Mobile security in Cyber Security

Date post: 21-Mar-2017
Upload: geo-marian
MOBILE - SECURITY Cyber and Information Security (Network and Communication Security) Geo S. Mariyan (Master in Computer Science) University of Mumbai.

Introduction

• Mobile security is the protection of smartphones, tablets, laptops and other portable computing devices, and the networks they connect to, from threats and vulnerabilities associated with wireless computing. Mobile security is also known as wireless security.

• Mobile security / Mobile phone security has become increasingly important in mobile computing.

• It is of particular concern as it relates to the security of personal and business information now stored on smart phones.

• Rapid advances in low-power computing, communications, and storage technologies continue to broaden the horizons of mobile devices, such as cell phones and personal digital assistants (PDAs).

Security Issue: Mobile Virus

• A cell-phone virus is basically the same thing as a computer virus: an unwanted executable file that "infects" a device and then copies itself to other devices.

1. A computer virus or worm spreads through e-mail attachments and Internet downloads.

2. A cell-phone virus or worm spreads via Internet downloads, MMS attachments and Bluetooth transfers.

• Current phone-to-phone viruses almost exclusively infect phones running the Symbian operating system.

• Standard operating systems and Bluetooth technology will enable cell phone viruses to spread either through SMS or by sending Bluetooth requests when cell phones are physically close enough.

SPREADING OF VIRUS

Phones that can only make and receive calls are not at risk. Only smart phones with a Bluetooth connection and data capabilities can receive a cell-phone virus.

These viruses spread primarily in three ways:

1. Internet download - The user downloads an infected file to the phone by way of a PC or the phone's own Internet connection.

2. Bluetooth wireless connection - The user receives a virus via Bluetooth when the phone is in discoverable mode, meaning it can be seen by other Bluetooth-enabled phones.

3. Multimedia Messaging Service - The virus is an attachment to an MMS text message.

CURRENT STATUS OF MOBILE MALWARE

• Mobile malware is malicious software that targets mobile phones or wireless-enabled personal digital assistants (PDAs), causing the collapse of the system and loss or leakage of confidential information.

• As wireless phones and PDA networks have become more and more common and have grown in complexity, it has become increasingly difficult to ensure their safety and security against electronic attacks in the form of viruses or other malware.

• Malicious software ("malware") of this kind is designed specifically to target a mobile device system, such as a tablet or smartphone, to damage or disrupt the device.

•  Most mobile malware is designed to disable a mobile device, allow a malicious user to remotely control the device or to steal personal information stored on the device.

THREATS OF MOBILE PHONE VIRUS

A virus might access and/or delete all of the contact information and calendar entries in your phone. It might send an infected MMS message to every number in your phone book.

The top three areas of concern for mobile users are receiving inappropriate content, fraudulent increases in phone bills and loss of important information stored on the handset.

Mobile Payment Application Security.

• Mobile payment applications need a secure mechanism to protect the credit card information of the users.

• Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, in an electronic communication.

• Credit and debit card payment and online fraud are highly profitable criminal activities that are increasingly dominated by card-not-present transactions.

Mobile Database Application (MDA)

• A mobile database is a part of a replica of the central database

• The user first makes modifications to the mobile database

• Synchronization occurs between the server and the mobile device to ensure the data are the same

• In order to complete the synchronization, a publication is needed. A publication is the meta-data package of information about which data is replicated.

• With the publication, the database server can synchronize with the mobile database correctly. The publication can only be accessed by the users after they are authenticated.

Information Risks

• The mobile device may be stolen by a malicious attacker. Then the attacker may try to access the data stored in the device.

• The sensitive data transferred through the network may be intercepted by a malicious attacker.

• Users who have no account for the mobile application may try to access the server without permission, or they may try to log in with other people's accounts to obtain their personal information.

• Malicious users of the mobile application may try to modify data on the server even though they have not been granted sufficient permissions, or they may try to access data they are not allowed to obtain.

Methods to Ensure Security and Privacy in Mobile Applications

a) Secure Network Connection

b) Encrypted Local Data

c) User Authentication

d) Grant Minimum Sufficient Permissions

e) Separate User Accounts

f) Application-Provided Security Mechanisms

Secure Network Connection

• Network Security is the process of taking physical and software preventative measures to protect underlying networking infrastructure from unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure, thereby creating a secure platform for computer

• To ensure that sensitive data transferred through the network cannot be obtained by a malicious attacker, we can choose a secure network connection.

• We can use HTTPS instead of HTTP because all the traffic is encrypted, so the data is protected.

Encrypted Local Data

• Because the mobile device may be lost or stolen, it is also necessary to put mechanisms in place to ensure that the data on the device is safe.

• Therefore, we can encrypt the data in the mobile device.

User Authentication

• User authentication is a process that allows a device to verify the identity of someone who connects to a network resource. There are many technologies currently available to a network administrator to authenticate users.

• If the mobile application is a mobile database application, the user must be authenticated by the database server.

• Only after users are authenticated can they access the publication to synchronize the mobile database with the database server.

• Users should also be authenticated at the Web Server, to prevent them from accessing the Web Server simply by using the same URL.

Grant Sufficient Minimum Permissions

Analysis

• Users should be granted the minimum sufficient permissions to ensure security and privacy in mobile applications.

• For example, a user who only needs to view the data should not be granted the write permission, because they may try to make modifications as they wish.

Separate User Accounts

• Sometimes we may provide a user with two accounts in order to ensure security and privacy in the mobile application.

• For example, a user can view all the data but only modify part of it. Therefore, we can design two accounts.

• The first is a read-only account that can view all the data, while the other is a read-write account that can only view and modify part of the data.
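The Mobile Database Application, User Authentication, minimum-permission and separate-account slides describe one flow, sketched here as an added example that is not part of the original slides. The `SyncServer` class, the `orders` table, the `region` filter and the PBKDF2 password check are all hypothetical choices made for illustration.

```python
import hashlib, hmac, os, sqlite3

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SyncServer:
    """Toy central database server; every name here is hypothetical."""
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, region TEXT, note TEXT)")
        # Constructed sample rows standing in for the central database.
        self.db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                            [(1, "west", "a"), (2, "east", "b"), (3, "west", "c")])
        self.accounts = {}  # account name -> (salt, password hash, publication)

    def add_account(self, name, password, region, writable):
        # The publication is metadata only: which rows are replicated to the
        # device (region=None means all rows) and whether changes are accepted.
        salt = os.urandom(16)
        pub = {"region": region, "writable": writable}
        self.accounts[name] = (salt, _hash(password, salt), pub)

    def _publication(self, name, password):
        # The publication is released only after authentication succeeds.
        salt, stored, pub = self.accounts.get(name, (b"\0" * 16, b"", None))
        ok = hmac.compare_digest(stored, _hash(password, salt))
        if pub is None or not ok:
            raise PermissionError("authentication failed")
        return pub

    def pull(self, name, password):
        """Server-to-device sync: return only the rows the publication covers."""
        pub = self._publication(name, password)
        return self.db.execute(
            "SELECT id, region, note FROM orders "
            "WHERE :r IS NULL OR region = :r ORDER BY id",
            {"r": pub["region"]}).fetchall()

    def push(self, name, password, row_id, note):
        """Device-to-server sync: True if the change was applied."""
        pub = self._publication(name, password)
        if not pub["writable"]:
            raise PermissionError("read-only account")
        cur = self.db.execute(
            "UPDATE orders SET note = :n WHERE id = :i "
            "AND (:r IS NULL OR region = :r)",
            {"n": note, "i": row_id, "r": pub["region"]})
        self.db.commit()
        return cur.rowcount == 1
```

For the two-account design, register one read-only account with `region=None` and one writable account restricted to a single region; a push to a row outside that region is rejected by the server even though the credentials are valid.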

Application Provided Security & Privacy Mechanism

• The mobile application can provide other security and privacy mechanisms.

• For example, the application may encrypt and sign the data before it enters the secure communication link.

• Another example is that the user can only access a replica of the main table of the central database so that even if they successfully attack the replica through the mobile application, the data in the central database can still be protected.

Conclusion

• The best way to protect yourself from cell-phone viruses is the same way you protect yourself from computer viruses: Never open anything if you don't know what it is.

The following aspects are the basic points to ensure security and privacy in mobile applications:

1. Secure Network Connection

2. Encryption of Sensitive Data

3. User Authentication

Almost all the applications need to pay attention to the above-mentioned points so that they can protect the sensitive data.

Here are some steps you can take to decrease your chances of installing a virus:

Turn off Bluetooth discoverable mode. Set your phone to "hidden" so other phones can't detect it and send it the virus.

Check security updates to learn about file names you should keep an eye out for.

Security sites with detailed virus information include: F-Secure, McAfee & Symantec
