smartphone - University of Idaho
advertisement
Mobile Device Security Benjamin Kirchmeier University of Idaho Definitions • Mobile Device – Computing and communications – Handheld or smaller – I/O: touch or thumb-based keyboard – Requires no wired connection • Smartphone – Voice + Data features The Global Mobile Market • 2005: 750,000,000 cell phone sales • 2009: 1,211,236,600 cell phone sales • 2009: 172,373,100 smartphone sales Smartphone % Marketshare Symbian BlackBerry iPhone Linux Android Gartner (February 23, 2010) http://www.gartner.com/it/page.jsp?id=1306513 Smartphones comprise 14% of total global sales The UI Mobile Market Staff and Faculty Exchange Use via Mobile Device Device Usage* iPhone iPod iPad Android PocketPC Palm * Based on 7-day login and device information from UI Exchange Servers. About 10% of UI employees‡ use a mobile device to access their UI email ‡ Personal and Sponsored Employee accounts total 5,126. Smaller, Faster, Cheaper Smartphone Cray 1 Supercomputer • • • • (ca. 1976) 128MB-512MB RAM 1GB – 64GB+ Storage 1000 MHz processor $200 (w/ Contract of course) Primary advantages • Convenience • Security • Fits in pocket • 8MB RAM • 80 MHz processor • $8.8 million Primary advantages • 133 Megaflops • All colors available Device Technologies • Bluetooth – IEEE 801.15.1 – 30’ range • SMS – 160 character limit – Viver virus (Kaspersky; Symbian, 2007) • MMS – Text, images, audio, video – Binary data – Commwarrior-A (F-secure; Symbian, 2005) Development for Mobile Devices • • • • • Binary Runtime Environment for Wireless (BREW) Java 2 Micro Edition (J2ME) Python Java Objective-C • [micro] Web Browsers – HTML, JavaScript, Flash • [micro] Operating Systems – Linux, iOS (OS X) Malicious Mobile Device Code • Timofonica (2000) – Visual Basic – Infected computers – Spammed phones • Cabir (2004) – – – – Symbian-based Source code released underground Propagated via Bluetooth User interaction required Malicious Mobile Device Code: Cabir 1. User clicks on caribe.sis 2. Installer confirms action 3. Cabir Installed! Once installed, it searches for “discoverable” Bluetooth devices Photos: http://www.f-secure.com/v-descs/cabir.shtml Predicting Future Outbreaks • Are security experts crying wolf? • Since 2004, about 420 viruses identified • Primary Vectors – Bluetooth – MMS • The Tipping Point – Location – Mobility – Communication Patterns Splode Demo The Game Trail via YouTube: http://www.youtube.com/watch?v=rNU3g_LHDGk Splode available in the AppStore: http://itunes.apple.com/us/app/splode/id376476787 Basic Best Practices • Only install software you trust • Disable Bluetooth • Use PINs longer than four numbers – No birthdates! • Different passwords for different devices/services • Pair Bluetooth devices privately or not at all • Update your device’s OS and programs regularly The Bottom Line • Increasing mobile device adoption • Mobile malicious code was discovered in 2004 • Bluetooth and MMS will most likely spread future infections • Critical mass for widespread infection: not yet Trusting Published Mobile Software Google Android Market Terms of Service • 5. Use of the Services by You – 5.1 In order to access certain Services, you may be required to provide information about yourself (such as identification or contact details) as part of the registration process for the Service, or as part of your continued use of the Services. You agree that any registration information you give to Google will always be accurate, correct and up to date. – 5.4 You agree that you will not engage in any activity that interferes with or disrupts the Services (or the servers and networks which are connected to the Services). • 7. Privacy and your personal information – 7.1 For information about Google’s data protection practices, please read Google’s privacy policy at http://www.google.com/privacy.html. This policy explains how Google treats your personal information, and protect your privacy, when you use the Services. – 7.2 You agree to the use of your data in accordance with Google’s privacy policies. http://www.android.com/terms.html Google Privacy Policy 5 Privacy Principles • Use information to provide our users with valuable products and services • Develop products that reflect strong privacy standards and practices • Make the collection of personal information transparent • Give users meaningful choices to protect their privacy • Be a responsible steward of the information we hold http://www.google.com/privacy.html Google Privacy Policy • • • • Affiliated Google Services on other sites Third Party Location Data Unique application number In addition to the above, we may use the information we collect to: • Provide, maintain, protect, and improve our services (including advertising services) and develop new