SMARTPHONE SECURITY EVALUATION - The Malware Attack Case

Alexios Mylonas, Stelios Dritsas, Bill Tsoumas, Dimitris Gritzalis

2011

Abstract

The adoption of smartphones, devices transforming from simple communication devices to ‘smart’ and multipurpose devices, is constantly increasing. Amongst the main reasons are their small size, their enhanced functionality and their ability to host many useful and attractive applications. However, this vast use of mobile platforms makes them an attractive target for conducting privacy and security attacks. This scenario increases the risk introduced by these attacks for personal mobile devices, given that the use of smartphones as business tools may extend the perimeter of an organization’s IT infrastructure. Furthermore, smartphone platforms provide application developers with rich capabilities, which can be used to compromise the security and privacy of the device holder and her environment (private and/or organizational). This paper examines the feasibility of malware development in smartphone platforms by average programmers that have access to the official tools and programming libraries provided by smartphone platforms. Towards this direction, we initially propose specific evaluation criteria assessing the security level of the well-known smartphone platforms (i.e. Android, BlackBerry, Apple iOS, Symbian, Windows Mobile), in terms of the development of malware. We then provide a comparative analysis, based on a proof of concept study, in which the implementation and distribution of a location tracking malware is attempted. Our study has proven that, under certain circumstances, all smartphone platforms could be used by average developers as privacy attack vectors, harvesting data from the device without the user's knowledge and consent.



Paper Citation


in Harvard Style

Mylonas A., Dritsas S., Tsoumas B. and Gritzalis D. (2011). SMARTPHONE SECURITY EVALUATION - The Malware Attack Case. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2011) ISBN 978-989-8425-71-3, pages 25-36. DOI: 10.5220/0003446800250036


in Bibtex Style

@conference{secrypt11,
author={Alexios Mylonas and Stelios Dritsas and Bill Tsoumas and Dimitris Gritzalis},
title={SMARTPHONE SECURITY EVALUATION - The Malware Attack Case},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2011)},
year={2011},
pages={25-36},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0003446800250036},
isbn={978-989-8425-71-3},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2011)
TI - SMARTPHONE SECURITY EVALUATION - The Malware Attack Case
SN - 978-989-8425-71-3
AU - Mylonas A.
AU - Dritsas S.
AU - Tsoumas B.
AU - Gritzalis D.
PY - 2011
SP - 25
EP - 36
DO - 10.5220/0003446800250036