Page 1: Mobile App Evidence, Security and Privacy

Carney Forensics

Page 2

Mobile App Evidence, Security and Privacy

John J. Carney, Esq.

SECURE360 Conference

May 13, 2015

Page 3

Why Mobile Evidence?

Mobile Devices are Everywhere & Touch Everything

• 41% of Americans Have No Landline

• 66% of Ages 25 to 29 are Wireless

• 71% of Americans Use Smart Phones

• 57% of Americans Use Tablets

• 80% Use Smart Phone within 15 Mins of Wake Up

• Apple Sold 10M New iPhone6 Units in 1st Weekend

Page 4

Why Mobile Evidence?

“Phones contain more probative evidence per byte of data than computer hard drives do.”

Gary C. Kessler, Ph.D.

The Year Ahead for Mobile Forensics, Cellebrite’s Panel Predictions for 2013

Page 5

Discoverable Evidence in Smart Devices

E-mail and Attachments

Documents

Text Messages

Multi-media Messages

Instant Messaging and Chat

Contacts

Appointments and Calendar

Voice Calls

Voice Mail

Photographs

Video and Audio Recordings

Web Browsing History

Social Media

Mobile Apps

Page 6

Discoverable Evidence in Smart Devices

Metadata

Smart Phone Device

• Make, Model, Equipment IDs, Phone Number

• Software Versions, Language

• Date, Time, Time Zone, DST

Forensic Tool

• Identification (Make, Model, Serial Number)

• Software Versions

• Exam Date, Time, Time Zone, DST

Case

• Case Id, Evidence Id, Agency, Examiner

Smart Phone Content

• Hash codes (MD5, SHA1)

• Date and Time Stamps

• Geolocation Information (Geotags)

• EXIF data from onboard camera snapshots and video

• Access point data from Wi-Fi logins and activity

• Reminders

Page 7

“There’s An App for That”

“Apps are nuggets of magic” Bart Decrem, CEO, Tapulous

Page 8

App Downloads

We download 10 apps for every single woman, man, and child on planet Earth annually

Page 9

Exponential Growth in App Installs

Page 10

App Platforms

Pure Oxygen Labs, LLC

Page 11

Growth in Unique Apps

• >1M unique iOS apps with multiple releases & languages

• >1M unique Android apps with multiple releases & languages

• How Many Dark Apps?

• Corporate Apps in Enterprises behind Corporate Firewalls

• Absent from App Stores

Page 12

Apps in the Enterprise

Page 13

Apps – Categories to Watch

Mobile Messaging – Consumer

Mobile Messaging – Enterprise Mobility

Mobile Messaging – Expiration / Retention

Personal Navigation – GPS

Payment – Apple Pay, Google Wallet, PayPal

Social Media

Photo Sharing

Document Creation

Web Mail

Productivity – Calendars, Notes, To-do List

Storage/Backup – Cloud Documents

Spyware – SpouseWare

Page 14

Mobile Messaging Apps

Page 15

Mobile Messaging Apps

• Popular “Text Message Killers”

• Use Internet and App Servers

• Text Free from Costs & Quotas

• Multi-platform for Many Devices

• Global to Bypass Country Limits

• Special and Unique Features

Page 16

Mobile Messaging Apps

• Attorneys often Unaware of Exploding Use in U.S. and Abroad

• Evidence Recovery Challenging

• Subpoena or Court Order Issues

• Advanced Decoding Required

Page 17

Mobile Messaging Apps

Enterprise Mobility

Page 18

Mobile Messaging Apps

Expiration / Retention

Page 19

Social Media Apps

Page 20

Cloud Storage Apps

Page 21

iPhone Personal Navigation Apps

• Apple Maps

• Garmin USA

• Magellan RoadMate

• TomTom

• Navigon North America

• Google Maps

• CoPilot Live

• MotionX GPS Drive

• MapQuest

• Scout by TeleNav

• Bing Maps

• Waze – Social GPS

Page 22

Android Personal Navigation Apps

• Google Maps

• Wisepilot

• Navigon North America

• CoPilot Live

• MapQuest

• Scout by TeleNav

• Waze – Social GPS Maps

• GPS Navigation by Sygic

• iGO My Way

• BackCountry Navigator

• MapFactor

• OsmAnd+ Maps & Navigation

Page 23

Web Mail Apps

Page 24

Payment Apps

Page 25

Apps Security Rationale

Critical Role of Mobile App Data Security

Protection Required for:

• Protected Health Information (PHI) – HIPAA

• Consumer & Security Firm Financial Info – GLBA / FINRA

• Student Records – FERPA

• Personally Identifiable Information (PII) – State Data Breach Laws

Page 26

Apps HIPAA / HITECH Compliance

Final Ruling (Civil Money Penalties)

Page 27

Apps HIPAA / HITECH Compliance

mHealth / Electronic Health Record Apps

• Epic Systems – MyChart, MyChart Bedside, Haiku

• SAP – EMR Unwired, Clinical Task Tracker

• Humetrix – iBlueButton, ICEBlueButton

• Mayo Clinic Patient

• Cognovant PocketHealth

• drchrono EHR

• Quest Diagnostics Care360 Mobile

• CVS Caremark, Pharmacy

MedTech Apps

• Medtronic CareLink Mobile

• St. Jude Medical Merlin.net Patient Care Network

• AliveCor Heart Monitor

Page 28

Banking Apps Rationale

• “Concerns about security are holding back the adoption of mobile financial services.”

• “Concerns about the security of the technology were the primary reason given for not using mobile payments (42 percent) and the second most common reason given for not using mobile banking (48 percent).”

– Board of Governors of the Federal Reserve System (March 2012)

• “68% of mobile device owners who have not adopted financial apps are holding back due to security fears.”

– Mobile Banking, Consumer Security Practices and the Growing Risks to Banks, Research Report, Metaforic, 2012

Page 29

App User Security Stats

Apps Installed on Average Mobile Device: 320

Apps Send Data to Ad Network: 50%

Permissions Requested by Android Apps: 20 (average)

Devices Don’t Have a Passcode: 40%

Android Devices Have Debugging Mode Enabled: 18%

Android Devices Allow Installation of Unverified Apps: 43%

Devices are Rooted: 9%

Wi-Fi Access Points Connected Everyday: 2 (average)

Insecure Mobile Wi-Fi Connections: 7.6%

Unique IP Addresses Connected Everyday: >160

Analysis from 104M mobile security data points

uploaded daily from 170K mobile devices

Page 30

Mobile App Security

NowSecure Tested 62K+ Mobile Apps:

48% of Android Apps Have One or More High Risk Security or Privacy Flaws

15% of All Apps Leak Sensitive Data over Network

9.6% of Apps on Mobile Device Leak Data

12.3% leak IMEIs (International Mobile Equipment Identity)

5% leak MAC Addresses

Presented to RSA Conference April 2015

Page 31

Mobile App Security

NowSecure Tested 62K+ Mobile Apps:

Least Risky App Categories are Flawed

• Finance: 29%

• Medical: 33%

• Health and Fitness: 36%

Financial App Insecurities

• 28% Have at Least One Security Issue

• 6% Have Sensitive Data Leak

• 1% Leak Superuser Capabilities

Presented to RSA Conference April 2015

Page 32

Secure Messaging Scorecard

Page 33

Secure Messaging Scorecard

Page 34

Mobile App Privacy

“Get It Right From The Start”

• Privacy Recommendations from the FTC

• Build Privacy into Apps

• Practice “Privacy by Design”

• Limit Information Collected

• Securely Store What Is Held

• Safely Dispose of Information

• Use App Defaults Users Expect

• Do Mobile Apps Get It Right?

Page 35

Mobile App Privacy

PiOS: Detecting Privacy Leaks in iOS Apps

• Academics Published Study Using Novel Analysis Tool

• Tested 1,400 iPhone Apps for Privacy Threats

• 825 Free Apps Vetted by Apple and Available through AppStore

• 582 Jailbroken Apps from Cydia (not associated with Apple)

• Sensitive Information Sources Giving Rise to Privacy Leaks:

Page 36

Mobile App Privacy

PiOS: Detecting Privacy Leaks in iOS Apps

• Did the 1,400 iOS Apps Get It Right?

• Most Leaks Supply Access to Unique DeviceID

• Allows Hackers to Create Detailed Profiles of Users’ App Preferences and Usage Patterns

Page 37

App Dev Security Testing

Mobile App Development Lifecycle

• Often neglected in mobile app “gold rush”

• Test, validate and mitigate data security issues

• Discover and patch data privacy leaks

Test Coverage

• Personally Identifiable Information (PII)

• Protected Health Information (PHI)

• User name / Passcode / PIN transmissions

• Browser Artifact Security (Web History, Caching, etc.)

• Man-in-the-Middle Attacks

• Privacy Policy / Permissions Usage Conformance
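An added example, not code from the slides: a minimal Python check covering two of the test-coverage items above, credential/PIN transmission and PII exposure, by flagging sensitive fields that an app sends without TLS. The captured requests, hostnames and field names are constructed sample data and assumed conventions, not output of any real tool or traffic from any real app.

```python
"""Added example (not from the slide deck): flag credential, PIN and PII
fields that travel over plain http in captured app traffic. All requests
below are constructed sample data."""
import re
from urllib.parse import urlsplit, parse_qs

# Field names assumed to carry authentication secrets (extend per app under test).
CREDENTIAL_FIELDS = {"username", "user", "password", "passcode", "pin", "token"}

# Value patterns that look like PII (assumed; tuned to the sample data).
PII_PATTERNS = {
    "email": re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$"),
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
}

# Constructed captures: (method, url, form body). Hostnames are placeholders.
SAMPLE_REQUESTS = [
    ("POST", "http://api.example.test/login", "username=alice&passcode=1234"),
    ("POST", "https://api.example.test/login", "username=alice&passcode=1234"),
    ("GET", "http://ads.example.test/track?email=alice%40example.test", ""),
    ("POST", "https://records.example.test/patient", "ssn=123-45-6789"),
    ("GET", "http://cdn.example.test/banner.png", ""),
]


def fields_of(url, body):
    """Merge query-string and form-body parameters into one dict of value lists."""
    params = parse_qs(urlsplit(url).query)
    params.update(parse_qs(body))
    return params


def find_cleartext_leaks(requests):
    """Return one finding (method, host, field, kind) per sensitive field sent over http."""
    findings = []
    for method, url, body in requests:
        parts = urlsplit(url)
        if parts.scheme == "https":
            continue  # encrypted in transit; outside this check's scope
        for name, values in fields_of(url, body).items():
            if name.lower() in CREDENTIAL_FIELDS:
                findings.append((method, parts.netloc, name, "credential"))
                continue
            for kind, pattern in PII_PATTERNS.items():
                if any(pattern.match(v) for v in values):
                    findings.append((method, parts.netloc, name, kind))
    return findings


def summarize(findings):
    """Count findings by kind, the way the slide groups its test-coverage items."""
    summary = {}
    for _, _, _, kind in findings:
        summary[kind] = summary.get(kind, 0) + 1
    return summary


if __name__ == "__main__":
    results = find_cleartext_leaks(SAMPLE_REQUESTS)
    for method, host, field, kind in results:
        print("cleartext %s: %s %s field=%s" % (kind, method, host, field))
    print(summarize(results))
```

The https requests are skipped on purpose: this check only answers whether secrets and PII leave the device unencrypted, which is one line item of test coverage, not a substitute for reviewing what the app sends to whom.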

Page 38

App Security Vetting

Page 39

App Security Vetting

Page 40

Other App Security Services

OWASP Mobile Security Project

• Top Ten Mobile Risks

• Mobile Tools

• Mobile Security Testing

• Mobile Cheat Sheet

• Secure Mobile Development

• Top Ten Mobile Controls

• Mobile Threat Model Project

Mobile Application Reputation Service

• App Security Testing Vendors

• Veracode, Trend Micro, etc.

Mobile Vulnerability Database from Varutra

Page 41

Mobile App Security Apps

NowSecure Protect

• Generate risk ratings to understand level of device risk

• Understand what data is being sent insecurely

• Get geo-locations of data to find out where data is going

• Learn about malicious and insecure apps

F-Secure App Permissions

• “Why Does This App Need So Many Permissions?”

• One App to Reveal Them All

Page 42

Mobile Device Forensics Tools

Cellebrite UFED

• Accounts and Passwords

• Malware Scanner

• Dictionary (keylogger)

Oxygen Forensic

• Accounts and iOS Keychain

• Property Lists (plists)

• SQLite databases

• Dictionary (keylogger)
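The tools above surface property lists and SQLite databases, and the earlier metadata slide lists MD5/SHA1 hash codes and date/time stamps among the smart phone content an examiner records. As an added illustration (not code from the slides, Cellebrite or Oxygen Forensics), the Python script below builds a constructed SQLite message store and a constructed plist, hashes the database, reads it read-only, and converts Apple-epoch timestamps to UTC. The table and key names are assumptions loosely modelled on an iOS message database, not taken from any product.

```python
"""Added example (not from the slide deck): process the artifact types the
slides list for mobile forensic tools (SQLite databases, property lists) and
record the content hashes an examiner reports (MD5, SHA1). Every input is
constructed inline; no real device extraction is used."""
import hashlib
import os
import plistlib
import sqlite3
import tempfile
from datetime import datetime, timezone

# Apple stores many timestamps as seconds since 2001-01-01 UTC ("Mac absolute
# time"); Unix time counts from 1970-01-01, so the epochs differ by this much.
APPLE_EPOCH_OFFSET = 978307200


def apple_time_to_utc(value):
    """Convert an Apple-epoch timestamp (seconds, or nanoseconds on newer iOS
    versions) to an aware UTC datetime. Values far too large to be seconds
    are treated as nanoseconds (assumed heuristic)."""
    if value > 10**12:
        value = value / 1e9
    return datetime.fromtimestamp(value + APPLE_EPOCH_OFFSET, tz=timezone.utc)


def build_sample_message_db(path):
    """Write a constructed SQLite database loosely modelled on an iOS message store."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT, "
                "date INTEGER, is_from_me INTEGER)")
    con.executemany("INSERT INTO message (text, date, is_from_me) VALUES (?, ?, ?)", [
        ("Meeting moved to 3pm", 452000000, 0),        # seconds precision
        ("On my way", 452000300 * 10**9, 1),           # nanosecond precision
    ])
    con.commit()
    con.close()


def hash_file(path):
    """Return the MD5 and SHA1 digests an examiner records for an evidence file."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def extract_messages(path):
    """Read messages from the database read-only and normalise their timestamps."""
    con = sqlite3.connect("file:%s?mode=ro" % path, uri=True)  # never write to evidence
    rows = con.execute("SELECT ROWID, text, date, is_from_me FROM message "
                       "ORDER BY ROWID").fetchall()
    con.close()
    return [{"rowid": rowid, "text": text,
             "direction": "sent" if from_me else "received",
             "timestamp": apple_time_to_utc(date).isoformat()}
            for rowid, text, date, from_me in rows]


# Constructed property list of the kind an app keeps in its preferences.
SAMPLE_PLIST = plistlib.dumps({"LastAccount": "user@example.test",
                               "LastLaunch": datetime(2015, 5, 1)})


def read_plist_strings(data):
    """Parse a binary or XML plist and return its top-level string values."""
    return {k: v for k, v in plistlib.loads(data).items() if isinstance(v, str)}


def run_demo():
    """Build the sample database in a temp directory, hash it, and decode its content."""
    workdir = tempfile.mkdtemp()
    db_path = os.path.join(workdir, "sms.db")
    build_sample_message_db(db_path)
    before = hash_file(db_path)
    messages = extract_messages(db_path)
    after = hash_file(db_path)  # read-only access must leave the digests unchanged
    return {"hashes": before, "unchanged": before == after,
            "messages": messages, "plist": read_plist_strings(SAMPLE_PLIST)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Hashing before and after the read is the habit worth keeping: the digests in the exam report are only meaningful if the parsing step provably did not alter the evidence file.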

Page 43

UFED Malware Scanner

Page 44

UFED Malware Scanner

Page 45

UFED Malware Scanner

Page 46

Mobile App Evidence Demo

Page 47

Questions & Answers

Carney Forensics

Cell Phones / Smart Phones

Smart Tablets

Computer Forensics

GPS Devices

Social Media / Email

Mobile App Testing / Litigation Readiness

Sign up for our Newsletter!!

www.carneyforensics.com

Page 48

Carney Forensics