
Mobile Security Issues

Abhishek Dubey and Anmol Misra

The Android platform suffers from "traditional" security concerns, just like any other mobile OS. The issues discussed below are common to all mobile platforms, not just Android. Some of these issues are also found on traditional devices (laptops), whereas some are specific to mobile devices.

Device

Many of us have, at some point, lost a cellular device. Before the advent of smartphones, it meant losing one's contact information. On a typical (Android) smartphone today, however, the following is true for most of us:

  • E-mails saved on the mobile device
  • Auto sign-in to Facebook, Twitter, YouTube, Flickr, and more
  • Bank account information
  • Location and GPS data
  • Health data

Unless the device is encrypted, the loss of a cell phone implies a potential data disclosure risk as well. Plug a cellphone into a computer, and various tools (including forensic tools) will do the rest.

Patching

Android's latest version is 3.2. However, most devices in use today are running anything from Android 1.5 to Android 2.3, with 2.2 and 2.3 being the most popular releases. Furthermore, these devices are updated/modified by the respective manufacturers. Thus, it is difficult to apply patches in a timely manner given the lack of uniformity of the OS in use. Compare this to the iPhone, where iOS 3 and iOS 4 are the only versions available today.

External Storage

Removable external storage compounds the data security issue. It is much easier to lose SD cards than to lose a cell phone. In most cases, data is not encrypted, thus giving very easy access to the user's data. SD cards also travel through multiple devices, thus increasing the risk of malicious software ending up on the device. Finally, removable storage is often more fragile, which can lead to data loss/corruption.

Keyboards

Although a very popular feature, touch screen keyboards can give goose bumps to a security professional. They provide a perfect opportunity for shoulder surfing if you are accessing sensitive data on a train or in a coffee shop. Tablets are even worse culprits, with full-size soft keyboards and letters being reflected back to the user in plaintext for a few seconds. Smudges on the screen may also aid an attacker.

Data Privacy

One of the most popular applications on Android is Google Maps. Many other applications are also interactive and can use the user's location information. They can store this information in their cache, display ads based on this data, or show the nearest coffee shop. Bottom line: This data is available to any application that has the right permissions. Over a period of time, this data can reveal sensitive information about a user's habits, essentially acting as a GPS tracker in the background.

Application Security

Mobile applications are still vulnerable to the same attacks as traditional, full-fledged information technology (IT) applications. SQL Injection (SQLi), Cross-Site Request Forgery (XSRF), and Cross-Site Scripting (XSS) are not only possible on mobile platforms and applications but can lead to more serious attacks, given the nature of the data available on a mobile device. Weak Secure Sockets Layer (SSL) or lack of encryption, phishing, authentication bypass, and session fixation are all issues likely to be present in mobile applications.
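As an added illustration of the SQL injection point above (example code, not from the book or its authors), here is how the same defect appears in an Android app's local SQLite store, with the parameterised forms that avoid it. The notes table, its columns and the NoteStore class are assumed for the example.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;

// Added example (not from the book excerpt). The "notes" table with
// columns id, body and owner is assumed.
public class NoteStore {
    private final SQLiteDatabase db;

    public NoteStore(SQLiteDatabase db) {
        this.db = db;
    }

    // VULNERABLE: user-controlled text is pasted into the SQL statement.
    // An input containing a single quote changes the query's structure, so
    // a filter meant to return only the caller's own notes can return
    // other users' rows or make the statement fail. This is the same SQLi
    // class the text describes for traditional IT applications.
    public Cursor findNotesUnsafe(String owner) {
        String sql = "SELECT id, body FROM notes WHERE owner = '" + owner + "'";
        return db.rawQuery(sql, null);
    }

    // SAFE: the value is passed as a bound parameter via selectionArgs.
    // SQLite binds it as data and never parses it as SQL, whatever
    // characters it contains.
    public Cursor findNotesSafe(String owner) {
        return db.rawQuery("SELECT id, body FROM notes WHERE owner = ?",
                           new String[] { owner });
    }

    // The same rule applies to the query() helper: the selection string is
    // SQL text (keep it constant), selectionArgs carries the user values.
    public Cursor findNotesSafeQuery(String owner) {
        return db.query("notes",
                        new String[] { "id", "body" },
                        "owner = ?",
                        new String[] { owner },
                        null,       // groupBy
                        null,       // having
                        "id ASC");  // orderBy
    }
}
```

Reviewing an app for this issue means looking for string concatenation feeding rawQuery(), execSQL() or the selection argument of query(); any user or intent-supplied value belongs in selectionArgs instead.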

Legacy Code

Much of the underlying code used by cell phones for GSM or CDMA communication has not changed much over the years. These device drivers were written without security practices in mind and thus are vulnerable to old-school attacks (e.g., buffer overflows). New devices continue to rely on this code. In fact, new code is being added on top of the existing code.


This article is an excerpt from:

Explaining the Android security model and architecture, the book describes Android permissions, including Manifest permissions, to help readers analyze applications and understand permission requirements. It also rates the Android permissions based on security implications and covers JEB Decompiler.

The authors describe how to write Android bots in Java and how to use reversing tools to decompile any Android application. They also cover the Android file system, including important directories and files, so readers can perform basic forensic analysis on the file system and SD cards. The book includes access to a wealth of resources on its website: www.androidinsecurity.com. It explains how to crack SecureApp.apk discussed in the text and also makes the application available on its site.

About the Authors

Abhishek Dubey has a wide variety of experience in information security, including reverse engineering, malware analysis, and vulnerability detection. He is currently working as a Lead/Senior Engineer of the Security Services and Cloud Operations team at Cisco. Prior to joining Cisco, Abhishek was Senior Researcher in the Advanced Threat Research Group at Webroot Software.

Anmol Misra is currently Program Manager of the Critical Business Security External (CBSE) team at Cisco. The CBSE team is part of the Information Security Team (InfoSec) at Cisco and is responsible for the security of Cisco's Cloud Hosted Services. Prior to joining Cisco, Anmol was a Senior Consultant with Ernst & Young LLP. In his role, he advised Fortune 500 clients on defining and improving Information Security programs and practices. He helped large corporations to reduce IT security risk and achieve regulatory compliance by improving their security posture.