
Potential for Data Loss from Security Protected Smartphones

©2014 Textbook 56 Pages

Summary

Smartphones have been widely accepted by mass market users and enterprise users. However, threats related to Smartphones have emerged. Smartphones carry substantial amounts of sensitive data. There have been successful attacks in the wild on jailbroken phones. Therefore, smartphones need to be treated like computers and have to be secured against all types of attacks. There are proof-of-concept attacks on Apple iOS and Google Android. This project aims to analyze some of the attacks on Smartphones and find possible solutions to defend against them. The project is therefore based on a proof-of-concept malware for testing antivirus software.

Excerpt

Table Of Contents


5.2.5 Loss of device
5.2.6 Social Engineering
Chapter 6 Analysis of cloud based security solutions
Chapter 7 Conclusion
References

List of figures
Figure 1 Terminal window requesting access as root user
Figure 2 Reset terminal window to go back to the prompt
Figure 3 'safebot' application is running as 'root'
Figure 4 Symantec mobile security is running as an application
Figure 5 Computer's device manager displaying an installed Symantec driver
Figure 6 Symantec mobile security is running as user 'app_39' at application layer
Figure 7 Task manager displaying Symantec's Smc.exe running as SYSTEM User
Figure 8 Safebot malware is running as root user
Figure 9 Shows how a cloud-based email and web security service works [60]

List of Tables
Table 1 Comparison of features of computer antivirus products for home users
Table 2 Comparison of features of Smartphone antivirus for home users
Table 3 Summary of the key features of some enterprise antivirus products


Chapter 1 Introduction
1.1 Background
The way people communicate and exchange information has changed rapidly over the past
decade, and yet this is only the beginning of a new era of communication and information
exchange. It started with Graham Bell's invention of the telephone, and it took about 140 years
to move from Graham Bell's telephone system to Martin Cooper's cell phone. Cell phones, or
mobile phones, made people's lives much easier than before. Mobile phones enabled voice and
text communication on the go. However, since the release of the iPhone in 2007, the Smartphone
has changed the way people communicate and exchange information. The Smartphone is no longer
limited to voice and text messaging. With 3G mobile broadband and Wi-Fi access, the
Smartphone enables the use of the internet on the go. Internet accounts such as email,
Facebook, Twitter and many more can be accessed using a Smartphone. The Smartphone is accepted
by enterprises for work, as they believe that it increases employee productivity. Employees can
access information required for work anywhere.

However, as technology evolves, the threats and risks associated with the Smartphone have
also emerged. The use of the internet on a Smartphone requires protective measures like
antivirus, as used by a normal computer. A normal computer does not have to be directly
internet facing. It can be in a private LAN and can access the internet over a connection that
is filtered and protected by a firewall or an Intrusion Prevention System. A computer accessing
the internet from a private LAN is less vulnerable to internet threats than computers that are
directly facing the internet. However, every Smartphone that uses mobile broadband is an
internet facing device, which makes it more vulnerable to internet related risks. Sales of
Smartphones are growing exponentially and the threat landscape has also changed. Thus it has
become vital to have the best protective measures to protect the Smartphone.

Chapter 2 analyses the components of computer and Smartphone antivirus for home users
and enterprise users. It also compares some core components of some antivirus products.
Chapter 3 analyses some security features of Apple iOS and Google Android.

Chapter 4 uses a 'proof of concept' Smartphone malware to test against antivirus software.
Chapter 5 discusses the various attacks on Smartphones, the implications of the attack and
possible protective measures against the attacks.
Chapter 6 analyses cloud based security solutions to protect Smartphones for enterprise
users.

Below are some definitions that will help readers to understand the project.

Smartphone: It is a high end mobile phone that is capable of providing GPS navigation and
internet access via mobile broadband and Wi-Fi. It has a high resolution camera and a touch
screen with advanced computing capabilities. It can play multimedia files and display
standard web pages instead of mobile optimized web pages. It allows access to most of the
resources that are available on a computer, like email, social networking and banking. It also
allows access to company related work via enterprise developed applications.

Malware [1]: Malware is malicious software that can steal sensitive user data such as
keystrokes, browsing history, form data, credit card details, files, etc.

Trojan horse [2]: A Trojan horse is legitimate-looking software that deceives users and has
malicious software or code hidden in it that can steal data.

Root kit [3]: A root kit is malicious software that has system level privileges and kernel
access to the machine and cannot be detected by antivirus software.

1.2 Project objectives
This project considers some of the threats to a Smartphone and discusses the possible
protective measures. The project discusses security solutions and security best practices for
mass market users and enterprises. The project also discusses possible threats to a Smartphone,
the source of the threat, the likelihood impact and protective measures. In the end, the project
provides a brief summary and conclusion.
1.3 Methods used
The project considers various components of a computer antivirus and a Smartphone
antivirus and compares the components to draw conclusions. The project analyses the security
features provided by the Apple iOS and Google Android platforms. Understanding the security
architecture of these platforms is important, as it helps to find the missing links needed for
effective security solutions. One major part of the project tests some trial version Smartphone
antivirus products against a 'Proof of Concept' malware on a phone with root access. The
project analyses various antivirus products available to secure Smartphones. To analyse these
products, the project refers to the technical information available on the website of the
antivirus vendor. Whitepapers are also consulted for additional information. The next chapter
discusses the various components of a computer and Smartphone antivirus.

Chapter 2 Understanding the Antivirus Application
2.1 Introduction
Definition of Antivirus [4]: It is software that checks for malicious code based on signatures
or the behaviour of the malicious code.

It is important to understand how antivirus software for computers and antivirus software
for Smartphones work. This will help to analyse whether a particular feature that is available
in computer antivirus software could be included to enhance the security of Smartphones. This
chapter discusses the components of a computer antivirus and a Smartphone antivirus for mass
market and enterprise users.
2.2 Components of a conventional or computer Antivirus
Conventional antivirus software used on PCs and laptops can be categorized by type of user.
1. Home users: The antivirus software for home users or mass market users usually contains
features concentrating on internet security. It combines the Antivirus, Antispyware and
Internet security features. Norton also includes a Backup feature in the antivirus software.
The internet security feature usually checks for malicious websites. The antivirus vendors
update the malicious website database regularly. The home user antivirus combines these
features so that users get multiple security features in one product.
2. Enterprise users: The Enterprise antivirus has the antivirus and antispyware features and
additional features such as Application and device control, Host Integrity, System lock down,
Application white listing and black listing, Network access control, etc. Usually enterprises
have a proxy firewall to filter web traffic at the network level to reduce the load on the end
computers. Enterprise antivirus is capable of allowing or blocking applications and allowing
or blocking removable devices. As per the organization's policy, organizations might want to
restrict the use of certain applications. In some instances of research or software
development, computers are locked down to allow only certain applications because of a strict
development or research environment. Even updates might not be allowed to be installed once
the system is locked down. Enterprises have their own backup strategy, so the backup is not
coupled with the antivirus product.

Below are some of the components of a conventional antivirus product used on computers:
• Antivirus and Antispyware Protection [5]: It uses signatures to identify and mitigate
threats that try to gain, or have gained, access to the computer. It looks for viruses,
Trojans, spyware, adware, key loggers, worms and root kits. This feature also provides
protection for email attachments.
• Proactive or Real Time Threat Protection [6]: It provides zero day protection against
unknown threats based on anomalies. A threat might not get detected by the antivirus or
antispyware feature if the product does not have the signature for the threat. Proactive
scan has a process running at all times which looks for suspicious behaviour such as that of
key loggers, password stealers, etc.
• Intrusion Prevention System [7]: The intrusion detection engine uses deep packet
inspection to check for port scans and denial-of-service attacks and protects against
known buffer overflow attacks. The Intrusion Prevention System also supports the automatic
blocking of malicious traffic from infected computers to prevent further infection of
computers in the network. Based on the Intrusion Prevention System alert information,
administrators can review the logs and patch the systems to prevent intrusions and
vulnerability exploits.
• Firewall [8]: The firewall contains the rules to allow or block traffic based on IP address,
ports, applications, services, protocol (e.g. TCP, UDP, ICMP, etc.) and direction
(inbound or outbound).

Some products offer additional features such as:
• Host Integrity [9]: It is a component that checks the integrity of a host that attempts to
connect to a network, based on the Host Integrity rules. A Host Integrity rule defines the
required software and the version or patches a host should have before it connects to the
network. If the host does not fulfil the Host Integrity policy requirements, it is assigned an
IP address in the quarantine VLAN (Virtual Local Area Network) and is flagged for the
administrator's attention so that the required software and patches can be installed.

• System Lock Down [10]: It is a feature that allows administrators to restrict the files
that can be executed on a computer. Administrators create an image of the operating
system with a set of programs that are allowed to execute on the computer. A list of hash
values of these programs is created and provided to the antivirus software, which monitors
all the programs. Any program whose hash value is not present in the list is not allowed
to execute.
• Application white listing and black listing [11]: Administrators can add an application
to the white list so that the antivirus does not detect programs that look malicious to the
antivirus software. There are some malicious applications, like screenshot capturing tools,
that administrators use for monitoring. Even if an application is legitimate,
administrators can black list it if its use is not permitted by corporate policies.
• Application and device control: This feature allows the administrator to block
applications from execution based on hash values without having to do a complete
lockdown. Device control is a feature that allows blocking or allowing devices based on
device class, or can get even more granular and block only a specific device of a
particular class.
• Network Access control [12]: It allows controlling the network access of devices based
on the IP address or the software running on the computer. Network Access control is
usually used with Host Integrity to control network access at host or operating system
level.
• Proactive removable device scanning: The antivirus software proactively displays a
notification to the user to scan a removable device, such as a USB pen drive, whenever it is
connected.
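
The hash-list decision behind System Lock Down and Application and device control can be shown in a few lines. The following Python example is added here and is not taken from the book or from any antivirus product; the choice of SHA-256, the function names and the sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_allowlist(image_dir):
    """System lockdown: record the hash of every program in the approved image."""
    return {sha256_of(p) for p in Path(image_dir).rglob("*") if p.is_file()}

def may_execute(path, allowlist=None, blocklist=frozenset()):
    """Decide one execution request; returns (allowed, reason).
    Blocklist only = application control; allowlist given = full lockdown."""
    file_hash = sha256_of(path)
    if file_hash in blocklist:
        return False, "hash blocked by application control"
    if allowlist is not None and file_hash not in allowlist:
        return False, "hash not in lockdown image"
    return True, "allowed"

def demo():
    """Constructed sample files stand in for real executables."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp, "image")
        image.mkdir()
        editor, capture = image / "editor.bin", image / "capture.bin"
        editor.write_bytes(b"approved editor v1")
        capture.write_bytes(b"screenshot capture tool")
        allowlist = build_allowlist(image)
        blocklist = {sha256_of(capture)}
        # Same file name as an approved program, but modified content.
        patched = Path(tmp, "editor.bin")
        patched.write_bytes(b"approved editor v1 + injected code")
        return {
            "approved": may_execute(editor, allowlist),
            "patched": may_execute(patched, allowlist),
            "blocked": may_execute(capture, allowlist, blocklist),
            "control_only": may_execute(patched, None, blocklist),
        }

if __name__ == "__main__":
    for case, (allowed, reason) in demo().items():
        print(f"{case}: {'run' if allowed else 'deny'} ({reason})")
```

The "patched" case is denied under lockdown even though its file name matches an approved program, because the decision depends only on the content hash; the same file is allowed when only the block list is enforced.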

The table below compares some key features of a computer antivirus for some popular home
user antivirus products.
Features                     Norton [13]   McAfee [14]   Kaspersky [15]   Webroot [16]
Antivirus & Antispyware      Yes           Yes           Yes              Yes
Email protection             Yes           Yes           No               No
Proactive threat protection  Yes           Yes           Yes              Yes
Firewall                     Yes           Yes           Yes              No
Internet security            Yes           Yes           Yes              No
PC tune-up                   Yes           Yes           Yes              Yes
Online and offline Backup    Yes           Yes           No               Yes
Parental controls            No            Yes           Yes              No
Identity Protection          Yes           No            Yes              Yes
Table 1 Comparison of features of computer antivirus products for home users
2.3 Components of a Smartphone antivirus
Smartphone antivirus has fewer components than computer antivirus. One
reason could be the operating system architecture of the Smartphone. Android and iOS are
designed with security in mind so that users don't have to rely too much on third party
software for security. Computer antivirus concentrates more on malware, Trojans and internet
security. Smartphone antivirus applications concentrate on features like call/text blocking,
Antitheft, parental control and Backup.

Below are some of the components of a typical Smartphone antivirus:
• Antivirus: This component scans for known threats like malware, Trojans and malicious
code.
• Firewall: Monitors web traffic and filters malicious web pages.
• Antitheft [17]: This feature makes it possible to get the phone's location in case it is
lost or stolen, using the GPS feature of the phone. It gives the GPS location of the device to
the user, which helps the user to track the phone. The user can configure an action to be
taken after the maximum number of failed login attempts. The phone can be configured to reset
itself to factory settings and wipe personal data like contacts, application settings and
files from the SD card. The phone can also be configured to lock itself if the SIM card is
changed.
• Parental control [18]: This feature allows parents to monitor and block SMS or calls to
unwanted numbers.
• Backup [19]: This feature allows contacts and other data to be backed up to the web. It also
allows data to be restored to new phones.
• Call/text Blocking [20]: A user can configure the antivirus to block phone calls, such as
telemarketing calls, and spam SMS messages from certain unwanted numbers.
• Application Audit [21]: This feature is not found in many Smartphone antivirus
products. It monitors the activity of all the applications and maintains a list of the
permissions each application has. It also maintains details of the applications that can
send sensitive data and could bill the user for their services.
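
The Application Audit described above can be illustrated with a permission inventory. The following Python example is added here and is not from the book or from any antivirus product; the permission strings are real Android manifest permissions, while the package names, the inventory and the grouping into categories are assumptions constructed for illustration.

```python
def perms(*names):
    """Expand short names to full Android manifest permission strings."""
    return {"android.permission." + name for name in names}

# Real Android permission names; the grouping into categories is an
# assumption made for this example, not a list from the book.
SENSITIVE_SOURCES = perms("READ_CONTACTS", "READ_SMS", "ACCESS_FINE_LOCATION")
OUTBOUND_CHANNELS = perms("INTERNET", "SEND_SMS")
BILLABLE = perms("SEND_SMS", "CALL_PHONE")

# Constructed inventory: package name -> permissions the app declares.
INSTALLED = {
    "com.example.flashlight": perms("CAMERA"),
    "com.example.weather": perms("INTERNET", "ACCESS_FINE_LOCATION"),
    "com.example.wallpaper": perms("READ_CONTACTS", "SEND_SMS"),
    "com.example.notes": perms("READ_CONTACTS"),
}

def audit_app(package, permissions):
    """Record an app's permissions and what they let it do in combination."""
    sources = permissions & SENSITIVE_SOURCES
    channels = permissions & OUTBOUND_CHANNELS
    return {
        "package": package,
        "permissions": sorted(permissions),
        # Data can leave the device only if the app can read it AND send it.
        "can_send_sensitive_data": bool(sources and channels),
        "can_incur_charges": bool(permissions & BILLABLE),
    }

def audit_all(installed):
    """Audit every app; apps that can cost money or leak data come first."""
    reports = [audit_app(pkg, p) for pkg, p in installed.items()]
    return sorted(reports, key=lambda r: (not r["can_incur_charges"],
                                          not r["can_send_sensitive_data"],
                                          r["package"]))

if __name__ == "__main__":
    for report in audit_all(INSTALLED):
        print(report["package"], report["can_send_sensitive_data"],
              report["can_incur_charges"])
```

An app that reads contacts but has no outbound channel is not flagged, which is why the audit looks at permission combinations and not at single permissions.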

Details

Pages: 56
Type of Edition: First edition
Publication Year: 2014
ISBN (eBook): 9783954898008
ISBN (Softcover): 9783954893003
File size: 1 MB
Language: English
Publication date: 2014 (June)
Keywords: potential data loss security protected smartphones
Product Safety: Anchor Academic Publishing