Embed Size (px)
Citation preview
Mobile Device Security
Benjamin KirchmeierUniversity of Idaho
Definitions
• Mobile Device– Computing and communications– Handheld or smaller– I/O: touch or thumb-based keyboard– Requires no wired connection
• Smartphone– Voice + Data features
The Global Mobile Market
• 2005: 750,000,000 cell phone sales• 2009: 1,211,236,600 cell phone sales• 2009: 172,373,100 smartphone sales
Smartphones comprise 14% of total global sales
Gartner (February 23, 2010)http://www.gartner.com/it/page.jsp?id=1306513
The UI Mobile Market
Staff and Faculty Exchange Use via Mobile Device
About 10% of UI employees‡ use a mobile device to access their UI email
‡ Personal and Sponsored Employee accounts total 5,126.* Based on 7-day login and device information from UI Exchange Servers.
Smaller, Faster, Cheaper
Smartphone• 128MB-512MB RAM• 1GB – 64GB+ Storage• 1000 MHz processor• $200 (w/ Contract of course)
Primary advantages• Convenience• Security• Fits in pocket
Cray 1 Supercomputer(ca. 1976)• 8MB RAM• 80 MHz processor• $8.8 million
Primary advantages• 133 Megaflops• All colors available
Device Technologies
• Bluetooth– IEEE 801.15.1– 30’ range
• SMS– 160 character limit– Viver virus (Kaspersky; Symbian, 2007)
• MMS– Text, images, audio, video– Binary data– Commwarrior-A (F-secure; Symbian, 2005)
Development for Mobile Devices
• Binary Runtime Environment for Wireless (BREW)• Java 2 Micro Edition (J2ME)• Python• Java• Objective-C
• [micro] Web Browsers – HTML, JavaScript, Flash• [micro] Operating Systems – Linux, iOS (OS X)
Malicious Mobile Device Code
• Timofonica (2000)– Visual Basic– Infected computers– Spammed phones
• Cabir (2004)– Symbian-based– Source code released underground– Propagated via Bluetooth– User interaction required
Malicious Mobile Device Code: Cabir
1. User clicks on caribe.sis
2. Installer confirms action
3. Cabir Installed!
Once installed, it searches for “discoverable” Bluetooth devices
Photos: http://www.f-secure.com/v-descs/cabir.shtml
Predicting Future Outbreaks
• Are security experts crying wolf?• Since 2004, about 420 viruses identified• Primary Vectors
– Bluetooth– MMS
• The Tipping Point– Location– Mobility– Communication Patterns
Splode Demo
The Game Trail via YouTube: http://www.youtube.com/watch?v=rNU3g_LHDGkSplode available in the AppStore: http://itunes.apple.com/us/app/splode/id376476787
Basic Best Practices
• Only install software you trust• Disable Bluetooth• Use PINs longer than four numbers
– No birthdates!• Different passwords for different
devices/services• Pair Bluetooth devices privately or not at all• Update your device’s OS and programs
regularly
The Bottom Line
• Increasing mobile device adoption• Mobile malicious code was discovered in
2004• Bluetooth and MMS will most likely spread
future infections• Critical mass for widespread infection: not yet
Trusting Published Mobile Software
Google Android Market Terms of Service
• 5. Use of the Services by You– 5.1 In order to access certain Services, you may be required to provide
information about yourself (such as identification or contact details) as part of the registration process for the Service, or as part of your continued use of the Services. You agree that any registration information you give to Google will always be accurate, correct and up to date.
– 5.4 You agree that you will not engage in any activity that interferes with or disrupts the Services (or the servers and networks which are connected to the Services).
• 7. Privacy and your personal information– 7.1 For information about Google’s data protection practices, please read
Google’s privacy policy at http://www.google.com/privacy.html. This policy explains how Google treats your personal information, and protect your privacy, when you use the Services.
