Presentation on theme: "Mobile Device Security"— Presentation transcript:
1Mobile Device Security Adam C. Champion and Dong XuanCSE 4471: Information SecurityBased on materials from Tom Eston (SecureState), Apple, Android Open Source Project, and William Enck (NCSU)
2Organization Quick Overview of Mobile Devices Mobile Threats and AttacksCountermeasures
3Overview of Mobile Devices Mobile computers:Mainly smartphones, tabletsSensors: GPS, camera, accelerometer, etc.Computation: powerful CPUs (≥ 1 GHz, multi-core)Communication: cellular/4G, Wi-Fi, near field communication (NFC), etc.Many connect to cellular networks: billing systemCisco: 7 billion mobile devices will have been sold by 2012 Organization
4Organization Quick Overview of Mobile Devices Mobile Threats and AttacksCountermeasures
5Mobile Threats and Attacks Mobile devices make attractive targets:People store much personal info on them: , calendars, contacts, pictures, etc.Sensitive organizational info too…Can fit in pockets, easily lost/stolenBuilt-in billing system: SMS/MMS (mobile operator), in-app purchases (credit card), etc.Many new devices have near field communications (NFC), used for contactless payments, etc.Your device becomes your credit cardLocation privacy issuesNFC-based billing system vulnerabilities
6Mobile Device Loss/Theft Many mobile devices lost, stolen each year113 mobile phones lost/stolen every minute in the U.S. 56% of us misplace our mobile phone or laptop each month Lookout Security found $2.5 billion worth of phones in 2011 via its Android app Symantec placed 50 “lost” smartphones throughout U.S. cities 96% were accessed by finders80% of finders tried to access “sensitive” data on phone
7Device Malware iOS malware: very little Juniper Networks: Major increase in Android malware from 2010 to 2011 Android malware growth keeps increasing ($$$)Main categories: TrojansMonitoring apps/spywareAdwareBotnetsWe’ll look at notable malware examples
8Device Search and Seizure People v. Diaz: if you’re arrested, police can search your mobile device without warrant Rationale: prevent perpetrators destroying evidenceQuite easy to break the law (overcriminalization) Crime severity: murder, treason, etc. vs. unpaid citations“Tens of thousands” of offenses on the books Easy for law enforcement to extract data from mobile devices (forensics) 
9Location DisclosureMAC, Bluetooth Addresses, IMEI, IMSI etc. are globally uniqueInfrastructure based mobile communicationPeer-t-Peer ad hoc mobile communication
10Organization Quick Overview of Mobile Devices Mobile Threats and AttacksCountermeasures
11Mobile Access ControlVery easy for attacker to control a mobile device if he/she has physical accessEspecially if there’s no way to authenticate userThen device can join botnet, send SMS spam, etc.Need access controls for mobile devicesAuthentication, authorization, accountabilityAuthentication workflow:Request accessSupplication (user provides identity, e.g., John Smith)Authentication (system determines user is John)Authorization (system determines what John can/cannot do)
12Authentication: Categories Authentication generally based on:Something supplicant knowsPassword/passphraseUnlock patternSomething supplicant hasMagnetic key cardSmart cardToken deviceSomething supplicant isFingerprintRetina scan
13Authentication: Passwords Cheapest, easiest form of authenticationWorks well with most applicationsAlso the weakest form of access controlLazy users’ passwords: 1234, password, letmein, etc.Can be defeated using dictionary, brute force attacksRequires administrative controls to be effectiveMinimum length/complexityPassword agingLimit failed attempts
14Authentication: Smart Cards/ Security Tokens More expensive, harder to implementVulnerability: prone to loss or theftVery strong when combined with another form of authentication, e.g., a passwordDoes not work well in all applicationsTry carrying a smart card in addition to a mobile device!
