Mobile Security Issues
Abhishek Dubey and Anmol Misra
The Android platform suffers from "traditional" security concerns, just like any other mobile OS. The issues discussed below are common to all mobile platforms, not just Android. Some of these issues also apply to traditional devices (laptops), whereas others are specific to mobile devices.
Many of us have, at some point, lost a cellular device. Before the advent of smartphones, it meant losing one's contact information. On a typical (Android) smartphone today, however, the following is true for most of us:
- E-mails saved on the mobile device
- Auto sign-in to Facebook, Twitter, YouTube, Flickr, and more
- Bank account information
- Location and GPS data
- Health data
Unless the device is encrypted, losing a phone also means a potential data disclosure. Plug the phone into a computer, and readily available tools (including forensic tools) will do the rest.
Android's latest version is 3.2. However, most devices in use today are running anything from Android 1.5 to Android 2.3, with 2.2 and 2.3 being the most popular releases. Furthermore, each manufacturer modifies the OS for its own devices and ships its own updates. Thus, it is difficult to apply patches in a timely manner, given the lack of uniformity in the OS versions in use. Compare this to the iPhone, where iOS 3 and iOS 4 are the only versions available today.
Removable external storage compounds the data security issue. SD cards are much easier to lose than a phone, and in most cases the data on them is not encrypted, giving whoever finds the card easy access to the user's data. SD cards also travel between multiple devices, which increases the risk of malicious software ending up on the device. Finally, removable storage is often more fragile, which can lead to data loss or corruption.
Although a very popular feature, touch-screen keyboards can give a security professional goose bumps. They provide a perfect opportunity for shoulder surfing if you access sensitive data on a train or in a coffee shop. Tablets are even worse, with full-size soft keyboards and each typed character echoed back to the user in plaintext for a few seconds. Smudges left on the screen may also aid an attacker.
One of the most popular applications on Android is Google Maps. Many other applications are also interactive and can use the user's location information. They can store this information in their caches, display ads based on it, or show us the nearest coffee shop. Bottom line: this data is available to any application that has the right permissions. Over a period of time, this data can reveal sensitive information about a user's habits, essentially acting as a GPS tracker running in the background.
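To make the "over a period of time" point concrete, here is an added example (not code from the article or its authors) that does what a location-hungry app or a forensic examiner could do with a cached fix history: bucket fixes into roughly 100 m grid cells, then pick the cell most visited at night (home) and the cell most visited in working hours (workplace), and list every cell seen on more than one day (the user's routine). The twelve fixes, the grid precision and the hour windows are constructed for the example.

```python
"""Added example: inferring a user's habits from cached GPS fixes.
The fixes below are constructed, not real data; cell size and hour
windows are assumptions chosen for illustration."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: (ISO timestamp, latitude, longitude), as an app might
# cache them. Three nights at one spot, weekday hours at a second spot, and
# a lunchtime visit to a third spot on both days.
SAMPLE_FIXES = [
    ("2011-09-05T07:30:00", 37.7810, -122.4120),
    ("2011-09-05T09:05:00", 37.7912, -122.3990),
    ("2011-09-05T12:30:00", 37.7936, -122.3956),
    ("2011-09-05T14:00:00", 37.7913, -122.3991),
    ("2011-09-05T19:00:00", 37.7809, -122.4121),
    ("2011-09-05T23:00:00", 37.7811, -122.4119),
    ("2011-09-06T02:00:00", 37.7810, -122.4120),
    ("2011-09-06T09:10:00", 37.7911, -122.3992),
    ("2011-09-06T12:35:00", 37.7937, -122.3957),
    ("2011-09-06T15:00:00", 37.7912, -122.3990),
    ("2011-09-06T20:00:00", 37.7810, -122.4120),
    ("2011-09-07T01:00:00", 37.7809, -122.4121),
]


def cell(lat, lon, precision=3):
    """Bucket a fix into a grid cell by rounding; three decimals is ~110 m
    of latitude, coarse enough to absorb GPS jitter between visits."""
    return (round(lat, precision), round(lon, precision))


def hour_of(ts):
    return datetime.fromisoformat(ts).hour


def infer_places(fixes, night=(22, 6), work=(9, 17)):
    """Most-visited cell during night hours (likely home) and during
    working hours (likely workplace). Hour windows are assumptions."""
    night_counts = Counter()
    work_counts = Counter()
    for ts, lat, lon in fixes:
        h = hour_of(ts)
        c = cell(lat, lon)
        if h >= night[0] or h < night[1]:      # window wraps midnight
            night_counts[c] += 1
        elif work[0] <= h < work[1]:
            work_counts[c] += 1
    home = night_counts.most_common(1)[0][0] if night_counts else None
    office = work_counts.most_common(1)[0][0] if work_counts else None
    return {"home": home, "work": office}


def recurring_cells(fixes, min_days=2):
    """Cells seen on at least min_days distinct days: a routine, not a
    one-off. Returns {cell: number_of_days}."""
    days = defaultdict(set)
    for ts, lat, lon in fixes:
        days[cell(lat, lon)].add(ts[:10])      # YYYY-MM-DD prefix
    return {c: len(d) for c, d in days.items() if len(d) >= min_days}


if __name__ == "__main__":
    print("inferred:", infer_places(SAMPLE_FIXES))
    print("routine cells:", recurring_cells(SAMPLE_FIXES))
```

The point for a reviewer of an app's permissions is that none of this needs anything beyond what the fix history already contains: a coarse grid and a clock are enough to turn "location for nearby coffee shops" into a home address, a workplace and a daily routine.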
Mobile applications are still vulnerable to the same attacks as traditional, full-fledged information technology (IT) applications. SQL Injection (SQLi), Cross-Site Request Forgery (XSRF), and Cross-Site Scripting (XSS) are not only possible on mobile platforms and applications but can lead to more serious attacks, given the nature of the data available on a mobile device. Weak Secure Sockets Layer (SSL) configuration or lack of encryption, phishing, authentication bypass, and session fixation are all issues likely to be present in mobile applications.
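SQLi on a phone usually means the app's own local SQLite database rather than a remote server. The following is an added example (not code from the article or its authors) using Python's standard `sqlite3` module as a stand-in for an Android app's local store: a lookup that builds its WHERE clause by string concatenation, the way an app calling `rawQuery` with a concatenated string does, beside the same lookup with a bound parameter. The `notes` table, its rows and the payload are constructed for the example.

```python
"""Added example: SQL injection against an app's local SQLite store.
The schema, rows and payload are constructed; python's sqlite3 stands in
for the app's database layer."""
import sqlite3


def make_db():
    """Constructed sample store: two users' private notes in one table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    db.executemany("INSERT INTO notes (owner, body) VALUES (?, ?)", [
        ("alice", "dentist on Tuesday"),
        ("alice", "bank PIN hint: mother's birthday"),
        ("bob", "bob's grocery list"),
    ])
    return db


def notes_vulnerable(db, owner):
    """Concatenates the caller's input into the statement, so the input
    becomes SQL. A quote in a legitimate name breaks the query; a crafted
    one rewrites it."""
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in db.execute(sql)]


def notes_safe(db, owner):
    """Bound parameter: the input is only ever a value, never SQL text."""
    rows = db.execute("SELECT body FROM notes WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


# Closes the quoted string and appends an always-true condition, so the
# WHERE clause matches every row regardless of owner.
PAYLOAD = "nobody' OR '1'='1"


def demo():
    """Run both lookups with a normal name and with the payload."""
    db = make_db()
    return {
        "vulnerable_bob": notes_vulnerable(db, "bob"),
        "vulnerable_payload": notes_vulnerable(db, PAYLOAD),
        "safe_bob": notes_safe(db, "bob"),
        "safe_payload": notes_safe(db, PAYLOAD),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

With the payload, the concatenated query returns every user's notes, while the parameterized one returns nothing because no owner is literally named `nobody' OR '1'='1`. On Android the same distinction is between a concatenated string passed to `rawQuery` and the `selectionArgs` array, which is the bound-parameter path; any input that can reach a query, whether typed by the user, received over an intent, or read from a file on the SD card, should go through the latter.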
Much of the underlying code used by cell phones for GSM or CDMA communication has changed little over the years. These device drivers were written without security practices in mind and thus are vulnerable to old-school attacks (e.g., buffer overflows). New devices continue to rely on this code; in fact, new code is being layered on top of the existing code.
Certain names and logos on this page and others may constitute trademarks, servicemarks, or tradenames of Taylor & Francis LLC. Copyright © 2008-2013 Taylor & Francis LLC. All rights reserved.