
Hello, my name is Łukasz Bobrek and I will tell you about the threats that await our mobile devices, whether there is anything to worry about, and whether we can feel safe with our phones. First of all, I work at Securing as an IT Security Specialist. I work on web and mobile security analysis and also on IT security consulting. As a hobby, I am an engineer of high-quality software, mainly for Android.
That's why this presentation will include many examples from Android software engineering. First, we will look at mobile devices. I think everyone knows about them, but I will also show you the scale of the data we store on them. Then I will show you what threats are waiting for us, i.e. what the attack vectors are. At the same time, I will also talk about how to protect yourself against such attacks. And at the end, we will summarize everything and consider whether there is really something to be afraid of, whether we can use our phones safely.

Does anyone use a smartphone at all? Ok, there is one person, but the statistics are more or less the same: more than 99% of our society uses phones. We store a lot of sensitive data on the phone: contacts, SMS, photos, videos. I will not go into what can be in these photos or videos, but this is very private data. We also have paired accounts from social media, from Google, Facebook. We also usually use mobile banking, so as we can see, all the data that we store on the phone is very sensitive to us. If someone took over this data, we would have a big problem. We can say that our whole digital personality is stored on these phones.

Now a few statistics. More or less 2 billion people in the world use smartphones. There are about 4 million applications. Half of all users use mobile banking. That's more than a billion, so it's a huge number and a space for possible attacks for software developers. 500 billion dollars are spent on mobile payments annually, so it's a huge amount.

So I'm wondering, how can you attack mobile devices? Does anyone have any idea how to do it? If someone has a phone and we want to steal its data, do you know how to do it? Yes, that is the easiest solution, but it can have a PIN and an encrypted disk, and then we can't do it. You can do it with violence, but that's not the point. There are several attack vectors. You can physically take this device and see what you can do with it. You can also reverse the system itself, for example iOS or Android. It's very difficult technically, but if we succeed, we have access to all the devices, all the phones that exist, so it's probably worth it. You can also install an application that will interact with other applications on the device and try to steal some data this way. You can also attack transmissions, i.e. the communication between the application and the server. You can see how this communication looks, what kind of protocol is used, whether you can inject some code there that will do something. To sum up, you can steal a device, install software that has a specific function, or you can look for vulnerabilities in existing applications, for example banking ones.

So, you steal a device.
With a thief, I feel safe and secure when it comes to my data. I think so. I have never stolen anyone's phone, but if someone does, it's probably to sell it and make money from the device, not from my data. Moreover, it's very easy to secure your data. You just need to use a PIN or password. On iOS, the PIN or password is equivalent to encryption of the entire content of the device. On Android 6.0, this encryption is already on. Previously, it was possible to turn it on, but it was not a default setting. It is written that this encryption has been supported since 2014, but that is not true. It was supported in previous versions, but since 2014 it has been implemented in such a way that even Apple is not able to decrypt such a disk. Earlier, Apple could have done it, but now it doesn't know how the keys are generated. And of course it's always worth being able to control the device remotely: if someone steals it, we can delete all the data remotely and have peace of mind. We don't have a phone anymore, but that's something else.

Another attack vector on our data is malware: all scripts and applications that, without our knowledge, work in a way that is harmful to us, very often also criminal. There is a lot of malware on the mobile platform. It is also something people are not yet aware of, because it seems that malware is of course related to computers, of course you need to have an antivirus, there are numerous problems, while on the mobile platform it seems that this is not yet such a common problem. It turns out that it is beginning to be. There are over 1.5 million apps that are classified as malware. Moreover, it is estimated that every day there are 1.5 thousand new malware samples. How does it look geographically? Mainly the Asian market is affected by malware. China is very active in this aspect. In Poland, as you can see, it is not bad at all, even in comparison to the EU. We are one of the less affected countries in terms of malware.

Tim Cook said that 99% of malware is on Android, but obviously that is a dig at the competition. It's not entirely true. In fact, at least 97% of malware is on Android. So we can see that iOS is a bit safer, even 97% safer. Nevertheless, we have to take into account that some malware can also be used on iOS.

