How Mobile Malware Bypasses Secure Container Solutions

redlemonbalm, Mobile - Wireless

Dec 10, 2013


Secure containers and wrappers fail to prevent mobile malware from compromising enterprise content.
Why? And more importantly, how can you mitigate the threat?
A Short Primer to Android and iOS Application Sandbox Security Model
To understand how secure containers work, we first need to look at the sandbox security model –
embraced by both Android and iOS operating systems.
Under this model, each mobile application is executed in its own separate environment. In other words,
each application is allocated its own separate storage space, is assigned to run in a specific memory
location and is entitled to perform only a specific set of device functionalities such as GPS, Network and
SMS. These three restrictions are defined upon application installation, and once the application is
installed they cannot be altered.
It is the mobile operating system which enforces the sandbox model and thereby prevents one
application from accessing another application’s storage and memory.
What are Secure Containers and Wrappers?
Secure containers are components provided by MDM vendors and are designed to deliver and store
enterprise content on the mobile device, such as emails and documents, in a more secure and
controllable manner. All leading MDM solutions, such as AirWatch, Good Technology, MobileIron and
Fiberlink, offer secure containers.
Secure containers rely on the operating system’s sandbox security model. Essentially, their solution
“wraps” up the mobile’s inherent sandbox model to prevent any application from accessing the content
of any other application within the secure container. The additional layer of security that they provide
comes in the form of encryption:
- Data in motion. Encrypts the communication between the application and the enterprise
resources by using an SSL VPN.
- Data at rest. Encrypts all the data that is stored on the mobile device.
Wrappers are a slightly modified form of the secure container. The mechanism is the same; the
difference is that wrappers apply the encryption to third-party applications such as Box and Evernote.
How Mobile Malware Breaks Secure Containers
All mobile operating systems, across all models and versions, contain a large number of vulnerabilities.
Malware that exploits these vulnerabilities receives elevated privileges, namely the same privileges as the
operating system itself. Freed from any permission restrictions, the malware breaks the sandbox
security model. It can then bypass any encryption measure and access the storage,
memory and specific functionalities of any application it chooses.
This can be viewed as a 2-step process:

Step 1: Infecting the mobile device with malware
The malware exploits mobile vulnerabilities to gain operating system privileges, which is commonly
referred to as “rooting” (Android) or “jailbreaking” (Apple).
These exploits can be delivered through malicious documents, PDFs and Web pages. Currently, the most
popular ways to deliver exploits are by embedding them into applications, or via a cable. Recent
well-known examples of such exploits are evasi0n (Apple, February 2013) and the Exynos exploit (Android,
December 2012).
Step 2: Bringing down the security model
With elevated privileges, the malware is capable of bringing down the operating system’s security
model and executing malicious code outside of the sandbox.
The common way it then accesses encrypted content is by grabbing that content once it has been decrypted in
the application’s memory, say, when a user opens an email to read it. In the same fashion, the malware
can expose all of the enterprise’s confidential data.
This attack is relatively straightforward. A more technical description can be found in this BlackHat
More on Breaking Secure Containers: Android
On Android, in particular, there are other means of breaking into the secure container without “rooting”
the device. The reason is that Android allows the installation of alternative keyboards as well as
applications that take screenshots. An attacker can embed malicious code into these applications, turning
them into actual keylogging and screen-capturing software. Consequently, any text which
the user enters into the secure container, such as emails and documents, is exposed to the attacker.
A more illustrative example is that of Citrix. Mobile malware on a Citrix-supported device can grab all
screenshots containing sensitive data and send them on to an attacker-controlled server.
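Both attack paths above share a device-posture precondition a container can check before it decrypts anything: Step 1 leaves rooting/jailbreaking artefacts behind, and the Android keyboard path requires a third-party IME to be the default. The following is an added example of such a pre-unlock gate, not code from Lacoon or any MDM vendor; the trusted-keyboard prefix list and the sample device snapshots are assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Public, widely used rooting/jailbreak artefacts: a hit is a policy signal, not proof.
ANDROID_ROOT_PATHS = ("/system/bin/su", "/system/xbin/su", "/sbin/su",
                      "/system/app/Superuser.apk")
IOS_JAILBREAK_PATHS = ("/Applications/Cydia.app", "/usr/sbin/sshd", "/bin/bash",
                       "/etc/apt", "/private/var/lib/apt")
TRUSTED_IME_PREFIXES = ("com.android.", "com.google.android.")  # assumed policy

@dataclass
class DeviceSnapshot:
    platform: str                    # "android" or "ios"
    existing_paths: set[str]         # paths present on the device
    build_props: dict[str, str] = field(default_factory=dict)  # getprop values
    default_ime: str = ""            # Android 'default_input_method' setting

def root_indicators(snap: DeviceSnapshot) -> list[str]:
    """Reasons the device looks rooted/jailbroken; empty list means no finding."""
    paths = ANDROID_ROOT_PATHS if snap.platform == "android" else IOS_JAILBREAK_PATHS
    reasons = [f"found {p}" for p in paths if p in snap.existing_paths]
    if snap.platform == "android":
        if "test-keys" in snap.build_props.get("ro.build.tags", ""):
            reasons.append("build signed with test-keys")
        if snap.build_props.get("ro.secure") == "0":
            reasons.append("ro.secure=0 (adb shell runs as root)")
    return reasons

def third_party_ime(snap: DeviceSnapshot) -> str | None:
    """Android: package name of the default keyboard if it is not a trusted IME."""
    pkg = snap.default_ime.split("/")[0]
    if snap.platform == "android" and pkg and not pkg.startswith(TRUSTED_IME_PREFIXES):
        return pkg
    return None

def container_may_unlock(snap: DeviceSnapshot) -> bool:
    """Gate before decrypting enterprise content: no root signs, trusted keyboard."""
    return not root_indicators(snap) and third_party_ime(snap) is None

if __name__ == "__main__":
    # Constructed sample snapshots, not captures from real devices.
    clean = DeviceSnapshot("android", {"/system/bin/sh"},
                           {"ro.build.tags": "release-keys", "ro.secure": "1"},
                           "com.google.android.inputmethod.latin/.LatinIME")
    rooted = DeviceSnapshot("android", {"/system/xbin/su", "/system/app/Superuser.apk"},
                            {"ro.build.tags": "test-keys", "ro.secure": "0"},
                            "org.example.keyboard/.Ime")
    for name, snap in (("clean", clean), ("rooted", rooted)):
        print(name, container_may_unlock(snap), root_indicators(snap), third_party_ime(snap))
```

On a real device the snapshot would be filled from filesystem probes, build properties and the default input method setting; note that a privileged rootkit can hide these artefacts, which is why the page pairs such checks with behavioral detection.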
Lacoon Mobile Security: Mitigating the Threat of Mobile Malware
Lacoon provides advanced mechanisms to identify exploitation and malware activity on mobile devices.
These measures are designed to detect malicious behavioral patterns against secure containers and
enterprise content.
Since Lacoon’s solution is behavior-based, and not signature-based, it can also detect zero-day threats.
Lacoon capabilities include:
• Cloud-based virtual execution of applications and payloads to detect exploits
• Identification of malicious behaviors within the applications (such as keyloggers and screen-
• Detection and blocking of C&C activity when mobile malware attempts to exfiltrate information
from the device
• Blocking of drive-by attacks, including exploits of unpatched Web browser vulnerabilities and
jailbreaking attempts