{"captions":[{"content":"[Seminar] [Defending Behind the Device: Mobile Application Security]","startTime":0,"duration":2610,"startOfParagraph":false},{"content":"[Chris Wysopal] [Harvard University]","startTime":2610,"duration":1770,"startOfParagraph":false},{"content":"[This is CS50.] [CS50.TV]","startTime":4380,"duration":3450,"startOfParagraph":false},{"content":"Good afternoon. My name is Chris Wysopal.","startTime":7830,"duration":2530,"startOfParagraph":true},{"content":"I'm the CTO and co-founder of Veracode.","startTime":10360,"duration":3000,"startOfParagraph":false},{"content":"Veracode is an application security company.","startTime":13360,"duration":2520,"startOfParagraph":false},{"content":"We test all kinds of different applications,","startTime":15880,"duration":2350,"startOfParagraph":false},{"content":"and what I'm going to talk about today is mobile application security.","startTime":18230,"duration":6830,"startOfParagraph":false},{"content":"My background is I've been doing security research ","startTime":25060,"duration":3570,"startOfParagraph":false},{"content":"for a very long time, probably about as long as anybody.","startTime":28630,"duration":3340,"startOfParagraph":false},{"content":"I started in the mid-90s,","startTime":31970,"duration":3030,"startOfParagraph":false},{"content":"and it was a time that was pretty interesting because ","startTime":35000,"duration":2370,"startOfParagraph":false},{"content":"we had a paradigm change in the mid-90s.","startTime":37370,"duration":1850,"startOfParagraph":false},{"content":"All of a sudden everyone's computer was hooked up to the internet,","startTime":39220,"duration":4300,"startOfParagraph":false},{"content":"and then we had the beginnings of web applications,","startTime":43520,"duration":3030,"startOfParagraph":false},{"content":"and that's what I focused on a lot then.","startTime":46550,"duration":2780,"startOfParagraph":false},{"content":"It's interesting. 
","startTime":49330,"duration":1830,"startOfParagraph":false},{"content":"Now we have another paradigm change happening with computing,","startTime":51160,"duration":2770,"startOfParagraph":false},{"content":"which is the shift to mobile applications.","startTime":53930,"duration":4780,"startOfParagraph":false},{"content":"I feel it's kind of a similar time than it was in the late 90s","startTime":58710,"duration":4970,"startOfParagraph":true},{"content":"when we were investigating web applications and finding defects like","startTime":63680,"duration":3970,"startOfParagraph":false},{"content":"session management errors and SQL injection","startTime":67650,"duration":4150,"startOfParagraph":false},{"content":"which really didn't exist before, and all of a sudden they were everywhere","startTime":71800,"duration":3140,"startOfParagraph":false},{"content":"in web applications, and now a lot of the time I spend","startTime":74940,"duration":4420,"startOfParagraph":false},{"content":"is looking at mobile applications and looking at what's going on out there in the wild.","startTime":79360,"duration":8590,"startOfParagraph":false},{"content":"Mobile applications are really going to be the dominant computing platform,","startTime":87950,"duration":4110,"startOfParagraph":false},{"content":"so we really need to spend a lot of time if you're in the security industry","startTime":92060,"duration":3000,"startOfParagraph":false},{"content":"focusing on web applications.","startTime":95060,"duration":4220,"startOfParagraph":false},{"content":"There were 29 billion mobile apps downloaded in 2011.","startTime":99280,"duration":4140,"startOfParagraph":false},{"content":"It's predicted to be 76 billion apps by 2014.","startTime":103420,"duration":4500,"startOfParagraph":false},{"content":"There are 686 million devices that are going to be purchased this year,","startTime":107920,"duration":6120,"startOfParagraph":false},{"content":"so this is where people are going to be 
doing","startTime":114040,"duration":3020,"startOfParagraph":false},{"content":" the majority of their client computing going forward.","startTime":117060,"duration":2540,"startOfParagraph":false},{"content":"I was talking to a vice president at Fidelity Investments","startTime":119600,"duration":4620,"startOfParagraph":true},{"content":"a couple months ago, and he said they just saw more traffic","startTime":124220,"duration":4560,"startOfParagraph":false},{"content":"doing financial transactions from their customer base","startTime":128780,"duration":3830,"startOfParagraph":false},{"content":"on their mobile application than on their website,","startTime":132610,"duration":3620,"startOfParagraph":false},{"content":"so a common use for the Web in the past has been","startTime":136230,"duration":4380,"startOfParagraph":false},{"content":"checking your stock quotes, managing your portfolio,","startTime":140610,"duration":3190,"startOfParagraph":false},{"content":"and we're actually seeing that in 2012 switch over","startTime":143800,"duration":4260,"startOfParagraph":false},{"content":"to be more dominant on the mobile platform.","startTime":148060,"duration":2900,"startOfParagraph":false},{"content":"Certainly if there's going to be any criminal activity,","startTime":150960,"duration":3570,"startOfParagraph":false},{"content":"any malicious activity, it's going to start to be focused on the mobile platform","startTime":154530,"duration":4370,"startOfParagraph":false},{"content":"over time as people switch over to that.","startTime":158900,"duration":5310,"startOfParagraph":false},{"content":"If you look at the mobile platform,","startTime":164210,"duration":4110,"startOfParagraph":false},{"content":"to look at the risks of the platform it's useful to break it down into the different layers,","startTime":168320,"duration":6060,"startOfParagraph":false},{"content":"just like you would do it on a desktop 
computer,","startTime":174380,"duration":4630,"startOfParagraph":false},{"content":"and you think about the different layers, software, operating system,","startTime":179010,"duration":3850,"startOfParagraph":false},{"content":"network layer, hardware layer, and of course, there's vulnerabilities on all those layers.","startTime":182860,"duration":4870,"startOfParagraph":false},{"content":"The same thing happens on mobile.","startTime":187730,"duration":2780,"startOfParagraph":true},{"content":"But mobile, it seems that some of those layers are worse off.","startTime":190510,"duration":4370,"startOfParagraph":false},{"content":"For one, the network layer is more problematic on mobile","startTime":194880,"duration":4960,"startOfParagraph":false},{"content":"because a lot of people have in their office or at home","startTime":199840,"duration":5810,"startOfParagraph":false},{"content":"wired connections or they have secure Wi-Fi connections,","startTime":205650,"duration":5130,"startOfParagraph":false},{"content":"and with a lot of mobile devices you're obviously outside of the home","startTime":210780,"duration":5750,"startOfParagraph":false},{"content":"or outside of the office a lot, and if you're using Wi-Fi there","startTime":216530,"duration":3990,"startOfParagraph":false},{"content":"you might be using an insecure Wi-Fi connection, ","startTime":220520,"duration":2300,"startOfParagraph":false},{"content":"something that's a public Wi-Fi connection,","startTime":222820,"duration":2750,"startOfParagraph":false},{"content":"so when we think about mobile apps we have to take into account","startTime":225570,"duration":3270,"startOfParagraph":false},{"content":"that the network environment is riskier for those applications","startTime":228840,"duration":4930,"startOfParagraph":false},{"content":"when Wi-Fi is being used.","startTime":233770,"duration":3870,"startOfParagraph":false},{"content":"And when I get into more of the mobile application risks 
","startTime":237640,"duration":4770,"startOfParagraph":false},{"content":"you'll see why that's more important.","startTime":242410,"duration":2500,"startOfParagraph":false},{"content":"There are risks at the hardware level on mobile devices.","startTime":244910,"duration":4800,"startOfParagraph":false},{"content":"This is an area of ongoing research.","startTime":249710,"duration":1960,"startOfParagraph":false},{"content":"People call these broadband attacks or baseband attacks","startTime":251670,"duration":4240,"startOfParagraph":false},{"content":"where you're attacking the firmware that's listening on the radio.","startTime":255910,"duration":5960,"startOfParagraph":false},{"content":"These are really scary attacks because ","startTime":261870,"duration":3560,"startOfParagraph":true},{"content":"the user doesn't have to do anything.","startTime":265430,"duration":1850,"startOfParagraph":false},{"content":"You can hit lots of devices within RF range","startTime":267280,"duration":3480,"startOfParagraph":false},{"content":"at once, and it seems like whenever this research bubbles up","startTime":270760,"duration":5930,"startOfParagraph":false},{"content":"it quickly gets classified where","startTime":276690,"duration":4060,"startOfParagraph":false},{"content":"people swoop in around and say, \"Here, tell us about that, and please stop talking about it.\"","startTime":280750,"duration":5850,"startOfParagraph":false},{"content":"There's some research going on in the broadband area,","startTime":286600,"duration":2860,"startOfParagraph":false},{"content":"but it seems to be very hush hush.","startTime":289460,"duration":2520,"startOfParagraph":false},{"content":"I think it's more of a nation state type of research that's going on.","startTime":291980,"duration":4930,"startOfParagraph":false},{"content":"An area of active research, though, is the operating system layer,","startTime":296910,"duration":5230,"startOfParagraph":false},{"content":"and again, this is 
different than in the desktop computing world","startTime":302140,"duration":6770,"startOfParagraph":false},{"content":"because in the mobile space you have these teams of people called jailbreakers,","startTime":308910,"duration":5930,"startOfParagraph":false},{"content":"and jailbreakers are different than regular vulnerability researchers.","startTime":314840,"duration":3830,"startOfParagraph":false},{"content":"They're trying to find vulnerabilities in the operating system,","startTime":318670,"duration":3300,"startOfParagraph":false},{"content":"but the reason they're trying to find the vulnerabilities is not to","startTime":321970,"duration":5030,"startOfParagraph":false},{"content":"break into someone else's machine and compromise it.","startTime":327000,"duration":4810,"startOfParagraph":false},{"content":"It's to break into their own computer.","startTime":331810,"duration":2470,"startOfParagraph":false},{"content":"They want to break into their own mobile, modify their own mobile's operating system","startTime":334280,"duration":4540,"startOfParagraph":true},{"content":"so that they can run the applications of their choice ","startTime":338820,"duration":2230,"startOfParagraph":false},{"content":"and change things with full administrative permissions,","startTime":341050,"duration":3460,"startOfParagraph":false},{"content":"and they don't want to tell the vendor about this.","startTime":344510,"duration":4540,"startOfParagraph":false},{"content":"They're not like a security researcher which is a white hat security researcher","startTime":349050,"duration":3910,"startOfParagraph":false},{"content":"which is going to do responsible disclosure and tell the vendor about it.","startTime":352960,"duration":3640,"startOfParagraph":false},{"content":"They want to do this research, and they want to actually publish it","startTime":356600,"duration":4670,"startOfParagraph":false},{"content":"in an exploit or a rootkit or a jailbreak 
code,","startTime":361270,"duration":5130,"startOfParagraph":false},{"content":"and they want to do it strategically, like right after ","startTime":366400,"duration":3610,"startOfParagraph":false},{"content":"the vendor ships the new operating system.","startTime":370010,"duration":3560,"startOfParagraph":false},{"content":"You have this adversarial relationship ","startTime":373570,"duration":2780,"startOfParagraph":false},{"content":"with OS-level vulnerabilities on the mobile, ","startTime":376350,"duration":2650,"startOfParagraph":false},{"content":"which I think is quite interesting, and one place we see it","startTime":379000,"duration":4150,"startOfParagraph":false},{"content":"is it makes it so that there's good published exploit code out there","startTime":383150,"duration":6060,"startOfParagraph":false},{"content":"for kernel-level vulnerabilities, ","startTime":389210,"duration":2540,"startOfParagraph":false},{"content":"and we've seen those actually be used by malware writers.","startTime":391750,"duration":3290,"startOfParagraph":false},{"content":"It's a little bit different than the PC world.","startTime":395040,"duration":3410,"startOfParagraph":false},{"content":"And then the final layer is the top layer, the application layer.","startTime":398450,"duration":4080,"startOfParagraph":false},{"content":"That's what I'm going to talk about today.","startTime":402530,"duration":2720,"startOfParagraph":false},{"content":"The other layers exist, and the other layers play into it,","startTime":405250,"duration":3720,"startOfParagraph":true},{"content":"but I'm mostly going to talk about what's going on at the application layer","startTime":408970,"duration":4340,"startOfParagraph":false},{"content":"where code is running in the sandbox.","startTime":413310,"duration":2250,"startOfParagraph":false},{"content":"It doesn't have administrative privileges.","startTime":415560,"duration":3110,"startOfParagraph":false},{"content":"It has to use the APIs of the 