How can malware get installed on our phone? Most often through app stores. I spent a lot of time on that: I downloaded apps from unofficial stores, unpacked them, looked inside, and there was some malware in each of them. It wasn't necessarily intended for our market, it didn't have an active C&C, it didn't work, but it was there somewhere. So if someone wants a game from a store for free, let them not install it and pay 3-4 PLN for it instead. I think it's worth it. Another distribution channel is through computers. So if someone has a virus on their computer and they connect the phone to it, this way the application is transferred to the phone. System vulnerabilities can also be used. This is relatively rare, and the updates are very fast, so if someone updates their device, it is usually safe. But unfortunately, malware is also found in official app stores. Of course, the algorithms that detect whether an application submitted to the store is correct or not work better and better. However, it still happens that in the official store, whether it is Google's or Apple's, there are applications that can be considered to do something harmful to us.

So, this malware is an app that does something wrong. The app itself is just a zip file, which contains some binary (in Android in the form of dex), some XML files that define how the app works, and all the graphic and multimedia files. On iOS, the situation looks similar, but all files are signed with the developer key, so there is no possibility to decompile the binary to source code and then recompile it. What can we do with an application that we suspect can be harmful to us? First of all, we can perform a static analysis.
What is this all about? We just look at what is inside this APK zip. We also look at the code, if it can be reconstructed, for example on Android. And we check how this code works, whether there is any method that we can see will work to our disadvantage. It is also a very good practice to look in the AndroidManifest to see what permissions the application requests. Because if I have an application, which I will show you later, that pretends to be a multimedia player but wants permission to send SMS, then something is wrong. The same on iOS: we can unpack the files, see what's inside, and possibly try to guess whether this application is legitimate or not.

Then we carry out a dynamic analysis, i.e. we just look at how the application works, how it communicates with the server, what protocols it uses, what it puts into logs. So the whole process of dynamic analysis consists of analyzing all the features of the application, checking logs, checking communication, testing the server API itself, verifying the SSL connection, and a few other things.

And finally, let's go back to malware. So what can it do, what are its capabilities? The largest historical group is premium SMS malware: an app that sends premium SMS and eats our money from the account. Then there is adware, ransomware, botnets, financial malware, and malware that tries to escalate privileges in the system.

Premium SMS is the oldest type of mobile malware in history. It was first introduced in 2010. As I mentioned before, it works in such a way that an application asks for permission to send SMS messages. If someone agrees to it, every now and then this application sends a text message that eats their money, and the creator of the software benefits from it. And that's how it works.

Another group is adware, or actually madware, because adware is a way of distributing applications where creators benefit from the fact that there are ads in these applications. So every free app in the store is actually adware. The problem starts when these ads start to attack us so aggressively that they sometimes even prevent us from using the device. These are examples of such applications: Durak, MobiDash, Plankton, and Muda on iOS. There is an interesting story with Durak, because it was available for about a month for download from the Google Play store and it was downloaded by about 10 million users. Why was that possible? Because it used a very simple but effective mechanism to cheat Google's algorithm. As we can see, this is a cut from the app's source code. It has a time in settings after which it starts to work. So we install the app, and for the first 8 days (86400 seconds each) nothing happens. And then we are suddenly bombarded with ads, and we don't even know why, because we installed this app a few days ago, so it's hard to imagine that it could be the problem. And in practice it looks like this. With every screen unlock, we are bombarded with ads, which makes it impossible, or at least very difficult, to use the phone.
And so, every time, these ads usually lead us to install some other app that would do even worse things.

Another group are spying apps, which, without our knowledge and conscious consent, send private data about us to some untrusted servers, where it is processed in a way harmful to us. A few examples; as we can see, such applications are known on iOS too. How does it work? We install an app and send an SMS; then, when we analyze the network communication, it turns out that we send the content of our SMS to a completely untrusted server. Of course, this is done by the app; we have no idea how the information we send in SMS is processed on the server. Most often, in the case of sending SMS to untrusted servers, it is about getting access to tokens for bank transactions, because usually the second notification channel is SMS messages, so if someone is interested, even if they do not have access to our banking, they may make transactions from our account.

Here is a keylogger example. We install an app; it's one of the apps I found in an unofficial store. The SwiftKey app for Android is paid, about 4 PLN, but you can download it for free from that store. The app works very well, and besides working well, it also sends every keystroke to a remote server, so it has access to all the data we enter.

