Leom_Research_Proposal

Table of Contents
1. Introduction
1.1 Introduction
1.2 Rise of smartphone
1.3 Risk of smartphone
1.4 Introducing remote wipe
2. Research Question
2.1 Theoretical attack on ADM
2.2 Formulating research questions
3. Research Scope
4. Literature Review
4.1 Discussion on patents
4.2 Number of overwrites
4.4 Flash translation layer
4.5 File system
4.6 Summary
Legal Authorities
References
Security Aspect of Remote Wiping in Android
Table of Figures
Figure 1: Remote wiping process in ADM
Figure 2: ADM web interface
Figure 3: ADM app interface
Figure 4: Erase device prompt
Figure 5: Web traffic between web browser and Google's web server
Figure 6: Capturing banking instruction in CSRF
Figure 7: Asking victim to execute the instruction
Figure 8: Web traffic between Smartphone and Internet
1. Introduction
1.1 Introduction
From 2010 onwards, the world has witnessed tremendous growth in smartphone sales and
adoption. According to an International Data Corporation report (International Data
Corporation 2014), the worldwide market reached a milestone in 2013 when vendors shipped
over a billion smartphones. That is an increase of 38.4 percent on 2012's 725.3 million
shipments and more than double the 494.4 million smartphones shipped in 2011. This has in
turn further increased the penetration rate of smartphones among the world's population.
1.2 Rise of smartphone
The contemporary smartphone industry has its roots in the feature phone industry that
preceded it and is still somewhat vibrant in many countries (Head 2013). The shift from the
earlier mobile devices, known as "feature phones" because they were mostly the sum of their
features, to devices labelled "smartphones" with more cross-functional usability has been
gradual and relatively seamless. A feature phone is generally defined as a mobile device that
does not run one of the four most popular smartphone operating systems (OS) (Smith 2012,
p. 2): iOS, Android, BlackBerry, and Windows Phone. As technology advances, the mobile
device industry will keep shifting more and more towards these so-called smartphones. This
can be observed in the fact that global annual smartphone sales surpassed sales of feature
phones for the first time in 2013.
Many observers note that the smartphone industry started to grow rapidly after the release
of Apple's iPhone in 2007 (Paik & Zhu 2013, p. 10; Müller et al. 2013, p. 1). The term
"smartphone" was allegedly coined around 1997 (Müller et al. 2013, p. 1), and the first mobile
device that could be considered a smartphone shipped in 1999 (Raento, Oulasvirta & Eagle
2009, p. 429), while the first smartphone to penetrate the mobile device market was arguably
the Nokia 6600, introduced in 2003, which sold 2 million units in four months (Nuttall, cited
in Raento, Oulasvirta & Eagle 2009, p. 430). The trend of radical change that is common in
the mobile device industry today is said to have started with the introduction of the
commercial 3G mobile device by NTT DoCoMo in 2001 (Hsieh & Hsieh 2013, p. 309).
Many may ask what exactly a "smartphone" is. Carayannis and Clark (2011, p. 212) raised
the difficulty of finding an accurate description of the capabilities of this device. They
went on to state that a smartphone should have the following properties: intelligent,
wireless, rich-media technologies, in the service of smarter business. These properties are
too generic, as a feature phone can also be considered "wireless", and the property of
"smarter business" applies only within the authors' own paper. Raento, Oulasvirta, and Eagle
(2009, p. 427) defined a smartphone as a "programmable mobile device" equipped with
relatively sophisticated sensing capabilities, increasing storage capacity, and built-in
networking to access the Internet. Although the capabilities listed are fairly reliable for
differentiating a smartphone from a "feature phone", the term "programmable" is confusing.
Raento, Oulasvirta, and Eagle referred to programmability as the ability that allows subtle
control over events taking place in the phone, but did not explain the keywords "control"
and "events". They pointed out that programmability of a mobile device allows research tools
to be created flexibly. This is not applicable to the general consumer who uses a smartphone
for personal or business use. From the consumer's perspective, however, programmability can
be interpreted as the ability to install additional applications, commonly known as "apps" in
the smartphone industry, to extend the functionality of the smartphone. Thus, another
property of a smartphone is extensibility (see Table 1 for a comparison).
Features                                         Feature Phone   PDA       Smartphone
Personal organiser                               Limited         Yes       Yes
Telephony                                        Yes             No        Yes
Sensors (e.g. gyroscope, accelerometer,          No              No        Yes
  compass, proximity, etc.)
Storage capacity                                 Limited         Limited   Large
Internet access                                  No              No        Yes
Table 1: Comparison for different types of mobile device
At the same time, computing power has doubled on average every 1.5 years since 1975,
outperforming even Moore's Law (Intel Corporation 2006). This trend has also given rise to
ever-escalating computing power at lower cost (Markoff 2007). As a result, smartphone prices
are also on a downward trend (The Economist 2009). Admittedly, acquiring the latest
top-of-the-range smartphone has never been drastically cheaper; however, a consumer can
always purchase a previously top-of-the-range smartphone, which is still powerful enough, at a
much lower price years later. Today, a smartphone has become a necessity for many of us: we
use it as an alarm, to make schedules, check e-mail, save memos, and communicate through
social apps (Park et al. 2013, p. 2). Most of these functions can also be found in another
type of mobile device, the Personal Digital Assistant (PDA). A PDA basically provides an
electronic version of a personal organiser (e.g. diary, calendar, address book, to-do lists,
note and memo pads, and clock) (Anderson & Blackwood 2004, p. 4). A smartphone, on the other
hand, is a mobile device that includes PDA functionality, since most PDAs are not equipped
with telephony or cellular capability (Punja & Mislan 2008, p. 1) (see Table 1).
1.3 Risk of smartphone
Because smartphones are used so broadly in everyday life, many users knowingly and
unknowingly save much of their personal information, such as e-mail passwords, schedules,
business documents, and personal photographs, on their phones. Though the portability of a
smartphone makes it convenient to carry, such a compact device is also prone to loss and
theft. It is estimated that 150,000 mobile devices are reported lost or stolen every year in
Australia (AMTA 2011). More than 30,000 mobile devices were stolen in London alone in 2013
(Lynn & Davey 2014). Loss of a smartphone, whether accidental or through theft, exposes the
user to loss of any data stored on the device, especially personal information.
With the advent of cloud storage services (e.g. Dropbox, Apple's iCloud, and Google Drive)
available to smartphones, where data can be backed up automatically and frequently using the
smartphone's always-on Internet connection, there is a fair chance that the user can retrieve
the information. The more serious issue is the information leakage or breach that results
from the loss of a smartphone, which could be detrimental if the device falls into the wrong
hands. More often than not, the cost of the hardware or any purchased software is trivial
compared to the cost of the information it contains. In a study, or social experiment,
conducted by Symantec (2012), 50 smartphones were intentionally "lost" and then monitored for
access attempts. The report showed that 96 percent of the lost smartphones were accessed by
their finders, out of inherent human curiosity. The report also highlighted the difficulty of
regaining possession of a lost smartphone: in only 50 percent of cases did the finder attempt
to contact the owner, despite the fact that the owner's contact information was clearly shown
on the phone.
1.4 Introducing remote wipe
To mitigate the issue of data leakage, a remote wiping feature has been introduced to
smartphone OSs. This feature essentially allows the owner to send a command remotely, from
another location, to the lost smartphone; once the smartphone receives the command, it wipes
the whole device or selected data. The command used to initiate the wiping operation has been
nicknamed the "kill pill" (Caldwell 2011, p. 8) or "poison pill" (Hansen 2010, p. 3; Burnett,
Friedman & Rodriguez 2011, p. 57). Readers well versed in business terms might know "poison
pill" as a "shareholder rights plan" adopted to impose financial burdens on a hostile buyer
seeking to acquire a firm (Ryngaert 1988, p. 377; Davis 1991, p. 583), but that meaning is
unrelated here. The term as used here refers to a pill that, once swallowed, would enable a
person to end their life if they wished to do so (Rurup et al. 2005, p. 520). So, in the
context of smartphones, the "kill pill" essentially instructs the smartphone to "kill" itself
by destroying its data.
BlackBerry phones are well known to be used by US government officials, so naturally their
operation must conform to the government's strict security policies. A remote wiping feature
has been available in BlackBerry OS since version 4.2, estimated to have been released almost
a decade ago; version 4.0 shipped in early December 2004 (Evers & Johnston 2005, p. 3).
Remote wiping came to Apple's iPhone OS (now called iOS) in version 3.0 through a service
called "Find My iPhone" (Ogg 2009). At that time, however, "Find My iPhone" was only
available to subscribers of the now-defunct MobileMe service. MobileMe was replaced by iCloud
and discontinued from June 2012 onwards (Mayers & Lee 2011). It was not until the release of
iOS 4.2 in November 2010 (Apple 2010) that Apple decided to offer the "Find My iPhone"
service for free (Aomoth 2010).
In August 2013, Google announced the availability of Android Device Manager (ADM) for
devices running Android 2.2 or above (Poiesz 2013). ADM allows a user to remotely ring,
track, and wipe a lost phone through the Google Account website. ADM was subsequently
updated to allow the user to remotely lock the phone by adding a screen lock. ADM was then
made accessible from an app, so a user can, for instance, remotely wipe the lost phone from
another phone linked to the same account (Google n.d.). This announcement made the
capability of finding and managing a lost phone an official feature of Android, where
previously it was only available through third-party apps.
2. Research Question
2.1 Theoretical attack on ADM
Figure 1: Remote wiping process in ADM.
The figure above shows the process of initiating a remote wipe through Android Device
Manager. The steps are outlined below:
1. The user accesses ADM either through a web browser (see Figure 2) or through Google's
official app (see Figure 3), then chooses the "Erase" option to initiate remote wiping.
2. After the user confirms (see Figure 4), Google sends the wiping command.
3. Once the user's lost smartphone receives the command, data erasure commences.
Figure 2: ADM web interface.
Figure 3: ADM app interface.
Figure 4: Erase device prompt
Given the destructive nature of the remote wiping feature, it has to be implemented securely
so that the erasure action on the smartphone can only be triggered by the owner or an
authorised person. Suppose instead that ADM were weakly implemented, allowing an adversary
to send the wipe command to any smartphone, essentially wiping any smartphone it wanted.
Figure 5: Web traffic between web browser and Google's web server
In these theoretical attacks, an adversary can spoof the command from two sources. The
first method is to spoof the request made by the user through the ADM website or app. In
this case, the attacker targets the communication between the user and Google's web server
(see Figure 5). On the web, attackers have long used a technique called cross-site request
forgery (CSRF) to spoof such requests. To illustrate the technique, imagine a user called Bob
who is transferring funds using online banking from account A to account B, both of which
are his own accounts. Bob captures the command "TRANSFER FUND FROM MY ACCOUNT TO
ACCOUNT B WITH $100" that his browser sends to the web server to instruct the bank to
execute the transaction (see Figure 6). Note that the instruction names the destination but
not the source: "my account" is whichever account the server associates with the session
cookie that the browser attaches to the request. Alice is logged in to the same online
banking website at the same time. Bob sends Alice a web link (URL) that contains the
command. When Alice opens the link, her browser sends the same instruction to the web server
together with her own session cookie (see Figure 7). Unbeknownst to Alice, she has just
transferred $100 from her own account to Bob's account B. The standard defence is to require
an unpredictable per-session token in the request, which a page on another site cannot obtain.
Figure 6: Capturing banking instruction in CSRF
Figure 7: Asking victim to execute the instruction
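The banking scenario in Figures 6 and 7 can be run end to end in a few dozen lines. The following is an added example written for this proposal, not code from the original document, from any bank, or from ADM: it models a cookie-authenticated "transfer" endpoint and a browser that attaches stored cookies to every request for that origin, which is the property CSRF abuses. The account names, amounts, origin string and the `csrf_token` form field are this example's own assumptions. Run with `require_csrf_token=False` the forged request drains Alice's account; with `True` the server demands the per-session token that Bob's page cannot know, and the forgery is rejected while Bob's own transfer still succeeds.

```python
import secrets


class BankServer:
    """Toy online-banking backend, constructed for this example (not a real bank API).

    Authentication is cookie-based: every request carrying a valid session cookie is
    treated as coming from that user, and "my account" means that user's account.
    That property is exactly what CSRF abuses.
    """

    def __init__(self, origin: str, require_csrf_token: bool):
        self.origin = origin
        self.require_csrf_token = require_csrf_token
        self.balances = {"alice": 500, "bob_a": 100, "bob_b": 0}   # constructed data
        self.sessions = {}      # session cookie -> account owner
        self.csrf_tokens = {}   # session cookie -> unpredictable per-session token

    def login(self, account: str) -> str:
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = account
        self.csrf_tokens[cookie] = secrets.token_hex(16)
        return cookie

    def transfer_page(self, cookie: str) -> dict:
        """The genuine transfer page embeds the session's token in the form. A page on
        another origin cannot read it (same-origin policy), so a forged form lacks it."""
        return {"csrf_token": self.csrf_tokens[cookie]}

    def transfer(self, cookies: dict, form: dict) -> str:
        owner = self.sessions.get(cookies.get("session"))
        if owner is None:
            return "rejected: not logged in"
        if self.require_csrf_token and not secrets.compare_digest(
                form.get("csrf_token", ""), self.csrf_tokens[cookies["session"]]):
            return "rejected: missing or wrong CSRF token"
        amount = int(form["amount"])
        if self.balances[owner] < amount:
            return "rejected: insufficient funds"
        self.balances[owner] -= amount          # source = whoever the cookie says
        self.balances[form["to"]] += amount
        return f"transferred {amount} from {owner} to {form['to']}"


class Browser:
    """Models the one browser behaviour that makes CSRF work: cookies stored for an
    origin are attached to every request to that origin, whichever page started it."""

    def __init__(self):
        self.cookie_jar = {}   # origin -> {cookie name: value}

    def login(self, site: BankServer, account: str) -> None:
        self.cookie_jar[site.origin] = {"session": site.login(account)}

    def submit(self, site: BankServer, form: dict) -> str:
        return site.transfer(self.cookie_jar.get(site.origin, {}), form)


def run_csrf_scenario(require_csrf_token: bool) -> dict:
    bank = BankServer("bank.example", require_csrf_token)
    bob, alice = Browser(), Browser()
    bob.login(bank, "bob_a")
    alice.login(bank, "alice")

    # Figure 6: Bob captures the instruction his own browser sends for a legitimate
    # transfer from "my account" to account B. It names the destination but not the
    # source; the source is implied by whichever session cookie accompanies it.
    captured = {"to": "bob_b", "amount": "100"}
    captured.update(bank.transfer_page(bob.cookie_jar[bank.origin]["session"]))
    bob_result = bob.submit(bank, captured)

    # Figure 7: Bob sends Alice a link that submits the identical instruction. Alice's
    # browser attaches *her* session cookie, so "my account" now means Alice's account.
    alice_result = alice.submit(bank, dict(captured))

    return {"bob": bob_result, "alice": alice_result, "balances": dict(bank.balances)}
```

The token check is a comparison against a value stored per session on the server; the captured form carries Bob's token, which is worthless against Alice's session. Modern browsers add a second layer (SameSite cookie attributes) that stops the cookie being attached to cross-site requests in the first place, but the per-request token remains the defence a server can enforce on its own.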
Another way of spoofing the command is through a "replay" attack. This targets the
communication between Google's web server and the smartphone (see Figure 8).
Figure 8: Web traffic between Smartphone and Internet
If an adversary manages to capture the "wiping" command sent by Google, the adversary can
send the same command to another smartphone to wipe it. A "replay attack" captures a message,
or a piece of a message, that is then used at a later time (Syverson 1994, p. 187). From
another perspective, this attack can also be launched to "replay" the request made by the
user to Google to wipe the user's smartphone.
2.2 Formulating research questions
The potential ways of abusing ADM are not limited to CSRF or replay attacks. Various
ways will be discussed in detail in the section on the experiment setup. The purpose of this
research is to explore the potential misuse of ADM. Therefore, the question this thesis
seeks to answer is:
1. Can remote wipe operation in Android Device Manager (ADM) be abused to wipe
other's Android phone?
Since there are two points at which the abuse can happen, as shown in Figure 5 and Figure 8,
the above question can be divided into two sub-questions:
1.1. Can the remote wipe request made to the Android Device Manager (ADM) system be
abused?
1.2. Can the remote wipe command sent by the Android Device Manager (ADM) system be
abused?
If an Android smartphone can be wiped through ADM without the user's request, this will be
a finding that shows a security weakness in ADM. In the event that no such security weakness
can be found, the limitations of the various attack techniques used will be discussed. There
is also the possibility that the wipe "command" itself cannot be captured because of
implementation measures in place to prevent such a message from being identified and
extracted. Those measures will be discussed as well.
There is another important question that needs to be explored. After a lost smartphone has
been successfully wiped through ADM, is there any data left, especially personal information?
There is a possibility that traces of personal information remain even after the wipe.
Therefore, this thesis also seeks to answer:
2. Can personal data be recovered after being remotely wiped?
If traces of personal data are found in the phone's storage even after it has been wiped
through ADM, this will be a finding that the user's data is not protected from leakage by
ADM. If no such data can be found, this still does not show that the data does not exist; it
could be a limitation of the tools used. In that case, the popular tools used to recover data
on the Android platform can be evaluated, thus creating a benchmark.
The aim of answering all the questions above is to determine whether there is any security
weakness in ADM. Regardless of whether such a weakness is found, it is hoped that this
research will assist the smartphone industry, not just the Android platform, in formulating
best practices for implementing the remote wiping feature.
3. Research Scope
Although this research may be abstracted and applied as a means of discussing the remote
wiping process on any platform, it focuses only on mobile phones, specifically smartphones.
As discussed in Section 4 (Literature Review), remote wiping features can be found on several
smartphone platforms, but this research focuses only on the Android platform. The current
smartphone market is largely dominated by four operating systems (OS), namely Google's
Android, Apple's iOS, Microsoft's Windows Phone, and BlackBerry (IDC 2014). Google's Android
is chosen simply because it has the largest market share of the four in terms of unit
shipments: it is estimated that Android holds 78% (Gartner 2014) to 81% (IDC 2014) of the
smartphone market.
The remote wiping feature is usually implemented by the operating system, so it is a
software-level implementation. There is also a hardware-level implementation introduced by
Intel, called Anti-Theft Technology (Intel AT). Intel AT allows a user to remotely lock down
a laptop equipped with supported hardware. The laptop, including its hard drive, stays locked
down even if the hard drive has been removed (Caldwell 2011, p. 8; Intel 2010). Although
Intel AT and remote wiping share the same purpose, namely preventing the data stored in a
lost device from being accessed, Intel hardware is mostly found in desktops and laptops and
rarely in smartphones, so Intel AT is beyond the scope of this research. Most importantly,
Intel AT is to be discontinued from January 2015 (Intel 2013).
In another embodiment, the remote wipe feature can be implemented over any wireless data
communication channel supported by the smartphone, such as Wi-Fi, Bluetooth, the cellular
network, and so on. As discussed in Section 4 (Literature Review), several patents have been
granted to telecommunication companies and mobile phone manufacturers, and those patents
mostly address remote wiping in the context of cellular network infrastructure. This research
involves intercepting traffic between a smartphone and the server that sends the "wipe"
command. Gathering the data exchanged over a cellular network is not without its challenges.
The first issue is the requirement for specialised hardware (McGowan, Dover & Kerber 1999).
In order to capture the data, the researcher needs to set up a radio transmitter that
functions as a base transceiver station (BTS) (Androulidakis 2011, p. 284). Since a mobile
phone will connect to whichever base station has the stronger signal, a mobile phone can be
manipulated into connecting to the researcher's "fake" base station by placing it near the
phone. Such hardware can certainly be acquired with proper funding.
However, the biggest challenge is performing the interception without breaking the law
(Glendrange, Hove & Hvideberg 2010, p. 3). Since a mobile phone connects to a base station
automatically, how does the researcher ensure that only the researcher-controlled smartphone
connects to the "fake" base station? There is a possibility that an outsider's mobile phone,
not part of the experiment, somehow connects to the "fake" base station. In such a scenario
the researcher would be eavesdropping on somebody else's traffic, which is illegal in
Australia (Telecommunications (Interception and Access) Act 1979). The researcher could
stumble into this legal implication even though it is not the researcher's intention. In
contrast, in a Wi-Fi environment the researcher can set up an access point (AP) in such a way
that a phone has to be manually joined to the AP, thus preventing unwanted phones from
connecting to it. In this environment, the researcher can make sure that only the
researcher's own mobile phone is intercepted. All in all, analysis of the remote wipe command
will only be attempted on the Internet connection through Wi-Fi.
As mentioned in Section 2 (Research Question), one of the main aims of this research is to
explore the possibility of a third party triggering the "wiping" action on an Android phone
through ADM without the owner's knowledge. This could be achieved through several hacking
techniques. In June 2014, many Australians found that their iPhones had been remotely locked
through Apple's Find My iPhone service, which is Apple's counterpart to ADM. Although this
highlights the fact that a similar incident could happen with ADM, it should be noted that
the cause of that incident was probably user account compromise (Turner 2014). User account
compromise is not considered a weakness in the implementation of remote wiping in any OS,
so this factor is out of scope for this research. As a side note, a user can prevent an
adversary from using his or her Google account (the account used by ADM) even if the account
password has been compromised, by enabling the two-factor authentication currently offered
by Google (Higgins 2013).
4. Literature Review
The advent of the remote wiping feature was a decade ago, when it was introduced to
BlackBerry OS. The underlying process is likely to be similar across platforms, so the
purpose of this literature review is to explore how remote wiping of a mobile phone is done
and what wiping method is used. The literature search was conducted on Google Scholar,
ScienceDirect, and IEEE Xplore using the following search terms: remote (wipe OR wiping),
(sanitize OR sanitization) mobile phone, secure (erase OR delete) (flash OR NAND). "Flash"
and "NAND" are used because flash memory is the current storage technology in mobile phones.
4.1 Discussion on patents
There are several patents on designing a system that allows a user to remotely wipe a lost
phone. Angelo, Novoa, and Olarig (2003) designed a security system made up of the user's
portable device and a security station. The security station can be a computer or a data
centre. When the user loses the portable device, the user reports it to the security station.
The security station then sends a security message wirelessly to the portable device which,
upon receipt, performs digital self-destruction. The patent addresses potential security
issues in each step: first by authenticating the user who reports the loss, and by requiring
more than one person operating the security station to authorise sending the security
message, to address the issue of a rogue employee. The process then moves on to the use of
various combinations of asymmetric key pairs, symmetric keys, and digital signatures to
secure the security message and authenticate the security station. In its most basic form,
the patent suggests that the security station should encrypt the security message using the
device's private key; upon receipt, the device decrypts it using the corresponding public key
to authenticate the source of the security message (in present-day terms this is a digital
signature: only the holder of the private key can produce a message that the public key
verifies). The private key is suggested to be encrypted using the user's password, since the
security station could be compromised. The concern of a replay attack, whereby an adversary
intercepts a security message and retransmits it to the same device, can be addressed by
including a unique value that changes every time, possibly by using a time-based one-time
password (TOTP) algorithm.
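The replay attack from section 2.1 (a captured wipe command forwarded to a second phone, or resent to the same one) and the countermeasure this patent proposes (authenticate the station, and put a unique value in every message) can be shown together in one runnable model. The following is an added example written for this proposal; it is not code from the original document, from any of the patents, or from ADM. It uses an HMAC as a stand-in for the patents' public-key authentication, because Python's standard library has no signature primitive; the field names, the 300-second freshness window, the in-memory nonce set, the constructed clock value and the device identifiers are all assumptions of the example. The `NaiveDevice` is the weak implementation hypothesised in section 2.1; the `HardenedDevice` applies the checks in the order a practitioner would (authenticity, addressee, freshness, nonce reuse).

```python
import hashlib
import hmac
import json
import secrets


def canonical(body: dict) -> bytes:
    """Stable serialisation so that station and device authenticate identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_wipe_command(station_key: bytes, device_id: str, issued_at: int) -> dict:
    """Security-station side. The command names its target device, carries the issue
    time and a fresh random nonce (the patent's "unique value"), and is authenticated
    with an HMAC over all of those fields. Field names are this example's own."""
    body = {"action": "wipe", "device_id": device_id,
            "issued_at": issued_at, "nonce": secrets.token_hex(16)}
    tag = hmac.new(station_key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


class NaiveDevice:
    """The weak implementation hypothesised in section 2.1: any message that says
    "wipe" is obeyed, so a command captured in transit can be replayed to any phone."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        self.wiped = False

    def receive(self, command: dict, now: int) -> str:
        if command.get("action") == "wipe":
            self.wiped = True
            return "wiped"
        return "ignored"


class HardenedDevice:
    """Checks, in order: authenticity of the message, that it is addressed to this
    device, that it is recent, and that its nonce has not been seen before."""

    def __init__(self, device_id: str, station_key: bytes, window_seconds: int = 300):
        self.device_id = device_id
        self.station_key = station_key
        self.window = window_seconds        # freshness window is an assumption
        self.seen_nonces = set()            # would be persisted to flash in practice
        self.wiped = False

    def receive(self, command: dict, now: int) -> str:
        body = {k: v for k, v in command.items() if k != "tag"}
        expected = hmac.new(self.station_key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(command.get("tag", ""))):
            return "rejected: bad tag"
        if body.get("device_id") != self.device_id:
            return "rejected: addressed to another device"
        if abs(now - int(body["issued_at"])) > self.window:
            return "rejected: outside freshness window"
        if body["nonce"] in self.seen_nonces:
            return "rejected: replayed nonce"
        self.seen_nonces.add(body["nonce"])
        self.wiped = True
        return "wiped"


def run_replay_scenario() -> dict:
    # One station key known to all devices, standing in for the station's signing key.
    station_key = secrets.token_bytes(32)
    now = 1_700_000_000                       # constructed clock value

    # Weak deployment (Figure 8): a command captured on its way to phone A is
    # forwarded to phone B, which obeys it.
    captured = make_wipe_command(station_key, "phone-A", now)
    naive_outcome = NaiveDevice("phone-B").receive(captured, now + 5)

    # Hardened deployment: the same captured command against checking devices.
    phone_a = HardenedDevice("phone-A", station_key)
    phone_b = HardenedDevice("phone-B", station_key)
    genuine = phone_a.receive(captured, now + 5)                # first delivery
    replay_same_device = phone_a.receive(captured, now + 10)    # resent to phone A
    replay_other_device = phone_b.receive(captured, now + 10)   # forwarded to phone B
    readdressed = dict(captured, device_id="phone-B")           # attacker edits target
    tampered = phone_b.receive(readdressed, now + 10)
    stale = HardenedDevice("phone-A", station_key).receive(
        make_wipe_command(station_key, "phone-A", now), now + 3600)

    return {"naive": naive_outcome, "genuine": genuine,
            "replay_same_device": replay_same_device,
            "replay_other_device": replay_other_device,
            "tampered": tampered, "stale": stale,
            "phone_b_wiped": phone_b.wiped}
```

The device identifier is deliberately inside the authenticated body, so the cross-device replay fails on the addressee check and any attempt to edit the target fails on the tag. With per-device keys rather than the single station key assumed here, the forwarded command would already fail at the tag check; the addressee check then costs nothing and guards against key-sharing mistakes. The nonce set must survive reboots for the replay check to hold after power loss, which is the part a real implementation has to get right.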
BlackBerry Limited (formerly known as Research In Motion, RIM) holds a similar patent on
remote wiping (Brown et al. 2011). Given the nature of BlackBerry products, the system
described in the patent focuses on Mobile Device Management (MDM) and Bring Your Own Device
(BYOD) in the enterprise environment. The system allows each data type (e.g. messages,
calendar, address book, etc.) to be assigned an authorisation level. When a remote wipe or
encrypt command is issued, the command includes an indicator of the issuer's authorisation
level (whether the user or IT support), so only a person with an authorisation level equal to
or exceeding that of the data type is able to modify it. The command can be issued for
selected data types only. The authorisation levels are used by the server to construct an IT
policy that is transmitted to the mobile device. The patent also mentions authentication of
the server that issues the command: the server first encrypts the command message, and
successful decryption by the client device thus authenticates the source of the command. The
mobile device then flags the desired data to be wiped or encrypted. As for the security of
the flag, it is mentioned that it should not be removable, so an adversary cannot circumvent
the wipe command.
BlackBerry Limited also holds another patent in which remote wiping can be triggered
through voicemail. The purpose of the design is to extend the features found in a voicemail
system. In the case of a lost device, the owner calls the lost device and is prompted to
leave a voicemail message. The system authenticates the user with a password, and once a
valid password is entered, the voicemail system offers a variety of options. From these, the
owner can choose the wipe option; once it is selected, the voicemail server requests the
network server (provided either by the carrier or by the owner's enterprise) to send the wipe
command to the lost device. There is no mention of verification between the voicemail server
and the network server, as the patent assumes both servers trust each other. Verification
between the network server and the mobile device is also not mentioned.
The next patent, although not related to remote wipe, concerns lost device management.
The patent is held by Acco Brands, a manufacturer of office products (Cavacuiti & Merrem
2003). The purpose of the system is to alert the user when the user's portable device is
separated from the user by a distance exceeding a predetermined threshold. The system
involves a transmitter attached to the portable device and a receiver carried by the user.
The transmitter transmits a signal to the receiver at intervals and the receiver calculates
the distance. If the distance is too great, the receiver alerts the user. There is
consideration of encoding the signal to uniquely identify the transmitter. The system does
not address what happens to the mislocated portable device. This patent has been implemented
in Acco's Kensington Proximo [1], although there are similar third-party products made by
start-up companies such as Tile [2], SticknFind [3], and Gecko [4].
Sony Ericsson, a mobile phone company (now known as Sony Mobile, a wholly owned
subsidiary of Sony), holds a patent on remotely disabling a mobile device (Gajdos & Kretz
2006). The patent covers the process of disabling a mobile device over a cellular network
connection (e.g. GSM and CDMA). Verification is performed using asymmetric keys (the control
centre encrypts with its private key and the mobile device decrypts using the control
centre's public key), but only so that the mobile device can verify the identity of the
control centre. After verification, the control centre sends disabling data to the mobile
device. The disabling data can comprise instructions to disable at least one function of the
phone, to enable certain functions such as tracking and software update, or to re-enable
disabled functions. The patent mentions remote wiping, and wiping by overwriting with only
zeros or ones, but the wiping is only for removing program instructions in order to
permanently disable certain functions. Verification of the user's identity can be done
through username and password. (SyncML) (override disable command)
Nokia, a mobile phone company, holds a patent on remotely disabling personal data in a
mobile device (Kenney 2005). The system assumes deployment in the cellular network
infrastructure and allows the user to request that the cellular network operator disable or
erase the lost phone. Upon successful verification of the person reporting the loss (through
a password or security question), the cellular network broadcasts a disable signal to the
phone. The disable signal can be made up of commands to disable the keypad, blank the
screen, sound an alarm, and erase data. After the commands have been executed by the phone,
the phone replies with a signal verifying that the commands have been carried out
successfully. Verification between the device and the cellular network is not considered.
[1] http://www.kensington.com/kensington/us/us/s/3068/proximo.aspx
[2] http://www.thetileapp.com/
[3] https://www.sticknfind.com/
[4] http://geckotag.me/
Toshiba Japan holds a patent in which the system allows a remote wiping command to be
triggered via e-mail. The system allows the device owner to send an e-mail that will be
received by the device and trigger remote wiping. The user has to initially set up a
password and a security level on the device. The security level determines which data should
be erased if a remote wipe command is received, or whether the device should simply be
locked. In the case of a lost device, the owner sends an e-mail with the password in a
header field; when the device receives the e-mail, it checks whether a password is attached
in the header field. If there is no password, the e-mail is treated as a normal e-mail. If
there is a password, the device compares it to the password stored in memory (previously set
by the owner) and, if the password is valid, proceeds with erasing data. Note that, as
described, the wipe authorisation rests on a single static password carried in the message
header, so anyone able to read the e-mail in transit or on a mail server learns the password
and can send the same command again.
AT&T, a telecommunications company based in the US, holds a patent on a system that allows remote disablement of a mobile device (Sennett & Daly 2013). The patent focuses on the cellular network infrastructure, given the nature of its holder, and mainly on the method of sending a disable command to the mobile device. The command is sent in the form of a disable signal through any communication link in the PSTN. The signal can be sent with a unique address so that it is received only by the intended device, or it can be received by all devices but processed only by the intended device. Upon receiving the disable signal, the mobile device broadcasts an authentication request, to which the cellular network responds with an authentication signal. This confirms that the sender of the disable signal is authorised to order a disablement. The mobile device can be any device that meets the criteria specified in the patent. The disablement only targets the CPU and memory storage, but the mobile device may be designed in such a way that it relies on the CPU and memory to access the network. The disablement can be permanent/non-reversible or non-destructive, by erasing flash memory or firmware. The disablement can also be a 'lockout', from which the mobile device can be re-enabled with a valid password.
Good Technology, a provider of MDM solutions, holds a patent involving a system to protect data in a portable electronic device (Muratov & Foley 2007). The data is encrypted, and a valid password must be entered upon powering on (if a grace period is exceeded) to decrypt the data. If the number of password attempts exceeds a user-defined limit, or the device is not synced within a user-defined period, the encrypted data is erased. The encryption key is regenerated each time the user enters a valid password. The patent does not specify an encryption algorithm, although Blowfish is mentioned. Hashing the password is also not mandatory, although MD5 is mentioned. The erasure method is not specified either: bit-wiping is mentioned, but not the bit-wiping algorithm.
Onyon, Stannard, and Ridgard (2007) hold a patent regarding mobile phone auto destruct. The patent describes a system that allows a user to remotely wipe or encrypt a lost device. The user initially activates the remote wipe feature on a phone through a website or an app. The user can then request the web server to issue a wipe command to the lost device, but the command can also be sent to the device via a specially formatted SMS, an e-mail, or a network connection. There is no mention of a specific wireless communication link. An alternative method is to let the device poll the server at an interval to check whether a remote wipe command is pending. Verification between the device and the server is through digital certificates, where the initial set-up may be configured with the server's certificate. The system also considers the situation where an attacker repeatedly reboots the phone upon receipt of the wipe command. The system also allows an override function: upon receiving the wipe command, the device prompts for an override code and terminates the wipe command if it is entered correctly. The system also allows the user to configure the scope of the data to be wiped. SyncML
4.2 Number of overwrites
Most of the patents mentioned above do not describe the wiping method, except for a few which mention overwriting data with zeros or ones, or 'bit-wiping'. It is widely agreed that erasing data should involve overwriting the original data to make it unrecoverable (Gutmann 1996; Garfinkel & Shelat 2003, p. 19) or sanitising it (Hughes & Coughlin 2006; Wei et al. 2011, p. 2). Data sanitisation can be performed using software running in the operating system (OS) or using firmware-based methods such as ATA Secure Erase (Hughes & Coughlin 2002). The US National Institute of Standards and Technology (NIST) (Kissel et al. 2012, pp. 28-29) and the Australian government (2014, p. 147) recommend the ATA Secure Erase command if available, and otherwise overwriting the media at least once in its entirety. Some (Garfinkel & Shelat 2003, p. 21; Joukov, Papaxenopoulos & Zadok 2006, p. 62) agree that overwriting once is adequate. The number of times data should be overwritten has been a subject of controversy (Wright, Kleiman & Sundhar 2008), especially since Gutmann (1996) suggested 35 passes. Gutmann (2003) later clarified that a few passes should be fine and that 35 passes were only suggested to cover a wide range of hard drive encoding methods. Garfinkel and Shelat (2003, p. 21) argued that Gutmann's demonstration of recovering data even after overwriting it once was possible because older hard drives had some gap between 'tracks', but the gap is non-existent in modern high-density hard drives.
4.3 API-based overwriting
However, many researchers argue that simple overwriting might not be applicable in the mobile phone environment due to differences in file system layout and storage technology. Mobile phone storage is usually flash-based, as opposed to a magnetic spinning hard drive. The difficulty of overwriting data is due to the use of wear levelling in the Flash Translation Layer (FTL) to distribute write access across the flash storage (Spreitzenbarth & Holz 2010, p. 166). Specifically, flash-based storage writes new or updated data to another valid physical location while the original location is simply marked as 'invalid' (Shin 2012, pp. 257-258). This is known as out-of-place update, in contrast to in-place update, which writes new data on top of the original. Thus, the original content is preserved even when an overwrite is requested. Spreitzenbarth and Holz (2010, pp. 170-172) developed a secure deletion tool running on Symbian. The tool was demonstrated by overwriting personal data (contacts, calendar entries, and SMS messages) using the Symbian API (Application Programming Interface). To evaluate the effectiveness of the tool, forensic acquisition was performed on the phone and the personal data allegedly could not be found. However, since only the official API was used and there was no modification to the platform, Spreitzenbarth and Holz did not address how wear levelling would affect the operation of the developed tool. Spreitzenbarth and Holz also did not specify how thoroughly data recovery was performed.
Reardon et al. (2012) also proposed a secure deletion method using the OS API on Android. Reardon et al. developed an app that monitors the amount of free space and fills it with random data. This is to ensure that unwanted data which has been marked as invalid is replaced with random data to achieve random deletion. Reardon et al. tested the effect of their app on deletion latency, storage device lifetime and power consumption. Although the performance difference was calculated, the effectiveness of the proposed method was not shown. Albano et al. (2011) proposed using standard Linux commands (e.g. cp, rm, dd) to selectively modify data in Android, without using any cryptographic primitives or kernel modules that would raise suspicion during a forensic analysis. Their process involves first copying the mtd5 partition (which stores the user's installed apps and data) to the external SD card, zeroing mtd5 while selectively modifying/deleting the data on the external SD card, moving the data on the external SD card back to mtd5, and finally zeroing the external SD card. However, the proposed method requires BusyBox to be installed (which provides the standard Linux commands mentioned). Installing BusyBox requires the user to have root privilege. Rooting an Android device not only voids the warranty but may also be abused by malware to cause more harm (Pieterse & Olivier 2013, p. 4). Kang, Park, and Kim (2013) proposed a more efficient method of data wiping in mobile phones by overwriting only the part of the data that renders it unidentifiable, instead of overwriting the whole file. Kang, Park, and Kim demonstrated their method on JPEG, BMP, FLV, DOC and XLS files while comparing the time taken by their method against that of wiping the entire file on an Android phone. However, it could not be determined whether the authors' data recoverability test and performance test were conducted on the same device, especially with respect to the type of data storage.
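To make the out-of-place update behaviour concrete, here is a small page-level flash model, added as an illustration and not taken from any of the papers or tools cited above. It shows that an 'overwrite with zeros' issued through the normal write path leaves the original page on the chip until the FTL's garbage collector erases its block, which is what the free-space filling approach of Reardon et al. (2012) relies on; SimpleFTL, fill_free_space and the sample record are constructed names and data.

```python
"""Toy page-level flash model with out-of-place updates and garbage collection.
Constructed illustration, not code from any tool or paper cited here; the
collector erases the victim block in place and rewrites its live pages, which
simplifies real FTLs (they relocate live pages and wear-level across blocks)."""
import os

FREE, VALID, INVALID = "free", "valid", "invalid"


class SimpleFTL:
    def __init__(self, blocks=4, pages_per_block=4):
        self.ppb = pages_per_block
        self.pages = [(FREE, b"")] * (blocks * pages_per_block)  # (state, data)
        self.lpn_to_ppn = {}   # logical page number -> physical page number
        self.erase_count = 0

    def free_space(self):
        """What the file system sees: logical pages not currently in use."""
        return len(self.pages) - len(self.lpn_to_ppn)

    def _block_range(self, b):
        return range(b * self.ppb, (b + 1) * self.ppb)

    def _find_free(self):
        return next((i for i, (s, _) in enumerate(self.pages) if s == FREE), None)

    def _place(self, lpn, data):
        ppn = self._find_free()
        self.pages[ppn] = (VALID, data)
        self.lpn_to_ppn[lpn] = ppn

    def _garbage_collect(self):
        """Erase the block holding the most invalid pages; rewrite its live pages."""
        n_invalid = lambda b: sum(self.pages[i][0] == INVALID for i in self._block_range(b))
        victim = max(range(len(self.pages) // self.ppb), key=n_invalid)
        if n_invalid(victim) == 0:
            raise RuntimeError("storage full: nothing to reclaim")
        live = [(lpn, self.pages[ppn][1]) for lpn, ppn in self.lpn_to_ppn.items()
                if ppn // self.ppb == victim]
        for i in self._block_range(victim):   # block erase: old contents really go
            self.pages[i] = (FREE, b"")
        self.erase_count += 1
        for lpn, data in live:
            self._place(lpn, data)

    def write(self, lpn, data):
        """Out-of-place update: new copy elsewhere, old copy only marked invalid."""
        if self._find_free() is None:
            self._garbage_collect()
        old = self.lpn_to_ppn.get(lpn)
        self._place(lpn, data)
        if old is not None:
            self.pages[old] = (INVALID, self.pages[old][1])

    def read(self, lpn):
        """What the file system (and an API-based wiper) sees for this page."""
        return self.pages[self.lpn_to_ppn[lpn]][1]

    def raw_scan(self, needle):
        """Forensic view of the chip: every physical page still holding `needle`."""
        return [i for i, (_, d) in enumerate(self.pages) if needle in d]


def fill_free_space(ftl, start_lpn=1000):
    """Write random data to every free logical page (the user-level idea of
    Reardon et al. 2012) until the FTL is forced to reclaim invalid pages."""
    lpn = start_lpn
    while ftl.free_space() > 0:
        ftl.write(lpn, os.urandom(8))
        lpn += 1
    return lpn - start_lpn


def demo():
    secret = b"contact: Alice 0400 000 000"   # constructed sample record
    ftl = SimpleFTL()
    ftl.write(0, secret)
    ftl.write(0, b"\x00" * len(secret))        # 'overwrite with zeros' request
    survived = ftl.raw_scan(secret)            # old copy still on the chip: [0]
    fill_free_space(ftl)
    return survived, ftl.raw_scan(secret), ftl.erase_count
```

The file system reads back zeros after the second write, yet the raw scan still finds the record at physical page 0; only after free space is exhausted and a block erase occurs does it disappear.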
4.4 Flash translation layer
Shin (2012) explored the feasibility of implementing secure deletion in different FTL schemes based on the scheme design. The factors considered include effectiveness and performance. Shin concluded that although some current schemes allow an effective implementation, they are limited by low performance. Shin therefore proposed the need for a new FTL scheme that allows an implementation that is both effective and performs well. Wei et al. (2011) developed a new FTL scheme that overwrites unused copies of data with zeros. The developed FTL scheme works by re-programming unused cells to flip the remaining ones to zeros. However, Wei et al. pointed out that their approach could result in program disturb, which subsequently results in bit errors. Reardon et al. (2012, p. 9) criticised this approach because reprogramming operates outside the specification, although Wei et al. (2011, p. 9) argued that the impact of reprogramming varies between devices and some might show no effect.
4.5 File system
Rather than modifying the FTL scheme, many researchers instead focus on the file system. Log-structured file systems, especially YAFFS (Yet Another Flash File System), are chosen due to their wide usage on the flash storage of Android phones. YAFFS was the default file system for Android from the release of the first Android device (Hoog 2011, p. 141) until Google announced the move to EXT4 starting with Android 2.3 (Google 2010). Lee et al. (2010) proposed a scheme that randomly generates keys to encrypt files and stores them in file headers, while making sure those file headers are in the same block using an “unbalanced binary hash tree” algorithm. With this scheme, a file can be securely deleted by erasing the file header block (which stores the key). Lee et al. (2011) extended the scheme to perform the standard data sanitisation methods prescribed by US government agencies. Lee et al. designed a scheme that overwrites the data before the erase operation (the previous work used the erase operation only) without the additional operations that the previous work had to perform. They therefore claimed their design is more secure and efficient than the previous work, albeit through theoretical calculation and without an actual implementation. On the other hand, Reardon et al. (2013) criticised the scheme proposed by Lee et al. (2010) as purely conceptual and as causing too much wear on the flash memory. Reardon et al. also pointed out that their own previous work (Reardon et al. 2012) is too costly in terms of flash memory wear and execution time. Reardon et al. proposed a scheme similar to that of Lee et al. (2010), where each data block is encrypted with a key and the key is purged when the data block is no longer in use. The proposed scheme encrypts each block of data with a distinct 128-bit AES key in counter mode. No IV (initialisation vector) is used because each key is distinct. The scheme is implemented in UBIFS (Unsorted Block Image File System), another log-structured file system. The modified file system is then deployed on Android. Reardon et al. conducted various tests, including wear analysis, power consumption, and I/O performance.
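The per-block key approach of Reardon et al. (2013) sketched above, as an added illustration that is not their code: each data block gets its own fresh key, so counter mode needs no IV, and deleting a block means purging its key from a small rewritable key area rather than erasing the data area. HMAC-SHA256 in counter mode stands in for AES-CTR because the Python standard library has no AES; KeyedBlockStore and the sample record are constructed names and data.

```python
"""Per-block keys purged on delete, after the scheme of Reardon et al. (2013)
described above. Constructed illustration, not their code: HMAC-SHA256 in
counter mode stands in for AES-CTR (the standard library has no AES); only the
structure, one fresh 128-bit key per block plus a small rewritable key area, matters."""
import hashlib
import hmac
import os

KEY_LEN = 16   # 128-bit keys, as in the scheme described above


def keystream(key, nbytes):
    """Counter mode from block 0: with a fresh key per data block no IV is needed."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:nbytes]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class KeyedBlockStore:
    """Data area behaves like flash (ciphertext is never overwritten); the key
    area is one small block that is erased and rewritten whenever it changes."""

    def __init__(self):
        self.data_area = []      # ciphertext per data block
        self.keys = []           # key per data block, None once purged
        self.key_block = b""     # image of the key storage block on the chip
        self.key_block_erases = 0

    def _rewrite_key_block(self):
        """Erase-and-rewrite: purged slots become zeros, stale keys leave no copy."""
        self.key_block = b"".join(k if k else b"\x00" * KEY_LEN for k in self.keys)
        self.key_block_erases += 1

    def write(self, plaintext):
        key = os.urandom(KEY_LEN)
        self.keys.append(key)
        self.data_area.append(xor_bytes(plaintext, keystream(key, len(plaintext))))
        self._rewrite_key_block()     # a real system batches these rewrites
        return len(self.data_area) - 1

    def read(self, idx):
        key = self.keys[idx]
        if key is None:
            raise KeyError("block %d was securely deleted" % idx)
        return xor_bytes(self.data_area[idx], keystream(key, len(self.data_area[idx])))

    def delete(self, idx):
        """Secure deletion = purge the key; the ciphertext may stay on the chip."""
        self.keys[idx] = None
        self._rewrite_key_block()

    def raw_scan(self, needle):
        """Forensic view of the data area: blocks exposing `needle` in the clear."""
        return [i for i, c in enumerate(self.data_area) if needle in c]


def demo():
    store = KeyedBlockStore()
    secret = b"calendar: dentist 14:00"       # constructed sample record
    idx = store.write(secret)
    exposed = store.raw_scan(secret)          # ciphertext only: []
    readable = store.read(idx) == secret      # True while the key exists
    key = store.keys[idx]
    store.delete(idx)
    try:
        store.read(idx)
        still_readable = True
    except KeyError:
        still_readable = False
    key_gone = key not in store.key_block     # old key has no stale copy
    return exposed, readable, still_readable, key_gone, len(store.data_area)
```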
4.6 Summary
From the patents discussed, there is a consensus among inventors on using asymmetric cryptography to authenticate the server which sends the remote wipe command. This can be practically implemented through Transport Layer Security (TLS), which is commonly used to secure the traffic between client and web server in the form of HTTPS (Hypertext Transfer Protocol Secure) (Rescorla 2000). TLS is the successor of Secure Sockets Layer (SSL) (Geer 2003, p. 14). Several articles then suggest using the OS API or standard Linux commands to perform the wiping without modification to the platform or to the underlying architecture such as the file system. Although a more efficient implementation was suggested, it is doubtful that the wiping time is practical. There are also several proposals to modify the FTL and the file system. However, these proposals are more suitable for the file deletion that occurs during daily mobile phone usage than for remote wiping, which involves erasing all of the data in the mobile phone.
The availability of ADM (Android Device Manager) means that virtually all Android phones are equipped with a remote wipe feature. Without any security in place, in the worst case scenario, this could result in a mass remote wipe. Although this is not likely to happen, it is still necessary to inspect the security aspects of the remote wipe feature. Third-party Android apps which offer a remote wiping feature have been available for years, and yet, as far as the author is aware, there have been no studies conducted on this feature on the Android platform.
Legal Authorities
Telecommunications (Interception and Access) Act 1979 (Cwlth), s 7.
References
Albano, P, Castiglione, A, Cattaneo, G & De Santis, A 2011, 'A novel anti-forensics
technique for the android OS', in International conference on broadband and wireless
computing, communication and applications (BWCCA), IEEE, pp. 380-385.
AMTA 2011, Lost and stolen phones, Australian Mobile Telecommunications Association,
viewed 6 June 2014, <http://www.amta.org.au/pages/Lost.and.stolen.phones>.
Anderson, P & Blackwood, A 2004, 'Mobile and PDA technologies and their future use in
education', JISC Technology and Standards Watch, vol. 4, no. 3, pp. 3-33.
Androulidakis, I 2011, 'Intercepting Mobile Phone Calls and Short Messages Using a GSM
Tester', in Computer networks, Springer, Berlin, pp. 281-288.
Angelo, M, Novoa, M & Olarig, S 2003, After the fact protection of data in remote personal
and wireless devices, US20030065934A1, USA.
Aomoth, D 2010, App of the week: Find my iPhone, TIME, viewed 15 June 2014,
<http://techland.time.com/2010/11/23/app-of-the-week-find-my-iphone/>.
Apple 2010, iOS 4.2 software update, Apple, Inc, viewed 15 June 2014,
<http://support.apple.com/kb/DL1061>.
Australian Signals Directorate 2014, 2014 information security manual.
Brown, MK, Brown, MS, Little, HA & Totzke, SW 2011, Selectively wiping a remote device,
US008056143B2, USA.
Burnett, RD, Friedman, M & Rodriguez, RP 2011, 'Managing laptop security', Journal of
Corporate Accounting & Finance, vol. 22, no. 5, pp. 53-61.
Caldwell, T 2011, 'The mobile ‘kill pill’ – poison or panacea?', Computer Fraud & Security,
vol. 2011, no. 10, pp. 8-12.
Carayannis, E & Clark, S 2011, 'Do smartphones make for smarter business? the smartphone
CEO study', Journal of the Knowledge Economy, vol. 2, no. 2, pp. 201-233.
Cavacuiti, J & Merrem, R 2003, Loss prevention system for portable electronic devices,
US20030043036A1, USA.
Davis, GF 1991, 'Agents without principles? the spread of the poison pill through the
intercorporate network', Administrative Science Quarterly, vol. 36, no. 4, pp. 583-613.
Evers, J & Johnston, CJ 2005, 'Chapter 1: System Architecture', in Professional blackberry,
Wiley Publication, Indianapolis, USA, pp. 3-18.
Gajdos, T & Kretz, M 2006, Method for disabling a mobile device, EP1725056A1, EU.
Garfinkel, SL & Shelat, A 2003, 'Remembrance of data passed: A study of disk sanitization
practices', IEEE Security & Privacy, vol. 1, no. 1, pp. 17-27.
Gartner 2014, Gartner says annual smartphone sales surpassed sales of feature phones for
the first time in 2013, Gartner Inc, viewed 8 June 2014,
<http://www.gartner.com/newsroom/id/2665715>.
Geer, D 2003, 'Taking steps to secure web services', Computer, vol. 36, no. 10, pp. 14-16.
Glendrange, M, Hove, K & Hvideberg, E 2010, 'Decoding GSM', Master's thesis, Norwegian
University of Science and Technology, Trondheim, Norway.
Google n.d., Android device manager, Accounts Help, viewed 21 April 2014,
<https://support.google.com/accounts/answer/3265955?hl=en>.
Google 2010, Saving data safely, viewed 29th April 2014, <http://android-developers.blogspot.com/2010/12/saving-data-safely.html>.
Gutmann, P 2003, Secure deletion of data from magnetic and solid-state memory, viewed
27th March 2014, <https://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html>.
Gutmann, P 1996, 'Secure deletion of data from magnetic and solid-state memory', in
Proceedings of the sixth USENIX security symposium, USENIX.
Hansen, CK 2010, 'Technology trends in mobile communications how mobile are your data?',
Invited Paper for the IEEE Reliability Society Annual Technology Report.IEEE Transactions
on Reliability, vol. 59, pp. 458-460.
Head, M 2013, 'Word of mouth in social learning: The effects of word of mouth advice in the
smartphone market', Master's thesis, Aalto University, Töölö, Helsinki, Finland.
Higgins, P 2013, How to enable two-factor authentication on twitter (and everywhere else),
EFF, viewed 15 June 2014, <https://www.eff.org/deeplinks/2013/05/howto-two-factor-authentication-twitter-and-around-web>.
Hoog, A 2011, Android forensics: Investigation, analysis and mobile security for google
android, Syngress, Waltham, MA.
Hsieh, J & Hsieh, Y 2013, 'Appealing to internet-based freelance developers in smartphone
application marketplaces', International Journal of Information Management, vol. 33, no. 2,
pp. 308-317.
Hughes, GF & Coughlin, TM 2006, Tutorial on disk drive data sanitization, Center for
Magnetic Recording Research (CMRR), UC San Diego.
Hughes, GF & Coughlin, TM 2002, 'Secure erase of disk drive data', IDEMA Insight
Magazine, p. 22.
IDC 2014, Smartphone OS market share, Q1 2014, International Data Corporation, viewed 7
June 2014, <http://www.idc.com/prodserv/smartphone-os-market-share.jsp>.
Intel 2013, Laptop security and intel anti-theft technology, Intel Corporation, viewed 7 June
2014, <http://www.intel.com/content/www/us/en/architecture-and-technology/anti-theft/anti-theft-general-technology.html>.
Intel 2010, Intel anti-theft technology, Intel Corporation, viewed 7 June 2014,
<http://download.intel.com/pressroom/kits/vpro/core/pdf/IntelAT_ProductBrief.pdf>.
Intel Corporation 2006, Moore's law and intel innovation, Intel Corporation, viewed 5 June
2014, <http://www.intel.com/content/www/us/en/history/museum-gordon-moore-law.html>.
International Data Corporation 2014, Worldwide smartphone shipments top one billion units
for the first time, according to IDC, International Data Corporation, viewed 22nd March
2014, <http://www.idc.com/getdoc.jsp?containerId=prUS24645514>.
Joukov, N, Papaxenopoulos, H & Zadok, E 2006, 'Secure deletion myths, issues, and
solutions', in Proceedings of the second ACM workshop on storage security and survivability,
ACM, pp. 61-66.
Kang, S, Park, K & Kim, J 2013, 'Cost effective data wiping methods for mobile phone',
Multimedia Tools and Applications, pp. 1-13.
Kenney, T 2005, Systems and methods that provide user and/or network personal data
disabling commands for mobile devices, US20050186954A1, USA.
Kissel, R, Scholl, M, Skolochenko, S & Li, X 2012, Guidelines for media sanitization, NIST
Special Publication 800-88.
Lee, B, Son, K, Won, D & Kim, S 2011, 'Secure data deletion for USB flash memory',
Journal of Information Science & Engineering, vol. 27, no. 3, pp. 933-952.
Lee, J, Yi, S, Heo, J, Park, H, Shin, SY & Cho, Y 2010, 'An efficient secure deletion scheme
for flash file systems', Journal of Information Science & Engineering, vol. 26, no. 1, pp. 27-38.
Lynn, G & Davey, E 2014, 'Black market' for stolen smartphones exposed, BBC, viewed 6
June 2014, <http://www.bbc.com/news/uk-england-london-26979061>.
Markoff, J 2007, Intel says chips will run faster, using less power, The New York Times,
viewed 5 June 2014,
<http://www.nytimes.com/2007/01/27/technology/27chip.html?_r=0&ei=5087&em=&en=59
a4d10473c4a8c8&ex=1170046800&pagewanted=print>.
Mayers, S & Lee, M 2011, 'From MobileMe to iCloud', in Learn OS X lion, Apress, New
York, pp. 245-253.
McGowan, R, Dover, RD & Kerber, KD 1999, Method and apparatus for intercepting calls
in a communications system, US5937345, USA.
Müller, MU, Medyckyj-Scott, D, Cowie, A, Heuer, T & Roudier, P 2013, 'Current status and
future directions of mobile GIS', in Proceedings of the SIRC NZ 2013 - (GIS and remote
sensing research conference), University of Otago, Dunedin, New Zealand, pp. 1-6.
Muratov, AV & Foley, RE 2007, Method and system for protecting data within portable
electronic devices, US007159120B2, USA.
Ogg, E 2009, Updated: IPhone OS 3.0 now available, CNET, viewed 15 June 2014,
<http://www.cnet.com/news/updated-iphone-os-3-0-now-available/>.
Onyon, R, Stannard, L & Ridgard, L 2007, Remote cell phone auto destruct,
US20070056043A1, USA.
Paik, Y & Zhu, F 2013, The impact of patent wars on firm strategy: Evidence from the global
smartphone market, Harvard Business School.
Park, M, Choi, Y, Eom, J & Chung, T 2013, 'Dangerous wi-fi access point: Attacks to benign
smartphone applications', Personal and Ubiquitous Computing, pp. 1-14.
Pieterse, H & Olivier, MS 2013, 'Security steps for smartphone users', in Information security
for south africa, 2013, IEEE, pp. 1-6.
Poiesz, B 2013, Find your lost phone with android device manager, Android Official Blog,
viewed 21 April 2014, <http://officialandroid.blogspot.com/2013/08/find-your-lost-phone-with-android.html>.
Punja, SG & Mislan, RP 2008, 'Mobile device analysis', Small Scale Digital Device
Forensics Journal, vol. 2, no. 1, pp. 1-16.
Raento, M, Oulasvirta, A & Eagle, N 2009, 'Smartphones an emerging tool for social
scientists', Sociological Methods & Research, vol. 37, no. 3, pp. 426-454.
Reardon, J, Capkin, S & Basin, D 2013, Data node encrypted file system: Efficient secure
deletion for flash memory, Department of Computer Science, ETH Zurich.
Reardon, J, Marforio, C, Capkin, S & Basin, D 2012, 'User-level secure deletion on log-structured file systems', in Proceedings of the 7th ACM symposium on information, computer
and communications security, ACM, pp. 63-64.
Rescorla, E 2000, HTTP over TLS, RFC 2818, viewed 4 May 2014,
<https://tools.ietf.org/html/rfc2818>.
Rurup, ML, Onwuteaka-Philipsen, BD, Wal, Gvd, Heide, Avd & Maas, PJvD 2005, 'A
"suicide pill" for older people: Attitudes of physicians, the general population, and relatives
of patients who died after euthanasia or physician-assisted suicide in the netherlands', Death
Studies, vol. 29, no. 6, pp. 519-534.
Ryngaert, M 1988, 'The effect of poison pill securities on shareholder wealth', Journal of
Financial Economics, vol. 20, no. 1, pp. 377-417.
Sennett, DWA & Daly, BK 2013, Remote disablement of a communication device,
US008375422B2, USA.
Shin, I 2012, 'Secure file delete in NAND-based storage', International Journal of Security &
its Applications, vol. 6, no. 2, pp. 257-260.
Smith, A 2012, 46% of american adults are smartphone owners: Smartphone users now
outnumber users of more basic mobile phones within the national adult population, Pew
Research Center’s Internet & American Life Project, Washington.
Spreitzenbarth, M & Holz, T 2010, 'Towards secure deletion on smartphones', in 5th
conference of the GI special interest group “Sicherheit, schutz und zuverlässigkeit”,
Gesellschaft für Informatik e.V. (GI), pp. 165-176.
Symantec 2012, Symantec smartphone honey stick project, Symantec Corporation, viewed 2
June 2014,
<https://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=symantec-smartphone-honey-stick-project>.
Syverson, P 1994, 'A taxonomy of replay attacks [cryptographic protocols]', in Proceedings
of computer security foundations workshop VII (CSFW 7), IEEE, pp. 187-191.
The Economist 2009, The boom in smart-phones: Cleverly simple, The Economist, viewed 5
June 2014, <http://www.economist.com/node/14563636>.
Turner, A 2014, Apple iCloud users urged to change passwords as hackers target iDevices,
The Sydney Morning Herald, viewed 12 June 2014, <http://www.smh.com.au/digital-life/computers/gadgets-on-the-go/apple-icloud-users-urged-to-change-passwords-as-hackers-target-idevices-20140611-zrwzy.html>.
Wei, MYC, Grupp, LM, Spada, FE & Swanson, S 2011, 'Reliably erasing data from flash-based solid state drives', in 9th USENIX conference on file and storage technologies (FAST),
USENIX, pp. 1-13.
Wright, C, Kleiman, D & Sundhar, S 2008, 'Overwriting hard drive data: The great wiping
controversy', in Information systems security, Springer, pp. 243-257.