Here’s a quick post to let you know all the places to get your Veracode fix at RSA Conference 2010.
On the Expo floor, we’ll be in booth 729. I’ll be at the booth for a few hours on Tuesday and Wednesday. Stop by if you’d like to talk about our service offerings, get a quick demo, or just say hello.
There have been a lot of great articles written in the wake of my presentation on Mobile Spyware at Shmoocon 2010. Many of them show wonderful insight into the problems that mobile carriers and owners of the mobile applications stores are facing. However, for every handful of great articles, we occasionally come across a technical expert that presents a different viewpoint. Usually it’s best to let the articles stand on their own merit and let the readers decide for themselves, but in this instance I think it might be best to use a recent article to demonstrate how incorrect statements create confusion about the issues.
The article I’m referring to is Mobile security: Hackers kept at bay by lack of a standard platform. The article does not directly reference my presentation, but it does make some points that just don’t make sense. The first half of the article has some expert commentary that is cause for concern, while the second half raises interesting questions that bolster my arguments.
In the first half of the article, the author turned to Candid Wueest, senior threat researcher at Symantec, for comments on monocultures in the arena of mobile malware, ease of malware creation, and the safety of downloading applications from the device manufacturers application marketplace.
As long as smartphone users download applications only through authorised, moderated channels, he argues, they can be confident their mobile platform will limit the actions these applications can perform.
This is absolutely not true. I showed in my presentation examples of spyware that has already been discovered sourcing from so called “authorized, moderated channels” such as the Google Android Marketplace and the Apple iTunes store. This is exactly the type of false sense of security that is coming from the “authorized” marketplaces and trickling down to the consumer. In this instance we see the level of trust that even a subject matter expert is giving to the mobile application stores to provide only secure and trusted applications. Until the application store operators become transparent with their procedures and policies regarding the security of applications they make available, the above statement only makes the problem worse.
“At the same time, he adds, relatively few hackers have the in-depth skills and understanding necessary to create viruses capable of targeting a specific mobile platform.”
Programming, specifically Java, is not my daily job. It’s not what I do day in and day out. I am far from an expert with in-depth skills when it comes to writing mobile malware, yet it didn’t take me all that long to figure it out. I went from zero blackberry knowledge to programming a fully functional piece of spyware within a month or two. I’d say that it doesn’t really take “in-depth skills and understanding” to create malware capable of targeting a specific mobile platform.
“A monoculture is far more helpful to virus writers, so while we’ve seen 4m viruses, worms and trojans attack Windows, we’ve seen only 400 kinds of malware aimed at mobile platforms,” he says.
While I agree that a monoculture is far more helpful to virus writers, it’s not like we are dealing with a culture that has 100+ different options. If you target iPhone and Blackberry alone you would get a huge percentage of the US market, and if you throw in Symbian you cover a good chunk of Europe as well. We also have to consider the amount of time that people have kept sensitive data on Windows systems and how long they have kept that same data on their smartphones. Smartphones have really come into vogue as miniature computing systems in the last year or two, while full service computing systems have been around for ages.
I’m not suggesting that the mobile apocalypse is coming in 2010. What I am suggesting is that 2010 will see a notable increase in the amount of malware created and propagated via the mobile application store fronts such as iTunes, Blackberry App Center, and the Google Android Marketplace. The data is migrating to the hand held, so will the cyberattacks.
Some of the media coverage to date has described Tyler Shields’ proof-of-concept spyware as a “BlackBerry hack”, much to our chagrin. In this blog post, we’d like to clarify some of the misconceptions that have surfaced both in the media and in the BlackBerry user community. Feel free to post additional questions in the comments section and we’ll do our best to respond.
Q: This isn’t a real hack, is it? Tyler’s program is similar to many applications already on the market.
We’ve tried to make it clear from the beginning that txsBBSpy is a demonstration of public, documented APIs and should not be considered a hack, an exploit, or a vulnerability in the BlackBerry OS or infrastructure. There are many commercial apps, including FlexiSpy, SmrtGuard, Mobile Spy, and others, all of which utilize the same BlackBerry APIs. But these apps must be purchased, and they’re only available in compiled form.
