
Mobile Computing and Security

tate-dyer

Presentation Transcript


  1. Mobile Computing and Security
  Computer Science and Engineering

  2. Mobile Devices
  • Traditional computing and networking vs. mobile devices (smart phones, internet tablets, etc.)
  • Widely accepted consumerization: individuals and organizations
  • Huge amount of sensitive data (personal and corporate)
  • Security and privacy threats

  3. OWASP Mobile Security Project
  • M1: Weak Server Side Controls
  • M2: Insecure Data Storage
  • M3: Insufficient Transport Layer Protection
  • M4: Unintended Data Leakage
  • M5: Poor Authorization and Authentication
  • M6: Broken Cryptography
  • M7: Client Side Injection
  • M8: Security Decisions Via Untrusted Inputs
  • M9: Improper Session Handling
  • M10: Lack of Binary Protections

  4. OWASP
  • Additional materials from OWASP:
  • The original (OWASP) presentation can be found here: SLIDES
  • The corresponding video can be found here: VIDEO

  5. M2: Insecure Data Storage
  • Threats: lost/stolen phones or malware
  • Exploitation difficulty: easy by users and applications
  • Impact: data loss, disclosure, ransom (e.g., usernames, authentication tokens, passwords, cookies, location data, personal data, application data)
  • How to prevent:
  • Don’t store sensitive data (e.g., credentials) on the device
  • Encrypt all data

  6. M3: Insufficient Transport Layer Protection
  • Threats: data exchange between client and server over the carrier’s network and over the internet is poorly protected
  • Exploitation difficulty: difficult
  • Impact: data disclosure and account theft
  • How to prevent:
  • Enforce the use of SSL/TLS for all transport channels
  • Use strong, industry standard encryption algorithms and appropriate key lengths
  • Never allow self-signed certificates
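
The M3 prevention bullets above can be turned into a configuration check. This is an added example, not from the original slides: it audits a Python `ssl.SSLContext` for the settings that would let a self-signed or forged certificate through, and shows the weak client configuration beside the hardened one. The `audit_tls_context` helper and its finding strings are this example's own naming.

```python
"""Audit a client TLS configuration against the M3 guidance (added example)."""
import ssl


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the M3-relevant weaknesses found in `ctx` (empty list = OK)."""
    findings = []
    # Accepting unverified peers is what lets a self-signed (or any forged)
    # certificate through; a client needs both of these checks enabled.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled (CERT_NONE/CERT_OPTIONAL)")
    if not ctx.check_hostname:
        findings.append("hostname check disabled: certificate not tied to the server name")
    # "Strong, industry standard" today means TLS 1.2 or newer.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol too low: {ctx.minimum_version.name}")
    return findings


def weak_client_context() -> ssl.SSLContext:
    """The pattern that 'allows self-signed certificates': verification off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # any certificate is accepted
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # legacy versions allowed
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verifies the chain against the system trust store and requires TLS >= 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print("weak:    ", audit_tls_context(weak_client_context()))
    print("hardened:", audit_tls_context(hardened_client_context()))
```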

  7. M4: Unintended Data Leakage
  • Threat: application specific
  • Exploitation: easy
  • Impact: technical and business
  • Prevention:
  • URL caching
  • Copy/paste buffer caching
  • Logging
  • Etc.

  8. McAfee Labs 2014 Threat Prediction
  1: Mobile Malware
  2: Virtual Currencies
  3: Cybercrime and Cyberwarfare
  4: Social Attacks
  5: PC and Server Attacks
  6: Big Data
  7: Attacks on the Cloud

  9. Mobile Security Research
  ACM workshop on Security and Privacy in Smartphones and Mobile Devices – in conjunction with the CCS conference
  • Device/hardware security
  • OS/middleware security
  • Application security
  • Authenticating users to devices and services
  • Mobile web browsers
  • Usability
  • Privacy
  • Rogue application detection and recovery
  • Cloud support for mobile security

  10. Mobility and IT Risk Management
  • Mobile Device Management: MDM
  • Risk management and investment in cyber security
  • What type of security is needed?
  • Mobile device policies
  • Risk areas: technology, policy, law

  11. Application Development

  12. Operating Systems
  • What is an operating system?
  • What do operating systems do?
  • Why do we need security in operating systems?
  • Unintended errors, flaws, bugs, etc.
  • Malicious activities
  • Readings:
  • Silberschatz, Galvin, Gagne: Operating Systems Concepts, Chapters 14 and 15

  13. What is Secure Code?
  • Characteristics that contribute to security
  • Who defines the characteristics?
  • Assessment of security
  • What is the basis for the assessment?
  • IEEE Standard for Software Verification and Validation, 2005
  • Bug, error, fault, …
  • US National Security Agency: System Security Engineering CMM (SSE CMM), http://www.sse-cmm.org/index.html
  CSCE 548 - Farkas

  14. OS Security Functionalities
  • Identity and credential management
  • Access control
  • Information flow
  • Audit and integrity protection

  15. Trusted Operating System
  • Code has been rigorously developed and analyzed
  • Key characteristics:
  • Functional correctness
  • Enforcement of integrity
  • Limited privilege
  • Appropriate confidence level

  16. Mobile Operating Systems
  • Four main MOSs: Symbian, Android, BlackBerry OS, iOS
  • Others: Windows Mobile (WinMob), Windows Phone 7 (WP7), bada, webOS, and MeeGo
  • Interesting read:
  • Fortinet, "Fortinet’s FortiGuard Labs Reports 96.5% of all Mobile Malware Tracked is Android Based, Symbian is Distant Second at 3.45%; iOS, BlackBerry, PalmOS, and Windows Together Represent Less Than 1%", February 2014, https://www.fortinet.com/press_releases/2014/fortiguard-quarterly-labs-reports.html

  17. Mobile Application Development
  • Diverse and evolving MOSs
  • Different software development platforms and unique programming languages, custom APIs
  • Mashup services: support mobile application development without specific software development kits
  • Limited capabilities: mainly Internet-related resources but not other functionalities (e.g., database access, address book, etc.)

  18. Current Mobile Application Support
  • Use web browsers to support platform-independent applications
  • Use cross-platform mobile development tools (XMT) to support applications for different platforms from the same code base
  • Smartphone application characteristics:
  • Installation
  • Application structure
  • GUI elements

  19. Malware Detection

  20. Difficulties
  • Resource constraints:
  • Computational power
  • Energy resources
  • Change in the motivation: instant access to confidential and valuable information
  • 2011: 428 million mobile devices sold worldwide
  • Users are increasingly dependent on mobile phones
  • Increased functionalities

  21. Mobile Malware
  • Software malware: exploits software system security vulnerabilities, e.g., viruses, worms, botnets, etc.
  • Spyware and grayware
  • Malware detection methods:
  • Static analysis
  • Dynamic analysis

  22. Static Analysis
  • Preliminary analysis to evaluate suspicious applications
  • Methods:
  • Analyze system calls
  • Taint control and data flow
  • Source code analysis for anomaly detection

  23. Dynamic Analysis
  • Executing the application in an isolated environment
  • Monitor dynamic behavior
  • Methods:
  • System-wide
  • Sandbox
  • Application permission analysis
  • Application intentions – Internet permissions
  • Back-end activities
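
The "application permission analysis" and "application intentions – Internet permissions" bullets above describe a check that can be run directly on an app's manifest. The following is an added example, not part of the original slides: it parses a constructed AndroidManifest.xml and reports which sensitive data sources the app could send out, given that it also holds the INTERNET permission. The manifest text and the `SENSITIVE` mapping are this example's own constructed inputs, not a published detection rule.

```python
"""Permission analysis of an Android manifest (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that read data worth protecting; paired with INTERNET they
# describe an app that can both collect that data and send it out.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Constructed sample manifest of a hypothetical flashlight app (not a real app).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return the permission names declared via <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"  # attribute lives in the android: namespace
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def exfiltration_risk(perms: set[str]) -> list[str]:
    """Name the sensitive data sources the app could send over the network.

    An empty result means either no INTERNET permission or no sensitive source;
    a flashlight that needs contacts and SMS plus network access is worth a look.
    """
    if "android.permission.INTERNET" not in perms:
        return []
    return sorted(SENSITIVE[p] for p in perms if p in SENSITIVE)


if __name__ == "__main__":
    perms = requested_permissions(SAMPLE_MANIFEST)
    print(sorted(perms))
    print("could send out:", exfiltration_risk(perms))
```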

  24. Cloud-Based Detection
  • Smartphones do not carry full-featured security mechanisms
  • E.g., a file scanner takes 30 mins and reduces battery life by 2% on an Android HTC G1
  • Application scanning is more than 11 times slower on a mobile device than on a computer
  • Solution: run security checks on remote computers
  • Cloud-based security services

  25. Cloud-based malware protection 1
  • Paranoid Android
  • Smartphone: tracer to record mobile application info to enable rerun of the apps on a different platform
  • Cloud service: uses the data sent by the tracer to replay the application execution and check security features:
  • Memory scanners, system call anomalies, dynamic malware analysis, commercial antivirus checking
  • Proxy: store inbound traffic
  • Cost of processing: increased CPU load (15%), energy usage (30%); tracer execution is costly (user space installation)

  26. Cloud-based malware protection 2
  • Crowdroid
  • Behavior-based detection
  • Lightweight application that
  • Monitors system calls made by the application
  • Preprocesses the calls
  • Sends the call info to the cloud
  • Cloud: classification of the application, whether malicious or not
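
The Crowdroid pipeline described above (monitor system calls, preprocess them into a feature vector, classify in the cloud) can be sketched end to end. This is an added example, not Crowdroid's own code: the strace-like trace lines are constructed, and the benign cluster centre and the distance threshold are illustrative values chosen for the example.

```python
"""Crowdroid-style behaviour features from system-call traces (added example)."""
import math
from collections import Counter

# Fixed syscall vocabulary: one vector position per call name.
SYSCALLS = ["open", "read", "write", "close", "socket", "connect", "sendto"]

# Constructed trace of a hypothetical note-taking app: local file work only.
BENIGN_TRACE = """\
open("/data/data/com.example.notes/notes.db", O_RDWR) = 3
read(3, "...", 4096) = 4096
write(3, "...", 128) = 128
read(3, "...", 4096) = 4096
close(3) = 0
"""

# Constructed trace of an app that reads local data and pushes it to the network.
SUSPECT_TRACE = """\
open("/data/data/com.example.notes/contacts.db", O_RDONLY) = 3
read(3, "...", 4096) = 4096
read(3, "...", 4096) = 4096
close(3) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
connect(4, {sa_family=AF_INET, ...}, 16) = 0
sendto(4, "...", 8192, 0, NULL, 0) = 8192
sendto(4, "...", 8192, 0, NULL, 0) = 8192
sendto(4, "...", 8192, 0, NULL, 0) = 8192
"""


def syscall_vector(trace: str) -> list[float]:
    """On-device preprocessing: normalised frequency of each SYSCALLS entry."""
    counts = Counter(line.split("(", 1)[0] for line in trace.splitlines() if "(" in line)
    total = sum(counts[s] for s in SYSCALLS) or 1  # avoid division by zero
    return [counts[s] / total for s in SYSCALLS]


def euclid(a: list[float], b: list[float]) -> float:
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def classify(vector: list[float], benign_centre: list[float], threshold: float = 0.3) -> str:
    """Cloud-side step: label by distance from the benign cluster centre."""
    return "malicious" if euclid(vector, benign_centre) > threshold else "benign"


if __name__ == "__main__":
    centre = syscall_vector(BENIGN_TRACE)  # stands in for a learned cluster centre
    print("suspect app:", classify(syscall_vector(SUSPECT_TRACE), centre))
```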

  27. Protection Tips
  • Increase users’ awareness
  • Install mobile security applications to protect the phone
  • Download applications from trusted, official sources only
  • Read reviews and ratings before downloading
  • Always read permission requests during installation
  • Turn off Wi-Fi when not in use
  • Keep applications up to date
  • Encrypt all confidential data
  • Monitor battery life
  • Delete all sensitive data remotely if the phone is stolen

  28. Why Is Mobile Malware Important?
  • Underground economy
  • Constrained security resources
  • Users’ role and responsibilities

  29. Next Class
  • Trust management
