Exposing Security Risks for Commercial Mobile Devices

  • Conference paper
Computer Network Security (MMM-ACNS 2012)

Abstract

Recent advances in the hardware capabilities of mobile hand-held devices have fostered the development of open source operating systems and a wealth of applications for mobile phones and tablet devices. This new generation of smart devices, including iPhone and Google Android, is powerful enough to accomplish most of the user tasks that previously required a personal computer. Moreover, mobile devices have access to Personally Identifiable Information (PII) from a full suite of sensors such as GPS, camera, microphone and others.

In this paper, we discuss the security threats that stem from these new smart device capabilities and the online application markets for mobile devices. These threats include malware, data exfiltration, exploitation through USB, and user and data tracking. We present our ongoing research efforts to defend against or mitigate the impact of attacks against mobile devices. Our approaches involve analyzing the source code and binaries of mobile applications, kernel-level and data encryption, and controlling the communication mechanisms for synchronizing the user contents with computers and other phones, including updates or new versions of the operating system or applications over USB. We also explain the emerging challenges in dealing with these security issues when the end-goal is to deploy security-enhanced smart phones into military and tactical scenarios.

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Wang, Z., Johnson, R., Murmuria, R., Stavrou, A. (2012). Exposing Security Risks for Commercial Mobile Devices. In: Kotenko, I., Skormin, V. (eds) Computer Network Security. MMM-ACNS 2012. Lecture Notes in Computer Science, vol 7531. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33704-8_2

  • DOI: https://doi.org/10.1007/978-3-642-33704-8_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-33703-1

  • Online ISBN: 978-3-642-33704-8

  • eBook Packages: Computer Science (R0)