Mobile Computing and Security - PowerPoint PPT Presentation
PowerPoint Slideshow about ' Mobile Computing and Security' - tate-dyer


Presentation Transcript

Mobile Computing and Security

Computer Science and Engineering

Mobile Devices
  • Traditional computing and networking vs. mobile devices (smartphones, internet tablets, etc.)
  • Widely accepted consumerization: individuals and organizations
  • Huge amount of sensitive data (personal and corporate)
  • Security and privacy threats

OWASP Mobile Security Project
  • M1: Weak Server Side Controls
  • M2: Insecure Data Storage
  • M3: Insufficient Transport Layer Protection
  • M4: Unintended Data Leakage
  • M5: Poor Authorization and Authentication
  • M6: Broken Cryptography
  • M7: Client Side Injection
  • M8: Security Decisions Via Untrusted Inputs
  • M9: Improper Session Handling
  • M10: Lack of Binary Protections

OWASP
  • Additional materials from OWASP:
    • The original (OWASP) presentation can be found here: SLIDES
    • The corresponding video can be found here: VIDEO

M2: Insecure Data Storage
  • Threats: lost/stolen phones or malware
  • Exploitation difficulty: easy by users and applications
  • Impact: data loss, disclosure, ransom (e.g., usernames, authentication tokens, passwords, cookies, location data, personal data, application data)
  • How to prevent:
    • Don’t store sensitive data (e.g., credentials) on the device
    • Encrypt all data

M3: Insufficient Transport Layer Protection
  • Threats: data exchange between client and server over the carrier’s network and over the internet is poorly protected
  • Exploitation difficulty: difficult
  • Impact: data disclosure and account theft
  • How to prevent
    • Enforce the use of SSL/TLS for all transport channels
    • Use strong, industry standard encryption algorithms and appropriate key lengths
    • Never allow self-signed certificates

M4: Unintended Data Leakage
  • Threat: Application specific
  • Exploitation: Easy
  • Impact: technical and business
  • Prevention: identify and control the leakage channels, e.g.:
    • URL caching
    • Copy/paste buffer caching
    • Logging
    • Etc.

McAfee Labs 2014 Threat Prediction

1: Mobile Malware

2: Virtual Currencies

3: Cybercrime and Cyberwarfare

4: Social Attacks

5: PC and Server Attacks

6: Big Data

7: Attacks on the Cloud

Mobile Security Research

ACM workshop on Security and privacy in smartphones and mobile devices – In conjunction with CCS conference

  • Device/hardware security
  • OS/Middleware security
  • Application security
  • Authenticating users to devices and services
  • Mobile Web Browsers
  • Usability
  • Privacy
  • Rogue application detection and recovery
  • Cloud support for mobile security

Mobility and IT Risk Management
  • Mobile Device Management: MDM
  • Risk management and investment in cyber security
    • What type of security is needed?
    • Mobile device policies
  • Risk areas: technology, policy, law

Application Development

Operating Systems
  • What is an operating system?
  • What do operating systems do?
  • Why do we need security in operating systems?
    • Unintended errors, flaws, bugs, etc.
    • Malicious activities
  • Readings:
    • Silberschatz, Galvin, Gagne: Operating Systems Concepts, Chapters 14 and 15


What is a Secure Code?

  • Characteristics that contribute to security
    • Who defines the characteristics?
  • Assessment of security
    • What is the basis for the assessment?
  • IEEE Standard for Software Verification and Validation, 2005
    • Bug, error, fault, …
  • US National Security Agency: System Security Engineering CMM (SSE CMM), http://www.sse-cmm.org/index.html

CSCE 548 - Farkas

OS Security Functionalities
  • Identity and credential management
  • Access control
  • Information flow
  • Audit and integrity protection

Trusted Operating System
  • Code has been rigorously developed and analyzed
  • Key characteristics:
    • Functional correctness
    • Enforcement of integrity
    • Limited privilege
    • Appropriate confidence level

Mobile Operating Systems
  • Four main MOSs: Symbian, Android, BlackBerry OS, iOS
  • Others: Windows Mobile (WinMob), Windows Phone 7 (WP7), bada, webOS, and MeeGo
  • Interesting read:
    • Fortinet, Fortinet’s FortiGuard Labs Reports 96.5% of all Mobile Malware Tracked is Android Based, Symbian is Distant Second at 3.45%; iOS, BlackBerry, PalmOS, and Windows Together Represent Less Than 1%, February 2014, https://www.fortinet.com/press_releases/2014/fortiguard-quarterly-labs-reports.html

Mobile Application Development
  • Diverse and evolving MOSs
  • Different software development platforms and unique programming languages, custom API
  • Mashup services: support mobile application development without specific software development kits
    • Limited capabilities: mainly Internet-related resources but not other functionalities (e.g., database access, address book, etc.)

Current Mobile Application Support
  • Use web browsers to support platform-independent applications
  • Use cross-platform mobile development tools (XMT) to support applications for different platforms from the same code base
  • Smartphone application characteristics:
    • Installation
    • Application structure
    • GUI elements

Malware Detections

Difficulties
  • Resource constraints:
    • Computational power
    • Energy resources
  • Change in the motivation: instant access to confidential and valuable information
    • 2011: 428 million mobile devices sold worldwide
    • Users are increasingly dependent on mobile phones
    • Increased functionalities

Mobile Malware
  • Software malware: exploits software system security vulnerabilities, e.g., viruses, worms, botnets, etc.
  • Spyware and grayware
  • Malware detection methods:
    • Static analysis
    • Dynamic analysis

Static Analysis
  • Preliminary analysis to evaluate suspicious applications
  • Methods:
    • Analyze system calls
    • Taint control and data flow
    • Source code analysis for anomaly detection

Dynamic Analysis
  • Executing the application in an isolated environment
  • Monitor dynamic behavior
  • Methods:
    • System-wide
    • Sandbox
  • Application Permission Analysis
    • Application intentions - Internet permissions
    • Back-end activities
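One way to carry out the permission analysis described above, as an added example that is not part of the slides: parse the permission requests from an Android manifest and flag a sensitive-data permission that is paired with a channel off the device (Internet or SMS). The manifest and the permission sets are constructed for this illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest: a flashlight app requesting far more than it needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""

# Permissions that read sensitive data, and permissions that give the app a
# channel off the device; a sensitive permission paired with an exit channel
# is the "intention" the permission-analysis bullet asks about.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
}
EXIT_CHANNELS = {"android.permission.INTERNET", "android.permission.SEND_SMS"}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def analyze_permissions(manifest_xml):
    """Flag each sensitive permission that is requested together with an exit channel."""
    perms = requested_permissions(manifest_xml)
    exits = sorted(perms & EXIT_CHANNELS)
    findings = []
    if exits:  # without a way off the device, sensitive reads alone are not flagged here
        for p in sorted(perms & SENSITIVE):
            findings.append(f"{p} requested alongside {', '.join(exits)}: possible data leakage")
    return {"permissions": sorted(perms), "findings": findings}
```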

Cloud-Based Detections
  • Smartphones do not carry full-featured security mechanisms
  • E.g., file scanner takes 30 mins and reduces battery life by 2% on an Android HTC G1
  • Application scanning is more than 11 times slower on mobile device than in a computer
  • Solution: run security checks on remote computers
  • Cloud-based security services

Cloud-based malware protection 1
  • Paranoid Android
  • Smartphone: a tracer records application execution info so the app can be re-run on a different platform
  • Cloud-service: uses the data sent by the tracer to replay the application execution and check security features:
    • Memory scanners, System call anomalies, Dynamic malware analysis, Commercial antivirus checking
  • Proxy: store inbound traffic
  • Cost of processing: CPU load up 15%, energy usage up 30%; running the tracer itself is costly (user-space installation)

Cloud-based malware protection 2
  • Crowdroid
  • Behavior-based detection
  • Lightweight application that
    • Monitors system calls made by the application
    • Preprocesses the calls
    • Sends the call info to the cloud
  • Cloud: classification of the application, whether malicious or not
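The device/cloud split described above, as an added example that is neither the slides' nor the Crowdroid project's code: the device side turns strace-style syscall lines into a normalised count vector (the "preprocess" step), and the cloud side labels the vector by the nearer of two class centroids. Nearest-centroid classification, the syscall vocabulary, the reference profiles and the submitted trace are all this example's constructed assumptions; the slides do not name the classifier.

```python
import math
import re
from collections import Counter

VOCAB = ["open", "read", "write", "connect", "sendto", "recvfrom"]
SYSCALL_RE = re.compile(r"^(\w+)\(")  # strace lines look like: read(3, "...", 4096) = 17


def syscall_vector(trace_lines):
    """Device side: count each VOCAB syscall and normalise to a fraction of all calls."""
    counts = Counter()
    for line in trace_lines:
        m = SYSCALL_RE.match(line.strip())
        if m:
            counts[m.group(1)] += 1
    total = sum(counts.values()) or 1  # empty trace -> all-zero vector, no division error
    return [counts.get(name, 0) / total for name in VOCAB]


def centroid(vectors):
    return [sum(col) / len(vectors) for col in zip(*vectors)]


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def classify(vector, benign_refs, malicious_refs):
    """Cloud side: label the submitted vector by the nearer class centroid (example's choice)."""
    if distance(vector, centroid(malicious_refs)) < distance(vector, centroid(benign_refs)):
        return "malicious"
    return "benign"


# Constructed reference profiles, already vectorised, one row per monitored run.
BENIGN_REFS = [
    [0.3, 0.4, 0.3, 0.0, 0.0, 0.0],
    [0.25, 0.45, 0.3, 0.0, 0.0, 0.0],
]
MALICIOUS_REFS = [
    [0.1, 0.2, 0.1, 0.2, 0.3, 0.1],
    [0.1, 0.15, 0.1, 0.25, 0.3, 0.1],
]

# Constructed trace of a new submission: reads a local database, then keeps sending it out.
SUBMITTED_TRACE = [
    'open("/data/data/com.example.notes/files/notes.db", O_RDONLY) = 3',
    'read(3, "...", 4096) = 4096',
    'read(3, "...", 4096) = 1024',
    'connect(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("203.0.113.5")}, 16) = 0',
    'sendto(4, "...", 4096, 0, NULL, 0) = 4096',
    'sendto(4, "...", 1024, 0, NULL, 0) = 1024',
    'sendto(4, "...", 512, 0, NULL, 0) = 512',
    'recvfrom(4, "...", 64, 0, NULL, NULL) = 2',
]
```

`classify(syscall_vector(SUBMITTED_TRACE), BENIGN_REFS, MALICIOUS_REFS)` returns "malicious" for the constructed trace because its connect/sendto share is far closer to the malicious profile than to the benign one.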

Protection Tips
  • Increase users’ awareness
  • Install mobile security applications to protect phone
  • Download applications from trusted, official sources only
  • Read reviews and ratings before downloading
  • Always read permission requests during installation
  • Turn off Wi-Fi when not in use
  • Keep applications up to date
  • Encrypt all confidential data
  • Monitor battery life
  • Delete all sensitive data remotely if the phone is stolen

Why Is Mobile Malware Important?
  • Underground economy
  • Constrained security resources
  • Users’ role and responsibilities

Next Class
  • Trust management
