Mobile Security and Privacy
The protection of smartphones, tablets, other portable computing devices, and the networks they connect to, from threats and vulnerabilities associated with wireless computing
Mobile security and privacy research has drawn public attention since cellphones and cellular networks became prevalent. Notare et al. (1999) proposed a distributed security management system for telecommunications networks against cloned cellphones (phones with the same number and series as a genuine phone). Research in this area since then can be divided into two eras. The first era focuses on normal cellphones and voice services, covering topics such as cellphone authentication (Manabe et al., 2009), cellphone identification (Celiktutan et al., 2007), and cellphone cloning (Singh et al., 2007).
Since the debut of the iPhone in 2007 and, later, Android phones, research in mobile security and privacy has gradually shifted from cellphones to smartphones, which bring more diverse application scenarios centered on mobile apps and mobile networks. Potential threats to mobile devices may arise from social engineering, compromised devices, malware, web browser or OS vulnerabilities, vulnerable applications, and data interception. In particular, repackaging is a common type of attack on smartphone apps, in which an attacker modifies a legitimate app to include malicious code and publishes it on third-party app stores. Correspondingly, countermeasures have been developed to protect mobile security and privacy: for example, multifactor authentication schemes keep an attacker from easily guessing a password or succeeding with a brute-force attack, and detecting malware behaviors can play a significant role in reducing attack risks.
Unlike traditional computer systems, mobile devices are designed primarily for low power consumption and portability. Hence, five key aspects of the device- and application-level security features of mobile platforms distinguish mobile security from conventional computer security (La Polla et al., 2013): mobility, strong personalization, strong connectivity, technology convergence, and reduced capabilities.
The mobile web is the most used platform other than the mobile operating system (OS) platform. As with traditional web services on personal computers, mobile web applications that employ lightweight pages suffer from security threats such as phishing scams, drive-by downloads, browser exploits, cross-site scripting (XSS), and SQL injection. In addition, cyberattacks can exploit vulnerabilities in software reached via the mobile web browser, such as a PDF reader or image viewer, to compromise mobile devices (Coursen, 2007).
Mobile devices can provide Internet connectivity and device-to-device communication at any time and in any place thanks to wireless network technologies, including Wi-Fi, cellular networks, Bluetooth, and near-field communication (NFC). Though these wireless networks are convenient for users, using them in a public setting carries potential risks. For example, Wi-Fi sniffing happens frequently on free Wi-Fi networks in airports, malls, and other public places when the mobile device connects to a malicious wireless access point (Beyah and Venkataraman, 2011), exposing the device’s data, including account and personal information, to attackers (Sujithra and Padmavathi, 2012). Mobile networks may also suffer from overbilling attacks, in which additional fees, such as fees for data traffic a user never used, are charged to the victim’s account and transferred to the attacker’s wallet.
As of the first quarter of 2018, more than 7 million mobile apps were on the market: Android users could choose among 3.8 million apps, and Apple users could choose among 2 million apps available in the Apple App Store (Statista, 2018). Among this huge number of mobile apps, there are many individually developed third-party apps with malicious intent. Once those malicious apps, which may contain a virus, Trojan, or botnet, are installed and gain access to the mobile device, they can cause serious security breaches and incidents. As reported in Bradley (2011), more than 50 apps in the official Google Play Store were found to be infected by an Android malware called DroidDream, which can stealthily gain root access to the device and download additional malicious programs without the user’s knowledge or permission. As an example of smart malware, a multifarious malware for iOS devices called iSAM (Damopoulos et al., 2011) has recently been designed; it integrates several typical malicious features, such as stealthily collecting confidential data, denying application and network services, and sending a large number of malicious SMS messages.
Most contemporary mobile devices use a PIN, a graphical pattern, or biometrics-based authentication such as a fingerprint scan or face recognition. Those authentication methods are either vulnerable to malicious hacking, or their credentials are easily disclosed to others intentionally or voluntarily. PINs and patterns can suffer from the smudge attack (Aviv et al., 2010), in which the password is inferred from the smudges that fingertips leave on the screen surface. Brute-force attacks are another threat to PIN-based passwords. Though biometrics-based authentication is superior because of the uniqueness of individuals, biometric credentials are easy to duplicate or counterfeit, as anyone can obtain a fingerprint from a cup that its owner has held. Even worse, an attacker can obtain such biometric information from a distance. The Chaos Computer Club announced that one of its members had been able to replicate the fingerprint of German Minister of Defense Ursula von der Leyen using only photographs taken of her finger (CCC, 2014).
Goal of Attacks
Denial of service
Because they are designed to be portable and small, mobile devices usually have limited hardware and battery capacity, which restricts their computing, transmission, and power supply. Denial of service (DoS) attacks therefore tend to target these limitations to disable a service, reduce the device’s capability, or even make the whole device unusable, using techniques such as broadcasting a highly malicious traffic stream, sending huge messages, or increasing power consumption. The battery power exhaustion attack is one such DoS attack: it drains the battery faster than usual to force the device to shut down. By exploiting vulnerabilities in wireless network protocols, the device’s power can be made to run out up to 22 times faster than under normal conditions (Racic et al., 2006). The water torture attack (Johnston and Walker, 2004) is another example of a battery exhaustion attack, carried out at the physical (PHY) layer, that forces the device to send bogus frames. In addition, low-end mobile devices can be forced to shut down by receiving a huge number of SMS messages.
Many mobile apps collect user data, such as the address book or location information, without users’ permission. A social media app was found to download users’ full address books, including names, phone numbers, and email addresses, without users’ knowledge or consent when the “find friends” feature was enabled. It has also been reported that mobile apps on the iPhone and iPad send personal information to advertising networks without user consent (Whitney, 2010). Another privacy leak of great concern is location-related information. With social network apps becoming prevalent in daily life, location-specific content has become more accessible and more personalized to users’ own context. A location tracking attack is an attacker’s attempt to reveal the mobile device’s location over time by examining its communications or hacking GPS information. Furthermore, if business information is stored on the device, such invasions not only hurt the user’s privacy but also increase the likelihood of a compromise of enterprise security.
Sniffing sensor information
Compared to traditional cellphones, which are mainly used for communication, the modern smartphone is a sensor-rich device that provides extended functions through multiple sensors, e.g., camera, microphone, GPS, inertial motion unit (IMU), compass, and step recorder. Once an attacker can access those sensors without authorization, all of the user’s actions can be sniffed and recorded. Stealthy video capture spyware can secretly start the built-in camera to record private video while consuming so little power that it does not draw the user’s attention (Xu et al., 2009). Another example of a compromised sensor is the microphone: Soundcomber (Schlegel et al., 2011) managed to extract private data, such as the touch sounds of a PIN or phone number, from the microphone.
Secure Protection Guidelines
One-time validation of a user’s identity, referred to as static authentication, has shown its vulnerability to attacks. Specifically, malicious adversaries may access the mobile device that has been logged in by an authentic user when the authentic user is not nearby. Continuous authentication represents a new security mechanism which continuously monitors the user’s trait and uses it as a basis to reauthenticate periodically throughout the login session. Hence, it has been adopted to overcome the limitations of traditional static authentication. These continuously monitored traits include typing habit and hand morphology (Feng et al., 2013), graphic touch gesture feature (Zhao et al., 2013), and cardiac motion and geometric information (Lin et al., 2017). Multifactor authentication is another alternative approach to enhance the security of the single trait authentication, which offers multifactor protections in case one credential has been compromised. For example, a set of behavioral biometrics of micro-movements and orientation patterns during hand movement, orientation, and grasp has been proposed for mobile authentication (Sitová et al., 2016). Controls such as one-time passwords, grid-based authentication, and digital-certificate-based authentication schemes can also help augment existing security solutions.
To protect mobile devices, it is essential to detect mobile malware and illegal activities, using anomaly-, misuse-, or specification-based detection systems. There are two basic kinds of detection techniques: static analysis and dynamic analysis. In static analysis, malicious code is detected by unpacking and decompiling the application. DroidMOSS, developed by Zhou et al. (2012), generates a fingerprint for an application and performs a similarity test between two “same” apps to make sure the application has not been tampered with or repackaged with malware, thereby avoiding application-based threats on mobile devices. Dynamic analysis, by contrast, identifies malicious behaviors by running the application on an emulator or a device. For example, monitoring power consumption is an easy way to detect whether malware is present on a smartphone. Since detection and analysis tasks make heavy use of a mobile device’s resources, some of these tasks can be moved to the cloud for processing in the future.
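The fingerprint-and-compare idea behind repackaging detection, as an added example that is not DroidMOSS code and not from the original entry: each app's opcode stream is cut into pieces, each piece is hashed, and an app is flagged when its fingerprint is close to a reference app's but its signer differs. The piece boundaries (return opcodes), the 0.7 threshold, the signer comparison and all sample data are assumptions of this sketch.

```python
import hashlib
from difflib import SequenceMatcher

RETURNS = {"return", "return-void", "return-object"}  # piece boundaries (assumption)

def fingerprint(opcodes):
    """Cut the opcode stream after every return opcode and hash each piece."""
    pieces, current = [], []
    for op in opcodes:
        current.append(op)
        if op in RETURNS:
            pieces.append(current)
            current = []
    if current:
        pieces.append(current)
    return [hashlib.sha256(" ".join(p).encode()).hexdigest()[:8] for p in pieces]

def similarity(fp_a, fp_b):
    """Fraction of pieces the two fingerprints share in order, 0.0 to 1.0."""
    return SequenceMatcher(None, fp_a, fp_b, autojunk=False).ratio()

def is_repackaging_candidate(app, reference, threshold=0.7):
    """Near-identical code that is signed by someone other than the reference signer."""
    score = similarity(fingerprint(app["code"]), fingerprint(reference["code"]))
    return score >= threshold and app["signer"] != reference["signer"]

# Constructed sample data: opcode names stand in for a decompiled app, one method per line.
BASE = """const/4 invoke-virtual return-void
iget-object invoke-static move-result return
new-instance invoke-direct iput-object return-void
const-string invoke-virtual move-result-object return-object
iget if-eqz invoke-virtual return-void
aget add-int aput return-void
sget-object invoke-interface move-result return
check-cast invoke-virtual goto return-void""".splitlines()
HOOKED = ["invoke-static " + BASE[0]] + BASE[1:]  # one existing method altered
PAYLOAD = "const-string invoke-static new-instance invoke-direct return-void"

def app(signer, methods):
    return {"signer": signer, "code": " ".join(methods).split()}

ORIGINAL = app("signer-A (constructed)", BASE)
REPACKAGED = app("signer-B (constructed)", HOOKED + [PAYLOAD])  # altered + added method
UPDATE = app("signer-A (constructed)", HOOKED + [PAYLOAD])      # same change, same signer
UNRELATED = app("signer-C (constructed)", ["move invoke-super return-void", "const mul-int return"])

if __name__ == "__main__":
    for name, a in [("repackaged", REPACKAGED), ("update", UPDATE), ("unrelated", UNRELATED)]:
        s = similarity(fingerprint(a["code"]), fingerprint(ORIGINAL["code"]))
        print(f"{name}: similarity={s:.2f} flag={is_repackaging_candidate(a, ORIGINAL)}")
```

The same code change under the original signer is treated as an update, which is why the signer comparison matters as much as the similarity score.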
Application development guidelines
Awareness of secure programming guidelines is vital to secure application development because it prevents common programming errors. Useful guidelines include performing secure logging and error handling; following the principle of least privilege; validating input data; implementing secure data storage; and avoiding insecure mobile OS features (Jain and Shanbhag, 2012).
Hardware-associated protection implements a trusted execution environment: a hardware-enforced, isolated execution environment for security-critical code, which provides a protective mechanism for storing and processing sensitive data (Zhang et al., 2016). Techniques such as secure and authenticated boot (Ekberg et al., 2013) are employed to maintain a root of trust on the device. The most popular approach for mobiles is TrustOTP (trust one-time passwords) (Sun et al., 2015), which builds upon ARM’s TrustZone technology (Brasser et al., 2016). Because it is a hardware-based protection, TrustOTP can prevent attacks mounted from within the mobile OS and works even when the mobile OS crashes.
- Aviv AJ, Gibson KL, Mossop E, Blaze M, Smith JM (2010) Smudge attacks on smartphone touch screens. Woot 10:1–7
- Bradley T (2011) Droiddream becomes android market nightmare. PCWorld
- Brasser F, Kim D, Liebchen C, Ganapathy V, Iftode L, Sadeghi AR (2016) Regulating arm trustzone devices in restricted spaces. In: Proceedings of the 14th annual international conference on mobile systems, applications, and services. ACM, pp 413–425
- CCC (2014) Fingerprint biometrics hacked again. http://www.ccc.de/en/updates/2014/ursel. Accessed 13 May 2017
- Celiktutan O, Avcibas I, Sankur B (2007) Blind identification of cellular phone cameras. In: Security, steganography, and watermarking of multimedia contents IX, international society for optics and photonics, vol 6505, p 65051H
- Damopoulos D, Kambourakis G, Gritzalis S (2011) iSAM: an iPhone stealth airborne malware. In: IFIP international information security conference. Springer, pp 17–28
- Ekberg JE, Kostiainen K, Asokan N (2013) Trusted execution environments on mobile devices. In: Proceedings of the 2013 ACM SIGSAC conference on computer & communications security. ACM, pp 1497–1498
- Feng T, Zhao X, Carbunar B, Shi W (2013) Continuous mobile authentication using virtual key typing biometrics. In: 2013 12th IEEE international conference on trust, security and privacy in computing and communications (TrustCom). IEEE, pp 1547–1552
- Lin F, Song C, Zhuang Y, Xu W, Li C, Ren K (2017) Cardiac scan: a non-contact and continuous heart-based user authentication system. In: Proceedings of the 23rd annual international conference on mobile computing and networking (MobiCom 17), Snowbird, pp 315–328
- Manabe H, Yamakawa Y, Sasamoto T, Sasaki R (2009) Security evaluation of biometrics authentications for cellular phones. In: Fifth international conference on intelligent information hiding and multimedia signal processing, 2009 (IIH-MSP’09). IEEE, pp 34–39
- Notare MA, da Silva Cruz FA, Riso BG, Westphall CB (1999) Wireless communications: security management against cloned cellular phones. In: Wireless communications and networking conference, 1999 (WCNC 1999), vol 3. IEEE, pp 1412–1416
- Racic R, Ma D, Chen H (2006) Exploiting mms vulnerabilities to stealthily exhaust mobile phone’s battery. In: SecureComm, vol 6. Citeseer, pp 1–10
- Schlegel R, Zhang K, Zhou Xy, Intwala M, Kapadia A, Wang X (2011) Soundcomber: a stealthy and context-aware sound trojan for smartphones. In: NDSS, vol 11, pp 17–33
- Statista (2018) Number of apps available in leading app stores as of 1st quarter 2018. https://www.statista.com/statistics/276623/number-of-apps-available-in-leading-app-stores/
- Sujithra M, Padmavathi G (2012) Mobile device security: a survey on mobile device threats, vulnerabilities and their defensive mechanism. Int J Comput Appl 56(14):24–29
- Sun H, Sun K, Wang Y, Jing J (2015) Trustotp: transforming smartphones into secure one-time password tokens. In: Proceedings of the 22nd ACM SIGSAC conference on computer and communications security. ACM, pp 976–988
- Whitney L (2010) Apple sued over privacy in iPhone, iPad apps. https://www.cnet.com/news/apple-sued-over-privacy-in-iphone-ipad-apps/
- Xu N, Zhang F, Luo Y, Jia W, Xuan D, Teng J (2009) Stealthy video capturer: a new video-based spyware in 3G smartphones. In: Proceedings of the second ACM conference on wireless network security. ACM, pp 69–78
- Zhao X, Feng T, Shi W (2013) Continuous mobile authentication using a novel graphic touch gesture feature. In: 2013 IEEE sixth international conference on biometrics: theory, applications and systems (BTAS). IEEE, pp 1–6
- Zhou W, Zhou Y, Jiang X, Ning P (2012) Detecting repackaged smartphone applications in third-party android marketplaces. In: Proceedings of the second ACM conference on data and application security and privacy. ACM, pp 317–326