Mobile devices are the fastest growing consumer technology, with worldwide unit sales expected to increase from 300 million in 2010 to 650 million in 2012. Mobile applications are likewise booming. In June 2011, for the first time ever, people on average spent more time using mobile applications (81 minutes) than browsing the mobile web (74 minutes). While once limited to simple voice communication, the mobile device now enables us to also send text messages, access email, browse the Web, and even perform financial transactions. Even more significant, apps are turning the mobile device into a general-purpose computing platform. In just three short years since introducing the iPhone SDK in 2008, Apple boasts over 425,000 apps available for iOS devices. Seeing similarly explosive growth, the Android Market now contains over 200,000 apps after only a short period of time.

As mobile devices grow in popularity, so do the incentives for attackers. Mobile malware, for example, is clearly on the rise, as attackers experiment with new business models by targeting mobile phones. Recently over 250,000 Android users were compromised in an unprecedented mobile attack when they downloaded malicious software disguised as legitimate applications from the Android Market.

The emergence of mobile payments is another key driver of mobile threats. The value of mobile payment transactions is projected to reach almost $630 billion by 2014. The value of mobile payment transactions was projected to reach over 2,200 trillion in 2022. Vendors, retailers, merchants, content providers, mobile operators, and banks are all actively establishing new payment services. Mobile payments create an attractive target for attackers, as they allow direct monetization of attacks. In addition to financial information, mobile devices store tremendous amounts of personal and commercial data that may attract both targeted and mass-scale attacks.



On the device itself, Apple’s iOS security model runs each third-party application in an isolated environment so that the application may only access its own data and permitted system resources. All third-party applications are granted access to the same data and capabilities on the device with the exception of a few, such as location data and push notifications, which require a user to opt in for each application.

In terms of app distribution, Apple’s App Store for iOS utilizes a curated app review model in which all apps submitted by developers go through a manual review process with restrictions based on policies regarding issues such as data collection, API usage, content appropriateness, and user interface guideline compliance. This model is designed with the assumption that apps will only be downloaded from Apple’s App Store, as some security restrictions are enforced during the review process but not necessarily enforced on the device itself. The assumption generally holds, as iOS devices prevent users from loading applications from sources other than Apple’s App Store unless the device has been jailbroken. Jailbreaking is a process whereby the user can alter the phone’s operating system to gain full access (or root access) to the operating system and allow applications not officially vetted by Apple, many of which take advantage of operating system capabilities otherwise restricted by Apple’s review policies.


Android has an operating system security model that supports its open application distribution model. In the Android OS security model, an application’s capabilities are gated by “permissions” that the application declares when it is installed and that cannot be changed at a later time.

When installing an application, users are presented with the list of permissions requested by the application and can determine whether the permissions are appropriate for the functionality of the app. Permissions allow applications to access specific data and capabilities on a device, including location, contacts, SMS messaging, identity information, and the ability to access the Internet. If an application’s permissions seem overreaching, a user may choose not to install the app or may identify it as suspicious. While the Android permissions model enables developers to provide a broad range of functionality in their apps, it does rely on end users’ ability to evaluate permissions requested by an app at the time of installation.
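The install-time permission review described above can be partly automated. The following is an added example, not part of the original text: it reads the permissions an app declares in its manifest and reports sensitive categories beyond what the app's stated function needs. It assumes the manifest has already been decoded to text XML; the category table, the sample manifest and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Permission -> data or capability it gates (the categories named in the text).
SENSITIVE = {
    P + "ACCESS_FINE_LOCATION": "location",
    P + "ACCESS_COARSE_LOCATION": "location",
    P + "READ_CONTACTS": "contacts",
    P + "READ_SMS": "SMS messaging",
    P + "SEND_SMS": "SMS messaging",
    P + "RECEIVE_SMS": "SMS messaging",
    P + "READ_PHONE_STATE": "identity information",
    P + "INTERNET": "Internet access",
}

# Constructed sample: a flashlight app that declares more than it needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

def declared_permissions(manifest_xml):
    # Collect the android:name attribute of every <uses-permission> element.
    root = ET.fromstring(manifest_xml)
    names = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return sorted(n for n in names if n)

def audit(manifest_xml, expected_categories):
    """Return (unexpected sensitive categories, notes on risky combinations)."""
    perms = declared_permissions(manifest_xml)
    requested = {SENSITIVE[p] for p in perms if p in SENSITIVE}
    unexpected = sorted(requested - set(expected_categories))
    notes = []
    if P + "SEND_SMS" in perms and "SMS messaging" not in expected_categories:
        notes.append("can send SMS: possible charges to the phone bill")
    if "Internet access" in requested and len(requested) > 1:
        notes.append("reads sensitive data and can reach the Internet")
    return unexpected, notes

if __name__ == "__main__":
    unexpected, notes = audit(SAMPLE_MANIFEST, expected_categories=[])
    print("unexpected:", unexpected)
    for n in notes:
        print("note:", n)
```

For manifests from untrusted packages, a hardened XML parser such as defusedxml is the safer choice than the standard-library parser used here.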

In terms of app distribution, the Android operating system utilizes an open application distribution model that allows users to download applications from a variety of sources, including Google’s Android Market, Amazon’s Appstore for Android, carrier markets such as Verizon’s V CAST network, and other alternative app markets. Android also has a setting, often referred to as sideloading, which enables or disables the capability to download applications from other sources outside of the Android Market. Android enables multiple application distribution methods. For example, Amazon’s Appstore for Android and Verizon’s V CAST apps utilize a curated model with a manual review process similar to Apple’s, while Google’s Android Market is based on a community-enforced model where some security checks are performed when applications are submitted to the market, but it is expected that the community as a whole will participate in identifying malicious or otherwise undesirable applications. This allows Android developers to update their applications much more quickly than with the curated model.


As with PCs, there are a variety of security threats that can affect mobile devices. We split mobile threats into several categories: application-based threats, web-based threats, network-based threats and physical threats. For the sake of brevity, this list is intended to be a general overview of the most important mobile threats, not an exhaustive treatment of all possible threats.


Downloadable applications present many security issues on mobile devices, including both software specifically designed to be malicious as well as software that can be exploited for malicious purposes. Application-based threats generally fit into one or more of the following categories:

Malware is software that is designed to engage in malicious behavior on a device. For example, malware can commonly perform actions without a user’s knowledge, such as making charges to the user’s phone bill, sending unsolicited messages to the user’s contact list, or giving an attacker remote control over the device. Malware can also be used to steal personal information from a mobile device that could result in identity theft or financial fraud.

Spyware is designed to collect or use data without a user’s knowledge or approval. Data commonly targeted by spyware includes phone call history, text messages, location, browser history, contact list, email, and camera pictures. Spyware generally fits into two categories: it can be targeted, designed for surveillance over a particular person or organization, or untargeted, designed to gather data about a large group of people. Depending on how it is used, targeted spyware may or may not be considered malicious, such as in the case of a parent using a text messaging or location monitoring application on a child’s phone.

Privacy Threats may be caused by applications that are not necessarily malicious (though they may be), but gather or use more sensitive information (e.g., location, contact lists, personally identifiable information) than is necessary to perform their function or than a user is comfortable with.

Vulnerable Applications contain software vulnerabilities that can be exploited for malicious purposes. Such vulnerabilities can often allow an attacker to access sensitive information, perform undesirable actions, stop a service from functioning correctly, automatically download additional apps, or otherwise engage in undesirable behavior. Vulnerable applications are typically fixed by an update from the developer.


Because mobile devices are often constantly connected to the Internet and used to access web-based services, web-based threats that have historically been a problem for PCs also pose issues for mobile devices:

Phishing Scams use web pages or other user interfaces designed to trick a user into providing information such as account login information to a malicious party posing as a legitimate service. Attackers often use email, text messages, Facebook, and Twitter to send links to phishing sites.

Drive-By Downloads automatically begin downloading an application when a user visits a web page. In some cases, the user must take action to open the downloaded application, while in other cases the application can start automatically.

Browser Exploits are designed to take advantage of vulnerabilities in a web browser or software that can be launched via a web browser such as a Flash player, PDF reader, or image viewer. Simply by visiting a web page, an unsuspecting user can trigger a browser exploit that can install malware or perform other actions on a device.


Mobile devices typically support cellular networks as well as local wireless networks. There are a number of threats that can affect these networks:

Network Exploits take advantage of software flaws in the mobile operating system or other software that operates on local (e.g., Bluetooth, Wi-Fi) or cellular (e.g., SMS, MMS) networks. Network exploits often do not require any user intervention, making them especially dangerous when used to automatically propagate malware.

Wi-Fi Sniffing can compromise data being sent to or from a device by taking advantage of the fact that many applications and web pages do not use proper security measures, sending their data in the clear (not encrypted) so that it may be easily intercepted by anyone listening across an unsecured local wireless network.


Since mobile devices are portable and designed for use throughout our daily lives, their physical security is an important consideration. Lost or Stolen Devices are one of the most prevalent mobile threats. The mobile device is valuable not only because the hardware itself can be re-sold on the black market, but more importantly because of the sensitive personal and organizational information it may contain.