What’s notable about txsBBSpy is that we’ve released source code to demonstrate how the application works. This serves as an educational resource as well as an eye-opener showing how simple it is to implement malicious functionality.
Q: Is the spyware risk unique to BlackBerry?
Not at all, it’s just the platform we decided to research. Similar work has been done on other mobile platforms such as iPhone, including this presentation from Nicolas Seriot delivered at BlackHat 2010 in Washington, DC last week. His proof-of-concept application, SpyPhone, takes the same approach as txsBBSpy by demonstrating what can be accomplished using public APIs. Any mobile platforms that can run third-party applications have similar risks.
Q: Wouldn’t you still have to trick a human into installing the spyware?
Yes, but this doesn’t negate the risk. Consider the parallel in the PC world. People inadvertently install spyware on their computers because they wanted a cool toolbar or because some message told them they were supposed to. Users make bad choices. If they didn’t, we wouldn’t have a multi-billion dollar anti-virus industry.
The same risks apply to mobile devices. People will install applications. It’s fair enough to say that most users wouldn’t install an app called txsBBSpy, but many would happily download a game featuring dancing bears. All joking aside, there is nothing to prevent an otherwise legitimate program from including unadvertised, malicious functionality. What assurances do you have that the Twitter client, RSS aggregator, or video game that you installed on your BlackBerry isn’t also stealing your emails or intercepting your text messages? Case in point, the Etisalat spyware would have gone completely unnoticed had it not been for a poorly architected “phone home” routine.
Q: RIM requires all apps to be signed. Doesn’t that protect against the spyware risk?
Not at all. It’s a minor hurdle at best. Anyone with $20 and a name (doesn’t have to be your actual name) can get a code signing key. There are plenty of ways to obtain a key anonymously, if you think hard enough; Tyler alluded to a couple during his ShmooCon presentation.
Once a developer has a key, he simply submits a SHA-1 hash of the .cod file to RIM, who will respond back with a RIM signature which gives the application permission to use the requested controlled APIs at runtime. RIM never receives the source code or the compiled application, so they have no way of inspecting its functionality. Further, there is no revocation list for malicious applications. If a developer releases a malicious application, RIM can refuse to sign his apps in the future, but they can’t prevent an app from running once it’s been signed, nor can they prevent the developer from obtaining another anonymous key and creating additional code any time he wants.
Q: Isn’t this whole thing overblown, since BlackBerry users can set permissions for each app they install?
The BlackBerry OS does provide granular controls for application permissions that are configurable by the user. Access to connections, interactions, and user data are split into about 20 categories, each of which can be set to Allow, Deny, or Prompt. The problem is that most users don’t take advantage of these features. According to a Trend Micro survey of 1,016 U.S. smartphone users in June 2009, only 23% of smartphone owners use the security software installed on the devices. During a webinar we held earlier today, we posed this question to attendees: “Do you enable application level security for each application on your BlackBerry device?” Only 15% of attendees answered yes, and that’s for a technical audience. I’d assume the number would be well below 15% across a representative sampling of BlackBerry users.
The other misconception around application permissions is that you’ll always be prompted before the application can access any user data. In reality, the DEFAULT application permissions in both the 4.x and 5.0 BlackBerry OS allow third-party applications to access emails, organizer data (contacts, etc.), files, device settings, media, and many other categories without prompting. Tyler’s slide deck provides a complete listing of default permissions for third-party apps.
Now, the defaults are already pretty loose, but the OS is even more permissive for applications that have been granted “trusted” status. At installation time, the user is asked “Is this a trusted application?” and if they answer “Yes”, the application is given even greater freedom to access phone connections, location data, the Internet, and more, without further prompting. Users don’t think twice about granting trusted access because they hate being inconvenienced by prompts every time the app wants to do something. How does a user know whether or not it’s safe to give an application trusted status?
Q: Aren’t enterprise users immune to spyware, due to BES features that prevent unwanted applications from being installed?
IT Policies on the BlackBerry Enterprise Server (BES) can be configured to restrict which third-party apps employees can install, but this raises a similar question: how does the IT staff know whether or not to whitelist an application? They have no way to objectively assess whether they should trust the application.
Q: Don’t the mobile app stores already screen applications for spyware before making them available for download?
