From Mobile Security Penetration Tester to Zimperium Employee

Share this blog

“It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of light, it was the season of darkness, it was the spring of hope, it was the winter of despair.” ― Charles Dickens, A Tale of Two Cities

If one did not know better, one might suspect that Dickens was writing about the state of mobile security in 2022.

On the one hand, the industry made numerous strides forward and, in many ways, mobile users and mobile platforms are more secure than ever. “It was the best of times”.

On the other hand, the industry left many threats still unresolved and our society now depends upon mobile connectivity and remote workers more than ever before. “It was the worst of times”.

Security practitioners, security vendors, platform vendors, and even users seemingly know more about security than they ever knew previously. “It was the age of wisdom”.

But mobile users, and even security practitioners, are still as likely to fall for phishing, particularly targeted phishing, to install malware, to skip software updates, and to frequent untrustworthy websites. “It was the age of foolishness”.

In this year’s Global Mobile Threat Report, we have taken a retrospective look at mobile security in 2022. What changed, what stayed the same, what did we as an industry and society do well, where do we need to improve, and how can we bring Dickens’ “spring of hope” to fruition?

But first, an origin story…because the world loves a good origin story.

Zimperium has been on my radar since the very beginning of my career. Back in 2011 / 2012, as I was working on and releasing my first tool for the security community, the DARPA Fast Track funded “Smartphone Pentest Framework” (aimed at providing pentesting capabilities for mobile devices), Zimperium released zAnti (a suite of tools for allowing testers to run their pentesting tools from a mobile device). Clearly, Zimperium and I were on parallel tracks.

Time went by and Zimperium moved into the burgeoning Mobile Threat Defense (MTD) space and I moved toward building products for enterprises to test the security of mobile devices as well as the effectiveness of mobile security technology such as anti-virus, Enterprise Mobility Management (EMM) / Mobile Device Management (MDM), and Mobile Threat Defense itself.

In my work as a penetration tester, I far too often saw companies ignore mobile and especially Bring Your Own Device (BYOD) programs as part of their security assessment programs. I remained unimpressed by the performance of most mobile security products on the market. I began using the phrase, “Quis custodiet ipsos custodes?” or “Who watches the watchers?” in my marketing material. I became perpetually disgusted by the disconnect between what products claimed to be able to do in terms of, for example, detection of zero-day exploits, and what they could actually do — likely catch an exact replica of a long-known threat.

Mobile devices had been built with enough security in mind that the precepts we had come to live by for desktop and traditional enterprise security did not easily translate. Take, for example, anti-virus. The security community tends to look down its nose at anti-virus, simply because in its traditional form of signature detection it can be bypassed without nation-state-level effort. However, your typical desktop antivirus program is quite good at the job it does, detecting known and unsophisticated malware. Of course, a targeted, sophisticated attack will make sure its payloads sail right by the anti-virus used by the specific target before a single packet is sent. On the other hand, the primitive attacks typically delivered by mass phishing will be scooped up by anti-virus before the user even finishes downloading it.

With the advent of mobile and the design choice to sandbox applications, the desktop anti-virus model of scanning the filesystem for offending signatures failed to translate. Though it is simplifying things slightly, in my talks I often say that an early mobile antivirus app could do little more than wake up periodically and check if it itself was a virus. It did not have any oversight into the goings on of other apps or whether they were pulling known malware from the internet into their own sandboxed storage. This certainly did not stop anyone from building, marketing, and selling mobile antivirus apps. And I feel like this set an unfortunate precedent in mobile security to simply follow the desktop model – there were line items in the budget for them after all, regardless of whether a given solution was at all effective in the reality of mobile.

And so, that was seemingly the state of the mobile security market. Products that didn’t really work, the enterprise increasingly flooded by BYOD devices not under their control, and security awareness training focused on how people used to work — on computers, in offices, on corporate networks, behind a firewall — and not how they really worked – on mobile devices, on the road, on public networks.

Then, one fateful day, a Fortune 500 company commissioned me to assist with their ongoing mobile security bake-off. They were trying to learn what mobile security products would be best to deploy in their enterprise, and, like me, they were interested in whether those products lived up to their claims around detecting attacks or whether the vendors in question were simply selling lion repellent.

