Security in Smartphones - Revision history

Asokanp: Fixed an inline referencing error

2009-04-13T14:54:35Z

Fixed an inline referencing error

← Older revision		Revision as of 14:54, 13 April 2009
Line 46:		Line 46:
	Smartphone users should be diligent in installing patches and keeping their OS software up to date so that their device is protected against attackers trying to take advantage of known problems or vulnerabilities [3].		Smartphone users should be diligent in installing patches and keeping their OS software up to date so that their device is protected against attackers trying to take advantage of known problems or vulnerabilities [3].
	=== Remote locking/backups ===		=== Remote locking/backups ===
-	Since smartphones are vulnerable to getting lost or stolen, businesses should make sure that their smartphones are remotely accessible by the IT staff so that they can be locked and wiped in case such a situation arises [11]. A tool that enables this over text messaging is preferable as it will allow the device to be secured even if it does not have an active data connection [10]. Data should also be backed up on enterprise servers so that it can be retrieved to a new device in case of one of these situations.	+	Since smartphones are vulnerable to getting lost or stolen, businesses should make sure that their smartphones are remotely accessible by the IT staff so that they can be locked and wiped in case such a situation arises [10]. A tool that enables this over text messaging is preferable as it will allow the device to be secured even if it does not have an active data connection [10]. Data should also be backed up on enterprise servers so that it can be retrieved to a new device in case of one of these situations.
	=== Physical/Personal security ===		=== Physical/Personal security ===
	Smartphone users should make sure not to leave their devices unattended in public or easily accessible areas in order to prevent attackers from extracting or corrupting information on them [3]. They should also be careful about posting their phone numbers online in order to minimize the number of people who have access to their information and limit risk of attacks and spam [4].		Smartphone users should make sure not to leave their devices unattended in public or easily accessible areas in order to prevent attackers from extracting or corrupting information on them [3]. They should also be careful about posting their phone numbers online in order to minimize the number of people who have access to their information and limit risk of attacks and spam [4].

Asokanp: Re-arranged See Also topics

2009-04-13T03:55:57Z

Re-arranged See Also topics

← Older revision		Revision as of 03:55, 13 April 2009
Line 72:		Line 72:
	10. Temporale, Mike. "Smartphones: productivity booster or security time bomb?" Computing Unplugged Magazine. 5 Apr. 2009 <http://www.computingunplugged.com/issues/issue200805/00002179002>.		10. Temporale, Mike. "Smartphones: productivity booster or security time bomb?" Computing Unplugged Magazine. 5 Apr. 2009 <http://www.computingunplugged.com/issues/issue200805/00002179002>.
	== See Also ==		== See Also ==
-	1. [[~~3G Communications~~]]	+	1. [[Malware]]

-	2. [[~~Malware~~]]	+	2. [[Man in the Middle Attack]]

-	3. [[~~Man in the Middle Attack~~]]	+	3. [[Corporate Security and IT Policies]]

-	4. [[~~Corporate Security and IT Policies~~]]	+	4. [[Data Encryption for Storage Devices]]

-	5. [[~~Data Encryption for Storage Devices~~]]	+	5. [[3G Communications]]
	== External Links ==		== External Links ==
	1. [http://research.microsoft.com/en-us/um/people/helenw/papers/smartphone.pdf Smart Phone Attacks and Defenses]		1. [http://research.microsoft.com/en-us/um/people/helenw/papers/smartphone.pdf Smart Phone Attacks and Defenses]

Asokanp: Inserted references for intro

2009-04-13T03:48:04Z

Inserted references for intro

← Older revision		Revision as of 03:48, 13 April 2009
Line 1:		Line 1:
	[[Image:smartphone-security-risk-lg.jpg\|frame\|Source: http://digital-lifestyles.info/2008/06/03/smartphones-bigger-security-risk-than-lappies/]]		[[Image:smartphone-security-risk-lg.jpg\|frame\|Source: http://digital-lifestyles.info/2008/06/03/smartphones-bigger-security-risk-than-lappies/]]
-	Security in smartphones is a serious concern today with the increasing number of people who use it for personal and corporate purposes. Previously, smartphones employed a default-deny security model as every feature was built to provide specific services. Now, the devices are built to enable a variety of extraneous services to be run on them. This is equivalent to a default-allow model, which poses a major security risk. These risks are increased due to the fact that most smartphones enable connections to the internet or other networks that may be accessible to outsiders. This connectivity provides a channel for attackers to send or extract information from the devices. Smartphones are much more likely to be lost or stolen than desktops and laptops, which raises the issue of authenticating the identity of the user and being able to remotely lock and wipe the device.	+	Security in smartphones is a serious concern today with the increasing number of people who use it for personal and corporate purposes. Previously, smartphones employed a default-deny security model as every feature was built to provide specific services [1]. Now, the devices are built to enable a variety of extraneous services to be run on them. This is equivalent to a default-allow model, which poses a major security risk. These risks are increased due to the fact that most smartphones enable connections to the internet or other networks that may be accessible to outsiders [3]. This connectivity provides a channel for attackers to send or extract information from the devices. Smartphones are much more likely to be lost or stolen than desktops and laptops, which raises the issue of authenticating the identity of the user and being able to remotely lock and wipe the device.
	== Threats ==		== Threats ==
	=== Always-on data connections ===		=== Always-on data connections ===

