Security in Smartphones

From Computing and Software Wiki

(Difference between revisions)
Jump to: navigation, search
(Creating Security in Smartphones wiki page as part of 4C03 research project.)
m (Fixed an inline referencing error)
 
(5 intermediate revisions not shown)
Line 1: Line 1:
[[Image:smartphone-security-risk-lg.jpg|frame|Source: http://digital-lifestyles.info/2008/06/03/smartphones-bigger-security-risk-than-lappies/]]
[[Image:smartphone-security-risk-lg.jpg|frame|Source: http://digital-lifestyles.info/2008/06/03/smartphones-bigger-security-risk-than-lappies/]]
-
Security in smartphones is a serious concern today with the increasing number of people who use it for personal and corporate purposes. Previously, smartphones employed a default-deny security model as every feature was built to provide specific services.  Now, the devices are built to enable a variety of extraneous services to be run on them. This is equivalent to a default-allow model, which poses a major security risk. These risks are increased due to the fact that most smartphones enable connections to the internet or other networks that may be accessible to outsiders. This connectivity provides a channel for attackers to send or extract information from the devices. Smartphones are much more likely to be lost or stolen than desktops and laptops, which raises the issue of authenticating the identity of the user and being able to remotely lock and wipe the device.
+
Security in smartphones is a serious concern today with the increasing number of people who use it for personal and corporate purposes. Previously, smartphones employed a default-deny security model as every feature was built to provide specific services [1].  Now, the devices are built to enable a variety of extraneous services to be run on them. This is equivalent to a default-allow model, which poses a major security risk. These risks are increased due to the fact that most smartphones enable connections to the internet or other networks that may be accessible to outsiders [3]. This connectivity provides a channel for attackers to send or extract information from the devices. Smartphones are much more likely to be lost or stolen than desktops and laptops, which raises the issue of authenticating the identity of the user and being able to remotely lock and wipe the device.
== Threats ==
== Threats ==
 +
=== Always-on data connections ===
 +
While "always-on" data connections provide a great advantage to businesses by enabling real-time communications, it also leaves smartphones vulnerable to viruses and malware [10].
 +
=== Mobile malware infections ===
 +
Software in smartphones are newer than their desktop counterparts and hence less robust against attacks [5]. 3G and Wi-Fi connectivity and increased use of e-mail and web services on smartphones in addition to SMS and MMS services have made it easy for mobile malware to propagate over-the-air [7]. It has left smartphones open to man-in-the-middle type of attacks where an attacker could send a spoof message saying a software update is available from a trusted web server and instead send malicious code [5]. The worst threat to smartphone security are worms. They are able to propagate quickly through a large number of systems via malware delivery vectors, such as Bluetooth (Worm.SymbOS.Cabir) and MMS (Worm.SymbOS.Comwar), and disrupt the functioning of mobile networks or transform a mobile network into a widely distributed network controlled by a malicious user [8].
 +
=== Developer-friendly mobile platforms ===
 +
Malware writers are discouraged by diverse, closed developer environments [7]. Open system development platforms, such as was employed by Symbian OS,  on the other hand provide them with the tools necessary to create malware, thus leaving smartphones using the OS wide open to malicious attacks [7].
 +
=== Tradeoff between security and performance ===
 +
GSM and CDMA authentication algorithms are not very effective to start with and many carriers chose not to implement all the available security controls in favour of better performance [1].
 +
=== Unencrypted transmissions ===
 +
Smartphones that boast "end to end" encrypted communications are not entirely truthful. The communications are encrypted from the phone to the phone company or service provider's servers, but beyond that they may be transmitted unencrypted over the public internet [1].
 +
=== Administrators with root access ===
 +
Although service providers and software packages provide a measure of access control, administrators with root access to smartphone application servers can always gain access to users' information [1].
 +
=== Unauthorized access ===
 +
If a corporate user's smartphone is lost or stolen, it poses a major security problem as not only is the data stored on the device compromised, but also account/VPN information and other data exposed over the network by client-server based applications [10].
 +
 +
Most smartphones do not require authentication when plugged in via USB and provide easy access to whatever data is stored on them [1].
 +
=== Remote phone monitoring ===
 +
Software, such as FlexiSPY, have made it child's play to remotely monitor smartphones [1, 9]. It takes about 5 minutes to install, after which it collects data on all communications (eg. phone calls, text messages) and sends it to a web account from where it can be viewed conveniently [9]. It also has a remote listening feature that allows you to hear phone calls via a remote microphone [9].
 +
=== Residual data ===
 +
The power of smartphones to support a wide variety of media and the availability of large capacity removable memory cards have enabled users to carry a large amount of sensitive data on their devices. With new smartphones becoming available on the market every so often, users are frequently upgrading to the latest and greatest device. This means that all the confidential data will need to be deleted from the outdated device. In most devices, when a file is deleted, the markers for the beginning and end of the data on the storage media are removed, with the actual data persisting until it is overwritten [1]. Such data is termed orphaned data and wipes that do not guarantee against this pose a confidentiality threat [1].
== Defense Mechanisms ==
== Defense Mechanisms ==
-
== Security Issues in Smartphones Versus in Desktops ==
+
=== Mix of process and technology ===
 +
The best defense mechanism employs a mix of process and technology [1]. It involves securing the device, securing the network and additional security for accessing corporate networks and mail servers [2].
 +
=== Start-up passcode ===
 +
Use devices that allow you to protect your data with passwords and set them to require passwords on start-up and also to lock automatically when not in use for a specified length of time [1]. Select strong passwords that are not easy to guess and do not choose options that allow passwords to be remembered on the device [3].
 +
=== Configuring access control ===
 +
Take the time to explore the security options on your smartphone and take advantage of them. If your smartphone has encryption software, make use of it to encrypt any information you are storing on your device [3]. This will prevent an attacker from being able to view your data even if he/she has physical access to it [3].
 +
 
