Apple, Google Need Mobile Security Rethink

Threatpost interviews Mickey Boodaei, the CEO of Trusteer, about the state of mobile device security. Mobile
security issues have been getting more press recently – on Threatpost
and elsewhere. Partially, this is because they’re new, and because
mobile devices are proliferating both at home and in the workplace. As
with any new wrinkle in the security landscape, there’s a danger of
spreading FUD (fear, uncertainty and doubt) when talking about these
kinds of new threats. Blogs and mainstream media outlets can end up
hyping the danger of relatively obscure threats simply because they
happen to mark the intersection of two interesting trends, like malware
and mobility. 

Threatpost interviews Mickey Boodaei, the CEO of Trusteer, about the state of mobile device security. 

Mobile
security issues have been getting more press recently – on Threatpost
and elsewhere. Partially, this is because they’re new, and because
mobile devices are proliferating both at home and in the workplace. As
with any new wrinkle in the security landscape, there’s a danger of
spreading FUD (fear, uncertainty and doubt) when talking about these
kinds of new threats. Blogs and mainstream media outlets can end up
hyping the danger of relatively obscure threats simply because they
happen to mark the intersection of two interesting trends, like malware
and mobility. 

But
Mickey Boodaei, the CEO Of security firm Trusteer says that mobile
malware is no joke and, if anything, the growing threats to mobile
devices are being under reported – or at least not reported correctly.
In a conversation with Threatpost, Boodaei, whose firm sells software
that can protect individuals doing online banking from malicious
attacks, says that mobile application ecosystems maintained by Google,
Apple and others are the biggest source of insecurity and that, while
Apple’s AppStore clearly has some advantages when it comes to security,
neither platform is immune from attack. The threat landscape today is
fundamentally different from what it was even four or five years ago,
Boodaei argues, but few vendors or customers have adjusted to the
changes. 

Threatpost: Thanks for taking the time to speak with Threatpost. How would you sum up the state of mobile device security right now?

Mickey Boodaei:
Well, for (Google) Android, its pretty bad. Specifically because its
very easy right now to generate and publish malicious applications on
the Android Marketplace. There are no controls. I think the (Android)
operating system is very powerful, but that also allows developers to
build malicious and sophisticated applications and then push them to
market. But its not just the Android Marketplace that’s a problem. Yes,
there’s a lack of control over the Android Marketplace, but Android
users also have the ability to download applications from anywhere.
That’s as opposed to Apple, which restricts downloads to the (iTunes)
App Store. Apple does have a review process in the App Store and they
are capable of detecting most malicious software that’s trying to get on
their marketplace. The second threat vector is vulnerabilities and
exploits that could allow fraudsters to jailbreak an iPhone or Android
device. We saw a good example of that last week.

I
think this is going to be the main threat to iOS (Apple’s mobile device
operating system). I think you’re going to see fraudsters researching
iOS and you’ll start seeing vulnerabilities for iOS for sale on the
black market. 

Threatpost: Aren’t you seeing that already? 

Mickey Boodaei: What
we’ve seen over the last couple of years are a few different kinds of
zero day (exploits). But last week was a good example of what we’ll see
in the next 12 to 24 months. So – more remotely exploitable
vulnerabilities and some of them traded on the black market. 

Threatpost: The
conventional wisdom is that operating systems like Android and iOS are
much more resistant to attack than, say, Windows, because they’re modern
and were designed, from the ground up, with security in mind. So, for
example, on iOS you have application sand boxing and ASLR (Address Space
Layout Randomization) and DEP (Data Execution Protection). 

Mickey Boodaei:
In the end, these OS’s aren’t that different from other OSs. They’re
complex software that contain a lot of bugs and vulnerabilities. Its
only a matter of time before these start to be uncovered. We’re already
starting to see them. We’re already seeing fraudsters take advantage Of
these vulnerabilities. The tipping point is when you start to see mobile
exploits bundled with exploit kits like Black Hole, so that you’ll have
mobile users getting social engineered to click on a malicious link
sent through SMS or social media. 

Threatpost: And visiting
the Web site that’s running the exploit kit with their mobile browser
launches the mobile exploit for that platform, just like in the Windows
world now. 

Mickey Boodaei: That’s right. 

Threatpost: Are you seeing attacks like that now? 

