Smart Phones & Tablets – Security vs Usability

31 07 2012

Let’s start with some interesting facts on smartphones and tablets:

  • In June 2011, for the first time ever, people spent more time using mobile applications (81 mins) than browsing the mobile web (74 mins) (Lookout Mobile Security)[6]
  • In 2011, for the first time, smartphone and tablet shipments exceeded those of desktops and notebooks (Meeker)[7]
  • As of July 19th, 2012, the total number of applications available on the Android Market is “485422” (AppBrain)[2]
  • As of July 21st, 2012, the estimated number of applications downloaded from the Android Market is 9,613,765,347 (Androlib)[1]
  • Total active apps available for download on iTunes: 684,396 (Biz)[3]
  • 83 percent of young people sleep next to their cell phones (Pearcy)[9]
  • The value of mobile payment transactions is projected to reach almost $630 billion by 2014, up from $170 billion in 2010 (Lookout Mobile Security)[6]

How many of you have used a smartphone in the last hour, and how many of you have one next to you while reading this post? How many of you are reading this on a smartphone or tablet?

Don’t you think that the exponential growth in mobile applications and smartphone usage is also attracting cybercriminals who want to take advantage of it by spreading mobile malware and viruses, or by using smartphones to steal information or gain access to sensitive data? Hackers will try to spread viruses over the mobile network, since smartphones, besides making phone calls, are used for SMS, MMS, email, personal and business mobile applications, and mobile commerce including internet banking. This gives hackers a multitude of options for exploiting networks, phones and tablets, and mobile applications.

You may be surprised that smartphones face more security threats than your desktop or laptop. Unlike desktops or laptops, smartphones do not commonly receive patches and upgrades. Users don’t change their OS or mobile server frequently; in most cases it never gets changed. Contrary to a laptop or tablet, smartphones are always on and running.

There are a growing number of viruses, worms and Trojan horses targeting smartphones. Though so far none of the new attacks has done extensive damage, it may only be a matter of time before that occurs. These attacks may impact an individual user, e.g. by using their personal information to make calls, or by using their payment information in the case of mobile commerce or internet banking over the phone. They can also impact an organization, either by stealing company data residing on smartphones and tablets, or by using the smartphones to get onto the corporate network. Besides this, attackers can also mount attacks to degrade or overload mobile networks, eventually resulting in denial of service, or cause phones to make hoax calls (dial and disconnect).

Some of the threats faced by smartphones and tablets are:

  • Application-Based Threats – Malware, Spyware, Privacy Threats, Vulnerable Applications
  • Web-Based Threats – Phishing Scams, Social Engineering, Drive-By Downloads, Browser Exploits
  • Network Threats – Network Exploits, Wi-Fi Sniffing, Man-in-the-Middle Attacks, Bluetooth Sniffing and SMS Hijacking
  • Physical Threats – Lost or Stolen Devices, Data Breach, Loss of Personal or Intellectual Property and Trade Secrets

Both iOS and Android, the two leading smartphone operating systems, have their own unique security models. iOS is extremely proprietary while Android is open. This very fact has its own implications, and vulnerabilities have been exploited on both of them. E.g. the DroidDream malware that emerged in the Android Market in Q1 2011 utilized two exploits, Exploid and RageAgainstTheCage, to break out of the Android security sandbox, gain root control of the operating system and install applications without user intervention (Strazzere)[11]. As a result of DroidDream, Google ended up pulling more than 50 apps from the Android Market. Similarly, JailbreakMe 3.0 for Apple iOS devices, even though a non-malicious web page, exploits two vulnerabilities to jailbreak a device (Jean)[5]. Mac hacker Charlie Miller has found a way to sneak a fully-evil app onto your phone or tablet, right under Apple’s nose (Greenberg)[4].

Despite the threats and security concerns, there is no denying that the growth of smartphones and tablets is on the rise, and we are going to see more and more applications and functionality available on these devices. Now you might be thinking about the classic two-factor conundrum: Usability vs Security. Below are some steps that will help us strike a balance between usability and security.

Data Protection – Do not store any sensitive data, e.g. passwords or personal data, on the phone. Ensure that applications store all confidential data on the server rather than on the phone. For data that must be stored on the phone, use the encryption API or software provided by the OS or a third party. When the application is closed, ensure that its cached data is also cleared. Data management and secure key management help in protecting sensitive data not only on the phone but also on any external/flash media, e.g. SD cards.

Credentials and Tokens – Rather than using password-only authentication, consider using authorization tokens (e.g. the OAuth 2.0 model) on the device. These tokens can be encrypted in transit using SSL/TLS. Ensure that these tokens are time bound, and ensure that neither passwords nor keys are visible in the cache or in logs.
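As an added example (not code from the original post), the Python sketch below shows the two properties just described in working form: the server issues an HMAC-signed token with an expiry, rejects expired or tampered tokens using a constant-time compare, and masks tokens and key=value credentials before a line reaches the log. The signing key, the 15-minute TTL, the `user.expiry.nonce.mac` layout and the sample log line are all constructed for this example; a real deployment would use tokens issued by an OAuth 2.0 authorization server as the post suggests.

```python
import base64
import hashlib
import hmac
import re
import secrets
from typing import Optional

# Constructed for this example: the signing key lives only on the server.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 15 * 60  # time-bound: a token is only good for 15 minutes

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user: str, now: float, key: bytes = SERVER_KEY) -> str:
    """Server side: build 'user.expiry.nonce.mac', the mac being HMAC-SHA256 over the first three fields."""
    expiry = int(now) + TOKEN_TTL_SECONDS
    nonce = _b64(secrets.token_bytes(16))
    payload = f"{user}.{expiry}.{nonce}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(mac)}"

def verify_token(token: str, now: float, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the user if the token is authentic and unexpired, otherwise None."""
    parts = token.split(".")
    if len(parts) != 4:
        return None
    user, expiry, nonce, mac = parts
    payload = f"{user}.{expiry}.{nonce}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64(mac)):  # constant-time compare
            return None
        if int(expiry) <= now:  # an authentic but expired token is still rejected
            return None
    except ValueError:  # malformed base64 or expiry (binascii.Error is a ValueError)
        return None
    return user

# Token shape above: nonce is 22 base64url chars (16 bytes), mac is 43 (32 bytes).
_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+\.\d+\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}")
_SECRET_RE = re.compile(r"(?i)(password|passwd|secret|api[_-]?key|token)(\s*[=:]\s*)([^\s\[]+)")

def redact(line: str) -> str:
    """Mask tokens and key=value credentials so they never reach the cache or logs."""
    line = _TOKEN_RE.sub("[TOKEN REDACTED]", line)
    return _SECRET_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", line)
```

Call `redact()` on every line before it is written, not only on lines that look suspicious; the non-sensitive fields (here `user=alice`) survive, which keeps the log useful for incident response.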

Securing Data in Transit – Smartphones support various communication networks and may join a particular network at random. For sending any data, one can use certificates signed by CA providers or a strong encryption algorithm like AES with an appropriate key length. To avoid a man-in-the-middle attack, avoid establishing a connection without verifying the end point. Last but not least, do not send any sensitive information using SMS or MMS. For securing data and communication, one can integrate the solution with network-based technologies, e.g. NAC, to assign the appropriate access rights based on the user’s identity and the security profile of the handheld device.

Mobile Device Management – Besides using the OS password and application remote-kill capabilities, consider implementing a Mobile Device Management (MDM) solution that can enforce policies such as locking the phone or wiping its data after ‘N’ failed login attempts. Using an MDM solution you can lock, wipe, track and manage downloaded applications, and do a remote restore if required. This provides safety not only against loss or theft but also helps manage which applications can reside on the phone, along with enforcing corporate mobile policies.

Anti-Virus and Anti-Malware – You might be wondering about the various anti-malware and anti-spyware solutions. The good news is that there are plenty of options available, including on-device personal firewalls. Anti-spam software can be used to protect against unwanted SMS or MMS messages. However, one needs to be careful, as they do have a negative impact on the performance of phones and applications. Smartphones are highly optimized and somewhat tight on resources: RAM, CPU and battery. Running anti-virus and anti-malware tools can have a significant impact on performance and resource consumption. During a scan, CPU utilization goes up to 80%, with wide fluctuations in battery current draw of up to 264 mA (Stephanow & Subramanian)[10]. This consumption is directly related to the amount of data scanned, hence back to the point discussed above: one must be careful in identifying which data needs to reside on the phone. One should try to keep the data on the cloud or a back-end server, the reason being that it is easier to secure a server, both to maintain data integrity and to protect the data in case of loss or theft of the phone.

Conclusion: By implementing some or all of the above-mentioned steps, organizations and individuals can secure their smartphones and ensure that they enjoy increased productivity without worrying about the security of their data, applications and phones.

________

  1. Androlib. (n.d.). Retrieved from http://www.androlib.com/appstats.aspx.
  2. AppBrain. (n.d.). Retrieved from http://www.appbrain.com/stats/number-of-android-apps.
  3. Biz, A. (n.d.). App Store Statistics. Retrieved from http://148apps.biz/app-store-metrics/.
  4. Greenberg, A. (n.d.). iPhone Security Bug Lets Innocent-Looking Apps Go Bad. Retrieved from http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/.
  5. Jean. (n.d.). Analysis of the jailbreakme v3 font exploit. Retrieved from http://esec-lab.sogeti.com/post/Analysis-of-the-jailbreakme-v3-font-exploit.
  6. Lookout Mobile Security. (n.d.). Mobile Threat Report. Retrieved from https://www.mylookout.com/mobile-threat-report.
  7. Meeker, M. (n.d.). Retrieved from techcrunch.com/2011/02/10/meeker-mobile-slides/.
  8. OWASP. (n.d.). OWASP Mobile Security Project. Retrieved from https://www.owasp.org/index.php/OWASP_Mobile_Security_Project.
  9. Pearcy, A. (n.d.). Retrieved from http://www.prdaily.com/Main/Articles/Infographic_83_percent_of_young_people_sleep_next_9391.aspx.
  10. Stephanow, P., & Subramanian, L. (n.d.). An Architecture To Provide Cloud Based Security Services for Smartphones.
  11. Strazzere, T. (n.d.). Update: Android Malware DroidDream: How it Works. Retrieved from http://blog.mylookout.com/blog/2011/03/02/android-malware-droiddream-how-it-works.
