
Mobile Security and Risk Review, Second Edition, v1.5 | © 2016 MobileIron, Inc.

Mobile Security and Risk Review

Executive Summary

Welcome to the second edition of the Mobile Security and Risk Review. In this edition we update the mobile threat landscape, discuss emerging risks, report OS enterprise share, and list the top blacklisted consumer apps. We conclude with our recommendations for enterprises to protect their assets against mobile risks and threats.

Several new mobile attacks have emerged that threaten enterprises. Most reuse old tactics against mobile-specific services, such as SideStepper’s use of Man-in-the-Middle (MITM) against MDM, rather than employing new techniques or exploiting new vulnerabilities. However, when attacks against users succeed, they can result in the loss of both personal and business data.

This quarter saw the following employee compliance incidents increase:
• Devices with out-of-date policies
• Missing devices
• Devices where the EMM app was removed

While the following risky behaviors decreased:
• Compromised devices
• Devices where the PIN was removed

Other out-of-compliance events stayed largely flat. However, enterprises continue to fall short when it comes to protecting corporate data on mobile apps and devices, as illustrated by the very small number of companies using App Reputation or Mobile Threat Detection software or enforcing OS updates.

OS vendors continue to patch vulnerabilities

As with any software, the longer it is in market, the more likely it is that vulnerabilities will be identified. Similarly, the more features that are added, the greater the chances that bugs will be introduced. Mobile operating systems are no exception. Apple and Google each released three updates for their mobile OSes during the quarter.[1]

iOS updates included fixes for a number of issues, mostly related to memory corruption and potential data leakage, as well as some privilege escalation vulnerabilities.[2] Android security updates released during the quarter addressed 20 critical and 36 high-risk Common Vulnerabilities and Exposures (CVEs), many focused on privilege escalation or remote code execution. Also of note, Google continues to patch flaws in both libstagefright and the Android mediaserver libraries, both of which garnered attention in connection with the Stagefright vulnerabilities identified by Zimperium researcher Joshua Drake last year.[3]

[1] Apple officially released iOS 9.3.1 on March 31st, 2016, the last day of Q1.
[2] https://support.apple.com/en-us/HT206568, https://support.apple.com/en-us/HT206902
[3] https://source.android.com/security/bulletin/2016-04-02.html, https://source.android.com/security/bulletin/2016-05-01.html, https://source.android.com/security/bulletin/2016-06-01.html

Mobile threat landscape

Mobile devices and apps are becoming an increasingly attractive target. In many cases, a mobile device used for work purposes is also used for personal purposes. Mobile threats are as much a risk to enterprises as they are to consumers. Enterprise users are especially vulnerable to these attacks if they don’t have EMM security on their devices. Recent mobile attacks include:

Android GMBot

This spyware remotely controls infected devices in order to trick victims into providing their bank credentials. In December 2015, the source code was leaked online. Not only were cyber attackers able to access this code for free, but there was a tutorial and server-side instruction manual to make it easier to perpetrate attacks.

Recommendation: The release of the source code likely means that more GMBot variants will appear. Because malware that successfully bypasses initial scans in the commercial app stores is often found and removed very quickly, the most common way for it to spread is via third-party stores or “side-loading.” To protect against the malware, monitor devices that allow installation from “Unknown Sources” or have “USB Debugging” enabled and take appropriate enforcement actions.

AceDeceiver iOS malware

AceDeceiver malware is designed to steal a person’s Apple ID. This malware, which was disguised as wallpaper and uploaded to the App Store in late 2015, has been able to infect devices that do not have a compromised operating system, and it does not rely on an enterprise certificate issued by Apple. The bogus wallpaper induces users to connect to a third-party app store where they are asked to enter their Apple IDs, which are then stolen and uploaded to a server. We include AceDeceiver in our list of Q2 threats because it abuses flaws in Apple DRM that allow it to reinstall the malware even after it has been removed from the store, giving it a persistence that earlier iOS malware has not had.

Recommendation: It’s important to note that only three apps containing the AceDeceiver malware were identified and, while they evaded initial detection, they were found and removed. It’s also important to reiterate that AceDeceiver can re-install itself on Apple iOS devices using separate malware on a PC. Somewhat ironically, the best way to protect against AceDeceiver is to use traditional PC anti-virus/anti-malware solutions to prevent PCs from being infected with the utility that is used to re-load AceDeceiver.

SideStepper iOS “vulnerability”

In March 2016, security researchers at Check Point again underscored the risks of MITM attacks, using the technique to intercept and manipulate traffic between an MDM server and a managed device, specifically targeting MDM-initiated app installation commands to install apps that could “side-step” normal app approval processes. The SideStepper attack requires the end user to be tricked into installing a malicious configuration profile, usually the result of a phishing attack. The user must confirm the installation of the profile and also confirm additional prompts to install any malicious applications.

Recommendation: The risk from SideStepper stems primarily from a successful MITM attack. To protect against these kinds of attacks, configure iOS Restrictions to prevent users from accepting untrusted SSL certificates and from installing configuration profiles. For MobileIron customers with more stringent security policies, consider enabling FIPS Mode.

High-severity OpenSSL issues

In May 2016, OpenSSL disclosed two flaws.[4] One of the flaws, CVE-2016-2107, opens the door to a padding oracle attack that can allow decryption of traffic if the connection uses an AES-CBC cipher and the server supports AES-NI. The second issue is a memory corruption vulnerability in the ASN.1 encoder used in OpenSSL. These vulnerabilities can potentially affect large numbers of applications and services, which could ultimately jeopardize enterprise data in motion.

Recommendation: The high-severity OpenSSL issues are not limited in scope to mobile. We highlight them here because they are representative of a new class of risks created by the use of open source and shared components. Vulnerabilities in these types of components can create widespread exposure because of their ubiquity. Protecting against them requires cataloging the open source components that may be in use in your environment and performing source code analysis of the applications and services that use those components.

[4] https://threatpost.com/openssl-patches-two-high-severity-vulnerabilities/117792/

Marcher Android malware

Since it first appeared in 2013, Marcher has evolved to mimic bank web pages that trick users into entering their login information through e-commerce web sites.

Recommendation: Here again, we have malware that is fairly old and not only continues to persist but expands its targets. We mention Marcher in this report because it has begun to target additional banks over the last quarter. The recommendations to protect against Marcher are the same as those outlined for GMBot: monitor devices that allow installation from “Unknown Sources” or have “USB Debugging” enabled and take appropriate enforcement actions.

Mobile security risks and costs on the rise

Security incidents are often the precursor to a breach because they leave a device or app vulnerable, and that can put enterprise data at risk. A mobile device that is compromised or out of compliance increases an enterprise’s vulnerability, and data breaches are getting more expensive. In 2016 the Ponemon Institute conducted a survey of 383 companies in 12 countries. The results showed that the average total cost of a data breach is $4 million, an increase of 29% since 2013.[5]

Employee compliance incidents increased

Missing devices

A missing device is defined as one that is out of contact for an extended period. It could be lost, stolen, not in use, or turned off. Forty percent of companies had missing devices, up from 33% in Q4 2015. German companies were the most likely to have missing devices (50%) and Spanish companies were the least likely (25%).

Recommendation: In cases of missing devices, it’s important to “close the loop” with the end user to determine the actual state of a device that appears to be missing. In addition to quarantining the device to prevent access to enterprise resources, organizations should use automated notification mechanisms to alert both end users and IT to the condition, so that the state of the device can be determined and, if necessary, additional action taken.

Out-of-date policies

Out-of-date policies occur when the mobile IT administrator has changed a policy on the console but that change has not propagated to all devices under management. Companies with out-of-date policies increased from 20% in Q4 2015 to 27% in Q2 2016. U.S. companies were the most likely to have out-of-date policies (33%) and Spanish companies were the least likely (20%).

Recommendation: Like missing devices, out-of-date policies require action on the part of IT and, potentially, the end user.
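As an added illustration, not code from the MobileIron report, the Python script below applies the report's incident definitions (a missing device that has been out of contact for an extended period, an out-of-date policy where the console change has not reached the device, and the "Unknown Sources" / "USB Debugging" conditions from the GMBot and Marcher recommendations) to a constructed EMM device inventory and reports the share of the fleet affected. The record fields, the 14-day "extended period" threshold and the console policy version are assumptions, not MobileIron's schema.

```python
from datetime import datetime, timedelta

# Constructed sample of an EMM device inventory; field names are assumed, not MobileIron's schema.
NOW = datetime(2016, 6, 30, 12, 0, 0)
CONSOLE_POLICY_VERSION = 7          # policy version currently set on the admin console (assumed)
MISSING_AFTER = timedelta(days=14)  # assumed "extended period"; the report gives no number

DEVICES = [
    {"id": "ios-01", "os": "ios", "last_checkin": "2016-06-30T09:15:00",
     "policy_version": 7, "unknown_sources": False, "usb_debugging": False},
    {"id": "and-02", "os": "android", "last_checkin": "2016-06-29T18:40:00",
     "policy_version": 6, "unknown_sources": True, "usb_debugging": False},
    {"id": "and-03", "os": "android", "last_checkin": "2016-05-20T07:00:00",
     "policy_version": 5, "unknown_sources": False, "usb_debugging": True},
    {"id": "ios-04", "os": "ios", "last_checkin": "2016-06-28T22:05:00",
     "policy_version": 7, "unknown_sources": False, "usb_debugging": False},
]


def classify(device, now=NOW, console_version=CONSOLE_POLICY_VERSION, missing_after=MISSING_AFTER):
    """Return the list of compliance incidents a single device record triggers."""
    findings = []
    last_seen = datetime.fromisoformat(device["last_checkin"])
    if now - last_seen > missing_after:
        findings.append("missing")              # out of contact for an extended period
    if device["policy_version"] < console_version:
        findings.append("out_of_date_policy")   # console change has not propagated to the device
    if device["os"] == "android" and (device["unknown_sources"] or device["usb_debugging"]):
        findings.append("sideload_risk")        # spread path used by GMBot and Marcher
    return findings


def summarize(devices, **kw):
    """Percentage of the fleet affected by each incident type, rounded to whole percent."""
    counts = {}
    for device in devices:
        for finding in classify(device, **kw):
            counts[finding] = counts.get(finding, 0) + 1
    return {finding: round(100 * n / len(devices)) for finding, n in counts.items()}


if __name__ == "__main__":
    for device in DEVICES:
        print(device["id"], classify(device) or "compliant")
    print(summarize(DEVICES))
```

Devices flagged "sideload_risk" are the ones the GMBot and Marcher recommendations say to monitor and act on; "missing" devices are the ones to quarantine and follow up on with the user.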