Answers to Frequently Asked Questions on Mobile Security

From the experts at Zimperium

MOBILE SECURITY

You will most likely not be able to determine whether your phone has been hacked or compromised without knowledge of the operating system and device hardware. However, you may notice your phone exhibiting new behaviors such as becoming slower, crashing, or draining its battery excessively. Some users have received enormous data usage bills from their service providers after malicious adware was installed on the device. Determining with certainty whether your phone has been hacked or compromised by a third party requires specialized software. Zimperium provides a mobile security (mobile threat defense) app, zIPS, that determines whether your phone is being tampered with. zIPS privately monitors the behavior of your device using machine learning technology to detect and prevent smartphones and tablets from being hacked or compromised. If your phone is being hacked, zIPS can detect and stop the attack. zIPS will also gather technical details about the attack and how it is being delivered to your device so you can avoid future hack attempts. The information about the attack is stored in an administration console for your security team. You can download zIPS from the Apple App Store or Google Play and contact Zimperium for an activation license. There are also videos available explaining “What is zIPS?” and “How to Tell if Your Phone is Hacked?”
Mobile security threats are vulnerabilities or attacks that attempt to compromise your phone's operating system, internet connection, Wi-Fi and Bluetooth connections, or apps. Smartphones have very different behaviors and capabilities from PCs or laptops and need to be equipped to detect attacks specific to mobile devices. The unique functions and behaviors of mobile devices make traditional IT security solutions ineffective at securing them. One of the primary differences between mobile devices and PCs or laptops is administration privileges. A PC or laptop can have several administrators, making it simple for corporate IT to install security software and monitor computers for problems. On mobile devices, administration is handled by the device owner. The device owner is the only one who can install apps or allow other management profiles on the device. This means the burden of securing the mobile device and its data falls entirely on the user, who may not have the time or expertise to provide proper mobile device security. To address this issue, Zimperium provides a platform that uniquely allows IT organizations to protect company networks and systems by installing a mobile security app on devices accessing corporate systems. The zIPS mobile security app monitors mobile devices for malicious behavior and detects attacks on the device from operating system vulnerabilities, the network, apps, or mobile malware. The app uses specialized technology built for mobile to detect all types of attacks without the need to read user data or hinder device performance.
Mobile security is very important since our mobile device is now our primary computing device. On average, users spend more than 5 hours each day on a mobile device conducting company and personal business. The shift in device usage habits has also moved the prime target for hackers from PCs to our mobile devices. Since mobile devices are now a prime target, we need to secure them and arm them with threat detection and malware protection just like PCs. Smartphones are able to circumvent traditional security controls, and typically represent a massive blind spot for IT and security teams. Hackers know this, which no doubt contributed to the number of smartphone attacks recorded between January and July 2016. The number of attacks nearly doubled compared to the last six months of 2015. During that same time period, smartphones accounted for 78% of all mobile network infections. According to Zimperium, 4% of corporate mobile users detected malicious Wi-Fi attacks in the first half of 2017. You can review information about these attacks in the Zimperium Global Threat Report.
There are over 3 million apps in Google Play and 2 million in the Apple App Store. These stores perform analysis on apps and remove malicious apps once they are identified. However, malicious apps do enter the stores and infect users’ devices. Examples of app-based attacks include XcodeGhost on iOS and Gooligan, a family of Android-based malware. Apps have special privileges and access to device functions, such as location, access to cameras, microphones, and user data. Users provide access to device functions upon app install but may not fully comprehend the potential harm they may be allowing. Plus, sophisticated attacks could activate days after an initial install or after an app update, to evade signature-based malware detection. You need to install a real-time mobile security solution to detect attacks from apps and mobile malware. Zimperium monitors device behavior and also investigates apps for security issues and privacy abuse. Some of the most severe issues include:
  • Does the app contain known malware?
  • Does the app share passwords from its keychain with other apps made by the same team?
  • Does the app use weak encryption?
  • Does the app use private or outdated frameworks?
  • Does the app send query parameters with private user or device information?
  • Does the app read private information such as the UDID or device identification number?
Zimperium completed a study of 50,000 iOS apps installed on enterprise users' devices. The study found that 1,101, or 2.2%, of the apps had at least one of the aforementioned security or privacy issues. This is a significant concern to enterprises, since 1 in 50 apps is potentially leaking data to third parties. The complete study is available in the Zimperium Global Threat Report, 2017.
Mobile security refers to the set of technologies and practices that aim to protect mobile devices against operating system vulnerabilities, network and app attacks, or mobile malware. Technologies such as enterprise mobility management (EMM) solutions manage compliance policies and issues relating to device privilege or loss. Mobile threat detection (MTD) technologies such as Zimperium's zIPS complement EMM solutions, protecting devices from cyberattacks via network, application and operating-system threats and vulnerabilities. Your mobile security strategy will vary with your deployment architecture and whether you need an EMM and/or MTD. Contact Zimperium for a briefing and risk analysis on how to determine your mobile risk posture.
In order to determine which mobile security is best for Android, it is important to take into account both known threats (those for which there are already recognized signatures) and unknown threats (which are zero-day threats). Zimperium’s zIPS app uses real-time, on-device machine learning-based technology to protect Android devices against both known and unknown threats. You can download zIPS in Google Play and contact Zimperium for an activation license. There are also videos available explaining “What is zIPS?” and “How to Tell if Your Phone is Hacked?”
To understand which mobile security is best for iOS / iPhones, it is helpful to understand that iOS devices are subject to both known and unknown threats. Known threats are those that have already been discovered and for which there are known signatures. Unknown threats, also referred to as zero-day threats, do not have known signatures. Zimperium solutions such as zIPS use real-time, on-device machine learning-based technology to protect iOS devices against both known and unknown threats. You can download zIPS in the Apple App Store and contact Zimperium for an activation license. There are also videos available explaining “What is zIPS?” and “How to Tell if Your Phone is Hacked?”
There are a number of mobile security solutions available on the market, but identifying which mobile security is best for enterprises entails using specific criteria. As is often the case, solutions designed for consumers and end-users may not be as robust, full-featured, reliable and scalable as solutions designed specifically for the enterprise. In particular, mobile security solutions that are suitable for enterprise use should include scalability, autonomous functionality, machine learning, on-device operation, and protection from zero-day threats. Enterprises also need to consider flexible deployment models to take advantage of existing infrastructure or cloud computing environments. Zimperium solutions such as zIPS uniquely meet all of those criteria. You can download zIPS in the Apple App Store or Google Play and contact Zimperium for an activation license. There are also videos available explaining “What is zIPS?” and “How to Tell if Your Phone is Hacked?”
Yes. Mobile security apps are necessary to prevent phone tampering from operating system vulnerabilities, other apps, or malicious activity on network or Wi-Fi connections. Mobile devices contain and have access to private and sensitive data about your business or person, and that data needs to remain private. Mobile phones do provide some security features like PIN and lock codes, but they do not come with security software to prevent mobile attacks and hack attempts, nor will they alert you if there is a problem. For these reasons, we recommend using a mobile security app such as zIPS. The zIPS mobile security app monitors your mobile device for malicious behavior and dynamically detects attacks from malware, apps, or your Wi-Fi and network connections. zIPS users have detected attacks in every region of the world from operating system vulnerabilities, bad apps, and network attacks. You can review these attacks and their details in the Zimperium Global Threat Report.

MOBILE APPLICATION SECURITY

MAPS is Zimperium’s Mobile Application Protection Suite. It is a holistic platform focussed on helping enterprises build SAFE and SECURE mobile applications. It helps secure the app during development and runtime by automating and integrating security into the entire mobile application lifecycle.
iOS and Android are supported. Native languages and Hybrid frameworks are supported as well.
We provide a continuous and automated Mobile Application Security Testing (MAST) tool that identifies privacy, security, internal, and regulatory compliance gaps within the mobile application development process.
We provide an SDK that enables the app to protect itself from on-device attacks and provide threat visibility while operating on mobile devices in the wild to help prevent data loss, data breaches, and fraud.
Application protection, also referred to as in-app protection, can be categorized as security solutions that focus on building and increasing the defense capabilities within an application, making it more resistant to attacks. It generally includes techniques such as code obfuscation, specialized cryptographic key protection, anti-tampering protections, and Runtime Application Self-Protection (RASP). In-app protection solutions are proactive in nature, embedding defenses into your applications so they can withstand and block threats like reverse-engineering, data and IP theft, misuse, vulnerability exploitation, and tampering. Application protection secures your software-based assets, and safeguards your organization and customers from attacks.
Often all of these terms are used interchangeably. However, application protection and in-app protection can be regarded as broader terms that include application hardening and shielding techniques, as well as cryptographic key protection and additional security measures that increase the self-defense capabilities of an application. In-app protection incorporates mechanisms to detect and respond to threats and malicious behavior in real-time. These capabilities are critical for applications to operate securely in untrusted environments. Application hardening and application shielding generally refer to a subset of the security techniques covered by application protection. Application shielding involves making strategic modifications to the source, byte, or binary code that make the application resistant to reverse-engineering and tampering.
Unlike security solutions focused on testing, detecting, and then remediating vulnerabilities in apps, in-app protection plays its part primarily in the prevention and thwarting of attempted attacks. Application testing solutions are based on analyzing and finding known vulnerabilities and weaknesses against identified threats. By contrast, application shielding hardens code to make it extremely difficult to understand it or find a foothold to launch any type of attack on an application. It evaluates and analyzes an app’s environment to ensure it can run securely and proactively blocks attacks before they can cause damage. Application security testing and in-app protection address different security needs and complement, rather than substitute for, one another.
Yes, application protection techniques should be used by both desktop and mobile applications, although many tools focus exclusively on one or the other. Zimperium’s application security hardening solutions support Android, iOS, Linux, macOS, and Windows platforms, along with embedded systems, set-top boxes, connected cars, medical devices, mobile banking solutions, and more. Zimperium’s zShield can protect Android Java, desktop/server Java, Kotlin for Android, C, C++, Objective-C, and Swift source code and requires no significant changes to the code itself or the existing build chain.
Several combinations of techniques are used to provide robust in-app protection. Below are some of the most crucial.

Reverse engineering protections
  • Code obfuscation: Code obfuscation makes strategic modifications to the code so that it is difficult to decipher and decode.
  • Anti-debugging: Adding mechanisms that detect the presence of common debuggers and debugging techniques, and take action to block them.
  • Binary packing: Binary packing is a technique used to protect against static analysis.
  • Diversification: Diversification alters code so that each software instance must be cracked individually.
  • White-box cryptography: A software-based method to secure cryptographic keys that combines obfuscation, encryption, and mathematical transformation techniques to hide cryptographic keys and algorithms so that even if a program or device is compromised, cryptographic keys remain safe.

Tampering protections
  • Integrity checking: Integrity checking hardens applications by inserting thousands of small, overlapping checksums. During runtime, each of these checksums tests whether a particular segment of the executable has been tampered with.
  • iOS jailbreak detection: Jailbreak protection identifies whether the device security has been breached and reports it to the application, enabling it to take the appropriate response.
  • Android rooting detection: Android rooting detection methodologies implement anti-rooting techniques to detect the legitimacy of the operating system and execute defense actions accordingly.
  • RASP/intrusion detection and response: Apps can protect themselves by executing a defense response when a tampering attempt is detected. For example, sending an alert, preventing execution of some commands, deleting sensitive data, or shutting the app down.
Robust application protection generally includes specific security measures in accordance with requirements by GDPR, PCI-DSS, EMV, HIPAA, the EU Medical Device Regulation, and other regulatory statutes and bodies. For example, many regulations require strong protections against reverse-engineering and tampering including code obfuscation, environmental checks, embedded integrity checkers, as well as cryptographic key security.
While most in-app protection solutions provide at least some level of key protection, they may or may not include dedicated cryptographic key security such as white-box cryptography. White-box cryptography is probably the most effective software-based method to protect encryption keys. It uses extremely sophisticated mathematical transformation and obfuscation techniques to hide cipher keys and cryptographic operations. White-box cryptography ensures that encryption keys remain protected at all times, even if the application or device is compromised.
The goal of DevSecOps is to bake security in as a part of the software development lifecycle (SDLC) with secure coding best practices and testing automation. This has proven to be better and more efficient than addressing security concerns after applications are in production. Combining development, security, and operations teams under a DevSecOps model helps teams release app builds faster, with fewer vulnerabilities, and with upgraded security. While it may require an additional early investment, it saves on major post-production costs by preventing attackers from exploiting the app easily. Combining application shielding in the DevSecOps framework strengthens the app at its core, adding a layer of protection that is toughened and ready for launch into zero-trust environments.
Enterprise-grade application protection solutions give comprehensive protection from attacks associated with reverse engineering, tampering, code lifting, exploitation of vulnerabilities, and even from unconventional attacks like side-channel attacks. The consequences of such attacks include data exfiltration, intellectual property theft, encryption key discovery, financial fraud, malware insertion, and reputation damage.
Reverse engineering plays a central role in almost every attack on an application. Hackers use it to discover sensitive data, unprotected keys, and information that could be used to further penetrate the application and connected systems. Reverse engineering also exposes unprotected proprietary algorithms and other intellectual property. Application shielding uses different techniques like code obfuscation, anti-debugging mechanisms, binary packing, and diversification to make the source code of an application extremely difficult to reverse engineer. White-box cryptography adds specialized protection for encryption keys. This makes even the most determined hackers abandon their attacks in most cases.
Jailbreaking an iOS device and rooting an Android device gives the user administrator-level root access to various subsystems. Once a device is jailbroken or rooted, security controls installed by the manufacturers are breached allowing attackers and rogue apps to access your application data or keys. Zimperium’s solution detects when there is a breach in the security of a device and reports it to the application to take appropriate defense measures. The solution also helps strengthen the defense capabilities of the application, so even when operating in an insecure environment such as a compromised OS, it can withstand attacks from different possible threats.
Code obfuscation is an application protection technique that works by transforming the code to make it very difficult for hackers to understand and decipher. Strong and well-applied code obfuscation:
  • Hides and confuses the logic, structure, and purpose of the code to stop hackers who attempt to reverse engineer or tamper with your application
  • Conceals information that can be used in further attacks, such as debug information, log messages, and strings displayed to the user
  • Secures valuable intellectual property, such as proprietary algorithms or licensed technology or content
  • Hardens potential attack points by obscuring security flaws and vulnerabilities so they can’t be exploited
Obfuscation methods range from basic to complex, and include stripping out potentially revealing metadata, renaming useful class and variable names to meaningless labels, adding decoy logic, inlining functions, encrypting some or all of the code, and obfuscating the application’s control flow.
Hackers tamper with an app to change its compiled code or runtime behavior. For example, they might inject malicious code or spoof an authorized identity, allowing them to access valuable information and possibly the entire network. Apps can protect themselves by using RASP techniques to detect tampering attempts and execute an appropriate defense response. Runtime application self-protection (RASP) is a term used to describe the variety of detection methods and defensive actions an app can employ to prevent code reverse-engineering, tampering, and other attacks in real-time.

Side-channel attacks are a set of security exploits that rely on observing the characteristics and behavior of a device while it performs cryptographic operations, rather than on weaknesses in the algorithm itself. Side-channel attacks can be carried out against any operating system, including Windows and Linux. The infamous Meltdown and Spectre vulnerabilities are prime side-channel attack examples that affected nearly every modern processor.

Types of side-channel attacks include:

  1. Speculative execution attack
  2. Power monitoring attack 
  3. Cache attack 
  4. Timing analysis 
  5. Differential fault analysis (DFA)
  6. Thermal imaging 

Zimperium’s zKey provides an industry-leading white-box cryptography solution to protect secrets and keys from exposure, even against new side-channel attacks as they emerge. 

White-box cryptography is a highly specialized software-based security technique to protect cryptographic keys and operations. It combines obfuscation, encryption, and mathematical transformation techniques to hide cryptographic keys and algorithms so that they never appear in the clear. Standard operations such as encryption, decryption, secure key unwrap, and digital signature creation and validation are done within the secure white-box environment, protecting the keys even if the device is compromised by an attacker. 

White-box cryptography provides essential cryptographic key protection in multiple industries. For example, the Payment Card Industry (PCI) Security Standards Council, has determined white-box cryptography to be a preferred method for securing cryptographic keys in Tap-to-Phone mobile POS applications.

Anti-debugging is a set of techniques used within the code of an application to detect and prevent the act of debugging. This stops attackers from dynamically running applications, trying to understand how they work, and changing the behavior of certain features or checks within the application. Anti-debugging techniques observe memory, operating system and process information, and the latency that arises when a debugger is attached to an application, and compare them to the state when no debugger is present.

Integrity checking is a technique used in application hardening to determine if an application has been tampered with. Small pieces of code, called checkers, are inserted into your application that act as a trigger in the case of tampering. These triggers execute predetermined actions to protect the application’s integrity such as notifying the user, calling a custom response function, generating a log message, or even shutting down the application.
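As an added illustration of the overlapping-checker scheme described here and under the in-app protection techniques above (example code, not Zimperium's zShield implementation): a constructed byte array stands in for a protected code segment, seven 16-byte checkers overlap by 8 bytes, and patching one byte trips every checker whose window covers it. The checker table, region contents and FNV-1a checksum are assumptions chosen for the demo.

```c
/* Added example, not Zimperium's code: overlapping integrity checkers over a
 * constructed byte array that stands in for a protected code segment. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define REGION_LEN   64
#define CHECKER_LEN  16  /* bytes guarded by one checker */
#define CHECKER_STEP  8  /* windows overlap by CHECKER_LEN - CHECKER_STEP bytes */
#define NUM_CHECKERS ((REGION_LEN - CHECKER_LEN) / CHECKER_STEP + 1)  /* 7 */

/* Constructed stand-in for the executable's text segment. */
static uint8_t g_code_region[REGION_LEN];

/* One checker: the window it guards and the checksum recorded at "build time"
 * (here: at init). Real tools patch the expected values into the binary after
 * linking and place checkers inline so that other checkers cover them too. */
typedef struct {
    size_t start;
    size_t len;
    uint32_t expected;
} checker_t;

static checker_t g_checkers[NUM_CHECKERS];

/* FNV-1a over a byte range: cheap, and any single-byte change alters the result. */
static uint32_t fnv1a(const uint8_t *p, size_t len) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Fill the region with deterministic "code" bytes and record each baseline. */
void integrity_init(void) {
    for (size_t i = 0; i < REGION_LEN; i++)
        g_code_region[i] = (uint8_t)(i * 37u + 11u);
    for (size_t k = 0; k < NUM_CHECKERS; k++) {
        g_checkers[k].start = k * CHECKER_STEP;
        g_checkers[k].len = CHECKER_LEN;
        g_checkers[k].expected = fnv1a(g_code_region + g_checkers[k].start, CHECKER_LEN);
    }
}

/* Run every checker. Returns how many failed; *first_failed receives the index
 * of the first failing checker, or -1 when the region is intact. The caller
 * decides the response (alert, log, custom handler, shutdown). */
int integrity_verify(int *first_failed) {
    int failures = 0;
    *first_failed = -1;
    for (size_t k = 0; k < NUM_CHECKERS; k++) {
        uint32_t now = fnv1a(g_code_region + g_checkers[k].start, g_checkers[k].len);
        if (now != g_checkers[k].expected) {
            if (*first_failed < 0) *first_failed = (int)k;
            failures++;
        }
    }
    return failures;
}

/* Simulate tampering: overwrite one byte of the "code" (e.g. a patched branch). */
void simulate_patch(size_t off, uint8_t value) {
    if (off < REGION_LEN) g_code_region[off] = value;
}

int main(void) {
    int first;
    integrity_init();
    printf("clean region: %d failing checkers\n", integrity_verify(&first));
    simulate_patch(20, 0x90);  /* byte 20 lies in windows [8,24) and [16,32) */
    int n = integrity_verify(&first);
    printf("after patch at byte 20: %d failing checkers, first = %d\n", n, first);
    return 0;
}
```

Because the windows overlap, a single patched byte is caught by two independent checkers, so removing one checker does not silence the detection.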

Applications deployed into zero-trust environments like mobile phones provide opportunities for hackers to easily gain access into systems. Conventional security practices such as firewalls, anti-virus, and MDM are no longer sufficient as none properly protect the app and the assets they contain. 

Applications outside the perimeter need to be protected to reduce risk, prevent financial loss, and protect your business brand and intellectual property. Zimperium’s advanced cross-platform application security suite provides patented application shielding to protect software applications, mobile apps, and IoT devices by dramatically increasing their resistance against reverse engineering, tampering, and theft of cryptographic keys.

MOBILE THREAT DEFENSE (MTD)

Mobile Threat Defense (MTD) solutions protect mobile platforms by detecting threats to devices, operating systems, the networks they use, and apps on the device. Each of these vectors is vulnerable to a variety of attack methods. More information about mobile threat defense is available on the Zimperium blog.
Several analyst firms now cover both EMM and MTD markets. There are several analyst reports available on Zimperium.com and on the Zimperium blog.

ZIMPERIUM

Please contact us today for information and reports on how to compare several mobile threat defense technologies and methodologies.

Zimperium support can be contacted at support.zimperium.com.
Yes. Submit a request for a trial of zIPS and an administration console on our Contact Us page for evaluation licenses.
zLABS – Global Threat Intelligence: Zimperium’s zLabs stays ahead of the ever-changing cybersecurity landscape by providing in-depth, ongoing research. The team has identified and disclosed numerous mobile device vulnerabilities over the past few years to Apple and Google. These discoveries have helped influence security practices, accelerated security updates by Google and mobile operators, and encouraged more accountability for iOS security.

zIPS

The zIPS mobile security app provides comprehensive protection for iOS and Android devices against mobile device, network, and application cyberattacks. The app leverages machine learning to provide on-device protection from known and zero-day threats. More information about zIPS is available on the zIPS Product page and YouTube “What is zIPS?”. You can download zIPS in the Apple App Store or Google Play and contact Zimperium for an activation license. There are also videos available explaining “What is zIPS?” and “How to Tell if Your Phone is Hacked?”
Zimperium mobile threat defense integrates with leading enterprise mobile management solutions, including:
  • VMware AirWatch
  • BlackBerry
  • Citrix XenMobile
  • Microsoft Intune
  • MobileIron
  • Silverback
zIPS™ can detect both known and unknown threats by leveraging machine learning to analyze the behavior of mobile devices. zIPS operates by itself or with existing enterprise mobility management solutions (MDM, EMM). More information about zIPS is available on the zIPS Product page or by viewing videos explaining “What is zIPS?” and “How to Tell if Your Phone is Hacked?”

zANTI

zANTI™ is a mobile penetration testing toolkit that lets security managers assess the risk level of a network with the push of a button. This easy-to-use mobile toolkit enables IT security administrators to simulate an advanced attacker and to identify the malicious techniques attackers use in the wild to compromise corporate networks. More information and how-to videos are available on the zANTI Mobile Penetration Testing page.
There are how-to videos on the zANTI Mobile Penetration Testing page. There is also a video on how zIPS detects a MITM when a device is attacked with zANTI.

VULNERABILITIES

Stagefright is a vulnerability that can be exploited via 11+ attack vectors and allows remote code execution exploiting several critical vulnerabilities in the Android Media Library. There are over 24 critical CVEs between Stagefright 1 and Stagefright 2. Attack vectors like MMS directly hit the firmware (media server in this case) and bypass the entire application layer. More information about the Stagefright vulnerability and how to defend yourself is available on the Zimperium blog.
Pegasus is a sophisticated trojan targeting the iOS platform. It gives an attacker the ability to remotely monitor and capture communication from a device (including calls, texts, WhatsApp, Viber, etc.). A successful attack transforms a device running iOS into a powerful surveillance tool. This is a persistent attack and enables an attacker to remotely update and control the device to provide additional functionality as required. More information about Pegasus and how to defend yourself is available on the Zimperium blog.
DirtyCow is a privilege escalation vulnerability on Android devices. Zimperium detected DirtyCow as an attack before it was disclosed and classified. Zimperium did not require a client update to detect the threat, since its threat detection technology detected the malicious behavior. More information on DirtyCow is available on the Zimperium blog.
BlueBorne is an attack leveraging Bluetooth connections to penetrate and take control over targeted devices. BlueBorne affects ordinary computers, mobile phones, and the expanding realm of IoT devices. The attack does not require the targeted device to be paired to the attacker’s device, or even to be set on discoverable mode. According to Google it “could enable a proximate attacker to execute arbitrary code within the context of a privileged process.” More information on BlueBorne and how to protect your devices is available on the Zimperium support site.