Presentation_Liang_Wei

advertisement
The Study of Security and Privacy in Mobile Applications
Name: Liang Wei
Email: lw2425@columbia.edu
Introduction
• Why do we need to pay attention to the security and privacy
in mobile applications?
Introduction
• The reason is that now many mobile applications may try to
transfer sensitive data, for example, personal information
through the network.
Mobile Payment Application
Mobile payment applications need a secure mechanism to
protect the credit card information of the users.
Mobile Social Network Application
Mobile social network applications need to authenticate the identities of the
users at first. Only after the authentication, the mobile social network
application can start to exchange information with the server.
Mobile Database Application
Mobile database application is used for the users to make small-footprint
modifications through the mobile device. The data in the server and
mobile device are both need to be protected.
Mobile Database Application (MDA)
1.
2.
3.
4.
A mobile database is a part of a replica of the central database
The user make modifications of the mobile database at first
Synchronization occurs between the server and the mobile device to
ensure the data are the same
In order to complete the synchronization, a publication is needed. A
publication is the meta-data package of information about which data
is replicated. With the publication, the database server can
synchronize with the mobile database correctly. The publication can
only be accessed by the users after they are authenticated.
Information Risks
1. The mobile device may be stolen by malicious attacker. Then the
attacker may try to access the data stored in the device.
2. The sensitive data transferred through the network may be intercepted
by the malicious attacker.
3. The users who have no accounts of mobile applications may try to
access the server without permissions. Or they may try to log in with
others’ accounts to obtain the personal information of them.
4. The malicious users of the mobile applications may try to modify the
data in the server even if they are not granted with sufficient
permissions or they may try to access the data which are not allowed
them to obtain.
Methods to Ensure Security and Privacy in
Mobile Applications
1.
2.
3.
4.
5.
6.
Secure Network Connection
Encrypted Local Data
User Authentication
Grant Minimum Sufficient Permissions
Separate User Accounts
Applications Provided Security Mechanisms
Analysis
1. Secure Network Connection
In order to ensure that the sensitive data transferred through the
network will not be obtained by malicious attacker, we can choose a
secure network connection.
We can make use of https instead of http because all the traffic are
encrypted so that the data can be protected.
Analysis
2. Encrypted Local Data
Because the mobile device may be lost or stolen, so it is also
necessary to take some mechanisms to ensure that the data in the
device are also safe. Therefore, we can encrypt the data in the
mobile device.
Analysis
3. User Authentication
In order to keep malicious attacker from entering into the system,
user authentication is necessary.
If the mobile application is a mobile database application, then it
means that the user must be authenticated by the database server.
Only after they are authenticated then they can access the publication
to synchronize the mobile database with the database server.
Analysis
3. User Authentication
And also, user should also be authenticated at the Web Server to
protect them from accessing the Web Server just by the same URL.
Analysis
4. Grant Sufficient Minimum Permissions
The users should be granted with sufficient minimum permissions to
ensure the security and privacy in mobile applications.
For example, the user who can only view the data should not be
granted with the write permission because they may try to make
modifications as their wishes.
Analysis
5. Separate User Accounts
Sometimes we may provide a user with two accounts in order to
ensure the security and privacy in the mobile applications.
For example, a user can view all the data but only modify part of
them. Therefore, we can design two accounts. The first one is a readonly account and it can view all the data. While the other one is a
read-write account but it can only view and modify part of the data.
Analysis
6. Application Provided Security and Privacy Mechanism
The mobile application can provide other security and privacy
mechanisms.
For example, the application may encrypt and sign the data before
they enter into the secure communication link. Another example is
that the user can only access a replica of the main table of the
central database so that even if they successfully attack the replica
through the mobile application, the data in the central database can
still be protected.
Future Work
1. With the development of network infrastructure, for example,
3G to 4G, new properties should be taken into consideration to
develop new secure mechanisms.
2. Apple, Google and many other companies will release new
mobile device in the future, and they may provide new features
in their devices to ensure security and privacy. Therefore, we
need to research new devices to change our methods.
Conclusion
From my point of view, the following aspects are the basic points to
ensure security and privacy in mobile applications:
1. Secure Network Connection
2. Encryption of Sensitive Data
3. User Authentication
Almost all the applications need to pay attention to the abovementioned points so that they can protect the sensitive data.
Thank You!
Download