I've got an interesting question regarding mobile devices based on iOS or Android (maybe also Symbian and/or BlackBerry OS to a much lesser extent). I searched the forums but haven't found anything posted that asks the following questions:
1) How does an administrator ensure that apps downloaded via the app stores (i.e. iStore or Android market place) are not infected with viruses etc.? If they are, block them as per usual. Does Palo's threat protection database include Android and/or iPhone virus signatures?
2) Continuing from question 1, how does one do this if the connection to the app store(s) is SSL-based? Will Palo's SSL decryption work in this case?
1) I hope someone from PAN can answer this.
In short, you can't assure that apps downloaded from the market(s) are virus-free (except for a regular signature-based scan similar to the one in PA or a standalone desktop virus scanner).
You would need to create your own market, block all other markets (within the settings of each mobile device) and then manually approve each application (before it shows up in your market) by examining the source code or such. In Android you can customize this to include signed applications so that only apps from your own market will be able to be installed on your devices (because a user can otherwise mail the apk file to themselves and install it that way).
When it comes to privacy issues PDroid seems like a good option - this way you as the owner of the device will decide which data will be available to each application (not uncommon these days that applications request more permissions than really needed).
2) Create a custom CA (and import its private stuff into your PA) and install the CA cert as trusted in your mobile device in order for SSL termination to work.
However some services, such as Windows Update among others, use their own cert store, which means that they will refuse to function if the SSL isn't as expected. PA has a list of which these services are.
I was thinking about this last night. How about "forcing" all BYODs to use HTTP when connecting to their respective market places? For example, set up firewall rules to block connections to the market place if it is on port 443. This would cause the BYODs to fall back to HTTP connections. This way you could monitor/scan and log user traffic. Identification will be done via captive portal since these devices do not log onto a domain. Will this work?
Slightly off topic, but can you set the PA to block connections if it is SSL? The reason why I'm asking is the following - just in case the BYODs try SSL over port 80.
So the idea is the following - instead of trying to decrypt the SSL connection between the respective market place and the BYOD, just force it to use an unencrypted connection to allow scanning/monitoring/logging.
Then of course confirmation of whether PA's TP contains Android and Apple virus signatures would be great.
App-ID will see all applications regardless of their port.
In order to see our threat coverage, you can go to the Threat Vault in this support site and search on Android, iOS and similar.
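As an added illustration of what "regardless of their port" means for the SSL-over-port-80 question above (this is example code written for this page, not Palo Alto Networks App-ID, whose signatures are not public and are not reproduced here): the first bytes of a TCP stream are enough to tell a TLS ClientHello from a plaintext HTTP request whatever the destination port is, and the ClientHello's SNI extension even names the server being contacted. The code parses a ClientHello to pull out the SNI host name, recognises an HTTP request by its method and Host header, and applies a toy policy that blocks TLS on any port. The sample flows (a ClientHello sent to tcp/80, an HTTP request sent to tcp/443, a truncated record) are constructed inline; host names such as `play.google.com` and `market.example` are just sample values.

```python
"""Port-agnostic TLS detection: classify the first bytes of a TCP stream as a
TLS ClientHello (extracting the SNI host name) or a plaintext HTTP request,
independent of the destination port. Illustrative code only; the sample
payloads below are constructed for the example."""
import struct
from typing import Optional, Tuple

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def build_client_hello(host: str) -> bytes:
    """Constructed TLS 1.2 ClientHello carrying an SNI extension (sample data)."""
    name = host.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    sni_body = struct.pack("!H", len(server_name)) + server_name        # ServerNameList
    extensions = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body   # extension type 0 = server_name
    hs_body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + bytes(32)                                   # random (zeros in this constructed sample)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"  # two cipher suites
        + b"\x01\x00"                                 # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(hs_body).to_bytes(3, "big") + hs_body     # HandshakeType 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType 22 = handshake


def parse_client_hello(payload: bytes) -> Tuple[bool, Optional[str]]:
    """Return (is_client_hello, sni). sni is None if absent or the record is truncated."""
    if len(payload) < 9 or payload[0] != 0x16 or payload[5] != 0x01:
        return False, None
    hs_len = int.from_bytes(payload[6:9], "big")
    hs = payload[9:9 + hs_len]
    if len(hs) < hs_len:               # header says TLS, but the ClientHello body is incomplete
        return True, None
    try:
        pos = 2 + 32                                            # skip client_version + random
        pos += 1 + hs[pos]                                      # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]      # cipher_suites
        pos += 1 + hs[pos]                                      # compression_methods
        if pos + 2 > len(hs):
            return True, None                                   # no extensions block at all
        ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_total, len(hs))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            edata = hs[pos:pos + elen]
            pos += elen
            if etype == 0x0000 and len(edata) >= 5 and edata[2] == 0:  # server_name, host_name type
                name_len = struct.unpack("!H", edata[3:5])[0]
                return True, edata[5:5 + name_len].decode("ascii", "replace")
    except (struct.error, IndexError):
        return True, None
    return True, None


def classify(payload: bytes, dst_port: int) -> dict:
    """Identify the application from payload content; dst_port is recorded but not trusted."""
    is_hello, sni = parse_client_hello(payload)
    if is_hello:
        return {"app": "ssl", "port": dst_port, "sni": sni}
    if payload.startswith(HTTP_METHODS):
        host = None
        for line in payload.split(b"\r\n")[1:]:
            if line.lower().startswith(b"host:"):
                host = line.split(b":", 1)[1].strip().decode("ascii", "replace")
        return {"app": "web-browsing", "port": dst_port, "host": host}
    return {"app": "unknown", "port": dst_port}


def policy_action(classification: dict) -> str:
    """Toy rule for the thread's proposal: block TLS on any port, let plaintext through for scanning."""
    return "block" if classification["app"] == "ssl" else "allow"


if __name__ == "__main__":
    flows = [
        (build_client_hello("play.google.com"), 80),                            # TLS hiding on tcp/80
        (b"GET /store HTTP/1.1\r\nHost: market.example\r\n\r\n", 443),          # plaintext on tcp/443
        (build_client_hello("itunes.apple.com"), 443),
        (b"\x00\x01\x02", 80),
    ]
    for payload, port in flows:
        result = classify(payload, port)
        print(port, result, "->", policy_action(result))
```

The classifier never consults the port to decide what the traffic is; the port only appears in the result so a policy can still reason about it. That is the property the reply above describes, and it is why blocking tcp/443 alone does not stop a client that speaks TLS on tcp/80.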
I did some checking on Applipedia/Threat Vault and did not find, for example, the recent Apple iOS virus in the database. I did a search for Apple, iOS, Mac, Flashback etc. So it is my understanding that Threat Vault does not include virus signatures for Android and Apple iOS at present. Is this correct? I did see some vulnerability signatures for these platforms, which is nice.
The reason why this is so important is that the app stores are currently a massive haven for all kinds of security vulnerabilities/viruses etc. It would be great to be able to scan traffic to and from these stores for mobile platform viruses and threats.