 +
Businesses should ensure that the tools they use to manage their devices supports encryption of the smartphones' onboard storage memory and should employ remote setup and configuration capabilities to safeguard their devices and data [10].
 +
=== Whitelisting and digital signatures ===
 +
Users should be taught to be wary of downloadable software since they may contain malicious code [4]. They should be taught only to allow mobile software executables and installers that have digital signatures issued by certification programs like Symbian Signed, Microsoft Mobile2Market and Research In Motion Ltd.'s Controlled APIs for BlackBerry to run on their devices [7]. Create white lists and black lists of approved and restricted mobile software respectively and enforce it either by educating users of the dangers of allowing untrustworthy software to run on their devices or by using software [1, 7, 10].
 +
=== VPN use ===
 +
Using VPN is an effective method to overcome any security deficiencies in the cellular connections of smartphones [2].
 +
=== Neutral service vendor ===
 +
Corporate users should know where messages and other data reside when sent from a smartphone and ensure that the service provider is a neutral vendor and will not disclose data to competitors [1].
 +
=== Disable remote connectivity ===
 +
Make sure to disable Bluetooth and any other wireless technologies that enable connections to other devices or computers when not in use to avoid unauthorized access of your device [3].
 +
=== Device-resident/Network mobile security programs ===
 +
Install antivirus and SMS antispam software from sources like AirScanner, F-Secure CCorp., McAfee Inc., Symantec Corp., Trend Micro Inc. and Sophos in order to protect your device against mobile specific threats such as mobile OS Trojans and spam SMSs [7].
 +
 
