Int. J. Information and Computer Security, Vol. 7, No. 1, 2015
Mobile device security
Kevin Curran*, Vivian Maynes and Declan Harkin
Faculty of Computing and Engineering,
University of Ulster,
Northern Ireland, UK
Abstract: None of the early internet designers foresaw the pervasiveness of its involvement in everyday life. That is why we have so many security and privacy issues today. The landscape is moving all the time, with new smartphones hitting the market and new features being rolled out almost weekly. The standard desktop operating system is quickly being overtaken by computing on mobile devices; however, many of us are unaware of the security vulnerabilities on mobile devices. This paper highlights the security mechanisms deployed to make mobile devices safe for use. Such mechanisms include the choice of mobile device by the user, encryption, authentication, remote wipe capabilities, lost phone hotline, firewalls, utilisation of third party software, intrusion prevention software, anti-virus software and finally Bluetooth.
Keywords: security; mobile security; mobile; network security; malware.
Reference to this paper should be made as follows: Curran, K., Maynes, V. and Harkin, D. (2015) ‘Mobile device security’, Int. J. Information and Computer Security, Vol. 7, No. 1, pp.1–13.
Biographical notes: Kevin Curran holds a BSc (Hons), PhD, SMIEEE, FBCS CITP, SMACM and FHEA. He is a Reader in Computer Science and Group Leader for the Ambient Intelligence Research Group. He has made significant contributions to advancing the knowledge of computer networking evidenced by over 800 published works. He is a regular contributor to BBC radio and TV news in the UK and quoted in trade and consumer IT magazines on a regular basis. He is an IEEE Technical Expert for Security and a member of the EPSRC Peer Review College.
Vivian Maynes is a graduate in Computer Science of the University of Ulster.
She is currently working in the information technology industry with research interests including distributed systems, network security and internet technologies.
Declan Harkin is a graduate in Computer Science of the University of Ulster.
He is currently working in industry. His research interests include security and programming languages.
Copyright © 2015 Inderscience Enterprises Ltd.
1 Introduction
Most people do not take time to consider privacy on their mobile devices. It is a fact that only 50% of people put a lock code on their phone; therefore, any stolen phone can allow thieves to also burrow into their online accounts (Information Week, 2011). Most people store access codes in their e-mail account. A thief could easily siphon off passwords from that. Accessing your online bank account or PayPal can allow a thief to transfer money or buy an online anonymous currency like Bitcoin, and you will never see that money again. For the first time in our history, banks and other financial institutions are beginning to offload the blame for an account being hacked onto the customer. They are claiming that customers should have had greater protection mechanisms in place. Securing your actual communications is a different matter. If you have a lot to lose by being snooped upon, like a drug dealer or a spy, then it is important. If you are the other 90% of the population then it can be harder to see the need for secure communications – especially voice communications. There is more of a need for secure messaging. Say you wish to talk movies with your friend and he is working and also using a corporate phone or iPad; then having a secure password-protected app or program can simply prevent problems with his/her boss. It would also be important for people having affairs. There are smartphone messaging apps on the app market, like SafeSlinger, which claim to prevent even the NSA snooping.
No one mobile OS is inherently more secure than another. They each have strengths, and quite often the more popular one can be more secure, but due to popularity, that is where most hacker attacks are aimed. Basically it is a numbers game. But I will say at this time that Android needs to improve its app security. Apple has an easier time as they have a more stringent entry test for getting an app into their app store. Google by default allows most people to post an app to the store but they are trying to become better at identifying rogue apps. One could also say Windows Phone is secure as most of the popular leading apps were written either by Microsoft or by paid third parties! Before its demise, BlackBerry was considered an excellent secure messaging system due to the BlackBerry Messenger app. We do know, however, that there is a global private key and we have to simply assume that the NSA knows this key, so no message can be considered safe any more. In fact, BlackBerry themselves, in their BlackBerry solution technical overview document, advise users to ‘consider pin messages as scrambled, not encrypted’.
If you are paranoid, then do not use e-mail services such as Yahoo, Gmail or Hotmail. In all likelihood the NSA have sent national security letters to each of those providers and got the keys (or more likely, installed wire taps upstream of their data centres and are recording all the traffic to later decrypt quite easily...). There are products such as those sold by Go-Trust Technology Inc., who sell an Android app which uses a hardware secure element embedded in a microSD to safeguard sensitive information by encrypting SMS text messages, photos, videos, data files and contacts. Hardware encryption can be effective. No real details have been released but there is every chance that a hardware-based solution like this can be quite secure. It is still recommended, however, to select a proper VPN and/or Tor over this system. It is not recommended to jailbreak a phone as it may leave that phone more vulnerable to attack. A jailbroken phone will quite often not get the necessary updates to protect it against new vulnerabilities.
Downloading random apps is always a risk. Security suites on mobile phones are still limited. The proper assessment of their capabilities has not really been carried out. It is well known that phones have been compromised whilst a leading mobile ‘security suite’ has been loaded on the phone. The easiest way to protect yourself is to simply install the leading well-known apps and to steer clear of ‘recent uploads’. A time stamp is important, as most malware on phones is discovered, but the first people to download it are the ones compromised.
What follows is an outline of security mechanisms deployed to make mobile devices safe for use.
2 Mobile device security
A mobile device is a piece of equipment that can come in different forms. The data these devices hold could be photos or document files containing sensitive material (e.g., bank details, personal photos, credit card numbers, even home address) (Fling, 2009; Holzer and Ondrus, 2009). The range of mobile devices that are available includes mobile computers, personal digital assistants/enterprise digital assistants, pagers, personal navigation devices (PNDs), mobile phones and portable media players. More than half the global population now use a mobile phone (ITU, 2008). The advanced features of mobile devices that have made them so attractive to the end user include: internet web browsing, e-mailing, Bluetooth, wireless communication, digitising notes, file sharing and mobile field management capabilities. As mobile devices advance in terms of technology, the security risk also increases (Chickowski, 2009). It is evident that the corporate organisations that fabricate the mobile device are not incorporating the correct security mechanisms within the equipment to minimise security risk (Hegarty et al., 2010; Wasserman, 2010; Jacobs, 2011).
There are different ways you can protect a mobile device, from placing it in your pocket to using encryption software. All of these devices have some type of security that restricts foreign bodies from obtaining their information. Data protection is crucial in today’s world of technology. Even with the advancements in mobile devices such as card readers, chip and PIN, and online payment security, data is still never 100% secure. Most or all mobile devices have the ability to enable a four-to-eight digit PIN in order to use the device. When the device is switched to standby, the PIN security is enabled, so when you try to access the device again you will be prompted for the PIN. If someone stole or came across your device and saw that it was PIN protected, they probably would not try to hack it for the data but would wipe it and sell it for a quick pound.
Figure 1 presents breach statistics for 2008 on portable devices (Lingfen et al., 2010).
Here we can see that more than 32% of data breaches were the result of a lost or stolen laptop, mobile phone, or other portable media device, while only 14% of data breaches were the result of a hacking event. It may seem, therefore, that the actual problem with regard to data security lies... outside the firewall.
Figure 1 Incidents by breach type (see online version for colours)
The starting point for protecting devices such as mobile phones would be to introduce IT policies. An IT policy is a written agreement with the users of the devices and a statement of what can and cannot be used on them. Some examples of policies are acceptable use, password, backup, network access, incident response, remote access, virtual private network (VPN), guest access, wireless, third party connection, network security and encryption policies (ITU, 2008). BlackBerry mobiles are bound to some of these. They are pushed to the handhelds over the air during wireless activation. Through these policies employers can set their own security needs, like passwords and timeouts on the device, and have read-only parameters; only permitting voice calls on locked handhelds, for instance. They can even deactivate Bluetooth and control how the data is encrypted. There can also be application policies, letting the employer control third party applications and which resources they can access. All policy settings are synchronised and assigned to the BlackBerry smartphone over the air. As a result, BlackBerry Enterprise Server (BES) administrators who need to facilitate large deployments can easily change IT policies on a corporate level without requiring users to cradle their BlackBerry smartphones. This ensures that administrators can control each BlackBerry smartphone. An IT policy has digital signatures to ensure that only the designated BlackBerry Enterprise Server can send updates to a BlackBerry smartphone. When sending information through a wireless connection on the BlackBerry, the information is routed through BlackBerry’s RIM infrastructure. The information is encrypted with either AES or 3DES and the keys are only known to the handheld or the BES. The BES decrypts the information, then sends it to the messaging server, like Microsoft Exchange or Qmail, which runs on the Linux operating system.
There are other types of encryption available like IPSec tunnelling to VPN and Wi-Fi data encryption using WPA/WPA2 and WEP keys. These methods are to stop people eavesdropping on messages during transfer (B’far, 2005; Burns, 2008).
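The signed IT policy push described above for BlackBerry can be sketched from the device's side. This is an added example, not code from the paper or from BlackBerry: the setting names and key are constructed, and HMAC-SHA256 stands in for the server's digital signature so that the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo key; stands in for the trust set up at wireless activation.
SERVER_KEY = b"constructed-demo-key"

# Hypothetical setting names modelled on the controls the text lists.
SCHEMA = {
    "password_required": bool,
    "inactivity_timeout_s": int,
    "bluetooth_enabled": bool,
    "locked_voice_calls_only": bool,
}


def _tag(body: bytes, key: bytes) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def sign_policy(policy: dict, key: bytes) -> dict:
    """Server side: canonical JSON body plus an authentication tag."""
    body = json.dumps(policy, sort_keys=True, separators=(",", ":"))
    return {"body": body, "tag": _tag(body.encode(), key)}


def apply_policy(update: dict, key: bytes, current: dict) -> dict:
    """Device side: authenticate first, validate second, apply last."""
    body = str(update.get("body", "")).encode()
    tag = str(update.get("tag", "")).encode()
    # Constant-time comparison; parse nothing until the tag checks out.
    if not hmac.compare_digest(_tag(body, key).encode(), tag):
        return current
    policy = json.loads(body)
    if not isinstance(policy, dict):
        return current
    for name, value in policy.items():
        # type() rather than isinstance(): True must not pass as an int timeout.
        if SCHEMA.get(name) is not type(value):
            return current  # unknown or mistyped setting: reject the whole push
    return {**current, **policy}
```

A push that fails authentication or validation leaves the existing policy untouched, so a forged update cannot re-enable Bluetooth or remove the password requirement.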
The Symbian platform uses several algorithms, including the Data Encryption Standard (DES), 3DES and Rivest’s Cipher 2 (RC2), a 64-bit block cipher. If it wishes to send data, the Symbian device will determine how the information should be encrypted and will select the required encrypted channel. It will then use its built-in functions to encrypt to the proper format for transfer. But the information on the device will not remain encrypted unless third party encryption software is installed and configured to do so. To protect data on Symbian devices, a program called Symbian Signed was introduced, under which software publishers could digitally sign applications that had been tested by Symbian. There are three different levels: Open-signed, which is used for limited or internal use; Express-signed, which is self-tested; and Certified-signed, which is independently tested. These use digital signatures to tie the software to publisher identities. Express and Certified must use publisher IDs issued by TC TrustCenter. The ‘for Symbian OS’ logo is awarded to applications that are Symbian Signed. Symbian Signed promotes best practice in the design of applications and content to run on Symbian OS-based phones. Symbian Signed is endorsed and supported by network operators, handset manufacturers and developers (Chickowski, 2009).
Windows-based devices are managed using Microsoft’s System Center Mobile Device Manager (SCMDM) 2008 on the Windows Mobile 6.1 (WM6.1) operating system. Just like the BlackBerry server, this server is capable of over-the-air device activity for policy enforcement, software installation and monitoring/reporting. To create an account for WM6.1 the client will have to enter his or her e-mail address and a unique PIN number. The device uses Secure Sockets Layer (SSL) to connect to the server. This gateway authenticates the user and completes the interaction with the management server. These SCMDM server functions can be distributed, for instance using a separate Microsoft CA to issue device certificates. Once the device and the gateway are configured to each other they are protected by an auto-configured IPSec ‘mobile VPN’ tunnel. SCMDM installs and enforces IT-defined Active Directory group policies. Once connected, the device can be monitored centrally and updated through SCMDM. If a mobile device is ever lost or stolen, the SCMDM can be used to remotely wipe the device the next time it connects to the enterprise network. A mobile device with WM6.1 installed can use 3G or Wi-Fi connectivity to automatically reconnect to the SCMDM from their mobile VPN tunnel (Dumaresq and Villenueve, 2010).
Google Android is a multi-tasking system. Each application runs in its own process.