According to IDC, over 2 billion people worldwide currently use mobile devices to access the internet and, in many cases, sensitive business information. That is a tremendous amount of data streaming across the world’s communications infrastructure. It has all proven hugely valuable to people, organizations, and countries but, as with all great things, there are a handful of folks who view these communications through a more malicious lens.
Just as banks spawned bank robbers, mobile devices have spawned mobile hackers. And, unfortunately, the hackers have a unique advantage: where the defenders have to make sure everything is protected all the time, the attackers only have to find one vulnerability. It’s a huge strategic advantage for the hacker, which is why as defenders we have to hedge our bets in every way possible. One of the best ways to do this is by thinking like the hackers and, by doing so, proactively fixing the vulnerabilities they may seek to exploit and identifying the new strategies they may take to compromise devices.
Skycure understands this principle, that the best defense is a good offense, which is why the Skycure Research Labs division is always investigating the mobile threat landscape with two core goals:
- Uncover vulnerabilities before an attacker does, so that software manufacturers can release patches before attackers have done any damage. This cycle helps keep mobile threat defense proactive to minimize damage, as opposed to relying on strategies that are reactive and costly to fix after-the-fact.
- Use research findings to enhance Skycure’s threat analysis engine, and augment the massive crowd-sourced intelligence apparatus, so that end users and their devices benefit from the most up-to-date information.
Both of these goals help IT departments keep end users (and their data) safe. Here are just a few examples of mobile vulnerabilities that Skycure Research Labs has identified in the past few years:
- LinkedOut is a classic example of a mobile app that collects too much information and, worse, sends the data to its own servers for storage and potential viewing by others. In this case, the iOS LinkedIn app had a feature to sync calendar data with other LinkedIn users, but instead of just connecting the individual people, it collected and stored all meeting details, including meeting notes, which are often confidential. Skycure co-founder and CEO Adi Sharabani presented this discovery at a cyber security conference, prompting LinkedIn to immediately correct the bad app behavior.
- WiFiGate allows network-based attackers to set up a rogue WiFi network that imitates one of the many pre-defined network configurations pushed out by carriers. Carriers often include WiFi configurations in their predefined carrier settings, so a device that sees a network matching one of them will connect automatically, without the user ever manually joining it, even if that network is a malicious fake designed to observe communications or steal data.
- HTTP Request Hijacking was discovered a couple of years ago by Skycure researchers and, at the time, affected a huge number of mobile apps that used HTTP instead of HTTPS to communicate with their servers. A hacker first gains a man-in-the-middle position on the victim’s network, which allows them to see and manipulate the app’s traffic. When an app, such as a news or finance app, sends a request to its designated server, the hacker returns a 301 (Moved Permanently) redirect to the app, telling it that from now on it should go to a different server for its information. From then on, nothing that app retrieves can be trusted, and, unfortunately, there is almost no way for the victim to know it has happened. Most mobile apps now use HTTPS to communicate.
- Shared Cookie Stores is another iOS security issue that is now fixed (in iOS 9.2.1) and contributes to the improved security of iOS users. Previously, when a user connected to a captive portal network, common for free or paid WiFi at hotels, airports and cafes, the embedded browser used for the captive portal shared Safari’s cookie store, exposing the sites and credentials used by the victim. All a hacker needed to do was trick a user into connecting to a malicious captive portal network, and the hacker would then have enough information to impersonate the victim on any number of websites and services.
- Malicious iOS Profiles, when first disclosed, exploded the myth that iOS users enjoyed nothing but peace and security in Apple’s “walled garden”, while those in the Android community lived in the wild west of potentially dangerous apps around every corner. A profile is not an app and does not come from the App Store, but users do need to give permission to install one. Profiles are often used for MDM management in business or for special network access. A user can be tricked into installing a malicious profile by the promise of something like free movies. Once it is installed, the hacker has potentially unlimited access to device data and even control over the device, and the victim may have no indication of the intrusion.
- Invisible Malicious Profiles, whereby attackers get a profile installed on your mobile device that grants them access they shouldn’t have. As if that weren’t bad enough, the profile remains hidden from plain view, so you may not even know it is there, even though the attacker holds extraordinary privileges on your device while it is installed. Skycure reported this to Apple, and it was patched in iOS 7.1.
- Accessibility Clickjacking isn’t an easy Android hack, but it’s an attractive one for attackers because of the access they gain. In short, an attacker uses display overlays that trick the user into tapping certain spots on the screen. In the background, and unbeknownst to the user, those taps are actually toggling special permissions on the phone. Once they are enabled, the attacker can read any text displayed on the screen, whether SMS, corporate email, Twitter, etc. Because this vulnerability exists across so many versions of Android, the total exposure at the time of discovery was 95.4% of all Android devices! Skycure presented this finding at the RSA Conference in 2016 and has instructions on preventing this attack here.
- No iOS Zone would have been a huge problem for users and businesses alike. Since SSL is a security best practice that nearly every app follows, the attack surface of an SSL-based vulnerability is massive. Skycure discovered that a carefully crafted SSL certificate and a little bit of scripting could crash apps on iOS devices, opening the door to massive distributed denial of service (DDoS) attacks. Something like this could have virtually crippled iOS users, but thankfully this vulnerability was also reported to Apple and patched in the iOS 8.3 release.
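The HTTP Request Hijacking item above comes down to one client-side behaviour: an app that persists a 301 redirect it received over plain HTTP will keep talking to whatever host the redirect named. The following is an added example, not Skycure’s code or any real app’s networking stack, of a redirect policy an app could apply before honouring such a redirect. The API origin, the allowlisted hosts and the sample responses are all constructed for the example.

```python
from urllib.parse import urlparse, urljoin

# Constructed sample values: a hypothetical news app's API origin and the
# hosts its developers are willing to be redirected to.
APP_ORIGIN = "https://api.example-news.test"
ALLOWED_HOSTS = {"api.example-news.test", "cdn.example-news.test"}


def redirect_is_safe(request_url, location, allowed_hosts=ALLOWED_HOSTS):
    """Decide whether a Location header may be honoured.

    Returns (ok, reason). A redirect is accepted only if it stays on HTTPS
    and lands on a host the app already trusts; anything else is ignored so
    a man-in-the-middle on the network cannot re-point the app.
    """
    target = urlparse(urljoin(request_url, location))
    if target.scheme != "https":
        return False, "redirect target is not https"
    host = (target.hostname or "").lower()
    if host not in allowed_hosts:
        return False, f"redirect to untrusted host {host!r}"
    return True, "ok"


class RedirectCache:
    """Minimal model of the persistent-redirect cache described above.

    strict=False reproduces the hijackable behaviour: every permanent
    redirect is remembered and reused for all future requests.
    strict=True applies redirect_is_safe() first and drops the rest.
    """

    def __init__(self, strict=True):
        self.strict = strict
        self.rules = {}      # request_url -> replacement url
        self.rejected = []   # (request_url, location, reason) for logging

    def handle_response(self, request_url, status, headers):
        """Process one response; return the URL future requests will use."""
        location = headers.get("Location")
        if status not in (301, 308) or not location:
            return request_url
        if self.strict:
            ok, reason = redirect_is_safe(request_url, location)
            if not ok:
                self.rejected.append((request_url, location, reason))
                return request_url
        self.rules[request_url] = urljoin(request_url, location)
        return self.rules[request_url]

    def resolve(self, url):
        """URL the app would actually fetch, after any cached redirect."""
        return self.rules.get(url, url)


def simulate_hijack_attempt(strict):
    """Constructed scenario: the app asks its server for /headlines over
    plain HTTP and an on-path device answers with a 301 to another host.
    Returns the URL the app will use for /headlines from then on."""
    cache = RedirectCache(strict=strict)
    request = "http://api.example-news.test/headlines"
    injected = {"Location": "http://rogue-host.test/headlines"}
    cache.handle_response(request, 301, injected)
    return cache.resolve(request)


def simulate_legitimate_move():
    """Constructed scenario: the real server moves an endpoint to its CDN
    over HTTPS; the strict cache should accept this one."""
    cache = RedirectCache(strict=True)
    request = APP_ORIGIN + "/headlines"
    legit = {"Location": "https://cdn.example-news.test/v2/headlines"}
    return cache.handle_response(request, 301, legit)


if __name__ == "__main__":
    print("legacy client now fetches:", simulate_hijack_attempt(strict=False))
    print("strict client still fetches:", simulate_hijack_attempt(strict=True))
    print("strict client accepts legitimate move:", simulate_legitimate_move())
```

The strict policy is deliberately conservative: it refuses redirects to any host outside the allowlist even over HTTPS, because a redirect received over plain HTTP carries no proof of who sent it. Moving the app’s own traffic to HTTPS, as the text notes most apps have since done, removes the on-path manipulation that makes the injected 301 possible in the first place; the allowlist is defence in depth for the responses the app chooses to remember.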
A less obvious benefit of Skycure Research Labs’ efforts was seen in the recent Pegasus attack on an Emirati human rights advocate. This extremely sophisticated zero-day attack simultaneously leveraged three iOS vulnerabilities, dubbed Trident. Although no security vendor had previously identified these vulnerabilities, Skycure Research Labs understood enough about likely hacking methods that Skycure users would have been alerted to the presence of Pegasus on their device before the big public announcement, which then triggered the rest of the community to add Pegasus detections.
This is just a small sampling of Skycure Research Labs’ findings over the past few years. In fact, at least one major vulnerability has been patched as a result of Skycure Research Labs’ work in each of the last three major iOS updates (iOS 7, 8 and 9). If an attacker used any one of the above exploits in a widespread way, the affected users could have numbered in the millions (and maybe even the billions). This is a testament to Skycure’s philosophy that the best defense is a good offense, and that keeping end users and their data safe needs to be proactive, not reactive.
Want to learn more about the threats Skycure Research Labs has discovered? Be sure to check out the many blogs linked above, or read more on how Skycure’s Enterprise Mobile Threat Defense solution is helping IT organizations protect their users across the globe.