The app stores have a unique opportunity to screen submitted applications for malicious behavior, but none of them have come out publicly saying that they do so. There are several references in Tyler’s presentation of malicious apps that have been accepted into various mobile app stores, so we know that the screening processes are not rigorous. Anecdotally, we know that RIM is concerned mostly with ensuring that third-party applications do not crash the operating system. From media reports, we know that the iTunes App Store is concerned with profanity, supposed “misuse” of Apple trademarks, and apparently even mentioning the names of other handsets (but harvesting phone numbers is fine).
The intersection of bad user behavior and app store inaction creates a target rich environment for malicious mobile applications.
[UPDATE, 2/10/2010: We've written a follow-up blog post to address some of the questions and misconceptions we've been seeing.]
Tyler Shields gave a presentation earlier today at ShmooCon 2010 on the threats of mobile spyware, particularly as it relates to data privacy. Smart phones and mobile applications have grown tremendously popular over the past couple of years, and it seemed like an appropriate time to raise awareness of what these applications are capable of.
Our goal was to demonstrate how BlackBerry applications can access and leak sensitive information, using only RIM-provided APIs and no trickery or exploits of any sort. We make no assumptions about how the malicious application will be installed on the phone, and we haven’t attempted to sneak a malicious application into BlackBerry App World. BlackBerry apps can be installed from any location, plus, there are so many examples of malware slipping through the screening processes of the various app stores (Apple, Symbian, Android, etc.) that we didn’t find it necessary to prove the point again. To some degree, official app stores give users a false sense of security because people will assume that everything in the store must be trustworthy.
Here’s a video that demonstrates the features of Tyler’s proof-of-concept spyware. We show how it can be used to dump contacts and messages, intercept text messages, eavesdrop on the room, report on phone usage, and monitor GPS data. To view this in HD resolution, click through to Vimeo and use full screen mode for best results.
We’re also releasing source code. As far as we know, this is the first public release of source code that demonstrates such a broad range of malicious functionality on a BlackBerry device. Code reviewers and security practitioners can use it as an educational resource to help them recognize malicious behavior and understand the specific risks introduced. This is an important educational asset for those of us working to create more secure software. As for the bad guys, it would be naive to think that they don’t already know how to do this stuff. The code doesn’t go out of its way to be stealthy; in fact, it’s quite the opposite (by design).
So how can users protect themselves? There are a few places to defend against malware of this nature.
Users can configure their default application permissions to be more restrictive. This way, if an application tries to use an API that accesses the user’s email or contact list, the OS will ask for permission. Avoid granting applications “trusted application” status, which grants untrusted applications additional privileges. Tyler’s slide deck shows the default and trusted permission sets in more detail.
Corporations using a BlackBerry Enterprise Server can configure their IT policies to restrict their users from installing third-party applications, or whitelist certain approved applications (but brace yourself for the backlash)
BlackBerry App World could introduce a rigorous security screening process that submitted applications must pass in order to be listed in the store.
If app stores don’t provide any security testing, the risk reduction responsibility falls to the enterprise. We recommend creating an approved list of applications that have undergone security testing.
Finally, it should be noted that while we chose BlackBerry for our proof-of-concept, this is not just a BlackBerry problem. All mobile platforms provide similar mechanisms for writing applications that have access to the user’s personal, potentially sensitive information. As consumers become increasingly dependent on their mobile devices, we are certain to see an uptick in the volume and sophistication of mobile malware.
I couldn’t agree more that we may be missing an opportunity to bring whitelisting to these new important mobile platforms. We need to leave the “detect and revoke” mentality of the PC world behind as we move to new platforms. Attackers are able to game the PC antivirus model by continuously flooding the software ecosystem with new unknown malware. The attackers will win in the mobile world too if we don’t change it. The mobile app store is a form of whitelisting that can assure the security of an entire platform if the whitelisting means something. That is if the apps are tested for security before being published.
Veracode is being asked by large financial organizations to build security testing into internal mobile app stores. There is obviously a desire for security screened applications in the corporate and government world. Why not just scan once at the platform provider’s app store and give the benefits to all?
Veracode researcher Tyler Shields is presenting 2/7/2010 at Shmoocon on Blackberry malicious mobile code. The presentation and sample code will be available here.
