2Possible attack threats to mobile devices Network exploitHackers takes advantage of vulnerability or flaw of user’s web browser on mobile device in WiFi communication to attack victims.Hackers send malicious code/data from malicious logic websites to victim’s browser after user browses the malicious page and the malicious code will take over the control to get all sensitive data on the victim’s device.Social engineeringHackers use hyped contents to attract, manipulate, or persuade people into revealing confidential information through deception such as phishing for the purpose of information gathering, fraud, or access rights.
3Possible attack threats to mobile devices MalwareVirus hosted on a legitimate code, replicable spread worms, Trojan horses with action in purposeMisuse available resource and service/SMS spam or denial of service (A group of the attacking devices send volume data to one targets on the Internet to impact the target’s services)
4Possible attack threats to mobile devices Enterprise/private Data LossWork place data on a mobile device may be uploaded to home PC while synchronizing of entertainment downloading or Enterprise/private data loss due to stolen deviceData tamperIntentionally modify/corrupt device data without the permission such as device’s contact list
5Best practices protecting mobile device from potential threats Protect data loss due to mobile device loss with device ID and remotely remove all the apps, contacts, and confidential data right after the mobile phone is stolen or lostType URL instead of copying/pasting or clicking links to protect mobile phones from drive-by download attacksProtect data privacy by data Encryption, don’t cache sensitive dataDisable unnecessary device features such as Wi-Fi, Bluetooth, and infrared when they aren’t in use.Enabling the firewall, disable sharing
6Best practices protecting mobile device from potential threats Isolate personal apps and corporate appsDetect and Remove malware AppsDownload all mobile apps from trusted sources application providers and check the permission requests during installationInstall a mobile security application to protect the mobile device from attacks
7Mobile device security protection Strategies Block the app’s attempt to act beyond granted permissionsAccess Control with ID and resource access permission requirementApp signature: Each app is signed with the identity of its author and protect app from tamperingEncryption: Encrypt data for data protection in case of device loss or theftIsolation: Restrict any app to access the sensitive data on a device. Each Android app runs in its own virtual machine (process) which does not allow any access to resource belong to other VM except special permission grant.
8Android’s SecurityAndroid’s Security is supported by encryption, signature, Isolation, and access control security protection Strategies. However there still are vulnerabilities for Android mobile devices.The Android app signature system is to ensure that the app’s logic is not tampered with, enforce a user to recognize the identity of the app’s author. Although Android will only install and run a signed app, a certificate is not required by Google. Hackers can still use anonymous digital certificates to sign their malware and distribute them without any certification by Google which is required by Apple.A hacker can create and distribute malicious app since people will not be able to track down to the source and attackers add Trojan horses and malicious code to a existing legitimate app and then re-sign the updated version with an anonymous or fake certificate and distribute it. Its original digital signature is tempered and lost.
9Bring Your Own Device (BYOD) with Mobile Device Management (MDM) Enterprise BYOD policy:Use MDM tools to oversee and control mobile devices in secure operationsStore enterprise data in sandboxEncrypte enterprise data on mobile devicesKeep apps current with less vulnerabilities and flawsRoutinely back up all apps and upgrade OSAuthenticate and register all mobile devices with Secure Socket Layer (SSL) certificateAdopt app blacklisting within enterpriseManagement on the lost and stolen devicesSeparate personal and business accountsControls user access
10Mobile Malware Security Solutions Popular Mobile Malware(malicious software) are:Spyware – steals user information with user’s consent somehow.Trojan horse – steals confidential information such as credit cardAdware - displays unwanted pop-up ads with/without theft of sensitive dataThere are some malware that just degrade or disrupt device operations such as rebooting device and exhausting device power without financial profit purpose.Due to small screen size of mobile device most apps don’t show the URL address on the device screen while accessing web which takes even more difficult for mobile device user monitor and determine the destination of app on web.
11Common types of malware delivery mechanisms Drive-by malware(silent Malware)Drive-by malware delivers(downloads) itself onto a user’s devices without their consent and interaction by exploiting vulnerabilities of user browser via an invisible element such as HTML iframe tag element or by HTML embed element of image file. Such malware either tempts the victim to visit a infected website or send malware-infected messages (SMS).Software updatesMalware invites users to update software ( turned out to be a malicious one) on social network or web sits.
12Common types of malware delivery mechanisms Pop-up adsAdware lures users to click on an ad that directs user to download/install malicious code such as Trojan horse in a word or pdf file. The downloaded may also be The keylogger which monitors mouse operations or keyboard strokes to steal personal data.Man-in-the-middle(MITM)Hacker may hijack a session by eavesdropping where the hacker makes independent connections with the victims and relays messages between two parties such that both parties thought they are talking directly to each other over. The MITM hacker intercepts all conversation and injectBotnetOne attacker controls a group of sites(devices) to send a large volume of traffic to a victim resulted in a denial of service (DoS) attack. Afterwards, the hacker Demands the victim a payment to stop the attack.