Another one is ransomware, which is software that makes it impossible, or much more difficult, to use a phone. To regain the ability to use the phone, we have to pay some ransom, mostly in bitcoins. This is very problematic software, because in the last few years, actually the last year, a lot of such software has been created and many people are affected by it. If someone has lower technical awareness, they usually prefer to pay a few dozen zlotys to use their device. Here are some examples of applications. All of them are on Android; on iOS I haven't found any working application that would work as ransomware. How does it look in practice? It looks like we install an application that is disguised as Flash Player. And we see that the FBI suddenly wants some money from us. There is no way to exit this screen; even if we manage to do it, it turns out that after entering any other application, the same screen pops up and we are unable to do anything about it. This is an attempt to enter the settings, and what happens? Of course, the window that informs us that we have to pay is turned on again. In this case, the situation was so good that it didn't encrypt our files on the disk. It was just a painful notification that we have to pay, but our photos, the files that we kept on the device, were not modified. But there are also such examples of malware as this one we see here. We have a PNG file. We install ransomware, which encrypts all multimedia files on the disk, and we won't be able to get this file back until we pay for it. As we can see, this is a notification that is shown on each action. And what happened now with the graphic file? For some reason, the last box is not displayed, where it is shown that this file no longer has a PNG extension, only ENC. It is encrypted with AES. But believe me, it is. And then we have a big problem, because technically it is possible that the keys for these encrypted files are kept on the backend, so we are not able to decrypt them ourselves. So then we have to open the backup copies if we had them, and if not, we have to pay or say goodbye to these files.

The next group is botnets, which are networks of devices that remain under the remote control of a C&C server and can be used for attacks such as DDoS. Here are a few examples. The most common was NotCompatible, which had 4 million installations on the market in the US. And how does it look in practice? The application we install must get the permission to start at the very beginning, at the restart of the system. And when it's working, it's communicating with C&C servers and asking for instructions on what to do. Here we can see that there are two servers: not compatible app.eu and 3x3 budget9.ru.

Another group is financial applications. To make such a campaign work, we need to take two steps. First, we need to take control of the banking application. Second, we need to take control of the SMS messages used to verify the transaction. Here are some examples of applications. The most creative is FakeBank, which works in such a way that it asks for permission to read SMS messages. So we have already done the first step. It is worse with taking control over banking, because it is not so trivial. This application does it in a very creative way, because as you can see it is intended for the Chinese market. The green ones are the names of Chinese banking applications. If the malware detects that a banking application is installed on the device, it uses these two methods, which are used to display a user notification that there is a new update of the banking application: remove your own and download a new application from this page. It sounds naive, but some people installed these apps, and then their funds could be taken over.

The last group is system-based malware. Both iOS and Android have the same security management structure as in Unix, because the systems are based on Unix. So the application has access only to a small part of the resources. In iOS it's even more restrictive, because it can't reach common resources, but it can only load from its own resources. So it's very important that it can't access files and other system settings.
So the most important and desired effect of malware is to exit the application sandbox and reach the whole system. On Android it's called root, on iOS it's jailbreak. It's all about getting administrative rights on the device. And if malware on the mobile device has administrative access, then it can do everything: it can install additional packages without our knowledge, it can reach all files, all resources, our auth tokens, for example for Facebook, so it can just log in to social media in our name. So it's not good, to put it briefly.

Another important element for malware is the fact that last year there was a contest that awarded $1 million for breaking iOS 9 security. As a fun fact, this contest was solved after 4 days, and a message was sent that someone had already reported and won the $1 million. I would like to add that this year, about a month ago, iOS 10 was released and Zerodium announced a new competition, this time for $1.5 million.

Here are a few examples of such malware that can break system security. An example that most of you may remember, because it was quite loud, is Stagefright. It is estimated that at the time of its premiere there were over a billion vulnerable devices. The vulnerability was due to bugs in multimedia handling in Android. To take over a particular device, it was enough to send an MMS message to it. Pegasus works on iOS, and it was possible to take control of the device only because the victim entered a website from her phone. There were three exploits: one on the browser, two on the kernel, and in the end the device could be taken over.

In Android 6.0, Google introduced the Assist API, which allows any application to have access to content contained in other applications. Previously, it was impossible, and from the point of view of security, it should not be possible. But Google did it, because Google is the default assist app, so everything is fine here. The problem is that this control can be moved to any other app, and then every app we install can read the exact content of the screen of any other app that is open. So the question is whether it is not malware in itself, or at least a good starting point for malware creators to start creating something here.

