The mobile security model is broken: V-Key

Mobile applications trust in their operating system to ensure that security is not compromised, but when the operating system itself can be easily broken, the entire mobile security model simply doesn't hold up.

More malware is appearing on mobile devices themselves, and despite security measures such as full-device encryption, it can steal information regardless of the roadblocks that businesses put in its way, according to V-Key CTO Joseph Gan.

Joseph Gan. Image: Michael Lee/ZDNet

Speaking at the RSA Conference Asia Pacific in Singapore on Wednesday, Gan said that while the main concern among enterprises used to be the loss of data when a device goes missing or is stolen, businesses now have to deal with hidden malware that evades most controls put in place.

"If your employee loses his mobile device ... you can make sure that your customer lists and all that aren't lost; that your backups aren't lost. But the challenge that we're seeing is that because the applications that use data move on to the device, the threats actually are moving on to the mobile device as well."

Gan said that attackers are also not simply restricting themselves to retrieving data, with some malware sitting on devices and accessing data while the user is actively running applications.

The root of the problem lies with the operating system, Gan said, even when full-device encryption is used.

"The operating system has access to all this 'encrypted' data, and, in the end, the application has to have access to all this data. Once the application is running ... the application is able to access the data within the mobile application within the operating system, whether that's the keychain, or their documents folder, or your preferences," he said.

"Essentially, your whole security model of confidentiality is entirely broken. The root cause is because the application has to trust the underlying operating system."

Similarly, once the operating system is compromised, it provides hackers with the ability to defeat SSL encryption by replacing certificates with their own in order to conduct man-in-the-middle attacks.

While many businesses simply reduce their risk profile by enforcing a policy that devices connected to their networks must not be rooted, Gan said that there are a multitude of ways that attackers can hide the telltale signs that a device has been rooted. In addition, he said that going to the application layer and reverse engineering the checks for root-enabled devices is simple.

"There was a penetration test I did for a banking application once, and they had a check which basically tried to determine if it was running on a jailbroken iPhone, and, if it was, it popped up an alert dialog box saying 'You cannot run this on a jailbroken phone'."

From there, Gan simply decompiled the application and searched for the string in the dialog box to determine where the check was being performed.

"[I] changed the branch instruction to essentially bypass the check, and I patched it, literally modifying one byte in the application."

Gan did acknowledge that hardware-based security measures, such as the secure element method used for mobile payments, de-couple secure storage from the operating system. However, this approach still has an innate flaw in that the information still needs to be processed by the operating system at some stage.

"We saw that with Google Wallet shortly after it came out. The attack wasn't in the Google Wallet itself, but it was actually on the access, because the user enters the PIN within the operating system in the application, and attackers could extract out the PIN because it's happening within software."

Gan didn't have an answer for how to secure the operating system completely, but he did offer some advice that might help slow attackers down. For hidden services that attackers have installed, such as an SSH daemon, administrators could search for any applications or ports that have been opened or owned by the root user.

When dealing with applications that may have been modified and repackaged by an attacker, Gan said their integrity could be tested by computing a checksum hash and checking for signed code, but admitted that this would likely only slow down an attacker.

Taking an older, signature-based approach, which Gan quickly admitted wouldn't slow attackers down by very much, admins could look to see what libraries are loaded, such as well-known keylogging libraries. This could also be used in combination with looking at which API calls are being intercepted.

Gan pointed to the example of keylogging application iKeyGuard. The application intercepts the UIKeyboard notification, enabling a rogue application to log information every time the user presses a key.

"You are able to verify when these functions have been 'hooked'. It's not that difficult; you just need to figure out what they're hooking."
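A minimal run-time self-check of the kind Gan describes, added here as an example and not code from V-Key or from the talk: it walks the libraries loaded into the process against a constructed deny-list of names, and checks that a libc function still resolves into the same image as a known-good sibling, which is how a hook interposed from an injected library shows up. The dyld and /proc/self/maps walks, and the deny-list entries, are assumptions made for the demo.

```c
#define _GNU_SOURCE              /* glibc: expose dlsym(RTLD_DEFAULT), dladdr, Dl_info */
#include <dlfcn.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __APPLE__
#include <mach-o/dyld.h>
#endif
#ifndef RTLD_DEFAULT             /* headers were seen before _GNU_SOURCE: declare the GNU bits */
#define RTLD_DEFAULT ((void *)0)
typedef struct { const char *dli_fname; void *dli_fbase;
                 const char *dli_sname; void *dli_saddr; } Dl_info;
int dladdr(const void *addr, Dl_info *info);
#endif

/* Constructed deny-list of library-name fragments (assumption for the demo). */
static const char *suspect_libs[] = { "iKeyGuard", "keylog" };

/* 1 if the image's basename contains a deny-listed fragment, else 0. */
int is_suspect_lib(const char *path) {
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    for (size_t i = 0; i < sizeof suspect_libs / sizeof *suspect_libs; i++)
        if (strstr(base, suspect_libs[i])) return 1;
    return 0;
}

/* Count loaded images that match the deny-list: dyld on Apple platforms,
 * executable mappings in /proc/self/maps elsewhere so the demo runs on Linux. */
int count_suspect_images(void) {
    int count = 0;
#ifdef __APPLE__
    for (uint32_t i = 0; i < _dyld_image_count(); i++)
        count += is_suspect_lib(_dyld_get_image_name(i));
#else
    char line[512];
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps) return -1;
    while (fgets(line, sizeof line, maps)) {
        char *path = strchr(line, '/');      /* file-backed mappings carry a path */
        if (path && strstr(line, "r-xp")) {   /* only code segments */
            path[strcspn(path, "\n")] = 0;
            count += is_suspect_lib(path);
        }
    }
    fclose(maps);
#endif
    return count;
}

/* 1 if `name` resolves into the same loaded image as `reference_name`.
 * A hook interposed from an injected library resolves to that library instead. */
int symbol_images_match(const char *name, const char *reference_name) {
    Dl_info a, b;
    void *f = dlsym(RTLD_DEFAULT, name), *r = dlsym(RTLD_DEFAULT, reference_name);
    if (!f || !r || !dladdr(f, &a) || !dladdr(r, &b)) return 0;
    return a.dli_fname && b.dli_fname && strcmp(a.dli_fname, b.dli_fname) == 0;
}
```

Checking the basename rather than the full path keeps the deny-list independent of where a jailbreak tweak installs itself; a production check would also compare the resolved address against the symbol's expected location inside the image.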

Michael Lee travelled to Singapore as a guest of RSA.
