Security in a Mobile World
The list of mobile-specific security exploits that were discussed at this week’s BlackHat Technical Security conference got me a bit paranoid again. I did a bit of security-related work a while ago. I didn’t attend the conference, so no, this isn’t a blog about the conference. Sorry!
Security has always been an afterthought. Back in the day when I did some Internet-related standards work, the section on “Security Considerations” was typically the most sparse chapter in the specification.
With the proliferation of connected devices ranging from smart phones, tablets, TVs, STBs and game consoles to cars, toasters, washing machines and refrigerators, we are more susceptible to security threats than ever. But are we taking it seriously enough?
There is no denying that mobile computing is the present and the future, so I’d like to specifically discuss mobile devices and in particular, smart phones and tablets in this context.
The Network:
Wireless networks are ubiquitous: homes, coffee shops, airports, airplanes, trains, maybe your entire city. Of course, this was true even in the “pre-smartphone, laptop era”. But now, there is a huge difference in terms of the number of actively connected devices. Anything you want to do, “there’s an app for that”. A lot more people are performing a whole lot more sensitive transactions (banking, ticketing, shopping) from their mobile devices.
It’s no secret that wireless networks are not very secure. Sure, with 802.11n we have come a long way from the vulnerable WEP and WPA security of the 802.11a/b/g days, but there is no guarantee that all the wireless networks we traverse are upgraded to the latest and greatest. Besides, many folks who set up their home wireless networks may not take the necessary precautions to secure them. In places where wireless networks are not sufficiently monitored, it wouldn’t be hard for someone to set up a rogue Access Point that unsuspecting users would connect to, or for an attacker to launch a Denial of Service attack by exploiting RF interference.
The Device:
If you are thinking that the issues I mentioned thus far are old-school, then you may be interested in the more sophisticated form of “baseband attacks”. In this case, an attacker could potentially gain control of the device memory through malicious code installed on the device’s radio signal transmitter/receiver by posing as a legitimate cell tower!
I’d like to draw some comparisons between the iOS and Android platforms.
Both the Android and the iOS platforms have a sandbox model for running applications, which limits the extent of damage by a malware-app.
Apple, to its credit, has a rigorous code signing process that ensures that certificates issued by Apple are used to sign apps. Android, on the other hand, allows for self-signed certificates, so there is no guarantee of the identity of the signer of the app.
The approval process by Apple, while by no means intended to scrutinize app code for security breaches, at least provides some level of assurance about the quality of the application. There is no Android Marketplace approval process.
Apple disallows installation of any app that is not downloaded through its App Store (and consequently signed by Apple); to get around that, one would have to jailbreak the device. On Android, it’s very easy to install apps that are not available on the Android Marketplace: just check the “Unknown Sources” box under settings to allow installation of any app and you are done.
Of course, there are security holes in both the iOS and Android kernels that can be exploited quite easily on jailbroken phones with root-level access. Attackers can then use many freely available tools to disable kernel-level security patches on jailbroken phones in order to launch their attacks.
Another point to note is that mobile devices are often connected to laptops (and desktops?) for purposes of backup/restore/sync services. This makes the mobile devices as vulnerable as the platform that they are hooked up to.
The Services:
Furthermore, the growing relevance of cloud-based services for mobile devices poses significant security risks. What prevents an attacker from harnessing the “infinite” resources on the cloud for launching DDoS attacks?
Final Thoughts
There is significant variation in the demographic of mobile device users, ranging from the tech-savvy geek to the grandmother who has never used a computer to the teenager who is always online. Educating such a diverse population about the security risks involved is a daunting task. This implies that security has to be integrated into the platform: the device, the infrastructure/networks and the services. The end-user is an integral part of the solution but the hardest to manage. In addition to the consumer space, many businesses allow access to corporate services from (personal) mobile devices, making the corporate resources susceptible to security attacks by compromised devices. Security is an expensive investment for both individuals and enterprises. It’s similar to insurance: you never realize how absolutely important it is until your systems are compromised. Now that I’ve shared my thoughts, I think I will relax a little!
18 comments
Nice article. It’s really good. Many info help me.
Do you have more great articles like this one?
Wow! Great thinking! JK
I have not checked in here for a though since I thought it was finding boring, but the last couple of posts are fantastic good quality so I guess I’ll add you back to my daily bloglist. You deserve it my friend 🙂
Hiya, I’m truly glad I’ve discovered this information. Today bloggers publish just about gossips and net and this is truly annoying. A excellent web page with intriguing content material, that is what I have to have. Thanks for keeping this web-site, I’ll be visiting it. Do you do newsletters? Can’t come across it.
Thank you, Chi! Glad you find this blog intriguing. I hope you continue to find my future articles useful. I do not do newsletters at the present time.
I’ve been exploring for slightly for any high-quality articles or weblog posts on this kind of house . Exploring in Yahoo I at last stumbled upon this internet site. Studying this details So i’m glad to exhibit that I’ve a really just suitable uncanny feeling I located out just what I necessary. I most with no a doubt will make sure to do not disregard this web page and delivers it a look routinely.
It’s an important pity you actually don’t have a very good donate link! I’d most likely donate to this spectacular blog! As i presume for the time being i’ll settle for book-marking and even including ones own Rss feed to help you a Google and yahoo credit account. As i start looking forwards to help you innovative posts and will eventually publish it website through a Facebook . com group:
Thank you , Merri! Much appreciated! I’m happy that you find my blog posts useful. Would be great if you shared the articles to folks who you think might benefit.
I’m going to start up a blog on the same theme in the near future, that is why I’m so interested in your posting. Would you mind if I used some of your thoughts for my personal weblog? I’ll certainly refer to you as the original source and set up the link pointing back to your web blog. Appreciate it!
Nice writing and web-site as well. I truly like the way you might have put points together here.
Good stuff I’ve bookmarked http://www.priyaontech.com/2011/08/security-in-a-mobile-world/ on Digg.com so that i could share it with some peeps. Anyway i like the post “Security in a Mobile World” I just used it as the entry title in my Digg.com bookmark, Kudos!.
hey there, your internet site is great. I do thank you for work
I like Your Article about Security in a Mobile World Perfect just what I was looking for! .
I am extremely impressed with your writing skills and also with the layout on your blog.
Is this a paid theme or did you customize it yourself?
Anyway keep up the excellent quality writing, it is rare to see a nice blog like this one these days..
Best Regards Nick
Looks good, i went ahead and bookmarked it on Digg under “Security in a Mobile World”. Keep up with the good stuff.
Hi there, You have done an incredible job. I’ll certainly digg it and in my opinion suggest to my friends. I’m confident they’ll be benefited from this site.
Hmm i hope you do not get offended with this question, but how much does a site like yours earn?