Contact John Wyzalek, editor of IT Performance Improvement.

 

Evolution of Mobile Threats

Abhishek Dubey and Anmol Misra

As mobile devices have evolved from basic phones to smartphones, threats to them have evolved in parallel. Smartphones present a larger attack surface than the basic phones of the past. In addition, the usage patterns of mobile devices have changed. Basic phones were used primarily for text messaging and phone calls. Today smartphones are used for everything one can imagine using a computer for—performing routine banking transactions, logging onto Facebook, getting directions, maintaining health and exercise records, and so forth.

For a long time, Nokia's Symbian OS was the primary target of attackers due to its penetration in the mobile market. As the market share of Symbian continues to decline and there is a corresponding increase in the share of Android devices and iPhones, attackers are targeting these platforms today.

Symbian is still the leading platform for phones outside the United States and will be a target of attackers in the foreseeable future. However, Android and iPhone attacks are increasing in number and sophistication. This reflects the fact that bad guys will always go after the most popular platform. As Android continues to gain in popularity, threats against it will continue to rise.

Looking at the threat landscape for Android devices, it is clear that attacks against Android users and applications have increased quite a bit over the last couple of years. As Android adoption picks up, so does the focus of attackers to target the platform and its users. Android malware has seen an upward trend, as well.

This trend is not limited to Android devices. Mobile phones have grown in functionality and, with it, in attack surface. The kind of data we keep on a typical smartphone and the things we do with our phones today are vastly different from just a few years ago.

Attacks on basic phones targeted Short Message Service (SMS), phone numbers, and the limited data available on those devices. An example of such an attack is the abuse of premium SMS services: attackers send text messages to premium-rate numbers or make calls to these numbers. An attack on an Android or other smartphone is different and more sophisticated—for example, a malicious application accessing a user's sensitive information (personal data, banking information, chat logs) and sending it to an attacker. Smartphones are susceptible to a plethora of application-based attacks targeting sensitive information.

The following is a sample data set on a typical smartphone:

  1. Corporate and personal e-mails
  2. Contacts (along with their e-mail and personal addresses)
  3. Banking information
  4. Instant messaging logs
  5. Pictures
  6. Videos
  7. Credit card information
  8. Location and GPS data
  9. Health information
  10. Calendar and schedule information

Attacks on a smartphone running the Android platform could result in leakage of the above data set. Other possible attacks that are more devastating include social engineering, phishing, spoofing, spyware, and malware—for example, a mobile application subscribing a user to a premium service. The user would then incur data and usage charges in addition to subscription fees. Smartphone browsers are miniature versions of their desktop counterparts. Therefore, encryption functionality in a smartphone OS and browser can be limited and slower to respond than on a PC—certificate revocation in mobile browsers, for example.

Until now, we have focused on attacks on applications and on the protocols used for communication on the Web. Another class of attacks targets the cellular technology itself. GSM and CDMA are the most widely used communication standards; carriers use one or the other to provide cellular service (i.e., calls, SMS). As the adoption of cellular devices increases, these standards have come under increasing scrutiny from researchers and attack from malicious users.

GSM is used on the majority of cellular phones in the world (200+ countries, 4 billion+ users). GSM uses the A5/1 cipher to provide over-the-air communication privacy (i.e., to encrypt SMS and telephone conversations). Although the algorithm was initially kept secret, it was reverse engineered, and some details became public knowledge through leaks. In the early 1990s, A5/1 was shown to be breakable in academic research papers. By 2009, researcher Karsten Nohl had demonstrated an attack that could allow someone to determine the encryption key used to protect SMS and telephone conversations. Even more interesting was the fact that this could be accomplished with relatively inexpensive equipment. A5/1 uses a 64-bit key and can be attacked using hardware available today: given two encrypted messages with known plaintext, the secret key can be found in a precomputed table. Given the increasing use of cellular devices for Radio Frequency Identification (RFID)/Near Field Communication (NFC), this can result in the compromise not only of SMS and voice communications but also of data (e.g., credit card payments).
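To make the 64-bit key and the known-plaintext point concrete, here is an added Python implementation of the A5/1 keystream generator (written for this page, not taken from the book or its authors); the key, frame number and plaintext it uses are constructed sample values. It shows why known plaintext matters: XORing an intercepted ciphertext with its known plaintext hands back the keystream, which is the starting point for the precomputed-table lookup of the 64-bit internal state that the text describes.

```python
# (length, feedback taps, clocking-control bit) for the three LFSRs of A5/1
_R1 = (19, (13, 16, 17, 18), 8)
_R2 = (22, (20, 21), 10)
_R3 = (23, (7, 20, 21, 22), 10)
_SPECS = (_R1, _R2, _R3)

def _clock(reg, spec, in_bit=0):
    """Shift one register left; the new low bit is feedback XOR in_bit."""
    length, taps, _ = spec
    fb = in_bit
    for t in taps:
        fb ^= (reg >> t) & 1
    return ((reg << 1) | fb) & ((1 << length) - 1)

def _majority_clock(regs):
    """Stop/go clocking: a register moves only if its control bit matches the majority."""
    bits = [(r >> s[2]) & 1 for r, s in zip(regs, _SPECS)]
    maj = 1 if sum(bits) >= 2 else 0
    return [_clock(r, s) if b == maj else r for r, s, b in zip(regs, _SPECS, bits)]

def a5_1_keystream(key, frame, nbits=228):
    """Return nbits of A5/1 keystream for a 64-bit key and 22-bit frame counter."""
    if not 0 <= key < (1 << 64) or not 0 <= frame < (1 << 22):
        raise ValueError("key must be 64 bits and frame 22 bits")
    regs = [0, 0, 0]
    # Key, then frame number, are mixed in least-significant bit first with all
    # three registers clocked every step; then 100 majority-clocked warm-up steps.
    for i in range(64):
        regs = [_clock(r, s, (key >> i) & 1) for r, s in zip(regs, _SPECS)]
    for i in range(22):
        regs = [_clock(r, s, (frame >> i) & 1) for r, s in zip(regs, _SPECS)]
    for _ in range(100):
        regs = _majority_clock(regs)
    out = []
    for _ in range(nbits):
        regs = _majority_clock(regs)
        # Output bit is the XOR of the top bit of each register.
        out.append((regs[0] >> 18) ^ (regs[1] >> 21) ^ (regs[2] >> 22))
    return out

def xor_bits(a, b):
    """XOR two equal-length bit lists: encrypts, decrypts, or recovers keystream."""
    return [x ^ y for x, y in zip(a, b)]

if __name__ == "__main__":
    ks = a5_1_keystream(0x0123456789ABCDEF, 0x134, 114)   # constructed key/frame
    pt = [1, 0, 1, 1, 0, 0, 1, 0] * 14 + [1, 0]            # constructed known plaintext
    ct = xor_bits(pt, ks)
    print(xor_bits(ct, pt) == ks)   # True: ciphertext XOR known plaintext = keystream
```

The full 228-bit output covers one burst in each direction (114 bits downlink, 114 bits uplink); the frame counter changes every burst, so the same key yields a different keystream per frame.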

Many users are not aware of the risks and threats to their mobile devices, which are similar to those facing a PC. Although the majority of users run some kind of protection on their desktops or laptops (e.g., antivirus software), they are oblivious to the need to protect their mobile devices. Most users are not technically savvy enough to understand the implications of performing certain actions on their cellular devices; jail-breaking or rooting is an example. Users also place their trust in the applications they install from an application repository, whether it be the App Store (iPhone) or the Android Market. Malware applications have been found on the Android Market disguised as popular applications. For a typical user, a $0.99 application download is becoming routine, and for a user who regularly downloads and installs applications, the security or behavior of any one application might go unnoticed.

Increasingly, workers are bringing their own devices to work and shunning company-sponsored devices. The use of Android devices and iPhones continues to rise in the business environment. However, corporate policies have not kept up with users: they still focus on securing "full-fledged" PCs more than mobile devices. This exposes the corporate environment to attacks that leverage mobile devices and their users. In fact, in many cases it may be easier to compromise mobile devices than their desktop counterparts, where corporate dollars are still being spent. Threats that have yet to materialize, and that researchers and business enterprises do not yet treat as threats, are those from state-sponsored entities such as government intelligence agencies. One can imagine the attacks possible in cyber-warfare, such as the spreading of mobile malware that could clog the communication medium.

Read more IT Performance Improvement

This article is an excerpt from:

Explaining the Android security model and architecture, the book describes Android permissions, including Manifest permissions, to help readers analyze applications and understand permission requirements. It also rates the Android permissions based on security implications and covers JEB Decompiler.

The authors describe how to write Android bots in Java and how to use reversing tools to decompile any Android application. They also cover the Android file system, including important directories and files, so readers can perform basic forensic analysis on the file system and SD cards. The book includes access to a wealth of resources on its website: www.androidinsecurity.com. It explains how to crack the SecureApp.apk discussed in the text and also makes the application available on its site.

About the Authors

Abhishek Dubey has a wide variety of experience in information security, including reverse engineering, malware analysis, and vulnerability detection. He is currently working as a Lead/Senior Engineer of the Security Services and Cloud Operations team at Cisco. Prior to joining Cisco, Abhishek was Senior Researcher in the Advanced Threat Research Group at Webroot Software.

Anmol Misra is currently Program Manager of the Critical Business Security External (CBSE) team at Cisco. The CBSE team is part of the Information Security Team (InfoSec) at Cisco and is responsible for the security of Cisco's Cloud Hosted Services. Prior to joining Cisco, Anmol was a Senior Consultant with Ernst & Young LLP. In his role, he advised Fortune 500 clients on defining and improving Information Security programs and practices. He helped large corporations to reduce IT security risk and achieve regulatory compliance by improving their security posture.