Top 3 Mobile App Security Takeaways from Black Hat USA 2019 and DEFCON 27
I attended my first DEF CON in 2013, and I was lucky to make it back to Chicago unscathed. One of my more memorable Black Hat / DEF CONs however was in 2017 when I came back to my hotel room after a vendor party to find a terrifying animatronic zombie mannequin with glowing green eyes smuggled into my room by former colleagues.
So I chuckle at the “Dangers of DEF CON” stories that air on Las Vegas news while hackers gather in town for Black Hat USA and DEF CON, the premier information security industry events of the year. I’d argue that the greatest risk is the scare of your life courtesy of rascally former colleagues.
This year’s events were larger than ever. I returned safely yet again, and without a zombie. Here are the three themes related to mobile device and app security that I came back with this year:
- DevOps has proven itself, but it requires a different approach to information security that security pros need to embrace.
- Security is a journey not a destination, and well-intentioned security researchers fuel our progress.
- Researchers are seeing signs of malicious actors evolving their attacks on mobile apps and devices (and yes, iOS has security problems, too).
1. DevOps/DevSecOps: Get Involved or Get Left Behind
DevOps and DevSecOps were themes of many presentations during Black Hat, but I was able to attend two talks devoted specifically to the topic, and both caught my immediate attention.
Black Hat USA 2019 kicked off with a focus on DevOps and how information security professionals need to adapt to the new paradigm. In his keynote, “Every Security Team is a Software Team Now,” Dino Dai Zovi, Mobile Security Lead at Square, made the point that when the DevOps concept arrived a decade ago, software teams began to own deployment and uptime themselves.
Now, he argued, it’s time for development teams to own security as well. Security professionals will need to learn to deliver value to developers by providing self-service tools and platforms. He suggested that security pros switch their perspective from being solely critics and instead think about why a development team might “hire” them for the job of security, and how they can better deliver on that value.
On the same topic, the tag team of Dr. Nicole Forsgren of Google Cloud and Kelly Shortridge of Capsule8 began by sounding an alarm for the information security community, warning “Infosec has a choice: marry DevOps or be rendered impotent and irrelevant.” Their talk “Controlled Chaos: The Inevitable Marriage of DevOps & Security” was one of my favorites at Black Hat because of their no-nonsense tone and ambitious ideas. For example, they said the advent of cloud and microservices created the “Infosec Copernican Revolution.”
The Copernican Revolution was the realization that the Sun, not the Earth, sits at the center of the solar system. Similarly, security no longer revolves around the network perimeter or the firewall. They also suggested that the Confidentiality, Integrity, and Availability (CIA) triad that traditionally guides information security should give way to the Distributed, Immutable, and Ephemeral (D.I.E.) model, originally proposed by Sounil Yu:
- Distributed – multiple systems support the same goal, and spreading infrastructure and resources across them reduces the impact of a DoS attack on any one of them
- Immutable – resources and infrastructure don’t change after deployment; disallowing shell access to a production server means changes go through the pipeline rather than being made by hand, and a foothold gained on a host doesn’t survive a redeploy
- Ephemeral – resources and infrastructure have a short lifespan, so they “die” after a task and are of less use to an attacker who compromises them
The talk cited a number of leading companies that have already implemented some of these practices, but it will be interesting to see whether more people and businesses heed the warning from Forsgren and Shortridge.
2. Empowering Researchers to Find Vulnerabilities First
In the spirit of incentivizing more security researchers to spend their time helping to harden Apple’s systems, Ivan Krstić, Apple’s Head of Security Engineering and Architecture, announced updates to the Apple Bug Bounty program during his talk “Behind the Scenes of iOS and Mac Security”. Some would say these updates were a long time coming.
Setting the stage for Krstić’s session on Thursday, a number of talks throughout the two conferences explored the iOS attack surface:
- Tencent researchers demonstrated a bypass of Face ID’s attention detection using a pair of glasses with tape placed over the lenses, in their talk “Biometric Authentication Under Threat: Liveness Detection Hacking”. The attack requires physical access to an unconscious victim, which limits its reach but not its lesson: liveness checks can be fooled with cheap props.
- Google Project Zero Security Researcher Natalie Silvanovich explained her discovery of a group of iPhone vulnerabilities across SMS, MMS, visual voice mail, email, and iMessage during her talk, “Look, No Hands! — The Remote, Interaction-less Attack Surface of the iPhone”
- Security experts from Alibaba explained how iOS APIs could be abused to uniquely identify and track users across multiple devices in their talk, “All Your Apple are Belong to Us: Unique Identification and Cross-Device Tracking of Apple Devices”
My purpose in listing the talks above is not to disparage Apple or the security of iOS. It’s important to remember that even with Apple’s control of both the hardware and software of their devices, iOS has security vulnerabilities just as Android does. Businesses, especially banks, cannot depend on the mobile operating system alone to protect their apps against attack or their users against fraud. Additionally, encouraging as many virtuous researchers as possible to scrutinize the security of both ecosystems helps us all.
In the interest of doing just that, Krstić detailed several positive developments in the Apple bug bounty program that will give some of the best minds in security research a reason to focus their expertise on making iOS more secure.
Previously, Apple’s bug bounty program was invite-only. Come September, the program will be open to any and all security researchers. In addition, the prior maximum payout of $200,000 has been raised, topping out at $1 million (with the possibility of a 50% bonus on top of that if the bug is found in pre-release software) for a zero-click exploit that achieves persistent code execution in the kernel, the iPhone’s most privileged layer and a holy grail of iOS attacks.
Apple’s previous, relatively small bounties were criticized because they couldn’t compete with the rewards paid by the black market or by exploit acquisition companies that sell exploits to government spy agencies. Zerodium, one such company, pays up to $2 million for a remote, zero-click jailbreak exploit of iOS.
Zerodium doesn’t share information about its iOS exploits with Apple, because that would devalue the exploits it sells. But if researchers share their findings with Apple, the company can fix the vulnerability and make all iOS users more secure. As part of the program, Apple will also provide a special research iPhone, with shell access and advanced debugging enabled (informally, a pre-jailbroken phone), to approved security researchers. This gives them an advantage in finding vulnerabilities before their less reputable peers do.
On the subject of secret exploits, one such example inspired Silvanovich to explore attacks on iOS that don’t require user interaction. As an introduction, she quoted a news article about a team of former U.S. intelligence operatives helping the United Arab Emirates surveil persons of interest using malware dubbed “Karma”. Karma could obtain emails, location, text messages, and photographs from targets’ iPhones without any user interaction.
Karma was thought to take advantage of an undisclosed vulnerability in Apple iMessage. The article piqued Silvanovich’s curiosity: did such vulnerabilities exist? Were they exploitable? What else besides iMessage might have similar issues? In the end, one of the several bugs she discovered allowed her to remotely steal files through iMessage on iOS 12.3.1. The good news is that Silvanovich reported her findings to Apple so that they could be fixed. We all benefit from more of this.
3. Mobile Threat Actors Are Evolving their Approaches
Talks at both Black Hat and DEF CON touched on the fact that attackers are changing how they attack the mobile channel, specifically by moving to the supply chain.
For example, Google Project Zero security researcher Maddie Stone explained during her talk, “Securing the System: A Deep Dive into Reversing Android Pre-Installed Apps,” that it’s becoming more difficult to exploit or root Android. In response, attackers are trying to convince device manufacturers to ship malicious, pre-installed apps on their devices.
In many cases, these original equipment manufacturers and original design manufacturers (OEMs/ODMs) are producing extremely inexpensive phones on slim margins and are thirsty for additional revenue. Miscreants know this and may present the manufacturer with what they call a “mobile payment solution” or “advertising SDK” that promises commission revenue. Instead, the solution or SDK includes malicious code that enrolls users’ devices in a botnet.
In one case, a fonts application from a third-party developer called EagerFonts included an “advertising SDK.” That SDK downloaded and ran “plug-ins” that were actually malicious trojans such as Chamois (described elsewhere by Stone as the “biggest botnet you’ve never heard of”), Snowfox, and others. The scheme affected more than 250 OEMs and 1,000 different device models.
Well-known cryptographer and information security expert Bruce Schneier also made the point that the security of a mobile device can be subverted at any point in its life: during development, during shipping, and so on. The mobile attack surface is far less contained than many of us assume, and app developers need to remember that any of their users’ devices may be a compromised, hostile environment. Hardening Android and iOS apps so they can operate safely in such environments, and so they can tell the backend when the environment looks untrustworthy, is all the more important.
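One concrete form that hardening takes is a startup check that looks for signs the host device is hostile before the app handles anything sensitive. The following Kotlin is an added example written for this post; it is not code from any of the talks, from Google, or from any vendor mentioned here. The su paths and root-manager package names are an illustrative, incomplete list, and `expectedSigningCertSha256` is assumed to be the SHA-256 fingerprint of the signing certificate the app actually shipped with (used to detect a repackaged build).

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import android.os.Debug
import java.io.File
import java.security.MessageDigest

/**
 * Added example: heuristic "hostile environment" checks an Android app can run
 * at startup. Every signal here can be hidden by a determined attacker
 * (Magisk Hide, Frida hooks, etc.), so treat the result as one input to a
 * risk decision shared with the backend, never as the only gate.
 */
object HostileEnvironmentCheck {

    // Common su binary locations on rooted devices (illustrative, not exhaustive).
    private val SU_PATHS = listOf(
        "/system/bin/su", "/system/xbin/su", "/sbin/su",
        "/data/local/xbin/su", "/system/app/Superuser.apk"
    )

    // Package names of well-known root managers (illustrative, not exhaustive).
    private val ROOT_MANAGER_PACKAGES = listOf(
        "com.topjohnwu.magisk", "eu.chainfire.supersu", "com.noshufou.android.su"
    )

    data class Result(
        val rootIndicators: List<String>,
        val debuggerAttached: Boolean,
        val signatureMismatch: Boolean
    ) {
        val isHostile: Boolean
            get() = rootIndicators.isNotEmpty() || debuggerAttached || signatureMismatch
    }

    /** expectedSigningCertSha256: hex SHA-256 of the release signing certificate (assumed known). */
    fun run(context: Context, expectedSigningCertSha256: String): Result {
        val indicators = mutableListOf<String>()

        // 1. su binaries present on the filesystem
        SU_PATHS.filter { File(it).exists() }
            .forEach { indicators.add("su binary at $it") }

        // 2. root manager apps installed
        val pm = context.packageManager
        for (pkg in ROOT_MANAGER_PACKAGES) {
            try {
                pm.getPackageInfo(pkg, 0)
                indicators.add("root manager installed: $pkg")
            } catch (e: PackageManager.NameNotFoundException) {
                // not installed; nothing to record
            }
        }

        // 3. builds signed with test-keys are custom ROMs or engineering builds
        if (Build.TAGS?.contains("test-keys") == true) {
            indicators.add("build signed with test-keys")
        }

        // 4. a debugger attached at runtime is a strong tampering signal
        val debugger = Debug.isDebuggerConnected()

        // 5. our own APK's signing certificate must match what we shipped;
        //    a mismatch means the app was repackaged and re-signed
        val actual = signingCertSha256(context)
        val signatureMismatch = actual == null ||
            !actual.equals(expectedSigningCertSha256, ignoreCase = true)

        return Result(indicators, debugger, signatureMismatch)
    }

    /** Hex SHA-256 of the first signing certificate of this app, or null if unavailable. */
    private fun signingCertSha256(context: Context): String? {
        val pm = context.packageManager
        val certBytes: ByteArray = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            val info = pm.getPackageInfo(context.packageName, PackageManager.GET_SIGNING_CERTIFICATES)
            info.signingInfo.apkContentsSigners.firstOrNull()?.toByteArray() ?: return null
        } else {
            @Suppress("DEPRECATION")
            val info = pm.getPackageInfo(context.packageName, PackageManager.GET_SIGNATURES)
            @Suppress("DEPRECATION")
            info.signatures.firstOrNull()?.toByteArray() ?: return null
        }
        return MessageDigest.getInstance("SHA-256")
            .digest(certBytes)
            .joinToString("") { "%02x".format(it) }
    }
}

// Usage from an Application or Activity (expected fingerprint is a placeholder assumption):
// val verdict = HostileEnvironmentCheck.run(applicationContext, "0123abcd...")
// if (verdict.isHostile) { /* degrade functionality and report the indicators to the backend */ }
```

The design choice worth noting is that the check reports *which* indicators fired rather than a single boolean, so the backend can weigh a test-keys build (common on enthusiast devices) differently from a signature mismatch (almost always a repackaged app). Because all of these checks run on the attacker's device, they should be paired with a server-side signal such as platform attestation; that is the same lesson as not relying on the OS alone.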
Everything is vulnerable, but there’s hope.
Looking Ahead to Next Year’s DEF CON and Black Hat USA
All in all, I remain hopeful despite all of the security issues in the technology we use every day. It simply requires the realization that nothing can ever be 100% invulnerable. An attacker with enough skill, time, and resources can nearly always find a way in; the objective is to make that as difficult as possible. Thankfully, we’ve got hackers who can do the same thing, but they’re on our side. And I’d argue that, in general, companies are also slowly getting somewhat better at protecting themselves and their users.
I look forward to next year and to signs of additional progress. I expect to hear less about how to get started integrating security into DevOps and more about getting better at it or optimizing existing processes. I also think that even more talks about iOS security on next year’s agenda might signal that Apple’s bug bounty improvements are achieving the objective of making iOS more secure. Finally, I’m hoping that next year more companies explain the supply-chain security issues they identified and how they mitigated them, especially in terms of mobile devices and mobile app development, so that the larger community can learn from their efforts. See you next year!