Challenges in Mobile and Wireless Security

Mobile devices, such as smartphones are the most often used devices nowadays. This underlies the fact that the devices have evolved a lot in the last few years, now functioning as small little computers.
Since it is carried around with us the entire time it automatically holds and collects a lot of personal information such as text messages, phone logs, pictures or GPS location-­based data on it. Consequently, security and privacy concerns have also risen.

This development also affects the business world. Today, most companies offer their employees to bring their own device (BYOD). Thus, administrators can not hand out securely pre­configured phones anymore, instead they have to deal with a lot of different mobile phones and platforms all of them having different possibilities and restrictions. Furthermore, smartphones do not replace a computer or a laptop. They rather function as an additional device which is an extra effort in setting up the enterprise’s security. Especially since “most consumer mobile devices were never designed to be enterprise computing tools” [1].

Bring your own device also has another effect by mixing up personal and the company’s confidential data. Employees link their work email to the device which means they might store data received through attachments on it. Given that mobile devices are often synchronized with other devices, such as a laptop or tablet, the data is spread around even more. Also business contacts are stored alongside the personal ones. As a result, strong device protection is very important, not only for business related phones, considering the fact that many devices get stolen or lost. Unfortunately, many users do not use a password lock making it very easy for third parties to access the picked up device and information, especially as most of the data is stored unencrypted. So additionally the stored data should be secured in some way, for example by encrypting it, making it only accessible to authorized people.
Besides protecting the device, the communication performed through it has to be secured too. Since mobile devices are omnipresent and Wi­Fi is also getting more and more common, employees are not tied to a desk anymore and they can get their work done from anywhere. This means they have to be able to access the required resources from outside the corporate network, often through insecure public networks. Therefore, it has to be provided that only authorized users and devices can actually access and use the needed services. In addition, it also has to be guaranteed that no one is interfering or analyzing the traffic and if so the attacker can still be blocked through the firewall.

One of the most important features of a smartphone is installing third­party applications to extend the functionalities. However, this openness also brings some dangers to the end user and its data. Similar to viruses for computers there are also apps which carry malicious code and since the mobile phone is an always-­on device with access to and from the internet it is a favoured target for attackers. As recent news show several iOS applications contain backdoors [2] and Android apps downloaded from third­party app stores carry “auto­rooting adware” [3]. Also entire operating systems, due to the growth in size and therefore complexity, contain vulnerabilities, such as the iPhone for example which got hacked recently through several zero­day exploits [4]. Platform providers must prevent such threats by publishing patches regularly and rapidly. Moreover, they also have to carefully decide which applications can access which services and make sure that applications do not interfere or tamper with others, so called sandboxing has to be applied.
Besides that, most of the apps one wants to install, especially on Android, are asking for a lot of permissions which they might not even need to function properly, such as access to the address book or the file storage. Some applications, for example banking apps, even load the device with more sensitive data which accordingly has to be protected against unauthorized snooping again. Therefore, it has to be always considered, especially for business use, which apps one is installing.

There are three important parties involved in the installation process. First, the marketplace operator, for example the Google Playstore which acts as an signing authority only allowing trusted and secure apps to be published. Second, the service providers or developers, who should be considered trusted and not have malicious intents. And third, the user or the administrator in an enterprise, lastly deciding which app and therefore which permissions should be installed. The latter could for example be done through policies, allowing only certain applications.

All of the above mentioned issues can be considered as ‘outside attacks’ meaning that an unauthorized third party is trying to steal information stored on the mobile device. On the other side there are also ‘inside attacks’ where the user himself tries to access restricted functions.
For example, in desire to the platform providers it should not be possible to jailbreak the phone meaning that the user would gain full root access to previous blocked services [5]. This would mean the user could modify the Operating System to his means or even replace it with another one. Furthermore, manufacturers have to provide protection against device tampering. As an example, the user should not be able to modify the radio frequency parameters to avoid any harm to the device or eventually to himself. In addition, mobile operators do not want users to tamper with a subsidized device or pre­loaded software limiting it in some way which would finally lead to financial loss. Consequently, most of the customers are bound to a two-­years contract and they might are not allowed to use VoIP services. Lastly, app developers want their applications’ source code to be secure. Otherwise, one could easily extract it and finally sell or modify it. Any app misuse to gain benefit in some way is also not wished­ for.

As we can see there are several different parties, all of them having to address different security aspects.
The so called Internet of things is the next big step to be expected. Considering that more and more devices are connected to the internet and communicating with each other security is a very important aspect. It seems to be even more complex and necessary as for today's mobile phones.

References:

[1] TechTarget Security Media Group, “Technical Guide on Mobile Device Security”

[2] Zhaofeng Chen, “iBackDoor: High­-Risk Code Hits iOS Apps”

[3] Michael Bentley, “Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire”

[4] Lorenzo Franceschi-­Bicchierai, “Somebody Just Claimed a $1 Million Bounty for Hacking the iPhone”

[5] Wikipedia, “iOS Jailbreaking”

[6] Websense, “A 3­Step Plan for Mobile Security”

[7] BlackBerry, “The CIO’s Guide to Mobile Security”

[8] N. Asokan, “Mobile Platform Security”

Show Comments