13Malware detection and protection solution Filtering with blacklisting and whitelistingMany search engines place malicious website a blocked list “blacklist.” The search engine will warn to potential visitor who intends access such sites on the list. A enterprise or a personal can also setup their own blacklist. A whitelist filter only only access to these on the list if a whitelist is exclusive. The filter techniques are widely used for spam filtering.View page source codeUse Page Source (Firefox) or Source (IE) to view the actual source code to find out the injected malicious code
14Spyware detection techniques Static analysis Static analysis is a reverse engineering analysis approach to finding malicious characteristics code segments in an app without execution. The analysis focus on these obvious security threats which have been reported before. One lab in this module is given on the static analysis approach to detect spyware.b. Dynamic analysis Dynamic analysis will execute the suspicious mobile app in an isolated sandbox, such as a virtual machine or emulator to monitor and inspect the app’s dynamic behavior.c. App Permission analysisAndroid security uses permission to protect and detect by permissions in an Android mobile app’s intentions. The permissions are required to be clearly specified by app’s authors. Many spyware attacks make use of app’s vulnerability on the permission.
15Malware injectionMalware injection is the act of inserting malicious code into a vulnerable web server page with poor application input filtering such that their devices get infected with malware when users interact with such page via form or other GUI components. This injection can be detected by a filter deployed on web server to filter out invalid commands such as SQL injection commands. Malware injection works as:
172. Exploit and take over control the infected web browsers with this injected code, direct the exploited web browser to download malware to users' devicesOnce user browses the injected web page, the malicious content from Hop Point (a website controlled by the hacker) to execute inside the requested (and presumed legitimate) web page. The malware injection process instructed in “http://www.malwebsite.com/malpage.html” is loaded from here through the iframe to the browser itself which will install specific piece set of instructions for the browser to connect to a malicious site in order to download malware such as remote control utilities and backdoors as well as programs that automatically crawl the hard disk in search of information such as credit card details or bank accounts3. Finally, the victim will Silently run this downloaded malware on user device
19Mobile device loss/Theft Now, smart mobile device is not only for just calling or sending a message, it has become business and playing tool for us.We’ve stored amount of personal data and even more sensitive important company data in the mobile device. These data may be exposed: exchanges could be seen; m-commence data such as online purchasing or banking transaction might be viewed; If the phone is connected via a VPN, company networks will be exposed to malware or could be hacked.Americans lost about $30 billion worth of mobile phones last year. Phones may be lost anywhere and anytime.Nearly all who found the lost phones tried to access the information on the phone,
20Mobile device loss/Theft The loss of mobile device becomes a concern. About 2/3 of mobile device users feared not being able to recover lost content. It is one of major focus of security concerns for Android mobile device. Some security experts have pointed out that targeting smartphones could potentially be more profitable for criminals than aiming at computers
21Action on Your Stolen Mobile Phone Avoid data lossQuick restoration of all important data with a preinstalled auto-backup app (e.g., WaveSecure, MyBackup)Install a mobile tracking app to protect our mobile device(Android Lost, Where’s My Droid)Salvage ActionsReport the loss/theft to your organization and/or mobile service provider immediately to deter malicious use of your device and minimize fraudulent charges.Change account credentials. If devices are used to access remote resources such as corporate networks or social networking sites, you should contact your enterprise or organization to revoke all credentials that were stored on the lost device, all issued certificates or change your password.revoke. Locking Smartphone is the first line of defense line for protection of preventing thieves from stealing broadband service such as SMS fees, reading your , or abusing VPN connections.
22locates, locks and wipes. Locates: Locate your lost device and display the location on a Google map. Register your Android device with one of the many available "find me" services to locate and recover lost devicesLocks:Remotely locks down your lost device, that nobody can use your phone without your access, even somebody else exchanges the SIM card on your phone.Use lock apps such as Norton Mobile or AppProtector or PIN/ passwords to lock your android devices. You can also enroll in a remote find/lock service. Enterprises can ensuring company devices using either Exchange ActiveSync or the Android 2.2 Device Admin to remotely enforce password policies and routinely lock these devices and reset passwords.Wipes:Remotely wipe out important data which stored on your device.Some mobile service providers offer remote default and selective wiping, which allows you or your provider to remotely delete all data on the phone.
23Android’s SecurityAndroid’s Security is supported by encryption, signature, Isolation, and access control security protection Strategies. However there still are vulnerabilities for Android mobile devices.The Android app signature system is to ensure that the app’s logic is not tampered with, enforce a user to recognize the identity of the app’s author. Although Android will only install and run a signed app, a certificate is not required by Google. Hackers can still use anonymous digital certificates to sign their malware and distribute them without any certification by Google which is required by Apple.A hacker can create and distribute malicious app since people will not be able to track down to the source and add Trojan horses and malicious code to a existing legitimate app and then re-sign the updated version with an anonymous or fake certificate and distribute it. Its original digital signature is tempered and lost.
24Mobile Device-Encryption Android 2.2 does not support the encryption. There is no app can do full device encryption without Android OS support .Google has designed Android 3.0 for mobile device and they have taken some steps for users and the enterprise. Android 3.0 comes loaded with full encryption support for data stored on the device.We can still use some file encryption tools to protect our selected file and data.
25References A window into Mobile device security US-CERT Resource: Paul Ruggiero and Jon Foote, “Cyber Threats to Mobile Phones”,Top 10 android Security Riskshttp://www.esecurityplanet.com/views/article.php/ /Top-10-Android-Security-Risks.htm