
September 8, 2022 33 mins

In this episode of Android Bytes, we're talking about mobile app security. Android has a lot of robust, built-in mechanisms that protect against exploits and security vulnerabilities, but there's only so much it can do to protect against misuse of sensitive permissions and APIs. Google augments Android's protection mechanisms with Play Protect, a service that looks out for potentially harmful applications.

Brian Reed, Chief Mobility Officer from NowSecure, joins us on the show to explain how Android and Google Play Protect work together to secure your device.

  • 2:05 - How does Android's app security model work at a platform level?
  • 3:27 - What does NowSecure do?
  • 4:16 - How does Android sandbox apps?
  • 5:30 - How does Android's security model compare to other platforms?
  • 7:24 - How does sideloading affect Android security?
  • 13:28 - How is Google Play Protect distributed to GMS Android devices?
  • 14:17 - What is the App Defense Alliance (ADA)? What is static and dynamic analysis?
  • 17:12 - What are the reverse engineering/disassembly tools security firms use to analyze Android apps?
  • 18:55 - Why is dynamic analysis important?
  • 24:05 - What is a potentially harmful application (PHA)?
  • 25:32 - What is a mobile bundled application (MHA)? Are there any security risks?
  • 27:42 - What can developers do to protect their Android apps from hackers?

Android Bytes is hosted by Mishaal Rahman, Senior Technical Editor, and David Ruddock, Editor in Chief, of Esper.


Esper enables next-gen device management for company-owned and managed tablets, kiosks, smart phones, IoT edge devices, and more.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Mishaal (00:02):
Hello, and welcome to Android Bytes powered by Esper, the podcast that dives deep into the world of Android. I'm Mishaal Rahman. And while I'd normally be joined by my co-host David Ruddock, he unfortunately couldn't make it to this one. Still, we've got a great topic and guest lined up on the show this week. We'll be talking about security, specifically mobile app security. So if you've listened to our podcast before, you know we've talked about Android's

(00:23):
security model, at least when it comes to applications, as well as how permissions work, in the previous episode. But this time, we want to focus more specifically on how Google, app developers and outside firms team up to protect you and your Android device. So today we've invited Brian Reed, chief mobility officer at NowSecure, to talk about mobile app security. Welcome to the show, Brian.

Brian (00:42):
Thanks, Mishaal. It's great to be here and part of your community. Thanks for having me.

Mishaal (00:48):
Thanks for joining us. So this is a topic that, in my now seven years of covering Android, you know, I've kind of delved into the security side a bit here and there. Even though it hasn't been my primary focus, just covering the Android platform ecosystem, these security issues come up and I tend to cover them pretty much every week. You'll hear from some mobile security threat firm that there's some new malware strain out in the wild and that it's wreaking havoc.

(01:11):
And then when you dive into the details you discover, oh, they're mostly misusing some Android API or application, some permission, or they're tricking users into enabling some sensitive permission. And so like, this is a topic that is ever pervasive in our lives, because you probably know people in your lives who could be tricked into enabling something they shouldn't have, or installing something they shouldn't have.

(01:33):
And even if you think that you wouldn't do that, there's a very high chance that you could be tricked to. No one is ever completely foolproof from phishing or any other malware attacks. There are many things you can do to prevent yourself from being taken advantage of. But on the ecosystem side, there are also many things that Android does and that Google does and that outside firms can do to proactively

(01:56):
protect you from harming yourself. So just so we're all on the same page, I kind of wanna just touch upon the background of Android's security model and how Android actually protects you at a platform level. So we talked about this before, but every time you install an app, it comes as an APK file. And within that APK file, there's all the assets, the code, the resources, et cetera, but there's also

(02:17):
a digital signature that is generated whenever the developer signs a package. And whenever that app installs on your device, it's given a unique package name. And whenever you try to install an app that has a package name matching an existing app that's installed on the device, if that signature doesn't match the signature that was with the previous one, then Android will reject the installation.

