Yury Chemerkin

Security Expert (RU)

Yury Chemerkin started as a reverser and security developer and went on to gain experience in malware and mobile security. In recent years he has been researching Mobile and Cloud solutions (and IAM solutions in general) for exploitation from different viewpoints (incl. forensics), based on misunderstood security principles and on developing them into a distributed spyware infrastructure. He is now a multi-skilled security expert in security & compliance, mainly focused on privacy and leakage showdown. His key fields of activity are EMM and Mobile Computing, IAM, Cloud Computing, Forensics & Compliance.

Untrusted Mobile Applications. State of Art of Security App-Apocalypse

Security and Privacy of Mobile Applications have been under fire in recent years, since 2015. Native and 3rd-party apps like Gmail or Instagram have had various problems with data protection. You could find credentials or sensitive information in plaintext, in logs, everywhere. There were many disclosures about this in 2014, diving into transport security, stored data, log leakages and encryption fails. On the other side, the mobile market has been growing very fast. Mobile apps go everywhere; they are carried everywhere. Software development pays little attention to the security it needs. Some methodologies prevent vulnerabilities and known security fails through the compilation process. Most secure coding guides are implemented wrong, even when they are written by Apple or Google. Both factors (insecurity and a growing market) lead us to the App-Apocalypse. Do we really have a solution? A good understanding of the security mechanisms of the mobile environment (incl. applications) can help us keep our devices better protected. Only findings in apps made by security-trained experts are a way to decrease the level of untrustworthiness.

However, the security life cycle looks like "we've done it once, let's stop here". But we can't really stop anywhere. New apps are being released, new updates are coming. We really have to talk about a community-based knowledge database on data insecurity. That is the first step. If you are familiar with the NVD or CVE databases, you should know they don't contain anything about data protection in mobile apps. We found only a few records on it. This absolutely doesn't mean the databases are bad; these databases have solved other problems by design since they appeared. The second step is a way to keep users informed about insecurity use cases. In fact, it's about mobile security awareness. If you take your device to a public place, you should know which application fails to protect your data and what data may leak out of your device. There are many cases where you would prefer to wipe your app data before doing something, but you don't know which application you have to apply the 'wiping' to. Moreover, corporate mobile users have another way to control their data, by implementing EMM solutions. Does this solve the problem? No, it doesn't, because to control it, they have to know exactly what data is out of protection. However, they do have an opportunity to protect it by sandboxing app data at rest and VPN'ing data in transit at the application level. It's a quick way to bypass the real problem, and it works at the moment. What should non-corporate users do, and is there any solution for them? No solutions; even AV (antivirus) solutions can't help, because their goal is preventing malware spreading. This presentation is going to present new results on mobile app insecurity and a way to solve the current problem for the general public.

Presentation @DefCamp 2015