device,","startTime":418670,"duration":3500,"startOfParagraph":false},{"content":"but still, a lot of malicious activity and a lot of risk can happen at that layer","startTime":422170,"duration":4800,"startOfParagraph":false},{"content":"because that's the layer where all the information is.","startTime":426970,"duration":2250,"startOfParagraph":false},{"content":"Apps can access all the information on the device","startTime":429220,"duration":3110,"startOfParagraph":false},{"content":"if they have the right permissions,","startTime":432330,"duration":3060,"startOfParagraph":false},{"content":"and they can access the different sensors on the device,","startTime":435390,"duration":2150,"startOfParagraph":false},{"content":"GPS sensor, microphone, camera, what have you.","startTime":437540,"duration":6410,"startOfParagraph":false},{"content":"Even though we're only talking about at the application layer","startTime":443950,"duration":3430,"startOfParagraph":false},{"content":"we have a lot of risk there.","startTime":447380,"duration":6320,"startOfParagraph":false},{"content":"The other thing that's different about the mobile environment","startTime":453700,"duration":4750,"startOfParagraph":false},{"content":"is all the operating system players, be it BlackBerry or Android ","startTime":458450,"duration":6610,"startOfParagraph":false},{"content":"or iOS or Windows Mobile, they all have a fine-grained permission model,","startTime":465060,"duration":8350,"startOfParagraph":false},{"content":"and this is one of the ways that they built into the operating system","startTime":473410,"duration":3580,"startOfParagraph":false},{"content":"the idea that it's not as risky as you think.","startTime":476990,"duration":4240,"startOfParagraph":false},{"content":"Even though you have all your contacts on there, all your personal information,","startTime":481230,"duration":3320,"startOfParagraph":false},{"content":"you have your photos, you have your location on 
there,","startTime":484550,"duration":4530,"startOfParagraph":false},{"content":"you're storing your bank PIN for auto login on there, it's safe because ","startTime":489080,"duration":5740,"startOfParagraph":false},{"content":"apps have to have certain permissions to get at certain parts","startTime":494820,"duration":4610,"startOfParagraph":false},{"content":"of the information on the device, and the user has to be presented with","startTime":499430,"duration":5650,"startOfParagraph":false},{"content":"these permissions and say okay.","startTime":505080,"duration":4150,"startOfParagraph":false},{"content":"The problem with it is the user always says okay.","startTime":509230,"duration":3360,"startOfParagraph":true},{"content":"As a security person, I know you can prompt the user,","startTime":512590,"duration":2650,"startOfParagraph":false},{"content":"say something really bad is going to happen, do you want it to happen?","startTime":515240,"duration":4860,"startOfParagraph":false},{"content":"And if they're in a rush or there's something really enticing on the other side of that,","startTime":520100,"duration":4580,"startOfParagraph":false},{"content":"like a game is going to be installed that they've been waiting for,","startTime":524680,"duration":3080,"startOfParagraph":false},{"content":"they're going to click okay.","startTime":527760,"duration":3100,"startOfParagraph":false},{"content":"That's why I say on my slide here just let me fling birds at pigs already,","startTime":530860,"duration":5770,"startOfParagraph":false},{"content":"and you can see on the slide here there's examples of a BlackBerry permission box.","startTime":536630,"duration":6520,"startOfParagraph":false},{"content":"It says \"Please set the BlackBerry Travel application permissions","startTime":543150,"duration":2840,"startOfParagraph":false},{"content":"after clicking button below,\" and basically the user is just going to say 
","startTime":545990,"duration":3730,"startOfParagraph":false},{"content":"set the permissions and save.","startTime":549720,"duration":2520,"startOfParagraph":false},{"content":"Here's an Android prompt where it shows things,","startTime":552240,"duration":5770,"startOfParagraph":false},{"content":"and it actually puts something that almost looks like a warning.","startTime":558010,"duration":2250,"startOfParagraph":false},{"content":"It's got a sort of yield sign there saying network communication, phone call,","startTime":560260,"duration":4830,"startOfParagraph":false},{"content":"but the user is going to click install, right?","startTime":565090,"duration":3030,"startOfParagraph":false},{"content":"And then the Apple one is completely innocuous.","startTime":568120,"duration":4820,"startOfParagraph":false},{"content":"It doesn't give any kind of warning.","startTime":572940,"duration":1360,"startOfParagraph":false},{"content":"It's just Apple would like to use your current location.","startTime":574300,"duration":3080,"startOfParagraph":false},{"content":"Of course you're going to click okay.","startTime":577380,"duration":2290,"startOfParagraph":false},{"content":"There is this fine-grained permission model,","startTime":579670,"duration":2590,"startOfParagraph":true},{"content":"and apps have to have a manifest file where they declare","startTime":582260,"duration":3630,"startOfParagraph":false},{"content":"the permissions they need, and that will get displayed to the user,","startTime":585890,"duration":3520,"startOfParagraph":false},{"content":"and the user will have to say I grant these permissions.","startTime":589410,"duration":4070,"startOfParagraph":false},{"content":"But let's be honest.","startTime":593480,"duration":1600,"startOfParagraph":false},{"content":"Users are just going to always say okay.","startTime":595080,"duration":3320,"startOfParagraph":false},{"content":"Let's take a quick look at the permissions that these apps are asking 
for","startTime":598400,"duration":6060,"startOfParagraph":false},{"content":"and some of the permissions that are there.","startTime":604460,"duration":2390,"startOfParagraph":false},{"content":"This company Praetorian did a survey last year","startTime":606850,"duration":3100,"startOfParagraph":false},{"content":"of 53,000 applications analyzed in the Android market and third-party markets,","startTime":609950,"duration":4220,"startOfParagraph":false},{"content":"so this is all Android.","startTime":614170,"duration":2600,"startOfParagraph":false},{"content":"And the average app requested 3 permissions.","startTime":616770,"duration":2900,"startOfParagraph":false},{"content":"Some apps requested 117 permissions,","startTime":619670,"duration":3700,"startOfParagraph":false},{"content":"so obviously these are very fine-grained and way too complex for a user to understand","startTime":623370,"duration":4110,"startOfParagraph":false},{"content":"if they're presented with this app that needs these 117 permissions.","startTime":627480,"duration":4120,"startOfParagraph":false},{"content":"It's like the end user license agreement that's 45 pages long.","startTime":631600,"duration":5670,"startOfParagraph":false},{"content":"Maybe soon they'll have an option where it's like ","startTime":637270,"duration":2970,"startOfParagraph":false},{"content":"print the permissions and send me an email.","startTime":640240,"duration":2860,"startOfParagraph":false},{"content":"But if you look at some of the top interesting permissions","startTime":643100,"duration":2380,"startOfParagraph":true},{"content":"24% of the apps that they downloaded out of the 53,000","startTime":645480,"duration":5360,"startOfParagraph":false},{"content":"requested GPS information from the device.","startTime":650840,"duration":6390,"startOfParagraph":false},{"content":"8% read the contacts.","startTime":657230,"duration":2580,"startOfParagraph":false},{"content":"4% sent SMS, and 3% received 
SMS.","startTime":659810,"duration":3960,"startOfParagraph":false},{"content":"2% recorded audio.","startTime":663770,"duration":3960,"startOfParagraph":false},{"content":"1% processed outgoing calls.","startTime":667730,"duration":3480,"startOfParagraph":false},{"content":"I don't know. ","startTime":671210,"duration":1930,"startOfParagraph":false},{"content":"I don't think 4% of the apps in the app store really need to send SMS text messages,","startTime":673140,"duration":4380,"startOfParagraph":false},{"content":"so I think that's a hint that something untoward is going on.","startTime":677520,"duration":3890,"startOfParagraph":false},{"content":"8% of the apps need to read your contacts list.","startTime":681410,"duration":2940,"startOfParagraph":false},{"content":"It's probably not necessary.","startTime":684350,"duration":2160,"startOfParagraph":false},{"content":"One of the other interesting things about permissions is","startTime":686510,"duration":4480,"startOfParagraph":false},{"content":"if you link in shared libraries into your application","startTime":690990,"duration":5750,"startOfParagraph":false},{"content":"those inherit the permissions of the application,","startTime":696740,"duration":3040,"startOfParagraph":false},{"content":"so if your app needs the contact list or needs the GPS location to function ","startTime":699780,"duration":6790,"startOfParagraph":false},{"content":"and you link in an advertising library, for instance,","startTime":706570,"duration":3370,"startOfParagraph":false},{"content":"that ad library will also be able to access the contacts","startTime":709940,"duration":3230,"startOfParagraph":false},{"content":"and also be able to access the GPS location,","startTime":713170,"duration":4460,"startOfParagraph":false},{"content":"and the developer of the app knows nothing about the code that's running in the ad library.","startTime":717630,"duration":4360,"startOfParagraph":false},{"content":"They're just linking that in because 
they want to monetize their app.","startTime":721990,"duration":3380,"startOfParagraph":false},{"content":"This is where—and I'll talk about some examples of this with ","startTime":725370,"duration":4450,"startOfParagraph":true},{"content":"an application called Pandora where an application developer","startTime":729820,"duration":4110,"startOfParagraph":false},{"content":"might unwittingly be leaking information","startTime":733930,"duration":4980,"startOfParagraph":false},{"content":"from their users because of libraries they've linked in.","startTime":738910,"duration":5670,"startOfParagraph":false},{"content":"Surveying the landscape out there, looking at all the different apps","startTime":744580,"duration":5530,"startOfParagraph":false},{"content":"that have been reported in the news as malicious or doing something users didn't want","startTime":750110,"duration":4200,"startOfParagraph":false},{"content":"and then inspecting a lot of apps—we do a lot of static binary analysis on mobile apps,","startTime":754310,"duration":5050,"startOfParagraph":false},{"content":"so we've inspected them and looked at the code itself—","startTime":759360,"duration":2650,"startOfParagraph":false},{"content":"we came up with what we call our top 10 list of risky behaviors in applications.","startTime":762010,"duration":7630,"startOfParagraph":false},{"content":"And it's broken down into 2 sections, malicious code,","startTime":769640,"duration":4540,"startOfParagraph":false},{"content":"so these are bad things that the apps might be doing that","startTime":774180,"duration":3420,"startOfParagraph":false},{"content":"are likely to be something that a malicious individual","startTime":777600,"duration":8920,"startOfParagraph":false},{"content":"has specifically put in the application, but it's a little bit fuzzy.","startTime":786520,"duration":3540,"startOfParagraph":false},{"content":"It could be something that a developer thinks is 
