IT-5105: Information Systems & Securities for 1st Semester of Regular Masters' Program (2nd Batch)
Lecture: 02 Security Issues in Mobile Computing
Prepared by: K M Akkas Ali ([email protected], [email protected]), Associate Professor, Institute of Information Technology (IIT), Jahangirnagar University, Dhaka-1342



    For M.Sc in IT, JU

  • Lecture-02: Security Issues in Mobile Computing
    Objectives of this lecture:
    - Quick overview of mobile devices / mobile computing
    - BYOD strategy in mobile computing
    - Limitations of mobile computing
    - Security issues and challenges in mobile computing
    - Mobile threats and attacks

  • Mobile Computing
    Mobile computing is human-computer interaction in which the computer is expected to be transported during normal use: it is "taking a computer and all necessary files and software out into the field".
    Mobile computing is any type of computing that uses the Internet or an intranet and the corresponding communication links (WAN, LAN, WLAN, etc.). Mobile computers may form a wireless personal area network or a piconet.
    Mobile computing involves mobile communication, mobile hardware and mobile software. Communication issues include ad hoc and infrastructure networks as well as communication properties, protocols, data formats and concrete technologies. Hardware includes mobile devices and device components. Mobile software deals with the characteristics and requirements of mobile applications.

  • Quick Overview of Mobile Devices
    There are at least three different classes of mobile computing items:
    - Portable computers: compact, lightweight units with a full character-set keyboard, primarily intended as hosts for software; laptops, notebooks, notepads, etc.
    - Mobile phones: a restricted key set, primarily (but not only) intended for voice communication; cell phones, smartphones, phonepads, etc.
    - Wearable / body-borne computers: mostly limited to function keys, primarily intended to host software agents; watches, wristbands, necklaces, keyless implants, etc.

  • Example of Wearable Computers: Google Glass
    Google Glass is a type of wearable technology with an optical head-mounted display (OHMD), developed by Google, that displays information in a smartphone-like, hands-free format. Wearers communicate with the Internet via natural-language voice commands. It has a touchpad, a camera and a display.
    The touchpad is located on the side of the device and lets users control it by swiping through a timeline-like interface shown on the screen. Sliding backward shows current events such as the weather; sliding forward shows past events such as phone calls, photos and circle updates.
    The built-in camera can take photos and record 720p HD video. The Explorer version of Google Glass uses a Liquid Crystal on Silicon (LCoS) LED-illuminated display that projects the image into the wearer's eye.
    Figure: Google Glass

  • Example of Wearable Computers: Nike+
    Nike+ is an activity tracker that measures and records the distance and pace of a walk or run, and tracks time and calories, via a sensor attached to or embedded in a shoe.

  • BYOD Strategy in Mobile Computing: What is BYOD?
    BYOD is short for "bring your own device". It is also called bring your own technology (BYOT), bring your own phone (BYOP) and bring your own PC (BYOPC).
    It refers to the policy of permitting employees to bring personally owned mobile devices (laptops, tablets and smartphones) to their workplace and to use those devices to access privileged company information and applications. The phenomenon is commonly referred to as IT consumerization. The term is also used for the same practice applied to students using personally owned devices in education settings.
    Many companies have realized that embracing the consumerization of IT not only saves money and increases business agility but also improves employee productivity.

  • BYOD Strategy in Mobile Computing: Why BYOD?
    Surveys indicate that businesses are unable to stop employees from bringing personal devices into the workplace. Research is divided on the benefits, with some reports indicating productivity gains by employees.
    Companies like Workspot Inc. believe that BYOD may help employees be more productive. Others say it increases employee morale and convenience, because people use their own devices, and makes the company look like a flexible and attractive employer.
    Many feel that BYOD can even be a means to attract new hires, pointing to a survey indicating that 44% of job seekers view an organization more positively if it supports their device. With around 95% of employees stating that they use at least one personal device for work, BYOD is a reality that company IT security managers simply cannot ignore.

  • BYOD Strategy in Mobile Computing: BYOD Security
    BYOD devices are likely to be shared with family members and friends, explicitly or implicitly adopting multiple personas. This means BYOD users are even more resistant to strong device access passwords and will have a wide variety of apps downloaded. Corporate apps and data must be protected from accidental corruption and unauthorized access.
    Today, employees expect to use personal smartphones and mobile devices at work, making BYOD security a concern for IT teams. Many corporations that allow employees to use their own mobile devices at work implement a BYOD security policy that clearly outlines the company's position and governance rules, to help IT manage these devices and ensure that network security is not compromised by employees using their own devices at work.

  • BYOD Strategy in Mobile Computing: BYOD Security (cont.)
    BYOD security can be addressed by having IT provide detailed security requirements for each type of personal device that is used in the workplace and connected to the corporate network. For example, IT may require devices to be configured with passcodes, prohibit specific types of applications from being installed on the device, or require all data on the device to be encrypted. Other BYOD security policy initiatives may include limiting the activities employees are allowed to perform on these devices at work (e.g. email usage limited to corporate email accounts only) and periodic IT audits to ensure that each device complies with the company's BYOD security policy.
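    The periodic audit described above is what an MDM compliance engine does for you. The block below is an added example (not part of the lecture and not the code of any MDM product) showing how such a check is written: each device record from a device inventory is evaluated against the policy points on this slide (passcode, encryption, prohibited apps) plus a minimum OS version and a check-in deadline. The POLICY values, the record field names and the INVENTORY entries are all constructed for illustration.

```python
"""BYOD compliance check: evaluate MDM-style device posture records against
a written policy. Added example; the policy values, record fields and
device inventory below are constructed, not taken from any real MDM product."""

from typing import Dict, List, Tuple

# Constructed policy modelled on the slide: passcode, encryption, app
# restrictions, a minimum OS version per platform and a check-in deadline.
POLICY = {
    "require_passcode": True,
    "require_encryption": True,
    "min_os_version": {"android": (10, 0), "ios": (14, 0)},
    "prohibited_apps": {"com.example.rootcloak", "com.example.freevpn"},
    "max_days_since_checkin": 30,
}


def parse_version(text: str) -> Tuple[int, int]:
    """'15.2.1' -> (15, 2); tolerates vendor suffixes such as '10-beta'."""
    nums = []
    for part in text.split(".")[:2]:
        digits = "".join(ch for ch in part if ch.isdigit())
        nums.append(int(digits) if digits else 0)
    while len(nums) < 2:
        nums.append(0)
    return (nums[0], nums[1])


def evaluate(device: Dict, policy: Dict = POLICY) -> List[str]:
    """Return the list of policy violations for one device record (empty if compliant)."""
    violations = []
    if policy["require_passcode"] and not device.get("passcode_set", False):
        violations.append("no device passcode")
    if policy["require_encryption"] and not device.get("storage_encrypted", False):
        violations.append("storage not encrypted")
    platform = str(device.get("platform", "")).lower()
    minimum = policy["min_os_version"].get(platform)
    if minimum is None:
        violations.append(f"unsupported platform {platform!r}")
    else:
        found = parse_version(str(device.get("os_version", "0")))
        if found < minimum:
            violations.append(
                f"OS version {found[0]}.{found[1]} below minimum {minimum[0]}.{minimum[1]}")
    installed = set(device.get("installed_apps", []))
    for app in sorted(installed & policy["prohibited_apps"]):
        violations.append(f"prohibited app installed: {app}")
    if device.get("rooted", False):
        violations.append("device is rooted or jailbroken")
    idle = int(device.get("days_since_checkin", 0))
    if idle > policy["max_days_since_checkin"]:
        violations.append(
            f"last check-in {idle} days ago (limit {policy['max_days_since_checkin']})")
    return violations


def audit(devices: List[Dict], policy: Dict = POLICY) -> Dict[str, List[str]]:
    """Map device id -> violations; devices with an empty list are compliant."""
    return {d["id"]: evaluate(d, policy) for d in devices}


# Constructed inventory export: two personal devices enrolled under BYOD.
INVENTORY = [
    {"id": "dev-001", "platform": "iOS", "os_version": "15.2.1", "passcode_set": True,
     "storage_encrypted": True, "installed_apps": ["com.corp.mail"], "rooted": False,
     "days_since_checkin": 3},
    {"id": "dev-002", "platform": "Android", "os_version": "9", "passcode_set": False,
     "storage_encrypted": True, "installed_apps": ["com.corp.mail", "com.example.rootcloak"],
     "rooted": True, "days_since_checkin": 45},
]

if __name__ == "__main__":
    for dev_id, problems in audit(INVENTORY).items():
        print(f"{dev_id}: {'COMPLIANT' if not problems else 'NON-COMPLIANT'}")
        for p in problems:
            print(f"  - {p}")
```

    The useful design point is that evaluate() returns every violation rather than stopping at the first one, so the audit report tells the user what to fix and the policy can be tightened one check at a time.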

  • Quick Overview of Mobile Devices: Mobile Computers
    - Mainly smartphones and tablets
    - Sensors: GPS, camera, accelerometer, etc.
    - Computation: powerful CPUs (1 GHz and above, multi-core)
    - Communication: cellular/4G, Wi-Fi, near field communication (NFC), etc.
    - Many connect to cellular networks, which come with a billing system
    - Cisco: 7 billion mobile devices will have been sold by 2012 [1]

  • Limitations of Mobile Computing
    - Range and bandwidth: Mobile Internet access is generally slower than direct cable connections, using technologies such as GPRS and EDGE and, more recently, HSDPA/HSUPA 3G and 4G networks. These networks are usually available only within range of commercial cell towers. Higher-speed wireless LANs are inexpensive but have very limited range.
    - Security standards: When working mobile, one depends on public networks, which requires careful use of a VPN. Security is a major concern for the mobile computing standards used across a fleet of devices: traffic crosses a large number of interconnected networks, any of which gives an attacker a point from which to target the VPN.
    - Power consumption: When a power outlet or portable generator is not available, mobile computers must rely entirely on battery power. Combined with the compact size of many mobile devices, this often means unusually expensive batteries must be used to obtain the necessary battery life.

  • Limitations of Mobile Computing (cont.)
    - Transmission interference: Weather, terrain and the distance from the nearest signal point can all interfere with signal reception. Reception in tunnels, some buildings and rural areas is often poor.
    - Potential health hazards: People who use mobile devices while driving are often distracted from driving and are thus assumed more likely to be involved in traffic accidents. [2] (While this may seem obvious, there is considerable discussion about whether banning mobile device use while driving reduces accidents or not. [3][4]) Cell phones may interfere with sensitive medical devices. Questions concerning mobile phone radiation and health have been raised.
    - Human interface with the device: Screens and keyboards tend to be small, which may make them hard to use. Alternative input methods such as speech or handwriting recognition require training.

  • Security Issues in Mobile Computing
    Mobile computing with networked information systems helps increase productivity and operational efficiency. This, however, comes at a price.
    More and more users and businesses use smartphones not only as communication tools but also as a means of planning and organizing their work and private life. Smartphones collect and compile an increasing amount of sensitive information, to which access must be controlled to protect the privacy of the user and the intellectual property of the company.
    Mobile computing in a networked environment increases the risk to an organization's sensitive information, which becomes exposed to attack. With the explosive growth of smartphones, tablets and mobile devices, companies must find a way of giving their mobile workforce secure and seamless access to internal systems and information.
    All smartphones, being computers, are preferred targets of attack. These attacks exploit weaknesses related to smartphones that can come from means of communication such as SMS, MMS, Wi-Fi networks and GSM. There are also attacks that exploit software vulnerabilities in both the web browser and the operating system. Finally, there are forms of malicious software that rely on the weak security knowledge of average users.

  • Uniqueness / Challenges in Mobile Devices
    Mobile devices are shared more often:
    - Personal phones and tablets are shared with family
    - Enterprise tablets are shared with co-workers
    - Social norms of mobile apps differ from those of file systems
    Mobile devices have multiple personas:
    - Work tool
    - Entertainment device
    - Personal organizer
    - Security profile per persona?
    Mobile devices are diverse:
    - OS immaturity for enterprise management
    - BYOD (bring your own device) dictates multiple OSs
    - Vendor / carrier control dictates multiple OS versions
    While many organizations and users standardize on Microsoft Windows for desktops and laptops, the mobile device revolution has forced IT departments to deal with a much wider variety of operating systems, OS capabilities, management capabilities and network access support.

  • Uniqueness / Challenges in Mobile Devices (cont.)
    Mobile devices are used in more locations:
    - A single location could offer public, private and cellular connections
    - Anywhere, anytime
    - Increasing reliance on enterprise Wi-Fi
    Mobile devices prioritize the end-user experience:
    - The OS puts the user in complete control of the device. This prevents enterprise IT shops from performing many of the functions they would like to do, such as silently installing apps, preventing users from removing security controls, or forcibly uninstalling apps regardless of where they came from, even on enterprise-owned devices.
    - Conflicts with the user experience are not tolerated
    - OS architecture puts the user in control
    - Difficult to enforce policy and app lists
    The solutions to the above challenges will vary depending on who owns the device and what it is being used for.

  • Some Security Challenges in Mobile Devices
    - Mobile theft: 1 in 20 mobile devices was stolen in 2010
    - Malware detected: mobile malware increased by 155% in 2011
    - Fraudulent spam: 70% of mobile device spam is for fraudulent financial services
    - 77% growth in Google Android malware from June 2010 to January 2011
    - Wi-Fi hotspots are set to increase by 350% by 2015, providing more opportunities for man-in-the-middle attacks
    - 10 billion Android app downloads were reached by the end of 2011; over 90% of the top 100 apps have been hacked
    Because of these facts, mobile devices are doubly appealing to attackers: they hold both corporate and personal data.

  • Security Challenges Faced by Enterprises: Drivers vs. Barriers for Adopting Mobile Devices
    According to the IBM Market Insights team, increasing workforce efficiency and productivity is the top driver for adopting mobile, but security is the leading barrier and inhibitor of mobile adoption.
    The leading security concern for mobile is the handling of confidential data. Around one half of respondents are concerned about identity and access management and about vulnerability to viruses and malware.

    Chart: Drivers for Adopting Mobile (percentage of respondents; check all that apply)
    - Increased workforce efficiency/productivity: 65%
    - Responding to internal user/employee demand: 59%
    - Ease of use of mobile device/applications: 52%
    - Responding to external customer/partner demand: 41%
    - Increased customer reach: 34%
    - Competitive differentiation: 33%
    - Other: 2%
    (Unweighted row: 1117)

    Chart: Barriers to Adopting Mobile (percentage of respondents; select up to three)
    - Mobile security: 62%
    - Integration of mobile with existing infrastructure and data: 43%
    - Difficulty of extending existing applications to mobile: 38%
    - Inadequate IT skills to deploy/fully adopt mobile: 29%
    - Difficulty of distributing applications across multiple mobile platforms: 25%
    - Increased volume of data from mobile: 16%
    - Other: 4%
    - None: 5%

  • Visualizing Mobile Security
    The figure below shows how IBM visualizes mobile security. There are really three points of control: (i) device security, (ii) mobile application security, and (iii) secure access to applications and data.
    Figure: Visualizing mobile security. Device side: "Secure endpoint device and data". Application side: "Develop, test and deliver safe applications" (web sites, mobile apps). Access side: "Secure access to enterprise applications and data" (Internet / Wi-Fi / telecom provider, through a security gateway to the corporate intranet and systems). Across all three: "Achieve visibility and enable adaptive security posture".

  • Mobile Device Threats & Attacks
    Like the viruses and spyware that can infect a PC, there is a variety of security threats (both physical and software-based) that can affect mobile devices or compromise the data on smartphones, tablets and similar devices. Mobile security threats include everything from mobile forms of malware and spyware to unauthorized access to a device's data, particularly after accidental loss or theft of the device.
    Mobile devices make attractive targets:
    - People store much personal information on them: email, calendars, contacts, pictures, etc.
    - Sensitive organizational information too
    - They fit in pockets and are easily lost or stolen
    - Built-in billing system: SMS/MMS (mobile operator), in-app purchases (credit card), etc.
    - Many new devices have near field communication (NFC), used for contactless payments, etc.: your device becomes your credit card
    - Location privacy issues

  • Mobile Device Threats & Attacks: Kinds of Mobile Security Threats
    We divide mobile security threats into several categories:
    - Application-based threats
    - Web-based threats
    - Network-based threats
    - Physical threats

  • Mobile Device Threats & Attacks: Application-Based Threats
    Downloadable applications can present many types of security issue for mobile devices. Malicious apps may look fine on a download site but are specifically designed to commit fraud. Even some legitimate software can be exploited for fraudulent purposes. Threats of this type take advantage of vulnerabilities in the mobile operating system or a mobile application to gain access to and/or control of the device; the broader picture also includes phishing scams, web browser and network-based exploits, Wi-Fi packet sniffing to capture mobile device data in transit, and more.

  • Mobile Device Threats & Attacks: Application-Based Threats (cont.)
    Application-based threats generally fit into one or more of the following categories:
    - Malware: software that performs malicious actions while installed on your phone. Without your knowledge, malware can make charges to your phone bill, send unsolicited messages to your contact list, or give an attacker control over your device. Mobile malware and spyware can access a device's private data without the user's knowledge or consent and can perform malicious actions without the user knowing, including transferring control of the device to an attacker, sending unsolicited messages to the device's contacts, making expensive phone calls, and more.
    - Spyware: software designed to collect or use private data without your knowledge or approval. Data commonly targeted by spyware includes phone call history, text messages, user location, browser history, contact list, email and private photos. The stolen information can be used for identity theft or financial fraud.
    - Privacy threats: caused by applications that are not necessarily malicious but gather or use more sensitive information (e.g. location, contact lists, personally identifiable information) than is necessary to perform their function.
    - Vulnerable applications: apps that contain flaws which can be exploited for malicious purposes. Such vulnerabilities allow an attacker to access sensitive information, perform undesirable actions, stop a service from functioning correctly, or download apps to your device without your knowledge.
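    The "privacy threat" category is the one a reviewer can catch before installation, because on Android the permissions an app will ask for are declared in its manifest. The block below is an added example, not from the lecture and not code from Google or any app-vetting product: it reads an AndroidManifest.xml, lists the permissions that Android classifies as dangerous (the ones that trigger a runtime prompt), and flags any that the app's stated function does not justify. The manifest is constructed for a hypothetical flashlight app; the permission names in DANGEROUS are real Android identifiers, and the "expected" set is the reviewer's own judgement of what a flashlight needs.

```python
"""Audit the permissions an Android app requests against what its function needs.
Added example, not from the lecture. The manifest below is constructed for a
hypothetical flashlight app; DANGEROUS lists real Android permission names that
sit in the 'dangerous' protection level (prompted at runtime)."""

import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Subset of permissions in Android's "dangerous" protection level.
DANGEROUS: Set[str] = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed manifest: a flashlight app that also wants contacts, location and SMS.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_SMS"/>
  <application android:label="Flashlight"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> List[str]:
    """All permission names the manifest requests (both uses-permission forms)."""
    root = ET.fromstring(manifest_xml)
    names = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.append(name)
    return sorted(set(names))


def audit_permissions(manifest_xml: str, expected: Set[str]) -> Dict:
    """expected = the dangerous permissions the app's stated function justifies."""
    root = ET.fromstring(manifest_xml)
    requested = set(requested_permissions(manifest_xml))
    dangerous = requested & DANGEROUS
    return {
        "package": root.get("package"),
        "requested": sorted(requested),
        "dangerous": sorted(dangerous),
        "unexpected_dangerous": sorted(dangerous - expected),   # the privacy threat
        "missing_expected": sorted(expected - requested),
    }


if __name__ == "__main__":
    # A flashlight only needs CAMERA (to drive the flash LED on older Android versions).
    report = audit_permissions(MANIFEST, {"android.permission.CAMERA"})
    print(f"{report['package']}: dangerous permissions not justified by its function:")
    for perm in report["unexpected_dangerous"]:
        print(f"  - {perm}")
```

    The same report is the input to a BYOD "prohibited apps" rule: an app whose unexpected_dangerous list is non-empty is a candidate for the blocklist even though nothing about it is technically malware.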

  • Mobile Device Threats & Attacks: Web-Based Threats
    Because mobile devices are constantly connected to the Internet and frequently used to access web-based services, web-based threats pose persistent issues for mobile devices:
    - Phishing scams use email, text messages, Facebook and Twitter to send you links to websites designed to trick you into providing information such as passwords or account numbers. Often these messages and sites are very difficult to distinguish from those of your bank or other legitimate sources.
    - Drive-by downloads can automatically download an application when you visit a web page. In some cases you must take action to open the downloaded application; in other cases the application can start automatically.
    - Browser exploits take advantage of vulnerabilities in your mobile web browser or in software launched by the browser, such as a Flash player, PDF reader or image viewer. Simply by visiting an unsafe web page, you can trigger a browser exploit that installs malware or performs other actions on your device.
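    Phishing links are "difficult to distinguish" precisely because they are built to look like the real domain: a brand name in a subdomain of an unrelated site, a raw IP address, or an internationalized (punycode) name with one accented letter. The block below is an added example, not from the lecture and not any vendor's filter, that triages the links in a text message against a small trusted-domain allowlist and names the trick it sees. TRUSTED, the sample SMS and the look-alike host are constructed; registered_domain() takes the last two labels as a deliberate simplification (production code would use the Public Suffix List), and the accent-stripping "skeleton" is a crude stand-in for a real confusables table.

```python
"""Triage links in an SMS or e-mail against a trusted-domain allowlist.
Added example, not from the lecture. TRUSTED and the sample message are
constructed; registered_domain() and skeleton() are simplifications."""

import ipaddress
import re
import unicodedata
from typing import List, Tuple
from urllib.parse import urlsplit

TRUSTED = {"examplebank.com", "example-shop.com"}     # constructed allowlist
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text: str) -> List[str]:
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]


def registered_domain(host: str) -> str:
    """'a.b.example.com' -> 'example.com' (last two labels; see lead-in)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def unicode_host(host: str) -> str:
    """Decode punycode (xn--) labels so a homograph name is visible as a human sees it."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host


def skeleton(name: str) -> str:
    """Strip accents: 'examplebänk' -> 'examplebank'. Crude confusable detection."""
    return "".join(c for c in unicodedata.normalize("NFKD", name)
                   if not unicodedata.combining(c))


def classify(url: str, trusted=TRUSTED) -> Tuple[str, List[str]]:
    """Return (verdict, reasons); verdict is trusted / lookalike / suspicious / unknown."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons: List[str] = []
    if not host:
        return "suspicious", ["no host in URL"]
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain name")
    except ValueError:
        pass
    if parts.scheme.lower() != "https":
        reasons.append("not HTTPS")
    shown = unicode_host(host)
    if shown != host:
        reasons.append(f"internationalized (punycode) host, displays as {shown!r}")
    reg = registered_domain(host)
    brand_hits = [t for t in sorted(trusted)
                  if t != reg and t.split(".")[0] in skeleton(shown)]
    if reg in trusted and shown == host:
        verdict = "trusted"
    elif brand_hits:
        verdict = "lookalike"
        reasons.append(f"contains brand {brand_hits[0]!r} but registered domain is {reg!r}")
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "unknown"
    return verdict, reasons


def triage(message: str):
    """[(url, verdict, reasons), ...] for every link in the message."""
    return [(u, *classify(u)) for u in extract_urls(message)]


# Constructed phishing SMS; the punycode host is built from a Unicode look-alike name.
PUNY_HOST = "examplebänk.com".encode("idna").decode("ascii")
SMS = ("ALERT: your examplebank.com account is locked. Restore access at "
       "http://examplebank.com.verify-login.net/acct or https://examplebank.com/login. "
       f"Update app: http://192.0.2.10/update or https://{PUNY_HOST}/login.")

if __name__ == "__main__":
    for url, verdict, reasons in triage(SMS):
        print(f"{verdict:10} {url}")
        for r in reasons:
            print(f"           - {r}")
```

    Note that the genuine link in the message comes out as "trusted" with no reasons, while the subdomain trick and the accented name are both reported as look-alikes of the bank; the rule a user can take away is that only the registered domain, not the text to the left of it, says who you are talking to.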

  • Mobile Device Threats & Attacks: Network Threats
    Mobile devices typically support cellular networks as well as local wireless networks (Wi-Fi, Bluetooth). Both types of network can host different classes of threat:
    - Network exploits take advantage of flaws in the mobile operating system or in other software that operates over local or cellular networks. Once connected, an attacker can install malware on your phone without your knowledge.
    - Wi-Fi sniffing intercepts data as it travels through the air between the device and the Wi-Fi access point. Many applications and web pages do not use proper security measures, sending unencrypted data across the network that can easily be read by anyone capturing traffic as it passes.
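    What "easily read" means in practice: a sniffer on the same Wi-Fi network gets the raw application data of every cleartext HTTP request, and pulling passwords out of it is a few lines of parsing. The block below is an added example, not from the lecture and not the code of any sniffing tool, that scans captured request payloads for Basic-auth credentials, session cookies and password form fields. The CAPTURE entries are constructed to mimic decoded packet payloads (no live capture is performed); the third entry is a TLS record, which the scanner cannot parse, which is exactly why an app that uses TLS does not leak this way.

```python
"""Show what a Wi-Fi sniffer sees when an app talks cleartext HTTP: pull
credentials and session cookies out of captured request payloads.
Added example, not from the lecture. CAPTURE is constructed to mimic decoded
packet payloads; TLS payloads are skipped because they cannot be parsed."""

import base64
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl

PASSWORD_FIELDS = {"password", "passwd", "pwd", "pin", "passcode"}

# Constructed captured payloads: (destination port, raw application data).
CAPTURE: List[Tuple[int, bytes]] = [
    (80, b"POST /login HTTP/1.1\r\nHost: mail.example.net\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n"
         b"username=alice&password=Hunter2"),
    (80, b"GET /api/inbox HTTP/1.1\r\nHost: mail.example.net\r\n"
         b"Authorization: Basic " + base64.b64encode(b"alice:Hunter2") + b"\r\n"
         b"Cookie: session=9f3c2a1b\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),   # TLS ClientHello prefix: opaque
]


def parse_http_request(payload: bytes) -> Optional[Tuple[str, str, Dict[str, str], str]]:
    """Return (method, path, headers, body), or None if not a cleartext HTTP request."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    first = lines[0].split(" ")
    if len(first) != 3 or not first[2].startswith("HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return first[0], first[1], headers, body


def scan_payload(dport: int, payload: bytes) -> List[Dict[str, str]]:
    """Credential-bearing items an eavesdropper can lift from one request."""
    req = parse_http_request(payload)
    if req is None:
        return []
    method, path, headers, body = req
    where = f"{method} http://{headers.get('host', '?')}{path} (port {dport})"
    findings: List[Dict[str, str]] = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:   # Basic auth is base64, not encryption: the password is right there
            creds = base64.b64decode(auth[6:]).decode("utf-8", "replace")
        except ValueError:
            creds = "<undecodable>"
        findings.append({"kind": "basic-auth", "value": creds, "where": where})
    if "cookie" in headers:   # replaying this cookie hijacks the session
        findings.append({"kind": "session-cookie", "value": headers["cookie"], "where": where})
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for name, value in parse_qsl(body):
            if name.lower() in PASSWORD_FIELDS:
                findings.append({"kind": f"form-field:{name}", "value": value, "where": where})
    return findings


def scan_capture(capture: List[Tuple[int, bytes]]) -> List[Dict[str, str]]:
    out: List[Dict[str, str]] = []
    for dport, payload in capture:
        out.extend(scan_payload(dport, payload))
    return out


if __name__ == "__main__":
    for f in scan_capture(CAPTURE):
        print(f"{f['kind']:22} {f['value']:20} in {f['where']}")
```

    The defensive reading of this scanner is a test case: run it against your own app's traffic in a lab, and any finding means the app (or a library it uses) is sending something over HTTP that belongs behind TLS.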

  • Mobile Device Threats & Attacks: Physical Threats
    Mobile devices are small and valuable, and we carry them everywhere with us, so their physical security is also an important consideration.
    When it comes to physical mobile security threats, phones that lack passcodes, screen locks or other forms of authentication are vulnerable to unauthorized access, which can compromise sensitive information stored on the device. And if the device is lost or stolen, attackers can bypass many forms of authentication in order to gain access to the device's sensitive information.
    Lost or stolen devices are one of the most prevalent mobile threats. The device is valuable not only because the hardware itself can be resold on the black market, but more importantly because of the sensitive personal and organizational information it may contain.

  • Mobile Device Lost/Theft
    Many mobile devices are lost or stolen each year:
    - 113 mobile phones are lost or stolen every minute in the U.S. [15]
    - 56% of us misplace our mobile phone or laptop each month [15]
    - Lookout Security found $2.5 billion worth of phones in 2011 via its Android app [16]
    - Symantec placed 50 lost smartphones throughout U.S. cities [17]: 96% were accessed by finders, and 80% of finders tried to access sensitive data on the phone

  • Mobile Device Lost/Theft: What to Do If Your Phone Is Stolen
    The not-so-humble smartphone has become a significant part of our everyday lives. Whether you're a CEO, a busy parent, a social media addict, or all three, your phone is most likely the control center amid the chaos, helping you organize your finances, stay in touch with your family and interact with your friends.
    It contains your emails, contacts, photos, financial details and more, so having it stolen can be extremely distressing. These days it's not just the hardware that is valuable to criminals: the data on your phone is worth just as much as its resale price on the black market. According to Consumer Reports, 3.1 million smartphones were stolen last year alone in the US, nearly double the number stolen in 2012. So what should you do if your phone is stolen?

  • Mobile Device Lost/Theft: If you do have a mobile security app
    If your phone has been stolen and you have a mobile security app, the first thing you should do is try to locate, lock and possibly wipe your phone. These immediate actions give you a fighting chance of finding your smartphone before you suspend your service. With mobile security, you'll have the breathing room you need to contact the police and your carrier.

  • Mobile Device Lost/Theft: Lock your device
    Mobile security features like Lock and Wipe allow you to remotely lock your device to stop thieves from accessing your personal data. You may even be able to post a custom message to the home screen that could help you get it back.
    If you are positive that your device is gone for good, you have the option to remotely wipe your smartphone to ensure that your important information doesn't fall into the wrong hands.

  • Mobile Device Lost/Theft: Locate your device
    Mobile security apps like Lookout also allow you to easily locate your phone using GPS. It's as simple as logging into your account using a web browser and finding its location. Once you've located your device (and it's definitely not hiding under the couch cushions), give this information to the police. For your safety, leave it to the experts to retrieve.

  • Mobile Device Lost/Theft: Stay safe as you get your device back
    Once you have more information on your device's whereabouts, rope in law enforcement and don't try to be a vigilante. The tips below for people who don't have Lookout installed will still be helpful for you, too.

  • Mobile Device Lost/Theft: Whether or not you have a mobile security app, contact your provider
    If your cell phone is lost or stolen and you don't have a mobile security app, the first thing to do is contact your network provider, who will be able to block your phone in order to stop anyone else from using it.
    This is particularly important if you have a pay-monthly contract, as you will be liable for any calls made (or expensive apps downloaded) before you report your phone stolen. Most of the major US network providers allow you to suspend your service and request a new SIM online or by calling their customer service department.

  • Mobile Device Lost/Theft: Reporting a lost or stolen phone to your carrier
    - Verizon: Verizon Wireless allows you to temporarily suspend your service if your device has been lost or stolen; your line automatically reconnects in 30 days, giving you the chance to find or replace your smartphone.
    - T-Mobile: T-Mobile allows users to suspend their service online and has a program that lets you transfer your contacts and personal information to a new device.
    - AT&T: AT&T allows users not only to suspend their service but also to block the device from using voice, text and data on the AT&T network if another SIM is inserted.
    - Sprint: Sprint asks users to call 888-211-4727 immediately to suspend service if you suspect that your phone has been lost or stolen.

  • Mobile Device Lost/Theft: Notify the police
    If your cell phone has been stolen, it's also important to notify the police, as insurance providers will usually need a crime reference number in order to process any claims.
    If you use your smartphone to shop or bank, you may also need a police report to dispute any fraudulent charges made on your debit or credit card accounts using the stolen device.
    Make a report at your local station, being sure to give them your device's International Mobile Equipment Identity (IMEI) number, which your network should be able to provide. (You can also find it on your account settings page if you have Lookout installed.) This could help the police get your phone back to you if it is recovered.

  • Mobile Device Lost/Theft: Change passwords and PINs
    According to a nationwide survey by Consumer Reports, 34% of Americans don't passcode-protect their cell phones.
    If you're one of the people who make up this statistic, it is absolutely essential that you change any passwords or PINs stored on your cell phone, as well as the passwords of apps that automatically log in when you launch them on your device.
    Bank details, user names, passwords and PINs, when used together with the personal data readily available on your phone (your birthday and address, for example), can easily be used by thieves looking to capitalize on your misfortune.
    If you use your mobile device to shop or bank (with a banking or store app, for example), it's also a good idea to contact your financial institution and credit card company, as it may be necessary to cancel any cards stored on your smartphone.

  • Mobile Device Lost/Theft: Prevention is better than cure
    The single most important thing you can do to prevent anyone from getting at your personal data if your phone is lost or stolen is to set a passcode. Not only does it make your device a less attractive target for theft, it means no expensive international calls can be made at your expense, and your personal information stays personal no matter who ends up with your phone. Set a complex passcode that you'll remember but thieves won't guess (don't use common passcodes like 1234 or 0000), and set your screen to auto-lock after a short interval, at most five minutes.
    Backing up your data is also a great way to ensure you don't lose important contacts, photos, music and more. Many service providers offer this service free of charge. Beyond this simple precaution, installing a mobile security app such as Lookout adds an extra layer of protection: from locating your phone to remotely locking and wiping it, Lookout makes defending your personal data simple.

  • Speaker notes
    There is a broad spectrum of security challenges, from managing the data and the application to managing the device. Mobile application security must be able to detect security risks and vulnerabilities by understanding how data enters an application and where it goes. By understanding data and call flow inside an application, developers can better ensure that when data leaves the application it is appropriately secured.

    Drivers for Adopting Mobile Computing. Q: What drives your organization to adopt mobile computing? Please check all that apply.

    Barriers to Adopting Mobile Computing. Q: What are the major barriers to adopting mobile computing in your organization? Please select up to three.

    Visualizing mobile security:
    1. On the left you have device security, protecting both the device and the data.
    2. On the top right you have mobile application security, which includes secure application development and analyzing applications for security risk. Note the reference to web sites: you also need to protect the server-side web-based application.
    3. The bottom right highlights the need to provide secure access to applications and data.
    They are all interlinked and interconnected.
    To achieve visibility and enable an adaptive security posture you need security intelligence. For example, if you see 50 incorrect login attempts from a mobile device, you might choose to lock down the device.
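    The "50 incorrect login attempts, lock the device" rule in the last note is a detection rule, and the detail that matters when writing it is the time window: 50 failures in ten minutes is an attack, 50 failures spread over a working week is a user with a new password. The block below is an added example, not from the lecture and not IBM's code, that applies the rule over a sliding window to constructed authentication log lines (the log format, device ids and timestamps are all made up). Resetting the counter on a successful login is a design choice, noted in the code.

```python
"""Security-intelligence rule from the speaker notes: lock a device after too
many failed logins within a sliding time window. Added example, not from the
lecture or from IBM; the log format and the LOG entries are constructed."""

from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

THRESHOLD = 50                  # failures within WINDOW that trigger a lock
WINDOW = timedelta(minutes=15)

# Constructed log lines: "<ISO time> device=<id> user=<name> result=<OK|FAIL>".
BASE = datetime(2024, 3, 1, 9, 0, 0)
LOG: List[str] = []
for i in range(50):             # D1: 50 failures in under ten minutes (an attack)
    LOG.append(f"{(BASE + timedelta(seconds=12 * i)).isoformat()} device=D1 user=alice result=FAIL")
for i in range(3):              # D2: three typos, then a successful login
    LOG.append(f"{(BASE + timedelta(minutes=1, seconds=i)).isoformat()} device=D2 user=bob result=FAIL")
LOG.append(f"{(BASE + timedelta(minutes=2)).isoformat()} device=D2 user=bob result=OK")
for i in range(60):             # D3: 60 failures spread over five hours (a forgetful user)
    LOG.append(f"{(BASE + timedelta(minutes=5 * i)).isoformat()} device=D3 user=carol result=FAIL")
LOG.sort()                      # ISO timestamps sort chronologically as text


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_text), kv["device"], kv["user"], kv["result"]


def devices_to_lock(lines: List[str], threshold: int = THRESHOLD,
                    window: timedelta = WINDOW) -> Dict[str, datetime]:
    """Return {device: time the rule fired} for every device that reached
    `threshold` failed logins inside any `window`-long interval."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    locked: Dict[str, datetime] = {}
    for line in lines:                       # lines must be in time order
        ts, device, _user, result = parse_line(line)
        if device in locked:
            continue
        failures = recent[device]
        if result == "OK":
            failures.clear()                 # design choice: success resets the count
            continue
        failures.append(ts)
        while failures and ts - failures[0] > window:
            failures.popleft()               # drop failures older than the window
        if len(failures) >= threshold:
            locked[device] = ts
    return locked


if __name__ == "__main__":
    for device, when in devices_to_lock(LOG).items():
        print(f"lock {device}: {THRESHOLD} failed logins within {WINDOW} as of {when.isoformat()}")
```

    With the default settings only D1 is locked; D3's 60 failures never put more than four inside a 15-minute window. Lowering the threshold to 3 locks all three devices, which is the kind of false positive the window and threshold are tuned to avoid.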