Mobile Computing and Security
Computer Science and Engineering
1
Mobile Devices
• Traditional computing and networking vs. mobile
devices (smart phones, internet tables, etc.)
• Widely accepted consumerization: individuals and
organizations
• Huge amount of sensitive data (personal and corporate)
• Security and privacy threats
Computer Science and Engineering
2
OWASP Mobile Security
Project
•
•
•
•
•
•
•
•
•
•
M1: Weak Server Side Controls
M2: Insecure Data Storage
M3: Insufficient Transport Layer Protection
M4: Unintended Data Leakage
M5: Poor Authorization and Authentication
M6: Broken Cryptography
M7: Client Side Injection
M8: Security Decisions Via Untrusted Inputs
M9: Improper Session Handling
M10: Lack of Binary Protections
Computer Science and Engineering
3
OWASP
• Additional materials from OWASP:
– The original (OWASP) presentation can be found
here: SLIDES
– The corresponding video can be found here: VIDEO
Computer Science and Engineering
4
M2: Insecure Data
Storage
• Threats: lost/stolen phones or malware
• Exploitation difficulty: easy by users and applications
• Impact: data loss, disclosure, ransom (e.g., Usernames,
Authentication tokens, Passwords, Cookies, Location data,
personal data, application data)
• How to prevent:
– Don’t store sensitive data (e.g., credentials on device)
– Encrypt all data
Computer Science and Engineering
5
M3: Insufficient Transport
Layer Protection
• Threats: data exchange between client and server over the
carrier’s network and over the internet is poorly protected
• Exploitation difficulty: difficult
• Impact: data disclosure and account theft
• How to prevent
– Enforce the use of SSL/TLS for all transport channels
– Use strong, industry standard encryption algorithms and
appropriate key lengths
– Never allow self-signed certificates
Computer Science and Engineering
6
M4: Unintended Data
Leakage
•
•
•
•
Threat: Application specific
Exploitation: Easy
Impact: technical and business
Prevention:
– URL caching
– Copy/paste buffer caching
– Logging
– Etc.
Computer Science and Engineering
7
McAfee Labs 2014
Threat Prediction
1: Mobile Malware
2: Virtual Currencies
3: Cybercrime and Cyberwarfare
4: Social Attacks
5: PC and Server Attacks
6: Big Data
7: Attacks on the Cloud
Computer Science and Engineering
8
Mobile Security Research
ACM workshop on Security and privacy in smartphones and
mobile devices – In conjunction with CCS conference
– Device/hardware security
– OS/Middleware security
– Application security
– Authenticating users to devices and services
– Mobile Web Browsers
– Usability
– Privacy
– Rogue application detection and recovery
– Cloud support for mobile security
Computer Science and Engineering
9
Mobility and IT Risk
Management
• Mobile Device Management: MDM
• Risk management and investment in cyber security
– What type of security needed?
– Mobile device policies
• Risk areas: technology, policy, law
Computer Science and Engineering
10
Application Development
Computer Science and Engineering
11
Operating Systems
• What is an operating system?
• What operating systems do?
• Why do we need security in operating systems?
– Unintended errors, flaws, bugs, etc.
– Malicious activities
• Readings:
– Silberschatz, Galvin, Gagne: Operating Systems
Concepts, Chapters 14 and 15
Computer Science and Engineering
12
What is a Secure Code?
• Characteristics that contribute to security
– Who defines the characteristics?
• Assessment of security
– What is the basis for the assessment?
