Page 17 - Mobile Data Loss
P. 17

Understanding Mobile Data Loss Threats  11















            Figure 2.2 Wireshark packet capture of an App communicating clear-text with no encryption.

            data. And many of these fall into the realm of Personally Identified
                                                       3
            Information (PII) as outlined by NIST 800-53 publication.
               Developers may not always be focused on security and therefore
            employ poor coding practices such as not encrypting data-at-rest or
            data-in-motion. This may not only expose the data, but also creden-
            tials such as the user’s username and password, web tokens, keys, and
            other sensitive information.

               Free apps commonly are designed to monetize the app through
            marketing, adware, or redirect to an alternative search engine. Here’s
            an example of an app that claimed to be using encryption for the
            data-in-motion, but is sending the password clear-text as demonstrated
            by the Wireshark packet capture (Figure 2.2):

               Also, app developers commonly use SDKs and libraries from untrusted
            Internet sites and use them in their apps. This can cause them to unknow-
            ingly embed malware, adware, and other risky components into their apps.
            A good example of this was XcodeGhost. Xcode is the SDK provided by
            Apple to developers to be used for creating apps for iOS. But many develo-
            pers download Xcode from websites other than Apple. Some of these sites
            were found to have malware infested versions of Xcode, known as
            XcodeGhost. Developers unknowingly created apps, or updates to apps,
            using these infected versions of Xcode. As a result, it was found that
            XcodeGhost infected apps were uploaded to the Apple App Store and
            downloaded by innocent users who subsequently infected their devices.

               In summary, attackers have shifted their focus to apps thereby making
            this the most common mobile threat vectors. Malicious apps and risky
            legitimate apps must always be considered when mapping out the mobile
            threat landscape and risks to enterprise data.


            3
            http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf Security and Privacy
            Controls for Federal Information Systems and Organizations
   12   13   14   15   16   17   18   19   20   21   22