Mobile OS Security

1
Mobile OS Security
Vivek-Vijayan University of Tennessee at
Chattanooga
2
Eminent Threats

• Web based and network based attacks The mobile
  device is connected to the internet, browsing
  websites with malicious content.
• Malware traditional viruses, worms and trojan
  horses.
• Social engineering attacks phishing. Also used
  to install malware.
• Resource and service availability abuse botnet,
  spamming, overcharging (SMS and calls).
• Attacks on the integrity of the devices data
  malicious encryption with ransom, modification of
  data such as address book.

3
Five Pillars

• Traditional Access Control
• Application Provenance
• Encryption
• Isolation
• Permissions-based access control

4

• Traditional Access Control This mechanism seeks
  to protect devices using techniques such as
  passwords and idle-time screen locking.
• Application Provenance is an approach where each
  application is stamped with the identity of its
  author and made tamper resistant (eg digital
  signature). Thus enabling a user to decide to use
  or not to use the application based on the
  identity of the author.
• Encryption is a approach to conceal data on the
  device to address device loss or theft.
• Isolation limits applications ability to access
  sensitive data or systems on a device.
• Permission-based access control grants set of
  permissions to each application, limiting each
  application to access device data/systems within
  the scope of the permission. Blocks the
  application if it attempts to perform actions
  exceeding the permissions given.

5
Traditional Access Control

• Apple iOS
• I OS provides traditional access control security
  options, which include password configuration
  options such as account lockout options.
• Example The strength of the passcode can be
  chosen by the administrator and the
  administrator can also specify how frequently
  the user can update the passcodes, and the
  maximum number of failed login attempts before
  the device wipes itself.
• Android
• Android provides password configuration options,
  which include specifying the strength of the
  device passcode, phones lockout time span,
  failed login attempts before device wipes data,
  indication of password expiration, enabling
  administrators to compel users to update their
  passwords on a regular basis .

6
Effectiveness

• Apples iOS
• The access control feature of the iOS provides a
  reasonable level of security for the devices data
  in the event of loss or theft.
• The iOS is in par with traditional windows based
  desktops in this scenario.
• Android
• The password policy system is sufficient to
  protect devices against casual attacks.
• The previous versions of Android do not encrypt
  data stored on removable SD memory card, thus
  allowing the attacker to eject the SD memory
  card, and obtain the data by bypassing all
  password controls.

7
Application Provenance

• Apple iOS
• Before releasing the software to iPhone, iPod,
  and iPad users. The developer goes through a
  registration process with apple and pay an annual
  licensing fee. The developers then digitally
  sign each app with an apple-issued digital
  certificate before its release. This signing
  process of the developer into the app proves that
  the app author is an apple-approved developer and
  the apps logic cannot be tampered with after its
  creation by the developer.
• Through App Store
• The developer submits the app for a cerifitcation
  by apple approval process takes one or two
  weeks and then the app is deployed into the app
  store.
• If the app is found malicious or any violation of
  license agreement occurs, the app is removed from
  the appstore, but no automated mechanism has been
  implemented to remove the app from the devices
  (iphone/ipad) after it has been installed.

8

• Android
• Google undermines both the goals of ensuring that
  the apps logic is not tampered with and to allow
  the user of the app to determine the identity of
  the apps author.
• Android OS only installs and runs apps that have
  been properly signed with a digital cerificate.
  Unlike apple software developers need not apply
  to google to obtain a code-signing certificate,
  thus the developer can generate their own signing
  certificates.
• This results in an malware author generating
  anonymous digital certificate, and no certificate
  or malware signed with google that can be tracked
  back to the author.
• Through googles android market
• For developers to sell their apps on android
  marketplace, a 25 fee is charged via credit
  card, thus allowing google to associate the payee
  with the digital ceritificate, which may reduce
  the chances of distribution of malicious apps (if
  the developer uses his own credit card).

9
Effectiveness

• Apple iOS
• Apples approach is effective as
• - The developer must register and pay to
  obtain a signing certificate from apple,
  which makes it more easy to identify if any
  malicious activities are performed.
• - Each and every application is
  tested before submission to the app- store.
• - Apples code signing model prevents
  tampering with published apps.
• Android
• Since no single authority evaluates or verifies
  all Android apps, attackers are more likely to
  release attacks without worrying of getting
  caught.

10
Encryption

• Apple iOS
• The iOS uses a hardware accelerated AES-256
  encryption to encrypt all data stored in the
  flash memory of the device.
• The iOS protects specific additional data items,
  such as email using an additional layer of
  encryption.
• Within 10 seconds of the device locking, the
  decryption keys for files in device are
  discarded.
• Android
• Android recently began offering built in
  encryption in 3.0, earlier versions of android
  contain no encryption capability, instead to rely
  on islolation and permissions to safeguard data.
  A simple jailbreak of an android phone, or theft
  of devices SD card can lead to significant loss
  of data.

11
Isolation

• Apple iOS
• iOS operating system isolates each app from every
  app on the system.
• The apps are not allowed to modify or view each
  others data, or even know if other apps exist on
  the OS, nor can they access the OS kernel, nor
  install privileged drivers or obtain root level
  administrator access to the device.
• The apps are also isolated from the phones SMS,
  email in-out box and other email attachments.
• Android
• Like iOS, Android employs a strong isolation
  system. It not only isolates apps from each other
  but also prevents apps from accessing or
  modifying the OS kernel, ensuring the app doesnt
  get admin control over a device.

12

• Blackberry (BB10)
• introduces us to Blackberry Balance. Balance
  allows organizations to create isolation between
  personal and work environments on a device.
  Additional logical security is used to keep
  personal applications, files and network separate
  from the work environment.
• When Balance is enabled, workspace is
  automatically encrypted, leaving personal
  environment unencrypted.
• Windows Phone 8
• WP8 uses the Unified Extensible Firmware
  Interface for secure boot, ensuring devices do
  not load rooted or unauthorized system images.
• WP8 apps run in isolated chambers, which are
  similar to sandbox. Chambers keep applications
  and their data separate from one another.
• The data between the applications is shared in
  the cloud and not on the device.

13
Permission Based Access Control

• Apple iOS
• The iOS denies access under all circumstances to
  many of the devices sensitive subsystems. Thus
  increasing the security of iOS based devices
  since it removes the user from security
  decision-making process.
• The above process also limits each applications
  functionality, potentially limiting the utility
  of certain classes of iOS apps.
• Android
• The Android permission system relies on the user
  to make all policy decisions and decide whether
  an apps requested combination of permission is
  safe or not.

14
(No Transcript)
15
sources

• http//www.tomsitpro.com/articles/mobile_security-
  mobile_management,2-64-9.html
• http//www.slideshare.net/vladimirjirasek/mobile-s
  ecurity-summit-10-mobile-risks
• http//searchconsumerization.techtarget.com/tip/Da
  ta-and-device-encryption-on-iOS-Android-Windows-Ph
  one-and-BlackBerry