Security issues for mobile devices Cvetko Andreeski


Content

• Facts about mobile devices and traffic
• Mobile networks and communication
• Mobile platforms security
• Mobile application security
• Steps to increase security of mobile devices


Facts about mobile devices and traffic

• Increasing number of mobile devices for individual and professional work
• Broadband mobile networks 2G, 3G, 4G (max speed 1Gb/s)
• Portability and adaptability
• Duration of unplugged work
• In 2012, the number of mobile-connected tablets increased to 36 million
• There were 161 million laptops on the mobile network in 2012

Source: Cisco VNI Mobile Forecast 2013

• In 2016, purchases of 283 million tablet computers are expected, which should exceed the number of laptop computers purchased that year


Mobile communication

• Most mobile devices use the 3G standard for communication
• In 2012 only 0.9% of connections were 4G, but they made up 14% of the traffic
• Even though the 3G standard implements the KASUMI cipher, there were several possibilities to corrupt the communication
• The latest example is the so-called related key attack. With this attack, one can recover the full A5/3 key
• The basis of communication through the 4G architecture is the Y-comm framework. This framework implements security in the architecture from the initial stages of the design process.
• This architecture should deliver dedicated bandwidth for the users by switching between the networks of different providers, known as vertical handover


Mobile platforms security

Table: security features compared across Blackberry, iPhone and Android, each rated as Implemented, Partially implemented or Not implemented

• Remote wipe capability
• Encrypted backup files
• Mandatory code signing
• Type safe programming
• Application sandbox
• Corporate policy enforcement
• Full disk and memory encryption
• End-to-end data encryption

Source: comScore, May 2013

Source: Ernst & Young, January 2012

Comparison of security features on different mobile platforms

Third party applications can fill the gap of some security features.


Mobile application security

• Web based application
– Android – Java, Android SDK, many reversing tools for Android applications
– Android applications are not reviewed before they are sent for downloading
– Android – certificates and keys can be taken from one location: /etc/security/cacerts.bks
– Android – available tools for data decryption
– iOS – every application is reviewed before it is presented on the Apple store
– iOS – enforces application sandboxing
– iOS – jailbreaking
– iOS – possibility of reversing applications, tools for setting hooks
– iOS – a lot of resources (raw data from database) in cache files
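An added example (not from the original slides) for the point about raw database data left in cache files: a check that walks an app data directory copied from a test device and reports SQLite databases and binary plists found in cache folders. The cache directory names, file names and the sample tree are constructed assumptions.

```python
from pathlib import Path
import tempfile

# Leading bytes of file types that hold structured application data.
SIGNATURES = {b"SQLite format 3\x00": "sqlite-database", b"bplist00": "binary-plist"}
# Directory names treated as cache locations (assumption of this example).
CACHE_DIR_NAMES = {"Caches", "cache", "tmp"}


def classify(path):
    """Return the data type indicated by a file's leading bytes, or None."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    return next((k for m, k in SIGNATURES.items() if head.startswith(m)), None)


def audit_cache_dirs(root):
    """Return sorted (relative path, kind, size) for structured data in cache dirs."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        # Only regular files that sit somewhere below a cache directory.
        if not path.is_file() or not CACHE_DIR_NAMES.intersection(rel.parts[:-1]):
            continue
        kind = classify(path)
        if kind:
            findings.append((rel.as_posix(), kind, path.stat().st_size))
    return sorted(findings)


def build_sample_tree(root):
    """Write a constructed app container (sample data, not from a real device)."""
    layout = {
        "Library/Caches/com.example.app/Cache.db": b"SQLite format 3\x00" + b"\x00" * 84,
        "Library/Caches/com.example.app/thumb.png": b"\x89PNG\r\n\x1a\n",
        "Library/Preferences/settings.plist": b"bplist00" + b"\x00" * 8,
        "tmp/session.plist": b"bplist00" + b"\x00" * 24,
    }
    for rel, data in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, kind, size in audit_cache_dirs(tmp):
            print(f"{kind:16} {size:6d}  {rel}")
```

Each finding is a file to open during application testing to confirm that no sensitive records remain in a location the application treats as disposable.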


Steps to increase security of mobile devices

• Know the risks and assets on mobile devices and communication
• Follow the policy for security of mobile devices
• Test the platform and applications
• Avoid or limit the transfer of sensitive data over the network
• Use of secure protocols for logging and sending sensitive data
• Sandboxing for untrusted (or all) applications
• Test the end to end communication and services