Mobile OS Security - PowerPoint PPT Presentation

1 / 15
About This Presentation
Title:

Mobile OS Security

Description:

Eminent Threats. Web based and network based attacks: The mobile device is connected to the internet, browsing websites with malicious content. Malware: – PowerPoint PPT presentation

Number of Views:150
Avg rating:3.0/5.0
Slides: 16
Provided by: utcEduFa
Learn more at: https://www.utc.edu
Category:
Tags: apps | mobile | security

less

Transcript and Presenter's Notes

Title: Mobile OS Security


1
Mobile OS Security
Vivek-Vijayan University of Tennessee at
Chattanooga
2
Eminent Threats
  • Web based and network based attacks The mobile
    device is connected to the internet, browsing
    websites with malicious content.
  • Malware traditional viruses, worms and trojan
    horses.
  • Social engineering attacks phishing. Also used
    to install malware.
  • Resource and service availability abuse botnet,
    spamming, overcharging (SMS and calls).
  • Attacks on the integrity of the devices data
    malicious encryption with ransom, modification of
    data such as address book.

3
Five Pillars
  • Traditional Access Control
  • Application Provenance
  • Encryption
  • Isolation
  • Permissions-based access control

4
  • Traditional Access Control This mechanism seeks
    to protect devices using techniques such as
    passwords and idle-time screen locking.
  • Application Provenance is an approach where each
    application is stamped with the identity of its
    author and made tamper resistant (eg digital
    signature). Thus enabling a user to decide to use
    or not to use the application based on the
    identity of the author.
  • Encryption is a approach to conceal data on the
    device to address device loss or theft.
  • Isolation limits applications ability to access
    sensitive data or systems on a device.
  • Permission-based access control grants set of
    permissions to each application, limiting each
    application to access device data/systems within
    the scope of the permission. Blocks the
    application if it attempts to perform actions
    exceeding the permissions given.

5
Traditional Access Control
  • Apple iOS
  • I OS provides traditional access control security
    options, which include password configuration
    options such as account lockout options.
  • Example The strength of the passcode can be
    chosen by the administrator and the
    administrator can also specify how frequently
    the user can update the passcodes, and the
    maximum number of failed login attempts before
    the device wipes itself.
  • Android
  • Android provides password configuration options,
    which include specifying the strength of the
    device passcode, phones lockout time span,
    failed login attempts before device wipes data,
    indication of password expiration, enabling
    administrators to compel users to update their
    passwords on a regular basis .

6
Effectiveness
  • Apples iOS
  • The access control feature of the iOS provides a
    reasonable level of security for the devices data
    in the event of loss or theft.
  • The iOS is in par with traditional windows based
    desktops in this scenario.
  • Android
  • The password policy system is sufficient to
    protect devices against casual attacks.
  • The previous versions of Android do not encrypt
    data stored on removable SD memory card, thus
    allowing the attacker to eject the SD memory
    card, and obtain the data by bypassing all
    password controls.

7
Application Provenance
  • Apple iOS
  • Before releasing the software to iPhone, iPod,
    and iPad users. The developer goes through a
    registration process with apple and pay an annual
    licensing fee. The developers then digitally
    sign each app with an apple-issued digital
    certificate before its release. This signing
    process of the developer into the app proves that
    the app author is an apple-approved developer and
    the apps logic cannot be tampered with after its
    creation by the developer.
  • Through App Store
  • The developer submits the app for a cerifitcation
    by apple approval process takes one or two
    weeks and then the app is deployed into the app
    store.
  • If the app is found malicious or any violation of
    license agreement occurs, the app is removed from
    the appstore, but no automated mechanism has been
    implemented to remove the app from the devices
    (iphone/ipad) after it has been installed.

