Android Security Symposium 2017

Building threat models for the mobile ecosystem

About the speakers

Joshua M. Franklin

NIST, Gaithersburg, MD, USA
Joshua M. Franklin is an information security engineer at NIST, focusing on enterprise mobile security, cellular security, and electronic voting. He graduated from George Mason University with an M.S. in Information Security & Assurance, and received a B.S. in Information Systems from Kennesaw State University. Joshua participates in numerous mobile security working groups and standards efforts, such as 3GPP and the Communications Security, Reliability and Interoperability Council (CSRIC), part of the Federal Communications Commission (FCC).

Michael Peck

The MITRE Corporation, McLean, VA, USA
Michael Peck is a security engineer at The MITRE Corporation, where he primarily focuses on mobile device security, mobile application security, and network security protocols and standards. He holds an M.S. in Security Informatics from Johns Hopkins University and a B.S. in Computer Science from the University of Virginia.

Abstract

Mobile devices and the surrounding mobile ecosystem face many security threats. This
presentation will provide an in-depth discussion and analysis of the efforts by NIST's
National Cybersecurity Center of Excellence (NCCoE) to enumerate and model these
threats, resulting in our Mobile Threat Catalogue and a mobile profile of MITRE's
ATT&CK model.

NCCoE's mobile security efforts are dedicated to solving enterprise mobile security
challenges. In talking with mobile security stakeholders, we realized there was a
need for a comprehensive catalog of threats posed to mobile devices. The resulting
Catalogue outlines a taxonomy of threats, including those faced by a mobile device
itself as well as the broader mobile ecosystem upon which the device depends. Each
Catalogue entry includes a title, exploit examples, countermeasures, and references.
The Catalogue resides on GitHub, enabling public collaboration and continuous
development.

The NCCoE and MITRE have augmented the Catalogue by building a mobile-specific
version of MITRE's ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge)
model. The mobile ATT&CK model depicts tactics and techniques used by adversaries
to gain initial access to a mobile device and then take advantage of that access to
accomplish adversarial objectives.

We will discuss how our work can benefit mobile security stakeholders, including
enabling stakeholders to depict strategies used in adversarial campaigns, identify
defensive gap areas, implement countermeasures, and determine effective security
testing strategies.