 +
Networks should install antivirus software on the internet server through which MMS passes in order to protect their users from worms that propagate via MMS [8].
 +
=== Keep software up to date ===
 +
Smartphone users should be diligent in installing patches and keeping their OS software up to date so that their device is protected against attackers trying to take advantage of known problems or vulnerabilities [3].
 +
=== Remote locking/backups ===
 +
Since smartphones are vulnerable to getting lost or stolen, businesses should make sure that their smartphones are remotely accessible by the IT staff so that they can be locked and wiped in case such a situation arises [10]. A tool that enables this over text messaging is preferable as it will allow the device to be secured even if it does not have an active data connection [10]. Data should also be backed up on enterprise servers so that it can be retrieved to a new device in case of one of these situations.
 +
=== Physical/Personal security ===
 +
Smartphone users should make sure not to leave their devices unattended in public or easily accessible areas in order to prevent attackers from extracting or corrupting information on them [3]. They should also be careful about posting their phone numbers online in order to minimize the number of people who have access to their information and limit risk of attacks and spam [4].
 +
=== Proper disposal ===
 +
Outdated smartphones should be thoroughly wiped before disposal. Tools to ensure that residual data is removed should be used [1]. If the device memory cannot be erased, it should be destroyed in order to protect the confidentiality of any data stored on it [1].
== References ==
== References ==
 +
1. Espenschied, Jon. "Ten dangerous claims about smart phone security." Computerworld. 27 Mar. 2007. 5 Apr. 2009 <http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9014118>.
 +
 +
2. Hughes, Steven. "How do you handle mobile security?" SmartphoneMag.com. 1 Aug. 2007. 5 Apr. 2009 <http://www.smartphonemag.com/cms/blogs/38/how_do_you_handle_mobile_security>.
 +
 +
3. McDowell, Mindi, and Matt Lytle. "Cybersecurity for Electronic Devices." US-CERT. 20 Aug. 2008. United Stated Computer Emergency Readiness Team. 5 Apr. 2009 <http://www.us-cert.gov/cas/tips/ST05-017.html>.
 +
 +
4. McDowell, Mindi. "Defending Cell Phones and PDAs Against Attack." US-CERT. 27 Jan. 2009. United Stated Computer Emergency Readiness Team. 5 Apr. 2009 <http://www.us-cert.gov/cas/tips/ST06-007.html>.
 +
 +
5. Mills, Elinor. "Mobile: The holy grail at security conference." CNET News. 20 Mar. 2009. 5 Apr. 2009 <http://news.cnet.com/security/?keyword=smartphones>.
 +
 +
6. "Mobile device security:Findings." Provider Notes. 13 Feb. 2007. University of Pennsylvania. 5 Apr. 2009 <http://prowiki.isc.upenn.edu/wiki/Mobile_device_security:Findings>.
 +
 +
7. Phifer, Lisa. "Smartphone security: The growing threat of mobile malware." SearchSecurity. 11 Mar. 2008. 5 Apr. 2009 <http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1337531,00.html>.
 +
 +
8. Shevchenko, Alisa. "An overview of mobile device security." Viruslist.com. 21 Sept. 2005. 5 Apr. 2009 <http://www.viruslist.com/en/analysis?pubid=170773606>.
 +
 +
9. "SPY FAQ." FlexiSPY. 5 Apr. 2009 <http://www.flexispy.com/faq.htm#03>.
 +
 +
10. Temporale, Mike. "Smartphones: productivity booster or security time bomb?" Computing Unplugged Magazine. 5 Apr. 2009 <http://www.computingunplugged.com/issues/issue200805/00002179002>.
== See Also ==
== See Also ==
 +
1. [[Malware]]
 +
 +
2. [[Man in the Middle Attack]]
 +
 +
3. [[Corporate Security and IT Policies]]
 +
 +
4. [[Data Encryption for Storage Devices]]
 +
 +
5. [[3G Communications]]
== External Links ==
== External Links ==
 +
1. [http://research.microsoft.com/en-us/um/people/helenw/papers/smartphone.pdf Smart Phone Attacks and Defenses]
 +
 +
2. [http://www.flexispy.com/ FlexiSPY]
 +
--[[User:Asokanp|Asokanp]] 20:00, 12 April 2009 (EDT)
--[[User:Asokanp|Asokanp]] 20:00, 12 April 2009 (EDT)

Current revision as of 14:54, 13 April 2009

Security in smartphones is a serious concern today with the increasing number of people who use it for personal and corporate purposes. Previously, smartphones employed a default-deny security model as every feature was built to provide specific services [1]. Now, the devices are built to enable a variety of extraneous services to be run on them. This is equivalent to a default-allow model, which poses a major security risk. These risks are increased due to the fact that most smartphones enable connections to the internet or other networks that may be accessible to outsiders [3]. This connectivity provides a channel for attackers to send or extract information from the devices. Smartphones are much more likely to be lost or stolen than desktops and laptops, which raises the issue of authenticating the identity of the user and being able to remotely lock and wipe the device.

Contents

Threats

Always-on data connections

While "always-on" data connections provide a great advantage to businesses by enabling real-time communications, it also leaves smartphones vulnerable to viruses and malware [10].

