In this second segment of the interview with Dan Guido, CEO and co-founder of Trail of Bits, Dan focuses on vulnerabilities in mobile devices, and shares the outcome of his research findings that he presented at SOURCE called “Mobile Exploit Intelligence Project”. Click Play to watch the interview.
Read below for a quick synopsis of the interview. Is iOS the most secure platform? Dan states that it’s definitely possible to exploit vulnerabilities in iOS. He then goes on to explain that it’s either too costly to do this or there are other mitigations that prevent this from happening. By disincentivizing the mobile malware community from performing malware attacks on the iOS platform using clever design choices, Apple demonstrated a different approach to tackle the problem of mobile malware. Dan concludes that Apple’s approach has been different and certainly a very effective response to the mobile malware problem.
Dan mentions that trying to trace every single unique identifier for very single malicious application is neither effective nor intelligent, in addition to also being resource heavy on an organization. What are your recommendations with respect to “bring your own device” policy? Dan references his research presentation that he delivered at SOURCE Boston this year titled “Mobile Exploit Intelligence Project”. As part of the research, Dan collected a comprehensive database of every piece of mobile malware that affected iOS and Android. This research was used to draw conclusions as to what security measures would be effective if implemented on those devices to protect against the malware that currently exists in the wild. He points out that there are not really any mobile security products in the market right now that can mitigate against these flaws. To have an effective BYOD policy, Dan states that you need to assume that your devices are compromised, no endpoint security products that can prevent your devices from being compromised. One possible solution Dan talks about is the concept of “secure containers” to store encrypted information on mobile devices. Dan’s colleague, Dino Dai Zovi has written a paper on how effective the data protection APIs are on iOS, and how it is somewhat tenable to create secure containers to store encrypted information in iOS. CLICK HERE to view Dan's presentation at SOURCE Boston titled "Mobile Exploit Intelligence Project".