APP-0
Vulnerable Applications
Eavesdropping on Unencrypted App Traffic
Remote Code Execution as System User on Samsung Phones [^55]
Insecurity Cameras and Mobile Apps: Surveillance or Exposure? [^56]
Team Joch vs. Android [^57]
CBS App & Mobility Website [^116]
The Fork [^117]
Card Crypt [^121]
CVE-2015-4640
CVE-2017-2412
Mobile Device User
To use HTTPS for web servers that support both HTTP and HTTPS, prepend URLs entered into the browser location bar with 'https://'.
Mobile App Developer
Implement secure communications in apps. On iOS, keep App Transport Security (ATS) enabled and do not add NSAllowsArbitraryLoads or per-domain NSExceptionAllowsInsecureHTTPLoads exceptions. On Android, disable cleartext traffic explicitly, either with android:usesCleartextTraffic="false" in the manifest or with cleartextTrafficPermitted="false" in a Network Security Configuration (the platform default only blocks cleartext when targetSdkVersion is 28 or higher).
Enterprise
Use app vetting tools/services that can detect the use of cleartext traffic in mobile apps before deployment within your organization.
To protect the confidentiality of enterprise data against passive interception, particularly when mobile devices may be connected to public networks (e.g. coffee shop Wi-Fi), deploy mobile VPN technologies to encapsulate potentially clear-text network traffic with a layer of strong encryption.
APP-1
Vulnerable Applications
Man-in-the-middle Attack on Server Authentication
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Devices [^61]
Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security [^62]
SMV-HUNTER: Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in Android Apps [^63]
How We Discovered Thousands of Vulnerable Android Apps in One Day [^65]
CVE-2016-3664
CVE-2014-5618
Mobile App Developer
Use fail-safe logic when establishing a connection to the back-end server; if server certificate validation fails, do not continue to negotiate a secure session or fall back to an unencrypted communication protocol, and warn the app user.
On Android, use the Network Security Configuration feature (res/xml/network_security_config.xml, referenced from the manifest via android:networkSecurityConfig) to pin the back-end server's certificate or public key; include a backup pin and an expiration date so a planned key rotation does not lock users out of the app.
To reduce the impact of a successful MiTM attack on your application, consider the use of public key cryptography to protect sensitive data destined for back-end servers prior to transmission off the device.
Enterprise
Use app vetting tools/services or penetration testing to detect MiTM vulnerabilities (missing or broken certificate validation) in mobile apps before deployment.
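The developer mitigations for APP-0 and APP-1 above can be checked statically in an enterprise vetting pipeline: whether the Android manifest and Network Security Configuration disable cleartext and pin the back-end host with a backup pin and an expiration date, and whether the iOS Info.plist weakens App Transport Security. The following is an added example, not catalogue text or any vendor's tool; the manifests, configuration, plist, package names, host name and pin values are constructed placeholders.

```python
"""Static vetting check for APP-0 (cleartext traffic) and APP-1 (server authentication):
audits an Android manifest plus its Network Security Configuration, and the App Transport
Security dictionary of an iOS Info.plist. Added example; every input below is constructed."""
import base64
import plistlib
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed weak manifest: HTTP permitted app-wide, no network security config at all.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weak">
  <application android:usesCleartextTraffic="true"/>
</manifest>"""

# Constructed hardened manifest and config: cleartext off by default, API host pinned with
# two SHA-256 SPKI pins (placeholder values, not real hashes) and an expiration date.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hardened">
  <application android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""
HARDENED_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2026-06-30">
      <pin digest="SHA-256">QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=</pin>
      <pin digest="SHA-256">QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkI=</pin>
    </pin-set>
  </domain-config>
</network-security-config>"""

# Constructed Info.plist fragments: one switches ATS off globally, one leaves it alone.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict></plist>"""
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict/></plist>"""


def audit_android(manifest_xml, nsc_xml=None):
    """Return a list of finding strings for the Android side; [] means nothing was flagged."""
    findings = []
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return ["manifest: no <application> element"]
    if app.get(ANDROID + "usesCleartextTraffic") == "true":
        findings.append("manifest: android:usesCleartextTraffic=true permits HTTP app-wide")
    if app.get(ANDROID + "networkSecurityConfig") is None:
        findings.append("manifest: no networkSecurityConfig, so there is no pinning and the "
                        "platform default for cleartext applies (allowed below targetSdkVersion 28)")
        return findings
    if nsc_xml is None:
        return findings + ["manifest references a network security config that was not supplied"]
    root = ET.fromstring(nsc_xml)
    base = root.find("base-config")
    if base is None or base.get("cleartextTrafficPermitted") != "false":
        findings.append("network_security_config: base-config does not set cleartextTrafficPermitted=false")
    if root.find("debug-overrides") is not None:
        findings.append("network_security_config: debug-overrides present; confirm release builds are not debuggable")
    for dc in root.findall("domain-config"):
        domains = [d.text.strip() for d in dc.findall("domain")]
        if dc.get("cleartextTrafficPermitted") == "true":
            findings.append(f"{domains}: cleartext re-enabled for these domains")
        pin_set = dc.find("pin-set")
        if pin_set is None:
            findings.append(f"{domains}: no pin-set")
            continue
        pins = pin_set.findall("pin")
        if len(pins) < 2:
            findings.append(f"{domains}: fewer than two pins; a key rotation will break connectivity")
        if pin_set.get("expiration") is None:
            findings.append(f"{domains}: pin-set has no expiration; a stale pin will strand users")
        for pin in pins:
            try:
                raw = base64.b64decode(pin.text.strip(), validate=True)
            except (ValueError, AttributeError):
                raw = b""
            if pin.get("digest") != "SHA-256" or len(raw) != 32:
                findings.append(f"{domains}: pin is not a base64-encoded SHA-256 SPKI hash")
    return findings


def audit_ios(info_plist):
    """Return findings for the NSAppTransportSecurity dictionary; [] means ATS is intact."""
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("ATS disabled globally via NSAllowsArbitraryLoads")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("ATS disabled for web view content via NSAllowsArbitraryLoadsInWebContent")
    for host, exc in ats.get("NSExceptionDomains", {}).items():
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"HTTP permitted for {host} via NSExceptionAllowsInsecureHTTPLoads")
    return findings


if __name__ == "__main__":
    print("weak android:", audit_android(WEAK_MANIFEST))
    print("hardened android:", audit_android(HARDENED_MANIFEST, HARDENED_NSC))
    print("weak ios:", audit_ios(WEAK_PLIST), "hardened ios:", audit_ios(HARDENED_PLIST))
```

The Android check reads the same two files a reviewer would open first in a decompiled APK (AndroidManifest.xml and res/xml/network_security_config.xml); the iOS check reads Info.plist. Neither replaces dynamic testing, since an app can still bypass pinning by building its own TrustManager or NSURLSession delegate, but either failing is a cheap early reject.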
APP-10
Vulnerable Applications
Poorly Implemented Cryptography
OWASP Mobile Top 10 2016 [^9]
FortiClient Multiple Vulnerabilities [^82]
CVE-2017-4896 [^AirWatch-1]
Mobile App Developer
Strictly avoid the use of hard-coded cryptographic keys in application source code.
Explicitly overwrite variables containing cryptographic keys or other secrets following each use to prevent unauthorized disclosure of the secret if that memory location is subsequently accessed by untrusted code.
Use each cryptographic key for a single purpose to limit the impact of key compromise.
Strictly avoid the use of 'broken', weak, or novel algorithms (those that have not undergone extensive evaluation by the cryptographic community at large) to protect long-term secrets.
Consider the use of cryptographic functions provided by the mobile operating system and where possible, leverage hardware-backed cryptographic and secure storage services.
Additionally, application developers are strongly encouraged to familiarize themselves with best practices for cryptography and general key management, and to integrate that knowledge early in the application design process. See NIST SP 800-57 Part 1 Revision 4, Recommendation for Key Management, Part 1 General[^244]
For Android developers, review guidance on the proper use of the Android Keystore System.[^245]
For iOS developers, review guidance on the proper use of the iOS Keychain.[^246]
Enterprise
Use app vetting tools/services to detect the misuse of cryptography in mobile apps.
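A source-level check for the misuses listed above (hard-coded keys, ECB, MD5/SHA-1, static IVs, legacy ciphers, seeded SecureRandom), of the kind an app-vetting pass runs over decompiled Java. This is an added example, not catalogue text or any vendor's tool; both Java snippets are constructed, and the pattern list is a starting point rather than a complete rule set.

```python
"""Regex scan of (decompiled) Java for cryptographic misuse. Added example; the two Java
snippets are constructed and the patterns are illustrative, not exhaustive."""
import math
import re

# (pattern, message). JCA transformation strings survive decompilation, so they are the
# most reliable signal; identifiers and constants can be renamed by obfuscators.
WEAK_PATTERNS = [
    (re.compile(r'Cipher\.getInstance\(\s*"(?:DES|DESede|RC2|RC4|ARCFOUR|Blowfish)\b', re.I),
     "legacy/weak cipher"),
    (re.compile(r'Cipher\.getInstance\(\s*"AES(?:/ECB/[^"]*)?"'),
     "AES in ECB mode (a plain 'AES' transformation defaults to ECB on Android)"),
    (re.compile(r'MessageDigest\.getInstance\(\s*"(?:MD2|MD5|SHA-?1)"', re.I),
     "broken hash used via MessageDigest"),
    (re.compile(r'new\s+IvParameterSpec\(\s*new\s+byte\[\d+\]\s*\)'),
     "all-zero static IV"),
    (re.compile(r'new\s+SecretKeySpec\(\s*(?:"[^"]*"|[A-Za-z_]\w*)\.getBytes\('),
     "key built from a String; keys should come from a KeyGenerator or the Keystore"),
    (re.compile(r'new\s+SecureRandom\(\s*(?:"[^"]*"|\w+)\.getBytes\('),
     "SecureRandom seeded from a string (predictable output)"),
]
# A string literal of 16+ chars assigned to something named like a secret.
SECRET_ASSIGN = re.compile(
    r'\b\w*(?:key|secret|passw(?:or)?d|salt|iv|token)\w*\s*=\s*"([^"]{16,})"', re.I)
# Any long base64/hex-looking literal; judged by entropy below.
LONG_LITERAL = re.compile(r'"([A-Za-z0-9+/=_-]{24,})"')


def shannon_entropy(s):
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan(java_source):
    """Return [(line_number, message)] for each suspicious construct, in source order."""
    findings = []
    for no, line in enumerate(java_source.strip().splitlines(), start=1):
        for pattern, msg in WEAK_PATTERNS:
            if pattern.search(line):
                findings.append((no, msg))
        m = SECRET_ASSIGN.search(line)
        if m:
            findings.append((no, f"hard-coded secret literal ({len(m.group(1))} chars)"))
        else:
            for lit in LONG_LITERAL.findall(line):
                if shannon_entropy(lit) >= 3.5:
                    findings.append((no, "high-entropy literal; possible embedded key"))
    return findings


# Constructed 'before': every line carries one of the misuses named in the catalogue.
WEAK_JAVA = """\
private static final String KEY = "0123456789abcdef0123456789abcdef";
SecretKeySpec spec = new SecretKeySpec(KEY.getBytes(), "AES");
Cipher c = Cipher.getInstance("AES");
IvParameterSpec iv = new IvParameterSpec(new byte[16]);
MessageDigest md = MessageDigest.getInstance("MD5");
Cipher legacy = Cipher.getInstance("DES/CBC/PKCS5Padding");"""

# Constructed 'after': a single-purpose, hardware-backed AES-GCM key from the Android
# Keystore; the key material never exists in app memory, so there is nothing to hard-code.
HARDENED_JAVA = """\
KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
kg.init(new KeyGenParameterSpec.Builder("api_token_key", KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
    .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
    .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
    .setKeySize(256).build());
SecretKey key = kg.generateKey();
Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
c.init(Cipher.ENCRYPT_MODE, key);"""


if __name__ == "__main__":
    for no, msg in scan(WEAK_JAVA):
        print(f"weak.java:{no}: {msg}")
    print("hardened findings:", scan(HARDENED_JAVA))
```

The hardened snippet also illustrates the single-purpose-key advice above: the Keystore alias is bound to encrypt/decrypt with GCM only, so the same key cannot later be reused for CBC or for signing.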
APP-11
Vulnerable Applications
Untrusted Input to Sensitive Operations
Team Joch vs. Android [^57]
CVE-2017-7005
Mobile App Developer
When input should match one of a set of known and comparable options, use whitelisting to ensure the input is safe before applying it to security logic.
When whitelisting is not possible, use vetted data sanitization libraries to verify the input appears syntactically safe prior to applying it to security logic.
Always use fail-safe security logic in apps; if input cannot be verified to be safe (versus not identified as unsafe), reject the input and do not perform the security action.
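One concrete instance of the three rules above is a deep-link handler that decides whether a URL may be loaded into the app's WebView: the host is matched exactly against an allowlist, the parser does the sanitization, and anything that does not positively verify is rejected rather than passed through. The following is an added example, not catalogue text; the allowed hosts and the probe URLs are constructed.

```python
"""Allowlist validation of a deep-link target before it is handed to a WebView, with
fail-safe rejection. Added example; the hosts and probe URLs are constructed."""
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = frozenset({"bank.example.com", "api.example.com"})


def safe_target(raw_url, allowed_hosts=ALLOWED_HOSTS):
    """Return a canonical https URL if every component verifies, else None.
    Anything that cannot be parsed or positively matched is rejected (fail-safe)."""
    try:
        parts = urlsplit(raw_url.strip())
        host = parts.hostname        # lower-cased; userinfo and port already split off
        port = parts.port            # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme != "https" or not host:
        return None
    host = host.rstrip(".")          # 'bank.example.com.' is the same name with a trailing dot
    if host not in allowed_hosts:    # exact set membership, never a prefix/suffix/substring test
        return None
    if parts.username is not None or port not in (None, 443):
        return None                  # our links never carry credentials or odd ports
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


# Constructed probes: the first two are legitimate, the rest are common bypass attempts.
PROBES = [
    "https://bank.example.com/login",
    "HTTPS://BANK.EXAMPLE.COM./login?next=home",
    "http://bank.example.com/login",                  # downgrade to cleartext
    "https://bank.example.com.evil.example/login",    # defeats a startswith() check
    "https://bank.example.com@evil.example/",         # allowed name in the userinfo slot
    "https://evil.example@bank.example.com/",         # credentials smuggled into a good host
    "javascript:alert(document.cookie)",              # non-URL scheme into a WebView
    "https://bank.example.com:8443/",                 # unexpected port
    "",
]


def evaluate(probes=PROBES):
    """Map each probe to the URL that would be loaded, or None if it was rejected."""
    return {p: safe_target(p) for p in probes}


if __name__ == "__main__":
    for url, result in evaluate().items():
        print(f"{'LOAD  ' if result else 'REJECT'} {url!r} -> {result}")
```

The important design choice is that the comparison is made on the parsed, normalized host rather than on the raw string, and that the default outcome is rejection; a `startswith("https://bank.example.com")` check would pass four of the seven bypass probes.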
APP-12
Malicious or privacy-invasive application
Malicious Device Information Gathering
The Google Android Security Team's Classifications for Potentially Harmful Applications [^83]
Slembunk: An Evolving Android Trojan Family [^84]
An investigation of Chrysaor Malware on Android [^AndroidDevBlog-1]
Enterprise
Deploy MAM or MDM solutions with policies that prohibit the sideloading of apps, which may bypass security checks on the app.
Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
Perform application vetting to identify inappropriate behaviors by apps including permission requests made by the apps
Use application threat intelligence data about potential data collection risks associated with apps installed on devices
Mobile Device User
Use Android Verify Apps feature to identify apps that may abuse permissions to perform data collection.
Consider the use of devices that support Android 11 or higher, in which applications have limited visibility of what other apps are on the device.
APP-13
Malicious or privacy-invasive application
Sensitive Information Discovery via OS APIs
The Google Android Security Team's Classifications for Potentially Harmful Applications [^83]
An investigation of Chrysaor Malware on Android [^AndroidDevBlog-1]
Enterprise
Deploy MAM or MDM solutions with policies that prohibit the sideloading of apps, which may bypass security checks on the app.
Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
Perform application vetting to identify privacy-invasive behaviors by apps.
Use application threat intelligence data about potential privacy risks associated with apps installed on devices
Use features such as Apple iOS Managed Apps, Android for Work, or Samsung KNOX Workspace that provide additional separation between personal apps and enterprise apps to mitigate the leakage of private information between work/personal contexts.
Mobile Device User
Use Android Verify Apps feature to identify apps that may violate privacy.
Mobile App Developer
Only request access to the minimal set of shared data stores (e.g., contacts, calendar), OS services (e.g. location services), and device sensors (e.g. camera, microphone) necessary for the app to provide functionality.
Only collect the minimal set of device or user data necessary for the app to provide functionality.
APP-14
Malicious or privacy-invasive application
Masquerade as Legitimate Application
The Google Android Security Team's Classifications for Potentially Harmful Applications [^83]
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Devices [^61]
Dissecting Android Malware: Characterization and Evolution [^85]
New Android Malware Family Evades Antivirus Detection by Using Popular Ad Libraries [^86]
Slembunk: An Evolving Android Trojan Family Targeting Users of Worldwide Banking Apps [^84]
Incident Response for Android and iOS [^87]
Cloned banking app stealing usernames sneaks into Google Play [^88]
Enterprise
Deploy MAM or MDM solutions with policies that prohibit the sideloading of apps, which may bypass security checks on the app.
Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
Use application threat intelligence data about potentially harmful apps installed on COPE or BYOD devices
Mobile Device User
Use Android Verify Apps feature to identify potentially harmful apps.
Mobile App Developer
To reduce the ease of an attacker to abuse existing app functionality, only request access to the minimal set of shared data stores (e.g., contacts, calendar), OS services (e.g. location services), and device sensors (e.g. camera, microphone) necessary for the app to provide functionality.
APP-15
Malicious or privacy-invasive application
Distribution of malicious apps by a 3rd party store
Change to sideloading apps in iOS 9 is a security win [^89]
Mobile Security: Threats and Countermeasures [^90]
Enterprise
Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.
Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
Ensure iOS devices are running the latest version of iOS, as iOS 9 introduced improvements that make it more difficult for users to inadvertently install non-Apple App Store apps (e.g., apps distributed using illicitly obtained enterprise certificates).
When the installation of apps from unofficial app stores (e.g., enterprise app stores) is necessary, use the Android Verify Apps feature to identify potentially harmful apps.
Mobile Device User
To protect against arbitrary installation of 3rd party apps, when the installation of apps from unofficial app stores (e.g., enterprise app stores) is necessary, re-disable installation from unknown sources once the required app has been installed.
APP-16
Malicious or privacy-invasive application
Premium SMS Fraud
Dissecting Android Malware: Characterization and Evolution [^85]
zSone, RogueSPPush, GGTracker malware described in Dissecting Android Malware: Characterization and Evolution [^85]
Mkero: Android malware secretly subscribes victims to premium SMS services [^94]
Chinese Android botnet 'netting millions' [^95]
Android Security 2015 Year In Review [^98]
Enterprise
Ensure Android devices are running a recent version of Android, as starting in Android 4.2, user confirmation is needed before apps can send premium SMSs (source: https://source.android.com/security/enhancements/enhancements42.html).
Perform application vetting to identify SMS fraud by apps including permission requests made by the apps.
Use application threat intelligence data about potential SMS fraud risks associated with apps installed on devices.
Mobile Device User
Ensure Android devices are running a recent version of Android, as starting in Android 4.2, user confirmation is needed before apps can send premium SMSs (source: https://source.android.com/security/enhancements/enhancements42.html).
Use the Android Verify Apps feature to identify apps that attempt to abuse SMS functionality.
APP-17
Malicious or privacy-invasive application
Intercepting SMS Messages
Dissecting Android Malware: Characterization and Evolution [^85]
New Android Trojan xBot Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom [^96]
How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication [^97]
Enterprise
Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.
Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
Perform application vetting to identify inappropriate behaviors by apps including interception of SMS messages.
Avoid the use of applications that rely on SMS messages for 2-factor authentication.
When stronger 2-factor authentication methods are available, such as FIDO U2F tokens, educate enterprise users to avoid the use of SMS messages for configuring 2-factor authentication for enterprise applications.
Use application threat intelligence data to identify apps that increase risks associated with SMS message interception.
Mobile Device User
Use Android Verify Apps feature to identify apps that may intercept SMS messages.
Avoid the use of applications that rely on SMS messages for 2-factor authentication.
Mobile App Developer
Avoid the use of SMS messages for 2-factor authentication.
APP-18
Malicious or privacy-invasive application
Premium Service Fraud
Android Security 2015 Year In Review [^98]
Enterprise
Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.
Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
Use application threat intelligence data about potential abuse of carrier services associated with apps installed on COPE or BYOD devices
Mobile Device User
Use Android Verify Apps feature to identify apps that may abuse premium carrier services.
APP-19
Malicious or privacy-invasive application
Audio or Video Surveillance
Malware designed to take over cameras and record audio enters Google Play [^99]
An investigation of Chrysaor Malware on Android [^AndroidDevBlog-1]
Enterprise
Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.
Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
Deploy MDM solutions that support geo-fencing of BYOD devices with policies that disable device sensors (e.g., camera, microphone) when the device is being operated in sensitive locations.
Deploy MDM solutions for COPE devices that support disabling device sensors (e.g. camera, microphone) that can be used for recording of nearby activity.
Deploy MAM solutions for COPE devices that support selectively enabling device sensors (e.g. camera, microphone) for a whitelist of trusted enterprise applications that require those functionalities.
Use application threat intelligence data about potential abuse of access to device sensors associated with apps installed on COPE or BYOD devices
Mobile Device User
Use Android Verify Apps feature to identify apps that may abuse access to sensor data to record nearby activity.
Mobile App Developer
To reduce risks of using the app, only request access to the minimal set of shared data stores (e.g., contacts, calendar), OS services (e.g. location services), and device sensors (e.g. camera, microphone) necessary for the app to provide functionality.
APP-2
Vulnerable Applications
Sensitive Information Exposure
Vulnerability in Skype for Android [^67]
World Writable Code Is Bad, MMMMKAY [^68]
LOOK-11-001 something [^69]
CVE-2011-1717
Enterprise
Use app-vetting tools or services to identify insecure storage of sensitive data.
Consider the use of devices that support Android 7.0 and later, which adds file-based encryption (separate credential-encrypted and device-encrypted storage areas, keyed per user) alongside the earlier full-disk (block-level) encryption.
Mobile Device User
Consider the use of devices that support Android 7.0 and later, which adds file-based encryption (separate credential-encrypted and device-encrypted storage areas, keyed per user) alongside the earlier full-disk (block-level) encryption.
APP-20
Malicious or privacy-invasive application
Loading Malicious Code at Runtime
Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications [^240]
Jekyll on iOS: When Benign Apps Become Evil [^111]
Android Hax [^100]
Hot or Not? The Benefits and Risks of iOS Remote Hot Patching [^241]
Method Swizzling [^242]
Enterprise
Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.
Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
Use application threat intelligence data about potential abuse of dynamic code execution associated with apps installed on COPE or BYOD devices
Mobile Device User
Use Android Verify Apps feature to identify potentially harmful apps.
Consider the use of devices that support Android 10 or higher, in which apps can no longer execute files from their writable home directory; native code must be loaded from the APK itself, which limits an app's ability to fetch and run code at runtime.
APP-21
Malicious or privacy-invasive application
App Vetting Misses Malicious App
Dissecting Android Malware: Characterization and Evolution [^85]
CVE-2015-07555
CVE-2016-5131
Enterprise
Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.
Use app-vetting tools or services to identify untrusted apps that contain encrypted or obfuscated code.
Use application threat intelligence data about apps that contain encrypted or obfuscated code
Mobile Device User
Use Android Verify Apps feature to identify potentially harmful apps.
Mobile App Developer
To reduce the chance of your app being flagged as potentially malicious, do not arbitrarily encrypt or obfuscate code.
APP-22
Malicious or privacy-invasive application
Avoiding Uninstallation via Permissions Abuse
Android Security 2015 Year In Review [^98]
CVE-2017-0594
CVE-2017-0595
CVE-2017-0596
Enterprise
Ensure Android devices are running a recent version of the operating system. As described at 44:20 in the Google I/O 2016 "What's new in Android security" (https://www.youtube.com/watch?v=XZzLjllizYs), enhancements were made in Android M or N to ensure that all device admin apps can be uninstalled.
Mobile Device User
Ensure Android devices are running a recent version of the operating system. As described at 44:20 in the Google I/O 2016 "What's new in Android security" (https://www.youtube.com/watch?v=XZzLjllizYs), enhancements were made in Android M or N to ensure that all device admin apps can be uninstalled.
APP-23
Malicious or privacy-invasive application
Ransoming Assets via Device Management Abuse
Android Security 2015 Year In Review [^98]
New Android Trojan xBot Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom [^96]
Enterprise
Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.
Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
Use application threat intelligence data about potential abuse of Administrator privileges associated with apps installed on COPE or BYOD devices
Consider the use of devices that support Android 7.0 and later and ensuring a PIN is set. Starting in 7.0, device administrator apps can no longer change the device PIN/password when one is already set, as described in https://developer.android.com/preview/behavior-changes.html and at 44:20 of https://www.youtube.com/watch?v=XZzLjllizYs
Mobile Device User
Use Android Verify Apps feature to identify apps that may abuse Administrator privileges.
Consider the use of devices that support Android 7.0 and later and ensuring a PIN is set. Starting in 7.0, device administrator apps can no longer change the device PIN/password when one is already set, as described in https://developer.android.com/preview/behavior-changes.html and at 44:20 of https://www.youtube.com/watch?v=XZzLjllizYs
APP-24
Malicious or privacy-invasive application
Covertly Track Device Location
Dissecting Android Malware: Characterization and Evolution [^85]
An investigation of Chrysaor Malware on Android [^AndroidDevBlog-1]
Enterprise
Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.
Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
Use application threat intelligence data about potential abuse of location services associated with apps installed on COPE or BYOD devices
Mobile Device User
Use Android Verify Apps feature to identify apps that may abuse location services.
When apps that require location services (e.g., map services) are not in use, use OS-provided settings to globally disable access to location services
When using untrusted apps that require locations services (e.g., map services), use OS-provided settings to revoke access to location services once the app is no longer in use.
Consider the use of devices that support iOS 14 or higher, in which users can decide whether or not applications have access to precision location of their device.
APP-25
Malicious or privacy-invasive application
Abusing Existing Root Access
How to clean up the Duh iPhone worm [^101]
Enterprise
Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.
Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
For the lowest risk tolerance, deploy MDM or containerization solutions with policies that can detect and block access to enterprise resources by rooted/jail-broken devices.
Use application threat intelligence data to detect potential abuse of rooted/jail-broken BYOD devices
Mobile Device User
Use Android Verify Apps feature to identify harmful apps.
Mobile App Developer
To avoid running apps that handle sensitive information on a rooted/jailbroken device, perform device integrity checking, for example with the Android SafetyNet Attestation API (since superseded by the Play Integrity API), Samsung Knox hardware-backed remote attestation, or another applicable remote attestation technology, and validate the attestation result on the server side rather than only within the app.
APP-26
Malicious or privacy-invasive application
Privilege Escalation via OS Vulnerability
Dissecting Android Malware: Characterization and Evolution [^85]
CVE-2017-2398
CVE-2017-2401
CVE-2017-2440
CVE-2017-2451
CVE-2017-2456
CVE-2017-2472
CVE-2017-2473
CVE-2017-2474
CVE-2017-2478
CVE-2017-2482
CVE-2017-2483
CVE-2017-2490
CVE-2017-0593
CVE-2017-0598
CVE-2017-0601
CVE-2016-7056
CVE-2016-10274
CVE-2016-10275
CVE-2016-10276
CVE-2016-9794
CVE-2017-0331
CVE-2017-0604
CVE-2017-0605
CVE-2016-10280
CVE-2016-10281
CVE-2016-10282
CVE-2016-10283
CVE-2016-10284
CVE-2016-10285
CVE-2016-10286
CVE-2015-9004
CVE-2016-10287
CVE-2017-0606
CVE-2016-5860
CVE-2016-5867
CVE-2017-0607
CVE-2017-0608
CVE-2017-0609
CVE-2016-5859
CVE-2017-0610
CVE-2017-0611
CVE-2016-5853
CVE-2016-10288
CVE-2016-10289
CVE-2016-10290
CVE-2017-0465
CVE-2017-0612
CVE-2017-0613
CVE-2017-0614
CVE-2017-0616
CVE-2017-0618
CVE-2017-0619
CVE-2017-0620
CVE-2016-5862
CVE-2017-0621
CVE-2016-5868
CVE-2017-0622
CVE-2017-0623
CVE-2017-0624
CVE-2017-0625
CVE-2017-0626
CVE-2017-0627
CVE-2016-10293
CVE-2016-10294
CVE-2016-10295
CVE-2016-10296
CVE-2017-0628
CVE-2017-0629
CVE-2017-0630
CVE-2016-5858
CVE-2017-0631
CVE-2016-5347
CVE-2016-5854
CVE-2016-5855
CVE-2017-0632
CVE-2017-0633
CVE-2017-0634
CVE-2017-2522
CVE-2017-2523
CVE-2017-2497
CVE-2017-6981
CVE-2017-6979
CVE-2017-2051
CVE-2017-2507
CVE-2017-6987
CVE-2017-7004
CVE-2017-2513
CVE-2017-2518
CVE-2017-2520
CVE-2017-2519
CVE-2017-6983
CVE-2017-6991
CVE-2017-7000
CVE-2017-7001
CVE-2017-7002
CVE-2017-2524
CVE-2017-2496
CVE-2017-2505
CVE-2017-2506
CVE-2017-2514
CVE-2017-2515
CVE-2017-2521
CVE-2017-2525
CVE-2017-2526
CVE-2017-2530
CVE-2017-2531
CVE-2017-2538
CVE-2017-2539
CVE-2017-2544
CVE-2017-2547
CVE-2017-6980
CVE-2017-6984
CVE-2017-2504
CVE-2017-2508
CVE-2017-2510
CVE-2017-2528
CVE-2017-2536
CVE-2017-2549
CVE-2017-2499
CVE-2017-0603
CVE-2017-0615
CVE-2017-0617
Enterprise
Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.
Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
Use application threat intelligence data to identify apps that exploit the OS to achieve privilege escalation.
Use app-vetting tools or services to identify apps that exploit the OS to achieve privilege escalation.
To limit the opportunity for malicious apps to exploit known vulnerabilities, ensure timely installation of security updates.
Mobile Device User
Use the Android Verify Apps feature to identify potentially harmful apps.
To limit the opportunity for malicious apps to exploit known vulnerabilities, ensure timely installation of security updates.
APP-27
Malicious or privacy-invasive application
Persistence via Writing to System Partition
Brain Test re-emerges: 13 apps found in Google Play [^102]
CVE-2016-10277
Enterprise
Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.
Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
Use application threat intelligence data about apps that may achieve malicious persistence
Use app-vetting tools or services to identify apps that exploit the underlying OS to achieve malicious persistence.
Deploy MDM solutions that require successful boot attestation prior to granting access to enterprise resources.
Mobile Device User
Use Android Verify Apps feature to identify potentially harmful apps.
Mobile App Developer
To avoid running apps that process sensitive information while low-level malware is present on the device, perform device integrity checking within enterprise applications, for example with the Android SafetyNet Attestation API (since superseded by the Play Integrity API), Samsung Knox hardware-backed remote attestation, or another applicable remote attestation technology, and validate the attestation result on the server side rather than only within the app.
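Both APP-25 and APP-27 recommend device integrity attestation, and the check only protects anything if the verdict is validated on the server: nonce bound to the session, fresh, about the right package and signing key, and actually reporting integrity. The following is an added example, not catalogue text or Google's sample code. It uses the claim names of the SafetyNet Attestation API JWS payload; the token, nonce, package name and certificate digest are constructed, and the JWS signature is assumed to have been verified already against the x5c chain (leaf issued to attest.android.com), which needs an X.509/JOSE library and is outside this block. SafetyNet Attestation has since been replaced by the Play Integrity API, whose verdict fields differ, but the nonce, freshness, package and signing-key checks carry over unchanged.

```python
"""Server-side validation of a device-integrity attestation verdict (SafetyNet JWS claim
names). Added example; the token is constructed with a dummy signature.
PRECONDITION: the caller has already verified the JWS signature; this code checks claims."""
import base64
import hmac
import json


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jws_payload(jws):
    """Decode the payload segment of a compact JWS. The signature is NOT checked here."""
    header, payload, signature = jws.split(".")
    return json.loads(b64url_decode(payload))


def validate_claims(jws, expected_nonce_b64, expected_package, expected_cert_digests,
                    now_ms, max_age_ms=120_000, require_hardware_backed=True):
    """Return a list of failure strings; an empty list means the device and app passed."""
    claims = jws_payload(jws)
    failures = []
    # 1. The nonce binds this verdict to the challenge this server issued for this session;
    #    compare in constant time so a forger learns nothing from timing.
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), expected_nonce_b64.encode()):
        failures.append("nonce mismatch (replayed or forged verdict)")
    # 2. Freshness: a correct nonce in an old verdict is still a replay.
    ts = claims.get("timestampMs", 0)
    if not (now_ms - max_age_ms <= ts <= now_ms + 5_000):
        failures.append("verdict timestamp outside acceptance window")
    # 3. The verdict must be about our app, signed with our release key.
    if claims.get("apkPackageName") != expected_package:
        failures.append("apkPackageName mismatch")
    if not set(claims.get("apkCertificateDigestSha256", [])) & set(expected_cert_digests):
        failures.append("apkCertificateDigestSha256 does not match a known release key")
    # 4. The integrity verdict itself.
    if not claims.get("basicIntegrity"):
        failures.append("basicIntegrity false (rooted, tampered or emulator)")
    if not claims.get("ctsProfileMatch"):
        failures.append("ctsProfileMatch false (unlocked bootloader, custom ROM or uncertified device)")
    if require_hardware_backed and "HARDWARE_BACKED" not in claims.get("evaluationType", ""):
        failures.append("evaluation was not hardware-backed; treat as weaker evidence")
    return failures


def make_demo_jws(claims):
    """Build a compact JWS with a dummy signature for offline testing (constructed)."""
    seg = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([seg({"alg": "RS256", "x5c": []}), seg(claims), "c2lnbmF0dXJl"])


# Constructed scenario: the server issued NONCE for this login and now receives the verdict.
NOW_MS = 1_700_000_000_000
NONCE = base64.b64encode(b"\x01" * 16).decode()     # real code: secrets.token_bytes(16)
RELEASE_CERT = "placeholder-base64-sha256-of-release-signing-cert"
PACKAGE = "com.example.bank"
GOOD = {"nonce": NONCE, "timestampMs": NOW_MS - 3_000, "apkPackageName": PACKAGE,
        "apkCertificateDigestSha256": [RELEASE_CERT], "ctsProfileMatch": True,
        "basicIntegrity": True, "evaluationType": "BASIC,HARDWARE_BACKED"}
REPLAYED = dict(GOOD, timestampMs=NOW_MS - 3_600_000)   # valid an hour ago
ROOTED = dict(GOOD, ctsProfileMatch=False, basicIntegrity=False, evaluationType="BASIC")


def check(claims, nonce=NONCE):
    return validate_claims(make_demo_jws(claims), nonce, PACKAGE, [RELEASE_CERT], NOW_MS)


if __name__ == "__main__":
    for name, c in (("good", GOOD), ("replayed", REPLAYED), ("rooted", ROOTED)):
        print(name, check(c) or "PASS")
```

Note that the app itself should only forward the verdict; any decision made on the device ("if ctsProfileMatch then continue") can be patched out of a repackaged build, which is exactly the scenario APP-25 and APP-27 describe.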
APP-28
Malicious or privacy-invasive application
Encrypting and Ransoming Files
New Android Trojan xBot Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom [^96]
Enterprise
Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.
Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
Use application threat intelligence data about apps that maliciously encrypt user data.
Use app-vetting tools or services to identify apps that maliciously encrypt user data.
Mobile Device User
Use Android Verify Apps feature to identify potentially harmful apps.
APP-29
Malicious or privacy-invasive application
Command-and-control Traffic Evades Analysis
Mobile Malware Evolution: 2013 [^103]
DroydSeuss: A Mobile Banking Trojan Tracker [^104]
Enterprise
Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.
Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
Use app-vetting tools or services to identify remote access control apps that receive commands over notification or messaging services or other communication channels.
Mobile Device User
Disable access to notification or messaging services for apps that do not actually use such functions.
Use Verify Apps feature to identify potentially harmful apps.
APP-3
Vulnerable Applications
Sensitive Information in System Logs
CVE-2012-2630
CVE-2014-0647
Mobile App Developer
Avoid logging sensitive data in an unencrypted state, even to files internal to the app, as these files may be exposed in backups or direct access to the device's file system.
Use the Compatibility Test Suite (CTS), which checks for the presence of potentially sensitive information in the system logs; see https://source.android.com/security/overview/implement.html.
Enterprise
Consider the use of devices that support Android 4.1 or later, in which apps can no longer access the system log (other than reading log entries added by the app itself).
Use app-vetting tools or services to identify apps that store sensitive information in system logs or other unsecure storage locations.
Mobile Device User
Consider the use of devices that support Android 4.1 or later, in which apps can no longer access the system log (other than reading log entries added by the app itself).
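The vetting check above (apps that write sensitive information to the system log) can be automated by running secret detectors over captured logcat output, or over an app's own internal log files. The following is an added example, not catalogue text or any vendor's tool; the log lines are constructed. It shows why a Luhn check matters: without it, every order number and timestamp with 13 or more digits is a false positive.

```python
"""Scan captured logcat output for data an app should never have logged. Added example;
the sample log lines are constructed."""
import re


def luhn_ok(digits):
    """True if the digit string passes the Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


DETECTORS = [
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("credential", re.compile(r'(?i)(?:password|passwd|pwd|secret|api[_-]?key)["\']?\s*[:=]\s*["\']?[^"\'\s,}]+')),
    ("bearer token", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/-]+=*")),
    ("jwt", re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+")),
]
# 13-19 digits with optional space/dash separators; confirmed by Luhn before reporting.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def scan_log(lines):
    """Return [(line_number, label)] for every sensitive-data hit, in detector order."""
    hits = []
    for no, line in enumerate(lines, start=1):
        for label, rx in DETECTORS:
            if rx.search(line):
                hits.append((no, label))
        for m in CARD_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((no, "card number"))
    return hits


# Constructed logcat excerpt: lines 1-3 leak data, lines 4-5 are benign look-alikes.
SAMPLE_LOGCAT = [
    '03-14 10:22:01.123  1234  1234 D LoginActivity: POST /login body={"user":"alice@example.com","password":"hunter2"}',
    "03-14 10:22:01.456  1234  1234 I ApiClient: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl",
    "03-14 10:22:05.789  1234  1234 V PaymentForm: card=4111 1111 1111 1111 exp=12/27",
    "03-14 10:22:06.001  1234  1234 D PaymentForm: order id 1234567890123 status ok",
    "03-14 10:22:07.000  1234  1234 I NetworkMonitor: connected wifi rssi=-61",
]


if __name__ == "__main__":
    for no, label in scan_log(SAMPLE_LOGCAT):
        print(f"line {no}: {label}")
```

On a device, the same detectors can be fed from `adb logcat -d` during a scripted walk through the app's login and payment screens; on Android 4.1 and later other apps cannot read these lines, but anything with USB debugging access, a bug report, or a crash-reporting SDK that uploads logcat still can.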
APP-30
Malicious or privacy-invasive application
Exfiltration Evades Analysis
Dissecting Android Malware: Characterization and Evolution [^85]
Enterprise
Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.
Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
Use application threat intelligence data about potential data exfiltration risks associated with apps installed on COPE or BYOD devices
Use app-vetting tools or services to identify apps that appear to exfiltrate data.
Mobile Device User
Use Android Verify Apps feature to identify apps that may abuse communication channels to exfiltrate data.
APP-31
Malicious or privacy-invasive application
Masquerading as a Legitimate Application
Phishing on Mobile Devices [^105]
Exploiting Androids for Fun and Profit [^106]
The Latest Android Overlay Malware Spreading via SMS Phishing in Europe [^107]
Password-Stealing Instagram App [^108]
Hackers Sneak Malware Into Apple App Store 'To Steal iCloud Passwords' [^109]
Enterprise
Consider the use of devices that support Android 5.0 and later, in which ActivityManager.getRunningTasks() has been modified to stop leaking information about the current foreground activity, increasing the difficulty of malicious apps being able to perform a user interface spoofing attack
Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.
Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
Use app-vetting tools or services to identify apps that attempt to spoof the interface to other apps or common web sites, such as banking sites.
Mobile Device User
Consider the use of devices that support Android 5.0 and later, in which ActivityManager.getRunningTasks() has been modified to stop leaking information about the current foreground activity, increasing the difficulty of malicious apps being able to perform a user interface spoofing attack
Use Android Verify Apps feature to identify potentially harmful apps.
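The vetting checks for APP-14 and APP-31 (apps that spoof another app's name or interface) can start with a simple inventory comparison: an installed app whose label matches or confusably resembles a known app, but whose package name or signing certificate differs, is a candidate masquerade. The following is an added example, not catalogue text or any vendor's tool; the trusted catalogue, inventory and signer digests are constructed placeholders, and the confusables map is a small subset of the Unicode confusables table.

```python
"""Flag installed apps that look like a known app but are not it: same or confusable label,
different package name or signing certificate. Added example with constructed data."""
import difflib
import unicodedata

# Trusted catalogue: label -> (package, signing-cert digest). Placeholder values.
KNOWN = {
    "Example Bank": ("com.example.bank", "sha256:1111"),
    "Example Mail": ("com.example.mail", "sha256:2222"),
}
# Cyrillic/Greek letters that render like Latin ones. A real tool would load the full
# Unicode confusables table; this subset is only an illustration.
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                             "\u0441": "c", "\u0445": "x", "\u03bf": "o", "\u03af": "i"})


def normalize(label):
    """Fold case, width, spacing and look-alike letters so 'Exаmple Bank' == 'examplebank'."""
    return unicodedata.normalize("NFKC", label).translate(CONFUSABLES).casefold().replace(" ", "")


def lookalikes(inventory, known=KNOWN, threshold=0.85):
    """inventory: iterable of (package, label, signer). Returns [(package, reason)]."""
    norm_known = {normalize(k): (k, pkg, signer) for k, (pkg, signer) in known.items()}
    flagged = []
    for package, label, signer in inventory:
        n = normalize(label)
        for nk, (brand, pkg, good_signer) in norm_known.items():
            similarity = difflib.SequenceMatcher(None, n, nk).ratio()
            if similarity < threshold:
                continue
            if package == pkg and signer == good_signer:
                break                          # the genuine app
            if package == pkg:                 # right name, wrong key: repackaged build
                flagged.append((package, f"'{label}' has the genuine package name but a different signer"))
            else:                              # different app wearing the brand
                flagged.append((package, f"'{label}' impersonates '{brand}' (similarity {similarity:.2f})"))
            break
    return flagged


# Constructed device inventory: (package, label, signer digest).
INVENTORY = [
    ("com.example.bank", "Example Bank", "sha256:1111"),        # genuine
    ("com.exarnple.bank", "Example Bank", "sha256:9999"),       # clone with look-alike package
    ("com.free.games", "Ex\u0430mple B\u0430nk", "sha256:8888"),  # Cyrillic 'a' in the label
    ("com.example.bank", "Example Bank", "sha256:7777"),        # repackaged: right name, wrong key
    ("com.example.notes", "Example Notes", "sha256:3333"),      # different product, not flagged
    ("com.other.weather", "Weather", "sha256:4444"),
]


if __name__ == "__main__":
    for package, reason in lookalikes(INVENTORY):
        print(f"{package}: {reason}")
```

The signer comparison is the strong signal; labels and package names are free for an attacker to choose, but a release signing key is not, so an MDM inventory that records signing-cert digests lets the same check run fleet-wide rather than per device.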
APP-32
Malicious or privacy-invasive application
Exploiting Access to Enterprise Resources
Juniper Networks Third Annual Mobile Threats Report [^236]
CVE-2016-10292
Enterprise
Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.
Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
Use app-vetting tools or services to identify apps that perform host discovery or attempt to access hosts with internal (e.g. inside a private LAN) domains or IP addresses.
Use features such as Apple iOS Managed Apps, Android for Work, or Samsung KNOX Workspace that provide some level of separation between personal apps and enterprise apps to mitigate the impact of malicious behaviors, including use of per-app/per-user VPN features, so that only enterprise-approved apps can traverse the VPN and access enterprise resources.
Mobile Device User
Use the Android Verify Apps feature to identify potentially harmful apps.
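The host-discovery check recommended above for APP-32 can be run over an app's observed connections (from a proxy, VPN-based monitor, or a vetting sandbox): flag destinations in private, link-local or loopback address space or under internal name suffixes, and flag fan-out across many addresses in one subnet, which is how a port or host scan looks from the outside. The following is an added example, not catalogue text or any vendor's tool; the connection records and the internal suffix list are constructed.

```python
"""Flag apps whose network activity looks like internal reconnaissance. Added example;
the connection records are constructed and the suffix list is a site-specific assumption."""
import ipaddress
from collections import defaultdict

# Explicit list rather than ipaddress.is_private, which also counts the IETF documentation
# ranges (192.0.2.0/24 etc.) as private and would mislabel public test addresses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # carrier-grade NAT
    "169.254.0.0/16", "127.0.0.0/8",                    # link-local, loopback
    "fc00::/7", "fe80::/10", "::1/128")]
INTERNAL_SUFFIXES = (".internal", ".corp", ".local", ".lan")   # assumption: site-specific


def is_internal(host, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS) or host.lower().endswith(INTERNAL_SUFFIXES)


def assess(connections, fanout_threshold=8):
    """connections: iterable of (package, host or '', ip, port).
    Returns {package: [reasons]} for every app that touched internal address space."""
    internal_targets = defaultdict(set)
    per_subnet = defaultdict(lambda: defaultdict(set))
    for package, host, ip, port in connections:
        if not is_internal(host, ip):
            continue
        internal_targets[package].add((host or ip, port))
        prefix = 64 if ":" in ip else 24
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        per_subnet[package][net].add(ip)
    report = {}
    for package, targets in internal_targets.items():
        reasons = [f"{len(targets)} connection(s) to internal targets"]
        for net, hosts in per_subnet[package].items():
            if len(hosts) >= fanout_threshold:
                reasons.append(f"host discovery pattern: {len(hosts)} distinct hosts in {net}")
        report[package] = reasons
    return report


# Constructed records: a mail client and VPN client talking to public hosts, a notes app
# reaching one internal wiki, and a 'flashlight' app sweeping a /24.
CONNECTIONS = [
    ("com.example.mail", "mail.example.com", "203.0.113.10", 443),
    ("com.example.vpnclient", "vpn.example.com", "198.51.100.7", 443),
    ("com.vendor.notes", "wiki.corp", "192.168.1.20", 443),
] + [("com.free.flashlight", "", f"10.0.0.{i}", 80 if i % 5 else 445) for i in range(1, 17)]


if __name__ == "__main__":
    for package, reasons in assess(CONNECTIONS).items():
        print(package, "->", "; ".join(reasons))
```

A single internal connection is a triage item, not a verdict (the notes app above may legitimately sync with an internal wiki); the fan-out rule is the one that separates scanning from use.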
APP-33
Malicious or privacy-invasive application
Bypassing OS Private API Controls
Symantec Internet Security Threat Report 2016 [^110]
YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs [^43]
Jekyll on iOS: When Benign Apps Become Evil [^111]
CVE-2017-0598
CVE-2017-0602
CVE-2017-7003
Enterprise
Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.
Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
Use application threat intelligence data about potential data collection risks associated with apps installed on COPE or BYOD devices
Use app-vetting tools or services to identify apps that appear to abuse the OS API to gather sensitive data.
Mobile Device User
Use Android Verify Apps feature to identify apps that appear to abuse the OS API to gather sensitive data.
Mobile App Developer
To avoid inadvertent detection as a harmful app, review current developer documentation for the supporting OS and always use the recommended API calls to deliver app functionality.
APP-34
Malicious or privacy-invasive application
App Provides Remote Control Over Device
Dendroid malware can take over your camera, record audio, and sneak into Google Play [^237]
Mobile RAT attack makes Android the ultimate spy tool [^112]
Enterprise
Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.
Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
Use app-vetting tools or services to identify apps that appear to provide remote control to an attacker.
Use application threat intelligence services to identify apps flagged as providing remote access to an attacker.
Mobile Device User
Use Android Verify Apps feature to identify potentially harmful apps.
When installing apps, be suspicious of those requesting access to OS services or sensors that do not appear related to the functionality of the app.
APP-35
Malicious or privacy-invasive application
Retrieving Sensitive Information from Clipboard
Attacks on Android Clipboard [^238]
Update: XcodeGhost Attacker Can Phish Passwords and Open URLs Through Infected Apps [^239]
Enterprise
Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.
Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
Deploy MAM solutions that can restrict access to the device clipboard and similar OS-provided services to a whitelist of trusted apps.
Deploy MAM or container solutions that can restrict communication between trusted and untrusted apps using the device clipboard, copy-and-paste, and similar OS-provided services.
Use application threat intelligence services to identify apps reported to abuse access to the device clipboard or similar OS-provided services to obtain sensitive information.
Use app-vetting tools or services to identify applications that appear to abuse access to the device clipboard or similar OS-provided services to obtain sensitive information.
Mobile Device User
Use Android Verify Apps feature to identify potentially harmful apps.
APP-36
Malicious or privacy-invasive application
Pre-Installed Apps Invading Privacy
Device Squad: The story behind the FTC's first case against a mobile device maker [^113]
Certifi-gate: Hundreds of Millions of Android Devices Could Be Pwned [^114]
Samsung Keyboard Security Risk Disclosed [^115]
CVE-2015-4640
CVE-2015-4641
Mobile Device User
To mitigate the potential for abuse or exploits by pre-installed apps, ensure that devices have the latest security updates installed.
Uninstall pre-installed apps that are not in use.
For pre-installed apps that cannot be uninstalled, revoke access to device sensors and OS-provided services.
For pre-installed apps that cannot be uninstalled, disable the app so that it cannot be launched.
Enterprise
To mitigate the potential for abuse or exploits by pre-installed apps, ensure that devices have the latest security updates installed.
Deploy MAM solutions to identify and block access to devices running high-risk pre-installed apps.
Deploy MAM or container solutions to provide additional separation between trusted and untrusted pre-installed apps to mitigate the potential for pre-installed apps to violate the privacy of user actions performed within trusted apps.
APP-37
Malicious or privacy-invasive application
Unknowingly Performing Hidden Actions in Other Apps
"Accessibility Clickjacking" - The Next Evolution in Android Malware that Impacts More Than 500 Million Devices [^YAmit1]
Android ransomware variant uses clickjacking to become device administrator [^M-Zhang-1]
Android.Lockdown.E [^Symantec-1]
Mobile Device User
To detect if an unauthorized app has access to restricted functionality, such as Device Administrator or Accessibility Services, use device settings to review permissions and identify any app for which that functionality is not authorized.
On Android 6.0 and later, use device settings to revoke access to unauthorized services, such as Device Administrator or Accessibility Services. On earlier versions, permissions cannot be individually revoked; instead, the app must be uninstalled.
To prevent this attack, use Android 5.0 and later devices, which do not allow apps to appear above any system dialogs used to grant permissions.
Enterprise
To prevent this attack, use Android 5.0 and later devices, which do not allow apps to appear above any system dialogs used to grant permissions.
APP-38
Malicious or privacy-invasive application
Abusing Device Resources for Computations
Mobile Malware Mines Dogecoins Litecoins for Bitcoin Payout [^V-Zhang-1]
Androidos_kagecoin.hbt [^TrendMicro-1]
Currency-mining Android malware is so aggressive it can physically harm phones [^D-Goodin-2]
Mobile Device User
To reduce the risk of installing apps with trojan functionality, only download apps from official app stores.
Use malware detection apps that identify malware by anomalous energy consumption.
Enterprise
Use malware detection apps that identify malware by anomalous energy consumption.
APP-39
Malicious or privacy-invasive application
Using Device for DDoS
Android.Tascudap [^T-Katsuki-1]
CVE-2017-6982
CVE-2017-2495
CVE-2017-0599
CVE-2017-0600
CVE-2017-0603
Mobile Device User
To reduce the risk of installing apps with trojan functionality, only download apps from official app stores.
Use malware detection apps that identify malware by anomalous network activity.
Enterprise
Use malware detection apps that identify malware by anomalous network activity.
APP-4
Vulnerable Applications
Need to Use a Known Vulnerable App or Device
Stumping the Mobile Chipset [^70]
CVE-2016-5340
CVE-2016-2059
CVE-2016-2503
CVE-2016-2504
Mobile Device User
Use iOS and Android runtime permission features to remove risky permissions (e.g. GPS access, contact list access, etc.) from unsupported apps or apps with known vulnerabilities.
Uninstall vulnerable apps from the device. Once a patched version is available for download, redownload and install the app.
Enterprise
Use iOS and Android runtime permission features to remove risky permissions (e.g. GPS access, contact list access, etc.) from unsupported apps or apps with known vulnerabilities.
Use MAM solutions to detect vulnerable apps and prevent access to enterprise resources while the app is installed.
Use MAM solutions to forcefully disable vulnerable apps until a patch is available and installed.
Use MAM solutions to temporarily revoke access to sensitive device sensors or OS-provided services.
APP-40
Malicious or privacy-invasive application
Capturing Raw Screen Buffer
An investigation of Chrysaor Malware on Android [^AndroidDevBlog-1]
Mobile Device User
To limit the opportunity for an attacker to realize this threat following a security patch for a privilege escalation vulnerability, ensure timely installation of mobile OS security updates.
To reduce the probability of installing a malicious application, obtain public apps from an official app store (e.g., Google Play, iTunes Store).
On Android, to prevent an attacker from remotely installing 3rd party malicious apps, ensure Security > Unknown Sources is turned off.
To detect malicious applications, use on-device agents that automatically perform signature- and/or behavior-based malware detection.
Enterprise
To limit the opportunity for an attacker to realize this threat following a security patch for a privilege escalation vulnerability, ensure timely installation of mobile OS security updates.
To prevent users of managed Android devices from installing applications from unknown sources, deploy EMM solutions that effectively disable the Unknown Sources feature.
To detect malicious applications, use on-device agents that automatically perform signature- and/or behavior-based malware detection.
To prevent granting access to compromised devices, use tools or device APIs (Android SafetyNet, Samsung Knox hardware-backed remote attestation, or other applicable remote attestation technologies) to detect and block enterprise connectivity from devices that fail attestation or integrity checks.
APP-41
Malicious or privacy-invasive application
Recording Audio by Placing or Answering Phone Calls
An investigation of Chrysaor Malware on Android [^AndroidDevBlog-1]
Mobile Device User
To prevent data collection using the device microphone, install a protective cover over the device which reliably blocks sound from being picked up when features requiring use of the microphone are not in use. Alternatively, turn off the device or do not take it into areas in which audio collection is a main concern.
To reduce the potential for such an exploit for which a security patch is available, ensure OS security updates are installed in a timely fashion.
Enterprise
To reduce the potential for such an exploit for which a security patch is available, ensure OS security updates are installed in a timely fashion.
APP-43
Malicious or privacy-invasive application
Malware Uninstalls Itself
An investigation of Chrysaor Malware on Android [^AndroidDevBlog-1]
Enterprise
To help reduce the opportunity for attack following availability of patches, ensure timely installation of mobile OS security updates.
On Android devices, to prevent an attacker from remotely installing malicious applications from unknown sources, ensure Security > Unknown Sources is turned off; an enterprise can deploy EMM solutions that enforce a policy to never permit the installation of apps from unknown sources.
To decrease the time-to-detection following the installation of a malicious app, deploy on-device agents that automatically detect the installation of any app and initiate either local (on-device) or remote processes for detection and identification of malware and potentially-harmful applications.
Mobile Device User
To help reduce the opportunity for attack following availability of patches, ensure timely installation of mobile OS security updates.
To reduce the potential of installing malicious applications, download public apps directly from an official app store (e.g., Google Play, iTunes Store).
On Android devices, to prevent an attacker from remotely installing malicious applications from unknown sources, ensure Security > Unknown Sources is turned off; an enterprise can deploy EMM solutions that enforce a policy to never permit the installation of apps from unknown sources.
To decrease the time-to-detection following the installation of a malicious app, deploy on-device agents that automatically detect the installation of any app and initiate either local (on-device) or remote processes for detection and identification of malware and potentially-harmful applications.
APP-5
Vulnerable Applications
Malicious Code Downloaded via Malicious URL
Android Towelroot Exploit Used to Deliver Dogspectus Ransomware [^71]
JailbreakMe [^72]
CVE-2010-1797
CVE-2010-2973
Enterprise
Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.
Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
To reduce the potential for drive-by downloads or similar exploits, ensure the latest security updates for the mobile OS are installed.
Use built-in browser features or third-party products to identify and avoid known malicious web pages.
Use a proxy or VPN for all web traffic and identify and block connections to known malicious web pages.
Educate enterprise users about safe browsing practices.
Use anti-malware device agents to detect malicious applications inadvertently installed on the device.
Mobile Device User
To reduce the potential for drive-by downloads or similar exploits, ensure the latest security updates for the mobile OS are installed.
Use built-in browser features or third-party products to identify and avoid known malicious web pages.
Use anti-malware device agents to detect malicious applications inadvertently installed on the device.
Regularly use Verify Apps feature to identify potentially harmful applications.
APP-6
Vulnerable Applications
Vulnerable Third-Party Library
A Pattern for Remote Code Execution using Arbitrary File Writes and MultiDex Applications [^73]
Unsafe Exposure Analysis of Mobile In-App Advertisements [^74]
Enterprise
Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.
Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
Use app-vetting tools or services to identify apps that use vulnerable libraries.
APP-7
Vulnerable Applications
Data or Functionality Exposed to Untrusted Apps
50 Ways to Leak Your Data: An Exploration of Apps' Circumvention of the Android Permissions System [^75]
Smishing Vulnerability in Multiple Android Platforms [^76]
Android SMS Spoofer [^77]
Content provider permission bypass allows malicious application to access data [^78]
CVE-2016-2810
Enterprise
Use app-vetting tools or services to identify apps that expose functionality to untrusted apps.
Use personal/enterprise app separation features (e.g. Android for Work or Samsung KNOX Workspace) so that vulnerabilities in an enterprise app cannot be exploited by a personal app or vice versa.
APP-8
Vulnerable Applications
WebView App Vulnerable to Browser-Based Attacks
WebView addJavaScriptInterface Remote Code Execution [^79]
DRD13. Do not provide addJavaScriptInterface method access in a WebView which could contain untrusted content [^80]
Remote code execution on Android devices [^81]
CVE-2017-0587
CVE-2017-0588
CVE-2017-0589
CVE-2017-0590
CVE-2017-0591
CVE-2017-0592
Enterprise
Use app-vetting tools or services to identify vulnerable applications.
Use a proxy or VPN for connections to decrease the chance of success of a man-in-the-middle attack.
Mobile App Developer
Always use https URLs for WebView content.
Avoid enabling the WebView JavaScript bridge (with addJavascriptInterface) unless explicitly needed.
APP-9
Vulnerable Applications
Compromised Backend Server
CVE-2015-1581
Mobile App Developer
Follow best practices for server security, for example as described in https://www.owasp.org/index.php/Mobile_Top_10_2014-M1
AUT-0
Authentication: User or Device to Remote Service
Use of Stolen Credentials
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Devices [^61]
CBS App & Mobility Website [^116]
The Fork [^117]
Star Q8 [^118]
Corriere Della Sera App [^119]
LaTribune [^120]
Card Crypt [^121]
Starbucks Caught Storing Mobile Passwords in Clear Text [^122]
Enterprise
To hinder an authentication attempt with a stolen credential, use anomaly detection based on user activity to detect abnormalities (e.g. authentication from new domains, unusual times, or to rarely-accessed services) and require additional authentication steps before granting access.
To mitigate an attacker's ability to achieve authentication using a stolen credential, when possible, configure services to use multi-factor authentication. Ideally, the additional factor should be provided by a separate device than the one being used to perform primary authentication (e.g., laptop and mobile app). Further, avoid the use of SMS messages for 2FA codes, as SMS messages can be readily intercepted.
To limit the value of stolen credentials to an attacker, use centralized identity and access management tools that permit simultaneous revocation of stolen authentication credentials across all access control mechanisms and terminate active sessions based on those credentials.
To limit the value of stolen credentials, enforce a policy that limits the maximum age of credentials and limits the use of identical or similar credentials.
To limit the value of stolen credentials, enforce an access policy that restricts the resources a user can access based on location parameters (e.g. domain, IP address, MAC address, geolocation) of the authentication request.
Incorporate the principle of least privilege to limit lateral movement by an attacker with stolen credentials.
To limit the potential for predictive attacks on new passwords, employ authentication mechanisms that utilizes randomly generated one-time passwords or tokens for access from untrusted locations.
To prevent an attacker with a stolen password from locking out the legitimate user or defining new credentials, require 2-factor authentication mechanisms to change authentication credentials or credential recovery processes.
Mobile Device User
To mitigate an attacker's ability to achieve authentication using a stolen credential, when possible, configure services to use multi-factor authentication. Ideally, the additional factor should be provided by a separate device than the one being used to perform primary authentication (e.g., laptop and mobile app). Further, avoid the use of SMS messages for 2FA codes, as SMS messages can be readily intercepted.
AUT-1
Authentication: User to Device
Unauthorized Information Disclosure via Lockscreen
About the security content of iOS 10.3 [^Apple-1]
How hackers can access iPhone contacts and photos without a password [^129]
CVE-2017-2397
CVE-2017-2399
CVE-2017-2452
Mobile Device User
To limit opportunity for lockscreen bypass attacks, strongly secure mobile devices when not directly attended.
To reduce the success of lockscreen bypass exploits, ensure mobile OS security updates are installed in a timely manner.
To reduce the potential that sensitive information is displayed on the lock screen, use mobile OS settings to disable access to notification features for apps that may receive sensitive content, or configure such notifications to only display when the device is unlocked.
Use mobile OS settings or deploy MDM solutions that can effectively enforce policies to limit the data or services available while the device screen is locked (e.g., notifications, voice-operated assistants, camera).
Enterprise
To reduce the success of lockscreen bypass exploits, ensure mobile OS security updates are installed in a timely manner.
Use mobile OS settings or deploy MDM solutions that can effectively enforce policies to limit the data or services available while the device screen is locked (e.g., notifications, voice-operated assistants, camera).
AUT-10
Authentication: User or Device to Remote Service
Capturing Credentials
OAuth 2.0 for Native Apps [^141]
Stealing Passwords is Easy in Native Mobile Apps Despite OAuth [^140]
Enterprise
Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.
Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
Use app-vetting tools or services to identify malicious behaviors in apps.
AUT-11
Authentication: User or Device to Remote Service
Stolen Credentials
Mobile Top 10 2016 [^9]
Serious OS X and iOS Flaws Let Hackers Steal Keychain, 1Password Contents [^130]
Mobile App Developer
When creating files, named sockets, or similar resources with statically defined names (i.e., predictable by an attacker), verify that the resource does not already exist. If it does, cease execution and exit the app with an error that prompts the user to take action.
Enterprise
Use app-vetting tools or services to identify malicious apps that exploit cross-application resource attacks.
AUT-12
Authentication: User or Device to Network
Insecure Credential Storage
Mobile App Developer
Follow best practices for storing sensitive material, such as using short-lived tokens and the AccountManager on Android and the Keychain on iOS. [^227][^228]
To mitigate the risk associated with a stolen credential, use authentication protocols that generate unpredictable one-time cryptographic tokens that are replay-resistant (e.g. public key authentication, FIDO Alliance protocols).
Mobile Device User
Educate users that OAuth 2.0-style authorization requests from native applications should only be made through external user-agents (the system browser).
AUT-13
Mobile Operating System
Credential Theft via Keylogging
An investigation of Chrysaor Malware on Android [^AndroidDevBlog-1]
Mobile Device User
To reduce the potential of downloading a malicious app, such as a keylogger, only install (or permit the installation of) mobile apps downloaded directly from an official app store (e.g. Apple iTunes Store, Google Play).
To help reduce the opportunity for attack following availability of patches, ensure timely installation of mobile OS security updates.
To detect malicious applications, deploy on-device agents that automatically initiate malware detection for all installed applications.
To decrease the value of captured credentials, enable 2-factor authentication for sensitive services (e.g., online banking) where the second factor is not tied to the same device.
Enterprise
To reduce the potential of downloading a malicious app, such as a keylogger, only install (or permit the installation of) mobile apps downloaded directly from an official app store (e.g. Apple iTunes Store, Google Play).
To help reduce the opportunity for attack following availability of patches, ensure timely installation of mobile OS security updates.
To detect malicious applications, deploy on-device agents that automatically initiate malware detection for all installed applications.
Use tools or device APIs (Android SafetyNet, Samsung Knox hardware-backed remote attestation, or other applicable remote attestation technologies) to detect and block enterprise connectivity from devices until they pass such integrity checks.
AUT-2
Authentication: User to Device
PIN/password Brute Force
Black Box Brouhaha Breaks Out Over Brute Forcing of iPhone Pin Lock [^125]
The bumpy road towards iPhone 5c NAND mirroring [^243]
Mobile Device User
To directly increase the time required for a successful brute-force authentication attempt, increase the length, complexity, and randomness of device unlock codes, with a strong preference for a 'password' option that may contain letters (uppercase and lowercase), numbers, and special characters, rather than a simpler numeric PIN or (on Android devices) a geometric pattern.
To increase the time required to perform brute-force attacks, use mobile devices that incur incrementally increasing delays when the wrong unlock code is entered.
To reduce the likelihood of a successful brute-force user-to-device authentication attempt on a device, configure the device to wipe all device data after a preset number of consecutive failed unlock attempts (e.g., 10).
To reduce the opportunity for an attacker to conduct a brute-force authentication attack against the device, use strong physical security measures (e.g., locking the device into a container) when not directly attended.
Enterprise
To prevent employees from accessing enterprise resources from devices with a weak device unlock code, deploy MDM or containerization solutions that enable device configuration policies that require the unlock code for enrolled devices to meet minimum length and complexity requirements prior to granting access to enterprise resources.
To increase the time required to perform brute-force attacks, use mobile devices that incur incrementally increasing delays when the wrong unlock code is entered.
AUT-3
Authentication: User to Device
Inferring PIN/password from Recordings
Black Hat: Google Glass Can Steal Your Passcodes [^126]
Mobile Device User
When entering PINs, passwords, or other secrets, limit visibility of the device to others.
Use devices and applications that support biometric authentication methods (e.g. fingerprint), which are not as easily captured by casual recording methods as entry of PINs or passwords.
Increase the minimum length and reduce the maximum lifetime of passwords and PINs to reduce the probability that an inference attack will be successful.
When possible, configure remote services with authentication mechanisms that allow the use of random one-time passwords, which if recorded during entry, cannot later be used to authenticate.
To prevent a successful password inference attack from singly enabling authentication by an attacker, configure sensitive services to require 2-factor authentication.
Enterprise
Use devices and applications that support biometric authentication methods (e.g. fingerprint), which are not as easily captured by casual recording methods as entry of PINs or passwords.
Increase the minimum length and reduce the maximum lifetime of passwords and PINs to reduce the probability that an inference attack will be successful.
When possible, configure remote services with authentication mechanisms that allow the use of random one-time passwords, which if recorded during entry, cannot later be used to authenticate.
To prevent a successful password inference attack from singly enabling authentication by an attacker, configure sensitive services to require 2-factor authentication.
Mobile OS Developer
To increase the difficulty of visual or sensor-based inference attacks on entries by the on-screen keyboard, a randomized keyboard layout for PIN or password entry could be implemented as a feature of the mobile OS.
AUT-4
Authentication: User to Device
Inferring PIN/password from Screen Smudges
Smudge Attacks on Smartphone Touch Screens [^124]
Enterprise
To increase the difficulty in successfully inferring the authentication credential, increase the minimum length and complexity of PINs, passwords, or other authentication credentials.
To reduce the window of opportunity during which an attacker can use an inferred authentication credential, reduce the maximum lifetime of authentication credentials.
Use devices and applications that support biometric authentication methods (e.g. facial recognition, voice print), which do not result in direct physical evidence of authentication data being left on the device for later analysis.
Mobile Device User
To increase the difficulty in successfully inferring the authentication credential, increase the minimum length and complexity of PINs, passwords, or other authentication credentials.
To reduce the window of opportunity during which an attacker can use an inferred authentication credential, reduce the maximum lifetime of authentication credentials.
To limit the amount of data available to an attacker conducting a screen smudge inference attack, clean the screen of the device often, particularly when leaving the device directly unattended.
To limit the amount of authentication data available to the attacker (e.g. size, and number of smudges), enter device unlock codes and passwords using a stylus on (ideally) a clean device screen.
Use devices and applications that support biometric authentication methods (e.g. facial recognition, voice print), which do not result in direct physical evidence of authentication data being left on the device for later analysis.
To limit the window of opportunity for an attacker to conduct a screen smudge inference attack, physically secure the device when it is being left directly unattended.
Mobile OS Developer
To increase the difficulty of visual or sensor-based inference attacks on entries by the on-screen keyboard, a randomized keyboard layout for PIN or password entry could be implemented as a feature of the mobile OS.
AUT-5
Authentication: User to Device
Inferring PIN/password from Sensor Information
Your Smartphone Isn't As Safe As You'd Think [^128]
Touchscreen keylogger created using accelerometer movement during typing [^248]
Tapprints: your finger taps have fingerprints [^249]
TouchLogger: Inferring Keystrokes on Touch Screen from Smartphone Motion [^250]
Mobile Device User
To detect Android apps that may realize this threat, use the Verify Apps feature to detect 3rd party apps that appear to abuse access to device sensors.
To reduce the opportunity for this threat, do not authorize (or revoke if granted) access to device sensors by untrusted applications when those applications are not actively in use (e.g., running in the background).
To reduce the opportunity for this threat, use access controls native to the mobile OS to revoke access to device peripherals or services for an app when related application functions are no longer in use.
To prevent this threat, before authenticating to sensitive applications, forcibly close all untrusted applications that have access to device sensors such as an accelerometer or gyroscope.
To prevent this threat, before authenticating to sensitive applications, use OS configuration settings to revoke global access for all apps to device sensors such as an accelerometer or gyroscope.
Enterprise
To reduce the opportunity for this threat, deploy containerization or MAM solutions in combination with devices that successfully enforce policies that restrict access to device sensors by untrusted apps.
To detect apps that may realize this threat, use app-vetting services to determine if any apps present in your mobile device deployment appear to use sensor data in an untrusted manner.
Mobile OS Developer
To increase the difficulty of visual or sensor-based inference attacks on entries by the on-screen keyboard, a randomized keyboard layout for PIN or password entry could be implemented as a feature of the mobile OS.
AUT-6
Authentication: User to Device
Android Smartlock Device Spoofing
Which is the most secure Android Smart Lock? [^131]
Enterprise
As appropriate, use MDM solutions that enable policies to prevent features that would automatically unlock mobile devices or prevent mobile devices from otherwise locking based on your existing security policy, such as after a period of user inactivity.
Mobile Device User
To reduce the potential that communication from a paired device can be successfully spoofed, observe physical security measures to prevent interception of communication during the initial pairing of devices (e.g., pair in a secure location where interception or manipulation of NFC or Bluetooth signals is limited).
To reduce the potential an attacker can, post-pairing, spoof a paired device, maintain strong physical security over it when being left directly unattended (e.g., secure it in a locked container).
To reduce the potential an attacker acquires your device in an unlocked but unattended state or can acquire the pair of devices, avoid pairing your mobile device with a device that is typically already located in proximity to it, such as a keyboard or headset.
Avoid pairing with Bluetooth 2.0 or earlier devices, or those that otherwise only support Legacy Pairing, which is vulnerable to eavesdropping attacks that greatly facilitate spoofing a trusted device.
AUT-7
Authentication: User to Device
Biometric Spoofing
Liveness Detection to Fight Biometric Spoofing [^132]
iPhone 5S Touch ID susceptible to fingerprint spoofs [^135]
Why I hacked TouchID (again) and still think it's awesome [^133]
Mobile Device User
To reduce the opportunity for an attacker to conduct a biometric spoofing attack, physically secure the device (e.g., lock it in a secure container) when leaving it directly unattended.
To prevent an attacker able to successfully conduct a biometric spoofing attack against the device from automatically gaining access to sensitive data, implement multi-factor authentication mechanisms for sensitive apps or services.
Consider devices in which multi-factor biometric authentication mechanisms transform the biometric data using an additional factor (e.g., password or cryptographic token).
Enterprise
Consider devices in which multi-factor biometric authentication mechanisms transform the biometric data using an additional factor (e.g., password or cryptographic token).
To prevent an attacker able to successfully conduct a biometric spoofing attack against the device from automatically gaining access to sensitive data, implement multi-factor authentication mechanisms for sensitive apps or services.
AUT-8
Authentication: User or Device to Remote Service
Man-in-the-middle Malicious Website Substitution
Man-in-the-Middle Attack [^136]
Using spoofed Wi-Fi to attack mobile devices [^20]
Enterprise
To prevent captured authentication credentials from enabling persistent access to sensitive services, configure them with authentication methods that use unpredictable one-time cryptographic tokens that are replay-resistant (e.g. public key authentication, FIDO Alliance protocols, pre-shared access codes).
Mobile Device User
To limit the usefulness of captured passwords, do not use the same password or derivations thereof to authenticate to multiple services.
To increase the difficulty of establishing a MiTM attack on a given wireless access session in which authentication credentials are exchanged, avoid authenticating to sensitive remote services over untrusted Wi-Fi networks.
AUT-9
Authentication: User or Device to Remote Service
Phishing Websites
Phishing Defenses for Webmail Providers [^138]
Your Account PayPal Has Been Limited Phishing Scam [^139]
Enterprise
Ensure corporate e-mail policy is configured to scan for suspicious files, executables, or attachments, and segregate such emails to increase end-user awareness of their potential to contain malicious content.
Deploy email and web proxy services that will examine URL resources for malicious content, and if any is found, prevent delivery of the message to the intended recipient.
Deploy email filtering tools or services that will automatically remove detected URLs from the body of emails from untrusted domains.
Educate end users on how to recognize phishing attempts and increase their awareness of techniques to browse safely from mobile devices, such as tap-and-hold on a hyperlink to examine its associated URL.
STA-0
Mobile Operating System
Privilege Escalation via Software Vulnerabilities
Internet Security Threat Report 2016 [^110]
Mobile Security: Threats and Countermeasures [^90]
Zimperium Applauds Google's Rapid Response to Unpatched Kernel Exploit [^213]
Remote Code Execution as System User on Samsung Phones [^55]
CVE-2010-2973
CVE-2016-4655
CVE-2016-4656
CVE-2017-0538
CVE-2017-0539
CVE-2017-0540
CVE-2017-0544
CVE-2017-0546
CVE-2017-0547
CVE-2017-0548
CVE-2017-0549
CVE-2017-0553
CVE-2017-0554
CVE-2017-0556
CVE-2017-0557
CVE-2017-0558
CVE-2017-0564
Enterprise
To reduce the risk to enterprise resources being accessed from vulnerable devices, deploy EMM/MDM solutions that can successfully enforce policies to monitor the OS version of devices and block enterprise connectivity from out-of-date devices or those with known-exploitable privilege escalation vulnerabilities.
To help reduce the latency between exploit notification and patch availability, purchase devices from vendors/carriers who have committed to providing timely updates or who have known track records for prompt updates.
To help reduce the opportunity for attack following availability of patches, configure automatic installation of, or, at a minimum, automatic notification of the availability of mobile OS security updates.
Use tools or device APIs (Android SafetyNet, Samsung Knox hardware-backed remote attestation, or other applicable remote attestation technologies) to detect and block enterprise connectivity from devices that fail attestation or integrity checks.
Disable components with known vulnerabilities (e.g. disable MMS, Bluetooth, etc.) until the vulnerability is patched to prevent exploitation.
Mobile Device User
To help reduce the opportunity for attack following availability of patches, configure automatic installation of, or, at a minimum, automatic notification of the availability of mobile OS security updates.
Disable components with known vulnerabilities (e.g. disable MMS, Bluetooth, etc.) until the vulnerability is patched to prevent exploitation.
STA-1
Mobile Operating System
Rooting or Jailbreaking
Mobile Security: Threats and Countermeasures [^90]
CVE-2015-3636
Mobile Device User
Ensure devices are kept up-to-date with security patches to decrease the likelihood that they can be rooted/jailbroken.
Enterprise
Ensure devices are kept up-to-date with security patches to decrease the likelihood that they can be rooted/jailbroken.
Use hardware mechanisms, device APIs (Android SafetyNet, Samsung Knox hardware-backed remote attestation, or other applicable remote attestation technologies), or other tools to detect rooted/jailbroken devices, provide notification to the enterprise and user, and block enterprise connectivity.
Help users to understand the risks associated with rooting/jailbreaking their devices.
STA-10
Device Drivers
Low level backdoor inadvertently left by firmware developer
This is what a root debug backdoor in a Linux kernel looks like [^207]
Chinese ARM vendor left developer backdoor in kernel for Android, other devices [^208]
Enterprise
Obtain devices from a reputable vendor with a strong record of addressing security flaws in a timely fashion.
To reduce the opportunity for an attacker to exploit a patched vulnerability, ensure security updates are applied in a timely manner by configuring automated installation of or, at a minimum, automatic notification of the availability of security updates.
Mobile Device User
Obtain devices from a reputable vendor with a strong record of addressing security flaws in a timely fashion.
To reduce the opportunity for an attacker to exploit a patched vulnerability, ensure security updates are applied in a timely manner by configuring automated installation of or, at a minimum, automatic notification of the availability of security updates.
To reduce the opportunity for attacks against various firmware components, disable device features when not in use (e.g., Bluetooth, Wi-Fi, NFC), and globally revoke access to unused device sensors or OS-provided functions (e.g., camera, microphone, location services).
STA-11
Isolated Execution Environments
Vulnerable Isolated Execution Environment Software
Extracting Qualcomm's KeyMaster Keys - Breaking Android Full Disk Encryption [^209]
CVE-2016-0825
CVE-2016-5349
Mobile Device User
To decrease the latency between availability and installation of security fixes for isolated execution environments, configure devices (potentially using EMM solutions) to automatically install security updates, or at a minimum, provide automated notification to the user that security updates are available for installation.
Enterprise
To decrease the latency between availability and installation of security fixes for isolated execution environments, configure devices (potentially using EMM solutions) to automatically install security updates, or at a minimum, provide automated notification to the user that security updates are available for installation.
To decrease the risk of persistent and unpatched vulnerabilities in isolated execution environments in deployed devices, consider acquiring mobile devices from vendors and carriers with a history of addressing and releasing security updates in a timely fashion.
Original Equipment Manufacturer
Use a TEE OS, such as Trusty OS, that provides integrity protections over trustlets (e.g., verification of digital signatures on installed trustlets). [^222]
STA-12
Isolated Execution Environments
Backdoors Introduced by Developers
Chinese ARM vendor left developer backdoor in kernel for Android, other devices [^208]
STA-13
Isolated Execution Environments
Reverse Engineering of TEE Components
ARM Security Technology Building a Secure System using TrustZone Technology [^210]
Enterprise
Assume any device that has been under the physical control of an attacker for any timeframe sufficient to have executed this attack has been permanently compromised and should be transitioned to end-of-lifecycle.
STA-14
Isolated Execution Environments
Reverse Engineering Components
ARM Security Technology Building a Secure System using TrustZone Technology [^210]
Enterprise
Assume any device that has been under the physical control of an attacker for any timeframe sufficient to have executed this attack has been permanently compromised and should be transitioned to end-of-lifecycle.
STA-15
Boot firmware
Bootloader Unlocking
Xiaomi Locks Mi Devices' Bootloaders On Fears Of Malware And Security Risks: Up To 21 Days To Unlock [^47]
Enterprise
Educate users about the risks of unlocking the device bootloader.
Use EMM/MDM solutions or on-device agents that can detect rooted or jailbroken devices and subsequently block access to enterprise resources.
Mobile App Developer
To mitigate the potential for access to sensitive data or functionality on rooted or jailbroken devices, use device attestation APIs to determine that the device is in a known-good state prior to executing sensitive actions.
STA-16
Boot firmware
Boot Firmware Vulnerability
CVE-2009-2795
STA-17
Boot firmware
Operating System Downgrade
Enterprise
Use EMM/MDM solutions in combination with devices that can detect mobile OS versions and successfully block access to enterprise resources from devices running unapproved OS versions.
Consider the use of iOS devices; to prevent devices from being downgraded to older versions that lack the latest security updates, iOS uses a process called System Software Authorization. [^54]
STA-18
Baseband Subsystem
Remote Code Execution
Samsung S6 calls open to man-in-the-middle base station snooping [^48]
Software flaw puts mobile phones and networks at risk of complete takeover [^49]
Original Equipment Manufacturer
Implementation of a baseband firewall.
STA-19
Baseband Subsystem
Inadequate Baseband Processor and Application Processor Separation
Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks [^50]
Original Equipment Manufacturer
Implementation of a baseband firewall.
STA-2
Mobile Operating System
Improper Application Update Authentication
Android: One Root to Own Them All [^202]
Own your Android! Yet Another Universal Root [^214]
CVE-2013-4787
Enterprise
Monitor the security patch state of devices and block enterprise connectivity from out-of-date devices with known exploitable vulnerabilities.
Purchase devices from vendors/carriers who have committed to providing timely updates or who have known track records for prompt updates.
Ensure devices are kept up-to-date with security patches to decrease the likelihood that they can be rooted/jailbroken.
Use tools or device APIs (Android SafetyNet, Samsung Knox hardware-backed remote attestation, or other applicable remote attestation technologies) to detect and block enterprise connectivity from known compromised devices.
Use device APIs (e.g. SystemUpdatePolicy) to enforce system update policies.
Restrict installation of apps from unofficial app stores, which may not undergo certificate validation processes (e.g., side-loading).
Use device built-in separation technologies such as Android for Work, Apple iOS managed apps, or Samsung Knox Workspace to provide a level of separation between enterprise apps and potentially harmful personal-use apps.
STA-20
USIM / SIM / UICC security
SIM Card Crypto Downgrade
Rooting SIM Cards [^211]
STA-21
USIM / SIM / UICC security
SIM Software Vulnerabilities
Spoofing and intercepting SIM commands through STK framework [^219]
CVE-2015-3843
STA-22
USIM / SIM / UICC security
SIM Card Theft
AT&T SIM-Card Switch Scam [^52]
4 Surprising Ways Your Identity Can Be Stolen [^51]
Carriers
Carriers should be encouraged to strongly authenticate account holders before allowing account changes such as issuance of new SIM cards.
STA-23
USIM / SIM / UICC security
Terminal Identity Manipulation
3G Security; Security Threats and Requirements (Release 4) [^165]
STA-24
USIM / SIM / UICC security
Masquerading as a USIM or Terminal
3G Security; Security Threats and Requirements (Release 4) [^165]
STA-25
USIM / SIM / UICC security
UICC Terminal Interface Replay Attack
3G Security; Security Threats and Requirements (Release 4) [^165]
STA-26
USIM / SIM / UICC security
Smartcard Hidden Commands
A Review of Smartcard Security Issues [^212]
STA-27
USIM / SIM / UICC security
Parameter Poisoning or Buffer Overflow
A Review of Smartcard Security Issues [^212]
STA-28
USIM / SIM / UICC security
Smartcard File Access
A Review of Smartcard Security Issues [^212]
STA-29
USIM / SIM / UICC security
Malicious Applets
A Review of Smartcard Security Issues [^212]
STA-3
Mobile Operating System
Arbitrary Code Execution via Malicious File
TALOS Vulnerability Report [^215]
CVE-2016-4637
CVE-2017-2379
CVE-2017-2406
CVE-2017-2407
CVE-2017-2416
CVE-2017-2430
CVE-2017-2432
CVE-2017-2435
CVE-2017-2462
CVE-2017-2467
CVE-2017-2485
CVE-2017-2487
Enterprise
To reduce the probability of this variety of attack, configure devices to automatically install or, at a minimum, notify users of the availability of security updates for the mobile OS, drivers, and installed apps.
To minimize the latency between exploit notification and the availability of security fixes, choose devices that have a reputation for providing security patches in a timely fashion.
To minimize the opportunity for this attack under a known exploit, use email filtering technologies to block attachments of suspect file types from untrusted domains.
To prevent exploitation of this variety of attack under a known exploit, educate users to be suspicious of the file types in question, and when possible, avoid opening them on vulnerable devices.
To minimize the risk of access from compromised devices, use EMM/MDM solutions in combination with devices that successfully enforce policies to block access to enterprise resources for vulnerable devices.
Mobile Device User
To reduce the probability of this variety of attack, configure devices to automatically install or, at a minimum, notify users of the availability of security updates for the mobile OS, drivers, and installed apps.
STA-30
USIM / SIM / UICC security
Communication Protocol
Information exchange between smartcard and terminal is dictated by a communication protocol that handles data flow control and error recovery.
A Review of Smartcard Security Issues [^212]
STA-31
USIM / SIM / UICC security
Smartcard Crypto Protocol, Design, and Implementation
A Review of Smartcard Security Issues [^212]
STA-32
USIM / SIM / UICC security
Etching
A Review of Smartcard Security Issues [^212]
STA-33
USIM / SIM / UICC security
Microscopes Analyzing Chips
A Review of Smartcard Security Issues [^212]
STA-34
USIM / SIM / UICC security
Probe Stations
A Review of Smartcard Security Issues [^212]
STA-35
USIM / SIM / UICC security
Focused Ion Beams
A Review of Smartcard Security Issues [^212]
STA-36
USIM / SIM / UICC security
Differential Power Analysis
A Review of Smartcard Security Issues [^212]
STA-37
USIM / SIM / UICC security
Power Glitching
A Review of Smartcard Security Issues [^212]
STA-38
USIM / SIM / UICC security
Pre-Shared Key Owner Data Manipulation
3G Security; Security Threats and Requirements (Release 4) [^165]
STA-39
Mobile Operating System
Rooting via Hardware Weaknesses
Using Rowhammer bitflips to root Android phones is now a thing [^D-Goodin-1]
CVE-2016-0823
Enterprise
Ensure devices are kept up-to-date with security patches to decrease the likelihood that they can be rooted/jailbroken.
STA-4
Mobile Operating System
Improper OS Update Validation
UAE cellular carrier rolls out spyware as a 3G update [^203]
Enterprise
Use EMM/MDM solutions in combination with devices that successfully enforce a policy to maintain a minimum OS patch level and block access to enterprise resources to non-compliant devices.
Purchase devices from vendors/carriers who have committed to providing timely updates or who have known track records for prompt updates.
Use EMM/MDM solutions in combination with other tools or device APIs (Android SafetyNet, Samsung Knox hardware-backed remote attestation, or other applicable remote attestation technologies) to detect and block enterprise connectivity from devices that show indications of device compromise.
Prior to authorizing general users to install an untested and potentially malicious software update, evaluate the behavior of the update on test devices to determine whether it appears to be free of malicious or vulnerable behaviors.
Use devices that require updates to be signed by the device vendor.
STA-40
SD Card
Code Execution via SD Card Vulnerability
Exploiting Vulnerabilities of Wi-Fi SD cards [^S-Konstantaras-1]
On Hacking MicroSD Cards [^Bunnie-1]
CVE-2016-2494
Mobile Device User
On Android devices running 5.0 or later, do not grant access to the SD card to untrusted apps.
Remove an attached SD card when not in use.
Enterprise
Deploy MAM or containerization solutions that support policies that can restrict access to the SD card by untrusted apps.
STA-41
SD Card
Unauthorized Disclosure of SD Card Data
On Hacking MicroSD Cards [^248]
CVE-2014-7259
CVE-2014-1566
CVE-2014-1969
Mobile Device User
Configure the mobile device to encrypt data stored on an attached SD card.
If sensitive data is to be stored on or processed by an SD card, use a distinct SD card for each security context (e.g. business and personal) to limit the potential for data leakage between them via common use of an attached SD card.
On Android devices running 5.0 or later, do not grant access to the SD card to untrusted apps.
Remove any attached SD card when not in use.
When not in use, secure SD cards storing sensitive data with strong physical security controls.
Enterprise
Deploy MAM or containerization solutions that support policies that can enforce strong encryption on any data stored on the SD card by trusted apps.
Deploy MAM or containerization solutions that support policies that can restrict access to the SD card by untrusted apps.
Use app-vetting services to determine if any apps present in your mobile device deployment store data on or access an SD card in an untrusted manner so appropriate policies and controls can be established to mitigate those risks.
STA-42
SD Card
Malicious Files Delivered from SD Card to USB-Connected Computer
Exploiting Smart-Phone USB Connectivity for Fun and Profit [^143]
Computer User
Configure the computer to not automatically execute content stored on mounted USB devices.
Mobile Device User
Configure the mobile device to not automatically make attached SD media available to a USB-connected computer.
Remove any attached SD card from the mobile device prior to connecting to a computer.
Use an anti-malware app to scan the attached SD card for malicious files prior to connecting to a computer.
STA-43
Mobile Operating System
Malicious App Reading Secrets from Memory
Project Zero: Reading privileged memory with a side-channel [^J-Horn-1]
Spectre Attacks: Exploiting Speculative Execution [^P-Kocher-et-al-1]
Meltdown [^M-Lipp-et-al-1]
CVE-2017-5754
CVE-2017-5753
CVE-2017-5715
Mobile App Developer
To reduce the opportunity for an attacker to compromise the confidentiality of secrets in process memory, the memory location allocated to any secrets, such as cryptographic keys, should be explicitly overwritten as soon as its contents are no longer in use.
To reduce the opportunity for an attacker to compromise the confidentiality of secrets in process memory, secrets (e.g. cryptographic keys) should not be read into memory until they are needed as input to computations.
Enterprise
To reduce the opportunity for an attacker to leverage any underlying vulnerability in the mobile OS or computing hardware, apply OS security updates in a timely fashion.
Mobile Device User
To reduce the opportunity for an attacker to leverage any underlying vulnerability in the mobile OS or computing hardware, apply OS security updates in a timely fashion.
STA-5
Mobile Operating System
Bypassing Code Signing Mechanisms
iOS 8.4.1 Kernel Vulnerabilities in AppleHDQGasGaugeControl [^216]
CVE-2015-5839
Enterprise
Use EMM/MDM solutions in combination with devices that successfully enforce a policy to maintain a minimum OS patch level and block access to enterprise resources to non-compliant devices.
Purchase devices from vendors/carriers who have committed to providing timely updates or who have known track records for prompt updates.
Use EMM/MDM solutions in combination with other tools or device APIs (Android SafetyNet, Samsung Knox hardware-backed remote attestation, or other applicable remote attestation technologies) to detect and block enterprise connectivity from devices that show indications of device compromise.
STA-6
Mobile Operating System
Malicious Apps Installed via USB
Mobile Iron Q4 Mobile Security and Risk Review [^195]
Government Mobile and Wireless Security Baseline [^204]
Injecting Malware into iOS Devices via Malicious Chargers [^217]
Enterprise
To reduce the probability of this attack, follow general best practices for securing systems to which a trusted mobile device may synchronize or access debugging functionality. For example, ensure the OS and applications maintain current security updates, endpoint protection software is installed, and systems are monitored for anomalous behavior.
Consider use of Android 4.2.2 or later devices. In Android 4.2.2, connections to ADB are authenticated with an RSA keypair. This prevents unauthorized use of ADB where the attacker has physical access to a device. [^220]
Consider the use of Android 6.0 or later, in which users must confirm to allow USB access to files, storage, or other functionality on the phone. The default behavior permits charging only. [^221]
Consider the use of iOS 7.x or later, in which synchronization with a computer over USB requires that the device be unlocked and that the user confirm an explicit trust request. Failure to establish trust permits charging only.
Provide extra device chargers to users that plug directly into an electrical socket and encourage users to use them instead of plugging into potentially malicious USB charging stations or USB ports on potentially infected computers.
Mobile Device User
To prevent some varieties of this attack, ensure ADB debugging is disabled.
To reduce the probability of this attack, do not accept prompts to trust untrusted systems.
Consider use of Android 4.2.2 or later devices. In Android 4.2.2, connections to ADB are authenticated with an RSA keypair. This prevents unauthorized use of ADB where the attacker has physical access to a device. [^220]
Consider the use of Android 6.0 or later, in which users must confirm to allow USB access to files, storage, or other functionality on the phone. The default behavior permits charging only. [^221]
Consider the use of iOS 7.x or later, in which synchronization with a computer over USB requires that the device be unlocked and that the user confirm an explicit trust request. Failure to establish trust permits charging only.
Provide extra device chargers to users that plug directly into an electrical socket and encourage users to use them instead of plugging into potentially malicious USB charging stations or USB ports on potentially infected computers.
STA-7
Mobile Operating System
Malicious Configuration Profiles
Malicious Profiles - The Sleeping Giant of iOS Security [^205]
Mobile Threat Protection: A Holistic Approach to Securing Mobile Data and Devices [^61]
Symantec Internet Security Threat Report 2016 [^110]
Threat Advisory Semi Jailbreak [^218]
YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs [^43]
iOS SideStepper Vulnerability Undermines MDM Services: Check Point [^44]
Apple iPhone, iPad iOS 9 security flaw lets malicious apps sneak onto enterprise devices [^45]
Enterprise
To prevent attackers from creating counterfeit management profiles by signing them with stolen enterprise certificates, ensure strong security measures are used to protect both enterprise access to trusted certificate services (e.g., VeriSign) and any obtained certificates (e.g., MDM server certificates, Apple Push Notification Services certificates).
To prevent a device from accepting a malicious management profile after enrollment, use EMM/MDM solutions in combination with devices that properly verify the integrity and authenticity of device management profiles prior to their application, such as by using digitally-signed profiles.
To prevent users from accepting prompts to install malicious management profiles, educate users about the risks associated with installing an untrusted profile and ensure that enrollment processes allow users to know when management profiles are legitimate (e.g., in-person enrollment, or secure out-of-band deployment methods such as digitally-signed or encrypted e-mails).
To prevent users from installing malicious digital certificates, which can be used to greatly facilitate this form of attack, educate users about the risks associated with installing digital certificates, and ensure that installation processes allow users to know when digital certificates are legitimate (e.g., in-person enrollment, or secure out-of-band deployment methods such as digitally-signed or encrypted e-mails).
STA-8
Mobile Operating System
Services Requiring Insecure Configuration
Android: Third-party app stores (whether for enterprise or personal use) that require the user to weaken the device security posture by enabling installation of apps from unknown sources.
Mobile Device User
For Android devices, to reduce the duration of this threat, when needing to install an app not available from the Google Play Store (e.g., an in-house enterprise app), only enable the __Unknown Sources__ option in the __Settings > Security__ menu for as long as necessary to complete installation of the third-party app; disable it when installation is complete.
To reduce the probability that an attacker exploits the reduced security posture to install unauthorized apps on the device while __Unknown Sources__ is enabled, perform enterprise app installation while connected to trusted and secure Wi-Fi networks, or at a minimum, over a VPN connection to a secured enterprise network.
To reduce the probability that an attacker exploits the reduced security posture to install unauthorized apps on the device while __Unknown Sources__ is enabled, limit device activity to installing trusted enterprise applications through trusted channels (e.g., an enterprise app store). Web pages, e-mails, SMS/MMS messages, and NFC/RFID tags can all present (and potentially automatically access) URLs to malicious apps that would normally be blocked from installation.
STA-9
Device Drivers
Device Driver or Firmware Software Exploit
Android Security Bulletin June 2016 [^206]
Broadpwn: Remotely Compromising Android and iOS via a bug in the Broadcom's Wi-Fi Chipset [^Artenstein-1]
CVE-2016-10231
CVE-2016-10236
CVE-2016-10240
CVE-2016-10241
CVE-2016-10278
CVE-2016-10279
CVE-2016-2066
CVE-2016-2469
CVE-2016-2474
CVE-2016-2490
CVE-2016-2491
CVE-2016-5346
CVE-2017-0325
CVE-2017-0329
CVE-2017-0339
CVE-2017-0454
CVE-2017-046
CVE-2017-056
CVE-2017-0561
CVE-2017-0562
CVE-2017-0565
CVE-2017-0566
CVE-2017-0567
CVE-2017-0569
CVE-2017-057
CVE-2017-057
CVE-2017-0570
CVE-2017-0571
CVE-2017-0572
CVE-2017-0575
CVE-2017-0579
CVE-2017-058
CVE-2017-058
CVE-2017-0584
CVE-2017-0585
CVE-2017-6424
CVE-2017-6425
CVE-2017-6975
CVE-2017-9417
Enterprise
Use EMM/MDM solutions in combination with devices that successfully enforce a policy to maintain a minimum OS patch level and block access to enterprise resources to non-compliant or devices with known-exploitable vulnerabilities.
Purchase devices from vendors/carriers who have committed to providing timely updates or have good track records for providing prompt security updates.
Use EMM/MDM solutions in combination with other tools or device APIs (Android SafetyNet, Samsung Knox hardware-backed remote attestation, or other applicable remote attestation technologies) to detect and block enterprise connectivity from devices that show indications of device compromise.
To reduce the probability of an exploit against a driver for a peripheral or OS-provided service that can be disabled via device management APIs, use EMM/MDM solutions in combination with devices that successfully enforce a policy to disable unauthorized resources, including temporarily disabling known-vulnerable resources until a security patch is available.
Mobile Device User
To reduce the probability of an exploit against a driver for an access-controlled peripheral or OS-provided service (e.g., camera, microphone), use OS configuration settings to disable or block access to these resources, with a preference for global settings (e.g., disabling NFC device-wide) over app-specific permissions.
CEL-0
Cellular Air Interface
Air Interface Eavesdropping
3G Security: Security Threats and Requirements (Release 4) [^165]
LTE Architecture Overview and Security Analysis (Draft NISTIR 8071) [^166]
Attacking phone privacy [^175]
A man-in-the-middle attack on UMTS [^176]
Original Equipment Manufacturer
Use of a ciphering indicator in the interface of the mobile device to inform the user as to whether or not user data (e.g. voice calls, SMS/MMS messages, data) are being encrypted.
Mobile OS Developer
Use of a ciphering indicator in the interface of the mobile device to inform the user as to whether or not user data (e.g. voice calls, SMS/MMS messages, data) are being encrypted.
Mobile Network Operator
Network level air interface encryption for user-plane traffic.
Mobile Device User
To prevent an attacker who intercepts traffic on an unencrypted channel between a mobile device and a base station from reading it, use a mobile VPN or another third-party over-the-top encryption solution to encrypt data prior to transmission over the air interface.
Enterprise
To prevent an attacker who intercepts traffic on an unencrypted channel between a mobile device and a base station from reading it, use a mobile VPN or another third-party over-the-top encryption solution to encrypt data prior to transmission over the air interface.
CEL-1
Cellular Air Interface
Cryptanalysis of Air Interface Traffic
GSM Sniffing [^173]
Original Equipment Manufacturer
Where possible, prefer the use of modern air interface technologies to ensure stronger cryptographic algorithms are used.
CEL-10
Consumer-grade Femtocell
Use of weaker, nonstandard handset authentication mechanisms for consumer-grade femtocells
CEL-11
Consumer-grade Femtocell
Rooted Femtocell Eavesdropping
I Can Hear You Now: Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell [^180]
Enterprise
To increase detection of compromised devices, use small cells implemented with secure boot technologies.
Mobile Network Operator
To increase detection of compromised devices, use small cells implemented with secure boot technologies.
CEL-12
Consumer-grade Femtocell
Masquerading
3G Security: Security Threats and Requirements (Release 4) [^165]
CEL-13
VoLTE
Downgrade via Circuit Switched Fallback (CSFB)
Insecurity of Voice Solution VoLTE in LTE Mobile Networks [^170]
How Voice Call Technology Poses Security Threats in 4G LTE Networks [^181]
CEL-14
VoLTE
Covert VoLTE Channels
Insecurity of Voice Solution VoLTE in LTE Mobile Networks [^170]
How Voice Call Technology Poses Security Threats in 4G LTE Networks [^181]
CEL-15
VoLTE
VoLTE Data Injection
Insecurity of Voice Solution VoLTE in LTE Mobile Networks [^170]
How Voice Call Technology Poses Security Threats in 4G LTE Networks [^181]
CEL-16
VoLTE
Unauthorized QoS Indicator Modification
Insecurity of Voice Solution VoLTE in LTE Mobile Networks [^170]
How Voice Call Technology Poses Security Threats in 4G LTE Networks [^181]
CEL-17
SMS / MMS / RCS
SMS-induced DoS
Attacking SMS [^182]
Beware of the Text Message That Crashes iPhones [^183]
CVE-2015-1157
CEL-18
SMS / MMS / RCS
Phone Call Eavesdropping
Researchers exploit cellular tech flaws to intercept phone calls [^168]
CEL-19
SMS / MMS / RCS
Message Injection
Mitigating Attacks on Open Functionality in SMS-Capable Cellular Networks [^184]
Attacking SMS [^182]
CEL-2
Cellular Air Interface
Device and Identity Tracking via Rogue Base station
3G Security: Security Threats and Requirements (Release 4) [^165]
LTE Architecture Overview and Security Analysis [^166]
Enterprise
To increase the complexity of tracking a device over a longer term (e.g., following consecutive hand-offs), use devices that generate temporary device identities.
To reduce the amount of high-quality data an attacker can use to track a device, employ methods of rogue base station detection
Original Equipment Manufacturer
To reduce the amount of high-quality data an attacker can use to track a device, employ methods of rogue base station detection
CEL-20
SMS / MMS / RCS
Device Fingerprinting via SMS
A Silent SMS Denial of Service (DoS) Attack [^185]
Attacking SMS [^182]
CEL-21
SMS / MMS / RCS
Silent Message DoS
A Silent SMS Denial of Service (DoS) Attack [^185]
CEL-22
SMS / MMS / RCS
SMS Parser RCE
CVE-2015-6602
CEL-23
USSD
Traffic Eavesdropping
Zimperium zLabs is Raising the Volume: New Vulnerability Processing MP3/MP4 Media [^186]
Mobile Network Operator
Network level air interface encryption for user-plane traffic.
CEL-24
USSD
Modification of Requests and Responses in Transit
Mobile Network Operator
Network level air interface encryption for user plane traffic.
CEL-25
USSD
Unauthorized USSD Code Autodial
Dirty USSD Code Could Automatically Wipe Your Samsung TouchWiz Device (Updated) [^187]
Remote USSD Code Execution on Android Devices [^188]
Enterprise
Choose devices without a USSD software stack.
Mobile Device User
Choose devices without a USSD software stack.
Choose devices that will not execute USSD codes without user confirmation.
Enterprise
Choose devices that will not execute USSD codes without user confirmation.
CEL-26
Carrier Infrastructure
Voicemail Hacking via Default PIN
Safe Use of Mobile Devices and the Internet [^171]
Mobile Device User
Ensure that a new PIN is set on voicemail accounts.
Enterprise
Ensure that a new PIN is set on voicemail accounts.
CEL-27
Carrier Infrastructure
No validation or authentication of caller ID information
CEL-28
Carrier Infrastructure
Backhaul and Core Eavesdropping
Mobile Network Operator
Ensure Confidentiality Protection of S1 Interface
Encrypt Exposed Interfaces Between Core Network Components
Enterprise
To mitigate the impact of eavesdropping on an unencrypted backhaul or core network communications channel, employ over-the-top encryption services to user-plane data prior to transmission off the mobile device.
Mobile Device User
To mitigate the impact of eavesdropping on an unencrypted backhaul or core network communications channel, employ over-the-top encryption services to user-plane data prior to transmission off the mobile device.
CEL-29
Carrier Infrastructure
Preshared Key Theft
LTE Architecture Overview and Security Analysis (Draft NISTIR 8071) [^166]
Mobile Network Operator
Ensure that baseline industry recommended practices are implemented and validated
CEL-3
Cellular Air Interface
Downgrade Attacks via Rogue Base station
3G Security: Security Threats and Requirements (Release 4) [^165]
LTE Architecture Overview and Security Analysis (Draft NISTIR 8071) [^166]
LTE Security and Protocol Exploits [^167]
Researchers exploit cellular tech flaws to intercept phone calls [^168]
Every LTE call, text, can be intercepted, blacked out, hacker finds [^247]
Original Equipment Manufacturer
Ensure baseband firmware prevents the use of insecure cellular encryption algorithms
Mobile Network Operator
Use of application layer encryption technologies
CEL-30
Carrier Infrastructure
Unauthorized OAM Network Access
LTE Architecture Overview and Security Analysis (Draft NISTIR 8071) [^166]
Attacking BaseStations - an Odyssey through a Telco's Network [^177]
Mobile Network Operator
Use of strong passwords
Properly wipe and dispose of old network equipment
Ensure that baseline industry recommended practices for information system security are implemented and validated
CEL-31
Carrier Infrastructure
Physical Attacks on Network Infrastructure
LTE Architecture Overview and Security Analysis (Draft NISTIR 8071) [^166]
Mobile Network Operator
Implement industry standard physical security mitigations
CEL-32
Carrier Infrastructure
Malware Attacks on Base Station Infrastructure
LTE Architecture Overview and Security Analysis (Draft NISTIR 8071) [^166]
Mobile Network Operator
Ensure that baseline industry recommended practices are implemented and validated
CEL-33
Carrier Infrastructure
Malware Attacks on Core Infrastructure
LTE Architecture Overview and Security Analysis (Draft NISTIR 8071) [^166]
Mobile Network Operator
Ensure that baseline industry recommended practices are implemented and validated
CEL-34
Carrier Infrastructure
User Impersonation
3G Security: Security Threats and Requirements (Release 4) [^165]
CEL-35
Carrier Infrastructure
Traffic Interception via Masquerading
3G Security: Security Threats and Requirements (Release 4) [^165]
CEL-36
Carrier Infrastructure
Unauthorized Phone Call and SMS Rerouting
3G Security: Security Threats and Requirements (Release 4) [^165]
CEL-37
Carrier Interoperability
Monitoring or Redirection of Phone Calls and SMS via SS7 Exploit
SCTPscan - Finding Entry Points to SS7 Networks & Telecommunication Backbones [^172]
GSM Sniffing [^173]
Toward the HLR: Attacking the SS7 & SIGTRAN Applications [^174]
Mobile Network Operator
SS7 Firewalls may be deployed throughout the network. See Securing SS7 Telecommunications Networks [^191]
CEL-38
Carrier Interoperability
Obtaining Device Location via SS7 Exploit
SCTPscan - Finding Entry Points to SS7 Networks & Telecommunication Backbones [^172]
GSM Sniffing [^173]
Toward the HLR: Attacking the SS7 & SIGTRAN Applications [^174]
Mobile Self Defense [^189]
Mobile Network Operator
SS7 Firewalls may be deployed throughout the network. See Securing SS7 Telecommunications Networks [^191]
CEL-39
Carrier Interoperability
Device Location Tracking
Mobile Self Defense [^189]
CEL-4
Cellular Air Interface
Preventing Emergency Phone Calls via Rogue Base station
3G Security: Security Threats and Requirements (Release 4) [^165]
LTE Architecture Overview and Security Analysis (Draft NISTIR 8071) [^166]
Original Equipment Manufacturer
Implement rogue base station detection.
Use baseband firmware that does not connect to a base station unless it has been verified as a legitimate device operated as part of a trusted mobile network.
Use baseband firmware that does not support deprecated communication protocols that are more vulnerable to attack (e.g., 2G or 3G connections).
CEL-40
Carrier Interoperability
Device Information Leak
Mobile Self Defense [^189]
CEL-41
Carrier Interoperability
SMS Spam
Mobile Self Defense [^189]
CEL-42
Carrier Interoperability
Redirect, Duplicate, or Eavesdrop on Phone Calls
Mobile Self Defense [^189]
CEL-43
Carrier Interoperability
Air Interface Traffic Decryption
Mobile Self Defense [^189]
CEL-5
Cellular Air Interface
Incomplete Attach Procedure via Rogue Base station
LTE Architecture Overview and Security Analysis (Draft NISTIR 8071) [^166]
LTE Security and Protocol Exploits [^167]
Enterprise
Ensure that the behavior of a mobile device's chipset in these conditions is understood before relying on cellular communication in critical situations.
In anticipation of a potential denial-of-service attack on the air interface of devices, establish contingency plans for continued operations, such as use of alternative communication channels.
Baseband Developer
Ensure that the behavior of a mobile device's chipset in these conditions is understood before relying on cellular communication in critical situations.
CEL-6
Cellular Air Interface
Call / Data Eavesdropping via Compromised Small Cell
Researchers exploit cellular tech flaws to intercept phone calls [^168]
LTE Architecture Overview and Security Analysis (Draft NISTIR 8071) [^166]
Enterprise
Use applications that strongly encrypt data prior to transmission of data over cellular interfaces.
CEL-7
Cellular Air Interface
Jamming Device Radio Interface
Analysis and Mitigation of Interference to the LTE Physical Control Format Indicator Channel [^169]
Researchers exploit cellular tech flaws to intercept phone calls [^168]
Mobile Device User
Detect, locate and deactivate the device interfering with the radio interface.
Enterprise
Detect, locate and deactivate the device interfering with the radio interface.
Mobile Network Operator
Detect, locate and deactivate the device interfering with the radio interface.
CEL-8
Cellular Air Interface
Jamming Base Station Radio Interface
LTE Architecture Overview and Security Analysis (Draft NISTIR 8071) [^166]
Mobile Network Operator
Detect, locate, and deactivate the device causing interference with the base station radio interface.
CEL-9
Cellular Air Interface
Theft of Preshared Keys Stored in UICC/SIM
LTE Architecture Overview and Security Analysis (Draft NISTIR 8071) [^166]
Original Equipment Manufacturer
Ensure that baseline industry recommended practices are implemented and validated
ECO-0
Mobile OS & Vendor Infrastructure
Exploitation of PC Backups
BackStab: Mobile Backup Data Under Attack from Malware [^192]
iOS 10: Security Weakness Discovered, Backup Passwords Much Easier to Break [^O-Afonin-1]
Mobile Device User
As knowledge of the authentication credentials for any associated account (e.g., iTunes, Google) may facilitate an attacker's ability to initiate, access, or decrypt device backups, follow best practices for management of device account passwords.
To detect malware that may realize this threat against device backups to a trusted computer, ensure up-to-date anti-malware software is configured to regularly scan for malicious files and application behavior.
To prevent this threat for backups to a trusted computer, configure any device backup software (e.g., iTunes) to encrypt all device backups. Furthermore, securely erase any unencrypted backups that may already exist.
To prevent a device from being inadvertently backed up to a computer under an attacker's control, when charging the device, do not grant trust to an untrusted computer or charging station.
To prevent an attacker from directly initiating an unauthorized device backup to a controlled computer, ensure a device unlock code has been configured for the device and that the device is left in a locked state when being left unattended.
To further prevent an attacker from directly initiating an unauthorized device backup to a controlled computer, use strong physical security measures (e.g., lock the device into a secure container) when leaving a device directly unattended.
Enterprise
To detect malware that may realize this threat against device backups to a trusted computer, ensure up-to-date anti-malware software is configured to regularly scan for malicious files and application behavior.
To prevent this threat for all backups of managed devices, deploy EMM/MDM solutions in combination with devices that successfully enforce policies to either encrypt all device backups or to block device backups entirely, as appropriate.
To prevent this threat for enterprise data contained in backups of managed devices, deploy EMM/MDM/container solutions in combination with devices that successfully enforce policies to either encrypt all enterprise data, or block enterprise data from being included in device backups.
ECO-1
Mobile OS & Vendor Infrastructure
Unauthorized Access to Cloud Backups
Elcomsoft Phone Breaker [^194]
Mobile Device User
To prevent an attacker from realizing this threat, disable or do not enable cloud backups for the device, which can be accomplished either through mobile OS settings or, for enterprises, MDM device policy settings.
To increase the difficulty of an attacker gaining access to a cloud service account, enable increased authentication requirements, such as two-factor authentication or step-up authentication when initially accessing the account from an unknown device.
Some tools used to access cloud-based device backups leverage cryptographic tokens left on computers or devices used to legitimately access the cloud service (e.g., iCloud); if it is believed an attacker has had access to any such system, invalidate any tokens they may have recovered by changing the authentication credentials for the cloud service.
As knowledge of the authentication credentials for a cloud-based backup service may enable an attacker to gain access, protect cloud service authentication credentials from unauthorized disclosure.
Enterprise
To prevent an attacker from realizing this threat, disable or do not enable cloud backups for the device, which can be accomplished either through mobile OS settings or, for enterprises, MDM device policy settings.
ECO-10
Mobile Application Store
Compromise leading to distribution of rogue / malicious applications
Enterprise
To decrease the probability that unvetted apps are malicious, prohibit users from sideloading apps or downloading apps from unofficial and unauthorized app stores
Use app threat intelligence data to identify malicious applications unknowingly distributed through official or unofficial application stores.
Use features such as Apple iOS Managed Apps, Android for Work, or Samsung KNOX Workspace that provide some level of separation between personal apps and enterprise apps to mitigate the impact of malicious behaviors.
Use app-vetting tools or services to determine if enterprise applications appear free of malicious behaviors before authorizing their installation.
Host vetted apps within a locally controlled repository of an application store, such as F-Droid [^158]
ECO-11
Mobile Application Store
Redirect Genuine URL to Malicious Application
Enterprise
To decrease the time to detection of malicious apps, use app threat intelligence data to identify malicious apps.
Use app-vetting tools or services to determine if apps, even those acquired from official or authorized app stores, appear free of malicious or vulnerable behaviors prior to authorizing their use.
Use features such as Apple iOS Managed Apps, Android for Work, or Samsung KNOX Workspace that provide additional separation between personal apps and enterprise apps to mitigate the impact of malicious behaviors.
ECO-12
Mobile Application Store
Man in the Middle Attack on Application Download
Enterprise
To decrease the time to detection, use app threat intelligence data to identify malicious applications installed on devices
Use features such as Apple iOS Managed Apps, Android for Work, or Samsung KNOX Workspace that provide additional separation between personal apps and enterprise apps to mitigate the impact of malicious behaviors.
To reduce the probability that an attacker will have established a MiTM on a session during which a user attempts to install apps from a trusted source (e.g., official app store), recommend or require users to download apps when connected to a trusted and secured Wi-Fi network.
To reduce the probability that malicious apps will be installed on managed devices, use app-vetting tools or services in combination with MAM solutions to push vetted apps directly onto enrolled devices over trusted and secured Wi-Fi networks.
ECO-13
Mobile Application Store
Use of links or NFC tags, QR codes, or other distribution channels (e.g., sms, email) to point to malicious apps
http://netsecurity.about.com/od/securityadvisorie1/a/How-To-Protect-Yourself-From-Malicious-QR-Codes.htm
ECO-14
Mobile Application Store
Application Store Infrastructure Attack
Enterprise
To prevent users from acquiring fraudulent versions of in-demand legitimate apps that are typically available from authorized app stores, prohibit side-loading or installing apps from unauthorized app stores
To ensure the availability of enterprise apps typically available from official app stores (e.g., Google Play), create a locally controlled repository of an application store such as F-Droid [^158]
ECO-15
Mobile Application Store
Enterprise App Store Compromise
Enterprise
Use solutions such as Google Play Private Channel or Apple's Developer Enterprise program to securely distribute private applications.
To limit the distribution of sensitive enterprise apps outside of authorized mobile devices, use MAM solutions to push private apps directly onto authorized and enrolled devices.
Mobile App Developer
To prevent the unauthorized disclosure of secrets within private enterprise apps, do not hardcode secrets, such as cryptographic keys, directly into private enterprise applications.
Application Developer
To prevent unauthorized access to private enterprise apps from further granting unauthorized access to sensitive data, require the user of a mobile app to pass strong authentication mechanisms prior to granting access to sensitive data.
ECO-16
Mobile Application Store
Modify or Replace Deployed App
Keep out hijackers: Secure your app store dev account [^150]
Major security hole allows Apple passwords to be reset with only email address, date of birth (update) [^152]
Enterprise
Use app-vetting tools or services to determine that apps appear free of malicious behaviors or vulnerabilities prior to authorizing their use.
To decrease the time to detection for malicious apps, use app threat intelligence services to detect malicious apps installed on devices
Educate end users to scrutinize the permissions requested by apps, particularly if an updated version requests significantly different permissions than previous ones.
Mobile App Developer
To reduce the potential for an attacker to impersonate you to official app stores, follow best practices to protect your developer accounts, such as using multi-factor authentication. [^159] [^160]
To reduce the potential for an attacker to craft malicious apps that validate against your developer account, follow best practices to protect cryptographic signing material for applications [^162]
Mobile Device User
To decrease the time to detection for malicious apps, use Android Verify Apps feature.
ECO-17
Mobile Application Store
Sign and Distribute Malicious App
Keep out hijackers: Secure your app store dev account [^150]
Major security hole allows Apple passwords to be reset with only email address, date of birth (update) [^152]
Enterprise
Use app-vetting tools or services to determine that apps appear free of malicious behaviors or vulnerabilities prior to authorizing their use.
To decrease the time to detection for malicious apps, use app threat intelligence services to detect malicious apps installed on devices
Educate end users to scrutinize the permissions requested by apps, particularly if an updated version requests significantly different permissions than previous ones.
Mobile App Developer
To reduce the potential for an attacker to impersonate you to official app stores, follow best practices to protect your developer accounts, such as using multi-factor authentication. [^159] [^160]
To reduce the potential for an attacker to craft malicious apps that validate against your developer account, follow best practices to protect cryptographic signing material for applications [^162]
Mobile Device User
To decrease the time to detection for malicious apps, use Android Verify Apps feature.
ECO-18
Mobile Application Store
Remove App From App Store
Keep out hijackers: Secure your app store dev account [^150]
Major security hole allows Apple passwords to be reset with only email address, date of birth (update) [^152]
Mobile App Developer
To reduce the potential for an attacker to impersonate you to official app stores, follow best practices to protect your developer accounts, such as using multi-factor authentication. [^159] [^160]
ECO-19
Mobile Application Store
Bring the app store offline by attacking the hosting infrastructure
ECO-2
Mobile OS & Vendor Infrastructure
Exploitation of Cloud Backups
Mobile Security: Threats and Countermeasures [^90]
Q4 Mobile Security and Risk Review [^195]
Enterprise
To prevent sensitive app data from unknowingly being backed-up to unauthorized or unsecure cloud services, analyze app data storage practices as part of the app vetting process prior to authorizing apps for use.
To protect the confidentiality of app data backed-up to a cloud service, prefer the use of FedRAMP-certified cloud service providers to gain assurance that app data backed-up to the cloud is strongly encrypted.
To prevent an attacker from gaining access to app data backups via the cloud service account, enable two-factor or other strong authentication mechanisms.
To protect the confidentiality of app data backed-up to a cloud service, deploy MAM or MDM solutions in combination with devices that successfully enforce a policy to strongly encrypt app data backed-up or synchronized to authorized cloud services.
To prevent sensitive app data from being backed-up to an untrusted cloud service, deploy MAM or MDM solutions in combination with devices that successfully enforce a policy that prohibits app data from being synchronized or backed-up to any cloud services.
Mobile Device User
To prevent an attacker from gaining access to app data backups via the cloud service account, enable two-factor or other strong authentication mechanisms.
ECO-20
Mobile Application Store
Restricted Access to Legitimate App Stores
Google Play Store seems blocked now from China. How can I update my Quora app? [^153]
ECO-21
Mobile Application Store
Distributing URLs Pointing to Malicious Applications
How to Protect Yourself From Malicious QR Codes [^149]
Find and Call app becomes first trojan to appear on iOS App Store [^154]
An investigation of Chrysaor Malware on Android [^AndroidWebBlog-1]
Enterprise
To prevent the installation of malicious applications, prohibit sideloading of apps and the use of unauthorized app stores
To decrease the time to detection, use app threat intelligence data to identify malicious applications installed on devices.
Use features such as Apple iOS Managed Apps, Android for Work, or Samsung KNOX Workspace that provide additional separation between personal apps and enterprise apps to mitigate the impact of malicious behaviors.
Educate users about the risks of activating links in emails or SMS messages, and instead encourage users to locate the app themselves in an official app store.
ECO-22
Mobile Application Store
App Store Vetting Bypass
Researchers Find Methods for Bypassing Google's Bouncer Android Security [^151]
Dissecting the Android Bouncer [^155]
Adventures in Bouncerland [^156]
Malware designed to take over cameras and record audio enters Google Play [^99]
Enterprise
Use app-vetting tools or services to determine that apps appear free of malicious behaviors or vulnerabilities prior to authorizing their use.
To decrease the time to detection for malicious apps, use app threat intelligence services to detect malicious apps installed on devices
Educate end users to scrutinize the permissions requested by apps, particularly if an updated version requests significantly different permissions than previous ones.
Mobile Device User
To decrease the time to detection for malicious apps on Android devices, use Android Verify Apps feature.
ECO-23
Mobile OS & Vendor Infrastructure
Distribution of malicious apps by a 3rd party store
Change to sideloading apps in iOS 9 is a security win [^89]
Mobile Security: Threats and Countermeasures [^90]
Enterprise
Deploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security checks on the app.
Deploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app stores.
Ensure iOS devices are running the latest version of iOS, as iOS 9 introduces improvements to make it more difficult for users to inadvertently install non-Apple App Store apps (e.g. apps distributed using illicitly obtained enterprise certificates).
Mobile Device User
Ensure iOS devices are running the latest version of iOS, as iOS 9 introduces improvements to make it more difficult for users to inadvertently install non-Apple App Store apps (e.g. apps distributed using illicitly obtained enterprise certificates).
When the installation of apps from unofficial app stores (e.g., enterprise app stores) is necessary, use Android Verify Apps feature to identify potentially harmful apps.
To protect against arbitrary installation of 3rd party apps, when the installation of apps from unofficial app stores (e.g., enterprise app stores) is necessary, disable the installation of 3rd party apps once installation is complete.
ECO-3
Mobile OS & Vendor Infrastructure
Insufficient Security Practices of Third-Party App Stores
Security Guidance for Critical Areas of Mobile Computing [^196]
Enterprise
Prohibit users from installing apps from unofficial and unauthorized app stores.
Use app-vetting tools or services to determine that enterprise apps appear free from malicious behaviors or vulnerabilities prior to authorizing their use.
ECO-4
Mobile OS & Vendor Infrastructure
Remote App Installation Exploit
Symantec Internet Security Threat Report 2016 [^110]
How I Almost Won Pwn2Own via XSS [^200]
How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication [^201]
Mobile Device User
To prevent an attacker from gaining unauthorized access to remote installation functionality, enable two-factor or other strong authentication methods for user accounts on app stores.
To detect unauthorized activity, including remote installation of apps, use features from Google or others to periodically analyze account activity for suspicious logins.
Enterprise
To prevent an attacker from gaining unauthorized access to remote installation functionality, enable two-factor or other strong authentication methods for user accounts on app stores.
To detect unauthorized activity, including remote installation of apps, use features from Google or others to periodically analyze account activity for suspicious logins.
Deploy a combination of MDM, MAM, or container solutions and mobile devices that successfully enforce policies (e.g., whitelisting) that prevent unauthorized applications from being installed to managed areas of the device.
To reduce the time to detection of malicious applications, use app threat intelligence services to identify malicious apps installed on devices.
ECO-5
Mobile OS & Vendor Infrastructure
Exploit Remote Management Services
How Apple and Amazon Security Flaws Led To My Epic Hacking [^197]
Mobile Device User
To prevent an attacker from gaining unauthorized access to sensitive functionality (e.g., locating or wiping a device associated with the account), enable two-factor or other strong authentication methods for user accounts on Google, Apple, or other device management and tracking services.
To detect unauthorized access to user accounts, use features from Google or others to periodically analyze account activity for suspicious logins.
Enterprise
To prevent an attacker from gaining unauthorized access to sensitive functionality (e.g., locating or wiping a device associated with the account), enable two-factor or other strong authentication methods for user accounts on Google, Apple, or other device management and tracking services.
To detect unauthorized access to user accounts, use features from Google or others to periodically analyze account activity for suspicious logins.
ECO-6
Mobile OS & Vendor Infrastructure
Malicious Application Delivered By Network Operator
UAE Blackberry update was spyware [^198]
ECO-7
Mobile OS & Vendor Infrastructure
Zombie Applications
The State of the Mobile Ecosystem, Appthority Unveils New Security Research at Black Hat [^199]
Enterprise
To reduce the time to detection, use app threat intelligence services to detect malicious or vulnerable apps installed on devices.
To reduce the risk of malicious behaviors or exploitation of vulnerable apps, deploy MDM or MAM solutions that successfully enforce policies restricting access to enterprise resources for devices running untrusted and unsupported versions of apps.
Mobile Device User
To detect malicious or vulnerable apps installed on Android devices, use the Android Verify Apps feature.
ECO-8
Mobile OS & Vendor Infrastructure
Varying Mobile Data/Device Regulations
The State of the Mobile Ecosystem, Appthority Unveils New Security Research at Black Hat [^199]
Enterprise
As part of the app-vetting process, engage with app vendors to determine if data processed by the app may potentially be stored, temporarily or persistently, on systems located in areas that present unacceptable legal or privacy risks to enterprise data.
Before authorizing the use of mobile devices in areas outside of corporate control, understand the legal and privacy risks to enterprise data.
ECO-9
Mobile OS & Vendor Infrastructure
Parallelized Brute Force
iOS Security: iOS 9.3 or later [^54]
Mobile Device User
To reduce the probability an attacker will successfully launch a brute-force attack against cloud-based cryptographic keys, periodically change authentication credentials, digital certificates, or any cryptographic secret used to derive keys that protect access to the account or data associated with it.
As the strength of cryptographic mechanisms generally increases relative to that of any passwords or cryptographic secrets used, prefer or enforce the use of stronger passwords (increasing length, complexity, and randomness).
Enterprise
To reduce the probability an attacker will successfully launch a brute-force attack against cloud-based cryptographic keys, periodically change authentication credentials, digital certificates, or any cryptographic secret used to derive keys that protect access to the account or data associated with it.
As the strength of cryptographic mechanisms generally increases relative to that of any passwords or cryptographic secrets used, prefer or enforce the use of stronger passwords (increasing length, complexity, and randomness).
EMM-0
Enterprise Mobility
Improper Digital Certificate Validation
The Security of MDM Systems [^3]
CVE-2014-5903
Enterprise
As part of the decision process when choosing to deploy an EMM solution that uses an on-device agent app, verify with the suite vendor that the agent app properly validates the digital certificate of the EMM server for any communication session.
Consider choosing on-device agent apps that have certified against the most recent NIAP protection profile for MDM agents, as this provides a measure of assurance that the agent properly validates digital certificates.
To mitigate the risk of a MiTM attack on remote agent-server communications (for on-premises deployments) due to improper certificate validation by the agent, use mobile OS-provided VPN features to first establish a secure connection to the enterprise network.
EMM-1
Enterprise Mobility
Improper Tenant Segmentation
New VMSA-2014-0014: AirWatch by VMware Product Update Addresses Information Disclosure Vulnerabilities [^190]
CVE-2014-8372
Enterprise
To avoid this threat, deploy on-premises instances of EMM solutions when possible.
To further reduce the potential impact of unauthorized access to account and device data, configure the EMM solution to capture and store the minimum amount of device, user, and activity data as required to meet your broader mobile device security goals.
To further reduce the potential impact of unauthorized access to account and device data, dissociate or anonymize the data provided to the EMM service as much as possible (e.g., map enterprise or personal identities to aliases provisioned within the EMM solution).
To reduce the time to detection of unauthorized access to EMM administrative accounts, configure the EMM solution to audit system access and administrative actions, and establish procedures to review recent activity for indications of unauthorized access.
To reduce the potential for an attacker to activate sensitive EMM functionality, such as remote wiping of enrolled devices, configure the EMM solution to require authorization by multiple administrators before such actions will execute.
EMM-10
Enterprise Mobility
Insecure Internally-developed App Installation
Mobile Top Ten 2016 [^9]
Enterprise
Prior to deployment, ensure internally developed apps are evaluated with rigor, such as by using app-vetting services to establish confidence they present minimal risk to the enterprise and device users.
Consider the use of container solutions, such as Android for Work, that can prevent launching of managed apps when the device user is not authenticated to the work-centric container, thus minimizing the risk those apps present to the user outside of a work context.
Mobile Device User
For device users with concerns about the security implications of a mandatory enterprise app during personal use of the device, restrict its permissions or, if possible, temporarily disable it when operating the device in a personal context.
EMM-2
Enterprise Mobility
Unauthorized Access to MDM Admin Console
The Security of MDM Systems [^3]
Enterprise
Ensure that strong authentication methods are enabled for access to the administrative console.
To prevent compromise of other administrator credentials from granting unauthorized access to EMM solutions, create distinct administrative credentials for EMM administrators.
Configure EMM solutions to use multi-factor authentication mechanisms for remote EMM/MDM administration sessions.
Audit administrative actions within EMM/MDM systems to enable detection of unauthorized access or actions.
Employ application vetting processes on prospective EMM/MDM solutions to reduce the risk attackers can gain unauthorized access to administrative functions.
To prevent an attacker with unauthorized administrative access from activating sensitive features, such as remote full-wipe of devices, configure EMM solutions with workflows that require authorization by multiple administrators prior to executing such actions.
To limit the functions available to an attacker with unauthorized administrative access, divide administrative responsibilities across distinct administrator roles or accounts.
EMM-3
Enterprise Mobility
MDM Impersonation
Mobile Device Mismanagement [^4]
Mobile App Developer
Design on-device agents to only accept MDM administrative commands during secure communication with a trusted EMM server (e.g. during a TLS session).
Enterprise
Consider the use of EMM/MDM products that use digital signatures to allow the on-device agent to perform validation of the source and the integrity of device management messages.
EMM-4
Enterprise Mobility
Improper Data Handling
Mobile Device Mismanagement [^4]
Enterprise
Employ application vetting mechanisms on prospective EMM/MDM solutions to reduce the risk that sensitive data processed by the EMM/MDM is handled in an insecure fashion.
To reduce the impact of this threat, configure EMM solutions to capture the minimum set of user and device data necessary to meet your broader mobile device security goals.
To limit the impact of the theft of credentials supplied to an EMM solution, configure user authentication from mobile devices to enterprise services to use one-time passwords or other replay-resistant cryptographic tokens.
EMM-5
Enterprise Mobility
Bypassing Root/Jailbreak Checks
All Your Root Checks Are Belong to Us: The Sad State of Root Detection [^5]
CVE-2017-4895 [^AirWatch-1]
Enterprise
To increase the potential that device root or jail-break is detected, deploy a variety of mechanisms capable of root or jail-break detection (e.g., on-device agents, apps that require successful boot attestation checks, manual inspection).
To reduce the opportunity for an attacker to locally root or jail-break devices, educate users on the importance of physically securing their devices (e.g., locking it into a container) when not directly attended.
To reduce the potential a given root or jail-break attack will succeed, ensure devices are configured with a strong device unlock code.
Mobile Device User
To reduce the potential for USB-based root or jail-break exploits, do not accept prompts to grant trust when connecting to untrusted computers or charging stations.
EMM-6
Enterprise Mobility
Unauthorized Enrollment in MDM
Mobile Device Mismanagement [^4]
Enterprise
To increase the difficulty of such an attack, consider EMM/MDM solutions that support enrollment procedures that require users to expressly opt in to management of their device, such as by issuing one-time enrollment tokens using an out-of-band channel, or by requiring enrollment to be performed in person.
EMM-7
Enterprise Mobility
Breach of Privacy By MDM Administrator
Worker Fired for Disabling GPS App That Tracked Her 24 Hours a Day [Updated] [^6]
Enterprise
Ensure that the EMM/MDM console provides privacy controls to limit administrator access to privacy-sensitive information.
Configure EMM/MDM solutions to audit administrative access and activity, particularly with respects to privacy-sensitive information.
Configure EMM/MDM solutions to collect and audit only the minimal set of data necessary to meet the organization's broader mobile device security goals.
Educate enterprise users about the privacy implications of enrolling their device into a EMM solution, such as clearly defining what data will be collected, and establishing procedures for resolving potential privacy violations.
To prevent the potential for an attacker to gain access to highly privacy-sensitive information, such as call logs, configure EMM solutions with workflows that require multiple administrators to authorize access to such information prior to its release by the system.
To further minimize the potential for EMM solutions to capture privacy-sensitive data, particularly for BYOD scenarios, deploy EMM solutions that discriminate the data collected when a device is being operated in a business context versus a personal context.
EMM-8
Enterprise Mobility
Personal Data Deletion
Personal Data Security and the "BYOD" Problem: Who is Truly at Risk? [^7]
Enterprise
Consider the use of EMM/MDM solutions that can be configured to require dual authorization (two administrative users) to trigger device wipe functions, or at a minimum, solutions for which wiping functions involve multiple steps to complete.
To enable recovery of personal data wiped from a managed device, provide a mechanism for users to preserve personal data, such as encrypted back-ups to the native cloud service (e.g. iCloud Backup & Storage).
To limit the potential loss of personal data, encourage users of enrolled devices to use authorized mechanisms for the synchronization or transfer of personal data to external systems not subject to remote wipe by enterprise EMM solutions.
Educate users regarding the risks to any personal data generated on an enrolled mobile device.
EMM-9
Enterprise Mobility
Unauthorized Data Synchronization
Man in the Cloud: Threat, Impact, Resolution and the Bigger Picture [^8]
Enterprise
To avoid this threat, use a combination of EMM/MDM solutions and devices that successfully enforce a policy that prohibits devices from synchronizing enterprise data to unauthorized cloud services.
To reduce the risk of a loss of confidentiality for enterprise data stored by an authorized cloud-based file storage or synchronization service, use a combination of EMM/MDM solutions and devices that successfully enforce a policy to encrypt any enterprise data synchronized to authorized but potentially unmanaged cloud services.
GPS-0
GPS
GPS Jamming
A study of GPS jamming and anti-jamming [^179]
Mobile Device User
To prevent loss of GPS signals from preventing location services from operating, select devices that use a variety of location input sources, such as signal strength from cellular towers, Wi-Fi hotspots, and Bluetooth beacons. See __Ten Ways Your Smartphone Knows Where You Are__ [^40]
Enterprise
To prevent loss of GPS signals from preventing location services from operating, select devices that use a variety of location input sources, such as signal strength from cellular towers, Wi-Fi hotspots, and Bluetooth beacons. See __Ten Ways Your Smartphone Knows Where You Are__ [^40]
GPS-1
GPS
GPS Spoofing
On the requirements for successful GPS spoofing attacks [^1]
Assessing the spoofing threat: Development of a portable GPS civilian spoofer. [^2]
Original Equipment Manufacturer
Several countermeasures to be implemented in GPS receiver software have been presented in GPS Spoofing Countermeasures [^41].
LPN-0
Network Threats: Wi-Fi
Rogue Access Points
Guidelines for Securing Wireless Local Area Networks (WLANs) (SP 800-153) [^16]
Darkhotel: A Sophisticated New Hacking Attack Targets High-Profile Hotel Guests [^17]
Mobile Device User
Avoid the use of untrusted and unencrypted Wi-Fi networks, particularly when needing to access sensitive services.
When needing to connect to untrusted and unencrypted Wi-Fi networks, attempt to verify with a representative of the hosting organization (e.g., coffee shop employee) that the detected network is the correct one.
To reduce the probability of connecting to rogue access points, use Wi-Fi hotspot services that associate access points with registered Wi-Fi provider, geolocation, and crowd-sourced reputation data to make assertions about their apparent trustworthiness.
Enterprise
To reduce the probability of connecting to rogue access points, use Wi-Fi hotspot services that associate access points with registered Wi-Fi provider, geolocation, and crowd-sourced reputation data to make assertions about their apparent trustworthiness.
To avoid this threat, only allow mobile devices to connect to authorized Wi-Fi networks that use WPA2 encryption.
LPN-1
Network Threats: Wi-Fi
Wi-Fi SSID Tracking
CAPEC-163: Wi-Fi SSID Tracking (Version 2.8) [^18]
Enterprise
To prevent an attacker from persistently associating a tracked mobile device with the SSID of a known network (e.g., home or enterprise Wi-Fi), frequently change the SSID to a new and unrelated value.
Mobile Device User
To reduce the number of SSIDs available to an attacker to track a specific device, configure it to not attempt to automatically connect or notify the user of available Wi-Fi networks.
To further reduce the number of SSIDs available to an attacker to track a specific device, configure network settings to 'forget' Wi-Fi networks, particularly infrequently used public Wi-Fi networks.
To greatly reduce the number of messages available to an attacker to actively track a specific device, disable Wi-Fi whenever networked services are not in use.
LPN-10
Network Threats: Bluetooth
Bluebugging
Guide to Bluetooth Security (SP 800-121) [^28]
Studying Bluetooth Malware Propagation: The BlueBag Project [^30]
Mobile Device User
To reduce the opportunity for an attacker to conduct this attack, disable Bluetooth on vulnerable (circa 2004) devices when that feature is not in use. [^J-Padgette-1]
LPN-11
Network Threats: Bluetooth
Bluetooth Encryption Brute-Force
Guide to Bluetooth Security (SP 800-121) [^28]
Mobile Device User
To resist brute-force decryption attacks, use the maximum PIN length and encryption key sizes available on configurable Bluetooth devices.
Restrict the use of older Bluetooth devices with a static or 4-digit PIN to very low-risk use cases.
To prevent unauthorized disclosure or modification to data transmitted over a compromised Bluetooth session, use Bluetooth applications that provide strong over-the-top encryption to data prior to transmission over the Bluetooth interface.
Enterprise
Restrict the use of older Bluetooth devices with a static or 4-digit PIN to very low-risk use cases.
To prevent unauthorized disclosure or modification to data transmitted over a compromised Bluetooth session, use Bluetooth applications that provide strong over-the-top encryption to data prior to transmission over the Bluetooth interface.
LPN-12
Network Threats: NFC
NFC Relay MiTM
Implementation and Analysis of a Practical NFC Relay Attack Example [^31]
Demo: NFCGate - An NFC Relay Application for Android [Extended Abstract] [^32]
Mobile Device User
To prevent an attacker from launching a successful NFC relay attack, use mobile devices and NFC apps that require user authorization of the transaction prior to fulfilling requests communicated over NFC.
To reduce the opportunity for this attack, disable NFC or associated apps when that feature is not in use.
To reduce the number of potentially vulnerable applications running on the device, disable or uninstall any NFC apps that are no longer in use.
Enterprise
To prevent an attacker from launching a successful NFC relay attack, use mobile devices and NFC apps that require user authorization of the transaction prior to fulfilling requests communicated over NFC.
LPN-13
Network Threats: NFC
Malicious NFC tags
NFC Threat Landscape [^33]
Near field communication (NFC) technology, vulnerabilities and principal attack schema [^34]
CVE-2016-3761
Mobile Device User
Use devices with NFC features and apps that explicitly request user authorization prior to following URLs or executing potentially harmful instructions on the device. See __QR Codes and NFC Chips: Preview-and-Authorize Should be Default__ [^39]
To reduce the opportunity for this attack, disable NFC when that feature is not in use.
To further reduce the opportunity for this attack, protect the device from malicious signals using an NFC-blocking case when that feature is not in use.
LPN-14
Network Threats: Bluetooth
Bluejacking
Guide to Bluetooth Security: Draft NIST SP 800-121rev2 [^J-Padgette-1]
Mobile Device User
To reduce opportunity for this attack, disable Bluetooth when that feature is not in use.
Do not accept data transfers, such as contact cards, transmitted over Bluetooth without confidence the message is legitimate.
LPN-15
Network Threats: Bluetooth
Secure Simple Pairing Attacks
Guide to Bluetooth Security: Draft NIST SP 800-121rev2 [^J-Padgette-1]
Mobile Device User
To reduce opportunity for this attack, disable Bluetooth when that feature is not in use.
Enterprise
Use EMM/MDM solutions in combination with devices that successfully enforce a policy that inhibits Just Works functionality or disables Bluetooth entirely, as appropriate.
LPN-16
Network Threats: Bluetooth
Pairing Eavesdropping Attacks
Guide to Bluetooth Security: NIST SP 800-121rev2 [^J-Padgette-1]
Mobile Device User
To prevent this attack, when pairing devices, observe physical security, such as pairing devices in a secure location outside of which the ability of an attacker to intercept Bluetooth messages is remote.
Mobile Device User
Avoid the use of Bluetooth 2.0 or earlier devices, or those that only support Legacy Pairing.
LPN-2
Network Threats: Wi-Fi
Eavesdropping on Poorly Encrypted Wi-Fi Networks
Guidelines for Securing Wireless Local Area Networks (WLANs) (SP 800-153) [^16]
Using the Fluhrer, Mantin, and Shamir Attack to Break WEP [^19]
Mobile Device User
To reduce the opportunity for this attack, configure mobile devices to not automatically connect to untrusted and unsecure networks.
To mitigate eavesdropping over unencrypted Wi-Fi networks, use over-the-top encryption products that encrypt data prior to transmission off the device.
Enterprise
To reduce the probability of this attack, configure Wi-Fi networks to WPA2 in personal mode with a strong password (increased length, complexity, and randomness).
To further reduce the probability of this attack, configure Wi-Fi networks with WPA2 in enterprise mode with digital certificates.
To mitigate eavesdropping over unencrypted Wi-Fi networks, use over-the-top encryption products that encrypt data prior to transmission off the device.
To mitigate eavesdropping over unencrypted Wi-Fi networks, use VPN solutions to establish an encrypted tunnel.
LPN-3
Network Threats: Wi-Fi
Wi-Fi Hotspot Hijacking
Guidelines for Securing Wireless Local Area Networks (WLANs) (SP 800-153) [^16]
FCC Fines Marriott $600,000 for Jamming Hotel Wi-Fi [^21]
Mobile Device User
When choosing to connect to an unencrypted and potentially spoofed Wi-Fi network, to reduce the probability of connecting to a malicious network, verify the network appears consistently geolocated with the host (e.g., on the premises), and if possible, verify with a representative that the intended Wi-Fi network is the one they host.
To decrease the probability of connecting to a spoofed Wi-Fi network, configure devices to not automatically connect to unknown Wi-Fi networks, and to 'forget' public networks once they are no longer in use.
Enterprise
To greatly decrease the probability of this attack, only allow mobile devices to connect to authorized Wi-Fi networks that use WPA2 encryption with a strong pre-shared key (for personal mode).
LPN-4
Network Threats: Wi-Fi
Client MAC Address Tracking
IEEE 802 Privacy Threat Analysis [^22]
How Stores Use Your Phone's Wi-Fi to Track Your Shopping Habits [^23]
Attention, Shoppers: Store is Tracking Your Cell [^24]
FTC Goes After Firm for Tracking Shoppers' Cell Phones [^25]
How Retailers Use Smartphones to Track Shoppers In the Store [^26]
Mobile Device Owner
To increase the complexity of MAC address tracking, procure mobile devices with OS and hardware versions that support MAC address randomization. Starting in Android 6.0, randomized MAC addresses are used for Wi-Fi and Bluetooth scans. See __Android 6.0 Changes__. [^35] In iOS 8, Wi-Fi scanning behavior changed to use random, locally administered MAC addresses. See __User Privacy on iOS and OS X__. [^36] Windows 10 and later versions support MAC address randomization. [^251]
Enterprise
To increase the complexity of MAC address tracking, procure mobile devices with OS and hardware versions that support MAC address randomization. Starting in Android 6.0, randomized MAC addresses are used for Wi-Fi and Bluetooth scans. See __Android 6.0 Changes__. [^35] In iOS 8, Wi-Fi scanning behavior changed to use random, locally administered MAC addresses. See __User Privacy on iOS and OS X__. [^36] Windows 10 and later versions support MAC address randomization. [^251]
Consider the use of devices supporting Android 10 or later, in which MAC randomization is enabled by default for client mode, SoftAp, and Wi-Fi Direct.
Mobile Device User
To reduce traceable signals from a mobile device, place it in airplane mode when wireless communication is not in use. In this mode, most devices will disconnect from any current Wi-Fi network and will not attempt to join any Wi-Fi networks until Wi-Fi is re-enabled.
To minimize traceable signals from a mobile device, power it off when not in use.
LPN-5
Network Threats: Wi-Fi
Illegal RF Transmitters
GPS, Wi-Fi, and Cell Phone Jammers Frequently Asked Questions (FAQs) [^27]
FCC Fines Marriott $600,000 for Jamming Hotel Wi-Fi [^21]
Enterprise
Plan contingencies for the use of another communication band.
To mitigate interference to on-premises communications, detect, locate, and deactivate the device causing interference to Wi-Fi communications.
Mobile Device User
Plan contingencies for the use of another communication band.
LPN-6
Network Threats: Bluetooth
BluePrinting
Blueprinting [^29]
Mobile Device User
To reduce the opportunity for this attack, disable Bluetooth when that feature is not in use.
Operate Bluetooth on mobile devices in limited discoverable mode only as long as necessary to achieve desired pairing. See Specification of the Bluetooth System ver. 1.0B [^37]
LPN-7
Network Threats: Bluetooth
BlueStumbling
War Nibbling: Bluetooth Insecurity [^O-Whitehouse-1]
Mobile Device User
To reduce opportunity for this attack, disable Bluetooth when that feature is not in use.
To increase the complexity of this attack, consider the use of devices that support Bluetooth 4.0 and later. Bluetooth 4.0 allows for the address used by a device to change frequently, preventing persistent association of a given address with any user. See __Security, Bluetooth Smart (Low Energy)__ [^38]
As pairing with an attacker-controlled device greatly increases the success of this attack, never authorize an unanticipated pairing request.
As interception of pairing messages facilitates this attack, when pairing devices, observe physical security, such as pairing devices in a secure location outside of which the ability of an attacker to intercept Bluetooth messages is remote.
Enterprise
To increase the complexity of this attack, consider the use of devices that support Bluetooth 4.0 and later. Bluetooth 4.0 allows for the address used by a device to change frequently, preventing persistent association of a given address with any user. See __Security, Bluetooth Smart (Low Energy)__ [^38]
LPN-8
Network Threats: Bluetooth
Bluetooth DoS
Guide to Bluetooth Security (SP 800-121) [^28]
Studying Bluetooth Malware Propagation: The BlueBag Project [^30]
Mobile Device User
To limit opportunity for this threat, disable Bluetooth when that feature is not in use.
To prevent this threat from being realized, operate Bluetooth on devices in a secure location away from windows and doors, to which an attacker is unlikely to have physical access.
To limit opportunity for this threat, protect devices with a case that blocks Bluetooth signals.
LPN-9
Network Threats: Bluetooth
Bluesnarfing
Guide to Bluetooth Security (SP 800-121) [^28]
Studying Bluetooth Malware Propagation: The BlueBag Project [^30]
Mobile Device User
To reduce opportunity for this attack on vulnerable devices, disable Bluetooth when that feature is not in use. Note: per NIST SP 800-121 Revision 1, some _older_ devices possessed a firmware vulnerability enabling this exploit.
To reduce opportunity for this attack while Bluetooth is in use, operate the device in a secure location away from windows and doors, outside of which the probability an attacker can establish Bluetooth communication is remote.
PAY-0
NFC-based
NFC Payment Relay Attacks
iOS Security: iOS 9.3 and Later [^54]
Practical NFC peer-to-peer relay attack using mobile phones. [^11]
Mobile Device User
To reduce opportunity for this attack, disable NFC when that feature is not in use.
To avoid this attack, do not activate - or if no longer in use, deactivate - native mobile payment features, such as Apple Pay.
To prevent this attack, ensure native payment services (e.g. Apple Pay) are configured to require user interaction to complete any contactless payment transaction.
PAY-1
NFC-based
Compromised Mobile Payment Terminal
Demystifying Point of Sale Malware and Attacks [^12]
Home Depot Hit By Same Malware as Target [^13]
Mobile Device User
To mitigate the potential losses incurred as a result of successful PoS attacks, configure mobile payment services to use accounts with limited funds available for purchases, such as pre-paid cards, maximum transaction amounts, or daily spending limits.
To reduce the time to detection for compromised mobile payment information, perform regular review of statements for accounts for unauthorized transactions.
Enterprise
To reduce the time to detection for compromised mobile payment information, perform regular review of statements for accounts for unauthorized transactions.
Point-of-Sale Administrators
Follow security best practices regarding the protection of point-of-sale systems. See __Malware Targeting Point of Sale Systems__ [^42]
PAY-2
NFC-based
Unauthorized Mobile Payment Usage
The Weak Link in Apple Pay's Strong Chain is Bank Verification. Who's to Blame? [^14]
Mobile Device User
To reduce the time to detection for unauthorized enrollment in mobile payment services, use credit monitoring services to monitor credit card accounts for unauthorized changes.
To prevent an attacker from bypassing holder-to-bank authentication to achieve card enrollment, configure payment services to use multi-factor authentication to enroll the user's card into a mobile payment service.
As one method of enrollment into Apple Pay requires the attacker to provide the CVV, use strong physical security mechanisms to prevent unauthorized disclosure of the CVV. See iOS Security: iOS 9.3 and Later [^54]
Follow general guidelines to protect credit card info: When conducting online transactions or accessing banking sites online, never access the URL from a link in an email or SMS/MMS; always type the URL directly into the location bar.
Verify the browser indicates the session is secured with HTTPS before authenticating to a banking site or making online payments to vendors.
To prevent attackers from obtaining authentication credentials or account details for payment systems, never access banking sites from public or untrusted systems, as these may have been infected with malware designed to steal authentication credentials or credit card information.
Consider the use of devices that support Android 9 or higher, in which the Protected Confirmation feature, a hardware protected UI, was added to bolster protection for transactions.
PAY-3
Application-based
Mobile Banking Application Vulnerabilities
The most dangerous code in the world: validating SSL certificates in non-browser software [^15]
CVE-2015-1314
Mobile Device User
Carefully weigh the risks of using third-party mobile banking apps over more mature technologies, such as online transactions via web browsers, which may undergo more rigorous evaluation and benefit from more rapid deployment of security updates.
Consider the use of pre-paid credit card services for payment apps to limit the potential financial harm an attacker can cause by placing charges against the linked account.
Enterprise
Carefully weigh the risks of using third-party mobile banking apps over more mature technologies, such as online transactions via web browsers, which may undergo more rigorous evaluation and benefit from more rapid deployment of security updates.
Consider the use of pre-paid credit card services for payment apps to limit the potential financial harm an attacker can cause by placing charges against the linked account.
PAY-4
In-app Purchases
Accidental In-App Purchase
Enterprise
If the use of enterprise apps that support in-app purchases is authorized, consider the use of EMM/MDM solutions that offer policy settings to require user authentication for each access to the native app store.
Mobile Device User
Configure settings for native app store purchases on the device so that each purchase requires successful authentication. Alternatively, only enable the bypassing of authentication for purchases during a limited period following a successful authentication to the app store (e.g. within 15 minutes).
PAY-5
Application-based
Host Card Emulation Application Attacks
Secure Element Deployment & Host Card Emulation v1.0 [^309]
Enterprise
Deploy EMM or containerization solutions to prohibit the use of HCE-based apps on rooted or jail-broken devices.
Use app-vetting services for HCE-based payment apps to determine if they are trustworthy prior to deployment.
Mobile Device User
Do not use HCE-based apps on rooted or jail-broken devices.
Mobile App Developer
Review additional methods for ensuring the confidentiality and integrity of mobile payments. Sources of additional guidance include the Smart Card Alliance [^310] and Mozido [^252].
PHY-0
Physical Access
Device Loss or Theft
FAQ on Lost/Stolen Devices [^230]
Phone Theft in America: What really happens when your phone gets grabbed [^225]
Smartphone thefts drop as kill switch usage grows [^226]
Mobile Device User
To prevent accidental loss of a device, pair it with another device, such as a smart watch, capable of alerting the user to separation from the device, or quickly triggering mechanisms to help the user locate it.
To prevent theft of a device, closely attend the device at all times, and if leaving it unattended, apply strong physical security measures (e.g., lock it into a secure container).
To mitigate the impact of a lost or stolen device in the possession of an attacker, use remote lock, activation lock, locate, or wipe capabilities as deemed appropriate based on the sensitivity of data stored on or capabilities of the device.
Enterprise
To mitigate the impact of a lost or stolen device in the possession of an attacker, use remote lock, activation lock, locate, or wipe capabilities as deemed appropriate based on the sensitivity of data stored on or capabilities of the device.
PHY-1
Physical Access
Malicious Charging Station
MACTANS: Injecting Malware Into iOS Devices Via Malicious Chargers [^46]
Researchers Show How to Hack an iPhone in 60 Seconds [^147]
Mobile Device User
Avoid use of public charging stations, which may house malicious chargers.
Ensure Android USB debugging is disabled unless explicitly needed (e.g. by app developers).
Do not accept any prompt to trust an untrusted or public USB charger.
PHY-2
Physical Access
Device Attack via PC Connection
Exploiting Smart-Phone USB Connectivity for Fun and Profit [^143]
New Malware Tries to Infect Android Devices Via USB Cable [^232]
Mobile Device User
When charging a device, avoid connecting mobile devices directly to computers, and prefer the use of simple corded chargers obtained directly from the device vendor.
To prevent some attacks over USB connectivity, disable USB debugging on Android devices when that feature is not in use.
To reduce the opportunity for an attacker to directly connect a device to a malicious computer, use strong physical security when a device is being left directly unattended (e.g., lock it in a secure container).
To prevent some attacks over USB connectivity, ensure the device has an unlock code set and is explicitly locked when being left directly unattended.
PHY-3
Physical Access
Unauthorized Access via Poor Lifecycle Management
BYOD & Mobile Security [^146]
Who's Got Your Old Phone's Data? [^233]
Enterprise
Use EMM or MDM solutions in combination with devices that successfully enforce data encryption and device lock policies (unlock code set, unlock code strength requirements, auto-locking enabled, and auto-wipe enabled) such that the recovery of data from an improperly retired device becomes highly improbable.
Consider devices containing storage media that successfully implement secure-erase functions such that initiating a device wipe or factory reset is sufficient to render the recovery of any wiped data infeasible.
PHY-4
Physical Access
Unattended and Unlocked Device
Eight Ways to Keep Your Smartphone Safe [^231]
The Current State of Android Security [^234]
Enterprise
Enforce activation of the auto-lock feature of a mobile device with a maximum idle time that reduces the likelihood an attacker will gain physical access to the device in an unlocked state.
Activate auto-lock features based on loss of proximity to a trusted, paired device attended by the mobile device user, such as a smart watch.
Require additional user-to-app or user-to-service authentication for apps that provide access to sensitive data.
Educate end-users of the importance of locking their device if they are leaving it unattended in an area lacking strong physical security controls.
Mobile Device User
Enforce activation of the auto-lock feature of a mobile device with a maximum idle time that reduces the likelihood an attacker will gain physical access to the device in an unlocked state.
Activate auto-lock features based on loss of proximity to a trusted, paired device attended by the mobile device user, such as a smart watch.
PHY-5
Physical Access
Side-Channel Attack
ECDSA Key Extraction from Mobile Devices Via Nonintrusive Physical Side Channels
New Attack Steals Secret Crypto Keys from Android and iOS Phones [^164]
Evolving differential power analysis targets SIM cards [^Rambus-1]
Mobile Device User
To increase the difficulty of this attack, use devices that implement mitigations in their cryptographic functions against side-channel attacks, such as iOS 9.x and later devices.
Enterprise
To increase the difficulty of this attack, use devices that implement mitigations in their cryptographic functions against side-channel attacks, such as iOS 9.x and later devices.
Avoid the use of apps that may implement their own cryptographic functions without validation that appropriate mitigations against side-channel attacks have been implemented.
Educate users to be mindful of their physical surroundings when using mobile devices, and to report the appearance of unexpected hardware components to IT security immediately.
Educate users to not directly connect their mobile devices to untrusted systems or docking stations, and to maintain strong physical security for innocent-looking components such as USB charging cables.
PHY-6
Physical Access
SIM Swap
A Biometrics-Based Solution to Combat SIM Swap Fraud [^235]
Sim-Swap Fraud Claims Another Mobile Banking Victim [^145]
Mobile Device User
To increase the complexity of this attack, use devices that implement an integrated SIM or eSIM, which cannot be readily replaced with a malicious component.
To reduce the opportunity for this attack, when leaving the device unattended, use strong physical security controls (e.g., lock it in a secure container).
Enterprise
To increase the complexity of this attack, use devices that implement an integrated SIM or eSIM, which cannot be readily replaced with a malicious component.
PHY-7
Physical Access
Battery Damage from Overheating
The science behind exploding phone batteries [^A-Chen-L-Goode-1]
Mobile Device User
Allow a device that is very warm or hot to the touch to cool before charging it.
Do not charge a device that is in a hot or heat-preserving environment, such as in direct sunlight, in a hot car, or under a blanket, as this will decrease the rate at which the device can dissipate heat.
Avoid the use of quick-charge chargers, which increase the heat produced during charging and therefore raise the risk of the battery overheating.
Charge a device using peripherals specifically designed for it, such as the charging unit and cable packaged with the device.
To lessen the amount of heat produced by the CPU during charging operations, place the device into sleep mode or turn it completely off while charging.
To lessen the amount of heat produced by the battery during charging operations, charge the device from the USB port of a trusted computer.
If a device becomes hot while charging even when it is asleep or powered off, take it to an authorized service center so a defective battery can be replaced before it damages the device.
PRI-0
Behavior Tracking
Tracking via Ultrasonic Beacons
Privacy Threats through Ultrasonic Side Channels on Mobile Devices [^Arp-1]
SilverPush Says It's Using Audio Beacons For An Unusual Approach To Cross-Device Ad Targeting [^Ha-1]
Mobile Device User
Scrutinize apps that request access to the device microphone with an understanding that they may listen for and respond to ultrasonic beacons without user consent or knowledge.
To help identify mobile apps that respond to ultrasonic beacons and better inform decisions regarding their use on any mobile device, consult resources such as the AddOns Detector website.
To prevent apps that use ultrasonic beacons in a known and acceptable manner from potentially violating privacy when active outside their intended use (e.g., after leaving a store that uses beacons to offer targeted discounts), either block permission to the microphone, force-close the app, or disable it when leaving its intended context.
Enterprise
To identify apps that may abuse access to the microphone to receive ultrasonic beacons and take action without user consent on managed devices, employ app-vetting services that can identify and notify users of potentially privacy-invasive behaviors.
Mobile OS Developer
To prevent apps from generating inaudible signals to relay ultrasonic beacons to other devices without user knowledge or consent, expand existing device resource usage and/or permission models to include controls that prevent apps from abusing the ability to listen to or generate audio at ultrasonic frequencies.
OEM Manufacturer
To prevent apps from generating inaudible signals to relay ultrasonic beacons to other devices without user knowledge or consent, expand existing device resource usage and/or permission models to include controls that prevent apps from abusing the ability to listen to or generate audio at ultrasonic frequencies.
SPC-0
Supply Chain
Malicious Code in Open Source Software
Supply Chain Attack Framework and Attack Patterns [^142]
Mobile App Developer
To increase the complexity of this attack, prefer open source software libraries for which integrity-checking mechanisms are provided (e.g., strong cryptographic hashes of source files, digital signatures) so the authenticity of the open source library can be verified.
To increase the complexity of this attack, when possible, obtain multiple instances of the same library as hosted by various sources (e.g., FTP mirrors) from which it should be available. Then evaluate all obtained versions for consistency (e.g., compare strong hashes). If any discrepancies are detected, contact the open source software developer.
To detect compromise of the integrity checking mechanisms of a given source of open source libraries, particularly for security sensitive library functions, such as math or cryptographic libraries, contact the developer to verify the library is authentic.
To reduce the probability this variety of attack goes undetected at runtime, implement defensive programming. Any call to untrusted code that can impact critical functionality of the system should include checks on the output for conditions that should always be true given an assumption the library behaves as expected.
To protect the open source libraries used by a product from modification, where possible package a verified authentic instance of each library and apply cryptographic protections (e.g., strong hashing, digital signatures) to the product so customers can verify the authenticity and integrity of all packaged components.
To prevent distributing a software package that contains maliciously modified open source libraries, perform sufficient functional testing of the complete system to verify that it exhibits correct and consistent behavior.
Application Developer
To increase the complexity of this attack, prefer open source software libraries for which integrity-checking mechanisms are provided (e.g., strong cryptographic hashes of source files, digital signatures) so the authenticity of the open source library can be verified.
To increase the complexity of this attack, when possible, obtain multiple instances of the same library as hosted by various sources (e.g., FTP mirrors) from which it should be available. Then evaluate all obtained versions for consistency (e.g., compare strong hashes). If any discrepancies are detected, contact the open source software developer.
To detect compromise of the integrity checking mechanisms of a given source of open source libraries, particularly for security sensitive library functions, such as math or cryptographic libraries, contact the developer to verify the library is authentic.
To reduce the probability this variety of attack goes undetected at runtime, implement defensive programming. Any call to untrusted code that can impact critical functionality of the system should include checks on the output for conditions that should always be true given an assumption the library behaves as expected.
To protect the open source libraries used by a product from modification, where possible package a verified authentic instance of each library and apply cryptographic protections (e.g., strong hashing, digital signatures) to the product so customers can verify the authenticity and integrity of all packaged components.
To prevent distributing a software package that contains maliciously modified open source libraries, perform sufficient functional testing of the complete system to verify that it exhibits correct and consistent behavior.
Enterprise
To increase the complexity of this attack, prefer open source software libraries for which integrity-checking mechanisms are provided (e.g., strong cryptographic hashes of source files, digital signatures) so the authenticity of the open source library can be verified.
To increase the complexity of this attack, when possible, obtain multiple instances of the same library as hosted by various sources (e.g., FTP mirrors) from which it should be available. Then evaluate all obtained versions for consistency (e.g., compare strong hashes). If any discrepancies are detected, contact the open source software developer.
To detect compromise of the integrity checking mechanisms of a given source of open source libraries, particularly for security sensitive library functions, such as math or cryptographic libraries, contact the developer to verify the library is authentic.
To protect the open source libraries used by a product from modification, where possible package a verified authentic instance of each library and apply cryptographic protections (e.g., strong hashing, digital signatures) to the product so customers can verify the authenticity and integrity of all packaged components.
To prevent distributing a software package that contains maliciously modified open source libraries, perform sufficient functional testing of the complete system to verify that it exhibits correct and consistent behavior.
To prevent executing an application that relies upon a maliciously modified version of an open source library that is loaded dynamically at runtime (e.g., a dynamic-link library), verify the library file prior to execution. This may involve validating hashes, verifying digital signatures, or using other integrity protection or detection mechanisms on the host system.
SPC-1
Supply Chain
Hardware or Firmware Component Interception
Supply Chain Attack Framework and Attack Patterns [^142]
Enterprise
Require firmware to be digitally signed by a trusted developer and the signature verified prior to the component being integrated into a larger system
Employ software integrity verification checks on installed firmware, which can be validated against a known-good value (e.g. brute-force resistant cryptographic hash of firmware image) to detect any modification to firmware
Obtain device measurements for comparison to normal ranges (e.g., temperature, timing, EM radiation, power consumption) to detect anomalous behavior.
SPC-10
Supply Chain
Malicious Software in 3rd Party Bundling Process
Supply Chain Attack Framework and Attack Patterns [^142]
Enterprise
Test systems that contain newly integrated or updated software components to detect incorrect function or anomalous behavior prior to production use
Obtain direct from the software developer a list of files changed by the installation or upgrade process, and if possible, strong cryptographic hashes for file updates that are configuration-independent and should produce known values
Use fine-grained role-based access control mechanisms and user/service roles that reduce the potential that malicious installation or upgrade packages can introduce malware outside of files and directories allocated to the associated software
Scan systems with newly integrated or updated software components for indicators of compromise prior to production use
SPC-11
Supply Chain
Vulnerable BIOS Installation
Supply Chain Attack Framework and Attack Patterns [^142]
Enterprise
System maintenance processes for highly sensitive components such as BIOS should require dual authentication to perform, reducing the likelihood a single adversary can introduce malware
Utilize systems with boot validation and attestation to verify that only genuine boot code is executed during system start-up, halting start-up if integrity verification for any component fails
SPC-12
Supply Chain
Corrupted Automated Installer
Supply Chain Attack Framework and Attack Patterns [^142]
Enterprise
Use fine-grained role-based access control mechanisms and user/service roles that reduce the potential that malicious installation or upgrade packages can introduce malware outside of files and directories allocated to the associated software
Scan systems with newly integrated or updated software components for indicators of compromise prior to production use
SPC-13
Supply Chain
Hardware Design and Manufacture Compromise
Supply Chain Attack Framework and Attack Patterns [^142]
Enterprise
Employ software integrity verification checks on firmware, which can be validated against a known-good value (e.g. brute-force resistant cryptographic hash of firmware image) to detect any modification
Obtain device measurements for comparison to normal ranges (e.g., temperature, timing, EM radiation, power consumption) to detect anomalous behavior in received components prior to production use.
SPC-14
Supply Chain
Counterfeit Hardware Component
Supply Chain Attack Framework and Attack Patterns [^142]
SPC-15
Supply Chain
Unsecured or Malicious 3rd Party Components
Supply Chain Attack Framework and Attack Patterns [^142]
SPC-16
Supply Chain
Obsolete Hardware Replacement
Supply Chain Attack Framework and Attack Patterns [^142]
SPC-17
Supply Chain
Malicious Hardware or Firmware Inserted During Integration
Supply Chain Attack Framework and Attack Patterns [^142]
SPC-18
Supply Chain
Subassembly Malware
Supply Chain Attack Framework and Attack Patterns [^142]
SPC-19
Supply Chain
Component Substitution during Packaging or Distribution
Supply Chain Attack Framework and Attack Patterns [^142]
SPC-2
Supply Chain
Malicious Critical Hardware Replacement
Supply Chain Attack Framework and Attack Patterns [^142]
Enterprise
Perform background checks on supply chain personnel, as appropriate to the sensitivity of the component being distributed, to detect placement of an adversary or the potential for, or actual, manipulation by one.
SPC-20
Supply Chain
Component Substitution During Software Upgrade
Supply Chain Attack Framework and Attack Patterns [^142]
SPC-21
Supply Chain
Low-level Backdoor
This is what a root debug backdoor in a Linux kernel looks like [^207]
Chinese ARM vendor left developer backdoor in kernel for Android, other devices [^208]
Enterprise
Obtain devices from a reputable vendor with a strong record of addressing security flaws in a timely fashion.
Mobile Device User
Obtain devices from a reputable vendor with a strong record of addressing security flaws in a timely fashion.
To reduce the opportunity for an attacker to exploit a patched vulnerability, ensure security updates are applied in a timely manner by configuring automated installation of or, at a minimum, automatic notification of the availability of security updates.
To reduce the opportunity for attacks against various firmware components, disable device features when not in use (e.g., Bluetooth, Wi-Fi, NFC), and globally revoke access to unused device sensors or OS-provided functions (e.g., camera, microphone, location services).
Enterprise
To reduce the opportunity for an attacker to exploit a patched vulnerability, ensure security updates are applied in a timely manner by configuring automated installation of or, at a minimum, automatic notification of the availability of security updates.
SPC-3
Supply Chain
Malicious Software Inserted into Software Processes or Tools
Supply Chain Attack Framework and Attack Patterns [^142]
Symantec Internet Security Threat Report 2016 [^110]
XcodeGhost distributed a malicious version of Xcode (Apple's developer tools) that automatically includes malicious code in compiled iOS apps.
Mobile App Developer
App developers should ensure that development tools are obtained from a trusted source (e.g. directly from the vendor).
Enterprise
Only software digitally signed by a trusted developer should be used, and the integrity of software development installation packages should be verified prior to installation
Obtained software should be installed onto target operating systems in a known-good state (fresh install from verified installation media) in a test environment, which is then evaluated for any indicators of compromise prior to authorization of production use
SPC-4
Supply Chain
Malicious Logic Introduction
Supply Chain Attack Framework and Attack Patterns [^142]
Enterprise
Enforce strict access control and auditing for the configuration control system to enable effective auditing of any unauthorized changes to configuration settings.
Use configuration management tools that can validate that current configuration settings meet policy requirements
Test software and microelectronics to verify their functionality conforms to expected behavior and operates within normal tolerances (e.g. timing, temperature, power consumption, EM emissions) both after development and maintenance prior to placing or returning the component to the production environment
SPC-5
Supply Chain
Malware Embedded in Critical Component
Supply Chain Attack Framework and Attack Patterns [^142]
Enterprise
Obtain device measurements for comparison to normal ranges (e.g., temperature, timing, EM radiation, power consumption) to detect anomalous behavior.
Test hardware to verify it functions as expected (e.g. known inputs yield correct outputs) prior to placing or replacing the device into the production environment
SPC-6
Supply Chain
Improperly Vetted or Untested Malicious Microelectronics
Supply Chain Attack Framework and Attack Patterns [^142]
Enterprise
Require that hardware components be tested for correct functionality and normal operation, that the output of automated testing processes be digitally signed by the component that performed the test, and that the results be verified prior to acceptance of the tested component into the next stage of procurement, development, or deployment. This reduces the likelihood that an adversary can introduce a malicious component that goes undetected before use in production.
SPC-7
Supply Chain
Hardware Component Substitution During Transfer
Supply Chain Attack Framework and Attack Patterns [^142]
Enterprise
Test systems that contain newly integrated or updated components to detect incorrect function or anomalous behavior prior to production use
SPC-8
Supply Chain
Firmware Component Substitution During Transfer
Supply Chain Attack Framework and Attack Patterns [^142]
Enterprise
Require firmware to be digitally signed by a trusted developer and the signature verified prior to the component being integrated into a larger system
Employ software integrity verification checks on installed firmware, which can be validated against a known-good value (e.g. brute-force resistant cryptographic hash of firmware image) to detect any modification to firmware
Obtain device measurements for comparison to normal ranges (e.g., temperature, timing, EM radiation, power consumption) to detect anomalous behavior.
SPC-9
Supply Chain
Malicious Code in Custom Software
Supply Chain Attack Framework and Attack Patterns [^142]
Enterprise
Require test results to be digitally signed by both the testing component and a credential uniquely associated with the test operator to enforce non-repudiation
Enforce strict access control and auditing for software testing systems to enable effective auditing of tests
Design testing processes such that individuals responsible for testing do not know the destination of a tested component to prevent sabotage of a specific critical function, location, device, or organizational operation
Design testing processes that use at least two independent testers/processes/tools and compare test results for consistency
For mission-critical components, randomly test the same component multiple times using different testers/processes/tools and compare test results for consistency