• IEEE Standard for Software Verification and Validation,
2005
– Bug, error, fault, …
• US National Security Agency: System Security
Engineering CMM (SSE CMM), http://www.ssecmm.org/index.html
Computer Science and Engineering
CSCE 548 - Farkas
13
13
OS Security Functionalities
•
•
•
•
Identity and credential management
Access control
Information flow
Audit and integrity protection
Computer Science and Engineering
14
Trusted Operating System
• Code has been rigorously developed and analyzed
• Key characteristics:
– Functional correctness
– Enforcement of integrity
– Limited privilege
– Appropriate confidence level
Computer Science and Engineering
15
Mobile Operating Systems
• Four main MOSs: Symbian, Android, BlackBerry OS,
iOS
• Others: Windows Mobile (WinMob), Windows Phone 7
(WP7), bada, webOS, and MeeGo
• Interesting read:
– Fortinet, Fortinet’s FortiGuard Labs Reports 96.5% of all Mobile Malware
Tracked is Android Based, Symbian is Distant Second at 3.45%; iOS,
BlackBerry, PalmOS, and Windows Together Represent Less Than 1%,
February 2014, https://www.fortinet.com/press_releases/2014/fortiguardquarterly-labs-reports.html
Computer Science and Engineering
16
Mobile Application
Development
• Diverse and evolving MOSs
• Different software development platforms and unique
programming languages, custom API
• Mashup services: support mobile application
development without specific software development
kits
– Limited capabilities: mainly Internet-related
resources but not other functionalities (e.g., database
access, address book, etc.)
Computer Science and Engineering
17
Current Mobile
Application Support
• Use web browsers to support platform-independent
applications
• Use cross-platform mobile development tools (XMT) to
support applications for different platforms from the
same code base
• Smartphone application characteristics:
– Installation
– Application structure
– GUI elements
Computer Science and Engineering
18
Malware Detections
Computer Science and Engineering
19
Difficulties
• Resource constraints:
– Computational power
– Energy resources
• Change in the motivation: instant access to confidential
and valuable information
– 2011: 428 million mobile devices sold worldwide
– Users are increasingly dependent on mobile phones
– Increased functionalities
Computer Science and Engineering
20
Mobile Malware
• Software malware: software system security
vulnerability, e.g., viruses, worms, botnets, etc.
• Spyware and grayware
• Malware detection methods:
– Static analysis
– Dynamic analysis
Computer Science and Engineering
21
Static Analysis
• Preliminary analysis to evaluate suspicious applications
• Methods:
– Analyze system calls
– Taint control and data flow
– Source code analysis for anomaly detection
Computer Science and Engineering
22
Dynamic Analysis
• Executing the application in an isolated environment
• Monitor dynamic behavior
• Methods:
– System-wide
– Sandbox
• Application Permission Analysis
– Application intentions - Internet permissions
– Back-end activities
Computer Science and Engineering
23
Cloud-Based Detections
• Smartphones do not carry full featured security
mechanisms
• E.g., file scanner takes 30 mins and reduces battery life
by 2% on an Android HTC G1
• Application scanning is more than 11 times slower on
mobile device than in a computer
• Solution: run security checks on remote computers
• Cloud-based security services
Computer Science and Engineering
24
Cloud-based malware
protection 1
• Paranoid Android
• Smartphone: tracer to record mobile application info to enable
rerun of the apps on a different platform
• Cloud-service: uses the data sent by the tracer to replay the
application execution and check security features:
– Memory scanners, System call anomalies, Dynamic malware
analysis, Commercial antivirus checking
• Proxy: store inbound traffic
• Cost of processing: increased CPU load (15%), energy usage
(30%), tracer execution is costly (user space installation)
Computer Science and Engineering
25
Cloud-based malware
protection 2
• Crowdroid
• Behavior-based detection
• Lightweight application that
– Monitors system calls made by the application
– Preprocesses the calls
– Send the call info to the cloud
• Cloud: classification of the application, whether
malicious or not
Computer Science and Engineering
26
Protection Tips
•
•
•
•
•
•
•
•
•
•
Increase users’ awareness
Install mobile security applications to protect phone
Download applications fro trusted, official sources only
Read reviews and ratings before downloading
Always read permission requests during installation
Turn off wifi when not used
Keep applications up to date
Encrypt all confidential data
Monitor battery life
Delete all sensitive data remotely if the phone is stolen
Computer Science and Engineering
27
Why Mobile Malware
Important?
• Underground economy
• Constrained security resources
• Users’ role and responsibilities
Computer Science and Engineering
28
Next Class
• Trust management
Computer Science and Engineering
29