fine,","startTime":790060,"duration":3240,"startOfParagraph":false},{"content":"but it ends up being thought of as malicious by the user.","startTime":793300,"duration":3050,"startOfParagraph":false},{"content":"And then the second section is what we call coding vulnerabilities,","startTime":796350,"duration":3480,"startOfParagraph":true},{"content":"and these are things where the developer basically is making mistakes","startTime":799830,"duration":4770,"startOfParagraph":false},{"content":"or just doesn't understand how to write the app securely,","startTime":804600,"duration":2600,"startOfParagraph":false},{"content":" and that's putting the app user at risk.","startTime":807200,"duration":3060,"startOfParagraph":false},{"content":"I'm going to go through these in detail and give some examples.","startTime":810260,"duration":3800,"startOfParagraph":false},{"content":"For reference, I wanted to put up the OWASP mobile top 10 list.","startTime":814060,"duration":5560,"startOfParagraph":false},{"content":"These are the 10 issues that a group at OWASP, ","startTime":819620,"duration":3970,"startOfParagraph":false},{"content":"the Open Web Application Security Project, they have a working group","startTime":823590,"duration":5310,"startOfParagraph":false},{"content":"working on a mobile top 10 list.","startTime":828900,"duration":1720,"startOfParagraph":false},{"content":"They have a very famous web top 10 list, which are the top 10","startTime":830620,"duration":3980,"startOfParagraph":false},{"content":"riskiest things you can have in a web application.","startTime":834600,"duration":2580,"startOfParagraph":false},{"content":"They're doing the same thing for mobile,","startTime":837180,"duration":1910,"startOfParagraph":false},{"content":"and their list is a little different than ours.","startTime":839090,"duration":2660,"startOfParagraph":false},{"content":"6 out of the 10 are the same.","startTime":841750,"duration":1920,"startOfParagraph":false},{"content":"They 
have 4 that are different.","startTime":843670,"duration":2350,"startOfParagraph":false},{"content":"I think they have a little bit of a different take on ","startTime":846020,"duration":4530,"startOfParagraph":false},{"content":"risk in mobile apps where a lot of their issues","startTime":850550,"duration":3940,"startOfParagraph":false},{"content":"are really how the application is communicating to a back-end server","startTime":854490,"duration":6000,"startOfParagraph":false},{"content":"or what's going on on the back-end server,","startTime":860490,"duration":2610,"startOfParagraph":false},{"content":"not so much apps that have risky behavior that are just straightforward client apps.","startTime":863100,"duration":6120,"startOfParagraph":false},{"content":"The ones in red here are the differences between the 2 lists.","startTime":869220,"duration":7420,"startOfParagraph":true},{"content":"And some of my research team has actually contributed to this project,","startTime":876640,"duration":4100,"startOfParagraph":false},{"content":"so we'll see what happens over time, but I think the takeaway here is","startTime":880740,"duration":3830,"startOfParagraph":false},{"content":"we don't really know what the top 10 list is in mobile apps because ","startTime":884570,"duration":2980,"startOfParagraph":false},{"content":"they've really only been around for 2 or 3 years now,","startTime":887550,"duration":2960,"startOfParagraph":false},{"content":"and there hasn't been enough time to really research the operating systems","startTime":890510,"duration":7240,"startOfParagraph":false},{"content":"and what they're capable of, and there hasn't been enough time","startTime":897750,"duration":2700,"startOfParagraph":false},{"content":"for the malicious community, if you will, to have spent enough time","startTime":900450,"duration":6420,"startOfParagraph":false},{"content":"trying to attack users through mobile apps, so I expect these lists to change a little 
bit.","startTime":906870,"duration":6040,"startOfParagraph":false},{"content":"But for now, these are the top 10 things to worry about.","startTime":912910,"duration":5810,"startOfParagraph":false},{"content":"You might wonder on the mobile side where does the malicious mobile code—","startTime":918720,"duration":5430,"startOfParagraph":false},{"content":"how does it get on to the device?","startTime":924150,"duration":4730,"startOfParagraph":false},{"content":"North Carolina State has a project called the Mobile Malware Genome Project","startTime":928880,"duration":6330,"startOfParagraph":false},{"content":"where they are collecting as much mobile malware as they can and analyzing it,","startTime":935210,"duration":4310,"startOfParagraph":false},{"content":"and they've broken down the injection vectors that the mobile malware uses,","startTime":939520,"duration":5750,"startOfParagraph":false},{"content":"and 86% use a technique called repackaging,","startTime":945270,"duration":6220,"startOfParagraph":false},{"content":"and this is only on the Android platform","startTime":951490,"duration":2670,"startOfParagraph":false},{"content":"can you really do this repackaging.","startTime":954160,"duration":2560,"startOfParagraph":false},{"content":"The reason is Android code is built with","startTime":956720,"duration":6380,"startOfParagraph":true},{"content":"a Java byte code called Dalvik which is easily decompilable.","startTime":963100,"duration":5030,"startOfParagraph":false},{"content":"What the bad guy can do is ","startTime":968130,"duration":4330,"startOfParagraph":false},{"content":"take an Android application, decompile it,","startTime":972460,"duration":4130,"startOfParagraph":false},{"content":"insert their malicious code, recompile it,","startTime":976590,"duration":3530,"startOfParagraph":false},{"content":"and then put it up in the app store purporting to be a new version of that 
application,","startTime":980120,"duration":7950,"startOfParagraph":false},{"content":"or just maybe changing the name of the application.","startTime":988070,"duration":2260,"startOfParagraph":false},{"content":"If it was some sort of game, change the name slightly,","startTime":990330,"duration":4810,"startOfParagraph":false},{"content":"and so this repackaging is how 86% of mobile malware gets distributed.","startTime":995140,"duration":7720,"startOfParagraph":false},{"content":"There's another technique called update which is","startTime":1002860,"duration":2950,"startOfParagraph":false},{"content":"very similar to repackaging, but you actually don't put the malicious code in.","startTime":1005810,"duration":4220,"startOfParagraph":false},{"content":"What you do is you put in a small update mechanism.","startTime":1010030,"duration":2840,"startOfParagraph":false},{"content":"You decompile, you put in an update mechanism, and you recompile it,","startTime":1012870,"duration":3790,"startOfParagraph":false},{"content":"and then when the app is running it pulls down the malware onto the device.","startTime":1016660,"duration":5700,"startOfParagraph":false},{"content":"By far the majority are those 2 techniques.","startTime":1022360,"duration":3940,"startOfParagraph":true},{"content":"There aren't really many download drive-bys or drive-by downloads on mobiles,","startTime":1026300,"duration":6410,"startOfParagraph":false},{"content":"which could be like a phishing attack.","startTime":1032710,"duration":3180,"startOfParagraph":false},{"content":"Hey, check out this really cool website, ","startTime":1035890,"duration":2310,"startOfParagraph":false},{"content":"or you need to go to this website and fill out this form","startTime":1038200,"duration":2820,"startOfParagraph":false},{"content":"to keep continuing doing something.","startTime":1041020,"duration":3400,"startOfParagraph":false},{"content":"Those are phishing 
attacks.","startTime":1044420,"duration":1810,"startOfParagraph":false},{"content":"The same thing can happen on the mobile platform where they","startTime":1046230,"duration":1930,"startOfParagraph":false},{"content":"point to a mobile app to download, say \"Hi, this is Bank of America.\"","startTime":1048160,"duration":5670,"startOfParagraph":false},{"content":"\"We see you're using this application.\"","startTime":1053830,"duration":2240,"startOfParagraph":false},{"content":"\"You should download this other application.\"","startTime":1056070,"duration":2470,"startOfParagraph":false},{"content":"Theoretically, that could work.","startTime":1058540,"duration":2630,"startOfParagraph":false},{"content":"Maybe it just isn't being used enough to determine whether it's successful or not,","startTime":1061170,"duration":7440,"startOfParagraph":false},{"content":"but they found that less than 1% of the time that technique is used.","startTime":1068610,"duration":3070,"startOfParagraph":false},{"content":"The majority of the time it's really a repackaged code.","startTime":1071680,"duration":4450,"startOfParagraph":false},{"content":"There's another category called standalone","startTime":1076130,"duration":2580,"startOfParagraph":true},{"content":"where someone just builds a brand-new application.","startTime":1078710,"duration":2710,"startOfParagraph":false},{"content":"They build an application that purports to be something.","startTime":1081420,"duration":2600,"startOfParagraph":false},{"content":"It's not a repackaging of something else, and that has the malicious code.","startTime":1084020,"duration":3340,"startOfParagraph":false},{"content":"That's used 14% of the time.","startTime":1087360,"duration":3870,"startOfParagraph":false},{"content":"Now I want to talk about what is the malicious code doing?","startTime":1091230,"duration":6650,"startOfParagraph":false},{"content":"One of the first malware out 
there","startTime":1097880,"duration":5190,"startOfParagraph":false},{"content":"you could consider a spyware.","startTime":1103070,"duration":2420,"startOfParagraph":false},{"content":"It basically spies on the user.","startTime":1105490,"duration":2130,"startOfParagraph":false},{"content":"It collects emails, SMS messages.","startTime":1107620,"duration":2850,"startOfParagraph":false},{"content":"It turns on the microphone.","startTime":1110470,"duration":1870,"startOfParagraph":false},{"content":"It harvests the contact book, and it sends it off to someone else.","startTime":1112340,"duration":4990,"startOfParagraph":false},{"content":"This type of spyware exists on the PC,","startTime":1117330,"duration":3540,"startOfParagraph":false},{"content":"so it makes perfect sense for people to try to do this on mobile devices.","startTime":1120870,"duration":5330,"startOfParagraph":false},{"content":"One of the first examples of this was a program called Secret SMS Replicator.","startTime":1126200,"duration":7030,"startOfParagraph":true},{"content":"It was in the Android Marketplace a couple of years ago,","startTime":1133230,"duration":3020,"startOfParagraph":false},{"content":"and the idea was if you had access to someone's Android phone ","startTime":1136250,"duration":3710,"startOfParagraph":false},{"content":"that you wanted to spy on, so maybe it's your spouse","startTime":1139960,"duration":3490,"startOfParagraph":false},{"content":"or your significant other and you want to spy on their text messaging,","startTime":1143450,"duration":4150,"startOfParagraph":false},{"content":"you could download this app and install it and configure it","startTime":1147600,"duration":3600,"startOfParagraph":false},{"content":"to send an SMS text message to you with a copy","startTime":1151200,"duration":5340,"startOfParagraph":false},{"content":"of every SMS text message they got.","startTime":1156540,"duration":5170,"startOfParagraph":false},{"content":"This obviously is in 
violations of the app store terms of service,","startTime":1161710,"duration":5510,"startOfParagraph":false},{"content":"and this was removed from the Android Marketplace within 18 hours of it being there,","startTime":1167220,"duration":4820,"startOfParagraph":false},{"content":"so a very small number of people were at risk because of this.","startTime":1172040,"duration":4720,"startOfParagraph":false},{"content":"Now, I think if the program was called something maybe a little less provocative","startTime":1176760,"duration":5750,"startOfParagraph":false},{"content":"like Secret SMS Replicator it probably would have worked a lot better.","startTime":1182510,"duration":6180,"startOfParagraph":false},{"content":"But it was kind of obvious.","startTime":1188690,"duration":4180,"startOfParagraph":false},{"content":"One of the things we can do to determine if apps have this behavior that we don't want","startTime":1192870,"duration":5810,"startOfParagraph":true},{"content":"is to inspect the code.","startTime":1198680,"duration":2730,"startOfParagraph":false},{"content":"This is actually really easy to do on Android because we can decompile the apps.","startTime":1201410,"duration":4840,"startOfParagraph":false},{"content":"On iOS you can use a disassembler like IDA Pro","startTime":1206250,"duration":4800,"startOfParagraph":false},{"content":"to look at what APIs the app is calling and what it's doing.","startTime":1211050,"duration":6140,"startOfParagraph":false},{"content":"We wrote our own binary static analyzer for our code","startTime":1217190,"duration":3490,"startOfParagraph":false},{"content":"and we do this, and so what you could do is you could say ","startTime":1220680,"duration":4260,"startOfParagraph":false},{"content":"does the device do anything that is basically spying on me or tracking me?","startTime":1224940,"duration":5550,"startOfParagraph":false},{"content":"And I have some examples here on the 