(02:39):
And because it's assumed that the signing key the developer used to sign that app is generally kept somewhere safe and secure, within their own repository on their computer, or uploaded to Google, then you can assume that some third party didn't just modify the app and then upload it, and then you installed it onto your device. So that's how Android generally secures updating applications. The one challenge with that is, while it ensures that some outside developer

(03:03):
didn't modify and push an app onto your device, it doesn't guarantee that the update hasn't been tampered with, hasn't had any malicious or potentially harmful code within the update. Like, it could still be signed by the original developer, but how do you know if that update is still safe to use? And that's generally where firms like NowSecure come in. So I wanted to ask you, Brian, can you tell us a bit about the company?

Brian (03:26):
Sure. So NowSecure actually got started as a forensics company in 2008 and 2009. So the birth of Android, that was around the same time as iOS. Our founder got interested in these cool little devices that seemed to have a whole lot of computing power and a lot of forensic data on them. And while he wasn't a forensic specialist, he actually became the world's expert in mobile forensics and ultimately built a business that is NowSecure today.

(03:49):
We're kind of an all-in-one solution provider for mobile application security. So we have testing tools, developer tools, pen testing services, open source tools, training, all of those kinds of things, and we partner with lots of organizations to make sure they're able to deliver those secure applications on whatever mobile operating system they want. So our roots are in Android, cuz that's really where he started, and we

(04:10):
continue to do a lot with Google and the entire ecosystem community today.

Mishaal (04:15):
Thanks, Brian. And just to follow up on the Android aspect, one other thing that Android does at the platform level to protect you is that it has a very secure model of protecting applications from interacting with other applications. So you may have heard the term sandbox before. So whenever you install an app on Android, every app that has a unique package name, you know, every app has to have a unique package name.

(04:36):
You can't have two apps with the same package name installed on a device. So what happens is that that package is assigned a unique identifier. And when you run that app, Android runs it in a container and it's called the process. And then that identifier is called the PID for that process. So by putting processes in containers, Android ensures that apps can only interact with other apps through a well-defined

(04:58):
process called binder IPC. So this way apps can only interact, and only execute, only like send a request to get data from another app, through well-defined permissions, through well-defined intents and whatnot. So like you can't just have one app poking around the data of another app without breaking the sandbox, which is just not something that is very easily

(05:18):
achievable without some very serious exploit in the Android platform. I wanted to ask you, Brian, how does this, in your experience, how does Android's security model compare to other operating systems? Would you say it's more or less secure?

Brian (05:31):
Yeah, that's always a loaded question. What I would say is that the Linux kernel underneath Android, in and of itself, with its advanced security capabilities, gives it a strength. Apple has a more closed system on iOS, just in terms of how they operate. Uh, the sandboxing model is very strong. You know, the containerization of applications, the control of the IPC channel. All of those things are good strengths for Android.

(05:53):
What's been really interesting to watch is that Android kind of was very heavy. I've been around this since BlackBerry, just to be my background. I was with the original mobile security company called BlackBerry. So I've seen a lot over the years, and BlackBerry was completely locked down and completely impossible to innovate, just about at all, but it was really secure, right? And that's an example of a niche user experience with high security,

(06:14):
but it was really inflexible when you wanted to write applications. The Android world kind of has two communities. You have the, I just wanna get stuff done. And then you have kind of the fanboy world, I wanna customize and do really interesting things and, you know, so on and so forth, which leads to rooting and more customizations in the operating system. What has been really interesting to watch is that Android has become incredibly.

(06:34):
If you look at the number of CVEs and cess listed for the Android operating system or for device hardware, for at least the tier one manufacturers, they have gone down as a rate over time. Apple hasn't. Now Apple may have been a little bit ahead. So there sort of is this, it depends on who your hardware manufacturer is, how they are properly or improperly

(06:55):
using the operating system and the licensing that they're doing around the Play Store and the tooling around that. But Android today is a very safe environment. And so I live in a blended world. So I have, yes, one of everything, because I'm in a mobile business. I have no qualms about saying which device or which operating system is better. Android and iOS are both better than Windows, frankly. And so from that perspective, there's lots of different places we can go

(07:17):
in terms of talking about, well, how do I make sure I'm safe and secure? And how do I make sure I do the right things?

