The Study of Security and Privacy in Mobile Applications

Name: Liang Wei
Email: lw2425@columbia.edu

Introduction

• Why do we need to pay attention to security and privacy in mobile applications?
• The reason is that many mobile applications now transfer sensitive data, for example personal information, through the network.

Mobile Payment Application

Mobile payment applications need a secure mechanism to protect the users' credit card information.

Mobile Social Network Application

Mobile social network applications need to authenticate the identities of the users first. Only after authentication can the mobile social network application start to exchange information with the server.

Mobile Database Application

A mobile database application lets users make small-footprint modifications through the mobile device. The data on both the server and the mobile device need to be protected.

Mobile Database Application (MDA)

1. A mobile database is a part of a replica of the central database.
2. The user first makes modifications to the mobile database.
3. Synchronization occurs between the server and the mobile device to ensure the data are the same.
4. In order to complete the synchronization, a publication is needed. A publication is the metadata package of information about which data is replicated. With the publication, the database server can synchronize with the mobile database correctly. The publication can only be accessed by users after they are authenticated.

Information Risks

1. The mobile device may be stolen by a malicious attacker, who may then try to access the data stored on the device.
2. The sensitive data transferred through the network may be intercepted by a malicious attacker.
3. Users who have no account for the mobile application may try to access the server without permission, or they may try to log in with other users' accounts to obtain their personal information.
4. Malicious users of the mobile application may try to modify the data on the server even if they have not been granted sufficient permissions, or they may try to access data that they are not allowed to obtain.

Methods to Ensure Security and Privacy in Mobile Applications

1. Secure Network Connection
2. Encrypted Local Data
3. User Authentication
4. Grant Minimum Sufficient Permissions
5. Separate User Accounts
6. Applications Provided Security Mechanisms

Analysis 1. Secure Network Connection

To ensure that the sensitive data transferred through the network cannot be obtained by a malicious attacker, we can choose a secure network connection. We can use HTTPS instead of HTTP: all the traffic is encrypted, so the data is protected.

Analysis 2. Encrypted Local Data

Because the mobile device may be lost or stolen, it is also necessary to have mechanisms that keep the data on the device safe. Therefore, we can encrypt the data on the mobile device.

Analysis 3. User Authentication

To keep malicious attackers from entering the system, user authentication is necessary. If the mobile application is a mobile database application, the user must be authenticated by the database server. Only after users are authenticated can they access the publication to synchronize the mobile database with the database server.

Users should also be authenticated at the Web server, so that it cannot be accessed just by using the same URL.

Analysis 4. Grant Sufficient Minimum Permissions

Users should be granted the minimum sufficient permissions to ensure security and privacy in mobile applications. For example, a user who should only view the data should not be granted the write permission, because they may try to modify the data as they wish.

Analysis 5. Separate User Accounts

Sometimes we may provide a user with two accounts in order to ensure security and privacy in the mobile application. For example, a user can view all the data but modify only part of them. Therefore, we can design two accounts. The first one is a read-only account that can view all the data. The other one is a read-write account that can only view and modify part of the data.

Analysis 6. Application Provided Security and Privacy Mechanism

The mobile application can provide other security and privacy mechanisms. For example, the application may encrypt and sign the data before they enter the secure communication link. Another example is that the user can only access a replica of the main table of the central database, so that even if they successfully attack the replica through the mobile application, the data in the central database can still be protected.

Future Work

1. With the development of network infrastructure, for example from 3G to 4G, new properties should be taken into consideration to develop new security mechanisms.
2. Apple, Google and many other companies will release new mobile devices in the future, and they may provide new features in their devices to ensure security and privacy. Therefore, we need to research new devices and adapt our methods.

Conclusion

From my point of view, the following aspects are the basic points to ensure security and privacy in mobile applications:

1. Secure Network Connection
2. Encryption of Sensitive Data
3. User Authentication

Almost all applications need to pay attention to the above-mentioned points so that they can protect sensitive data.

Thank You!
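
The two-account design from Analysis 4 and 5, as an added example that is not part of the original slides: the server decides which rows are replicated to the device for each account and re-checks every change uploaded during synchronization instead of trusting the mobile replica. The account names, the table rows and the `region` column used to scope the read-write account are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:
    name: str
    can_write: bool
    regions: Optional[frozenset]  # None = may view every row

# Constructed accounts for one user (hypothetical names).
READER = Account("alice_ro", can_write=False, regions=None)
WRITER = Account("alice_rw", can_write=True, regions=frozenset({"east"}))

def new_central():
    """Constructed central table: row id -> row."""
    return {1: {"region": "east", "qty": 5}, 2: {"region": "west", "qty": 7}}

def in_scope(account, region):
    return account.regions is None or region in account.regions

def visible_rows(account, central):
    """Copy of the rows that may be replicated to this account's device."""
    return {rid: dict(row) for rid, row in central.items()
            if in_scope(account, row["region"])}

def apply_sync(account, central, changes):
    """Apply (row_id, field, value) changes uploaded by the device.

    Returns (applied_ids, rejected) where rejected holds (row_id, reason).
    """
    applied, rejected = [], []
    for rid, field, value in changes:
        row = central.get(rid)
        if not account.can_write:
            rejected.append((rid, "account is read-only"))
        elif row is None or not in_scope(account, row["region"]):
            rejected.append((rid, "row outside account scope"))
        elif field not in row:
            rejected.append((rid, "unknown field"))
        elif field == "region" and not in_scope(account, value):
            rejected.append((rid, "change would move row out of scope"))
        else:
            row[field] = value
            applied.append(rid)
    return applied, rejected
```

Rejected entries are worth logging on the server, since a device that uploads out-of-scope changes is either misconfigured or has had its local replica tampered with.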