iPhone.","startTime":1230490,"duration":2870,"startOfParagraph":false},{"content":"This first example is how to access the UUID on the phone.","startTime":1233360,"duration":8080,"startOfParagraph":false},{"content":"This is actually something that Apple has just banned for new applications,","startTime":1241440,"duration":5620,"startOfParagraph":false},{"content":"but old applications that you might have running on your phone can still do this,","startTime":1247060,"duration":5480,"startOfParagraph":false},{"content":"and so that unique identifier can be used to track you ","startTime":1252540,"duration":3960,"startOfParagraph":false},{"content":"across many different applications.","startTime":1256500,"duration":3940,"startOfParagraph":false},{"content":"On the Android, I have an example here of getting the device's location.","startTime":1260440,"duration":6740,"startOfParagraph":true},{"content":"You can see that if that API call is there that app is tracking,","startTime":1267180,"duration":3130,"startOfParagraph":false},{"content":"and you can see whether it's getting fine location or coarse location.","startTime":1270310,"duration":4690,"startOfParagraph":false},{"content":"And then on the bottom here, I have an example of how on the BlackBerry","startTime":1275000,"duration":3860,"startOfParagraph":false},{"content":"an application might access the email messages in your inbox.","startTime":1278860,"duration":6270,"startOfParagraph":false},{"content":"These are the kind of things you can inspect to see ","startTime":1285130,"duration":2530,"startOfParagraph":false},{"content":"if the app is doing those things.","startTime":1287660,"duration":4700,"startOfParagraph":false},{"content":"The second big category of malicious behavior, and this is probably the biggest category now,","startTime":1292360,"duration":5960,"startOfParagraph":false},{"content":"is unauthorized dialing, unauthorized premium SMS text 
messages","startTime":1298320,"duration":5630,"startOfParagraph":false},{"content":"or unauthorized payments.","startTime":1303950,"duration":2130,"startOfParagraph":false},{"content":"Another thing that's unique about the phone","startTime":1306080,"duration":2850,"startOfParagraph":false},{"content":"is the device is hooked to a billing account,","startTime":1308930,"duration":3770,"startOfParagraph":false},{"content":"and when activities happen on the phone","startTime":1312700,"duration":3260,"startOfParagraph":false},{"content":"it can create charges.","startTime":1315960,"duration":2550,"startOfParagraph":false},{"content":"You can purchase things over the phone,","startTime":1318510,"duration":2190,"startOfParagraph":false},{"content":"and when you send a premium SMS text message you're actually giving money","startTime":1320700,"duration":3690,"startOfParagraph":false},{"content":"to the account holder of the phone number on the other side.","startTime":1324390,"duration":7200,"startOfParagraph":false},{"content":"These were set up to get stock quotes or get your daily horoscope or other things,","startTime":1331590,"duration":5830,"startOfParagraph":false},{"content":"but they can be set up to order a product by sending an SMS text.","startTime":1337420,"duration":4260,"startOfParagraph":false},{"content":"People give money to the Red Cross by sending a text message.","startTime":1341680,"duration":5290,"startOfParagraph":false},{"content":"You can give $10 that way.","startTime":1346970,"duration":3680,"startOfParagraph":false},{"content":"The attackers, what they've done is they set up","startTime":1350650,"duration":3540,"startOfParagraph":true},{"content":"accounts in foreign countries, and they embed in the malware","startTime":1354190,"duration":4560,"startOfParagraph":false},{"content":"that the phone will send a premium SMS text message,","startTime":1358750,"duration":4090,"startOfParagraph":false},{"content":"say, a few times a day, and at the 
end of the month you realize you've spent","startTime":1362840,"duration":4860,"startOfParagraph":false},{"content":"tens or maybe even hundreds of dollars, and they walk away with the money.","startTime":1367700,"duration":4390,"startOfParagraph":false},{"content":"This got so bad that this was the very first thing that the Android ","startTime":1372090,"duration":5190,"startOfParagraph":false},{"content":"Marketplace or the Google place—it was the Android Marketplace at the time,","startTime":1377280,"duration":3480,"startOfParagraph":false},{"content":"and it's now Google Play—the first thing that Google started checking for.","startTime":1380760,"duration":3670,"startOfParagraph":false},{"content":"When Google started distributing Android apps in their app store","startTime":1384430,"duration":4270,"startOfParagraph":false},{"content":"they said they were not going to check for anything.","startTime":1388700,"duration":2650,"startOfParagraph":false},{"content":"We'll pull apps once we've been notified they've broken our terms of service,","startTime":1391350,"duration":4280,"startOfParagraph":false},{"content":"but we're not going to check for anything.","startTime":1395630,"duration":1890,"startOfParagraph":false},{"content":"Well, about a year ago it got so bad with this premium SMS text message malware","startTime":1397520,"duration":6830,"startOfParagraph":false},{"content":"that this is the very first thing they started checking for.","startTime":1404350,"duration":3680,"startOfParagraph":false},{"content":"If an app can send SMS text messages","startTime":1408030,"duration":3740,"startOfParagraph":false},{"content":"they further manually scrutinize that application.","startTime":1411770,"duration":2980,"startOfParagraph":false},{"content":"They look for the APIs that call this,","startTime":1414750,"duration":4020,"startOfParagraph":false},{"content":"and now since then Google has expanded, 
","startTime":1418770,"duration":1810,"startOfParagraph":false},{"content":"but this was the first thing that they started looking for.","startTime":1420580,"duration":6320,"startOfParagraph":false},{"content":"Some other apps that did some SMS text messages,","startTime":1426900,"duration":3790,"startOfParagraph":true},{"content":"this Android Qicsomos, I guess it is called.","startTime":1430690,"duration":6290,"startOfParagraph":false},{"content":"There was this current event on the mobile where this CarrierIQ came out","startTime":1436980,"duration":5690,"startOfParagraph":false},{"content":"as spyware put on the device by the carriers,","startTime":1442670,"duration":5050,"startOfParagraph":false},{"content":"so people wanted to know if their phone was vulnerable to this,","startTime":1447720,"duration":3100,"startOfParagraph":false},{"content":"and this was a free app that tested that.","startTime":1450820,"duration":3070,"startOfParagraph":false},{"content":"Well, of course, what this app did was it sent premium SMS text messages,","startTime":1453890,"duration":3630,"startOfParagraph":false},{"content":"so by testing to see if you're infected with spyware","startTime":1457520,"duration":2570,"startOfParagraph":false},{"content":"you loaded malware onto your device.","startTime":1460090,"duration":4840,"startOfParagraph":false},{"content":"We saw the same thing happen at the last Super Bowl. 
","startTime":1464930,"duration":2380,"startOfParagraph":false},{"content":"There was a bogus version of the Madden football game","startTime":1467310,"duration":5870,"startOfParagraph":false},{"content":"that sent premium SMS text messages.","startTime":1473180,"duration":5140,"startOfParagraph":false},{"content":"It actually tried to create a bot network too on the device.","startTime":1478320,"duration":7430,"startOfParagraph":false},{"content":"Here I have some examples.","startTime":1485750,"duration":2340,"startOfParagraph":false},{"content":"Interestingly enough, Apple was pretty smart,","startTime":1488090,"duration":4550,"startOfParagraph":false},{"content":"and they don't allow applications to send SMS text messages at all.","startTime":1492640,"duration":5830,"startOfParagraph":false},{"content":"No app can do it. ","startTime":1498470,"duration":1880,"startOfParagraph":false},{"content":"That's a great way of getting rid of a whole class of vulnerability,","startTime":1500350,"duration":3180,"startOfParagraph":false},{"content":"but on Android you can do it, and of course, on BlackBerry you can do it too.","startTime":1503530,"duration":5510,"startOfParagraph":false},{"content":"It's interesting that on the BlackBerry all you need is internet permissions","startTime":1509040,"duration":4020,"startOfParagraph":false},{"content":"to send an SMS text message.","startTime":1513060,"duration":5310,"startOfParagraph":false},{"content":"The other thing really that we look for","startTime":1518370,"duration":3210,"startOfParagraph":true},{"content":"when we're looking to see if something is malicious is just any kind of ","startTime":1521580,"duration":3200,"startOfParagraph":false},{"content":"unauthorized network activity, like look at the network activity ","startTime":1524780,"duration":3320,"startOfParagraph":false},{"content":"the app is supposed to have to have its 
functionality,","startTime":1528100,"duration":3470,"startOfParagraph":false},{"content":"and look at this other network activity.","startTime":1531570,"duration":3810,"startOfParagraph":false},{"content":"Perhaps an app, to work, has to get data over HTTP,","startTime":1535380,"duration":8000,"startOfParagraph":false},{"content":"but if it's doing things over email or SMS or Bluetooth or something like that","startTime":1543380,"duration":4120,"startOfParagraph":false},{"content":"now that app could potentially be malicious, so this is another thing you can inspect for.","startTime":1547500,"duration":5390,"startOfParagraph":false},{"content":"And on this slide here I have some examples of that.","startTime":1552890,"duration":7540,"startOfParagraph":false},{"content":"Another interesting thing we saw with malware happened back in 2009,","startTime":1560430,"duration":5520,"startOfParagraph":false},{"content":"and it happened in a big way.","startTime":1565950,"duration":1650,"startOfParagraph":false},{"content":"I don't know if it's happened so much since then, but it was an app","startTime":1567600,"duration":3790,"startOfParagraph":false},{"content":"that impersonated another application.","startTime":1571390,"duration":3750,"startOfParagraph":false},{"content":"There was a set of apps, and it was dubbed the 09Droid attack,","startTime":1575140,"duration":6560,"startOfParagraph":false},{"content":"and someone decided that there were a lot of small, regional, midsize banks","startTime":1581700,"duration":8070,"startOfParagraph":false},{"content":"that didn't have online banking applications,","startTime":1589770,"duration":2490,"startOfParagraph":false},{"content":"so what they did was they built about 50 online banking applications","startTime":1592260,"duration":4610,"startOfParagraph":false},{"content":"that all they did was take the user name and password","startTime":1596870,"duration":2540,"startOfParagraph":false},{"content":"and redirect you to the 
website.","startTime":1599410,"duration":2780,"startOfParagraph":false},{"content":"And so they put these all up in the Google Marketplace,","startTime":1602190,"duration":5280,"startOfParagraph":false},{"content":"in the Android Marketplace, and when someone searched to see if their bank","startTime":1607470,"duration":4060,"startOfParagraph":false},{"content":"had an application they would find the bogus application,","startTime":1611530,"duration":4470,"startOfParagraph":false},{"content":"which collected their credentials and then redirected them to their website.","startTime":1616000,"duration":5230,"startOfParagraph":false},{"content":"The way that this actually became—the apps were up there for a few weeks,","startTime":1621230,"duration":5410,"startOfParagraph":false},{"content":"and there were thousands and thousands of downloads.","startTime":1626640,"duration":2410,"startOfParagraph":false},{"content":"The way this came to light was someone was having a problem ","startTime":1629050,"duration":3860,"startOfParagraph":true},{"content":"with one of the applications, and they called their bank,","startTime":1632910,"duration":2830,"startOfParagraph":false},{"content":"and they called their bank's customer support line and said,","startTime":1635740,"duration":2650,"startOfParagraph":false},{"content":"\"I'm having a problem with your mobile banking application.\"","startTime":1638390,"duration":2790,"startOfParagraph":false},{"content":"\"Can you help me out?\"","startTime":1641180,"duration":2280,"startOfParagraph":false},{"content":"And they said, \"We don't have a mobile banking application.\"","startTime":1643460,"duration":3080,"startOfParagraph":false},{"content":"That started the investigation.","startTime":1646540,"duration":1580,"startOfParagraph":false},{"content":"That bank called Google, and then Google looked and said,","startTime":1648120,"duration":3080,"startOfParagraph":false},{"content":"\"Wow, the same author has written 50 bank 