Now a few words about how to protect yourself against malware. First of all, avoid installing applications from untrusted sources. I would like you to remember this from this presentation: do not install applications from untrusted stores, because it usually ends badly. Secondly, you can check what kind of permissions are requested by the app. If they don't match what the app should do functionally, then I would think twice about using such an app. You also need to monitor the performance of the device and battery life, because if we notice a significant drop in performance, we can expect that some app is doing something we wouldn't want. It's a piece of advice for programmers as well: if we have some views with sensitive data, like bank account numbers or a balance, we need to set the secure flag, because it protects these views from other apps seeing their content. We can also create backup copies, and of course we need to update the system on a regular basis, so we can avoid exploits on the whole system that would give someone administrative rights.

Why don't mobile antiviruses solve the problem? Why don't we just install an antivirus and feel safe? This is how antiviruses should work. They do it quite well on computers, but on mobile platforms they have very low effectiveness. We need a compromise between battery life and safety. If we had antiviruses that worked based on heuristics and dynamic analysis of every app we download, battery life would be reduced by half, which is a bit beside the phone's purpose. That's why antiviruses only do static signature analysis, and that's not enough to counter today's malware.

The next group that can play with this phone are applications. Here is the first example: keys that were in the production Airbnb app in 2012. After decrypting and decompiling the application, we could see that there are keys to LinkedIn, Facebook, Microsoft. A key allows one to manage, for example, the API and reach the data of all users who have connected their account, for example Facebook, and so on. This is a huge problem, and the users in the end, in fact, could not do anything about it; they did not even know that they were installing an application with such a vulnerability that allows access to all their data from these platforms.

Another example is the data transmission of the EcoZephyr app, which is used to manage remote air conditioning in our homes. We install an air conditioner with this app. Then we have a mobile app which works in such a way that we enter the IP address of our air conditioner, enter the password which was set before, and we can remotely control the temperature in our home. You need to have a static IP, you need to give it an address, you need to have a hard-coded password on the device, and you can adjust the temperature remotely. It's quite comfortable: you can come back from holidays, in winter you can increase the heat in the house. The question is how the transmission between the app and the air conditioner was implemented. It looks like this: it's a binary protocol, not HTTP or anything we know. This is how communication from client to server looks, a message back, and another message from the client. You can't see it here yet, but if we enter different passwords in each subsequent connection attempt, it looks like this. This is the first password, second and third. We see that only a small number of bytes change, exactly the ones at the end. So we can expect that this is a password, or at least some hash of the password. And it turned out, after more detailed analysis, that these few bytes are exactly the first ten characters of the MD5 that we generated from our password. So, using this communication, if we are on the same network as someone who is connecting to his home and wants to change the temperature, by using his communication we take this MD5 of his password, and it is enough to connect to his home and change the temperature, because that is the only security; there is no SSL or anything. So users of such applications probably don't expect that they can be attacked like that.

Of course, there are a lot of errors in server APIs: errors of access control, of encryption, of logic, and many many others. I won't talk about them now; if someone would like to read a little more, there is a document called the OWASP Mobile Top 10, and there the most important problems resulting from communication between the phone and the server are explained; you can read more there.

And now, how to protect yourself from attacks resulting from vulnerable applications? First of all, you need to update the application. If someone reports a problem to the vendor, he usually fixes it and updates the application. So you
should keep your application up to date. The same applies to the operating system. You should also avoid using untrusted Wi-Fi networks. Yes, if you have Android, it's really okay. If you have iOS, it's a bit better. But you have to be aware that there are exploits for Android operating systems, on older versions. So I recommend you try to use the latest versions, although it's not easy.

So is a mobile device safe? Not all of these threats are really important. Of course, we can mitigate most of them and deal with them, but with threats like a system with many vulnerabilities, we are not able to do anything with the current system. We have to be aware that there may be vulnerabilities in the operating system itself. But we can use safe applications, use trusted stores, check the app's permissions, and that should be enough to feel safe with your phone. Although it's not 100% safe, we can't stop using phones, because they are too important for us and no one can imagine life without them, so we have to be aware that we are not completely safe. Ok, that's it. If anyone has any questions, I'll gladly answer them.