Mishaal (07:22):
You mentioned something that I kind of wanted to follow up on: power users. You know, there are people who like to root and tinker with their devices. That's something that wasn't really possible with the older, more locked-down operating systems and current ones like iOS. So on Android, you are allowed to sideload applications. This term sideloading isn't really much of a thing in the Windows world, but it is something that exists in Android.

(07:42):
And in order to sideload an application from outside of the official Google Play Store, you have to opt in, you have to enable permission. You have to do it on a per-application basis. And there are also other security features that kind of irk power users. And I wanted to ask you your thoughts first on sideloading. Like, how does Google balance the ability to allow users to sideload applications with actually protecting

(08:05):
them from installing something that's potentially untrusted.

Brian (08:08):
Yeah. I think there's kind of two ways to look at it. So I'm gonna take a macro view and then kind of a micro view. So the macro view is there are three or 4 billion users of Android, and that means everybody of every kind everywhere in the world, trying to do everything you can imagine. Right. And so there's lots of different segments of people that wanna use it in certain behavior. I do a lot of work with companies that use lockdown Android tablets that are

(08:30):
purpose designed for a specific use. They may have one application on them. I do work in automotive. I do work in healthcare, right? And so there's that class, financial services, where regulatory matters, control matters, sensitive data matters. You as a patient don't want that data lost. If it's your car, you don't want that car broken into. Right. So there's that category.

(08:52):
And then you kind of move into the more general, maybe business user. Then you move into the more generalized consumer, and then you move into the tinkerer category, like the fanboy, and you know, what I think Google's done a pretty good job of is trying to balance all of them, right, from that perspective. And so they've set up the guardrails. They've continued to improve the guardrails and gates to make it hard to be malicious.

(09:14):
So you've got the containerized model we just talked about. Sideloading to me is an enabler for the category of people who want it, but most people should stay away from it. If you were to ask me how do regular people, consumers, not more technical, advanced customizers, stay safe: don't sideload. Because Google Play with Play Protect, data safety labels, and all of the system

(09:36):
services that are built into the premium level are designed to keep you safe. And it's really easy to stay safe when you're leveraging those things. Sideloading is one of the top malware paths. The other biggest breach vector actually is SMS phishing, and that's not Google or Apple or anybody else's fault. That's the nature of the way SMS behaves. And that's a whole different security conversation.

(09:56):
And the fact that people click on that stuff, just in the same way they sometimes click on spam email. Right. So sideloading isn't a bad thing, but sideloading can get you in trouble. So you really should focus on brand name apps from brand name companies, you know, that have attestation in them with the data safety program, that have four or more stars, have millions of downloads, right?

(10:17):
That's just the collective being safe, doing the smart thing, which is probably 80% of the world really.

Mishaal (10:23):
Right. I kind of liken sideloading to deciding where to purchase something online. So if you're a sideloader, you're kind of bypassing all the extra scrutiny that is placed on those applications by Google Play and by Play Protect and all the stuff that developers have to go through to even get their apps on there. So like if you were to shop online, sure. You could go to AliExpress.

(10:44):
You could find literally anything you want at any time, but you're kind of putting yourself at risk by, you know, are you actually gonna get what you're trying to order? Is the seller actually legitimate? Is the product actually as described? Or could you just do the easy thing and go to like Amazon, you know? Sure. There are going to be some fakes. There are going to be pieces of product issues, but generally those are

(11:04):
more vetted because there's more barriers to entry to get on there.

Brian (11:08):
Right. You know, a lot of this is risk and reward for the bad guys. Right? So those barriers of entry, the friction that's put in the system, make it harder for the people who wanna be malicious to behave maliciously, and the cost of being malicious becomes so high, it's not worth it. So from that perspective, take advantage of everything. You can buy a first class device from a first class vendor, make sure they're using, they're licensing Google correctly, and leveraging that technology and so

(11:30):
on and so forth, and you can be safe. And when we look at what Google has done for the two primary safety systems, we have the Play Protect side of the house. We have the data safety label side of the house, and data safety labels just became mandatory in the last week. And so between those two things, if I can, Play Protect is basically Google's giant malware engine.