15Authentication: Biometrics More expensive/harder to implementProne to error:False negatives: not authenticate authorized userFalse positives: authenticate unauthorized userStrong authentication when it worksDoes not work well in all applicationsFingerprint readers becoming more common on mobile devices (Atrix 4G)
16Authentication: Pattern Lock Swipe path of length 4–9 on 3 x 3 gridEasy to use, suitable for mobile devicesProblems: 389,112 possible patterns; (456,976 possible patterns for 4-char case-insensitive alphabetic password!)Attacker can see pattern from finger oils on screen
17Authentication: Comparison PasswordsSmart CardsBiometricsPattern LockSecurityWeakStrongEase of UseEasyMediumHardImplementationWorks for phonesYesNoPossible– Deeper problem: mobile devices are designed with single-userassumption…
18Smartphone Privileges DiffUser (1)Current smartphone access control focus: 1 user (admin)Hard to achieve fine-grained mobile device management:Control app installation/gamingParental controlsLend phone to friendWe design DiffUser, differentiated user access control model Different users use smartphone in different contextsUser classification: admin, “normal,” guestSmartphone PrivilegesAdminNormalGuestPersonal InfoSMS✔✘ContactsResource AccessWiFiLimit‼GPSBluetoothAppsApp InstallLimitSensitive AppsSource: , Table 1.
19DiffUser (2) Implement our system on Android using Java Override Android’s “Home” Activity for multi-user authentication, profile configurationSource: , Figure 2. From left to right: “normal” user screen;user login and authentication; user profile configuration.
20Mobile Device Information Leakage Types of mobile device information sources:Internal to device (e.g., GPS location, IMEI, etc.)External sources (e.g., CNN, Chase Bank, etc.)Third-party mobile apps can leak info to external sources Send out device ID (IMEI/EID), contacts, location, etc.Apps ask permission to access such info; users can ignore!Apps can intercept info sent to a source, send to different destination!Motives:Monitor employees’ activity using accelerometers (cited in )Ads, market research (include user location, behavior, etc.)MaliceHow do we protect against such information leakage?
21Information Flow Tracking (IFT) IFT tracks each information flow among internal, external sourcesEach flow is tagged, e.g., “untrusted”Tag propagated as information flows among internal, external sourcesSound alarm if data sent to third partyChallengesReasonable runtime, space overheadMany information sources“trusted”“untrusted”Information leakage on mobile devices
22TaintDroid Enck et al., OSDI 2010  IFT system on Android 2.1 System firmware (not app)Modifies Android’s Dalvik VM, tracks info flows across methods, classes, filesTracks the following info:Sensors: GPS, camera, accelerometer, microphoneInternal info: contacts, phone #, IMEI, IMSI, Google acctExternal info: network, SMSNotifies user of info leakageSource: 
23D2Taint (1)MotivationMobile device users access many information sources, e.g.Online banks (like Chase)Social networking (like Facebook)News websites (like CNN)Different info sources: different sensitivity levelsApplications’ diverse variable access patterns challenge tag propagationUsers’ info source access patterns change over timeNeed to track many information flows with moderate space, runtime overhead
24D2Taint (2) Differentiated and dynamic tag strategy  Information sources partitioned into differentiated classes based on arbitrary criteriaExample (criterion=“info sensitivity level”):Classes: “highly sensitive”, “moderately sensitive”, “not sensitive”Sources: Chase → “highly sensitive”; Facebook → “moderately sensitive”; CNN → “not sensitive”Each class’s sources stored in a location info tableSource indices (0, 1, …) ↦ source names (chase.com, …)
25D2Taint (3) D2Taint uses fixed length tag (32 bits) Tag includes segments corresponding to classesEach segment stores representations of information sources in its classRepresentation: info source’s class table indexNote: source table grows over timeInformation source representation does not uniquely ID source
26D2Taint (4) D2Taint implemented on Android 2.2, Nexus One smartphones Evaluate D2Taint: 84 popular free apps from Google Play71/84 leak some data to third partiesE.g., Android system version, screen resolutionOften, third parties are cloud computing servicesTaintDroid cannot detect external data leakage1 bit in tag for “network”Cannot track multiple external sources at once12/84 leak highly sensitive data, e.g., IMEI/EID (detected by both D2Taint, TaintDroid)D2Taint has overhead similar to TaintDroid’s
27Location Privacy Protection Strong regulationCorporateIndividualDynamic MAC and Bluetooth addresses?CollisionHow often to change?Proxy-based communicationsDummy device as proxyGroup communications
28Summary Mobile devices are increasingly popular There are many threats and attacks against mobile devices, e.g., loss/theft, sensitive information leakage, and location privacy compromiseMobile access control, information leakage protection, and location privacy protection, etc.
