Introduction
The mobile application security market has seen a massive boom in the last couple of years, owing to the availability of affordable smartphones from a variety of vendors and the advent of Bring Your Own Device (BYOD) in the workplace.
These applications give users easy, always-on access to financial transactions, online purchasing of all kinds of goods, entertainment and social connectivity, and they have helped businesses increase productivity and flexibility. That same reach has made mobile applications a target for hostile online threats: a compromised application can leak personal and professional information such as financial records, credit card details, personally identifiable information (PII), email addresses and passwords, turning its users into victims of an ever-growing population of cyber criminals. Mobile applications therefore need to be continuously scanned and tested for security risks and exposures.
Improvements in hardware and software have enabled more complex tasks to be performed on mobile devices; this functionality has also increased the attractiveness of the platform as a target for attackers. Android’s “open application” model has seen multiple instances of malicious applications with hidden functionality that secretly harvests user data.
Many organizations are concerned about data integrity, and increased regulation and data protection requirements have placed further obligations on organizations to properly secure data that interacts with mobile devices. As a result, higher levels of security and data protection assurance are required.
Mobile penetration tests are unlike traditional penetration tests in many ways. In a traditional penetration test there is significant platform variance between operating systems, patch levels and hardware-specific drivers, balanced by a relatively common platform CPU (Intel or Intel-compatible). While application sandboxing is used on some traditional platforms, it is relatively uncommon there, whereas it is a primary security mechanism on mobile devices.
Mobile devices fall into the category of embedded devices: systems with a finite amount of storage and memory, running on a non-extensible hardware platform with a CPU that deviates from the common Intel platforms. While mobile systems have been expanding in terms of RAM and persistent storage, these devices generally lack the capabilities of traditional platform systems. Given this variation, we need to adjust our attack techniques accordingly.
For example, a traditional exploitation tool such as Metasploit does not work against mobile devices such as the iPad unless it has been specifically written to do so. Further, while some mobile devices exhibit vulnerable behavior in the retrieval of system updates, which is typically exploited with tools such as Evilgrade, it is not possible to deliver a malicious executable to a Windows Phone in this way, since it does not typically run unsigned software.
Despite this platform disparity, we can reuse core competencies from web application security, such as threat modeling, risk analysis, bug tracking and report preparation, and apply them effectively to the analysis and evaluation of vulnerabilities in mobile devices. The implementation and delivery of attacks against mobile devices changes, but the process remains constant.
There are several entry points, such as Wi-Fi, applications, Bluetooth and flash memory, through which a device can be compromised or an attacker can intrude into it.
Major Flaws of Mobile Security
- Physical Security
  - Mobile phones will get lost or stolen, period. Whether it is a personal handset or one issued by an employer, the fact that a mobile phone will eventually land in someone else’s hands is a security issue, putting the data held by the device’s applications at risk.
- Strong Authentication with a Poor Keyboard
  - Authentication standards define a strong password as one that uses a combination of letters, digits and special characters. However, trying to enter such a password on a mobile device is difficult.
  - Strong authentication is required if an application deals with sensitive data such as one’s bank account; however, enforcing those standards on a mobile keyboard is difficult.
- No Separate User Login
  - Traditional client operating systems support multiple users, and their architectures grant each user a different operating environment. For example, a desktop operating system requires a separate username/password for each user logging into the machine, thus ensuring the data from one account is not readily available to another.
  - On a mobile device, the world is different. There is no such thing as logging into a mobile device as a separate user (not yet, anyway). After entering a four-digit PIN, the user is logged into the system.
- Unsafe Browsing Environment
  - The basic issue is the lack of display space on the mobile device. The lack of screen real estate on a mobile device simply makes a phisher’s life easier.
  - For example, the inability to view an entire URL in a mobile browser, or in some cases the inability to view the URL at all, makes phishing links significantly more effective.
- Viruses, Worms, Trojans, Spyware and Malware
  - As with any device that accesses the Internet, the threat of mobile viruses, worms, Trojans, spyware and malware needs to be addressed.
  - With new computing environments appearing every other day, new attack classes will emerge. For example, earlier worms that spread through SMS messages and Bluetooth connections were definitely a new attack class, even if they used traditional concepts.
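The truncated-URL point under Unsafe Browsing Environment, illustrated with an added defender-side check (example code, not from the original post): the sample URLs, the 36-character address-bar width and the naive registrable-domain helper are all constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample URLs (not from the original post): a legitimate sign-in page
# and a look-alike whose real host only appears beyond the visible prefix.
EXPECTED_HOST = "login.examplebank.com"
LEGIT_URL = "https://login.examplebank.com/account/signin"
LOOKALIKE_URL = "https://login.examplebank.com.verify-session.example-cdn.net/account/signin"

# Assumed width of a narrow mobile address bar, in characters (illustrative only).
MOBILE_BAR_WIDTH = 36


def visible_prefix(url: str, width: int = MOBILE_BAR_WIDTH) -> str:
    """Return what a user sees when the address bar shows only `width` characters."""
    return url if len(url) <= width else url[:width] + "..."


def true_host(url: str) -> str:
    """Return the host the browser actually connects to (lowercased, port stripped)."""
    return (urlsplit(url).hostname or "").lower()


def naive_registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. 'examplebank.com'.

    Simplification: a production check would consult the Public Suffix List,
    because suffixes such as 'co.uk' need three labels to be unique.
    """
    return ".".join(host.split(".")[-2:])


def is_misleading(url: str, expected_host: str = EXPECTED_HOST,
                  width: int = MOBILE_BAR_WIDTH) -> bool:
    """True when the truncated display opens with the expected host but the part
    the user cannot see changes the registrable domain: the case where the small
    screen hides the real destination."""
    shown = visible_prefix(url, width)
    after_scheme = shown.split("://", 1)[-1]
    looks_expected = after_scheme.startswith(expected_host)
    same_site = (naive_registrable_domain(true_host(url))
                 == naive_registrable_domain(expected_host))
    return looks_expected and not same_site


if __name__ == "__main__":
    for url in (LEGIT_URL, LOOKALIKE_URL):
        print(f"shown: {visible_prefix(url)!r:45} host: {true_host(url)}"
              f"  misleading: {is_misleading(url)}")
```

Both URLs display identically up to the cut-off, which is why the check compares the registrable domain of the full host rather than what is visible.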