(11:50):
Google is continuously scanning for malware. Google has a lot of partners that are in security and endpoint management that are contributing to the malware signatures. While you sometimes see it, and I'm not saying they're in any, it's way better now than it used to be. And that database, all of our signatures, and the sophistication of the testing between Google and Google's partners continues to get better and better and better. Take advantage of Play Protect.

(12:12):
You can run it on your own device. It's being scanned when it's going into the app store. If you find something, report it and kind of help the community. The data safety label is really interesting. So I'll show my age. I remember when my parents would only buy electronics if they had the Underwriters Laboratories safety label on it, which meant some third party company tested that piece of electronics.

(12:35):
So it wouldn't like burn you or blow up your house or, you know, something else like that. And for the first time anywhere in software that I have ever seen, Google's actually added labeling that this thing's. It's called a data safety label. And so one half of a label is the software developer is going to attest and say, here is what my app does with your data.

(12:56):
I transmit it. I collect it. I send it. What have you. The other half is you can get an independent security verification done by an accredited third party. And that accredited third party, NowSecure is one of them, will actually test it sufficiently to say, yeah, this app is safe based on this industry standard benchmark. That's like a Good Housekeeping seal of approval or Underwriters Laboratories label on it now.

(13:18):
So now with Play Protect, I'm protecting myself from malware. With data safety labels, I'm also ensuring that the app manufacturer is doing the right thing. And that's really great for users.

Mishaal (13:28):
So just to take a step back, because on this show, we love to talk about AOSP and GMS, and try to differentiate between them. Google Play Protect, as Brian had mentioned, is part of Google Mobile Services. So it's something that is available on devices with GMS Android. So, if you were to compile AOSP from Google's repositories, you would not have Play Protect available to you, because it is part of, I believe, the Google

(13:51):
Play Store app itself, or Google Play Services, either one of those two. And as Brian mentioned, it is a massive database of malware signatures. And I kind of wanted to talk about now, like I wanted to ask you, how exactly is that malware signature database actually built? How does Google go out and decide to add something to its database?

(14:12):
So for those who've looked up anything related to this before, you might have heard terms like static and dynamic analysis. Can you walk us through what those mean?

Brian (14:18):
Sure. So there is something called the App Defense Alliance. So I'm just gonna introduce, how does the data get collected? So the App Defense Alliance was created five, six years ago. And it's a group of folks who do malware. They do endpoint management, they do antivirus, a lot of the subjects you might expect in this world. And so Google said, hey, we wanna crowdsource this stuff.

(14:41):
We've got a whole bunch. We know you have more. So let's start collecting them. So through all of the different vendors who participate in that, when they find something, they submit it through a special channel to Google. Google adds it to their database, verifies that, the giant database gets bigger. And because there's multiple vendors scanning billions of devices, you get a pretty good signature database as a result of that. Now, what we're all doing under the hood is we're basically doing

(15:03):
some combination of static and dynamic analysis, or SAST and DAST. And so SAST is basically scanning code, either the source code or binary image of the app, to statically identify coding failures in the application. So with SAST, you might find things like, say, hard coded secrets embedded

(15:24):
in the application, or debugging code that made it into production in the app store submission, or hard coded URLs or stuff like that. Those are vulnerabilities. You could... You can also find malicious behavior, like, hey, it's scooping up this data and transmitting it to this IP address. And then DAST, which is dynamic analysis, is actually running the app. Most of us who participate in the program have some sort of dynamic

(15:47):
analysis, where we observe the app running on a real device, whether it's in a lab or it's on some customer's device that has an agent running on it. And we see the malicious behavior, we capture it. So dynamic finds things like permissions escalation, because something changes over. It finds transmission of sensitive data that maybe shouldn't be there. Is that data properly encrypted? Does it go to a bad endpoint?

(16:08):
That's a known malware harvester endpoint from the endpoint databases on the... Things like that. So what's interesting about it is the collective is kinda looking for malware through bad behaviors, but also looking for vulnerabilities. Some of the more recent issues we found in the market weren't actually malware. They were vulnerable commercial applications used by millions of people where the bad guys figured out how to exploit weaknesses in them.

