Monday, November 18, 2013

Presenting "AndroIDS: Mobile Security Reloaded" at DeepSec


Being popular is not always a good thing and here’s why: as mobile devices grow in popularity, so do the incentives for attackers. Mobile malware and threats are clearly on the rise, as attackers experiment with new business models by targeting mobile phones.

The threat to mobile devices, however, is not limited to rogue versions of popular apps and adware. Threat actors are also pouncing on mobile users' banking transactions. Android continues to be a primary target for malware attacks due to its market share and open source architecture.

Nowadays, several behavior-based malware analysis and detection techniques have been proposed for mobile devices, but only about 30 percent of all Android smartphones and tablets have security apps installed.

At DeepSec I will present AndroIDS, a signature-based intrusion detection system (IDS) and intrusion prevention system (IPS) that protects your mobile phone by examining the headers and contents of all packets entering or leaving it. It raises alerts or drops packets when it sees suspicious headers or payloads.

This open source network-based intrusion detection and prevention system is presented as a solution that provides a high return on investment based on visibility, control, and uptime.


It has the ability to perform real-time traffic analysis and packet logging on networks, featuring:
- Protocol analysis, focusing on the examination of values within IP, TCP, UDP and ICMP headers
- Content searching and matching, analyzing every incoming packet against a database of rules, each of which represents the signature of a security exploit.

The framework architecture consists of:
* Sensor: runs continuously without human supervision and is capable of analyzing traffic in real time with minimal overhead, sending push alerts to the Android device to warn the user about the threat, and reporting to the logging server.
* Server: runs on a Linux box and receives all the messages the sensor sends. It is also responsible for sending updated signatures to remote devices, storing events in a database, and detecting statistical anomalies through real-time analysis.

The IDS rule language is powerful enough to represent current and future security exploits accurately and precisely. With the help of custom-built signatures, the framework can also be used to detect all kinds of probes or attacks designed for mobile devices, such as the USSD exploit, WebKit remote code execution exploits, DoS attacks or the Meterpreter module for Android; it can also convert Snort-like rules to an AndroIDS-friendly format. It also has some interesting modules that let users defeat operating system fingerprinting attempts by sending up to 16 TCP, UDP, and ICMP responses to nmap's probes, or by changing TCP header fields to evade p0f's detection engine.
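To make concrete what "signature-based" means here, the following is an added example (my illustration, not AndroIDS code) of how a Snort-like rule combines header checks (protocol, addresses, ports) with a payload content match; the rules, packets and signature strings are constructed for the demonstration, and the option parser is deliberately minimal (no hex `|..|` content, no quoted semicolons).

```python
import re

# Rule header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>alert|drop)\s+(?P<proto>tcp|udp|icmp)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$')

def parse_rule(text):
    """Parse one Snort-like rule into a dict; raise ValueError on malformed input."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("malformed rule: %r" % text)
    rule = m.groupdict()
    # Options are "key:value;" pairs; values may be double-quoted.
    opts = dict(re.findall(r'(\w+)\s*:\s*"?([^";]*)"?\s*;', rule.pop('opts')))
    rule['msg'] = opts.get('msg', '')
    # Missing content means a header-only rule (b'' is found in every payload).
    rule['content'] = opts.get('content', '').encode()
    return rule

def _field_ok(pattern, value):
    """'any' matches everything; otherwise require an exact header value."""
    return pattern == 'any' or str(value) == pattern

def match(rule, pkt):
    """True when protocol, addresses, ports and payload content all fit the rule."""
    return (rule['proto'] == pkt['proto']
            and _field_ok(rule['src'], pkt['src']) and _field_ok(rule['sport'], pkt['sport'])
            and _field_ok(rule['dst'], pkt['dst']) and _field_ok(rule['dport'], pkt['dport'])
            and rule['content'] in pkt['payload'])

def scan(rules, packets):
    """Return (action, msg) for every rule hit; an IPS would discard 'drop' hits."""
    return [(r['action'], r['msg']) for p in packets for r in rules if match(r, p)]

# Constructed sample rules and packets (not real signatures or captured traffic).
SAMPLE_RULES = [
    parse_rule('alert tcp any any -> any 80 (msg:"constructed web signature"; content:"X-Probe";)'),
    parse_rule('drop udp any any -> 10.0.0.5 53 (msg:"constructed dns signature"; content:"bad";)'),
]
SAMPLE_PACKETS = [
    {'proto': 'tcp', 'src': '10.0.0.9', 'sport': 40001, 'dst': '10.0.0.5', 'dport': 80,
     'payload': b'GET / HTTP/1.1\r\nX-Probe: 1\r\n'},
    {'proto': 'tcp', 'src': '10.0.0.9', 'sport': 40002, 'dst': '10.0.0.5', 'dport': 443,
     'payload': b'X-Probe'},  # content matches but port 443 != 80, so no hit
    {'proto': 'udp', 'src': '10.0.0.9', 'sport': 5353, 'dst': '10.0.0.5', 'dport': 53,
     'payload': b'\x00bad\x00'},
]

if __name__ == '__main__':
    for action, msg in scan(SAMPLE_RULES, SAMPLE_PACKETS):
        print(action, msg)
```

The second packet shows why header fields matter: the same payload on a different port produces no alert, which is exactly the precision (and the evasion surface) a signature author has to think about.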

Android mobile users should start taking security seriously...