Asokanp: Re-arranged sections

2009-04-13T03:46:06Z

Re-arranged sections

← Older revision		Revision as of 03:46, 13 April 2009
Line 2:		Line 2:
	Security in smartphones is a serious concern today with the increasing number of people who use it for personal and corporate purposes. Previously, smartphones employed a default-deny security model as every feature was built to provide specific services. Now, the devices are built to enable a variety of extraneous services to be run on them. This is equivalent to a default-allow model, which poses a major security risk. These risks are increased due to the fact that most smartphones enable connections to the internet or other networks that may be accessible to outsiders. This connectivity provides a channel for attackers to send or extract information from the devices. Smartphones are much more likely to be lost or stolen than desktops and laptops, which raises the issue of authenticating the identity of the user and being able to remotely lock and wipe the device.		Security in smartphones is a serious concern today with the increasing number of people who use it for personal and corporate purposes. Previously, smartphones employed a default-deny security model as every feature was built to provide specific services. Now, the devices are built to enable a variety of extraneous services to be run on them. This is equivalent to a default-allow model, which poses a major security risk. These risks are increased due to the fact that most smartphones enable connections to the internet or other networks that may be accessible to outsiders. This connectivity provides a channel for attackers to send or extract information from the devices. Smartphones are much more likely to be lost or stolen than desktops and laptops, which raises the issue of authenticating the identity of the user and being able to remotely lock and wipe the device.
	== Threats ==		== Threats ==
		+	=== Always-on data connections ===
		+	While "always-on" data connections provide a great advantage to businesses by enabling real-time communications, it also leaves smartphones vulnerable to viruses and malware [10].
		+	=== Mobile malware infections ===
		+	Software in smartphones are newer than their desktop counterparts and hence less robust against attacks [5]. 3G and Wi-Fi connectivity and increased use of e-mail and web services on smartphones in addition to SMS and MMS services have made it easy for mobile malware to propagate over-the-air [7]. It has left smartphones open to man-in-the-middle type of attacks where an attacker could send a spoof message saying a software update is available from a trusted web server and instead send malicious code [5]. The worst threat to smartphone security are worms. They are able to propagate quickly through a large number of systems via malware delivery vectors, such as Bluetooth (Worm.SymbOS.Cabir) and MMS (Worm.SymbOS.Comwar), and disrupt the functioning of mobile networks or transform a mobile network into a widely distributed network controlled by a malicious user [8].
		+	=== Developer-friendly mobile platforms ===
		+	Malware writers are discouraged by diverse, closed developer environments [7]. Open system development platforms, such as was employed by Symbian OS, on the other hand provide them with the tools necessary to create malware, thus leaving smartphones using the OS wide open to malicious attacks [7].
	=== Tradeoff between security and performance ===		=== Tradeoff between security and performance ===
	GSM and CDMA authentication algorithms are not very effective to start with and many carriers chose not to implement all the available security controls in favour of better performance [1].		GSM and CDMA authentication algorithms are not very effective to start with and many carriers chose not to implement all the available security controls in favour of better performance [1].
Line 12:		Line 18:

