Tutorial on Smartphone Security

Tutorial on Smartphone Security. Wenliang (Kevin) Du, Professor, wedu@syr.edu

Smartphone Usage

Smartphone Applications

Overview
» Built-in Protections (iOS and Android)
» Jailbreaking and Rooting
» Security Risks
» Malware
» Suggestions

Protections: Apple versus Google
» Approval Processes
» Access Control
» Data Protection

Approval Process (diagram): apps submitted to Apple go through code review, testing, etc. before distribution and installation; other apps come from 3rd-party stores.

Apple's App Development Process (diagram): the app developer registers with Apple; Apple issues a certificate, which provides accountability and code integrity; then app development.

Public Key Encryption and PKI
» Traditional Encryption: Secret Key Encryption
  > The same key is used for encryption and decryption
  > The key must be secret
  > Algorithms: AES, DES
» Public Key Encryption
  > Public key: public, used for encryption
  > Private key: secret, used for decryption
  > Algorithms: RSA

Public Key Encryption (diagram): messages M1, M2, M3 are encrypted with the public key KeyPub, e.g. Enc(M2); decryption uses the private key KeyPriv. Algorithms: RSA, ElGamal.

Digital Signature using Public Key (diagram): Alice signs M with her private key KeyPriv, producing Signature = Sign(M, KeyPriv). Anyone holding her public key KeyPub checks (M, Signature) and concludes either that M is written by Alice or that M is NOT written by Alice. Algorithms: RSA, ElGamal, DSA.

Digital Signature using Public Key (diagram): Du signs the code with Du's private key, producing digital signature S. With Du's public key, everybody can verify whether the code is written by Du or not. Question: How do you know the public key is Du's?

Digital Certificate and PKI (diagram): M = (Public Key, Name: Kevin Du). Example: VeriSign signs M with VeriSign's private key, producing digital signature S. Verification by everybody uses VeriSign's public key, usually preloaded in browsers and the OS. Digital Certificate: Public Key, Name: Kevin Du, some other information, VeriSign's signature.

The Whole Process

Weakness of PKI
» We trust CAs (Certificate Authorities)
» CAs can be compromised
  > July 10 to July 20, 2011: DigiNotar's system was hacked
  > 500 rogue certificates were issued by the hackers (for Google, Skype, Mozilla, Microsoft)
  > Microsoft removed this CA from its OS
  > Google and Mozilla blocked all DigiNotar digital certificates
  > DigiNotar filed for bankruptcy in September 2011
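The whole process the previous slides describe (a CA signs M = (name, public key), everybody verifies that signature with a CA key preloaded in the OS, then verifies the code with the key the certificate vouches for, and a compromised CA such as DigiNotar is simply removed from that trust store), as an added example that is not part of the lecture. It uses textbook RSA over fixed Mersenne primes, an assumption made to keep it library-free and deterministic; the keys for "VeriSign", "Kevin Du" and the distrusted CA are constructed.

```python
import hashlib
import json
# Textbook RSA over fixed Mersenne primes: library-free and deterministic.
# Illustration only (assumption): real signing uses properly sized, padded keys.
E = 65537

def make_key(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, phi)}

def h(data: bytes, n: int) -> int:
    # SHA-256 of the data, reduced mod n because the toy moduli are small
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(h(data, priv["n"]), priv["d"], priv["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == h(data, pub["n"])

def issue_cert(issuer, ca_priv, name, pub):
    # A certificate is the CA's signature over M = (name, public key)
    body = json.dumps({"name": name, "n": pub["n"], "e": pub["e"]}).encode()
    return {"issuer": issuer, "body": body, "sig": sign(ca_priv, body)}

def verify_app(code, code_sig, cert, trust_store):
    # The whole process: CA key from the trust store checks the cert,
    # then the developer key inside the cert checks the code.
    ca_pub = trust_store.get(cert["issuer"])
    if ca_pub is None or not verify(ca_pub, cert["body"], cert["sig"]):
        return False                      # issuer unknown, removed, or forged
    dev = json.loads(cert["body"])
    return verify({"n": dev["n"], "e": dev["e"]}, code, code_sig)

# Constructed keys: a trusted CA, developer Kevin Du, and a CA later distrusted
CA_PUB, CA_PRIV = make_key(2**107 - 1, 2**61 - 1)
DU_PUB, DU_PRIV = make_key(2**127 - 1, 2**89 - 1)
ROGUE_PUB, ROGUE_PRIV = make_key(2**31 - 1, 2**19 - 1)

APP = b"constructed app binary"
APP_SIG = sign(DU_PRIV, APP)
DU_CERT = issue_cert("VeriSign", CA_PRIV, "Kevin Du", DU_PUB)
# Same name, but issued by a CA the OS no longer trusts (the DigiNotar case)
ROGUE_CERT = issue_cert("DigiNotar", ROGUE_PRIV, "Kevin Du", ROGUE_PUB)

def demo():
    store = {"VeriSign": CA_PUB}          # DigiNotar has been removed
    return (verify_app(APP, APP_SIG, DU_CERT, store),                   # genuine
            verify_app(APP, sign(ROGUE_PRIV, APP), ROGUE_CERT, store),  # rogue CA
            verify_app(APP + b"!", APP_SIG, DU_CERT, store))            # tampered
```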

Apple's App Development Process (diagram): the app developer registers with Apple; Apple issues a certificate, which provides accountability and code integrity; then app development.

Google's App Development Process (diagram): a certificate issued by a trusted party would give accountability and code integrity; the app developer instead develops with an anonymous (self-signed) certificate: no accountability, no code integrity. Only for Android Market, not for 3rd-party markets.

Access Control
» We've learned: downloaded programs are dangerous
  > Viruses, worms
  > Trojans, backdoors
» Apps are downloaded programs.
» Need to control their access.

Unix Security Basics: Users
» Normal users
  > uid: user ID
  > Users are separated from each other
» Root user (administrator, superuser)
  > uid = 0
  > Root has all the privileges
  > if (uid == 0) do privileged operations

Unix File Permission
-rwxr-x--- 2 richard staff 12040 Aug 20 1996 mydata.txt
(rwx: owner; r-x: group; ---: others)

Access Control (diagram): system resources such as GPS. Isolations: isolation among apps; isolation between app and system.

Isolation among Apps (diagram): apps with Uid = 6001, Uid = 6009, Uid = 7003; file permission rw-rw----. Each app runs as a separate user (normal user); access control is enforced by the underlying Linux.

Security Check: Break the Isolation among Apps (diagram): Uid = 1020 and Uid = 6009. Data sharing among apps; use the functionalities of other apps.
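A model of the check these slides describe, added here and not taken from the lecture: the owner/group/others triples of the ls line above, the root bypass from the Unix Security Basics slide, and the Android case where every app is its own normal user and its data file is rw-rw----. The uids, gids and file names are constructed, and group membership is used here only as this model's way of letting two apps share data.

```python
# Added example: the Unix permission check that Linux applies under Android.
# Uids, gids and file names are constructed for the demonstration.
RWX = {"r": 4, "w": 2, "x": 1}

def mode_from_string(ls_mode: str) -> int:
    """'-rwxr-x---' -> 0o750: the nine permission characters become nine bits."""
    bits = 0
    for ch in ls_mode[1:10]:
        bits = (bits << 1) | (ch != "-")
    return bits

def allowed(mode, owner_uid, owner_gid, uid, gids, want):
    """Can a process with (uid, gids) perform want (a subset of 'rwx')?"""
    if uid == 0:                      # root has all the privileges
        return True
    if uid == owner_uid:              # owner triple applies, even if weaker
        triple = (mode >> 6) & 7
    elif owner_gid in gids:           # otherwise the group triple
        triple = (mode >> 3) & 7
    else:                             # everyone else: the others triple
        triple = mode & 7
    need = sum(RWX[c] for c in want)
    return triple & need == need

# The lecture's line: -rwxr-x--- richard staff mydata.txt (richard=1000, staff=50)
def lecture_file(uid, gids, want):
    return allowed(mode_from_string("-rwxr-x---"), 1000, 50, uid, gids, want)

# Android: app 6001 is its own normal user; its data file is rw-rw----
APP_DATA = {"uid": 6001, "gid": 6001, "mode": mode_from_string("-rw-rw----")}

def app_can_read(uid, gids=None):
    gids = gids if gids is not None else {uid}
    return allowed(APP_DATA["mode"], APP_DATA["uid"], APP_DATA["gid"], uid, gids, "r")

def isolation_demo():
    """Who can read app 6001's private file?"""
    return {
        "app 6001 (owner)": app_can_read(6001),
        "app 6009 (another app)": app_can_read(6009),
        "app 6009 put in 6001's group (sharing)": app_can_read(6009, {6009, 6001}),
        "root (uid 0)": app_can_read(0),
    }
```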

Isolation Between App and System (diagram): GPS hardware, OS kernel, system resources. Each app runs as a normal user; only root can directly access system resources.

Security Check: Allow Apps to Access System Resources (diagram): GPS hardware, OS kernel, system resources; apps reach them through a privileged deputy (e.g. system services).

Access Control (diagram): system resources such as GPS. How to cross the isolation boundary, between apps and between app and system? Controlled by permissions.

Permission-Based Access Control (diagram)
» GPS, Internet: alert, ask once
» SMS, Email, Call: ask every time
» Many others: granted
» At installation the app declares permissions A, B, C (Android defines 100+ permissions) and the user accepts; at execution the app can only use A, B, C.

Permission Examples in Android
ACCESS_FINE_LOCATION: access GPS
BLUETOOTH: connect to Bluetooth device
CALL_PHONE: directly make phone calls
CAMERA: use camera
INTERNET: access to the Internet
READ_CONTACTS: read user's contacts data
WRITE_CONTACTS: write contacts data
READ_CALENDAR: read user's calendar data
READ_SMS: read SMS messages
SEND_SMS: send SMS messages

Android's Permission System: This is where the problem is. The app says "I need: INTERNET, Device ID" (the makings of wireless fraud); the user says "Accept!"
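An audit of the permissions an app asks for, added here as an example that is not part of the lecture: it reads the <uses-permission> entries of an AndroidManifest.xml (a constructed sample is embedded), maps the permissions from the slide above to the capability each grants, and flags pairings like the "INTERNET plus Device ID" app on this slide. READ_PHONE_STATE as the permission behind "Device ID", and the list of risky pairs, are my assumptions, not the lecture's.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Capabilities from the lecture's permission list
CAPABILITY = {
    "ACCESS_FINE_LOCATION": "access GPS", "BLUETOOTH": "connect to Bluetooth device",
    "CALL_PHONE": "directly make phone calls", "CAMERA": "use camera",
    "INTERNET": "access the Internet", "READ_CONTACTS": "read contacts",
    "WRITE_CONTACTS": "write contacts", "READ_CALENDAR": "read calendar",
    "READ_SMS": "read SMS messages", "SEND_SMS": "send SMS messages",
    # READ_PHONE_STATE is the permission behind "Device ID" (assumption)
    "READ_PHONE_STATE": "read device ID",
}
# Pairs worth a second look: a data or money source plus a way out (assumption)
RISKY_PAIRS = {
    ("READ_PHONE_STATE", "INTERNET"): "device ID can leave the phone (wireless fraud)",
    ("READ_CONTACTS", "INTERNET"): "contacts can be uploaded",
    ("READ_SMS", "INTERNET"): "SMS contents can be uploaded",
    ("SEND_SMS", "INTERNET"): "premium-rate SMS under remote control",
    ("CALL_PHONE", "INTERNET"): "expensive calls under remote control",
}

def requested_permissions(manifest_xml: str) -> list:
    """Short names of every <uses-permission android:name=...> in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = [el.get(ANDROID + "name", "") for el in root.iter("uses-permission")]
    return [n.rsplit(".", 1)[-1] for n in names]

def audit(manifest_xml: str) -> dict:
    perms = requested_permissions(manifest_xml)
    have = set(perms)
    return {
        "grants": {p: CAPABILITY.get(p, "unknown, look it up") for p in perms},
        "risky_pairs": [why for pair, why in RISKY_PAIRS.items() if have >= set(pair)],
    }

# Constructed manifest resembling the "I need: INTERNET, Device ID" app
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    for perm, what in report["grants"].items():
        print(f"{perm:20} -> {what}")
    for why in report["risky_pairs"]:
        print("WARNING:", why)
```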

Malware: Malicious Software
» Malware: malicious software
  > Information stealer (spyware)
  > Money stealer (e.g. makes phone calls)
  > Controls the phone (e.g. bot)
» How does malware attack?

How Malware Attacks Systems (diagram): privilege escalation (jailbreaking/rooting); malicious apps abusing the given privileges, stealing personal info, making expensive phone calls; malicious web sites; malicious PDF files. Suggestion: patch your system, read reviews, check the developer's reputation.

Example: Attacks Through Browser
» The user visits a malicious or infected website
» Code in the page exploits a vulnerability in WebKit, the engine of the browser (CVE-2010-1807)
» The attack then exploits a Skype vulnerability (CVE-2011-1717)
  > allows local users to read sensitive files including contacts, conversation transcripts, voicemail, and so on

Unapproved Apps, Apps with More Power: Jailbreaking and Rooting (diagram): jailbreak (escaping Apple's control) and rooting (escaping Google's control) give a custom OS with more control. They are legal, but they bring more security risks. Suggestion: don't do it if you don't have to.

A Typical Attack on Android (diagram): legitimate developer; Android Market or 3rd-party markets; malicious developer; victim. Cases: MYOURNET (21 apps), DroidDream (>58 apps). Suggestions: read reviews, check developers, check permissions, install a virus scanner.

Example: Fake Angry Birds Space
» Faked one available on various Android app marketplaces, not Google's market
» Trojan horse: Andr/KongFu-L
» Uses the GingerBreak exploit to gain root access
» Installs malicious code

WebView Attack on Web: A Design Flaw (diagram): a malicious 3rd-party app (not by FB) displays the Facebook web contents. Damage: delete friends, steal info in Facebook, post messages. Affects most systems: iOS, Android, Windows Phone. Suggestion: use 1st-party or trusted 3rd-party apps to access web accounts.

Data Protection

Recent Studies (March 2012)
» Americans lost $30B worth of smartphones.
» Only 50% of lost phones are returned.
» Nearly all who found the lost phones tried to access the information on the phone.
» 22% of the respondents lost their phones.
» 70% didn't use password protection.

Consequence of Device Loss (diagram): cloud services, email, Facebook, company WiFi, Amazon, online banking, data, other accounts. Locking the phone does not help much; remote wipe has limited power.

Data Encryption (iPhone 3GS, iPhone 4): password, PIN. Encryption is useless when the PIN is easily crackable: a 4-digit PIN = 14 bits, strong encryption: 128 bits. Suggestion: don't lose your phone.

Apple vs. Google
» Tight control: Apple
  > Control on iOS code
  > Code checking, accountability
  > Control on the app market
» Loose control: Google
  > Open source: public scrutiny, contribution by others
  > No code checking, no accountability
  > So far, Android has more malware than iOS

Summary of Suggestions
» Don't root/jailbreak if not necessary
» Be more careful when downloading Android apps
» Avoid 3rd-party Android markets
» Paid apps turned free: check the developers
» A PIN doesn't protect your data much

Questions?