services; and • Protect the rights or property of Google or our users. http://www.google.com/privacypolicy.html Apple AppStore Terms and Conditions • D. Privacy Policy – Personal information is data that can be used to uniquely identify or contact a single person. – You may be asked to provide your personal information anytime you are in contact with Apple or an Apple affiliated company. Apple and it’s affiliates may share this personal information with each other and use it consistent with this Privacy Policy. They may also combine it with other information to provide and improve our products, services, content, and advertising. http://www.apple.com/legal/itunes/us/terms.html Apple AppStore Terms and Conditions Collection and Use of Non-Personal Information We also collect non-personal information − data in a form that does not permit direct association with any specific individual. We may collect, use, transfer, and disclose non-personal information for any purpose. The following are some examples of non-personal information that we collect and how we may use it: – Non-personal information: occupation, language, zip code, area code, unique device identifier, location, and the time zone where an Apple product is used. – Additional Non-personal information: customer activities on Apple websites, MobileMe service, and iTunes Store and from our other products and services. – “If we do combine non-personal information with personal information the combined information will be treated as personal information for as long as it remains combined.” Marketing, Marketing, Marketing!! • Popular Apps authorized for sale by Google and Apple transmit data without users’ knowledge • Data transmitted to both developer sites and other involved entities • Data can include personal identifiable information (PII) plus additional information • All data is used primarily to market goods and services • Security not a priority (encrypted vs. rapid deployment) Data? What data? • • • • • • • • • Real names Home address Telephone numbers Credit Card numbers IP Address(es) Browser Type Pages Visited Time spent within specific apps or browser GPS information Oops! Market and AppStore Blunders • Android Market – TweetDeck beta, August 2010 • AppStore – Aurora Feint, July 2008 “Signed” mobile device applications ≠ trusted TaintDroid October 4-6, 2010 TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones USENIX Operating Systems Design and Implementation (OSDI) • • • • Researchers from Intel, Penn State, and Duke Developed custom-built firmware Provides data transmission transparency to end users Available soon: http://appanalysis.org/ appanalysis.org TaintDroid Demo http://appanalysis.org/demo/ PSNs, UDIDs, IMEIs, and Smartphones. Oh my! • PSNs, UDIDs, and IMEIs manage device identity • Pentium III’s (PSN) – – – – – Burned into each CPU Hoped to boost online commerce Attract business (and government) interest Permit better asset tracking/resource allocation Ultimately considered an “unnecessary intrusion” PSNs, UDIDs, IMEIs, and Smartphones. Oh my! • UDIDs created by Apple for its mobile devices – Guaranteed to be unique per device • “Ensure[s] … devices continue to comply with required policies.” http://www.apple.com/iphone/business/docs/iPhone_Business.pdf • Developers encouraged to utilize UDID – – – – Store high scores for games Aggregate app-specific user ID with UDID Apple does not proctor use of the UDID API No restrictions for company UDID ‘sharing’ Wireshark • Network protocol analyzer • Used to intercept packets from mobile devices before they’re sent onto the internet • Reveals plain-text packets which include UDID, IMEI, and other information • Available here: http://www.wireshark.org/download.html Sniffing iPhone Packets Demo • Amazon • Sends UDID and other information in an unencrypted (http) format • CBS News • Sets cookies to expire in 20 years * Detailed images can be found in this reference: http://www.pskl.us/wp/?p=476 Android Demo “Disney” Wallpapers • Sends IMEI to developer’s database • Uses wps.ysler.com as a repository for content. • Copyright issues? *More information available http://appanalysis.org/ Primary References iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs). Retrieved October 1, 2010 from Preset Kill Limit Web site: http://www.pskl.us/wp/?p=476 TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. Retrieved October 1, 2010 from AppAnalysis.org Web site: http://appanalysis.org/pubs.html iDefense.com. (2009). Mobile Malicious Code Trends. In Graham, James (Ed.), Cyber Fraud: Tactics, Techniques and Procedures (Chapter 15). Auerbach Publications. Understanding the spreading patterns of mobile phone viruses. P. Wang, M. C. Gonzalez, C. A. Hidalgo and A. –L. Barabasi. Science, 324, 1071-1076 (2009).
