Addressing smartphone security and safety

Posted on June 28, 2011 10:44 am

Your blogger's focus today is on the security and safety concerns of most smartphone users. Last Friday, a friend of mine based in Estonia had his phone hacked. Although he recovered his data, I was left wondering why smartphone users face so many problems today. For any computing device that holds sensitive information and connects to the Internet, security is a major issue, and smartphones are no exception.

Losing a mobile phone, or having it stolen, is the most common problem in the developing world, and a phone landing in someone else's hands can be disastrous. In my case, I would rather lose my iPhone 4 or any other phone I own, which is only a loss of hardware, than have the goldmine of personal, business and work information sitting on the phone, usually in the e-mail inbox I have configured on it, fall into the hands of crooks and criminals.

Be careful and vigilant when someone asks to borrow your phone for a quick call; otherwise you can land in a total mess. That scenario amounts to granting an anonymous third party temporary access to a device holding very sensitive data about you, be it private pictures, e-mails or text messages, to mention but a few. Ask yourself how long it would take to install malware on the phone: less time than it takes to make a fake phone call.

With desktops and laptops, physical access has always meant no security. Even the latest version of Microsoft's Windows 7 still seems vulnerable in this respect, and the same applies to Apple's iOS. Unix environments have the issue as well: a user with console access can simply boot into single-user mode and change the root password.
Physical access to a mobile or any other device no longer means breaking into a building, and that is tough for IT globally, because historically it has only been a matter of time before someone breaks through any physical security measure and gets at the data on a disk. The solution to this menacing problem is to design systems on the assumption that untrusted parties will get physical access, and not to assume that any physical security layer will stand the test of time.

Securing data on disk relates closely to the previous issue, the physical loss of a mobile phone. Losing a device becomes a non-issue if the data stored on it is inaccessible to unauthorized parties. However, most of the information used by mobile applications is stored locally, including password files and authentication tokens, which all need to be protected as well. The ability to store sensitive information locally in a secure manner, while keeping it accessible to the applications that need it to function properly, is an important requirement for secure mobile computing.

Strong authentication, meaning a password that combines letters, numbers, special characters and a space, is now the industry standard, but applying the same standard on a mobile keyboard is difficult. Upholding strong authentication requirements is imperative, especially where the access is to sensitive data, yet enforcing such standards on a mobile keyboard makes even the most paranoid security professional rethink their password strategy.

On a mobile phone there is no such thing as logging in as a separate user, unlike on desktops and laptops. You enter a four-digit PIN and you are logged into the system. Under such circumstances, if one application is used purely for business and the others for personal use, there is no distinction from one application to the next.
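
To make the data-on-disk and four-digit-PIN points concrete, here is an added example that is not part of the original post. It protects a stored authentication token under a key derived from the user's PIN, then plays the role of an attacker who has copied the encrypted blob off a lost phone and tries every PIN offline. The PBKDF2 iteration count, the sample token and the HMAC-in-counter-mode cipher (a stand-in for a real AEAD such as AES-GCM, which the standard library does not provide) are all assumptions made for this demonstration.

```python
import hashlib
import hmac
import os

# Assumption for this demo: a deliberately low iteration count so the attack
# below finishes in seconds. A real app uses a far higher count, which slows
# the attacker by the same factor but leaves a four-digit PIN with only 10,000
# candidates, so the defence is the size of the secret, not the iteration count.
ITERATIONS = 1_000


def derive_keys(secret, salt):
    """Stretch the PIN/passphrase into an encryption key and a MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key, length):
    # HMAC-SHA256 as a PRF in counter mode; demo stand-in for a proper AEAD.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(token, secret):
    """Encrypt-then-MAC a token under keys derived from the user's secret."""
    salt = os.urandom(16)
    enc_key, mac_key = derive_keys(secret, salt)
    ciphertext = bytes(a ^ b for a, b in zip(token, _keystream(enc_key, len(token))))
    tag = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "ct": ciphertext, "tag": tag}


def unprotect(blob, secret):
    """Return the token if the secret is right, otherwise None.

    This check is exactly the offline oracle an attacker gets once the blob
    has been copied off the phone: no lockout, no rate limit.
    """
    enc_key, mac_key = derive_keys(secret, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(enc_key, len(blob["ct"]))))


def brute_force_pin(blob):
    """Try every four-digit PIN in order; return (pin, token, attempts)."""
    for attempts, candidate in enumerate(range(10_000), start=1):
        pin = "%04d" % candidate
        token = unprotect(blob, pin)
        if token is not None:
            return pin, token, attempts
    return None, None, 10_000


def demo():
    # Constructed sample: a token locked with the PIN 2580, then recovered by
    # an attacker who never saw the PIN.
    blob = protect(b"oauth-token-EXAMPLE", "2580")
    return brute_force_pin(blob)


if __name__ == "__main__":
    pin, token, attempts = demo()
    print("recovered PIN %s -> %r after %d attempts" % (pin, token, attempts))
```

The attack needs nothing but the stored blob, which is why "assume physical access" has to be the design rule: either the secret that unlocks local data must come from a much larger space than four digits, or the key must live somewhere an attacker with the flash image cannot reach.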

The challenge is that each application may need a different security model so that the data from one does not get exposed to the other, and because there is only one user profile, your phone may or may not be able to support that distinction.

As my blud in Estonia realized, a safe browsing environment is a must and not an option when it comes to mobile phone usage. One of the biggest exposures of a mobile device is the user's browsing behaviour. The technical issues he had could have been addressed, but one of the basic problems is the lack of display space on his iPhone. Lack of screen real estate on a mobile device simply makes a phisher's life easier. Take as an example the inability of some smartphones to show an entire URL in the mobile browser, or in some cases to show the URL at all; it makes all those phishing links significantly more effective. Furthermore, links are followed a lot more on mobile devices, which also makes a scammer's life easier, as many incidents have shown. Be wary, too, that social networking on mobile devices, combined with the heavy reliance on links posted on sites like Facebook and Twitter, makes it next to impossible for most users to tell which links are safe and which are not. The browser security model on most phones will have to pay special attention to such common but burdensome issues, otherwise consumers will find themselves in trouble.

As a recent survey of the most secure mobile operating systems showed, with BlackBerry regarded as the most secure, followed by Apple's iOS and then Google's Android, securing an operating system is no easy task, but it is one that every mobile software vendor needs to undertake for the sake of the user's security. The task is difficult because of all the constraints mentioned in this series, but how well mobile device vendors address security issues will translate directly into a strong user experience, and that is why BlackBerry fans stick with the brand while Android, Windows and Symbian users keep changing phones one after another. In my own development experience, I have learned that security often correlates with data loss and system downtime. Basically, if strong security prevents a user from making a phone call on their mobile device, the user experience will be tremendously weakened.

I also want to dwell on mobile application security, location privacy and a few other topics. There is no doubt that Rupert Murdoch, his son James and former News of the World editor Rebekah Brooks, who were grilled yesterday, are facing public wrath for invading people's privacy through the phone hacking scandal that has engulfed Murdoch's media business. Privacy is one of those things that is hard to pin down with users. Most mobile users want privacy, but most of them give it away by using products such as Google Latitude and applications that require your location before they will download. Google Latitude at least allows a user to control who they share their location with. Whether phone owners have lost location privacy is a moot point, because most mobile phone users assume their location privacy was lost as soon as they started carrying a mobile device, especially a smartphone like the iPhone or Nexus S.
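The truncated-URL problem above can be checked mechanically. The following is an added example, not code from the original post: it models an address bar that shows only the first few characters of a URL, works out which host-like text the user actually sees, and compares that with the registrable domain the link really resolves to. The display width, the brand watch list, the sample URLs and the "last two labels" rule for the registrable domain are assumptions for this demo (real code would use the Public Suffix List so that domains such as co.uk are handled correctly).

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed address-bar width in characters, standing in for a small mobile browser.
DISPLAY_WIDTH = 32

# Constructed watch list of brands a phisher might impersonate.
BRANDS = {"facebook.com", "twitter.com", "google.com"}


def registrable_domain(host):
    """Approximate the registrable domain: an IP literal as-is, else the last two labels."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def real_host(url):
    return (urlsplit(url).hostname or "").lower()


def visible_text(url, width=DISPLAY_WIDTH):
    """What the user sees: the first `width` characters, scheme stripped."""
    shown = url[:width]
    return shown.split("://", 1)[-1]


def assess(url, width=DISPLAY_WIDTH):
    """Report what is shown, where the link really goes, and which brands
    appear in the visible text without being the real destination."""
    real = registrable_domain(real_host(url))
    shown = visible_text(url, width)
    impersonates = sorted(b for b in BRANDS if b in shown and b != real)
    return {
        "shown": shown,
        "real_domain": real,
        "truncated": len(url) > width,
        "impersonates": impersonates,
    }


# Constructed sample links: a genuine login page, a look-alike host whose real
# domain sits past the cut-off, and a bare IP address.
SAMPLE_URLS = [
    "https://www.facebook.com/login.php",
    "https://www.facebook.com.account-check.example.net/login",
    "http://203.0.113.5/login",
]


def demo():
    return [assess(u) for u in SAMPLE_URLS]


if __name__ == "__main__":
    for url, report in zip(SAMPLE_URLS, demo()):
        print(url)
        print("  user sees :", report["shown"])
        print("  really on :", report["real_domain"])
        print("  impersonates:", report["impersonates"] or "nothing")
```

For the second sample the bar shows `www.facebook.com.account` and nothing else, so everything a user could check looks right, while the registrable domain is `example.net`. A mobile browser that at least highlights the registrable domain, rather than the left-hand end of the URL, removes most of the advantage the phisher gets from the small screen.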

This may or may not be true, but the use of GPS, location software, or simply one's Facebook or Google+ page to tell friends one's whereabouts introduces a new level of operating system security issues that has never really been a concern for desktop and laptop operating systems.

The mobile application layer is where users install things, if the framework architecture was designed correctly, but device drivers such as Bluetooth and video drivers need full access to the system in order to do their job. Most users I have come across do not update device drivers on a weekly basis, which means that any device driver that has not been secured properly is a standing target. A study published last month by a German university said that many mobile operating systems, Android among them, have built in a variety of strong protection schemes against system-level access to the OS, but if third-party drivers provide a way around those protections through their potentially insecure code, the device is exposed to attackers. If a Bluetooth driver lets an attacker gain system access on a phone, the user will blame the phone manufacturer, be it Apple, Samsung or Sony Ericsson, or the operating system vendor, such as Google or Microsoft, not the vendor of the device driver.

Another issue that must be taken into account is multifactor authentication, also referred to as MFA, which is strongly needed on mobile devices. Compared with a MacBook Air or any other laptop, a mobile phone can easily fall into anyone's hands. To address this, many mobile web applications build in a soft second factor that is checked invisibly to the user.
Soft MFA of this kind can be spoofed, because it authenticates users by the use of a similar browser, the same source IP range and the same HTTP headers. Once a phisher has collected a user's credentials, the attacker can replay the user's browser information to the mobile web application and pose as the user despite the MFA. A thick-client mobile application is the most appropriate way for a multifactor scheme to uniquely identify a mobile device to a mobile web application. Most of the mobile web applications I have seen attempt MFA by creating a device signature associated with the user's phone. The signature is a combination of HTTP headers and properties of the device's connection. When a user attempts to log in, the device signature is recomputed and compared with the value stored in the mobile web application's database. If the signature does not match, the user must complete a challenge sequence involving out-of-band confirmation through e-mail, SMS or a phone call.

For Rupert Murdoch and his businesses, the price of breaching people's mobile security to gather exclusive news is going to be expensive and a PR disaster. My advice is to keep your mobile phone safe and secure.
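The device-signature scheme just described, together with the replay weakness, as an added example that is not part of the original post or any particular product. It enrols a user with a signature computed over a few HTTP headers and the client's /24 network, recomputes it at login, and returns "challenge" when the signature changes so the application can fall back to an out-of-band check. The header set, the /24 grouping, the server secret and the sample headers are assumptions for this demo; the replay at the end shows why the page calls this a soft factor.

```python
import hashlib
import hmac
import ipaddress
import os

# Assumed server-side secret; a real deployment keeps this in a key store.
SERVER_SECRET = b"example-server-secret-not-for-production"

# Assumed header set that feeds the soft signature.
SIGNATURE_HEADERS = ("User-Agent", "Accept-Language", "Accept")

# Constructed sample headers for the victim's phone.
VICTIM_HEADERS = {
    "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 4_3 like Mac OS X) Mobile/8J2",
    "Accept-Language": "en-gb",
    "Accept": "text/html,application/xhtml+xml",
}


def device_signature(headers, client_ip):
    """HMAC over selected headers plus the client's /24 network.

    Keying with HMAC means a stolen database does not expose the raw values,
    but every input is observable on the wire, so the signature is replayable.
    """
    normalized = {k.lower(): v for k, v in headers.items()}
    parts = [normalized.get(h.lower(), "") for h in SIGNATURE_HEADERS]
    parts.append(str(ipaddress.ip_network("%s/24" % client_ip, strict=False)))
    material = "\n".join(parts).encode()
    return hmac.new(SERVER_SECRET, material, hashlib.sha256).hexdigest()


def password_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enroll(db, username, password, headers, client_ip):
    """Store the password hash and the signature of the enrolling device."""
    salt = os.urandom(16)
    db[username] = {
        "salt": salt,
        "pw": password_hash(password, salt),
        "sig": device_signature(headers, client_ip),
    }


def login(db, username, password, headers, client_ip):
    """Return 'ok', 'challenge' (out-of-band confirmation needed) or 'denied'."""
    record = db.get(username)
    if record is None:
        return "denied"
    if not hmac.compare_digest(password_hash(password, record["salt"]), record["pw"]):
        return "denied"
    if hmac.compare_digest(device_signature(headers, client_ip), record["sig"]):
        return "ok"
    return "challenge"


def demo():
    """Legitimate login, a new phone, a phisher replaying captured headers, a wrong password."""
    db = {}
    enroll(db, "alice", "correct horse battery", VICTIM_HEADERS, "203.0.113.45")
    same_device = login(db, "alice", "correct horse battery", VICTIM_HEADERS, "203.0.113.45")
    new_phone = login(db, "alice", "correct horse battery",
                      {"User-Agent": "Mozilla/5.0 (Linux; Android 2.3)"}, "198.51.100.7")
    # Attacker has the password and a copy of the victim's headers, and sends
    # from another address in the same /24: the soft factor passes.
    replayed = login(db, "alice", "correct horse battery", dict(VICTIM_HEADERS), "203.0.113.200")
    wrong_pw = login(db, "alice", "wrong", VICTIM_HEADERS, "203.0.113.45")
    return same_device, new_phone, replayed, wrong_pw


if __name__ == "__main__":
    print(demo())
```

The third result is the whole problem: nothing in the signature is secret to anyone who can see or phish the victim's traffic. The "challenge" branch is what makes the scheme worth having at all, so the out-of-band step must be real, and a thick client that can hold a per-device secret, rather than observable headers, is what turns the soft factor into a hard one.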

Contador Harrison