applications,\" and took them all down.","startTime":1651200,"duration":6020,"startOfParagraph":false},{"content":"But certainly this could happen again.","startTime":1657220,"duration":6190,"startOfParagraph":false},{"content":"There's the list of all the different banks here","startTime":1663410,"duration":8380,"startOfParagraph":false},{"content":"that were part of this scam.","startTime":1671790,"duration":4080,"startOfParagraph":false},{"content":"The other thing an app can do is present the UI of another application.","startTime":1675870,"duration":6180,"startOfParagraph":false},{"content":"While it's running it could pop up the Facebook UI.","startTime":1682050,"duration":4380,"startOfParagraph":false},{"content":"It says you have to put in your user name and password to continue","startTime":1686430,"duration":3110,"startOfParagraph":false},{"content":"or put up any user name and password UI for a website","startTime":1689540,"duration":5550,"startOfParagraph":false},{"content":"that maybe the user uses just to try to trick the user","startTime":1695090,"duration":3330,"startOfParagraph":false},{"content":"into putting their credentials in.","startTime":1698420,"duration":2920,"startOfParagraph":false},{"content":"This is really a straight parallel of the email phishing attacks","startTime":1701340,"duration":4250,"startOfParagraph":false},{"content":"where someone sends you an email message","startTime":1705590,"duration":2620,"startOfParagraph":false},{"content":"and gives you basically a fake UI for a website","startTime":1708210,"duration":4840,"startOfParagraph":false},{"content":"that you have access to.","startTime":1713050,"duration":4270,"startOfParagraph":false},{"content":"The other thing we look for in malicious code is system modification.","startTime":1717320,"duration":4270,"startOfParagraph":true},{"content":"You can look for all the API calls that require root 
privilege","startTime":1721590,"duration":6570,"startOfParagraph":false},{"content":"to execute correctly.","startTime":1728160,"duration":2710,"startOfParagraph":false},{"content":"Changing the device's web proxy would be something that an application ","startTime":1730870,"duration":5290,"startOfParagraph":false},{"content":"shouldn't be able to do.","startTime":1736160,"duration":3370,"startOfParagraph":false},{"content":"But if the application has code in there to do that","startTime":1739530,"duration":3500,"startOfParagraph":false},{"content":"you know that it's probably a malicious application ","startTime":1743030,"duration":2930,"startOfParagraph":false},{"content":"or very highly likely to be a malicious application,","startTime":1745960,"duration":3660,"startOfParagraph":false},{"content":"and so what would happen is that app would have some way of escalating privilege.","startTime":1749620,"duration":4290,"startOfParagraph":false},{"content":"It would have some privilege escalation exploit","startTime":1753910,"duration":3290,"startOfParagraph":false},{"content":"in the application, and then once it escalated privileges","startTime":1757200,"duration":3530,"startOfParagraph":false},{"content":"it would do these system modifications.","startTime":1760730,"duration":3070,"startOfParagraph":false},{"content":"You can find malware that has privilege escalation","startTime":1763800,"duration":4210,"startOfParagraph":false},{"content":"in it even without knowing how the privilege escalation","startTime":1768010,"duration":4540,"startOfParagraph":false},{"content":"exploit is going to happen, and that's a nice, easy way","startTime":1772550,"duration":5410,"startOfParagraph":false},{"content":"to look for malware.","startTime":1777960,"duration":3260,"startOfParagraph":false},{"content":"DroidDream was probably the most famous piece of Android malware.","startTime":1781220,"duration":4810,"startOfParagraph":false},{"content":"I think it affected about 250,000 
users over a few days","startTime":1786030,"duration":4500,"startOfParagraph":false},{"content":"before it was found.","startTime":1790530,"duration":2280,"startOfParagraph":false},{"content":"They repackaged 50 bogus applications,","startTime":1792810,"duration":4080,"startOfParagraph":false},{"content":"put them in the Android app store, ","startTime":1796890,"duration":3480,"startOfParagraph":false},{"content":"and essentially it used Android jailbreak code to escalate privileges","startTime":1800370,"duration":10570,"startOfParagraph":false},{"content":"and then install a command and control and turn all the victims","startTime":1810940,"duration":5440,"startOfParagraph":false},{"content":"into a bot net, but you could have detected this","startTime":1816380,"duration":4310,"startOfParagraph":false},{"content":"if you were scanning the application and just looking for","startTime":1820690,"duration":3480,"startOfParagraph":false},{"content":"API calls that required root permission to execute correctly.","startTime":1824170,"duration":8060,"startOfParagraph":false},{"content":"And there's an example here I have which is changing the proxy,","startTime":1832230,"duration":7920,"startOfParagraph":true},{"content":"and this actually is only available on the Android.","startTime":1840150,"duration":6230,"startOfParagraph":false},{"content":"You can see I'm giving you a lot of examples on Android ","startTime":1846380,"duration":2690,"startOfParagraph":false},{"content":"because this is where the most active malware ecosystem is","startTime":1849070,"duration":4920,"startOfParagraph":false},{"content":"because it's really easy for an attacker to get malicious code","startTime":1853990,"duration":4700,"startOfParagraph":false},{"content":"into the Android Marketplace.","startTime":1858690,"duration":2780,"startOfParagraph":false},{"content":"It's not so easy to do that in the Apple App 
Store","startTime":1861470,"duration":5010,"startOfParagraph":false},{"content":"because Apple requires developers to identify themselves","startTime":1866480,"duration":3770,"startOfParagraph":false},{"content":"and sign the code.","startTime":1870250,"duration":2540,"startOfParagraph":false},{"content":"They actually check who you are, and Apple is actually scrutinizing the applications.","startTime":1872790,"duration":7550,"startOfParagraph":false},{"content":"We don't see a lot of true malware where the device is getting compromised.","startTime":1880340,"duration":7110,"startOfParagraph":false},{"content":"I will talk about some examples where it's really privacy that's getting compromised,","startTime":1887450,"duration":4800,"startOfParagraph":false},{"content":"and that's what's really happening on the Apple device.","startTime":1892250,"duration":6210,"startOfParagraph":false},{"content":"Another thing to look for malicious code, risky code in devices","startTime":1898460,"duration":5630,"startOfParagraph":false},{"content":"is logic or time bombs, and time bombs are probably ","startTime":1904090,"duration":6210,"startOfParagraph":false},{"content":"much easier to look for than logic bombs.","startTime":1910300,"duration":3070,"startOfParagraph":false},{"content":"But with time bombs, what you can do is you can look for","startTime":1913370,"duration":3660,"startOfParagraph":false},{"content":"places in the code where the time is tested or an absolute time is looked for","startTime":1917030,"duration":7730,"startOfParagraph":false},{"content":"before certain functionality in the app happens.","startTime":1924760,"duration":3430,"startOfParagraph":false},{"content":"And this could be done to hide that activity from the user,","startTime":1928190,"duration":6010,"startOfParagraph":false},{"content":"so it's happening late at night.","startTime":1934200,"duration":3310,"startOfParagraph":false},{"content":"DroidDream did all its activity between 11 PM and 8 
AM local time","startTime":1937510,"duration":6840,"startOfParagraph":false},{"content":"to try to do it while the user might not be using their device.","startTime":1944350,"duration":6300,"startOfParagraph":false},{"content":"Another reason to do this is if people are using behavioral analysis of an application,","startTime":1950650,"duration":8030,"startOfParagraph":true},{"content":"running the app in a sandbox to see what the behavior of the application is,","startTime":1958680,"duration":4750,"startOfParagraph":false},{"content":"they can use time-based logic to do the activity","startTime":1963430,"duration":7660,"startOfParagraph":false},{"content":"when the app isn't in the sandbox.","startTime":1971090,"duration":3550,"startOfParagraph":false},{"content":"For example, an app store like Apple","startTime":1974640,"duration":6880,"startOfParagraph":false},{"content":"runs the application, but they probably don't run every application for, say, 30 days","startTime":1981520,"duration":6420,"startOfParagraph":false},{"content":"before approving it, so you can put ","startTime":1987940,"duration":2610,"startOfParagraph":false},{"content":"logic in your application that said, okay, only do the bad thing","startTime":1990550,"duration":3570,"startOfParagraph":false},{"content":"after 30 days has gone by or after 30 days after the publish date of the application,","startTime":1994120,"duration":6370,"startOfParagraph":false},{"content":"and that can help the malicious code hide from people inspecting for it.","startTime":2000490,"duration":6530,"startOfParagraph":false},{"content":"If anti-virus companies are running things in sandboxes","startTime":2007020,"duration":3030,"startOfParagraph":false},{"content":"or the app stores themselves are this can help","startTime":2010050,"duration":6320,"startOfParagraph":false},{"content":"hide that from that inspection.","startTime":2016370,"duration":2890,"startOfParagraph":false},{"content":"Now, the flip side of that is 
it's easy to find with static analysis,","startTime":2019260,"duration":3760,"startOfParagraph":false},{"content":"so actually inspecting the code you can look for all the places ","startTime":2023020,"duration":3150,"startOfParagraph":false},{"content":"where the application tests the time and inspect that way.","startTime":2026170,"duration":7840,"startOfParagraph":false},{"content":"And here I have some examples on these 3 different platforms","startTime":2034010,"duration":4840,"startOfParagraph":false},{"content":"how time can be checked for by the app maker","startTime":2038850,"duration":6790,"startOfParagraph":false},{"content":"so you know what to look for if you're inspecting the app statically.","startTime":2045640,"duration":4880,"startOfParagraph":false},{"content":"I just went through a whole bunch of different malicious activities","startTime":2050520,"duration":4050,"startOfParagraph":true},{"content":"that we've seen in the wild, but which ones are the most prevalent?","startTime":2054570,"duration":4399,"startOfParagraph":false},{"content":"That same study from North Carolina State Mobile Genome Project","startTime":2058969,"duration":4971,"startOfParagraph":false},{"content":"published some data, and there were basically 4 areas","startTime":2063940,"duration":4620,"startOfParagraph":false},{"content":"that they saw where there was a lot of activity.","startTime":2068560,"duration":4290,"startOfParagraph":false},{"content":"37% of the apps did privilege escalation,","startTime":2072850,"duration":2520,"startOfParagraph":false},{"content":"so they had some type of jailbreak code in there ","startTime":2075370,"duration":3059,"startOfParagraph":false},{"content":"where they tried to escalate privileges so that they could ","startTime":2078429,"duration":3641,"startOfParagraph":false},{"content":"do API commands running as the operating system.","startTime":2082070,"duration":6290,"startOfParagraph":false},{"content":"45% of the apps out there did 