(16:31):
There was a security weakness that their developers had introduced. So that's a little bit about how that works. Now, the App Defense Alliance recently added the MASA specification, which is that independent security verification strategy. So this is how to use SAST and DAST to analyze the app for vulnerabilities that could be exploited, work with the vendor to fix them, and then give them that Good

(16:52):
Housekeeping seal of approval, which is the independent security review stamp. So that when you go to their data safety label in the Google Play Store, you see it says independent security review has been completed by an attested third party. This is deemed safe for use in these categories. And now you have that attestation, which is great, from the third party.

Mishaal (17:12):
So you mentioned before that, you know, you typically look at either the source code or the compiled code of an application, and I'm guessing like 99% of the time you don't have access to the source code of the application you're looking at. Most of the time, you're looking at the binary, the compiled binary, and you'd have to use some kind of decompilation or some kind of analyzer to analyze behavior while it's on device. Can you tell us about like some of the tools that you might use?

(17:34):
Are they like all in-house? Or do you use any commercial tools?

Brian (17:36):
For those who are into reversing, you may have heard of Frida and Radare. They are the top two reversing and disassembly tools in the market. Frida and Radare were created by researchers on our NowSecure team, and pancake are their handles. And so those are used by a lot of security researchers. They're also used in some other tooling by other folks, and
They're also used in some othertooling by other folks, and

(17:57):
those are embedded in our tools. So we can reverse and disassemble an iOS or an Android app, whether it's DRM'd or not. With it, you can break most of the obfuscation tools and hook the app, even the ones that have anti-Frida capabilities in them. It's like a cat and mouse game. They try to block and then you find new ways around it. But in reversing it, you can get down to bytecode or Java code or some

(18:17):
intermediate language that you can then scan to get a sense from a static perspective about what's going on. What I will say is that Frida and Radare are great tools. Have a look at them if you really wanna kinda learn your way through what this world looks like. There's some free training on how to use Frida and Radare and participate in the community on our academy.nowsecure.com, or you can just find them on the internet.

(18:38):
They're great tools. There's some other tools out there. There are various other tools that might go into a kit. You might use Burp Suite to do network sniffing and some things like that when you kind of build out a toolkit. So we leverage those and other advanced IP that we built. So do the other vendors. They have all built something that involves some combination of static and dynamic analysis.

Mishaal (18:55):
Speaking of static and dynamic analysis, there is one thing I wanted to follow up with you on. And it's something that I think requires some clarification for listeners who may not be familiar. And it's that, why is dynamic analysis actually important to do? Why do you have to test on a real device versus, why can't you just statically analyze the code and look for some, say, potentially malicious thing happening?

Brian (19:15):
We talked earlier about containers and IPC and data transmission between, say, two containers or two processes. Right? Well, that's why you need dynamic analysis. Static analysis will never see if data was improperly transmitted over the IPC from one process to another. You need dynamic analysis to understand what's being written to the device in

(19:37):
log files, or being stored on the device. We find key material, forensic data, IP. We actually found a, uh, coupon code generator. The actual IP generation of that was spewed out in log files under error conditions. Now static source code scanning won't find that. You only find that when you run it dynamically.

(19:58):
So as a general rule, dynamic is about testing the crypto: is the crypto working correctly? And then it's testing storage, which is what is being written and what can I forensically find, and what's being written into my own address space, my own storage, other storage, file system, log files, and then network transmission. So what is getting transmitted over the air?

(20:18):
Is it interceptable? Am I doing proper certificate pinning? Am I using the TLS channel correctly? What endpoints am I talking to? Are those endpoints safe? There's a whole bunch of things you can test around authentication and authorization that you'll pick out through testing dynamically. So I'll give you wild data. We scan all the apps in the app store. So there are 6 million App Store and Google Play Store apps.