29References (1)Cisco, “Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2011–2016”, 14 Feb. 2012, ns705/ns827/white_paper_c htmlSamsung, “Exynos 5 Dual,” 2012, product/application/detail?productId=7668&iaId=2341Nielsen Co., “Two Thirds of All New Mobile Buyers Now Opting for Smartphones,” 12 Jul. 2012, now-opting-for-smartphones/K. De Vere, “iOS leapfrogs Android with 410 million devices sold and 650,000 apps,” 24 Jul. 2012, 410-million-devices-sold/K. Haslem, “Macworld Expo: Optimised OS X sits on ‘versatile’ Flash,” 12 Jan. 2007, Macworld,Wikipedia, “iOS,” updated 2012,Apple Inc., “iPhone Developer University Program,”Apple Inc, “iOS Security,” iOS_Security_May12.pdfAndroid Open Source Project, “Android Security Overview,” security/index.htmlPresentation organization inspired by T. Eston, “Android vs. iOS Security Showdown,” 2012,
30References (2)A. Rubin, 15 Feb. 2012, https://plus.google.com/u/0/ / posts/Btey7rJBaLFH. Lockheimer, “Android and Security,” 2 Feb. 2012, 2012/02/android-and-security.htmlAndroid Open Source Project,M. DeGusta, “Android Orphans: Visualizing a Sad History of Support,” 26 Oct. 2011,`Lookout, Inc., “Mobile Lost and Found,” 2012, https://www.mylookout.com/resources/ reports/mobile-lost-and-found/K. Haley, “Introducing the Smartphone Honey Stick Project,” 9 Mar. 2012,Juniper Networks, Inc., “Global Research Shows Mobile Malware Accelerating,” 15 Feb. 2012, mobile-malware-accelerating-nyse-jnpr
31References (3)F-Secure, “Mobile Threat Report Q2 2012,” 7 Aug. 2012, mobile-threat-report-q2-2012ndroid-malware-angry-birds-space-game/Via Forensics LLC, “Forensic Security Analysis of Google Wallet,” 12 Dec. 2011, https://viaforensics.com/mobile-security/forensics-security-analysis-google-wallet.htmlProxmark,libnfc,D. Goodin, “Android, Nokia smartphone security toppled by Near Field Communication hack,” 25 Jul. 2012,B. Andersen, “Australian admits creating first iPhone virus,” 10 Nov. 2009,R. Radia, “Why you should always encrypt your smartphone,” 16 Jan. 2011,Heritage Foundation, “Solutions for America: Overcriminalization,” 17 Aug. 2010,Wikipedia,C. Quentin,
32References (4)A. J. Aviv, K. Gibson, E. Mossop, M. Blaze, and A. M. Smith, “Smudge Attacks on Smartphone Touch Screens,” Proc. USENIX WOOT, 2010.X. Ni, Z. Yang, X. Bai, A. C. Champion, and Dong Xuan, “DiffUser: Differentiated User Access Control on Smartphones,” Proc. IEEE Int’l. Workshop on Wireless and Sensor Networks Security (WSNS), 2009.W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth, “TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones,” Proc. USENIX OSDI, 2010,W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth, “TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones,”B. Gu, X. Li, G. Li, A. C. Champion, Z. Chen, F. Qin, and D. Xuan, “D2Taint: Differentiated and Dynamic Information Flow Tracking on Smartphones for Numerous Data Sources,” Technical Report, 2012.