premium SMS,","startTime":2088360,"duration":4160,"startOfParagraph":false},{"content":"so that's a huge percentage that is trying to directly monetize.","startTime":2092520,"duration":4740,"startOfParagraph":false},{"content":"93% did remote control, so they tried to set up a bot net, a mobile bot net.","startTime":2097260,"duration":5380,"startOfParagraph":false},{"content":"And 45% harvested identifying information","startTime":2102640,"duration":6350,"startOfParagraph":false},{"content":"like phone numbers, UUIDs, GPS location, user accounts,","startTime":2108990,"duration":7240,"startOfParagraph":false},{"content":"and this adds up to more than 100 because most malware tries to do a few of these things.","startTime":2116230,"duration":6640,"startOfParagraph":false},{"content":"I'm going to switch to the second half and talk about the code vulnerabilities.","startTime":2122870,"duration":4200,"startOfParagraph":true},{"content":"This is the second half of the risky activity.","startTime":2127070,"duration":2410,"startOfParagraph":false},{"content":"This is where essentially the developer is making errors.","startTime":2129480,"duration":3970,"startOfParagraph":false},{"content":"A legitimate developer writing a legitimate app","startTime":2133450,"duration":3760,"startOfParagraph":false},{"content":"is making errors or is ignorant of the risks of the mobile platform.","startTime":2137210,"duration":4620,"startOfParagraph":false},{"content":"They just don't know how to make a secure mobile app,","startTime":2141830,"duration":2950,"startOfParagraph":false},{"content":"or sometimes the developer doesn't care about putting the user at risk.","startTime":2144780,"duration":2920,"startOfParagraph":false},{"content":"Sometimes part of their business model might be ","startTime":2147700,"duration":3150,"startOfParagraph":false},{"content":"harvesting the user's personal information.","startTime":2150850,"duration":3760,"startOfParagraph":false},{"content":"That's sort 
of the other category, and that's why some of this malicious ","startTime":2154610,"duration":3480,"startOfParagraph":false},{"content":"versus legitimate starts to bleed over because there's difference of opinions","startTime":2158090,"duration":5110,"startOfParagraph":false},{"content":"between what the user wants and what the user considers risky","startTime":2163200,"duration":7240,"startOfParagraph":false},{"content":"and what the application developer considers risky.","startTime":2170440,"duration":2610,"startOfParagraph":false},{"content":"Of course, it's not the application developer's data in most cases.","startTime":2173050,"duration":5330,"startOfParagraph":false},{"content":"And then finally, another way this happens is a developer might link in","startTime":2178380,"duration":3650,"startOfParagraph":true},{"content":"a shared library that has vulnerabilities or this risky behavior in it","startTime":2182030,"duration":6570,"startOfParagraph":false},{"content":"unbeknownst to them.","startTime":2188600,"duration":3880,"startOfParagraph":false},{"content":"The first category is sensitive data leakage,","startTime":2192480,"duration":4580,"startOfParagraph":false},{"content":"and this is when the app collects information","startTime":2197060,"duration":2970,"startOfParagraph":false},{"content":"like location, address book information, owner information","startTime":2200030,"duration":4950,"startOfParagraph":false},{"content":"and sends that off the device.","startTime":2204980,"duration":3020,"startOfParagraph":false},{"content":"And once it's off the device, we don't know what's happening with that information.","startTime":2208000,"duration":5050,"startOfParagraph":false},{"content":"It could be stored insecurely by the application developer.","startTime":2213050,"duration":4120,"startOfParagraph":false},{"content":"We've seen application developers get compromised,","startTime":2217170,"duration":4900,"startOfParagraph":false},{"content":"and the data 
that they're storing gets taken.","startTime":2222070,"duration":3750,"startOfParagraph":false},{"content":"This happened a few months ago to a developer down in Florida","startTime":2225820,"duration":5150,"startOfParagraph":false},{"content":"where a huge number of—it was iPad UUIDs and device names","startTime":2230970,"duration":10690,"startOfParagraph":false},{"content":"were leaked because someone, I think it was anonymous,","startTime":2241660,"duration":3610,"startOfParagraph":false},{"content":"claimed to do this, broke into this developer's servers","startTime":2245270,"duration":4190,"startOfParagraph":false},{"content":"and stole millions of iPad UUIDs","startTime":2249460,"duration":5460,"startOfParagraph":false},{"content":"and computer names.","startTime":2254920,"duration":2470,"startOfParagraph":false},{"content":"Not the most risky information,","startTime":2257390,"duration":2870,"startOfParagraph":false},{"content":"but what if that was the storage of user names and passwords","startTime":2260260,"duration":6560,"startOfParagraph":false},{"content":"and home addresses?","startTime":2266820,"duration":1350,"startOfParagraph":false},{"content":"There's lots of apps that store that kind of information.","startTime":2268170,"duration":2930,"startOfParagraph":false},{"content":"The risk is there.","startTime":2271100,"duration":2130,"startOfParagraph":false},{"content":"The other thing that can happen is if the developer doesn't take care","startTime":2273230,"duration":3390,"startOfParagraph":true},{"content":"to secure the data channel, and that's another big vulnerability I'm going to talk about,","startTime":2276620,"duration":4750,"startOfParagraph":false},{"content":"that data is being sent in the clear.","startTime":2281370,"duration":3790,"startOfParagraph":false},{"content":"If the user is on a public Wi-Fi network","startTime":2285160,"duration":3880,"startOfParagraph":false},{"content":"or someone is sniffing the internet 
somewhere","startTime":2289040,"duration":3290,"startOfParagraph":false},{"content":"along the path that data is being exposed.","startTime":2292330,"duration":6930,"startOfParagraph":false},{"content":"One very famous case of this information leakage happened with Pandora,","startTime":2299260,"duration":4530,"startOfParagraph":false},{"content":"and this is something we researched at Veracode.","startTime":2303790,"duration":3460,"startOfParagraph":false},{"content":"We heard that there was a—I think it was a Federal Trade Commission ","startTime":2307250,"duration":5950,"startOfParagraph":false},{"content":"investigation going on with Pandora.","startTime":2313200,"duration":2110,"startOfParagraph":false},{"content":"We said, \"What's going on there? Let's start digging into the Pandora application.\" ","startTime":2315310,"duration":4520,"startOfParagraph":false},{"content":"And what we determined was the Pandora application collected","startTime":2319830,"duration":6860,"startOfParagraph":false},{"content":"your gender and your age, ","startTime":2326690,"duration":4580,"startOfParagraph":false},{"content":"and it also accessed your GPS location, and the Pandora application ","startTime":2331270,"duration":5390,"startOfParagraph":false},{"content":"did this for what they said were legitimate reasons.","startTime":2336660,"duration":3540,"startOfParagraph":false},{"content":"The music that they were playing—Pandora is a music streaming app—","startTime":2340200,"duration":5160,"startOfParagraph":false},{"content":"the music they were playing was only licensed in the United States,","startTime":2345360,"duration":2170,"startOfParagraph":false},{"content":"so they had to check to comply with their license agreements that they had","startTime":2347530,"duration":5490,"startOfParagraph":false},{"content":"for the music that the user was in the United States.","startTime":2353020,"duration":4220,"startOfParagraph":false},{"content":"They also wanted to comply with 
the parental advisory","startTime":2357240,"duration":7830,"startOfParagraph":false},{"content":"around adult language in music, ","startTime":2365070,"duration":8720,"startOfParagraph":false},{"content":"and so it's a voluntary program, but they wanted to comply with that","startTime":2373790,"duration":3710,"startOfParagraph":false},{"content":"and not play explicit lyrics to children 13 and under.","startTime":2377500,"duration":5510,"startOfParagraph":false},{"content":"They had legitimate reasons for collecting this data.","startTime":2383010,"duration":3270,"startOfParagraph":true},{"content":"Their app had the permissions to do it.","startTime":2386280,"duration":2880,"startOfParagraph":false},{"content":"Users thought this was legitimate. But what happened?","startTime":2389160,"duration":2840,"startOfParagraph":false},{"content":"They linked in 3 or 4 different ad libraries.","startTime":2392000,"duration":3810,"startOfParagraph":false},{"content":"Now all of a sudden all these ad libraries","startTime":2395810,"duration":3330,"startOfParagraph":false},{"content":"are getting access to this same information.","startTime":2399140,"duration":3830,"startOfParagraph":false},{"content":"The ad libraries, if you look at the code in the ad libraries","startTime":2402970,"duration":2860,"startOfParagraph":false},{"content":"what they do is every ad library says","startTime":2405830,"duration":2600,"startOfParagraph":false},{"content":"\"Does my app have permission to get GPS location?\"","startTime":2408430,"duration":2910,"startOfParagraph":false},{"content":"\"Oh, it does? 
Okay, tell me the GPS location.\"","startTime":2411340,"duration":3550,"startOfParagraph":false},{"content":"Every single ad library does that,","startTime":2414890,"duration":1730,"startOfParagraph":false},{"content":"and if the app doesn't have GPS permission","startTime":2416620,"duration":3120,"startOfParagraph":false},{"content":"it won't be able to get it, but if it does, it will get it.","startTime":2419740,"duration":3720,"startOfParagraph":false},{"content":"This is where the business model of the ad libraries","startTime":2423460,"duration":2780,"startOfParagraph":false},{"content":"is opposed to the privacy of the user.","startTime":2426240,"duration":4920,"startOfParagraph":false},{"content":"And there's been studies out there that will say if you know the age","startTime":2431160,"duration":3820,"startOfParagraph":false},{"content":"of a person and you know their location","startTime":2434980,"duration":3450,"startOfParagraph":false},{"content":"where they sleep at night, because you have their GPS coordinates","startTime":2438430,"duration":4100,"startOfParagraph":false},{"content":"while they perhaps are sleeping, you know exactly who that person is","startTime":2442530,"duration":3500,"startOfParagraph":false},{"content":"because you can determine which member of that household is that person.","startTime":2446030,"duration":4200,"startOfParagraph":false},{"content":"Really this is identifying to advertisers","startTime":2450230,"duration":4550,"startOfParagraph":false},{"content":"exactly who you are, and it looks like it was legitimate.","startTime":2454780,"duration":4750,"startOfParagraph":false},{"content":"I just want my streaming music, and this is the only way to get it.","startTime":2459530,"duration":3270,"startOfParagraph":false},{"content":"Well, we exposed this.","startTime":2462800,"duration":2570,"startOfParagraph":true},{"content":"We wrote this up in several blog 
posts,","startTime":2465370,"duration":2660,"startOfParagraph":false},{"content":"and it turned out that someone from Rolling Stone magazine","startTime":2468030,"duration":5250,"startOfParagraph":false},{"content":"read one of our blog posts and wrote their own blog in Rolling Stone about it,","startTime":2473280,"duration":5530,"startOfParagraph":false},{"content":"and the very next day Pandora thought it was a good idea","startTime":2478810,"duration":3310,"startOfParagraph":false},{"content":"to remove the ad libraries from their application.","startTime":2482120,"duration":5480,"startOfParagraph":false},{"content":"As far as I know they're the only—they should be commended.","startTime":2487600,"duration":3670,"startOfParagraph":false},{"content":"I think they're the only freemium type of app that has done this.","startTime":2491270,"duration":4500,"startOfParagraph":false},{"content":"All the other freemium apps have this same behavior,","startTime":2495770,"duration":2890,"startOfParagraph":false},{"content":"so you've got to think about what kind of data you're giving ","startTime":2498660,"duration":3120,"startOfParagraph":false},{"content":"these freemium applications because it's all going to advertisers.","startTime":2501780,"duration":6550,"startOfParagraph":false},{"content":"Praetorian also did a study about shared libraries and said, ","startTime":2508330,"duration":5060,"startOfParagraph":false},{"content":"\"Let's look at what shared libraries are the top shared libraries,\" and this was the data.","startTime":2513390,"duration":3710,"startOfParagraph":false},{"content":"They analyzed 53,000 apps,","startTime":2517100,"duration":2320,"startOfParagraph":true},{"content":"and the number 1 shared library was Admob.","startTime":2519420,"duration":2480,"startOfParagraph":false},{"content":"It was actually in 38% of the applications out there,","startTime":2521900,"duration":4160,"startOfParagraph":false},{"content":"so 38% of the applications you're 