(20:39):
Approximately, we scan almost all of them on a regular basis. And what I can tell you is that 80% of them have security vulnerabilities. The good news is 20% don't have really bad security vulnerabilities in 'em, but 80% do. And that number's been the same for five or six years since we've been benchmarking them. What's also interesting is that when you carve into that static

(21:00):
versus dynamic, almost everything we're finding is dynamically found. It's really hard to do dynamic analysis and dynamic testing at scale in development. So a lot of 'em just don't do it. So they run a static analyzer, until we find a very low proportion of static vulnerabilities in production apps, because most people are using static tools. Dynamic is really hard to do.

(21:22):
It's expensive if you pay somebody to do it. Not a lot of people do it. And that's why we find that's where most of the vulnerabilities are: in storage, in crypto, in network and backend APIs, by far.

Mishaal (21:32):
Yeah, I'm not surprised, because, you know, they want to avoid detection. So if you just have all your malicious code statically, it's in the application itself and it's easy to find, then there's nothing in it for them. It's gonna be detected and, you know, added to the database and then detected in the future again and over and over again. And I've heard stories of like these malicious applications that behave differently, or execute different parts of code differently, depending on your location or

(21:55):
what device you're running, or a combination of those factors. So like you need to be able to test, and that

Brian (22:00):
can be hard to find, exactly. It can be hard to find through dynamics too. So, uh, with an emulator, you're not necessarily gonna see all the IPC conversation through the emulator. You're not necessarily gonna see the interaction with the OS layer all the way down through the hardware, or the wifi chip, or the carrier chip. Right. So what we have found, for a number of clients who have done emulator based testing, they bring it to us, we find stuff.

(22:20):
I mean, you can't truly emulate the environment to get full coverage. And again, sometimes it's malware. A lot of it's just vulnerabilities. I mean, last year, Walgreens, Slack, they had vulnerabilities that were exploited. People stole prescription data through the Walgreens mobile app because of a vulnerability in it. Slack had a zero day. So even what you would think would be really great companies,

(22:43):
they can make mistakes, their developers can make mistakes. It might be code they write, third party libraries that they put in it. But what we're actually seeing is the nation state actors and the criminals are finding these zero days in these applications, and they're exploiting them as bad or worse as they are the malware. The price of building malware and getting it into the app store is getting higher and higher, cuz it's harder and harder cuz of everything we just talked about today.

(23:04):
But you know what, if I can find a zero day in Slack and go steal a bunch of corporate data or, you know, shopping cart X, and there's numerous applications like that, well, then I can harvest information off of that and use that, you know. There, uh, if I can diverge for a second, a couple years ago, British Airways was breached. They found a weakness in the way British Airways' mobile app

(23:25):
was talking to its backend. So they learned how to attack the backend via the mobile app. Then they attacked the backend. 380,000 records were stolen, including passport information, travel history, credit cards. They were fined. British Airways was fined 158 million pounds by the EU as the first GDPR fine. Now all of that had to do with the fact of a poorly written mobile application

(23:46):
that was exploitable. There was no malware involved. It was just straight up good scientific research that discovered it. And then they used it to go after the backend. And that's what we need to think about, is mobile's just part of the overall chain of all the IT systems that some company has. Then you make sure the mobile app and what it talks to is secure, whether it's malware or whether it's a commercial app.

Mishaal (24:06):
So this whole time we've been talking mostly about malware and like malicious applications. But if you read online about like what Google Play Protect actually identifies, it doesn't usually positively identify actual malicious behavior. It identifies potentially harmful applications. Can you describe what exactly qualifies as a potentially harmful application?

Brian (24:27):
Yeah, so a potentially harmful application is: the app is collecting, and maybe transmitting over the air, data it shouldn't be; the app is trying to execute system level commands it shouldn't have rights to execute. It could be spyware. It could be phishing. You know, more common things we know. It could be ransomware in terms of its behavior. I haven't heard of a lot of production ransomware on mobile, but we've seen some

(24:50):
academic experiments along those lines. Uh, there's a lot of system logging going on, data harvesting going on. And so what kind of comes back is, hey, this has some unusual behavior. It's a camera app and it's grabbed the entire contact database and shipped it to the cloud. Right. And that's gonna get a flag, if it's picked up, right? Cause it doesn't make sense that someone who's taking photos is scraping the

(25:12):
entire address book off the device, or the history of all the wifi nodes that this device ever connected to, with the SSID and whatever passwords, hashed or not. Right. So that's part of what it's looking for, is it doesn't make sense that this app would be doing that thing, whether it's obviously malicious or possibly malicious.

