Robert Morris University Mobile Forensics Celebrity Stalking Case Lab 2 Report
For this week's lab, you will need to access the software through VM. Once you are in VM, go to the Start Menu, find Paraben and then click Device Seizure. Please note that some of the information in the videos deals with actual working with physical devices. Since this is an online class, you will be working only with images of devices. With that being said, you will need to download the image of the Palm Treo from Blackboard or download from Passouts – Paullet-Mobile, to your desktop. The image must ALWAYS be copied to the desktop in order to open it in the software. Once the image is on the desktop you can click the image and it will open in Device Seizure, or you can import the file by opening the software and then clicking open case. Once the image is in the software you will need to click SORT from the top task bar. If you do not Sort the data you will not be able to analyze the image. For this week's case you are only responsible for finding the answers to the questions being asked. You will need to explore the software to find the answers. Mobile forensics is very different than computer forensics. There is no one-size-fits-all approach for all phones. The software that you are using currently supports over 26,000 devices. With each device you will see differences. In many ways this is much different than computer forensics. Throughout the next few weeks you will see the file structures change from phone to phone. Please use the first couple of labs to become familiar with the tool. In addition to answering the questions in detail, you need to write a 1-page report.
Note: The required Paraben Device Seizure case file is attached to this assignment. The case file name is “Palm Treo Case File.ds”
Assignment Rubric (100 Points)
Forensics analysis and written report: 80
Writing Standards – APA format: 20
https://youtu.be/VwtLHBbMj-s
GSMA Intelligence
January 2015
From feature phones to smartphones, the
road ahead
The increasing number of smartphone models priced under the $100 mark is the main driver of
consumer migration from basic and feature phones to smartphones. GSMA Intelligence
research shows that by 2020, around two thirds of all connections globally (excluding M2M) will
be smartphones, illustrating the rapid shift away from basic and feature phones, which
encompassed more than half of global connections in 2014. Data terminals (e.g., dongles,
tablets, routers) make up the remaining share of connections (at just below 10% in 2014).
Smartphones began as a developed world phenomenon …
In many developed markets, smartphone adoption is approaching the 70-80% ‘ceiling’ at which
growth tends to slow. Across the developed world, basic and feature phones represented only
around a quarter of all connections in 2014, while only a residual share of the market is
expected to run on these devices in 2020 as smartphones become ubiquitous.
While heavy operator subsidies have contributed significantly to this shift in device migration in
the developed region, the availability of smartphones at the same price as basic and feature
phones shows that the latter device category is rapidly becoming obsolete.
A study of Best Buy’s portfolio of ‘unlocked’ handsets in the US shows that the vast majority
(84%) of mobile phones offered in the country are smartphones (most of them running on
Android), with a number of them priced at the same level as that of the remaining basic and
feature phones – less than $100 (Average Selling Price, before discounts and subsidies). Around
half of smartphones on offer are priced below $200, while 29 smartphones are priced between
$47 and $80. Devices that form the portfolio of basic and feature phones on offer still hold a
slight pricing advantage, but this may not be the case for long.
Figure 1: Best Buy USA, online portfolio of ‘unlocked’ handsets, December 2014
Source: GSMA Intelligence
… but the focus is shifting to developing economies
In 2010, the global smartphone connections market was equally distributed between the
developed and developing regions. However, almost seven in every ten smartphone
connections were located in the developing world in 2014. We expect that the rate of
smartphone adoption will continue to increase over the coming years, driving the region to
encompass four in every five smartphone connections globally by 2020. The wider availability of
more affordable smartphones is an important factor behind this trend, however we expect that
the transition away from basic and feature phones in the region will take longer as the
availability of low-cost smartphones (below the $50 price point) is still limited.
As of 2014, less than a third of all connections in the developing region are smartphones,
showing the large prevalence of basic and feature phones currently. By 2020, we expect that
only around 30% of connections in the region will still be running on basic and feature phones.
Figure 2: % of regional total connections (excluding M2M)
Source: GSMA Intelligence
Our research shows that, while smartphone prices have declined since 2008 – by 30% in Asia,
25% in Latin America and 20% in Africa – the majority of smartphones in the developing world
are priced above the $100 mark, whereas the ‘sweet spot’ for these regions is considered to be
in the $25-$50 range.
Mozilla is one of the pioneers of low-cost smartphones, announcing a $25 smartphone design
at Mobile World Congress in 2014. The company’s COO, Li Gong, explained that Mozilla’s
success in driving down the cost of smartphones using its Firefox OS was down to optimising
its software for lower-cost hardware.
Gong noted that “sometimes the margin on the low-cost phones could be actually bigger than
higher cost hardware because it’s a question of what OS you put on and what optimisation you
can get from the OS. We heard lots of demand for lower prices — below $50, below $40
phones. And we hear loud and clear that the market for that sort of segment, where you convert
feature phone users to smartphone users, [is] a huge market for us”.
Last year, a number of smartphones priced between $25-$50 were introduced across the
developing region, with new models from several handset manufacturers. These launches only
mark the start of a price expansion trend towards low-cost levels that will spread to more
developing economies, contributing to the adoption of smartphones in the region – but this will
not happen overnight.
Last May, Ooredoo Group explained that in the markets it operates in, “not everyone has got a
smartphone. In fact, the majority have got feature phones or 2G phones […] certainly in the
developing market in Iraq and Indonesia and Algeria. The smartphone revolution is happening
but it is not there yet.”
GSMA Intelligence is run by GSMA Limited, a wholly owned subsidiary of GSMA
© 2015 GSMA Intelligence. GSMA, The Walbrook Building, 25 Walbrook, London EC4N 8AF
Lab #2
CELEBRITY STALKING CASE
Case Brief: The owner of a Palm Treo 650 Smart Phone was arrested for stalking outside of a
well-known celebrity’s home on the morning of May 14, 2009.
Investigators must determine if the phone contains evidence pertaining to the stalking of
______?
Case Questions
1. What is the owner’s name and address?
2. When was the device last “synched?”
3. Whose work phone number is 911?
4. What is the owner picking up before the BBQ at the beach?
5. Is there Internet history being stored on the device? If so, what sites were visited?
6. What is the Username associated with the device?
7. What is the phone number for voice mail?
8. When is “Baywatch Trivia Night?”
9. With what celebrity is the owner of the device obsessed?
10. Are there pictures of this celebrity on the device? If so, how many?
11. Write a 1-page report answering the below questions
a) Describe, in detail, three (3) functions used in Device Seizure to find the information
on the celebrity stalking case.
b) What is the importance of each function in conducting a forensics analysis on a mobile
device?
What is a SIM card?
A SIM card, also known as a subscriber identity module, is a subscriber identity
module application on a smartcard that stores data for GSM/CDMA Cellular telephone
subscribers. Such data includes user identity, network authorization data, personal
security keys, contact lists and stored text messages.
Security features include authentication and encryption to protect data and prevent
eavesdropping.
The smartcard with the subscriber identity module application is generally known as
a SIM card. But in reality, the SIM is effectively a mass-market smartcard.
When the SIM is viewed as a smartcard, it opens up security possibilities that
resonate far beyond the mobile world.
By combining stored evidence of identity (such as a key) with personal information only
the user will know (a password, for example), it offers the same two-tier authorisation
provided by smartcards.
It is becoming clear that the SIM — a feature unique to the mobile world — has
applications far beyond those for which it was originally designed. The clue is in the
name — Subscriber Identity Module. It was created to remotely authenticate users to the
network and to the billing systems that allow operators to generate revenues from voice
traffic.
The GSM standards as specified by ETSI require authentication of a mobile subscriber
through a secure device (the SIM card).
Functionality of the SIM card?
The SIM card performs the following valuable functions:
1) Identification of a subscriber: The IMSI programmed on the SIM card, is the
identity of a subscriber. Each IMSI is mapped to a mobile number and
provisioned on the HLR to allow a subscriber to be identified.
2) Authentication of a subscriber: This is a process, where, using the
authentication algorithm (COMP128V3 for 2/2.5 G GSM, CAVE for CDMA and
Milenage for 3G) on the SIM card, a unique response is provided by each
subscriber based on IMSI, Ki (stored on SIM) and RAND (provided by network).
By matching this response with values computed on the network, a legal
subscriber is logged on to the network and he or she can now make use of the
services of the mobile service provider.
3) Storage: To store phone numbers and SMS.
4) Applications: The SIM Tool Kit or GSM 11.14 standard allows creating
applications on the SIM to provide basic information on demand and other
applications for m-commerce, chatting, cell broadcast, phonebook backup,
location based services etc.
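The challenge-response exchange from item 2, with both sides shown, as an added example that is not part of the original paper. HMAC-SHA256 stands in for the operator's A3/A8 algorithm (COMP128 and Milenage are not implemented here), and the IMSI, Ki, RAND values and all class and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def a3_a8_standin(ki, rand):
    """Stand-in for A3/A8 (assumption: HMAC-SHA256, not a real GSM algorithm).

    Returns (SRES, Kc) with the GSM sizes: 32-bit response, 64-bit cipher key.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class Sim:
    """Card side: holds Ki and only ever returns values derived from it."""

    def __init__(self, imsi, ki):
        self.imsi = imsi
        self._ki = ki  # never exported; only SRES and Kc leave the card

    def run_gsm_algorithm(self, rand):
        return a3_a8_standin(self._ki, rand)


class AuthCentre:
    """Network side: maps each provisioned IMSI to its Ki."""

    def __init__(self, provisioned):
        self._ki_by_imsi = dict(provisioned)
        self._pending = {}  # imsi -> (expected SRES, Kc) for the open challenge

    def challenge(self, imsi, rand=None):
        ki = self._ki_by_imsi.get(imsi)
        if ki is None:
            return None  # unknown subscriber: no challenge issued
        # A fresh RAND per attempt; a fixed one can be passed in for testing.
        rand = rand if rand is not None else secrets.token_bytes(16)
        self._pending[imsi] = a3_a8_standin(ki, rand)
        return rand

    def verify(self, imsi, sres):
        # pop(): each challenge accepts exactly one answer.
        expected = self._pending.pop(imsi, None)
        if expected is None:
            return None
        expected_sres, kc = expected
        # Constant-time comparison of the card's response with the network's.
        return kc if hmac.compare_digest(sres, expected_sres) else None


def attach(network, sim, rand=None):
    """Runs one authentication; returns the shared Kc, or None on failure."""
    rand = network.challenge(sim.imsi, rand)
    if rand is None:
        return None
    sres, _kc_on_card = sim.run_gsm_algorithm(rand)
    return network.verify(sim.imsi, sres)


if __name__ == "__main__":
    imsi = "001010123456789"   # constructed test IMSI
    ki = bytes(range(16))      # constructed 128-bit Ki
    network = AuthCentre({imsi: ki})
    print("genuine card:", attach(network, Sim(imsi, ki)) is not None)
    # Same IMSI, different Ki: the response does not match the network's value.
    print("copied IMSI, wrong Ki:", attach(network, Sim(imsi, bytes(16))) is not None)
```

The network never sends Ki and never receives it; a card that presents the right IMSI without the right Ki produces a response that fails the comparison.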
Subscriber information, such as the IMSI (International Mobile Subscriber Identity), is
stored in the Subscriber Identity Module (SIM).
The Subscriber Identity Module (SIM) can be used to store user-defined information
such as phonebook entries.
One of the advantages of the GSM architecture is that the SIM may be moved from one
Mobile Station to another. This makes upgrades very simple for the GSM telephone
user.
Why is the SIM card secure?
The SIM card is in reality a mass-market smartcard with a subscriber identity module
application. SIM cloning should not be confused with smartcard cloning. It is not possible
to clone the smartcard, and data can only be read when the application allows the reading of
the data. (SIM cloning is covered below.)
A smartcard is very secure and provides:
i) Secure loading of the applications
ii) Secure data storage for the application data and application cryptographic keys
iii) Secure crypto operation support
However, application security depends on the application design; the smartcard only
provides a secure platform for developing secure applications. The security of a smart
card is similar to the security offered by an HSM (hardware security module).
Security of Subscriber Identity Module(SIM application)
The presence of a cryptographic algorithm and secret key in the SIM card makes the
SIM card secure.
The most sensitive information on the SIM card is the cryptographic algorithms A3 and A8, the secret
Ki, PIN, PUK and Kc. The A3 and A8 algorithms are written into the SIM card during the production
process, and most people cannot read them. The PIN code can be set by
the phone owner. The PUK code is held by the operator. Kc is derived from Ki in the process of
encryption.
The other factors which make the SIM secure are:
PIN and PUK:
PIN – Personal Identification Number
2 PINs exist (PIN 1 and PIN 2)
Limited attempts on PIN access
PUK – PIN Unblocking Code
Resetting PUK resets PIN and the attempt counter
Too many attempts on PUK blocks use permanently
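The PIN and PUK rules above modelled as a small state machine, as an added example that is not part of the original paper. The limits of 3 PIN attempts and 10 PUK attempts are assumptions (the text only says attempts are limited), and the class name and sample codes are constructed.

```python
import hmac

PIN_TRIES = 3    # assumed limit; the text only says PIN attempts are limited
PUK_TRIES = 10   # assumed limit before the card blocks permanently


class SimCardLock:
    """Models one PIN and its PUK with the retry counters described above."""

    def __init__(self, pin, puk):
        self._pin = pin
        self._puk = puk
        self.pin_tries_left = PIN_TRIES
        self.puk_tries_left = PUK_TRIES
        self.unlocked = False

    @property
    def state(self):
        if self.puk_tries_left == 0:
            return "PERMANENTLY_BLOCKED"
        if self.pin_tries_left == 0:
            return "PIN_BLOCKED"
        return "UNLOCKED" if self.unlocked else "LOCKED"

    def verify_pin(self, guess):
        # Once blocked, even the correct PIN is refused; only the PUK helps.
        if self.state in ("PIN_BLOCKED", "PERMANENTLY_BLOCKED"):
            return self.state
        if hmac.compare_digest(guess.encode(), self._pin.encode()):
            self.pin_tries_left = PIN_TRIES   # success restores the counter
            self.unlocked = True
        else:
            self.pin_tries_left -= 1          # counter lives on the card
            self.unlocked = False
        return self.state

    def unblock(self, puk_guess, new_pin):
        if self.state == "PERMANENTLY_BLOCKED":
            return self.state
        if hmac.compare_digest(puk_guess.encode(), self._puk.encode()):
            # Correct PUK: set a new PIN and reset the attempt counters.
            self._pin = new_pin
            self.pin_tries_left = PIN_TRIES
            self.puk_tries_left = PUK_TRIES
            self.unlocked = True
        else:
            self.puk_tries_left -= 1
        return self.state


def demo():
    """Walks a card (constructed PIN/PUK) through block and recovery."""
    card = SimCardLock(pin="1234", puk="12345678")
    trace = [card.verify_pin(g) for g in ("0000", "1111", "2222")]
    trace.append(card.verify_pin("1234"))          # correct, but too late
    trace.append(card.unblock("12345678", "4321")) # operator-held PUK
    trace.append(card.verify_pin("4321"))
    return trace


if __name__ == "__main__":
    print(demo())
```

Because the counters are enforced by the card itself, guessing a PIN against a seized SIM has a hard budget: exhaust the PIN attempts and the PUK is needed, exhaust the PUK attempts and the card is unusable.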
Two ways of Storing Data in SIM
1. As GSM Files
The data used for Telco and GSM operation is all stored in files.
The Telco/operator can change the data in these files through RFM over a secure channel.
Only upon successful verification of file access condition a file can be read.
All files are protected by access conditions.
2. As application data within an STK application as instance data.
mChek stores all its secured encrypted information within application data. All the
information stored is in persistent objects. Only mChek Server can access these
data through mChek OTA platform.
Further, data on the SIM is protected by administrative keys, which are in hexadecimal.
It is proven that to compromise the security of a SIM one requires physical access
to the SIM, enormous supercomputing ability and lots of time to crack one single card.
To date there are no instances of COMP128V3 (GSM), CAVE (CDMA) or Milenage (3G)
being compromised.
The few reported cases in the media are of COMP128V1, which is phased out and it is
acknowledged that this version has been hacked and with physical access it is possible
to clone these cards.
The applications on the SIM (for GSM)/RUIM (for CDMA) cards are protected by the
same set of administrative keys and are hence subject to the same levels of security.
In addition, the messages transmitted from the SIM can be encrypted with DES/TDES
which are well accepted in banking industry as a secure encryption standard.
Additional security can be enforced by implementing more complex algorithms and
digital certificates (issued by CA).
M-banking applications have been implemented across the world from Latin America to
Europe to Asia.
What are the current SIM card capabilities in the Market Place?
From the Year 2003, the SIM cards which were provided in the Market Place were Java
2.0, however, because there was no need of porting the application and due to
commercial implications this was discontinued for about 2 years and has again started to
be issued.
However, the market would have about 50% of the cards OTAC enabled
(Source: GemAlto).
Though this is the position in the market place, making all the OTAC-enabled SIM cards
application-portable compliant requires a lot of work with
the customer’s SIM card and each individual SIM vendor.
Operationally this is absolutely not feasible.
However, as we have seen in the past with the 8K to 32K migration, and keeping in mind the
kind of churn rate that we see in the industry, it will take about 3 years for all old SIM
cards to move to a new portable SIM card which can house secure banking applications.
Also Telecom Operators (Bharti Airtel has already started the exercise) can provide new
secure applications in all new activations and also ensure that they are application
portable compliant.
What needs to be done to ensure that the SIM cards in the Market Place can house
safe banking based applications?
The SIM (smartcard) provides the secure platform for developing highly secure applications.
The banking application should be designed without any security loopholes by utilizing
the secure storage and secure cryptographic operation provided by the smartcard.
The cryptographic keys used by the banking application can be loaded into the banking
application data storage on the smartcard.
The Global Platform standards can be adopted for the design and development of
Banking applications.
The SIM/RUIM is a device which is easy to distribute and cuts across the entire
subscriber base of a mobile service provider. Secure applications on a SIM/RUIM
address the entire base of a mobile service provider.
Conclusion
1. The current market scenario does not allow the SIM cards available in the market
place to be ported with applications over the air.
2. New SIM card seeding would be required for this activity, which some telcos
have already started working on.
3. SIM card is extremely secure as a mode and is ideal for Banking Applications to
be ported on.
2016 NowSecure
Mobile Security Report
TABLE OF CONTENTS
I. Introduction: Security in a mobile world
II. Mobile security requires new methods
III. Mobile security snapshot
A. System issues
1. Google Android
2. Apple iOS
B. Configuration issues
C. App issues
1. Leaky apps and social engineering
2. A note on app containerization
D. Network issues
IV. Detailed app vulnerability findings
A. Methodology
B. Overview of app security weaknesses
C. Security weaknesses by app category
1. Business
2. Finance
3. Games (aggregated)
4. Shopping
5. Social
V. Conclusion
© 2016 NowSecure. All rights reserved.
I. Introduction: Security in a mobile world
IT and security professionals who manage and secure personal and corporate-owned mobile devices for enterprises have a difficult job. People want to use a wide range of different devices and mobile apps to access enterprise assets, interact with corporate data, and collaborate with their colleagues. Because mobile began as a consumer technology, many devices lack the security and administrative functions that IT and security teams use to manage traditional endpoints such as laptops and desktops.
The speed, volume, and variety of devices coming online is incredible. Benedict Evans, an analyst at Andreessen Horowitz, summed it up well when he titled a presentation, “Mobile is eating the world.”[1]
Consider the following:
• The number of mobile devices on Earth has surpassed the number of people living on it [2]
• In 2015 more Google searches occurred on mobile devices than on computers in 10 countries [3]
• 87 percent of time spent using mobile devices is spent using apps [4]
• An average of 53,309 mobile apps were released on the Apple App Store each month in 2015 [5]
• Forrester predicted people would download more than 226 billion apps in 2015 [6]
The mobile tidal wave will not subside any time soon, and enterprises need to prepare
themselves. In 2015, Tech Pro Research reported that 74 percent of organizations allow, or
plan to allow, employees to use their personal mobile devices for work.[7] Employees want to
use their own devices, and enterprises want to realize the benefits of increased productivity
that come with the bring-your-own-device (BYOD) approach.
In discussion around BYOD, an important point is often overlooked. More important than
who owns the device is how it is used and how it is secured. Enterprise risk is increasing as
a greater variety of devices running more apps from untrusted sources connect and process
sensitive data. Tightly controlling all devices and limiting apps to a small whitelist is simply
not viable for all scenarios.
Connect with us:
www.nowsecure.com
© 2016 NowSecure. All rights reserved.
info@nowsecure.com
ABOUT THIS REPORT
We present this report, gleaned from our database of mobile security intelligence, to help IT and security pros make informed decisions about managing and securing mobile devices, mobile apps, and their enterprises’ mobile ecosystem.
Some of our eye-opening statistics regarding mobile insecurity include:
• 24.7 percent of mobile apps include at least one high risk security flaw
• The average device connects to 160 unique IP addresses every day
• 35 percent of communications sent by mobile devices are unencrypted
• Business apps are three times more likely to leak login credentials than the average app
• Games are one-and-a-half times more likely to include a high risk vulnerability than the average app
Enterprise IT and security teams should take data points such as these into consideration as
they develop and manage their mobile security strategies.
II. Mobile security requires new methods
Mobile endpoints differ from traditional endpoints in a number of ways:
• Lack of administrative, or “root,” access
• Complex, drawn-out patching cycles for device updates
• Operating system (OS) access-control that limits the functionality of security apps
• Constant connectivity, frequently traversing insecure and untrusted networks
• A broad attack surface spanning devices, apps, and back-end services and infrastructure
The traditional, malware-focused approach to network security does not translate to mobile.
According to Verizon’s 2015 Data Breach Investigations Report, only “an average of 0.03
percent of smartphones per week—out of tens of millions of mobile devices on the Verizon
network—were infected with ‘higher-grade’ malicious code.”[8] Focusing on malicious apps
leaves out too many important aspects of mobile security.
We founded NowSecure on a different approach to mobile security, which we call the SCAN
Principle. SCAN stands for System, Configuration, Apps and Network. System vulnerabilities
include security flaws in mobile operating systems. Configuration vulnerabilities include,
for example, a device that does not require a passcode for access or is jailbroken. App
vulnerabilities consist of risky apps prone to man-in-the-middle attacks or apps that store
sensitive information insecurely or send data unencrypted. Finally, network vulnerabilities
include insecure Wi-Fi connections that might allow an attacker to intercept traffic from a
device.
III. Mobile security snapshot
We’ve structured our report to highlight our findings across each domain of NowSecure’s SCAN Principle for mobile security. Much of the data comes from our proprietary collection of mobile security data, statistics and trends. Our NowSecure Intelligence database gathers and correlates more than 140 million data points each day from users of our NowSecure Protect app in more than 180 countries. The app performs anonymous, non-invasive security assessments of the mobile device on which it’s installed. This trove of data highlights device health trends, mobile device security across regions, operating systems in use, vulnerability prevalence, and the IP addresses to which devices connect with or without permission.[9]
In section IV, “Detailed app findings,” we dive deep into an analysis of vulnerabilities in more than 400,000 apps available on the Google Play app store. We tested these apps using our own dynamic analysis system that performs automated analysis of iOS and Android applications at scale.[10]
SYSTEM ISSUES
Google Android
Google leads the development of Android, an open source software stack for mobile devices. Last year, Google CEO Sundar Pichai announced that 1.4 billion people now use Android.[11] Android 6.0 Marshmallow is the most recent version of the platform, following Android 5.0 Lollipop.
The following Android statistics give you a sense of just how many people use the OS:
• 8 out of every 10 phones in the world use the Android operating system [12]
• Android currently has an estimated 1.6 million apps available on Google Play [13]
• Only 43.8 percent of Android users have adopted Android Lollipop according to NowSecure mobile security intelligence
Data collected from users of the NowSecure Protect app in January 2016.
Security issues persist within the Android OS. Statistics from our open-source app that checks
a device for recent OS vulnerabilities, Vulnerability Test Suite (VTS) for Android, show that 82
percent of Android devices were vulnerable to at least one of 25 OS flaws for which VTS tests.
Those devices could be prone to hundreds more vulnerabilities that the app doesn’t assess.
Unfortunately, a significant amount of time can pass between when a vulnerability is found
and when it’s actually patched. Once a patch is developed, it must be passed through original
equipment manufacturers (OEMs) and wireless carriers like Verizon, AT&T and T-Mobile.
Patches can take many months or more than a year to make their way to users’ devices. Even
then, OEMs or carriers sometimes choose not to patch devices. Such a lengthy patch lifecycle,
or the complete absence of a patch, leaves users exposed to attacks and data theft.
Apple iOS
Apple iOS represents the other major mobile OS platform. Based on our mobile security intelligence, 82.8 percent of iOS users have adopted iOS 9 and subsequent updates. This data point does not ensure that a particular version of iOS is secure – but shows the rate of updates is measurably faster.
Data collected from users of the NowSecure Protect app in January 2016.
Vulnerabilities still exist on iOS devices. According to an analysis of data from CVE Details, a free security vulnerability database, Apple iOS had the most vulnerabilities in 2015 with 375.[14] That’s nearly three times more than Android, which had 130. While the overall number of CVEs was higher for iOS, that statistic does not necessarily account for the risk level of each vulnerability.
In November 2015, security researcher Charlie Miller released a malicious app onto the Apple App Store to demonstrate that risks still exist within the iOS ecosystem.[15] While Apple later suspended him from its developer program, the experiment emphasizes that a developer could sneak a malicious app past Apple’s security checks.
Overall, security flaws in mobile operating systems coupled with the difficulties posed by
fragmentation and patch schedules on both Android and iOS must be taken into account
when securing your mobile ecosystem.
CONFIGURATION ISSUES
Users and how they configure their devices can also threaten the security of enterprises. A user can compromise security, compounding risk when insecure apps are involved. For example, we find that 43 percent of mobile users do not use a passcode, PIN, or pattern lock on their device. If a user doesn’t enable one of these security features and someone steals or finds the device, they would have mostly unfettered access to the data on the device, including SMS messages, emails, geo-location data, and photos. Most security features on a mobile device, including encryption and remote wipe, are ultimately dependent on having set a user passcode.
Other configuration issues can impact device security, including encryption settings, the enablement of USB debugging, and apps installed from unknown sources. Altogether the configuration plays a key part in activating the security capabilities of the mobile OS.
APP ISSUES
Here we provide a high-level summary of the security of mobile apps, based on our in-depth app vulnerability findings which are explained in the “Detailed App Vulnerability Findings” section of this report.
We define leaky apps as mobile applications that transmit or store private user information in an insecure manner. Security failures might include man-in-the-middle vulnerabilities and insecure data transmission or storage. Intentionally or not, legitimate apps can collect and transmit location, device identifiers, personal contacts, and more.
We define high risk security flaws as issues that expose data that a malicious individual could use to gather private, sensitive information and/or monitor a user’s activity.
In our analysis of more than 400,000 apps available from the Google Play store:
• 10.8 percent of all apps leak sensitive data over the network
• 24.7 percent of mobile applications have at least one high risk security flaw
• 50.0 percent of popular apps send data to an ad network including but not limited to phone numbers, IMEI number (a unique identifier assigned to cellular devices), call logs, location coordinates, and more
Leaky apps and social engineering
Any piece of personal data leaked by a mobile app should concern us all because it’s an invasion of privacy. However, the information that a mobile app might leak can prove valuable to attackers in multiple ways. Personal data leaked by multiple apps can be used as reconnaissance information to be used in social engineering schemes. For example, if the user is targeted, credentials leaked by a productivity app might grant an attacker access to a cache of sensitive information. A hacker can potentially obtain a username and GPS location, allowing them to unlock other sensitive information about a user.
A note on app containerization
App containerization involves storing encrypted data on a mobile device within an encrypted storage “container” separate from other data and apps on the device. Access to the container requires authentication, making it inaccessible without valid credentials. IT teams can then control business data separate from personal data on employee devices. Containerization also has benefits beyond control of data: organizations can wipe container data, revoke access to specific data, fulfill industry and regulatory compliance requirements, manage multiple types of devices and platforms, and increase employee access to important data.
App containerization alone should not be counted on to protect mobile endpoints, however, as it’s only one piece of a secure mobile ecosystem. Containerization software has substantial costs to install and maintain, and requires users to go through additional steps to access needed data, which can result in a poor user experience and abandonment. In addition, app containerization, if relied upon alone, can serve as a single point of failure: a secure container on an insecure mobile device yields an insecure container. For more information about app containerization and where it might fit into your mobile security strategy, see the NowSecure whitepaper, “Four Myths of Containerization.”[16]
NETWORK ISSUES
One of mobile’s most beneficial aspects, continual connectivity, is also one of its greatest
weaknesses. Our data shows that half of mobile devices connect to unsecured Wi-Fi each
month, which exposes devices to data loss and manipulation. Even if a device connects
to the Internet using a secure connection, it’s astonishing to note all of the connections
devices and apps make with servers around the world. The average mobile device connects
to approximately 160 unique servers every day. Any one of those connections could expose
your enterprise to risk. In addition, 35 percent of the data transmitted via those connections
is unencrypted.
IV. Detailed app vulnerability findings
METHODOLOGY
Our detailed app findings come from the analysis of more than 400,000 apps published
on the Google Play store. We evaluated these apps using NowSecure’s automated app
security testing system. The scalable system allows us to test mobile applications for high
risk security and privacy problems including the sending of sensitive data without proper
encryption. Each app is automatically tested on a physical device to reduce false positives
and avoid instances where an app avoids executing functions because it detects that it is
running on an emulator.
As part of our data-gathering and analysis, we have recorded distinct issues for each
application. We classify these issues as high risk security flaws as they all expose data a
malicious individual could use to gather private, sensitive information or monitor a user’s
activity. Data leaks include information an attacker could obtain either over the network or
directly from the device itself.
The following chart details the issues evaluated as part of this app security testing study.
SENSITIVE DATA ISSUES:
Email leak
The app leaks the user’s email address.
Username leak
The app leaks the user’s username associated with that application.
Password leak
The app exposes the user’s password for that application.
IMEI leak
IMEI stands for International Mobile Station Equipment Identity and is used by a GSM digital cellular network to
identify valid devices.
Name leak
The app leaks the user’s first and/or last name.
GPS leak
The app leaks GPS data potentially allowing for the tracking of a user’s location.
MAC address leak
The app exposes the device’s media access control (MAC) address, which is a unique identifier assigned to network
interfaces for communications on the device.
NETWORK ISSUES:
Improper TLS usage
Improper validation of TLS can result in partial or complete degradation of a connection’s privacy and authenticity.
This can result in leaking sensitive data such as credit card information and increasing the attack surface significantly
(i.e., code considered by the server to be secure could be manipulated).
.Zip files
.Zip files refer to an app that allows the installation of a .zip file. Unvalidated .zip files might allow for the modifying of
code or app parameters (e.g., altering the IP address to which communications are sent).
FILE SYSTEM ISSUES:
World-readable files
A file with world-readable permissions enabled would allow anyone to read that file’s contents.
World-writable files
A file with world-writeable permissions enabled would allow anyone to overwrite that file’s contents, which can lead
to arbitrary code execution.
OTHER ISSUES:
Arbitrary code execution
This allows an attacker with write-only permissions to execute code in the context of the victim app.
Directory traversal content providers
Apps share content that is exported by default and allows other apps on the device to request and obtain sensitive
information.
Running superuser (SU)
The app attempts to run as superuser (SU), potentially enabling root access on your device.
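The file system issues defined above can be checked on a copy of an app's data directory by reading the "other" permission bits of each file. The following is an added example, not code from the report or from NowSecure's testing system; the directory layout, the file names, and the list of code file suffixes are assumptions made for illustration.

```python
import os
import stat

# Assumption: file types an app may load as code; adjust for the platform under test.
CODE_SUFFIXES = (".so", ".dex", ".jar", ".apk")

def audit_tree(root):
    """Return {relative_path: [findings]} for regular files open to 'other' users."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue  # skip symlinks, sockets and other non-regular files
            issues = []
            if mode & stat.S_IROTH:
                issues.append("world-readable")
            if mode & stat.S_IWOTH:
                issues.append("world-writable")
                # A world-writable file the app loads or executes is the
                # code-execution case the definition above warns about.
                if name.endswith(CODE_SUFFIXES) or mode & stat.S_IXUSR:
                    issues.append("writable-code")
            if issues:
                findings[os.path.relpath(path, root)] = issues
    return findings

def build_sample(root):
    """Create a constructed layout standing in for an app's private data directory."""
    layout = {
        "shared_prefs/session.xml": 0o664,  # readable by everyone
        "databases/users.db": 0o600,        # owner only: no finding
        "files/cache.tmp": 0o666,           # readable and writable by everyone
        "lib/plugin.so": 0o666,             # writable code file
    }
    for rel, mode in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root
```
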
Our automated app security testing system also allows us to gather metadata about an app
including its category and number of downloads, which allowed us to filter and group the
information as we have below.
OVERVIEW OF APP SECURITY WEAKNESSES
We examined the results of security testing 400,000 mobile apps and recorded the
following prevalence of high risk security issues in those apps.
We identified at least one high risk issue in almost one in four mobile apps. Out of all the
mobile apps we tested, 13.3 percent had file system issues. Sensitive data leaks and
network issues were less prevalent than other issues across all mobile apps, at 10.7 percent
and 3.8 percent respectively.
The chart below illustrates the quantity of issues found by type for the most popular apps
on the Google Play store. We’ve defined popular apps as those with more than 1 million
downloads. In total, we found 16,036 high risk issues among these popular applications.
This chart illustrates that mobile apps continue to leak usernames, passwords, and email
addresses. This is particularly concerning because many users reuse the same username
and password for different applications. The compromise of a user’s credentials for one app
could easily lead to the compromise of another app or web account.
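The sensitive data issues listed earlier (email, username, password, IMEI, GPS, and MAC address leaks) can be looked for in captured app traffic by scanning the query strings of requests sent without encryption. The following is an added example, not the report's or NowSecure's own tooling; the parameter names, hosts, and sample capture are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")
IMEI_RE = re.compile(r"\b\d{15}\b")
COORD_RE = re.compile(r"-?\d{1,3}\.\d{4,}")
# Parameter names are assumptions; real apps use many spellings.
KEY_NAMES = {"password": {"password", "passwd", "pwd"},
             "username": {"username", "user", "login"}}
GPS_KEYS = {"lat", "latitude", "lon", "lng", "longitude"}

def luhn_ok(digits):
    """An IMEI ends in a Luhn check digit, which filters out arbitrary 15-digit IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

VALUE_CHECKS = {
    "email": lambda v: EMAIL_RE.search(v),
    "mac": lambda v: MAC_RE.search(v),
    "imei": lambda v: any(luhn_ok(m) for m in IMEI_RE.findall(v)),
}

def scan_request(url):
    """Return the sorted leak types found in one request's query string."""
    found = set()
    for key, value in parse_qsl(urlsplit(url).query):
        k = key.lower()
        found.update(kind for kind, names in KEY_NAMES.items() if k in names)
        found.update(kind for kind, check in VALUE_CHECKS.items() if check(value))
        if k in GPS_KEYS and COORD_RE.fullmatch(value):
            found.add("gps")
    return sorted(found)

def scan_capture(urls):
    """Report only requests sent without encryption (http://) that carry a leak."""
    hits = {u: scan_request(u) for u in urls if urlsplit(u).scheme == "http"}
    return {u: leaks for u, leaks in hits.items() if leaks}

# Constructed sample capture; hosts and values are made up for this example.
SAMPLE_CAPTURE = [
    "http://ads.example.test/track?imei=490154203237518&mac=02:00:00:AA:BB:CC",
    "http://api.example.test/login?username=alice&password=hunter2&email=alice%40example.com",
    "https://api.example.test/login?username=alice&password=hunter2",
    "http://cdn.example.test/img?id=123456789012345",
    "http://geo.example.test/near?lat=40.4406&lon=-79.9959",
]
```

The third request carries credentials but travels over HTTPS, so `scan_capture` leaves it out; the fourth contains a 15-digit value that fails the Luhn check and is not treated as an IMEI.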
SECURITY WEAKNESSES BY APP CATEGORY
We examined the results of security testing 400,000 mobile apps and recorded the
following prevalence of high risk security issues in those apps.
Business
Apps in the Business category improve productivity and perform business functions such
as scanning documents, sharing and storing files, recording financial transactions, managing
schedules, and other business tasks.
We tested 5,104 apps within the Business category. Users install an average of 1.6 business
apps on their mobile devices. We found at least one high-risk vulnerability in 27.6 percent
of business apps, which is 2.8 percent higher than in the average app. Looking at specific
issues, business apps are three times more likely to leak usernames and passwords than the
average app.
Finance
Apps in the Finance category include banking applications, payment apps, and insurance
apps. These apps might store credit card information, allow for sending currency, and save
personal banking information.
We tested 5,201 apps within Google Play’s Finance category. We find that users install
an average of 1.8 finance apps on their device. Finance apps were more secure than the
average app: we found at least one high risk vulnerability in only 16.9 percent
of them, which is 7.8 percent lower than in the average app. We identified file system issues
in only 10.1 percent of finance apps, 3.3 percent less than the average app. Only 4.2 percent
of the finance apps we tested leaked sensitive data, which is 6.6 percent less than the
average.
Games (aggregated)
The Google Play store includes 17 distinct games categories. We’ve aggregated our findings
across those categories into a single Games category here. Game apps feature in-app
purchases, present ads to users, and save user information as a profile for playing
specific games.
We tested 56,964 apps within the Games category. We find that 5.2 games apps are
installed on the average device. Our findings show that game apps are 1.5 times more likely
to have at least one high risk vulnerability than the average app. File system issues are
present in 17.1 percent of games apps compared to 13.3 percent in all apps.
What concerns us most about the game apps is that 32.8 percent of apps in the category
leak sensitive data, which is three times as much as the average mobile app. Game apps are
also nine times more likely than the average app to have a network issue.
Shopping
Apps in the Shopping category include apps from retailers used to purchase goods, services,
and more. You can use these apps to browse items, submit reviews, make purchases, or
create and save a user profile for future shopping.
We tested 2,947 apps in the Shopping category. Our research shows that the average
device has two shopping apps installed. Shopping apps are 1.5 times more likely to have at
least one high risk vulnerability compared to the average app. In addition, 24.8 percent of
the shopping apps we tested possessed file system issues, which is 1.9 times higher than
the average app.
Social
Apps that allow users to participate in social media make up the Social category. These
applications share messages, photos, videos, and other media through popular social media
platforms.
We tested 4,503 apps within Google Play’s Social category. Users install an average of
3.7 social apps on their mobile device. We found at least one high risk vulnerability in
30.5 percent of social apps – 5.8 percent more than in the average app. Compared to apps
overall, social apps are 4.1 times more likely to leak a username, 3.8 times more likely to
leak a password, and 4.7 times more likely to leak a user’s email address.
V. Conclusion
We founded NowSecure focused solely on mobile security. Our company mission is to
secure mobile devices and apps and protect the people that use them. Our mobile app
testing, device monitoring, forensics and security intelligence capabilities provide us with a
unique set of mobile security data.
We published this report to share some of that data and the resulting insights with the
public. We also aim to help enterprises manage and secure the mobile devices and apps
that connect with their corporate assets each day. IT and security teams should take the
following key points away from the 2016 NowSecure Mobile Security Report:
• Mobile security requires a different approach not focused on malware.
Leaky apps that store or transmit sensitive personal and corporate data in
an insecure manner are of far greater concern at this point in time.
• Even legitimate apps without intentionally malicious functionality that are
downloaded from official app marketplaces can include high risk security
issues.
• Mobile security requires identifying and remediating security issues in
device OSs and configurations, the apps installed on those devices, and the
network connections those devices make each day.
SOURCES
1 http://a16z.com/2014/10/28/mobile-is-eating-the-world/
2 http://www.independent.co.uk/life-style/gadgets-and-tech/news/there-are-officiallymore-mobile-devices-than-people-in-the-world-9780518.html
3 http://adwords.blogspot.com/2015/05/building-for-next-moment.html
4 https://www.comscore.com/Insights/Presentations-and-Whitepapers/2015/The-2015US-Mobile-App-Report
5 http://www.pocketgamer.biz/metrics/app-store/app-count/
6 http://blogs.forrester.com/satish_meena/15-06-22-consumers_will_download_more_than_226_billion_apps_in_2015
7 http://www.zdnet.com/article/research-74-percent-using-or-adopting-byod/
8 http://www.verizonenterprise.com/DBIR/2015/
9 https://www.nowsecure.com/intelligence/
10 https://www.nowsecure.com/blog/2015/12/17/finding-mobile-vulnerabilities-atscale/
11 http://www.ubergizmo.com/2015/09/over-1-4-billion-people-are-now-using-android/
12 http://www.cnet.com/news/google-io-by-the-numbers-1b-android-users-900m-ongmail/
13 http://www.statista.com/statistics/266210/number-of-available-applications-in-thegoogle-play-store/
14 http://venturebeat.com/2015/12/31/software-with-the-most-vulnerabilities-in-2015mac-os-x-ios-and-flash/
15 http://www.zdnet.com/article/after-latest-iphone-hack-charlie-miller-kicked-out-ofios-dev-program/
16 https://info.nowsecure.com/containerization-four-myths/