Bluebox Security, a mobile app security and management provider, recent released research about public key infrastructure (PKI), certificates of authority (CAs), and mobile devices.
If a device trusts the wrong certificate, you maycompromise your device and enterprise to outside malicious actors.
CAs and mobile devices
There are hundreds of CAs installed by default on smartphones. Some of those CAs are from well-known companies like Google. Other CAs are from government entities, entities suspected of being government-sponsored or acting on behalf of a government and even research institutions. If one of these CAs is compromised, a malicious attacker can intercept and decrypt your mobile traffic.
You have a lot of different vendors that do a lot of different modifications to your phone with their different or various sorts of applications or wireless networks, or administrative types of applications, according to Andrew Blaich, lead security analyst for Bluebox Security.
Blaich said there are software libraries that load when you launch a mobile app. When you run a mobile app, your device is trusting a lot of things inherently that you as a user may not even be aware of on your device, according to Blaich.
Secure network connections and device trust
“At the heart of all of your secure connections there are these things called the roots of trust,” Blaich said. “These are SSL certificate providers that basically will sign certificates for a main part of the chain, basically. We call these the root CAs. They reside on your device.
“If you’ve ever used the web browser and you go to a secure website, like a secure Gmail site or just your banking site, HTTPS or things like that, when the connection’s secure you’ll see a lock icon. In Chrome, it’ll be green unless it’s unsecure, then it’ll be red. You’ll see some sort of lock icon on there, Blaich said.
“The way in which you actually get that lock icon is that your connection is validated against these roots of trust on your device,” he said. “It checks what is the person that is vouching that the site I’m connecting to Google.com, is actually Google.com. There person that vouches for that, that root CA is actually on your device, essentially.”
Mobile devices and man in the middle attacks
Blaich explained the security risks posed by man in the middle attacks attack might affect mobile users differently, but the risk is about the same.
The one concern he does see on mobile is that while PC and Mac web browsers are updated with a black list to block connections, mobile device browsers don’t get the same treatment. He used Google’s recent banishment of the Chinese certificate of authority (CNNIC) for breach of trust as an example. On mobile devices the browser might get an update to not trust the CNNIC, but the certificate actually is installed at the system level in your operating system which means any other application on your phone that might be doing a network request is susceptible to this man in the middle attack.
Blaich said, “In that case, certs actually have not been revoked from the operating system. They’re actually there, enabled, and sitting there. This is true for both iOS, Android and any other platform that has these certificates on there.”
He said, “A certificate authority from Turkey called eGovern that Mozilla had decided to revoke their root CA status from their browser coming up in the next release. Once again, though, only for the browser, as this certificate actually exists on your phone as well. It is there in your system trust store. Any applications that are connecting to sites that are signed by this cert will be acceptable.”
BYOD and device trustability
Device trustability and BYOD may seem to be at odds, especially with Android devices. While speaking with Blaich, I tested the Bluebox Security Scanner app (Android only at the current time) on my new Google Nexus 9 tablet.
Their app showed some threats and vulnerabilities on what I thought would be a squeaky clean device. Blaich said the app allows his company to compare and contrast the device to a variety of different devices out in the ecosystem. Figure A shows the results of the scan:
[insert image A]
Scan results from my tablet
“This lets us actually measure and see what’s actually in the environment,” Blaich said.
“When a new Google Nexus device running Lollipop first came it out scores in the nines or tens. Devices from other manufacturers may only score in the sixes or sevens because the device ship with extra features leading to vulnerabilities you should care about,” Blaich said.
“In terms of trustability with BYOD, obviously, admins can let whatever devices they want on their network,” Blaich said. “That’s what we see as well is that you can let whatever device you want on the network as long as you’re securing the data and the connections at the application level and not trusting what’s on the device. You can at least ensure that your corporate data will be protected if you’re protected at that application level.
Bloatware and device trustability
Blaich said bloatware could affect device trustability depending on permissions and how those apps are installed in your phone.
Blaich said there is a potential problem with carrier bloatware that you can’t remove yourself. He said, “It has permissions on things that you may not want it to have access to like being able to control your cellular information or having direct access to your contacts. You haven’t actually granted permission to these apps, but it just comes as a result of you having this phone.”
“There’s other types of bloatware you get that you can remove depending on if it’s downloaded from Google Play, or whatever app store is being used upon that,” Blaich said. “Yeah, the bloatware is a very interesting study and depending on if it’s a reputable device or if it’s one that you get from a vendor you don’t trust.”
Bluebox Security did some recent studies looking at some of the cheaper Android tablets out on the market. One of their studies focused on Black Friday tablet deals. Blaich told me many of the tablets came with bloatware; some even had malware
“The devices really aren’t that trustable at all,” Blaich said.
“What you have is that these devices, you know people might go away for winter holiday and come back, and then they’re bringing these devices into their organization because of the BYOD policy,” he said. “I mean how trustable are these devices, really? The study proves that they’re not really trustable. You get what you pay for.”
iOS and trustability
iOS has trustability issues of its own, Blaich said. In fact, he referred to iOS jailbreaks as a “weaponized exploit.”
Blaich offered, “iOS has a little bit of a better of an update mechanism where they can update more devices faster. They still have an issue of trustability in terms of what’s happening in that device.”
“Even if it’s jailbroken, the user can install special tools that can try and manipulate data on the device in applications,” Blaich said.
Device trustability and mobile security
Device trustability and SSL certificates need to become part of the mobile security discussion because today’s mobile workforce is dependent on a growing number of cloud and mobile apps.