Mobile Computing and Security

Presentation Transcript


Mobile Computing and Security

Computer Science and Engineering


Mobile Devices

  • Traditional computing and networking vs. mobile devices (smartphones, internet tablets, etc.)

  • Widely accepted consumerization: individuals and organizations

  • Huge amount of sensitive data (personal and corporate)

  • Security and privacy threats


OWASP Mobile Security Project

  • M1: Weak Server Side Controls

  • M2: Insecure Data Storage

  • M3: Insufficient Transport Layer Protection

  • M4: Unintended Data Leakage

  • M5: Poor Authorization and Authentication

  • M6: Broken Cryptography

  • M7: Client Side Injection

  • M8: Security Decisions Via Untrusted Inputs

  • M9: Improper Session Handling

  • M10: Lack of Binary Protections


OWASP

  • Additional materials from OWASP:

    • The original (OWASP) presentation can be found here: SLIDES

    • The corresponding video can be found here: VIDEO


M2: Insecure Data Storage

  • Threats: lost/stolen phones or malware

  • Exploitation difficulty: easy, for both users and applications

  • Impact: data loss, disclosure, ransom (e.g., Usernames, Authentication tokens, Passwords, Cookies, Location data, personal data, application data)

  • How to prevent:

    • Don’t store sensitive data (e.g., credentials on device)

    • Encrypt all data


M3: Insufficient Transport Layer Protection

  • Threats: data exchange between client and server over the carrier’s network and over the internet is poorly protected

  • Exploitation difficulty: difficult

  • Impact: data disclosure and account theft

  • How to prevent

    • Enforce the use of SSL/TLS for all transport channels

    • Use strong, industry standard encryption algorithms and appropriate key lengths

    • Never allow self-signed certificates
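The last two prevention points in code, as an added example that is not from the slides or from OWASP: a client TLS context that accepts any certificate (what "allowing self-signed certificates" amounts to) beside the hardened one, plus a small audit function that reports the M3 findings. The function names are my own.

```python
import ssl
from typing import List

# Added example, not from the slides or OWASP: the weak client setup that
# "allows self-signed certificates" beside the hardened one the M3 slide asks for.

def insecure_client_context() -> ssl.SSLContext:
    """Accepts any certificate: the chain is never validated, so a self-signed
    certificate presented by an interceptor on the carrier network is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation at all
    return ctx

def hardened_client_context() -> ssl.SSLContext:
    """Enforces TLS with CA-validated, hostname-matched certificates and no
    downgrade below TLS 1.2 (the 'industry standard' parameters of the slide)."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED, check_hostname, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 / TLS 1.0 / TLS 1.1
    return ctx

def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Report the M3 findings for a context; an empty list means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled: self-signed certs accepted")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled: any trusted cert is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions allowed: downgrade below TLS 1.2")
    return findings

if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_client_context(ctx) or ["OK"])
```

The audit only inspects the context object, so it runs offline; wiring the hardened context into the app's HTTP client is the remaining step.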


M4: Unintended Data Leakage

  • Threat: Application specific

  • Exploitation: Easy

  • Impact: technical and business

  • Prevention: review the application for leakage through

    • URL caching

    • Copy/paste buffer caching

    • Logging

    • Etc.


McAfee Labs 2014 Threat Prediction

1: Mobile Malware

2: Virtual Currencies

3: Cybercrime and Cyberwarfare

4: Social Attacks

5: PC and Server Attacks

6: Big Data

7: Attacks on the Cloud


Mobile Security Research

ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, held in conjunction with the CCS conference

  • Device/hardware security

  • OS/Middleware security

  • Application security

  • Authenticating users to devices and services

  • Mobile Web Browsers

  • Usability

  • Privacy

  • Rogue application detection and recovery

  • Cloud support for mobile security


Mobility and IT Risk Management

  • Mobile Device Management: MDM

  • Risk management and investment in cyber security

    • What type of security needed?

    • Mobile device policies

  • Risk areas: technology, policy, law


Application Development


Operating Systems

  • What is an operating system?

  • What do operating systems do?

  • Why do we need security in operating systems?

    • Unintended errors, flaws, bugs, etc.

    • Malicious activities

  • Readings:

    • Silberschatz, Galvin, Gagne: Operating Systems Concepts, Chapters 14 and 15


What is Secure Code?

  • Characteristics that contribute to security

    • Who defines the characteristics?

  • Assessment of security

    • What is the basis for the assessment?

  • IEEE Standard for Software Verification and Validation, 2005

    • Bug, error, fault, …

  • US National Security Agency: System Security Engineering CMM (SSE CMM), http://www.sse-cmm.org/index.html

CSCE 548 - Farkas


OS Security Functionalities

  • Identity and credential management

  • Access control

  • Information flow

  • Audit and integrity protection


Trusted Operating System

  • Code has been rigorously developed and analyzed

  • Key characteristics:

    • Functional correctness

    • Enforcement of integrity

    • Limited privilege

    • Appropriate confidence level


Mobile Operating Systems

  • Four main MOSs: Symbian, Android, BlackBerry OS, iOS

  • Others: Windows Mobile (WinMob), Windows Phone 7 (WP7), bada, webOS, and MeeGo

  • Interesting read:

    • Fortinet, Fortinet’s FortiGuard Labs Reports 96.5% of all Mobile Malware Tracked is Android Based, Symbian is Distant Second at 3.45%; iOS, BlackBerry, PalmOS, and Windows Together Represent Less Than 1%, February 2014, https://www.fortinet.com/press_releases/2014/fortiguard-quarterly-labs-reports.html


Mobile Application Development

  • Diverse and evolving MOSs

  • Different software development platforms and unique programming languages, custom API

  • Mashup services: support mobile application development without specific software development kits

    • Limited capabilities: mainly Internet-related resources but not other functionalities (e.g., database access, address book, etc.)


Current Mobile Application Support

  • Use web browsers to support platform-independent applications

  • Use cross-platform mobile development tools (XMT) to support applications for different platforms from the same code base

  • Smartphone application characteristics:

    • Installation

    • Application structure

    • GUI elements


Malware Detections


Difficulties

  • Resource constraints:

    • Computational power

    • Energy resources

  • Change in the motivation: instant access to confidential and valuable information

    • 2011: 428 million mobile devices sold worldwide

    • Users are increasingly dependent on mobile phones

    • Increased functionalities


Mobile Malware

  • Software malware: software system security vulnerability, e.g., viruses, worms, botnets, etc.

  • Spyware and grayware

  • Malware detection methods:

    • Static analysis

    • Dynamic analysis


Static Analysis

  • Preliminary analysis to evaluate suspicious applications

  • Methods:

    • Analyze system calls

    • Taint control and data flow

    • Source code analysis for anomaly detection


Dynamic Analysis

  • Executing the application in an isolated environment

  • Monitor dynamic behavior

  • Methods:

    • System-wide

    • Sandbox

  • Application Permission Analysis

    • Application intentions - Internet permissions

    • Back-end activities


Cloud-Based Detections

  • Smartphones do not carry full-featured security mechanisms

  • E.g., file scanner takes 30 mins and reduces battery life by 2% on an Android HTC G1

  • Application scanning is more than 11 times slower on a mobile device than on a computer

  • Solution: run security checks on remote computers

  • Cloud-based security services


Cloud-based malware protection 1

  • Paranoid Android

  • Smartphone: a tracer records the application's execution so that the app can be replayed on a different platform

  • Cloud-service: uses the data sent by the tracer to replay the application execution and check security features:

    • Memory scanners, System call anomalies, Dynamic malware analysis, Commercial antivirus checking

  • Proxy: store inbound traffic

  • Cost of processing: increased CPU load (15%), energy usage (30%), tracer execution is costly (user space installation)


Cloud-based malware protection 2

  • Crowdroid

  • Behavior-based detection

  • Lightweight application that

    • Monitors system calls made by the application

    • Preprocesses the calls

    • Sends the call info to the cloud

  • Cloud: classification of the application, whether malicious or not
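The Crowdroid pipeline end to end, as an added example written in its spirit rather than Crowdroid's own code: the device collapses a raw trace into syscall counts, and the cloud clusters the vectors reported for the same app by many users. The traces, the syscall set and the "smaller cluster is anomalous" rule are constructed assumptions.

```python
import re
from collections import Counter
from typing import List

# Added example in the spirit of Crowdroid, not its code: constructed strace-style
# traces stand in for what the on-device monitor records; the syscall set is assumed.
SYSCALLS = ["open", "read", "write", "ioctl", "socket", "connect", "sendto", "recvfrom"]

# Constructed traces: four genuine copies of an app and one repackaged copy that
# adds network traffic the original never generates.
BENIGN_TRACE = 'open("/data/app/notes.db")\nread(3)\nread(3)\nwrite(4)\nioctl(5)\n'
TAMPERED_TRACE = BENIGN_TRACE + 'socket(2)\nconnect(6)\nsendto(6)\nsendto(6)\nsendto(6)\n'

def preprocess(trace: str) -> List[int]:
    """Device side: collapse a raw trace into one count per monitored syscall,
    which is all that is uploaded (no arguments, no file contents)."""
    names = re.findall(r"^\s*(\w+)\(", trace, flags=re.M)
    counts = Counter(n for n in names if n in SYSCALLS)
    return [counts[s] for s in SYSCALLS]

def _dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5

def _centroid(vs):
    return [sum(col) / len(vs) for col in zip(*vs)]

def two_means(vectors: List[List[int]], iters: int = 20) -> List[int]:
    """Cloud side: split the vectors reported for the same app into two clusters.
    Seeding with the most distant pair keeps the result deterministic."""
    c0, c1 = max(((a, b) for a in vectors for b in vectors), key=lambda p: _dist(*p))
    labels = [0] * len(vectors)
    for _ in range(iters):
        labels = [0 if _dist(v, c0) <= _dist(v, c1) else 1 for v in vectors]
        groups = [[v for v, l in zip(vectors, labels) if l == k] for k in (0, 1)]
        if not groups[0] or not groups[1]:
            break  # everything collapsed into one cluster: nothing anomalous
        c0, c1 = _centroid(groups[0]), _centroid(groups[1])
    return labels

def classify(vectors: List[List[int]]) -> List[str]:
    """Assumption (as in Crowdroid): most users run the genuine app, so the
    smaller cluster holds the anomalous copies."""
    labels = two_means(vectors)
    minority = 1 if labels.count(1) < labels.count(0) else 0
    return ["malicious" if l == minority else "benign" for l in labels]
```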


Protection Tips

  • Increase users’ awareness

  • Install mobile security applications to protect phone

  • Download applications from trusted, official sources only

  • Read reviews and ratings before downloading

  • Always read permission requests during installation

  • Turn off wifi when not used

  • Keep applications up to date

  • Encrypt all confidential data

  • Monitor battery life

  • Delete all sensitive data remotely if the phone is stolen


Why Is Mobile Malware Important?

  • Underground economy

  • Constrained security resources

  • Users’ role and responsibilities


Next Class

  • Trust management