using ","startTime":2526060,"duration":2740,"startOfParagraph":false},{"content":"are likely harvesting your personal information","startTime":2528800,"duration":2450,"startOfParagraph":false},{"content":"and sending it to the ad networks.","startTime":2531250,"duration":5400,"startOfParagraph":false},{"content":"Apache and Android were 8% and 6%,","startTime":2536650,"duration":2700,"startOfParagraph":false},{"content":"and then these other ones down at the bottom, Google Ads, Flurry,","startTime":2539350,"duration":3610,"startOfParagraph":false},{"content":"Mob City and Millennial Media,","startTime":2542960,"duration":3640,"startOfParagraph":false},{"content":"these are all ad companies, and then, interestingly enough,","startTime":2546600,"duration":3900,"startOfParagraph":false},{"content":"4% linked in the Facebook library","startTime":2550500,"duration":3000,"startOfParagraph":false},{"content":"probably to do authentication through Facebook","startTime":2553500,"duration":5370,"startOfParagraph":false},{"content":"so the app could authenticate to Facebook.","startTime":2558870,"duration":1940,"startOfParagraph":false},{"content":"But that also means the corporation Facebook controls code","startTime":2560810,"duration":3850,"startOfParagraph":false},{"content":"that's running in 4% of the Android mobile apps out there,","startTime":2564660,"duration":4350,"startOfParagraph":false},{"content":"and they have access to all the data that that app has permission to get at.","startTime":2569010,"duration":4480,"startOfParagraph":false},{"content":"Facebook essentially tries to sell advertising space.","startTime":2573490,"duration":3680,"startOfParagraph":false},{"content":"That's their business model.","startTime":2577170,"duration":2950,"startOfParagraph":false},{"content":"If you look at this whole ecosystem with these permissions","startTime":2580120,"duration":2800,"startOfParagraph":true},{"content":"and shared libraries you start to see that 
","startTime":2582920,"duration":4820,"startOfParagraph":false},{"content":"you have a lot of risk in a supposedly legitimate application.","startTime":2587740,"duration":6110,"startOfParagraph":false},{"content":"The same similar thing that happened with Pandora","startTime":2593850,"duration":5510,"startOfParagraph":false},{"content":"happened with an application called Path,","startTime":2599360,"duration":2980,"startOfParagraph":false},{"content":"and Path thought they were being helpful, friendly developers.","startTime":2602340,"duration":5320,"startOfParagraph":false},{"content":"They were just trying to give you a great user experience,","startTime":2607660,"duration":4500,"startOfParagraph":false},{"content":"and it turned out that without prompting the user or telling the user anything—","startTime":2612160,"duration":5650,"startOfParagraph":false},{"content":"and this happened on the iPhone and on Android, ","startTime":2617810,"duration":2590,"startOfParagraph":false},{"content":"the Pandora app was on iPhone and Android—","startTime":2620400,"duration":4020,"startOfParagraph":false},{"content":"that the Path application was grabbing your entire address book","startTime":2624420,"duration":4470,"startOfParagraph":false},{"content":"and uploading it to Path just when you installed and ran the application,","startTime":2628890,"duration":3940,"startOfParagraph":false},{"content":"and they didn't tell you about this.","startTime":2632830,"duration":3010,"startOfParagraph":false},{"content":"They thought it was really helpful for you ","startTime":2635840,"duration":2910,"startOfParagraph":false},{"content":"to be able to share with all the people in your address book","startTime":2638750,"duration":5290,"startOfParagraph":false},{"content":"that you're using the Path application.","startTime":2644040,"duration":2880,"startOfParagraph":false},{"content":"Well, obviously Path thought this was great for their 
company.","startTime":2646920,"duration":2570,"startOfParagraph":true},{"content":"Not so great to the user.","startTime":2649490,"duration":4020,"startOfParagraph":false},{"content":"You have to think that it's one thing if maybe a teenager","startTime":2653510,"duration":5510,"startOfParagraph":false},{"content":"is using this application and their dozens of friends are in there,","startTime":2659020,"duration":4680,"startOfParagraph":false},{"content":"but what if it's the CEO of a company that installs Path","startTime":2663700,"duration":5660,"startOfParagraph":false},{"content":"and then all of a sudden their whole address book is up there?","startTime":2669360,"duration":3810,"startOfParagraph":false},{"content":"You're going to get a lot of potentially valuable contact information","startTime":2673170,"duration":5140,"startOfParagraph":false},{"content":"for a lot of people.","startTime":2678310,"duration":2610,"startOfParagraph":false},{"content":"A reporter from the New York Times, you might be able to get the phone number","startTime":2680920,"duration":3580,"startOfParagraph":false},{"content":"for ex-presidents from their address book,","startTime":2684500,"duration":2880,"startOfParagraph":false},{"content":"so obviously a lot of sensitive information gets transferred with something like this.","startTime":2687380,"duration":7400,"startOfParagraph":false},{"content":"There was such a big flap about this that Path apologized.","startTime":2694780,"duration":3310,"startOfParagraph":false},{"content":"They changed their app, and it even impacted Apple.","startTime":2698090,"duration":3520,"startOfParagraph":false},{"content":"Apple said, \"We're going to force app vendors to prompt users","startTime":2701610,"duration":5340,"startOfParagraph":false},{"content":"if they're going to collect their entire address book.\"","startTime":2706950,"duration":5700,"startOfParagraph":false},{"content":"It looks like what's happening here is 
","startTime":2712650,"duration":2710,"startOfParagraph":true},{"content":"when there's one big privacy violation and it makes the press","startTime":2715360,"duration":4070,"startOfParagraph":false},{"content":"we see a change out there.","startTime":2719430,"duration":2250,"startOfParagraph":false},{"content":"But of course, there's other things out there.","startTime":2721680,"duration":1550,"startOfParagraph":false},{"content":"The LinkedIn application harvests your calendar entries,","startTime":2723230,"duration":4210,"startOfParagraph":false},{"content":"but Apple doesn't make the user be prompted about that.","startTime":2727440,"duration":7090,"startOfParagraph":false},{"content":"Calendar entries can have sensitive information in them too.","startTime":2734530,"duration":3500,"startOfParagraph":false},{"content":"Where are you going to draw the line?","startTime":2738030,"duration":1970,"startOfParagraph":false},{"content":"This is really kind of an evolving place","startTime":2740000,"duration":3960,"startOfParagraph":false},{"content":"where there's really no good standard out there","startTime":2743960,"duration":3680,"startOfParagraph":false},{"content":"for the users to understand when their information is going to be at risk","startTime":2747640,"duration":4350,"startOfParagraph":false},{"content":"and when they're going to know it's being taken.","startTime":2751990,"duration":5830,"startOfParagraph":false},{"content":"We wrote an app at Veracode called Adios,","startTime":2757820,"duration":5220,"startOfParagraph":false},{"content":"and essentially it allowed you to point the app at your iTunes directory","startTime":2763040,"duration":5310,"startOfParagraph":false},{"content":"and look at all the applications that were harvesting your full address book.","startTime":2768350,"duration":4200,"startOfParagraph":false},{"content":"And as you can see on this list here, Angry 
Birds,","startTime":2772550,"duration":7210,"startOfParagraph":false},{"content":"AIM, AroundMe.","startTime":2779760,"duration":1830,"startOfParagraph":false},{"content":"Why does Angry Birds need your address book?","startTime":2781590,"duration":2460,"startOfParagraph":false},{"content":"I don't know, but it does somehow.","startTime":2784050,"duration":5110,"startOfParagraph":false},{"content":"This is something that many, many applications do.","startTime":2789160,"duration":3150,"startOfParagraph":true},{"content":"You can inspect the code for this.","startTime":2792310,"duration":2470,"startOfParagraph":false},{"content":"There's well-defined APIs for iPhone, Android and BlackBerry","startTime":2794780,"duration":3880,"startOfParagraph":false},{"content":"to get at the address book.","startTime":2798660,"duration":3460,"startOfParagraph":false},{"content":"You can really easily inspect for this, and this is what we did in our Adios application.","startTime":2802120,"duration":6400,"startOfParagraph":false},{"content":"The next category, Unsafe Sensitive Data Storage,","startTime":2808520,"duration":3800,"startOfParagraph":false},{"content":"is something where developers take something like a PIN or an account number","startTime":2812320,"duration":3350,"startOfParagraph":false},{"content":"or a password and store it in the clear on the device.","startTime":2815670,"duration":2860,"startOfParagraph":false},{"content":"Even worse, they might store it in an area on the phone","startTime":2818530,"duration":3780,"startOfParagraph":false},{"content":"which is globally accessible, like the SD card.","startTime":2822310,"duration":4510,"startOfParagraph":false},{"content":"You see this more often on Android because Android allows for an SD card.","startTime":2826820,"duration":4500,"startOfParagraph":false},{"content":"iPhone devices don't.","startTime":2831320,"duration":1880,"startOfParagraph":false},{"content":"But we even saw this happen in a CitiGroup 
application.","startTime":2833200,"duration":4700,"startOfParagraph":false},{"content":"Their online banking application stored the account numbers insecurely,","startTime":2837900,"duration":7550,"startOfParagraph":false},{"content":"just in the clear, so if you lost your device,","startTime":2845450,"duration":2670,"startOfParagraph":false},{"content":"essentially you lost your bank account.","startTime":2848120,"duration":2550,"startOfParagraph":false},{"content":"This is why I personally don't do banking on my iPhone.","startTime":2850670,"duration":5330,"startOfParagraph":false},{"content":"I think it's too risky right now to do these kinds of activities.","startTime":2856000,"duration":7710,"startOfParagraph":false},{"content":"Skype did the same thing.","startTime":2863710,"duration":2240,"startOfParagraph":true},{"content":"Skype, of course, has an account balance, a user name and password","startTime":2865950,"duration":3920,"startOfParagraph":false},{"content":"that access that balance.","startTime":2869870,"duration":1160,"startOfParagraph":false},{"content":"They were storing all that information in the clear on the mobile device.","startTime":2871030,"duration":9050,"startOfParagraph":false},{"content":"I have some examples here of creating files","startTime":2880080,"duration":5680,"startOfParagraph":false},{"content":"that don't have the right permissions or writing to disc","startTime":2885760,"duration":4550,"startOfParagraph":false},{"content":"and not having any encryption happen for that.","startTime":2890310,"duration":6950,"startOfParagraph":false},{"content":"This next area, Unsafe Sensitive Data Transmission,","startTime":2897260,"duration":2930,"startOfParagraph":false},{"content":"I've alluded to this a few times, and because of public Wi-Fi","startTime":2900190,"duration":4260,"startOfParagraph":false},{"content":"this is something that apps absolutely need to 
do,","startTime":2904450,"duration":3320,"startOfParagraph":false},{"content":"and this is probably what we see go wrong the most.","startTime":2907770,"duration":3480,"startOfParagraph":false},{"content":"I would say—actually, I think I have the actual data,","startTime":2911250,"duration":3670,"startOfParagraph":false},{"content":"but it's close to half the mobile applications","startTime":2914920,"duration":3200,"startOfParagraph":false},{"content":"screw up doing SSL.","startTime":2918120,"duration":3660,"startOfParagraph":false},{"content":"They just don't use the APIs correctly.","startTime":2921780,"duration":2130,"startOfParagraph":false},{"content":"I mean, all you've got to do is follow the instructions and use the APIs,","startTime":2923910,"duration":4060,"startOfParagraph":false},{"content":"but they do things like not check whether there is an invalid certificate at the other end,","startTime":2927970,"duration":6750,"startOfParagraph":false},{"content":"not check if the other end is trying to do a protocol downgrade attack.","startTime":2934720,"duration":7400,"startOfParagraph":false},{"content":"The developers, they want to get their checkbox, right?","startTime":2942120,"duration":5080,"startOfParagraph":true},{"content":"Their requirement is to use this to sell. 