A variety of products were deployed in their test bed for me to put through their paces. I first delivered a set of attacks starting with mobile phishing via SMS, WhatsApp, Facebook Messenger, QR codes, etc. Then I upped the ante to include malicious apps using both known and unknown apps, network-based attacks (including ARP spoofing and rogue certificate), and privilege escalation attacks including jailbreaking / rooting. The most sophisticated attacks included jailbreaking/rooting without the crucial final steps of the process that most security products rely on for detection.

And something extraordinary happened. Zimperium’s Mobile Threat Defense detected an unprecedented number of my attacks. I was intrigued. Was there finally a mobile security company looking at the problem the same way I had been for years, building a technology that could provide protection against real world attacks targeting mobility?

So much of what I had tested in bake-offs and independent research was barely scratching the surface at the kind of detection that would be required to make good on the promises the entire industry was making: to protect users from real-world attacks including unknown zero-day attacks. This is a bold claim and a non-trivial problem and, in general, the mobile security technologies I was testing fell far short of that, but Zimperium’s products seemed to buck that trend!

Take, for example, detecting mobile applications on devices performing privilege escalation attacks. This can occur when a user roots or jailbreaks their own device, but also occurs when a malicious attacker is trying to gain persistent elevated privileges on the device. Many of the solutions I tested detected only the presence of common rooting and jailbreaking apps and libraries on the device. Thus, they will detect a user jailbreaking or rooting their own device, which is admittedly valuable information to the enterprise. However, sophisticated attackers do not need to install these apps and libraries as part of their attack chain. These are primarily for assisting the device owner in using their elevated privileges more effectively. An attacker is not interested in tweaking the user interface, instead they are going after the keychain and other sensitive data, remotely controlling the device, or using it as a pivot point to attack other devices in the enterprise.

What excited me about Zimperium’s offering was that it was not just detecting rooting and jailbreaking apps and libraries, but rather it was detecting key indicators of compromise that would occur regardless of whether it was a user jailbreaking / rooting their own device or an attacker escalating their privileges to take over the device. Even better, although the exact attack code and static detection signatures would change with each new vulnerability that was discovered, key elements of the attack chain remain the same even for a never before seen, zero-day attacks such as turning off code execution protections or disabling operating system security features. Zimperium’s Mobile Threat Defense was successfully detecting these indicators of compromise. Here was a product that was making good on the claim to detect both known and unknown threats.

As I began to engage with Zimperium directly, I was pleased to find out that in addition to a best-in-class mobile threat defense solution, they had, in recent years, begun to work in the mobile app security space. Mobile security traditionally seemed to fall firmly into two camps: protect the apps so much the platform being compromised does not matter or protect the platform so much the apps being compromised do not matter. It was a revelation to see Zimperium with a foot firmly in both camps. On the one hand, Zimperium was helping build apps that are secure and aware of their platform surroundings while, on the other hand, actually providing mobile platform security. Like me, they seemed to believe that only by creating a symbiosis between the security of mobile apps and the security of the platforms and surrounding ecosystem can a mature mobile security posture be achieved in the enterprise.

In the spring of 2023, the stars aligned. While initially, I was only discussing consulting opportunities with Zimperium, after meeting with the CEO, CTO, VP of Research, product leads, and even sales and marketing leadership, they and I decided instead that we should join forces.

Having previously recognized Zimperium’s efforts to secure enterprise mobility, I was further delighted by learning of their efforts to extend that same level of protection to end-users via initiatives such as Dallas Secure. I have pushed mobile security awareness on six continents everywhere from elementary schools to Brownie troops to on campus at NSA, Oxford, and West Point to the United States Congress. Getting automated tools onto the devices and literally into the hands of end-users that truly makes them more secure in a transparent manner is a huge step forward!

While, of course, the money is always in the enterprise, bringing security to end users at scale is our duty as security professionals. I have always fancied myself a bit of an aspiring superhero and efforts like these are as close as one can come to actually being one! I am beyond excited for the opportunity to join Zimperium in these and other endeavors and I look forward to helping bring Dickens’ “spring of hope” to mobile security and society as a whole.

Avatar photo
Security Architect. View the author's experience and accomplishments on LinkedIn.