Today's post will contain my key points/conclusions from all of the articles I've been reading and writing notes on (6000 words of notes). The conclusions will draw on the key articles I've been reviewing that gave me the most relevant information, centring around trends and key points that pop up throughout the articles. One point I will make is that I still have several articles left to review, and further key points are bound to appear on the list.
Justification of my sources has been noted down in my notes, and most of the justification revolves around the articles coming from credible sources and the fact that the articles have used a wide array of research and evidence to back up their points.
A Standard for developing secure mobile applications (Dye & Scarfone, 2013)
This article provided an overview/analysis of a standard for developing a secure mobile platform. The standard had been developed by the NSA so it was very security focused. This article was extremely useful to me as it firstly gave an overview of why mobile devices are being targeted, and outlined various mistakes that developers make when writing mobile applications. It went into a lot of detail around what apps should and shouldn't do, and explained key differences in desktop applications and mobile applications. It also provided an overview of the skills and challenges faced when testing applications for vulnerabilities.
A Secure Software Architecture for Mobile Computing (Reza & Mazumder, 2012)
This article focuses on the architecture of smartphones and compares the security of the most common operating systems. It was useful as it provided information regarding the limitations of smartphones, and comparisons between Apple's walled-garden security architecture and Android's permission-based, open-source approach. The article's focus remained on Android, as it predicted this to be the most widely used OS in the future. The article helped me understand the key differences between Android and iOS, with all the key points it provided being repeated throughout other articles.
Emerging Security Threats for Mobile Platforms (Delac & Silco & Krolo, 2011)
This article focused on the threats mobile devices are beginning to face. It looks at the technical features of mobile devices that have brought on these security issues. The article was useful to me as it discussed the goals, vectors and malware types of a mobile attack, which gave me a great understanding of why mobile devices are being targeted and how they are being targeted. The article went on to focus on the security architectures and features of the various OSs, detailing pitfalls in their architectures. The article provided key terms relating to types of attacks that will be useful when it comes to writing my lit review.
A Survey on Security for Mobile Devices (Polla & Martinelli & Sgandurra, 2013)
This article discusses the threats and risks faced by mobile devices, the key differences between desktops and mobiles, and why these differences make mobiles much more attractive to an attacker. The article is useful to me as it provides key figures and terms relating to mobile malware. It focuses on new threats and current threats, and shows why smartphones are being targeted and the potential risks that could result from these attacks. It sets out the different types of data that a smartphone could hold and the implications of this data being leaked.
Vetting Mobile Apps (Quirolgico & Voas & Kuhn, 2013)
This article focuses on the types of vulnerabilities that a mobile app could have, and it also discusses in great depth a process for vetting mobile applications. It describes a process whereby security personnel are involved from the beginning of development right through to the launch of the app, with security personnel producing threat analysis documents and testing the application using static or dynamic vulnerability analysis. The article was very useful to me as it discusses the challenges faced in vetting applications, but also why it is so important that organisations vet their own applications rather than leaving it to the limited vetting process provided by the app stores. The article also provided some key terms and backed up a lot of the information I had previously discovered.
Android Architecture: Attacking the weak points (Mansfield-Devine, 2012)
The article focuses on the weak points of the Android architecture: it looks into why Android is being targeted by malicious developers and the ways in which they are targeting it. The main new point that appeared in this article was a discussion of attacks using advertising in applications. It discussed why malicious developers would not want to use Apple's advertising platform iAd to launch malicious attacks, due to a $300,000 sign-on fee and Apple insisting on verifying your identity, whereas Google's AdMob is much more attractive due to its $50 sign-on fee and no background check. The article also focuses on applications and the permissions they request, and puts forth the notion that application developers often make an app ask for permissions it doesn't need, just in case it might need them later. The article provides key figures I can use in my lit review.
Privacy and Security Benefits of Jailbreaking iOS (Dimitrov & Chow, 2013)
This article discusses why people should be jailbreaking their iPhones. It was extremely useful to me as it showed some of the positives of jailbreaking iPhones by describing some of the features available to someone who does this. However, I feel that their argument was flawed: the article is very one-sided and a little oblivious at times. While there are positives and there are new features available, I don't feel that everyone would use their jailbroken iPhones to understand more about the iOS infrastructure.
A Risk Assessment Method for Smartphones (Theoharidou & Mylonas & Gritzalis, 2012)
This article presents a relatively new method for risk-assessing smartphones as a single entity. It looks into areas of smartphone architecture, the types of data on the phone, the various events that could happen to your data and how they would affect you. This was a useful article for understanding how the risk assessment process works, and it gave great ideas as to what types of assets there are on a phone. It also gave me the idea of designing a 5-item Likert scale for my meetings this week, so that the interviewees can rate the types of attacks that could occur on a smartphone.
Key Points/Trends within the Articles
· Mobile applications are much more vulnerable than desktop applications because of the specifications of the mobile device: a mobile device has limited memory and battery, which may mean it is susceptible to buffer overflow attacks and denial of service. A mobile device can also connect to a wide variety of networks (3G/4G, Wi-Fi (WLANs), GPRS/UMTS, Bluetooth (PAN)), and because of this it is much more susceptible to attacks than a desktop application.
Applications may contain malware written in by the developer to cause harm to the device, but most likely the application is the malware itself: the application may be secretly sending information to a third-party server without the user knowing, via a permission granted to it by the user.
Mobile app stores have testing procedures in place (Apple runs static scans and Google's Bouncer runs dynamic scans), but due to the number of applications submitted to them on a daily basis, they cannot do the in-depth testing required to cover all of the possible areas in which an app could be vulnerable. The testing procedures also have known weaknesses: Bouncer only scans a program for 5 minutes, so if an app is idle for 5 minutes and no malicious activity occurs, the app will be allowed onto the Google Play store.
Mobile application vetting is a necessary process that should be implemented by companies creating their own applications. Vetting apps is a process that starts at the beginning of the software development lifecycle. It should start with a security assessment and threat analysis, and code should then be provided to security professionals to test as soon as possible. The tests should encompass both dynamic and static scanning. The challenge with app vetting is finding professionals who have the necessary skills to analyse and understand the report produced by the vulnerability scanner.
iOS has been shown throughout the articles to be the more secure of the operating systems. This is due to its walled-garden approach, whereby only Apple devices can run iOS because the OS relies heavily on the hardware it is running on. Apple also has a much more stringent policy on app scanning and is much quicker than Android at removing malicious apps that get past its vetting process. Apple devices don't allow applications from any market other than its own official App Store; the same cannot be said of Android or of jailbroken/rooted devices. Both operating systems work on a permission-based access model: a user has to grant an application the permissions it needs before it can be installed. The problem with this approach is that most users don't understand whether an application genuinely needs a permission for a specific feature, and therefore wouldn't realise that an app could be using that feature for malicious activity.
The reasons why and why not to jailbreak/root your device have become apparent through analysis of my trusted sources. There are many reasons to do so, and cool features that computing professionals would go crazy for, but by jailbreaking a device you are breaking the contract you have with your handset provider and neutralising all the defences the OS provides. For an IT professional this wouldn't be a problem, as they would understand which defences they would need to enable and customise, but a normal non-IT professional wouldn't understand half of the new features provided and would therefore be welcoming an attacker to exploit them. The research also showed that most malicious activity that has occurred on a device has come from that device being rooted/jailbroken.
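One way to turn two of the points above into a concrete static vetting check: the point that developers request permissions their app doesn't need, and the point that an app can silently send user data to a third-party server through a permission the user granted. This is an added example, not code from any of the articles reviewed; it parses a constructed AndroidManifest.xml for a hypothetical notes app and flags every requested permission that the threat analysis did not tie to a real feature. The permission groupings and the sample manifest are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest for a hypothetical note-taking app, not a real one
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Notes"/>
</manifest>
"""

# Assumed grouping: permissions that read user data; paired with INTERNET they
# allow the app to upload that data without the user noticing
DATA_READING = {"android.permission.READ_CONTACTS", "android.permission.READ_SMS",
                "android.permission.ACCESS_FINE_LOCATION", "android.permission.RECORD_AUDIO"}
# Assumed grouping: permissions that can cost the user money (premium SMS, calls)
COSTLY = {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"}

def requested_permissions(manifest_xml):
    """List every <uses-permission> name declared in the manifest, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]

def review_permissions(manifest_xml, justified):
    """Flag each requested permission absent from `justified` (the set the
    threat analysis tied to a real feature), returning (permission, reason)."""
    findings = []
    for perm in requested_permissions(manifest_xml):
        if perm in justified:
            continue
        if perm in DATA_READING:
            findings.append((perm, "reads user data without a justified feature"))
        elif perm in COSTLY:
            findings.append((perm, "can incur charges without a justified feature"))
        else:
            findings.append((perm, "not covered by the threat analysis"))
    return findings

def exfiltration_risk(manifest_xml, justified):
    """True when an unjustified data-reading permission is paired with INTERNET."""
    requested = set(requested_permissions(manifest_xml))
    unjustified_readers = (requested & DATA_READING) - set(justified)
    return "android.permission.INTERNET" in requested and bool(unjustified_readers)
```

For the sample notes app, whose threat analysis justifies only INTERNET (for sync), the review flags READ_CONTACTS, ACCESS_FINE_LOCATION and SEND_SMS, and the INTERNET plus READ_CONTACTS pairing is reported as an exfiltration risk.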
These were just a few of the key points I found when analysing my trusted sources; as I said at the beginning, the key points will continue to grow as I analyse more and more articles.
The next article will include my revised research questions.
Thank you very much for reading!! Stay tuned for more. You Stay Classy Bournemouth.