Smart Phone Security?

14 02 2012

By Robert Bettinger

How valuable is the information on your smart phone?  Some people have their entire lives loaded on a device that was designed to be easy to conceal in your pocket.  With access to the device, someone could know your banking info, see who your friends are, and impersonate you digitally.  Still, not everyone takes mobile device security as seriously as they ought to.

The evolution of smart phones is a classic example of free market economics at work.  In a free market system, success is driven by popular vote rather than an objective rating system.  Just like in high school, the candidate with the “sexiest features” wins.  When smart phones started targeting general consumers, the apps that were available were gimmicky for the most part.  While work was underway for more complicated and useful apps such as banking, the first generation of apps was predominantly entertainment related.  Security was not seen as a “sexy” feature since there wasn’t much personal information stored on the device.

As businesses began to see the reach of the smart phone market, more and more business-related apps became available.  With the increased popularity of social networks such as Facebook and LinkedIn, the line between business/productivity apps and entertainment apps is blurring.  One common theme is arising though: they are all providing greater access to your information through your phone.

While security was not seen as essential at the beginning of the smart phone craze, its importance continues to increase with time.  Still, mobile operating systems lack what some might argue are essential features for protecting valuable user data.  Some features that are included give users a false sense of security.

From an access control perspective, smart phones present a couple of challenges.  Smart phones have storage that can be accessed from other devices, so the data needs to be protected using a scheme that is effective regardless of access method.  The device itself also needs to protect against unauthorized use.  The first issue is addressed with data encryption; the second, with lock screens. 

Data Encryption

Encryption is a buzzword that many people see as synonymous with security.  Still, this is a feature that has only recently been implemented in Android (starting with Honeycomb 3.0)[1] and iOS devices (starting with 4.0)[2].  The implementation thus far in iOS is so poor that it can be cracked via brute force in about 20 to 40 minutes [2].  Encryption in Android is better, though only 4.4% of Android devices are running a version that supports it.  Based on comScore numbers for the end of 2011, the Android and iOS phones that have no encryption or poorly implemented encryption make up 74.8% of smart phones in use [3].

Lock Screens

The weakness in iOS’s encryption scheme derives from the weak four-digit passcode requirements that the encryption is based on [3].  While a four-digit passcode is admittedly weak, it is not the least secure lock screen that is commonly used today.  Android has a pattern lock screen available that appears as though it would have greater security.  In theory, a pattern lock can be easier to crack than even a four-digit passcode.

Consider that a four-digit passcode has 4 digits, each with 10 possible values.  The equation used to calculate the number of possible values is $10^n$, or $10^4$ for this specific example.  That is 10,000 possible passcodes.  Calculating the possibilities for a pattern lock is a little different, though.  With a pattern lock, there are 9 possible starting points.  But since the next value has to be touching the current position, there are only an average of 4.44 possible next values.  This changes the calculation from a straight exponent to something a little more complex: $9 \times 4.44^{n-1}$.  A pattern lock code with only 4 points then has approximately 788 possible values.  To get to the same level of security, a minimum of 6 points needs to be used for a pattern lock.  Another vulnerability is that the oils on your fingers can leave a recognizable pattern on the screen, giving a potential adversary unnecessary help in determining your lock pattern [4].
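The comparison above can be checked by enumeration. The following Python sketch is an added example, not part of the original post: it derives the 4.44 average from the 3x3 grid, evaluates the article's estimate, and counts every pattern exactly under the same "next point must touch the current one" rule. The `allow_revisit=False` option is an extra assumption (each point used at most once) that the article does not state, and all function names are illustrative.

```python
from itertools import product

GRID = list(product(range(3), repeat=2))  # the 3x3 pattern-lock grid

def neighbours(p):
    """Points touching p, diagonals included (the article's adjacency rule)."""
    return [q for q in GRID
            if q != p and abs(q[0] - p[0]) <= 1 and abs(q[1] - p[1]) <= 1]

def average_neighbours():
    """Corners have 3 neighbours, edges 5, the centre 8: 40 / 9 = 4.44."""
    return sum(len(neighbours(p)) for p in GRID) / len(GRID)

def article_estimate(n, avg=4.44):
    """The article's approximation, 9 * 4.44^(n-1)."""
    return len(GRID) * avg ** (n - 1)

def exact_count(n, allow_revisit=True):
    """Enumerate every n-point pattern under the adjacency rule.

    allow_revisit=False adds an assumption that is not in the article:
    a point may be used only once per pattern.
    """
    def extend(path):
        if len(path) == n:
            return 1
        return sum(extend(path + [q]) for q in neighbours(path[-1])
                   if allow_revisit or q not in path)
    return sum(extend([p]) for p in GRID)

def min_points_to_match(pin_digits, allow_revisit=True):
    """Smallest pattern length whose exact count reaches 10^pin_digits."""
    for n in range(1, len(GRID) + 1):
        if exact_count(n, allow_revisit) >= 10 ** pin_digits:
            return n
    return None  # never reached with at most nine points

if __name__ == "__main__":
    print(f"{'points':>6} {'PIN 10^n':>10} {'estimate':>10} "
          f"{'exact':>8} {'no-revisit':>10}")
    for n in range(2, 7):
        print(f"{n:>6} {10 ** n:>10} {article_estimate(n):>10.0f} "
              f"{exact_count(n):>8} {exact_count(n, False):>10}")
    print("points needed to match a 4-digit PIN:", min_points_to_match(4))
```

Exact enumeration gives 952 four-point patterns rather than the estimated 788, because paths pass through well-connected points such as the centre more often than the flat average assumes. That is still far below 10,000, and six points remains the minimum needed to pass the four-digit passcode under this model.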

Conclusions

Mobile operating systems are moving in a more secure direction.  Some of this is being driven by corporations wanting to use smart phones without compromising existing security policies.  There is also pressure from consumers who want to protect the ever-increasing amount of personal data that is accessible from and stored on these devices.  Still, security on mobile devices is not yet at the same level as that of personal computers, and the security that is available is highly dependent on users being knowledgeable enough to implement it properly.

______________________

[1] http://developer.android.com/sdk/android-3.0-highlights.html

[2] http://venturebeat.com/2011/05/25/russians-crack-apples-ios-encryption/

[3] http://desiibond.blogspot.com/2012/02/android-ios-gain-marketshare.html

[4] http://www.extremetech.com/computing/116635-how-to-properly-secure-your-iphone-or-android-device