8
  • Android
  • Google undermines both the goals of ensuring that
    the apps logic is not tampered with and to allow
    the user of the app to determine the identity of
    the apps author.
  • Android OS only installs and runs apps that have
    been properly signed with a digital cerificate.
    Unlike apple software developers need not apply
    to google to obtain a code-signing certificate,
    thus the developer can generate their own signing
    certificates.
  • This results in an malware author generating
    anonymous digital certificate, and no certificate
    or malware signed with google that can be tracked
    back to the author.
  • Through googles android market
  • For developers to sell their apps on android
    marketplace, a 25 fee is charged via credit
    card, thus allowing google to associate the payee
    with the digital ceritificate, which may reduce
    the chances of distribution of malicious apps (if
    the developer uses his own credit card).

9
Effectiveness
  • Apple iOS
  • Apples approach is effective as
  • - The developer must register and pay to
    obtain a signing certificate from apple,
    which makes it more easy to identify if any
    malicious activities are performed.
  • - Each and every application is
    tested before submission to the app- store.
  • - Apples code signing model prevents
    tampering with published apps.
  • Android
  • Since no single authority evaluates or verifies
    all Android apps, attackers are more likely to
    release attacks without worrying of getting
    caught.

10
Encryption
  • Apple iOS
  • The iOS uses a hardware accelerated AES-256
    encryption to encrypt all data stored in the
    flash memory of the device.
  • The iOS protects specific additional data items,
    such as email using an additional layer of
    encryption.
  • Within 10 seconds of the device locking, the
    decryption keys for files in device are
    discarded.
  • Android
  • Android recently began offering built in
    encryption in 3.0, earlier versions of android
    contain no encryption capability, instead to rely
    on islolation and permissions to safeguard data.
    A simple jailbreak of an android phone, or theft
    of devices SD card can lead to significant loss
    of data.

11
Isolation
  • Apple iOS
  • iOS operating system isolates each app from every
    app on the system.
  • The apps are not allowed to modify or view each
    others data, or even know if other apps exist on
    the OS, nor can they access the OS kernel, nor
    install privileged drivers or obtain root level
    administrator access to the device.
  • The apps are also isolated from the phones SMS,
    email in-out box and other email attachments.
  • Android
  • Like iOS, Android employs a strong isolation
    system. It not only isolates apps from each other
    but also prevents apps from accessing or
    modifying the OS kernel, ensuring the app doesnt
    get admin control over a device.

12
  • Blackberry (BB10)
  • introduces us to Blackberry Balance. Balance
    allows organizations to create isolation between
    personal and work environments on a device.
    Additional logical security is used to keep
    personal applications, files and network separate
    from the work environment.
  • When Balance is enabled, workspace is
    automatically encrypted, leaving personal
    environment unencrypted.
  • Windows Phone 8
  • WP8 uses the Unified Extensible Firmware
    Interface for secure boot, ensuring devices do
    not load rooted or unauthorized system images.
  • WP8 apps run in isolated chambers, which are
    similar to sandbox. Chambers keep applications
    and their data separate from one another.
  • The data between the applications is shared in
    the cloud and not on the device.

13
Permission Based Access Control
  • Apple iOS
  • The iOS denies access under all circumstances to
    many of the devices sensitive subsystems. Thus
    increasing the security of iOS based devices
    since it removes the user from security
    decision-making process.
  • The above process also limits each applications
    functionality, potentially limiting the utility
    of certain classes of iOS apps.
  • Android
  • The Android permission system relies on the user
    to make all policy decisions and decide whether
    an apps requested combination of permission is
    safe or not.

14
(No Transcript)
15
sources
  • http//www.tomsitpro.com/articles/mobile_security-
    mobile_management,2-64-9.html
  • http//www.slideshare.net/vladimirjirasek/mobile-s
    ecurity-summit-10-mobile-risks
  • http//searchconsumerization.techtarget.com/tip/Da
    ta-and-device-encryption-on-iOS-Android-Windows-Ph
    one-and-BlackBerry
Write a Comment
User Comments (0)
About PowerShow.com