Mobile malware infections

Software in smartphones are newer than their desktop counterparts and hence less robust against attacks [5]. 3G and Wi-Fi connectivity and increased use of e-mail and web services on smartphones in addition to SMS and MMS services have made it easy for mobile malware to propagate over-the-air [7]. It has left smartphones open to man-in-the-middle type of attacks where an attacker could send a spoof message saying a software update is available from a trusted web server and instead send malicious code [5]. The worst threat to smartphone security are worms. They are able to propagate quickly through a large number of systems via malware delivery vectors, such as Bluetooth (Worm.SymbOS.Cabir) and MMS (Worm.SymbOS.Comwar), and disrupt the functioning of mobile networks or transform a mobile network into a widely distributed network controlled by a malicious user [8].

Developer-friendly mobile platforms

Malware writers are discouraged by diverse, closed developer environments [7]. Open system development platforms, such as was employed by Symbian OS, on the other hand provide them with the tools necessary to create malware, thus leaving smartphones using the OS wide open to malicious attacks [7].

Tradeoff between security and performance

GSM and CDMA authentication algorithms are not very effective to start with and many carriers chose not to implement all the available security controls in favour of better performance [1].

Unencrypted transmissions

Smartphones that boast "end to end" encrypted communications are not entirely truthful. The communications are encrypted from the phone to the phone company or service provider's servers, but beyond that they may be transmitted unencrypted over the public internet [1].

Administrators with root access

Although service providers and software packages provide a measure of access control, administrators with root access to smartphone application servers can always gain access to users' information [1].

Unauthorized access

If a corporate user's smartphone is lost or stolen, it poses a major security problem as not only is the data stored on the device compromised, but also account/VPN information and other data exposed over the network by client-server based applications [10].

Most smartphones do not require authentication when plugged in via USB and provide easy access to whatever data is stored on them [1].

Remote phone monitoring

Software, such as FlexiSPY, have made it child's play to remotely monitor smartphones [1, 9]. It takes about 5 minutes to install, after which it collects data on all communications (eg. phone calls, text messages) and sends it to a web account from where it can be viewed conveniently [9]. It also has a remote listening feature that allows you to hear phone calls via a remote microphone [9].

Residual data

The power of smartphones to support a wide variety of media and the availability of large capacity removable memory cards have enabled users to carry a large amount of sensitive data on their devices. With new smartphones becoming available on the market every so often, users are frequently upgrading to the latest and greatest device. This means that all the confidential data will need to be deleted from the outdated device. In most devices, when a file is deleted, the markers for the beginning and end of the data on the storage media are removed, with the actual data persisting until it is overwritten [1]. Such data is termed orphaned data and wipes that do not guarantee against this pose a confidentiality threat [1].

Defense Mechanisms

Mix of process and technology

The best defense mechanism employs a mix of process and technology [1]. It involves securing the device, securing the network and additional security for accessing corporate networks and mail servers [2].

Start-up passcode

Use devices that allow you to protect your data with passwords and set them to require passwords on start-up and also to lock automatically when not in use for a specified length of time [1]. Select strong passwords that are not easy to guess and do not choose options that allow passwords to be remembered on the device [3].

Configuring access control

Take the time to explore the security options on your smartphone and take advantage of them. If your smartphone has encryption software, make use of it to encrypt any information you are storing on your device [3]. This will prevent an attacker from being able to view your data even if he/she has physical access to it [3].

Businesses should ensure that the tools they use to manage their devices supports encryption of the smartphones' onboard storage memory and should employ remote setup and configuration capabilities to safeguard their devices and data [10].

Whitelisting and digital signatures

Users should be taught to be wary of downloadable software since they may contain malicious code [4]. They should be taught only to allow mobile software executables and installers that have digital signatures issued by certification programs like Symbian Signed, Microsoft Mobile2Market and Research In Motion Ltd.'s Controlled APIs for BlackBerry to run on their devices [7]. Create white lists and black lists of approved and restricted mobile software respectively and enforce it either by educating users of the dangers of allowing untrustworthy software to run on their devices or by using software [1, 7, 10].

VPN use

Using VPN is an effective method to overcome any security deficiencies in the cellular connections of smartphones [2].

Neutral service vendor

Corporate users should know where messages and other data reside when sent from a smartphone and ensure that the service provider is a neutral vendor and will not disclose data to competitors [1].

Disable remote connectivity

Make sure to disable Bluetooth and any other wireless technologies that enable connections to other devices or computers when not in use to avoid unauthorized access of your device [3].

Device-resident/Network mobile security programs

Install antivirus and SMS antispam software from sources like AirScanner, F-Secure CCorp., McAfee Inc., Symantec Corp., Trend Micro Inc. and Sophos in order to protect your device against mobile specific threats such as mobile OS Trojans and spam SMSs [7].

Networks should install antivirus software on the internet server through which MMS passes in order to protect their users from worms that propagate via MMS [8].

Keep software up to date

Smartphone users should be diligent in installing patches and keeping their OS software up to date so that their device is protected against attackers trying to take advantage of known problems or vulnerabilities [3].

Remote locking/backups

Since smartphones are vulnerable to getting lost or stolen, businesses should make sure that their smartphones are remotely accessible by the IT staff so that they can be locked and wiped in case such a situation arises [10]. A tool that enables this over text messaging is preferable as it will allow the device to be secured even if it does not have an active data connection [10]. Data should also be backed up on enterprise servers so that it can be retrieved to a new device in case of one of these situations.

Physical/Personal security

Smartphone users should make sure not to leave their devices unattended in public or easily accessible areas in order to prevent attackers from extracting or corrupting information on them [3]. They should also be careful about posting their phone numbers online in order to minimize the number of people who have access to their information and limit risk of attacks and spam [4].

Proper disposal

Outdated smartphones should be thoroughly wiped before disposal. Tools to ensure that residual data is removed should be used [1]. If the device memory cannot be erased, it should be destroyed in order to protect the confidentiality of any data stored on it [1].

References

1. Espenschied, Jon. "Ten dangerous claims about smart phone security." Computerworld. 27 Mar. 2007. 5 Apr. 2009 <http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9014118>.

2. Hughes, Steven. "How do you handle mobile security?" SmartphoneMag.com. 1 Aug. 2007. 5 Apr. 2009 <http://www.smartphonemag.com/cms/blogs/38/how_do_you_handle_mobile_security>.

3. McDowell, Mindi, and Matt Lytle. "Cybersecurity for Electronic Devices." US-CERT. 20 Aug. 2008. United Stated Computer Emergency Readiness Team. 5 Apr. 2009 <http://www.us-cert.gov/cas/tips/ST05-017.html>.

4. McDowell, Mindi. "Defending Cell Phones and PDAs Against Attack." US-CERT. 27 Jan. 2009. United Stated Computer Emergency Readiness Team. 5 Apr. 2009 <http://www.us-cert.gov/cas/tips/ST06-007.html>.

5. Mills, Elinor. "Mobile: The holy grail at security conference." CNET News. 20 Mar. 2009. 5 Apr. 2009 <http://news.cnet.com/security/?keyword=smartphones>.

6. "Mobile device security:Findings." Provider Notes. 13 Feb. 2007. University of Pennsylvania. 5 Apr. 2009 <http://prowiki.isc.upenn.edu/wiki/Mobile_device_security:Findings>.

7. Phifer, Lisa. "Smartphone security: The growing threat of mobile malware." SearchSecurity. 11 Mar. 2008. 5 Apr. 2009 <http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1337531,00.html>.

8. Shevchenko, Alisa. "An overview of mobile device security." Viruslist.com. 21 Sept. 2005. 5 Apr. 2009 <http://www.viruslist.com/en/analysis?pubid=170773606>.

9. "SPY FAQ." FlexiSPY. 5 Apr. 2009 <http://www.flexispy.com/faq.htm#03>.

10. Temporale, Mike. "Smartphones: productivity booster or security time bomb?" Computing Unplugged Magazine. 5 Apr. 2009 <http://www.computingunplugged.com/issues/issue200805/00002179002>.

See Also

1. Malware

2. Man in the Middle Attack

3. Corporate Security and IT Policies

4. Data Encryption for Storage Devices

5. 3G Communications

External Links

1. Smart Phone Attacks and Defenses

2. FlexiSPY

--Asokanp 20:00, 12 April 2009 (EDT)

Personal tools