Why you should think twice before gifting your employees the latest smartphone
Mobile devices (smartphones and tablets) have emerged as a huge market, growing at a staggering rate and set to overtake the good old PC in market share. This has also brought about the BYOD (Bring Your Own Device) revolution. As more and more people use the same device to access confidential organizational data, download Angry Birds and store pictures of Thanksgiving dinner, the line between professional and personal data is steadily blurring. That should sound an enormous alarm bell for anybody remotely worried about keeping professional and personal lives apart, about security breaches in their organization, or about data privacy. And you can count me in that crowd 🙂
The BYOD trend and its implications can be looked at in two stages:
1. A study of the threat model and the ways in which these devices can be attacked.
2. A gist of the Android architecture (the most popular platform, and open for study), its security risks and their mitigation techniques.
(Although I write from an Android perspective, I am sure similar problems exist on other platforms too.)
I. Chinks in the armor (threat model): ways to ransack the device, and what makes it so susceptible (and lucrative) to attack
1. Varied attack vectors: Bluetooth, the Internet (Wi-Fi, GPRS, 3G), USB, phishing attacks and, not to forget, pickpocketing and lost devices.
2. Limited resources: Mobile devices have a limited battery, limited memory and limited CPU; in short, every resource available on the desktop is scaled down on a mobile device. This makes it easier for worms to exhaust the system: less water is needed to overflow a smaller bucket. Traditional antivirus tools are also resource-hungry processes, so porting desktop security mechanisms over as they are is clearly not going to work, even though mobile hardware capacities are increasing rapidly.
3. Goldmine of personal and sensitive information: Since they are 'mobile', they end up with their users almost 24x7x365. Many users also access sensitive organizational data from their mobile devices, e.g. official email accounts, files and documents. And since the devices are goldmines of personal information, users are always a bit hesitant to hand over their security to a network admin.
These factors put together make securing mobile devices a bit of a challenge.
II. Android Platform security assessment – risks and associated mitigation techniques:
Android, as a platform, is one of the most popular. It is open source and hence easy to poke around in for black-hat and white-hat hackers alike. A 2012 IEEE paper on Google Android estimates that “2 years are sufficient for smart-phone viruses to evolve to a level that computer viruses only reached after 20 years”. Google divides the Android architecture into three levels: Applications, Libraries and the Kernel.
Each of these layers has its own set of associated risks. Listed below are the security issues affecting one or more layers of the platform. While some of them have received considerable spotlight and have solutions, other areas are still open for exploration!
1. Viruses, Trojans, worms and other malware: Malicious apps generally attack the file system, the SMS and MMS services, phone contacts, email IDs and personal data. This scenario is more challenging than on ordinary computers, which do not have phone contacts or SMS and MMS services to attack. There are some good existing anti-malware tools specifically designed to operate within the limited resources of mobile devices, e.g. Mocana, Lookout and DroidHunter.
2. Network attacks: Being exposed to an untrusted network while travelling or sipping a cup of coffee is every user's nightmare. However, this issue is very similar to the one faced by laptops and desktops. Being redirected to insecure and malicious sites is fortunately tackled by traditional defences such as firewalls and proxies. There are also some good host-based intrusion detection systems specifically for Android, e.g. Andromaly and DroidHunter.
3. Android permissions and access control: This is still a somewhat under-studied area. Every Android app has to explicitly declare the resources it requires in its manifest and is granted those permissions at installation time; once installed, the app cannot extend that set. That is the theory. In practice, many users install an app without realizing that they are over-empowering it, and it is difficult for a layperson to judge why an app should or should not be allowed to reach into other apps' data, or why it is asking for the permissions it lists. There have been some nifty recent ideas on run-time information-flow tracking (TaintDroid), which alerts the user when an app tries to send sensitive information such as phone contacts off the device. However, a lot of work remains to protect the huge amount of sensitive information present on a mobile device in a feasible manner.
4. Data and phone-call encryption: Just when you thought that all the risks were due to the device acting as data storage and that traditional phone calls were harmless, the SoundComber team came up with a stealthy attack on them. Using the handset's own microphone and an automated IVR system, their malicious app “pulled out” sensitive data such as credit card and PIN numbers from the recorded call. Related work on keyboard acoustic emanations (Keyboard Acoustic Emanations Revisited, in the references) shows that, without even asking the user to interact with an IVR, the keys typed can be recovered just by recording the sounds made while typing on the keyboard. As of now there are no feasible defences. Encrypting the raw audio does not help against this class of attack, because the recording is made on the handset itself, before any encryption takes place, and any processing heavy enough to mask what is being said would break the real-time requirements of a phone call. Well, unless you pre-record your telephone conversations and let them process for minutes afterwards!
5. Remote management: This area encompasses all the risks associated with losing or misplacing a phone. In the eventuality of device theft there has to be some mechanism to remotely configure and manage the device: the sensitive data needs to be locked or transferred to a backup and then removed from the stolen device. Android's Device Administration API (DevicePolicyManager) gives an enrolled administrator app the hooks for this (enforcing a lock-screen password, locking the device, wiping it), and mobile device management (MDM) products build on it; but it only helps if the device was enrolled before it was lost, and it does nothing for the personal data on an unmanaged device.
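The permission problem in item 3 (and the contacts/SMS/microphone targets of items 1 and 4) can at least be screened for statically. The following is an added example, not code from this post, TaintDroid or any of the tools named above: it parses an AndroidManifest.xml, splits the declared permissions into ones that read personal data (sources) and ones that let data leave the device (sinks), and warns on every source/sink pairing. The source and sink lists and the "flashlight" manifest are this example's own constructions, not an official Android classification.

```python
"""Added example: flag risky permission combinations in an AndroidManifest.xml.

The source/sink lists and the sample manifest below are this example's own
constructions; they are not an official Android classification.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that read personal data or device sensors ("sources") ...
SOURCES = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS inbox",
    "android.permission.RECEIVE_SMS": "incoming SMS",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.READ_PHONE_STATE": "phone identity",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "microphone",
}
# ... and permissions that let data leave the device ("sinks").
SINKS = {
    "android.permission.INTERNET": "network",
    "android.permission.SEND_SMS": "outbound SMS",
    "android.permission.BLUETOOTH": "Bluetooth",
}

# Constructed manifest of a hypothetical "flashlight" app that asks for far
# more than a flashlight needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.RECORD_AUDIO" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <application android:label="Flashlight" />
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the sorted list of permissions declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return sorted(n for n in names if n)


def audit(manifest_xml):
    """Summarise sources, sinks and every source->sink pair the app could use.

    The pairing is a static over-approximation: holding both permissions does
    not prove the app actually moves contacts onto the network, which is what
    run-time taint tracking (TaintDroid) checks.
    """
    perms = set(requested_permissions(manifest_xml))
    sources = {p: SOURCES[p] for p in perms if p in SOURCES}
    sinks = {p: SINKS[p] for p in perms if p in SINKS}
    flows = sorted({(s, k) for s in sources.values() for k in sinks.values()})
    return {
        "permissions": sorted(perms),
        "sources": sorted(sources),
        "sinks": sorted(sinks),
        "possible_flows": flows,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    for perm in report["permissions"]:
        tag = "source" if perm in SOURCES else "sink" if perm in SINKS else ""
        print(f"{perm:45} {tag}")
    for src, sink in report["possible_flows"]:
        print(f"WARNING: {src} could leave the device via {sink}")
```

Run against a real APK by extracting the manifest first (for example with apktool); the script deliberately stops at the pairing, because whether a pairing is a leak is exactly the question run-time tracking exists to answer.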
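To make the extraction step in item 4 concrete: once a malicious app has the microphone, keypad digits entered into an IVR are carried as DTMF tones, and a Goertzel filter per DTMF frequency is enough to read them back. The block below is an added illustration, not code from the SoundComber paper or this post, and Soundcomber's real pipeline also does speech recognition, which is not shown. It synthesises a constructed, slightly noisy 8 kHz recording of a digit sequence, segments it on frame energy and decodes each burst; the sample rate, tone and gap lengths, noise level and silence threshold are this example's own choices.

```python
"""Added example: recover keypad digits from a (constructed) IVR recording.

Goertzel-based DTMF decoding; all signal parameters are this example's own.
"""
import math
import random

SAMPLE_RATE = 8000            # Hz, typical narrowband telephony audio
LOW_TONES = (697, 770, 852, 941)
HIGH_TONES = (1209, 1336, 1477, 1633)
KEYPAD = [["1", "2", "3", "A"],
          ["4", "5", "6", "B"],
          ["7", "8", "9", "C"],
          ["*", "0", "#", "D"]]
FRAME = 160                   # 20 ms analysis frames at 8 kHz
SILENCE_RMS = 0.05            # frame energy below this counts as a gap


def synth_dtmf(digits, tone_ms=80, gap_ms=60, noise=0.02, seed=1):
    """Constructed signal: one DTMF burst per digit, silence gap after each.

    80 ms and 60 ms are multiples of the 20 ms frame, so bursts align with
    frame boundaries; deterministic Gaussian noise stands in for line noise.
    """
    rng = random.Random(seed)
    samples = []
    for d in digits:
        r = next(i for i, row in enumerate(KEYPAD) if d in row)
        c = KEYPAD[r].index(d)
        f_low, f_high = LOW_TONES[r], HIGH_TONES[c]
        for n in range(SAMPLE_RATE * tone_ms // 1000):
            t = n / SAMPLE_RATE
            samples.append(0.5 * math.sin(2 * math.pi * f_low * t)
                           + 0.5 * math.sin(2 * math.pi * f_high * t))
        samples.extend(0.0 for _ in range(SAMPLE_RATE * gap_ms // 1000))
    return [s + rng.gauss(0, noise) for s in samples]


def goertzel_power(samples, freq):
    """Energy of `samples` at one target frequency (Goertzel algorithm)."""
    n = len(samples)
    k = round(n * freq / SAMPLE_RATE)          # nearest DFT bin
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def classify_burst(samples):
    """Map one tone burst to a keypad symbol via its strongest low/high pair."""
    low = max(LOW_TONES, key=lambda f: goertzel_power(samples, f))
    high = max(HIGH_TONES, key=lambda f: goertzel_power(samples, f))
    return KEYPAD[LOW_TONES.index(low)][HIGH_TONES.index(high)]


def extract_digits(samples):
    """Split the recording into bursts on frame energy and decode each one."""
    digits, burst = [], []
    for i in range(0, len(samples), FRAME):
        frame = samples[i:i + FRAME]
        rms = math.sqrt(sum(x * x for x in frame) / len(frame))
        if rms > SILENCE_RMS:
            burst.extend(frame)
        elif burst:                      # gap after a tone: burst complete
            digits.append(classify_burst(burst))
            burst = []
    if burst:                            # recording ended mid-tone
        digits.append(classify_burst(burst))
    return "".join(digits)


if __name__ == "__main__":
    entered = "4111*1234#"
    recording = synth_dtmf(entered)
    print("entered :", entered)
    print("decoded :", extract_digits(recording))
```

The decoder needs nothing beyond the raw microphone samples, which is the point of item 4: no amount of encryption between handset and network changes what the app recorded locally.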
UPDATE: OWASP has recently released its Top 10 mobile security risks. A quick glance at the top 10 categories as listed on Jan 24, 2013:
To sum it up, mobile device security is a major concern for organizations. Because of their small size, their memory capacity, and the ease with which information can be downloaded and removed from a facility, mobile devices pose a risk to organizations when used and transported outside physical boundaries. Familiarity with the different device types, the areas of concern, and the proposed solutions to mitigate the risks of using a mobile device is important for an organization to grasp before rolling out mobile devices to employees.
References:
1. Computerworld report: http://www.computerworld.com/s/article/9234190/Mobile_devices_will_drive_IT_spending_in_2013_IDC_says
2. WebProNews, smartphone sales in Q3 2012: http://www.webpronews.com/smartphone-sales-jumped-nearly-50-in-the-third-quarter-of-2012-2012-11
3. Soundcomber (NDSS 2011): https://www.cs.indiana.edu/~kapadia/papers/soundcomber-ndss11.pdf
4. Keyboard Acoustic Emanations Revisited: http://www.tygar.net/papers/Keyboard_Acoustic_Emanations_Revisited/ccs.pdf
5. Android developer guide, application components: http://developer.android.com/guide/components/index.html
6. OWASP Mobile Security Project: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project