that resides behind the . U.S. companies were the most likely to have unmanaged EMM devices (30%) and UK companies were the least likely (17%).

Recommendation: Employees have expectations around the privacy of the on their device. Companies need to communicate to employees in a simple way what they can and cannot see on a device, what actions they can take, and why they need this visibility. While an organization may require a formal Terms of Service , employee communications about privacy should be made separately, using clear language that all employees can understand. A best practice is to present this information when employees are most likely to be thinking about it, for example, when they activate the EMM solution and set up their device. This could mean showing a pop-up screen similar to the experience of popular productivity apps such as Evernote and Dropbox, or putting the information in an easy-to-find place such as a corporate intranet.

Risky behaviors decreased

Compromised devices

Often referred to as being jailbroken or rooted, a device is compromised when the operating system has been tampered with and the fundamental security of the OS has been bypassed. This can include granting users root or “” privileges or removal of application sandboxing restrictions, etc. Compromised devices decreased slightly from 10% of companies reporting at least one compromised device in Q4 2015 to 9% in Q2 2016. Belgian companies are most likely to have compromised devices accessing corporate data (12%) and companies in the UK are the least likely (4%).

Security practices remain flat

Out-of-compliance devices

This category reflects the aggregate of all policy violations observed in our data. Non-compliance will have different meanings in different companies, but in all cases it means that the device is doing something the organization does not want it to do. Not only do non-compliant devices potentially jeopardize enterprise data, but they could also expose companies to regulatory violations. More than 50% of companies had at least one device out of compliance with policies in Q2 2016. This is flat from Q4 2015. German companies are the most likely to have at least one device out of compliance (66%). Companies in the UK are the least likely to have a device out of compliance (39%).

Recommendation: Organizations will need to gauge the severity and importance of the different facets of their mobile security policies and configure appropriate actions. Whereas it may be appropriate to simply notify users when a policy or configuration setting is out of date, quarantining or selectively wiping devices is more appropriate for devices that have compromised OSes or have had MDM controls disabled. It is critical that organizations align their risk appetites with the different types of policy violations and configure appropriate controls to provide automated responses and remediation.

Enforcing OS Updates

EMM policies can enforce a minimum OS version in order to encourage users to upgrade and thus patch their devices. Eight percent of companies were enforcing OS updates, which was comparable to Q4 2015. Belgian companies are nearly twice as likely to enforce OS updates than companies from any other region (15%). Japanese companies are the least likely to enforce them (2%).

EMM software can alert IT to incidents, giving them a critical window of opportunity to seal any security gaps and ensure that the mobile devices in their organization are adequately protected. The recommendations in this report outline actions that companies can take to protect themselves from mobile attacks such as the ones listed above.

Recommendation: As noted earlier in this report, mobile OS vendors are taking security seriously and delivering regular updates to address security issues. Organizations should always review the security content of OS updates and should enforce minimum OS versions to ensure that their mobile fleets are sufficiently protected.
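The compliance categories this report tracks (missing devices, out-of-date policies, EMM app removed, compromised OS, minimum OS version, plus the Unknown Sources and USB Debugging checks recommended for GMBot and Marcher) mapped to the graduated notify/restrict/quarantine/wipe response described above, as an added Python illustration that is not MobileIron code. The device record fields, the 30-day threshold for "missing", the minimum OS versions and the sample fleet are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds (not from the report): days out of contact before a
# device counts as "missing", and the enforced minimum OS versions.
MISSING_AFTER = timedelta(days=30)
MIN_OS = {"ios": (9, 3, 1), "android": (6, 0, 1)}
SEVERITY = {"notify": 0, "restrict": 1, "quarantine": 2, "selective_wipe": 3}

@dataclass
class Device:
    device_id: str
    platform: str                  # "ios" or "android"
    os_version: str                # dotted version reported by the device
    last_checkin: datetime         # last successful contact with the EMM server
    policy_version: int            # policy version currently on the device
    compromised: bool = False      # jailbroken or rooted
    emm_present: bool = True       # EMM app / management profile still installed
    unknown_sources: bool = False  # Android: installs from Unknown Sources allowed
    usb_debugging: bool = False    # Android: USB debugging enabled

def parse_version(text):
    """'9.3.1' -> (9, 3, 1), compared component-wise."""
    return tuple(int(p) for p in text.split("."))

def evaluate(dev, current_policy, now):
    """Map one device record to (category, action) findings, graduated as the
    report recommends: notify for stale settings, restrict while a policy lag is
    diagnosed, quarantine missing or unmanaged devices, wipe a compromised OS."""
    findings = []
    if not dev.emm_present:
        findings.append(("emm_removed", "quarantine"))
    if dev.compromised:
        findings.append(("compromised", "selective_wipe"))
    if now - dev.last_checkin > MISSING_AFTER:
        findings.append(("missing", "quarantine"))
    if dev.policy_version < current_policy:
        findings.append(("out_of_date_policy", "restrict"))
    if parse_version(dev.os_version) < MIN_OS[dev.platform]:
        findings.append(("os_below_minimum", "notify"))
    if dev.platform == "android" and (dev.unknown_sources or dev.usb_debugging):
        findings.append(("sideload_risk", "notify"))
    return findings

def most_severe(findings):
    """Single action for a device, or None when it is compliant."""
    if not findings:
        return None
    return max((action for _, action in findings), key=SEVERITY.__getitem__)

def fleet_report(devices, current_policy, now):
    """Return (devices affected per category, action per device)."""
    counts, actions = {}, {}
    for dev in devices:
        findings = evaluate(dev, current_policy, now)
        for category, _ in findings:
            counts[category] = counts.get(category, 0) + 1
        actions[dev.device_id] = most_severe(findings)
    return counts, actions

# Constructed sample fleet, evaluated against policy version 7 on 2016-06-30.
NOW = datetime(2016, 6, 30)
CURRENT_POLICY = 7
SAMPLE_FLEET = [
    Device("ios-01", "ios", "9.3.1", NOW - timedelta(days=1), 7),
    Device("ios-02", "ios", "9.2", NOW - timedelta(days=45), 6),
    Device("and-01", "android", "6.0.1", NOW - timedelta(hours=3), 7, unknown_sources=True),
    Device("and-02", "android", "5.1.1", NOW - timedelta(days=2), 7, compromised=True, usb_debugging=True),
    Device("and-03", "android", "6.0.1", NOW - timedelta(days=2), 7, emm_present=False),
]
```

Running `fleet_report(SAMPLE_FLEET, CURRENT_POLICY, NOW)` gives one action per device (ios-02 is quarantined for being out of contact even though its stale policy alone would only warrant a restriction) and a per-category count of the kind this report presents.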

App Reputation/Mobile Threat Detection (MTD)

App Reputation and MTD software give organizations greater visibility into the behavior of applications running in their environments. These tools can help organizations defend against malware and, perhaps more importantly, can be used to monitor specific app behaviors and create “profiles” of acceptable and unacceptable characteristics (e.g., whether or not apps connect to cloud-based file sync and share services). Less than 5% of companies deployed app reputation software, which was comparable to Q4 2015 and remained consistent across regions.

Recommendation: Manual blacklisting is simply not a scalable approach to managing risks from mobile applications. Organizations should instead take advantage of App Reputation and MTD products to focus on generic behaviors and capabilities rather than trying to manually manage lists of software packages.

Companies with compromised (i.e., jailbroken or rooted) devices accessing corporate data

% of companies with compromised devices:

Global  Belgium  France  Germany  Japan  Spain  UK   US   Govt.
9%      12%      12.0%   6.0%     4%     10%    4%   11%  8%

Companies enforcing OS updates

% of companies enforcing OS updates:

Global  Belgium  France  Germany  Japan  Spain  UK   US   Govt.
8%      15%      5%      10%      2%     6%     5%   9%   9%

Companies with devices out of compliance

% of companies with devices out of compliance:

Global  Belgium  France  Germany  Japan  Spain  UK   US   Govt.
53%     62%      55%     66%      53%    40%    39%  58%  61%

Companies with missing devices (out of contact for an extended time)

% of companies with missing devices:

Global  Belgium  France  Germany  Japan  Spain  UK   US   Govt.
40%     46%      38%     50%      32%    24%    30%  46%  48%

Companies that had users remove MDM

% of companies that had users remove MDM:

Global  Belgium  France  Germany  Japan  Spain  UK   US   Govt.
26%     30%      24%     26%      24%    20%    17%  30%  28%

Companies with old policies

% of companies with old policies:

Global  Belgium  France  Germany  Japan  Spain  UK   US   Govt.
27%     23%      22%     26%      25%    20%    21%  33%  33.8%

Evernote and Line Join the List of Most Blacklisted Consumer Apps

The top 10 unmanaged consumer apps most often blacklisted by enterprises changed between Q4 2015 and Q2 2016. New entrants to the top 10 list include Line and Evernote. Line, a free Japanese voice and messaging app, was most frequently blacklisted in Japan, followed by the UK and US. Facebook rose from #3 to #2. Skype rose from #9 to #4. OneDrive dropped from #4 to #7. Google Drive dropped from #5 to #8. Twitter dropped from #8 to #9.

The blacklist illustrates the tension between IT and employees. Employees want to use the consumer apps they like when they are at work. Fortunately, enterprise versions of apps like Box, Dropbox and Evernote are available, enabling enterprises to give their employees the experience they want while protecting corporate data.

Rank  Q4 2015       Q2 2016
1     Dropbox       Dropbox
2     Angry Birds   Facebook
3     Facebook      Angry Birds
4     OneDrive      Skype
5     Google Drive  Line
6     Box           Box
7     WhatsApp      OneDrive
8     Twitter       Google Drive
9     Skype         Twitter
10    SugarSync     Evernote

Industry Spotlight: Government

Government organizations have some of the most stringent security requirements, which can make it hard for agencies to keep up with the changing pace of mobile technologies. Approval processes can be lengthy and extensive, forcing agencies to use old technology that leaves them vulnerable to modern threats.

At a time when regulation is increasing, our data shows that government organizations around the world face more risk than the other enterprises in this survey.

• 61% of government organizations have at least one non-compliant device, compared to the global average of 53%.
• 48% of government organizations have missing devices, compared to the global average of 40%.
• 34% of government organizations had out-of-date policies, compared to the global average of 27%.
• 28% of government organizations had users remove the EMM app from their devices, compared to the global average of 27%.

iOS Remains Dominant in the Enterprise

The share of iOS devices grew from 78% in Q4 2015 to 81% in Q2 2016. The share of Android devices remained flat at about 18% during this timeframe.

New this quarter is the regional breakout of OS adoption. Spain has the highest share of Android devices and the lowest share of iOS devices. Conversely, Japan has the highest share of iOS devices and the lowest share of Android devices.

OS share by country

         Global  Belgium  France  Germany  Japan  Spain  UK   US   Govt.
iOS      81%     84%      50%     85%      92%    33%    83%  86%  82%
Android  18%     15%      50%     14%      5%     66%    16%  14%  18%

Summary

Mobility is now a fact of life in every global enterprise, and employees expect anytime, anywhere access to corporate apps and data. Enabling this access enhances productivity and enables a more flexible work-life balance for employees. But mobile access is not without risk, and IT organizations can no longer afford to overlook these risks.

EMM solutions, such as MobileIron’s platform, provide the fundamental tools to mitigate these risks while empowering an increasingly mobile workforce. Moreover, they are designed to do so while protecting the sanctity of employee personal data (photos, texts, personal ) on the mobile device. Yet, despite the availability of EMM solutions, we see an increasing number of security lapses.

It’s important to note that these security lapses are not due to EMM weaknesses. Rather, it appears from our data, that many IT organizations have simply failed to prioritize mobile security — even organizations that currently use EMM. As noted in our recommendations below, organizations can prioritize mobile security while maintaining productivity and respect for employee privacy.

Recommendations

In every budget-conscious IT organization the big question is, “That sounds great, but how much is all of this going to cost?” The ongoing effort to secure mobile data and apps may seem expensive at first, but the most cost-effective approach is one heard time and again: “An ounce of prevention is worth a pound of cure.” The cost of preventing a mobile attack is far less than the $4 million cost of cleaning up after one.

The good news is, these recommendations can help IT organizations capitalize on the resources they already have in place but may not be using to their full potential.

1. Protect everything. Enterprises typically manage only a fraction of mobile devices through EMM. Every unmanaged device is an opportunity for attackers to steal company data. IT must ensure mobile security controls are deployed and enforced on every device used to access corporate data and apps.

2. Enforce mobile security. Gaining user trust is the first step to maintaining EMM controls on mobile devices, but IT should not put enterprise security exclusively in the hands of end users. That means employees should not be allowed to remove EMM security controls without the approval of IT. Moving forward, IT should consider deploying all corporate-liable devices using the Apple Device Enrollment Program (DEP), Samsung KNOX, or Android for Work Device Owner, all of which are now widely available. These capabilities prevent users from deleting or sidestepping corporate security policies on these devices.

For most enterprises, mobile security awareness and enforcement are still maturing. By reviewing the current research on mobile threats and vulnerabilities in mobile devices, apps, networks, and user behavior, IT can continually refine security tactics to protect enterprise data wherever it resides. Enterprises with an EMM solution such as MobileIron’s platform already have many of the tools they need; they just need to activate them.

Methodology:

The data in this report is normalized data collected between April 1 and June 30, 2016. We believe this is the largest set of enterprise-specific mobile device security analytics across the three most popular mobile operating systems: Android, iOS, and Windows.