Mishaal (25:32):
Right. And another thing is that potentially dodgy and sketchy or malicious behavior isn't only limited to apps that you can install from the Google Play Store or outside of the Google Play Store. It can also be happening within pre-installed applications, which Google refers to as mobile bundled applications. This isn't really talked about much from what I can see, mostly because it's like a conversation Google has with OEMs.

(25:54):
They have like strict requirements about what these mobile bundled applications can and can't do. I wanted to ask you, what do you know about the security risks with mobile bundled applications? I

Brian (26:03):
can't speak for all the carriers. I can't speak for all of Google. I can't speak for all the device manufacturers. You need to talk to each of them. What I would say is that most manufacturers and carriers are working hard to do it the right way. So for example, we work with AT&T and Google. And so the things that AT&T sells are tested and certified by us. And we work with a lot of the other carriers.

(26:24):
There are other vendors like us that work with the carriers to try to do the right thing. Google has some attestation and testing requirements that the device manufacturers and carriers must submit, especially if they're part of the Google Play ecosystem. And if they're, you know, full GMS licensees. And so what they're trying to do is enable lots of people to grow vibrant businesses and enable

(26:44):
this very broad ecosystem that we have today that has so many users and so many kinds of applications on it. The trick is saying, Hey, here's a set of standards we want you to align with. And we are either gonna test you or have used an independent third party or self-attest that you are doing the right things here and here. And by and large, everybody's got the right idea and trying to do the right thing.

(27:04):
You don't hear so much about really bad stuff happening. I will say that supply chain attacks like we've been hearing in the market overall on lots of different things, whether you're the Colonial Pipeline or what have you, those are out there, and those are hitting mobile, just like they're hitting other corporate systems. And so through no fault of their own, developers may wind up with an exploitable or malicious app because of some third-party library they're

(27:27):
using or system service they're using that suddenly changed because a bad actor got in there and made a. So that will be something I think we're gonna live on in the mobile world, the web world, the network world, and every other world, until we really get supply chain management under control and, and more safe use of components. All right.

Mishaal (27:42):
So on that front, what can app developers do to protect their applications from any malicious exploits?

Brian (27:48):
You know, I think there's a handful of things. So when we work with organizations who are application developers, whether they're large or small, we give them a set of recommendations. First one is make sure you've got some basic security training for your developers. Make sure they understand the fundamentals. Make sure we've got like a guide that's like, here's 10 APIs you should make sure you use and how to configure them properly. And then a guide on permissioning. A lot of it has to do with just don't collect and store it

(28:09):
if you don't need it. Then there are things about how to handle storage, how to handle crypto, how to handle network, how to handle backend APIs. They're not very difficult. In many instances, it's they didn't know there was a flag they should set. They didn't know there was a configuration option they should be using. They didn't know there was an ordering of operations they should be using. Make sure devs are doing the right thing. The second thing is, make sure that there are product requirements that

(28:30):
say what kind of security this thing should have, right? If I'm building a banking app, there should be fundamental requirements that say I'm regulated by the industry. Here's a set of requirements. Well, if I'm not building a banking app, we've been building something else, the requirements may not be clear, but just like you're saying, you want a really cool augmented reality experience, make sure that you're protecting using multifactor authentication and protecting my PHI while you do it.

(28:50):
Right, test it. Whether you're using SAST in the pipeline or SAST and DAST in the pipeline, there are open source and paid commercial tools that are cheap and easy to use. They can run autonomously, they catch all the low-hanging fruit. They make your life easier. What's really cool about a lot of the DAST tools, including NowSecure now, is it also identifies app store blockers. So you may have a build version issue.

