Faux Disk Encryption: Realities of Secure Storage on Mobile Devices

Presented at Black Hat USA 2015, Aug. 5, 2015, 4:20 p.m. (50 minutes)

The number of mobile users has recently surpassed the number of desktop users, emphasizing the importance of mobile device security. In traditional browser-server applications, data tends to be stored on the server side where tight controls can be enforced. In contrast, many mobile applications cache data locally on the device thus exposing it to a number of new attack vectors. Moreover, locally stored data often includes authentication tokens that are, compared to browser applications, typically long-lived. One main concern is the loss or theft of a device which grants an attacker physical access which may be used to bypass security controls in order to gain access to application data. Depending on the application's data, this can result in a loss of privacy (e.g., healthcare data, personal pictures and messages) or loss of intellectual property in the case of sensitive corporate data.

In this talk, we discuss the challenges mobile app developers face in securing data stored on devices including mobility, accessibility, and usability requirements. Given these challenges, we first debunk common misconceptions about full-disk encryption and show why it is not sufficient for most attack scenarios. We then systematically introduce the more sophisticated secure storage techniques that are available for iOS and Android respectively. For each platform, we discuss in-depth which mechanisms are available, how they technically operate, and whether they fulfill the practical security and usability requirements. We conclude the talk with an analysis of what still can go wrong even when current best-practices are followed and what the security and mobile device community can do to address these shortcomings.

At the end of our talk, attendees will understand the significant challenges involved in storing data on an always-on and portable device, how to securely store data for different use cases, and how to uncover secure storage flaws in real-world applications.


Presenters:

  • Daniel Mayer - NCC Group
    Daniel Mayer is a Principal Consultant with NCC Group. While working at Matasano Security, part of NCC Group, Daniel became an expert on iOS application security and developed a tool for iOS application penetration testing called 'idb'. Prior to joining NCC Group, Daniel was a researcher at the Stevens Institute of Technology working on applied cryptography and privacy. He has presented his research at various security conferences including Black Hat, ShmooCon, SOURCE Boston, Toorcon, THOTCON, and several international academic venues. Daniel holds a PhD degree in Computer Science from Stevens and a MS degree in Physics from Rutgers.
  • Drew Suarez - NCC Group
    Drew is a Senior Security Consultant for NCC Group with a focus in mobile application testing and research. Before moving to Matasano Security, part of NCC Group, Drew built and maintained large enterprise UNIX environments for a variety of companies. In addition, Drew is a member of the CyanogenMod (open source side) team and has ported custom Android bootable recoveries to dozens of devices. Besides facilitating the installation of custom code such as CyanogenMod, Drew likes working on unloved, problem devices with strange or nonstandard setups. Drew also writes and maintains the CyanogenMod wiki which helps users install CM on their stock Android devices using a variety of different exploits and techniques.

Links:

Similar Presentations: