General security

Mobile Security – Basic Challenges

Rorot
December 21, 2012 by
Rorot

[highlight color="blue"]Interested in formal iPhone forensics training? Check out our 3 day iPhone and iOS forensics course now available. [/highlight]

"Data stored on the device is worth more than the device"

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Introduction

The above quote might well apply to desktops and laptops as well. But it's much more probable that your mobile device might be used by someone or lost, compared to your laptop or desktop. This fact changes the entire scenario. With the advent of mobile phones and smart phones, the game has enormously changed in the last few years with respect to the ease with which tasks are accomplished. This article focuses on various security-related aspects which are involved with increased use of mobiles. Before jumping into the security concerns, here is a small introduction about how the mobile technology has slowly taken over the whole world.

The first hand-held mobile device was demonstrated by two Motorola employees in 1973. After 10 years, i.e. in 1983, the first mobile was commercially made available. From 1990 to the early 2000s, mobile phones spread rapidly; people used it mainly for communication. In the last 10 years, with the rapid increase in internet usage, mobiles started accommodating the features of personal computers and finally took a new shape with the introduction of "smart phones." Today mobiles have penetrated into each and every corner of this world, serving a variety of tasks including mobile applications, GPS navigation, storage, entertainment, etc. In this article we will mainly focus on mobile applications and their security concerns.

Mobile applications

Mobile phone applications extend the functionality of mobile phones. Everything is readily available and the tasks which were previously accomplished in a desktop world are now available on mobile just with a single click. People now use mobile applications to assist them in several day-to-day activities and enterprises are in a mad rush to develop the mobile apps to reach out to the users in a better way.

What is a mobile app anyway?

A mobile app is a software application developed to run on mobiles. Each mobile operating system has a corresponding distribution platform from where these mobile apps can be downloaded. For example, Android apps can be downloaded from Google Play and iPhone apps can be downloaded from the Apple App Store. So an individual or a company can develop a mobile application and upload it to the distribution platform and advertise it so that users can download and use it. The general demand and the ease of development of these mobile apps have resulted in their enormous growth. So these days we have a mobile app for everything – fox example, mobile banking, online shopping, ticket purchases, games etc. The real question is how secure are the mobile apps that deal with sensitive information. So let's have a look at general mobile security-related issues which are common to all the platforms.

Mobile Security

Mobile security is increasingly playing a crucial role as more sensitive and personal information is now stored in the mobile phones. Security is considered as a crucial and central aspect during the unveiling of any Smartphone. Moreover, with the corporate world embracing the mobiles in a big way, the focus is very much on the security of these devices. Attacks that have been seen on PCs are now slowly making their way onto the mobiles. At a higher level, mobile-related attacks can be classified into these categories:

Attacks based on OS--Exploiting the loopholes present at OS level. So the concerned vendor has to release a patch to fix the issue.

Attacks based on mobile apps--Exploiting the security holes present in mobile application, which are a result of poor coding/development.

Attacks based on communication networks--Attacks on GSM, Wi-Fi, Bluetooth, etc.

Malware-related attacks--Malware attacks on mobiles have been rising continuously. A successful attack can steal the photos on your mobile, hijack the camera click, hack the emails, and delete the files on the mobile.

Let's now move on and talk a little bit more about the current issues related to mobile security. The following is a list of the main issues in the field of mobile security. Please note that this is not the complete list and it is not in any particular order. Let's have brief look into the security issues which revolve around the mobile devices currently.

Physical security

Physical security is one of the biggest challenges to the designers of mobile phones and their applications. Mobile phones are lost, stolen, and borrowed (many times by others to make a call or view the photos). When a mobile device is lost, the real concern is not about the cost of the mobile but the amount of sensitive data that is present on that mobile. Imagine that the personal phone which is provided by your employer for enterprise activities falls into the hands of the wrong person, who tweaks the data present in it. Imagine a situation where your neighbor asks your mobile for a quick call and then downloads a malware onto that phone (by the way, it just takes a few seconds to do that). These issues are rather less when you are dealing with a desktop, because it would be unusual if you lose your desktop computer. So the bottom line is that mobile applications and systems are to be designed assuming that untrusted parties will be granted access to the phone.

No such thing as "logging" into mobile

In the desktop world, each user supplies a username and password and logs into the system where he gets access to his environment. Each user has a different environment and thus the privileges and data that each user has are separated. This ensures that one account doesn't have access to the data of other account. But this concept is not valid in a mobile world because there is nothing like logging into a mobile for each user. So sharing and accessing of data between applications is a big concern.


Secure storage of data on the phone


In addition to the sensitive files present on your mobile (photos, contacts, documents, etc.), mobile applications also store sensitive information like authentication tokens, password-related files etc. It's very important that these files are protected. One way is by storing them securely on the mobile so that they are not accessible or usable. For instance, password files must be stored in encrypted fashion so that even after accessing those files they are of not much use.

Mobile browsing environment

In a mobile browser, it is not possible to see the entire URL; sometimes the URL can't be seen at all. This paves the way for hackers to unleash phishing-related attacks. So the display space on a mobile device increases the possibility of phishing attacks manyfold. The fact that people are more inclined to follow links on mobile blindly adds to this problem. So in this mobile browsing environment, it's impossible to expect a normal user to verify every link before following it.

Isolating the applications

The range of mobile applications that we install today is diverse: social applications to connect to family and friends, enterprise applications to manage your work, banking applications to transfer funds, gaming applications for entertainment, and many more. So it's very important that a social networking app does not gain access to your corporate app or that a gaming app does not gain access to the banking app. In short, application isolation is crucial. This would depend on the factors like OS permissions in different platforms and how these permissions are granted. Exploiting the existing mechanisms to gain unauthorized access is one area where hackers are actively targeting.

Update Process

Operating systems require patches/updates to resolve any security issues that are discovered. OS's like Windows look continuously for updates and install them. But when it comes to mobile OS the patching process is not as simple as that. When a bug is reported in a particular OS, the OS vendor comes with a patch. He then publishes this information to all the carriers (like AT&T, Sprint, and Airtel etc.). Now these carriers will not be proactive in installing these updates because there is every chance that during patching processes other applications might break down. Hence if these carriers find such cases with the patching, they hold it on for some time without applying the patch/update immediately.

Proper Authentication

The authentication process is very important in mobile phones because, as explained earlier, it is just a matter of seconds before someone asks your phone and does something malicious and you have no idea about it. In the cases where a company offers extranet access to its corporate network through mobiles, there should be a means of multifactor authentication because if that mobile falls into the hands of the wrong guys, it would expose the internal network of the company. Multifactor authentication needs to be implemented and improved in order to solve many issues.

Poor coding of mobile apps

Poor coding or development practices of the developers could lead to severe consequences. For example: hard coding of sensitive data like passwords, transmission of information in unencrypted channel, weak server side controls, improper session handling, etc. Many of the vulnerabilities that apply to the web will apply to mobile applications as well.

Bluetooth and other attacks

Bluetooth and other drivers pose a security threat to the overall security posture of the mobiles. We have seen in the past about the vulnerabilities reported on Bluetooth and other third-party drivers. Since these have system access, by exploiting a critical vulnerability an attacker might even get access to everything on a mobile. So even if the underlying operating system has excellent built-in mechanisms that do not easily grant system access, these vulnerable third-party drivers would be a setback at any time.

Malware Attacks

Many surveys point out that malware attacks on mobile phones is on the rise. If you are someone who browses through tech news every now and then, you must have seen some news about android phones getting infected by malware in a big way. Malware is something which harms the system in which in resides. With a new computing environment, a new class of threats in new forms arise. It is very important that these issues are addressed proactively leveraging on our experiences of the 1990s. Reports have also been published which forecast the situation to be worse in the coming year and some say that 2013 will be the" year of mobile malware"!

Jailbreaking the phones

Many users jailbreak the phone in order to run applications for free or to run applications which are not authorized by the vendor. Jailbreaking a phone removes the restrictions imposed on a device by its vendor. Hence jailbroken devices are more susceptible to computer viruses and malware. Downloading the apps from an unauthorized third-party store will only put your mobile at risk.

New features like NFC pose a serious threat

NFC (Neat Field Communication) is a technology that allows you to beam the content to nearby devices and lets you use your mobile as a wallet to purchase items. It has been demonstrated in Black hat conferences that by brushing a tag with an embedded NFC chip over an android phone, it is possible to take over the control of the phone. So with increase in technology, you will need to address more complex attack scenarios. In future, many more advanced technologies like these are expected to come and they bring a whole lot of new issues to address.

User awareness

User awareness is major factor in controlling many of the attacks and, when it comes to mobiles, it's even more important. There are many things from the user end which he should be careful about: having a passcode for the device and looking out for the permissions granted to application (a gaming application may not need access to dialling), not following the links sent by unknown persons.

As the time progresses, the industry has more challenges to face and answer. For instance new ideas pose a security threat like BYOD (Bring Your Own Device) where employees bring their personal mobile devices to their work place. Since there are huge number of devices out there, each having its own security issues, it's a huge task for any organization to guarantee the corporate equivalent of privacy on these devices. These are some of the basic issues that are involved in current mobile security. If anyone of you has more points to make, I sincerely ask that you comment and share with the community.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.


Rorot
Rorot

Rorot (@rorot333) is an Information Security Professional with 5.5 years of experience in Penetration testing & Vulnerability assessments of web and mobile applications. He is currently a security researcher at Infosec Institute. Twitter: @rorot333 Email: rorot33@gmail.com