(29:11):
You may have a third-party SDK issue. You may have some other reason Google may say, Nope, I'm not gonna accept this binary because you're not following one of my rules. You can catch that too. So that's not just security and privacy. That's finding those rules. And if you're a super high-end app, you're that embedded health app that's maintaining my heartbeat to a cardiac monitor, or you're my banking app or my financial account management app,

(29:32):
you should be doing pen testing once in a while and have really smart experts tear it down just to make sure there isn't something exploitable. So teach, requirements, automate your testing everywhere you. Pen test the high-risk stuff. Be serious enough to say, Hey, we wanna have a great user experience and millions or billions of downloads. And we just wanna make sure that people's data does what it's supposed to do.

Mishaal (29:54):
Security is essential, of course, for every application and developer, should be top of mind, but it should be even more top of mind, especially if you're dealing with sensitive data. And as Brian mentioned, medical, financial, you don't want to be slapped with, uh, billions of dollars in a lawsuit for mishandling or having some data breach that you could have solved by protecting your application better.

(30:15):
And if you are dealing with any mission-critical application or you need to deploy mission-critical applications onto fleets of dedicated devices, and you wanna make sure that the firmware it's running on and the data you depend on is secured, come talk to us at Esper. We specialize in helping companies manage fleets of dedicated devices, including deploying and keeping your apps updated on them.

(30:35):
If you're trying to deploy a kiosk or point of sale terminal, you need to lock it down so potentially malicious applications can't be sideloaded onto. That's especially important because most of the time, these dedicated devices won't have GMS on them. So you can't count on Google Play Protect for protection. And if you're worried about any mobile bundled applications that are pre-installed on the off-the-shelf hardware that you've picked up for your dedicated device

(30:57):
fleet, you'll need to look at deploying your own firmware based on AOSP. We can also help with that. Check us out at esper.io, and Brian, thanks for joining us on this episode of Android Bytes. Is there anything you'd like to close us off with? Can you, like, where can people find you online, and where can people work with NowSecure on securing their application?

Brian (31:15):
Yeah, so you, you can find us online. There's a bunch of great resources I'm gonna talk out real quick. So nowsecure.com/masa, M-A-S-A, that will help you understand the App Defense Alliance and the independent security. If you're a user, look to see that the apps you're choosing have an independent security review. If you're a developer, get your independent security review, we can help you expedite that process.

(31:36):
That's cheap and easy to go do. If you want some training, cat.nowsecure.com is a free training environment. It's for development, QA, DevOps, and security teams to learn everything they need to know about building, testing and running secure apps in production. Again, that's a free resource. You can find me all over the place. I'm actually known as Reed on the Run, that's my handle. So you can find me on, you know, LinkedIn, Twitter, and other kinds of fun places.

(31:59):
Speaking at events of all kinds. The last thing I'll give you is OWASP is growing dramatically. The OWASP mobile project is advancing. There's some really great things coming from OWASP this fall and until later this year with the evolution of the mobile app security project. So if you're into the community activities, come join us at OWASP and the mobile project and get involved because there's some really great stuff going on.

(32:21):
It's a place you can learn, a place you can contribute, and really be part of a community who's trying to do the right thing for mobile application

Mishaal (32:27):
security. And just to clarify, what is OWASP? Exactly? What does it stand for? Oh,

Brian (32:31):
OWASP is the Open Web Application Security Project or program. It's an independent vendor-agnostic community of, uh, security professionals who've been building standards and specifications for how to build secure web apps, mobile apps, how to secure your APIs on the back end and things of that nature. So OWASP, for those who are in the security

(32:52):
are generally familiar with it as a not-for-profit that drives that. OWASP has a number of initiatives going on in the development world. And what's really great about it is that Google has fully embraced OWASP, so the App Defense Alliance MASA certification program, which gets you that independent security verification, actually is using the OWASP standard. And you're gonna see the OWASP standard in many other places

(33:15):
as a mechanism for a common industry standard for what security means, whether it's web, mobile, network, device or API. So there's some really great things going on at that

Mishaal (33:24):
standards body. All right. Thank you, Brian. And thank you everyone again for listening to another episode of Android Bytes. We'll catch you next time.