Professional Documents
Culture Documents
5 Mobilethreatsattacks
5 Mobilethreatsattacks
ATTACKS
Possible attack threats to mobile devices
• Network exploit
• Hackers takes advantage of vulnerability or flaw of user’s web
browser on mobile device in WiFi communication to attack victims.
• Hackers send malicious code/data from malicious logic websites to
victim’s browser after user browses the malicious page and the
malicious code will take over the control to get all sensitive data on
the victim’s device.
• Social engineering
• Hackers use hyped contents to attract, manipulate, or persuade
people into revealing confidential information through deception
such as phishing for the purpose of information gathering, fraud, or
access rights.
Possible attack threats to mobile devices
• Malware
• Virus hosted on a legitimate code, replicable spread worms, Trojan
horses with action in purpose
• Data tamper
• Intentionally modify/corrupt device data without the permission
such as device’s contact list
Best practices protecting mobile device from potential
threats
• Protect data loss due to mobile device loss with device ID
and remotely remove all the apps, contacts, and
confidential data right after the mobile phone is stolen or
lost
• Type URL instead of copying/pasting or clicking links to
protect mobile phones from drive-by download attacks
• Protect data privacy by data Encryption, don’t cache
sensitive data
• Disable unnecessary device features such as Wi-Fi,
Bluetooth, and infrared when they aren’t in use.
• Enabling the firewall, disable sharing
Best practices protecting mobile device from potential
threats
• Isolate personal apps and corporate apps
• Detect and Remove malware Apps
• Download all mobile apps from trusted sources
application providers and check the permission requests
during installation
• Install a mobile security application to protect the mobile
device from attacks
Mobile device security protection Strategies
• Block the app’s attempt to act beyond granted
permissions
• Access Control with ID and resource access
permission requirement
• App signature: Each app is signed with the identity of
its author and protect app from tampering
• Encryption: Encrypt data for data protection in case of
device loss or theft
• Isolation: Restrict any app to access the sensitive data
on a device. Each Android app runs in its own virtual
machine (process) which does not allow any access to
resource belong to other VM except special permission
grant.
Android’s Security
• Android’s Security is supported by encryption, signature, Isolation,
and access control security protection Strategies. However there still
are vulnerabilities for Android mobile devices.
• The Android app signature system is to ensure that the app’s logic is
not tampered with, enforce a user to recognize the identity of the
app’s author. Although Android will only install and run a signed app,
a certificate is not required by Google. Hackers can still use
anonymous digital certificates to sign their malware and distribute
them without any certification by Google which is required by Apple.
• A hacker can create and distribute malicious app since people will
not be able to track down to the source and attackers add Trojan
horses and malicious code to a existing legitimate app and then re-
sign the updated version with an anonymous or fake certificate and
distribute it. Its original digital signature is tempered and lost.
Bring Your Own Device (BYOD) with Mobile Device
Management (MDM)
Enterprise BYOD policy:
• Use MDM tools to oversee and control mobile devices in
secure operations
• Store enterprise data in sandbox
• Encrypte enterprise data on mobile devices
• Keep apps current with less vulnerabilities and flaws
• Routinely back up all apps and upgrade OS
• Authenticate and register all mobile devices with Secure
Socket Layer (SSL) certificate
• Adopt app blacklisting within enterprise
• Management on the lost and stolen devices
• Separate personal and business accounts
• Controls user access
Mobile Malware Security Solutions
• Popular Mobile Malware(malicious software) are:
• Spyware – steals user information with user’s consent somehow.
• Trojan horse – steals confidential information such as credit card
• Adware - displays unwanted pop-up ads with/without theft of
sensitive data
• There are some malware that just degrade or disrupt device
operations such as rebooting device and exhausting device power
without financial profit purpose.
• Due to small screen size of mobile device most apps don’t show the
URL address on the device screen while accessing web which takes
even more difficult for mobile device user monitor and determine the
destination of app on web.
Common types of malware delivery mechanisms
• The Android app signature system is to ensure that the app’s logic is
not tampered with, enforce a user to recognize the identity of the
app’s author. Although Android will only install and run a signed app,
a certificate is not required by Google. Hackers can still use
anonymous digital certificates to sign their malware and distribute
them without any certification by Google which is required by Apple.
• A hacker can create and distribute malicious app since people will
not be able to track down to the source and add Trojan horses and
malicious code to a existing legitimate app and then re-sign the
updated version with an anonymous or fake certificate and distribute
it. Its original digital signature is tempered and lost.
Mobile Device-Encryption
• Android 2.2 does not support the encryption. There is no
app can do full device encryption without Android OS
support .
• Google has designed Android 3.0 for mobile device and
they have taken some steps for users and the enterprise.
Android 3.0 comes loaded with full encryption support for
data stored on the device.
• We can still use some file encryption tools to protect our
selected file and data.
References
A window into Mobile device security
http://www.symantec.com/content/en/us/about/media/pdfs
/symc_mobile_device_security_june2011.pdf
http://www.continuitycentral.com/feature0919.html
http://www.usatoday.com/tech/news/story/2012-03-
22/lost-phones/53707448/1]
US-CERT Resource: Paul Ruggiero and Jon Foote,
“Cyber Threats to Mobile Phones”, http://www.us-
cert.gov/reading_room/cyber_threats_to_mobile_phones.
pdf)
Top 10 android Security
Riskshttp://www.esecurityplanet.com/views/article.php/39
28646/Top-10-Android-Security-Risks.htm