– 7.2 You agree to the use of your data in accordance with Google’s privacy policies.
http://www.android.com/terms.html
Google Privacy Policy
5 Privacy Principles
• Use information to provide our users with valuable products and services
• Develop products that reflect strong privacy standards and practices
• Make the collection of personal information transparent• Give users meaningful choices to protect their privacy• Be a responsible steward of the information we hold
http://www.google.com/privacy.html
Google Privacy Policy
• Affiliated Google Services on other sites• Third Party • Location Data• Unique application number
In addition to the above, we may use the information we collect to:• Provide, maintain, protect, and improve our services (including
advertising services) and develop new services; and• Protect the rights or property of Google or our users.
http://www.google.com/privacypolicy.html
Apple AppStore Terms and Conditions
• D. Privacy Policy– Personal information is data that can be used to uniquely
identify or contact a single person.– You may be asked to provide your personal information
anytime you are in contact with Apple or an Apple affiliated company. Apple and it’s affiliates may share this personal information with each other and use it consistent with this Privacy Policy. They may also combine it with other information to provide and improve our products, services, content, and advertising.
http://www.apple.com/legal/itunes/us/terms.html
Apple AppStore Terms and Conditions
Collection and Use of Non-Personal InformationWe also collect non-personal information − data in a form that does not permit direct association with any specific individual. We may collect, use, transfer, and disclose non-personal information for any purpose. The following are some examples of non-personal information that we collect and how we may use it:
– Non-personal information: occupation, language, zip code, area code, unique device identifier, location, and the time zone where an Apple product is used.
– Additional Non-personal information: customer activities on Apple websites, MobileMe service, and iTunes Store and from our other products and services.
– “If we do combine non-personal information with personal information the combined information will be treated as personal information for as long as it remains combined.”
Marketing, Marketing, Marketing!!
• Popular Apps authorized for sale by Google and Apple transmit data without users’ knowledge
• Data transmitted to both developer sites and other involved entities
• Data can include personal identifiable information (PII) plus additional information
• All data is used primarily to market goods and services
• Security not a priority (encrypted vs. rapid deployment)
Data? What data?
• Real names• Home address• Telephone numbers• Credit Card numbers• IP Address(es)• Browser Type• Pages Visited• Time spent within specific apps or browser• GPS information
Oops! Market and AppStore Blunders
• Android Market– TweetDeck beta, August 2010
• AppStore– Aurora Feint, July 2008
“Signed” mobile device applications ≠ trusted
TaintDroid
October 4-6, 2010TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones
USENIX Operating Systems Design and Implementation (OSDI)
• Researchers from Intel, Penn State, and Duke• Developed custom-built firmware• Provides data transmission transparency to end users• Available soon: http://appanalysis.org/
appanalysis.org TaintDroid Demo
http://appanalysis.org/demo/
PSNs, UDIDs, IMEIs, and Smartphones. Oh my!
• PSNs, UDIDs, and IMEIs manage device identity
• Pentium III’s (PSN)– Burned into each CPU– Hoped to boost online commerce– Attract business (and government) interest– Permit better asset tracking/resource allocation– Ultimately considered an “unnecessary intrusion”
PSNs, UDIDs, IMEIs, and Smartphones. Oh my!
• UDIDs created by Apple for its mobile devices– Guaranteed to be unique per device
• “Ensure[s] … devices continue to comply with required policies.”
http://www.apple.com/iphone/business/docs/iPhone_Business.pdf
• Developers encouraged to utilize UDID– Store high scores for games– Aggregate app-specific user ID with UDID– Apple does not proctor use of the UDID API– No restrictions for company UDID ‘sharing’
Wireshark• Network protocol analyzer• Used to intercept packets from mobile devices before
they’re sent onto the internet• Reveals plain-text packets which include UDID, IMEI, and
other information• Available here: http://www.wireshark.org/download.html
Sniffing iPhone Packets Demo
• Amazon• Sends UDID and other
information in an unencrypted (http) format
• CBS News• Sets cookies to expire in 20
years
* Detailed images can be found in this reference: http://www.pskl.us/wp/?p=476
Android Demo
“Disney” Wallpapers• Sends IMEI to
developer’s database• Uses wps.ysler.com as
a repository for content.• Copyright issues?
*More information available http://appanalysis.org/
Primary ReferencesiPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs). Retrieved October 1, 2010 from Preset Kill Limit Web site: http://www.pskl.us/wp/?p=476
TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. Retrieved October 1, 2010 from AppAnalysis.org Web site: http://appanalysis.org/pubs.html
iDefense.com. (2009). Mobile Malicious Code Trends. In Graham, James (Ed.), Cyber Fraud: Tactics, Techniques and Procedures (Chapter 15). Auerbach Publications.
Understanding the spreading patterns of mobile phone viruses. P. Wang, M. C. Gonzalez, C. A. Hidalgo and A. –L. Barabasi. Science, 324, 1071-1076 (2009).