Mickey Boodaei:
We haven’t seen this yet, but we do know that all the building blocks
are there. You have the exploit kits, the remotely exploitable mobile
vulnerabilities are starting to pop up. Its now just a matter of
connecting the two or integrating the two and you’ll start to see the
drive by attacks. 

Threatpost: But will attacks on mobile
platforms be as successful as they have been on, say, Windows Systems?
Aren’t iOS and Android going to be harder nuts to crack? 

Mickey Boodaei:
Yes, but the threats have evolved, also. We’re not looking at the same
threats as we were three or four years ago. Its true that many of these
operating systems were designed with more security in mind. But the
threat has evolved so much so that it doesn’t matter. 

Threatpost: How so?

Mickey Boodaei: I
think the ability of fraudsters to uncover vulnerabilities in operating
systems has grown. Four or five years ago, there were only a few people
who knew how to uncover vulnerabilities in operating systems and most
of them were security researchers or people from security companies. You
didn’t have zero day attacks back then, because the fraudsters
generally did not have the capability to uncover the zero day
vulnerabilities. But we’re slowly starting to see them learn how to
reverse engineer fixes from Microsoft and understand the actual
vulnerability that was fixed. They’ve developed the capability of
finding their own vulnerabilities so that they can detect vulnerable
systems long before security researchers and vendors. When you see
attacks like those that have been launched against enterprises recently
and you realize the threat is different. One thing that worries me about
mobile platforms is that they don’t have an ability to react to
vulnerabilities. Look at Apple – they’ve been trying to develop a fix
for a zero day attack (a PDF-based exploit developed by Comex). And even
if the do develop a fix, they’re still going to need to go and update
your device by connecting it to your PC or your Mac and getting you to
install a new version of their operating system. That’s not a trivial
process. With Google and Android, its even more convoluted. You need the
fix to be developed and rolled into an update for iOS and then you need
to get the various hardware vendors – Motorola and Samsung – to
repackage that fix and distribute it to their customers. So its not a
very reactive solution given the type of threat.

Threatpost: We’ve recently seen a mobile banking Trojan that’s a variant of the Zeus Trojan and that targets out of band authentication. Are these common? 

Mickey Boodaei:
Those variants started with Symbian, Blackberry and Windows Mobile. Now
we’re seeing them move to Android. These attacks aren’t that common and
most that we’ve seen haven’t been successful, mainly because they’re
poorly executed. 

Threatpost: How so?

Mickey Boodaei:
They were poorly executed in the way that they asked customers or users
to download the application to their device. For the most recent
Android malware, for example, the user had to copy a URL from your PC to
your Android device – the (Zeus malware) just displayed the URL and you
had to type it in, so it was very clumsy. Then, if did download it to
your phone and it was, say, a Symbian device, it would fail. Customers
were suspicious and called the bank as it happened, so it allowed the
bank to detect the attack almost as soon as it was launched. 

Threatpost: So was this a real attack or more of a proof of concept? 

Mickey Boodaei: I
think it was more proof of concept. But I do think fraudsters did mean
to commit fraud through the attacks. But it was clearly more of an early
stage, proof of concept malware to see what fraudsters could actually
do. 

Threatpost: Do you see a replay of the troubles that
Microsoft had with Windows security, or are there steps that mobile
vendors can take now to avert that? 

Mickey Boodaei: There
are definitely steps they can take. I issued a warning two years ago to
Adobe when we started to see more vulnerabilities that exploited Flash
and Acrobat that they really had a poor update ability at that point.
Since then, they’ve improved it greatly, though its till not perfect.
Apple and Android are in bad shape now when it comes to updating, also,
and they need to fix that. Google, in particular, needs to introduce
more controls to the process of adding applications to the Android
Marketplace. I’m not saying Android needs to be a closed system like
Apple has, but there needs to be a process by which they review
applications. As it stands, they do have “take down” capabilities for
the Marketplace. If you do complain, they’ll look at an application and
remove it eventually. But why wait for people to complain about an
application? Why not do the review up front?

Also, you have a
very open access control architecture within Android that allows
applications to access text messages and voice and GPS and so on, as
long as the user says its OK. This is wrong. Google needs to build a few
profiles into its (Android) OS that are very restrictive. These
profiles would be configured so that applications aren’t allowed – for
example – to access text messages. Users would then have to go to
Settings on their phone to change the defaults. Steps like that would
minimize the threat considerably.

Suggested articles