	Most smartphones do not require authentication when plugged in via USB and provide easy access to whatever data is stored on them [1].		Most smartphones do not require authentication when plugged in via USB and provide easy access to whatever data is stored on them [1].
-	~~=== Always-on data connections ===~~
-	~~While "always-on" data connections provide a great advantage to businesses by enabling real-time communications, it also leaves smartphones vulnerable to viruses and malware [10].~~
-	~~=== Residual data ===~~
-	The power of smartphones to support a wide variety of media and the availability of large capacity removable memory cards have enabled users to carry a large amount of sensitive data on their devices. With new smartphones becoming available on the market every so often, users are frequently upgrading to the latest and greatest device. This means that all the confidential data will need to be deleted from the outdated device. In most devices, when a file is deleted, the markers for the beginning and end of the data on the storage media are removed, with the actual data persisting until it is overwritten [1]. Such data is termed orphaned data and wipes that do not guarantee against this pose a confidentiality threat [1].
	=== Remote phone monitoring ===		=== Remote phone monitoring ===
	Software, such as FlexiSPY, have made it child's play to remotely monitor smartphones [1, 9]. It takes about 5 minutes to install, after which it collects data on all communications (eg. phone calls, text messages) and sends it to a web account from where it can be viewed conveniently [9]. It also has a remote listening feature that allows you to hear phone calls via a remote microphone [9].		Software, such as FlexiSPY, have made it child's play to remotely monitor smartphones [1, 9]. It takes about 5 minutes to install, after which it collects data on all communications (eg. phone calls, text messages) and sends it to a web account from where it can be viewed conveniently [9]. It also has a remote listening feature that allows you to hear phone calls via a remote microphone [9].
-	=== ~~Mobile malware infections~~ ===	+	=== Residual data ===
-	~~Software in smartphones are newer than their desktop counterparts and hence less robust against attacks [5]. 3G and Wi-Fi connectivity and increased use~~ of ~~e-mail and web services on~~ smartphones ~~in addition~~ to ~~SMS~~ and ~~MMS services~~ have ~~made it easy for mobile malware~~ to ~~propagate over-the-air [7]~~. ~~It has left~~ smartphones ~~open~~ to ~~man-in-~~the~~-middle type of attacks where an attacker could send a spoof message saying a software update is available from a trusted web server~~ and ~~instead send malicious code [5]~~. ~~The worst threat~~ to ~~smartphone security are worms~~. ~~They are able to propagate quickly through~~ a ~~large number of systems via malware delivery vectors~~, ~~such as Bluetooth (Worm.SymbOS.Cabir)~~ and ~~MMS (Worm.SymbOS.Comwar), and disrupt~~ the ~~functioning of mobile networks or transform a mobile network into a widely distributed network controlled by a malicious user [8].~~	+	The power of smartphones to support a wide variety of media and the availability of large capacity removable memory cards have enabled users to carry a large amount of sensitive data on their devices. With new smartphones becoming available on the market every so often, users are frequently upgrading to the latest and greatest device. This means that all the confidential data will need to be deleted from the outdated device. In most devices, when a file is deleted, the markers for the beginning and end of the data on the storage media are removed, with the actual data persisting until it is overwritten [1]. Such data is termed orphaned data and wipes that do not guarantee against this pose a confidentiality threat [1].
-	~~=== Developer-friendly mobile platforms ===~~	+
-	~~Malware writers~~ are ~~discouraged by diverse~~, ~~closed developer environments~~ [7]. Open system development platforms, such as was employed by Symbian OS, on the other hand provide them with the tools necessary to create malware, thus leaving smartphones using the OS wide open to malicious attacks [7].	+
	== Defense Mechanisms ==		== Defense Mechanisms ==
	=== Mix of process and technology ===		=== Mix of process and technology ===
	The best defense mechanism employs a mix of process and technology [1]. It involves securing the device, securing the network and additional security for accessing corporate networks and mail servers [2].		The best defense mechanism employs a mix of process and technology [1]. It involves securing the device, securing the network and additional security for accessing corporate networks and mail servers [2].
-	~~=== VPN use ===~~
-	~~Using VPN is an effective method to overcome any security deficiencies in the cellular connections of smartphones [2].~~
-	~~=== Neutral service vendor ===~~
-	~~Corporate users should know where messages and other data reside when sent from a smartphone and ensure that the service provider is a neutral vendor and will not disclose data to competitors [1].~~
	=== Start-up passcode ===		=== Start-up passcode ===
	Use devices that allow you to protect your data with passwords and set them to require passwords on start-up and also to lock automatically when not in use for a specified length of time [1]. Select strong passwords that are not easy to guess and do not choose options that allow passwords to be remembered on the device [3].		Use devices that allow you to protect your data with passwords and set them to require passwords on start-up and also to lock automatically when not in use for a specified length of time [1]. Select strong passwords that are not easy to guess and do not choose options that allow passwords to be remembered on the device [3].
-	~~=== Whitelisting and Digital Signatures ===~~
-	Users should be taught to be wary of downloadable software since they may contain malicious code [4]. They should be taught only to allow mobile software executables and installers that have digital signatures issued by certification programs like Symbian Signed, Microsoft Mobile2Market and Research In Motion Ltd.'s Controlled APIs for BlackBerry to run on their devices [7]. Create white lists and black lists of approved and restricted mobile software respectively and enforce it either by educating users of the dangers of allowing untrustworthy software to run on their devices or by using software [1, 7, 10].
-	~~=== Proper disposal ===~~
-	Outdated smartphones should be thoroughly wiped before disposal. Tools to ensure that residual data is removed should be used [1]. If the device memory cannot be erased, it should be destroyed in order to protect the confidentiality of any data stored on it [1].
	=== Configuring access control ===		=== Configuring access control ===
	Take the time to explore the security options on your smartphone and take advantage of them. If your smartphone has encryption software, make use of it to encrypt any information you are storing on your device [3]. This will prevent an attacker from being able to view your data even if he/she has physical access to it [3].		Take the time to explore the security options on your smartphone and take advantage of them. If your smartphone has encryption software, make use of it to encrypt any information you are storing on your device [3]. This will prevent an attacker from being able to view your data even if he/she has physical access to it [3].