They've used this to sell.","startTime":2947200,"duration":4710,"startOfParagraph":false},{"content":"The requirement isn't to use this to sell securely,","startTime":2951910,"duration":2890,"startOfParagraph":false},{"content":"and so this is why all applications that use SSL to secure data","startTime":2954800,"duration":4880,"startOfParagraph":false},{"content":"as it's being transmitted off the device really need to be inspected","startTime":2959680,"duration":3790,"startOfParagraph":false},{"content":"to make sure that was implemented correctly.","startTime":2963470,"duration":5480,"startOfParagraph":false},{"content":"And here I have some examples where you can see an application ","startTime":2968950,"duration":3900,"startOfParagraph":false},{"content":"might be using HTTP instead of HTTPS.","startTime":2972850,"duration":4550,"startOfParagraph":false},{"content":"In some cases apps will fall back to HTTP","startTime":2977400,"duration":3110,"startOfParagraph":false},{"content":"if the HTTPS isn't working.","startTime":2980510,"duration":3740,"startOfParagraph":false},{"content":"I have another call here on Android where they've disabled the certificate check,","startTime":2984250,"duration":4820,"startOfParagraph":false},{"content":"so a man-in-the-middle attack can happen.","startTime":2989070,"duration":2630,"startOfParagraph":false},{"content":"An invalid certificate will be accepted.","startTime":2991700,"duration":4670,"startOfParagraph":false},{"content":"These are all cases where attackers are going to be able to get on","startTime":2996370,"duration":5550,"startOfParagraph":false},{"content":"the same Wi-Fi connection as the user and access all the data","startTime":3001920,"duration":5230,"startOfParagraph":false},{"content":"that's being sent over the internet.","startTime":3007150,"duration":4500,"startOfParagraph":false},{"content":"And finally, the last category I have here is hardcoded password and 
keys.","startTime":3011650,"duration":4320,"startOfParagraph":true},{"content":"We actually see a lot of developers use the same coding style","startTime":3015970,"duration":5500,"startOfParagraph":false},{"content":"that they did when they were building web server applications,","startTime":3021470,"duration":4430,"startOfParagraph":false},{"content":"so they're building a Java server application, and they're hardcoding the key.","startTime":3025900,"duration":3800,"startOfParagraph":false},{"content":"Well, when you're building a server application, yeah,","startTime":3029700,"duration":2240,"startOfParagraph":false},{"content":"hardcoding the key is not a good idea.","startTime":3031940,"duration":2300,"startOfParagraph":false},{"content":"It makes it difficult to change.","startTime":3034240,"duration":2050,"startOfParagraph":false},{"content":"But it's not so bad on the server side because who has access to the server side?","startTime":3036290,"duration":4410,"startOfParagraph":false},{"content":"Only the administrators.","startTime":3040700,"duration":2440,"startOfParagraph":false},{"content":"But if you take the same code and you ported it over to a mobile application ","startTime":3043140,"duration":4960,"startOfParagraph":false},{"content":"now everyone who has that mobile application has access to that hardcoded key,","startTime":3048100,"duration":4450,"startOfParagraph":false},{"content":"and we actually see this a lot of times, and I have some statistics ","startTime":3052550,"duration":3830,"startOfParagraph":false},{"content":"on how often we see this happen.","startTime":3056380,"duration":4540,"startOfParagraph":false},{"content":"It actually was in example code that MasterCard published ","startTime":3060920,"duration":4020,"startOfParagraph":false},{"content":"on how to use their service.","startTime":3064940,"duration":1910,"startOfParagraph":false},{"content":"The example code showed how you would just take the 
password","startTime":3066850,"duration":5010,"startOfParagraph":false},{"content":"and put it in a hardcoded string right there,","startTime":3071860,"duration":2990,"startOfParagraph":false},{"content":"and we know how developers love to copy and paste code snippets","startTime":3074850,"duration":4530,"startOfParagraph":false},{"content":"when they're trying to do something, so you copy and paste the code snippet","startTime":3079380,"duration":2980,"startOfParagraph":false},{"content":"that they gave as example code, and you have an insecure application.","startTime":3082360,"duration":6090,"startOfParagraph":false},{"content":"And here we have some examples.","startTime":3088450,"duration":3040,"startOfParagraph":true},{"content":"This first one is one we see a lot where they hardcode","startTime":3091490,"duration":4350,"startOfParagraph":false},{"content":"the data right into a URL that gets sent.","startTime":3095840,"duration":4670,"startOfParagraph":false},{"content":"Sometimes we see string password = the password.","startTime":3100510,"duration":4610,"startOfParagraph":false},{"content":"That's pretty easy to detect, or string password on BlackBerry and Android.","startTime":3105120,"duration":3940,"startOfParagraph":false},{"content":"It's actually pretty easy to check for because almost always","startTime":3109060,"duration":4620,"startOfParagraph":false},{"content":"the developer names the variable that's holding the password","startTime":3113680,"duration":3350,"startOfParagraph":false},{"content":"some variation of password.","startTime":3117030,"duration":5260,"startOfParagraph":false},{"content":"I mentioned that we do static analysis at Veracode,","startTime":3122290,"duration":2910,"startOfParagraph":false},{"content":"so we've analyzed several hundred Android and iOS applications.","startTime":3125200,"duration":6590,"startOfParagraph":false},{"content":"We've built full models of them, and we're able to scan 
them","startTime":3131790,"duration":3370,"startOfParagraph":false},{"content":"for different vulnerabilities, especially the vulnerabilities I was talking about,","startTime":3135160,"duration":4120,"startOfParagraph":false},{"content":"and I have some data here.","startTime":3139280,"duration":1770,"startOfParagraph":false},{"content":"68.5% of the Android apps we looked at","startTime":3141050,"duration":3270,"startOfParagraph":false},{"content":"had broken cryptographic code,","startTime":3144320,"duration":4270,"startOfParagraph":false},{"content":"which for us, we can't detect if you made your own crypto routine,","startTime":3148590,"duration":4650,"startOfParagraph":false},{"content":"not that that's a good idea, but this is actually using the published APIs","startTime":3153240,"duration":5740,"startOfParagraph":false},{"content":"that are on the platform but doing them in such a way ","startTime":3158980,"duration":3550,"startOfParagraph":false},{"content":"that the crypto would be vulnerable, 68.5.","startTime":3162530,"duration":4150,"startOfParagraph":false},{"content":"And this is for people that are sending us their applications actually because ","startTime":3166680,"duration":3190,"startOfParagraph":false},{"content":"they think it's a good idea to do security testing.","startTime":3169870,"duration":3860,"startOfParagraph":false},{"content":"These are already people that are probably thinking securely,","startTime":3173730,"duration":3230,"startOfParagraph":false},{"content":"so it's probably even worse.","startTime":3176960,"duration":2580,"startOfParagraph":false},{"content":"I didn't talk about control line feed injection.","startTime":3179540,"duration":3150,"startOfParagraph":true},{"content":"It's something we check for, but it's not that risky an issue.","startTime":3182690,"duration":4950,"startOfParagraph":false},{"content":"Information leakage, this is where sensitive data is being sent off the 
device.","startTime":3187640,"duration":7750,"startOfParagraph":false},{"content":"We found that in 40% of the applications.","startTime":3195390,"duration":3880,"startOfParagraph":false},{"content":"Time and state, those are race condition type issues, typically pretty hard to exploit,","startTime":3199270,"duration":4270,"startOfParagraph":false},{"content":"so I didn't talk about that, but we looked at it.","startTime":3203540,"duration":2630,"startOfParagraph":false},{"content":"23% had SQL injection issues.","startTime":3206170,"duration":2580,"startOfParagraph":false},{"content":"A lot of people don't know that a lot of applications","startTime":3208750,"duration":3270,"startOfParagraph":false},{"content":"use a small little SQL database on their back end to store data.","startTime":3212020,"duration":3860,"startOfParagraph":false},{"content":"Well, if the data that you're grabbing over the network","startTime":3215880,"duration":4550,"startOfParagraph":false},{"content":"has SQL injection attack strings in it","startTime":3220430,"duration":3370,"startOfParagraph":false},{"content":"someone can compromise the device through that,","startTime":3223800,"duration":2170,"startOfParagraph":false},{"content":"and so I think we find about 40% of web applications have this problem,","startTime":3225970,"duration":3830,"startOfParagraph":false},{"content":"which is a huge epidemic problem.","startTime":3229800,"duration":3040,"startOfParagraph":false},{"content":"We find it 23% of the time in mobile apps","startTime":3232840,"duration":2900,"startOfParagraph":false},{"content":"and that's probably because many more web applications use SQL than mobile.","startTime":3235740,"duration":6290,"startOfParagraph":false},{"content":"And then we still see some cross-site scripting, authorization issues, ","startTime":3242030,"duration":3550,"startOfParagraph":true},{"content":"and then credential management, that's where you have your hardcoded 
password.","startTime":3245580,"duration":3820,"startOfParagraph":false},{"content":"In 5% of the applications we see that.","startTime":3249400,"duration":5140,"startOfParagraph":false},{"content":"And then we have some data on iOS.","startTime":3254540,"duration":3430,"startOfParagraph":false},{"content":"81% had error handling issues.","startTime":3257970,"duration":2210,"startOfParagraph":false},{"content":"This is more of a code quality problem,","startTime":3260180,"duration":2950,"startOfParagraph":false},{"content":"but 67% had cryptographic issues, so not quite as bad as Android.","startTime":3263130,"duration":4880,"startOfParagraph":false},{"content":"Maybe the APIs are a little bit easier, the example code's a little better on iOS.","startTime":3268010,"duration":4430,"startOfParagraph":false},{"content":"But still a very high percentage.","startTime":3272440,"duration":2980,"startOfParagraph":false},{"content":"We had 54% with information leakage,","startTime":3275420,"duration":3620,"startOfParagraph":false},{"content":"about 30% with buffer management errors.","startTime":3279040,"duration":3040,"startOfParagraph":false},{"content":"That's places where there could potentially be a memory corruption issue.","startTime":3282080,"duration":3850,"startOfParagraph":false},{"content":"It turns out that that's not as much of a problem for exploitation","startTime":3285930,"duration":4420,"startOfParagraph":false},{"content":"on iOS because all the code has to be signed,","startTime":3290350,"duration":6100,"startOfParagraph":false},{"content":"so it's hard for an attacker to execute arbitrary code on iOS.","startTime":3296450,"duration":5760,"startOfParagraph":false},{"content":"Code quality, directory traversal, but then credentials management here at 14.6%,","startTime":3302210,"duration":5670,"startOfParagraph":false},{"content":"so worse than on the Android.","startTime":3307880,"duration":1370,"startOfParagraph":false},{"content":"We have people not 
handling passwords correctly.","startTime":3309250,"duration":3990,"startOfParagraph":false},{"content":"And then the numeric errors and buffer overflow,","startTime":3313240,"duration":2550,"startOfParagraph":false},{"content":"those are more going to be code quality issues on iOS.","startTime":3315790,"duration":6890,"startOfParagraph":false},{"content":"That was it for my presentation. I don't know if we're out of time or not.","startTime":3322680,"duration":3430,"startOfParagraph":true},{"content":"I don't know if there's any questions.","startTime":3326110,"duration":3430,"startOfParagraph":false},{"content":"[Male] A quick question around fragmentation and the Android market.","startTime":3329540,"duration":3680,"startOfParagraph":false},{"content":"Apple at least owns patching.","startTime":3333220,"duration":3020,"startOfParagraph":false},{"content":"They do a good job of getting it out there whereas less so in the Android space.","startTime":3336240,"duration":4540,"startOfParagraph":false},{"content":"You almost need to jailbreak your phone to stay current","startTime":3340780,"duration":3500,"startOfParagraph":false},{"content":"with the current release of Android.","startTime":3344280,"duration":2380,"startOfParagraph":false},{"content":"Yeah, that's a huge problem and so if you think about—","startTime":3346660,"duration":4300,"startOfParagraph":false},{"content":"[Male] Why can't you repeat it?","startTime":3350960,"duration":1320,"startOfParagraph":false},{"content":"Oh, right, so the question was what about fragmentation","startTime":3352280,"duration":3330,"startOfParagraph":true},{"content":"of the operating system on the Android platform?","startTime":3355610,"duration":4800,"startOfParagraph":false},{"content":"How does that affect the riskiness of those devices?","startTime":3360410,"duration":5480,"startOfParagraph":false},{"content":"And it actually is a huge problem because what happens 
is","startTime":3365890,"duration":3810,"startOfParagraph":false},{"content":"the older devices, when someone comes up with a jailbreak for that device,","startTime":3369700,"duration":5410,"startOfParagraph":false},{"content":"essentially that's privilege escalation, and until that operating system is updated","startTime":3375110,"duration":4850,"startOfParagraph":false},{"content":"any malware can then use that vulnerability to totally compromise the device,","startTime":3379960,"duration":5390,"startOfParagraph":false},{"content":"and what we're seeing on the Android is in order to get a new operating system","startTime":3385350,"duration":4850,"startOfParagraph":false},{"content":"Google has to put out the operating system, and then the hardware manufacturer","startTime":3390200,"duration":4490,"startOfParagraph":false},{"content":"has to customize it, and then the carrier has to customize it and deliver it.","startTime":3394690,"duration":4700,"startOfParagraph":false},{"content":"You have basically 3 moving parts here, ","startTime":3399390,"duration":3680,"startOfParagraph":false},{"content":"and it's turning out that the carriers don't care, ","startTime":3403070,"duration":4140,"startOfParagraph":false},{"content":"and the hardware manufacturers don't care, and Google is not prodding them enough","startTime":3407210,"duration":3190,"startOfParagraph":false},{"content":"to do anything, so essentially over half of the devices out there","startTime":3410400,"duration":4030,"startOfParagraph":false},{"content":"have operating systems that have these privilege escalation vulnerabilities in them,","startTime":3414430,"duration":6160,"startOfParagraph":false},{"content":"and so if you get malware on your Android device it's much more of a problem.","startTime":3420590,"duration":7850,"startOfParagraph":false},{"content":"Okay, thank you very 
much.","startTime":3428440,"duration":1910,"startOfParagraph":true},{"content":"[Applause]","startTime":3430350,"duration":1960,"startOfParagraph":false},{"content":"[CS50.TV]","startTime":3432310,"duration":2000,"startOfParagraph":false}]}