Chapter 6: Security in Mobile Computing - Coggle Diagram
Mobile Devices
Impact on users
People using mobile devices like never before
Banking, shopping, email, social networking, etc.
Impact on security
Sensitive data now being stored/input on devices
Economic incentive for attackers is growing
Security in Mobile Computing
Mobile devices make attractive targets
People store much personal info on them: email, calendars, contacts, pictures
Can fit in pockets, easily lost/stolen
Built-in billing system: SMS/MMS (mobile operator), in-app purchases (credit card)
Location privacy issues
Mobile Malware
Malicious code
A software program that threatens the computer and the data stored on it
Mobile Device Malware
Mobile devices have become a breeding ground for malware
Devices are used or manipulated to harvest personally identifiable data
Some malware is used to propagate unsolicited advertisements
Real Dangers of Malware
Bank account passwords are stolen
Private information is captured
Phone data is deleted
Device is "bricked" and needs replacing
Phone forced to send messages to premium numbers
Best Practices to Avoid Malware
Only install applications from reputable and trusted sources
Avoid installing applications from 3rd-party websites
Ensure the applications installed are produced by the “official publisher”
Avoid granting excessive or unnecessary permissions to applications
Personally Identifiable Information
Information that can be used to single out or identify a user based on several factors
Common information used to personally identify users
Email address
MAC address
IMEI number (phone serial number)
IMSI number (cellular identification number)
Bluetooth Address
Phone Number
Normal communication using an official application (diagram): User -> Middleware -> Application Servers
Communication using an unofficial application (diagram): User -> 3rd-party Proxy -> Middleware -> Application Servers
Wireless Connection Security
Security Issues in Wireless Network
Everybody with a receiving device can monitor all incoming and outgoing traffic if they are within the signal's communication range
Security and privacy issues in wireless networks are therefore far more critical than in wired networks
Securing WiFi connection
Improper WiFi configuration could compromise the security and privacy of wireless communication
Most WiFi networks are auto-configured, so it is easy for anybody with malicious intent to masquerade as a legitimate network
Steps to secure a WiFi connection
Avoid connecting to open and unencrypted WiFi connections
Use stronger WPA encryption whenever connected to a WiFi network
A malicious party may intentionally set up a public WiFi for the sole purpose of harvesting sensitive information from unsuspecting users
Use a VPN (Virtual Private Network) service whenever possible
Connect only to websites that implement secure HTTPS connections with TLS and SSL
Do not access sensitive applications (e.g. banking applications) from public WiFi networks
“Evil Twin” WiFi Attack
Popular method of gaining access to private user data
The attacker brings his own WiFi AP and sets the AP name to masquerade as a legitimate WiFi network to confuse users
Users who connect to the attacker's WiFi AP might be compromised
Bluetooth Security Threats
Eavesdropping Attack
Involves a minimum of two victims
The attacker sits in the middle and connects two dummy devices to both victim devices
MAC Address Spoofing Attack
Intended to steal data from the device
The victim's MAC address is cloned onto the attacker's device; the attacker's device effectively masquerades as the victim
Data sent to the victim will be received by the attacker
Denial-of-Service Attack
Prevents victims from communicating with each other
“Big NAK” Attack (NAK – Negative AcKnowledgement)
The attacker sends a request for information to the victim
The victim sends the information
The attacker sends a negative acknowledgement, pretending not to have received the information; the victim resends it
The loop repeats until the victim's battery is drained
Blue-Snarfing
Method of gaining unauthorized access to a Bluetooth device without the consent of the user.
The attacker also has the ability to alter the contents of calendar, phonebook and multimedia files
Authentication & Authorization
Authentication
Determines the identity of the user
Allows legitimate users to use the device or application
Requires proof of identity (password, unlock pattern, facial recognition)
Authorization
Second-level access control
Determines what the user can or cannot do
Password Authentication
Advantages
Cheapest, easiest form of authentication
Works well with most applications
Drawbacks
Lazy users’ passwords: 1234, password, letmein, …
Can be defeated using dictionary or brute-force attacks
Requires administrative controls to be effective
Minimum length/complexity
Password aging
Limit failed attempts
Biometrics
The body becomes the key and can be used for access control
Helps to increase the complexity of the access control system
Measures and analyses a person’s unique characteristics and uses them for authentication
Physiological biometric traits
Fingerprint, face, iris or retina
Behavioural biometric traits
Speech
Advantages
Traits cannot be forgotten, misplaced or lost
More difficult to forge
Requires only that the person be present at the time
Difficult to crack
Authentication: Pattern Lock
Swipe path of length 4–9 on a 3 x 3 grid
Easy to use, suitable for mobile devices
Advantage
389,112 possible patterns (versus 456,976 possible patterns for a 4-character case-insensitive alphabetic password!)
Drawbacks
An attacker can see the pattern from finger oils (smudges) on the screen
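The 389,112 figure above can be reproduced by enumeration. The following script is an added example, not part of the original chapter; it assumes the usual Android pattern rules (each dot used at most once, and a straight swipe may not pass over a dot that has not yet been used) and compares the resulting keyspace with that of a 4-character alphabetic password.

```python
# Added example: count valid 3x3 unlock patterns (Android rules assumed:
# each dot used at most once; a straight swipe may not pass over an
# unvisited dot, but may pass over one already in the pattern).
import math

def midpoint(a, b):
    """Dot that a straight swipe from a to b passes over, or None."""
    dr, dc = abs(a // 3 - b // 3), abs(a % 3 - b % 3)  # grid numbered 0..8 row by row
    return (a + b) // 2 if (dr, dc) in ((0, 2), (2, 0), (2, 2)) else None

def is_valid_pattern(seq, min_len=4, max_len=9):
    """True if seq (list of dot indices 0..8) is an acceptable pattern."""
    if not min_len <= len(seq) <= max_len or len(set(seq)) != len(seq):
        return False
    visited = set()
    for prev, cur in zip(seq, seq[1:]):
        visited.add(prev)
        m = midpoint(prev, cur)
        if m is not None and m not in visited:
            return False  # swipe would skip over an unused dot
    return True

def count_by_length(min_len=4, max_len=9):
    """Valid patterns per length, found by depth-first search over the grid."""
    counts = {n: 0 for n in range(min_len, max_len + 1)}
    def extend(last, visited, length):
        if length >= min_len:
            counts[length] += 1
        if length == max_len:
            return
        for nxt in range(9):
            m = midpoint(last, nxt)
            if nxt in visited or (m is not None and m not in visited):
                continue
            visited.add(nxt)
            extend(nxt, visited, length + 1)
            visited.remove(nxt)

    for start in range(9):
        extend(start, {start}, 1)
    return counts

def keyspace_bits(n):
    """log2 of the number of choices: the entropy of a uniformly chosen secret."""
    return math.log2(n)

if __name__ == "__main__":
    total = sum(count_by_length().values())
    print("pattern lock:", total, round(keyspace_bits(total), 2), "bits")
    print("4-char alphabetic:", 26 ** 4, round(keyspace_bits(26 ** 4), 2), "bits")
```

Both keyspaces are under 19 bits, which is why the "strength" of a pattern in practice depends far more on rate limiting and on users avoiding short, predictable shapes than on the raw count.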
Authentication: Comparison
Method        Security  Ease of Use  Implementation  Works on phones
Password      Weak      Easy         Easy            Yes
Biometrics    Strong    Hard         Hard            Possible
Pattern Lock  Weak      Easy         Easy            Yes