- CyanogenMod has the advantage of being updated on a regular basis. So if someone has a phone that is no longer supported by the manufacturer, for example Samsung, CyanogenMod will support it; it will probably update it every day. The question is, do we trust CyanogenMod? Because then you can put the whole operating system on your phone and there can be anything in it.
- In the case of CyanogenMod, it's a big organization, it's open on GitHub, you can check it out. So I feel quite confident, and it's updated, so everything is fine.
- Yes, but... Oh, there are questions. Isn't it safer than the normal systems from Samsung, from Sony?
- From the point of view of the operating system, it is based on Android. So if you have Android 6.0, regardless of whether it is on Samsung, Android, Nexus, or CyanogenMod or another ROM, if there is any system vulnerability that targets Android 6.0, it will work on both CyanogenMod and Samsung. So the benefit here is that you have the latest version of Android, and if there is any vulnerability in it, you will be affected by it anyway.
- You were talking about trusted stores. What are they like for Android, besides Google Play?
- None. Only Google Play. There is only some analysis of installed apps, but in fact all the apps are there. Of course, apart from Google Play, there are apps with open source code, which we can of course inspect ourselves, and then it's fine, right? Because if you read the code there, you will see that it does exactly what you want; you can compile this application yourself or download some release, and that's fine. It's worse if you have an application that either has closed source code or you just see that it is already compiled and something could have been added in the meantime. I haven't used it, so I don't know, to be honest.
- Here, the problem is very big for Android users from China. There, Google Play is not available, Google services are also not available, and then, whether they want it or not, they always use some, so to speak, unofficial stores.
- Exactly, and I agree with the percentages. I don't know if you remember, on one of the first slides it was shown what the distribution of malware in the world is. And the most affected were China and India, if I remember correctly. And that's why: applications are not always available there. So people want to deal with it somehow, they get them from unauthorized sources, which ends up, as you can see, as the least safe place and region.
- There are also... Sometimes, in the case of Android, we have to choose between the lesser evil or simply buying a new smartphone. Let's say the manufacturer stops supporting our favorite model, we want small smartphones, at this point there are no small smartphones, and we want to keep it up to some level of updates. But the phone manufacturer doesn't make it easier for us by making available any tools to unlock the bootloader, to root this device. And if we want to do it and install some alternative system, we have to trust someone who has provided some tools to root it. De facto an exploit.
- Of course, we have to do it. When you unlock the bootloader, you are on a different layer than the operating system itself. You use an exploit directly on the lower layer, and if you install CyanogenMod, I don't see how this exploit could influence the system's operation. So if you have an old phone, I think that a safer solution than using Android 2.3 is to use an exploit, unlock the bootloader, then install a newer version of Android, for example CyanogenMod. And it should work quite well. Of course, it is not a perfect solution; I would prefer that Google somehow manage to do these updates, to force the producers, but unfortunately it is not so. They won't do that.
- There are some manufacturers who provide their own tools to unlock the bootloader and root a specific model. And I think it's a good practice. Besides, they don't add too many things to the system, so they keep it up to date.
- Yes, I agree. If a producer releases tools like a bootloader unlock, it's much better than if he doesn't do it. Then he forces his users to do it from other sources. So it's a better strategy. Anyone else have a question? Unfortunately, the microphone is occupied here.
- What else can you tell us about the situation in which creators of banking applications, or others who basically rely on sensitive data and have to take care of user safety, make such applications detect if the phone is rooted, and if it is, they stop working. Then the user wants to bypass it, so he installs other modules, Xposed or other separate applications, which deceive the banking application that there is no root. And this is throwing a ball between two sides. It stops working every now and then, a few days later it works again, etc. So, the last question: have you actually met a banking application that would not work on rooted devices?
- Samsung Pay, for example. There are some that actually do that. Exactly. I think it was an application that detected root, refused to operate, but could be cheated. It was a long time ago, I don't know what the status is now. In my opinion, applications should not prohibit Android users from using the device because it is rooted, because of Android's update policy. I think banks should not do that, and I think they will not do that for a long time, because so many Android users are rooting their devices that banks will notice that it is not worth giving up such a large group of recipients. Any more questions? Okay, if there are no more questions, thank you for your attention.