	Businesses should ensure that the tools they use to manage their devices supports encryption of the smartphones' onboard storage memory and should employ remote setup and configuration capabilities to safeguard their devices and data [10].		Businesses should ensure that the tools they use to manage their devices supports encryption of the smartphones' onboard storage memory and should employ remote setup and configuration capabilities to safeguard their devices and data [10].
		+	=== Whitelisting and digital signatures ===
		+	Users should be taught to be wary of downloadable software since they may contain malicious code [4]. They should be taught only to allow mobile software executables and installers that have digital signatures issued by certification programs like Symbian Signed, Microsoft Mobile2Market and Research In Motion Ltd.'s Controlled APIs for BlackBerry to run on their devices [7]. Create white lists and black lists of approved and restricted mobile software respectively and enforce it either by educating users of the dangers of allowing untrustworthy software to run on their devices or by using software [1, 7, 10].
		+	=== VPN use ===
		+	Using VPN is an effective method to overcome any security deficiencies in the cellular connections of smartphones [2].
		+	=== Neutral service vendor ===
		+	Corporate users should know where messages and other data reside when sent from a smartphone and ensure that the service provider is a neutral vendor and will not disclose data to competitors [1].
	=== Disable remote connectivity ===		=== Disable remote connectivity ===
	Make sure to disable Bluetooth and any other wireless technologies that enable connections to other devices or computers when not in use to avoid unauthorized access of your device [3].		Make sure to disable Bluetooth and any other wireless technologies that enable connections to other devices or computers when not in use to avoid unauthorized access of your device [3].
Line 45:		Line 43:

	Networks should install antivirus software on the internet server through which MMS passes in order to protect their users from worms that propagate via MMS [8].		Networks should install antivirus software on the internet server through which MMS passes in order to protect their users from worms that propagate via MMS [8].
		+	=== Keep software up to date ===
		+	Smartphone users should be diligent in installing patches and keeping their OS software up to date so that their device is protected against attackers trying to take advantage of known problems or vulnerabilities [3].
	=== Remote locking/backups ===		=== Remote locking/backups ===
	Since smartphones are vulnerable to getting lost or stolen, businesses should make sure that their smartphones are remotely accessible by the IT staff so that they can be locked and wiped in case such a situation arises [11]. A tool that enables this over text messaging is preferable as it will allow the device to be secured even if it does not have an active data connection [10]. Data should also be backed up on enterprise servers so that it can be retrieved to a new device in case of one of these situations.		Since smartphones are vulnerable to getting lost or stolen, businesses should make sure that their smartphones are remotely accessible by the IT staff so that they can be locked and wiped in case such a situation arises [11]. A tool that enables this over text messaging is preferable as it will allow the device to be secured even if it does not have an active data connection [10]. Data should also be backed up on enterprise servers so that it can be retrieved to a new device in case of one of these situations.
	=== Physical/Personal security ===		=== Physical/Personal security ===
	Smartphone users should make sure not to leave their devices unattended in public or easily accessible areas in order to prevent attackers from extracting or corrupting information on them [3]. They should also be careful about posting their phone numbers online in order to minimize the number of people who have access to their information and limit risk of attacks and spam [4].		Smartphone users should make sure not to leave their devices unattended in public or easily accessible areas in order to prevent attackers from extracting or corrupting information on them [3]. They should also be careful about posting their phone numbers online in order to minimize the number of people who have access to their information and limit risk of attacks and spam [4].
-	=== ~~Keep software up to date~~ ===	+	=== Proper disposal ===
-	~~Smartphone users~~ should be ~~diligent in installing patches and keeping their OS software up~~ to ~~date so~~ that ~~their device~~ is ~~protected against attackers trying~~ to ~~take advantage~~ of ~~known problems or vulnerabilities~~ [3].	+	Outdated smartphones should be thoroughly wiped before disposal. Tools to ensure that residual data is removed should be used [1]. If the device memory cannot be erased, it should be destroyed in order to protect the confidentiality of any data stored on it [1].
	== References ==		== References ==
	1. Espenschied, Jon. "Ten dangerous claims about smart phone security." Computerworld. 27 Mar. 2007. 5 Apr. 2009 <http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9014118>.		1. Espenschied, Jon. "Ten dangerous claims about smart phone security." Computerworld. 27 Mar. 2007. 5 Apr. 2009 <http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9014118>.