Mobile security

Mobile security, or more specifically mobile device security, has become increasingly important in mobile computing. Of particular concern is the security of personal and business information now stored on smartphones.

More and more users and businesses use smartphones to communicate, but also to plan and organize their users' work and also private life. Within companies, these technologies are causing profound changes in the organization of information systems and therefore they have become the source of new risks. Indeed, smartphones collect and compile an increasing amount of sensitive information to which access must be controlled to protect the privacy of the user and the intellectual property of the company.

All smartphones, as computers, are preferred targets of attacks. These attacks exploit weaknesses inherent in smartphones that can come from the communication mode—like Short Message Service (SMS, aka text messaging), Multimedia Messaging Service (MMS), WiFi, Bluetooth and GSM, the de facto global standard for mobile communications. There are also exploits that target software vulnerabilities in the browser or operating system. And some malicious software relies on the weak knowledge of an average user.

Security countermeasures are being developed and applied to smartphones, from security in different layers of software to the dissemination of information to end users. There are good practices to be observed at all levels, from design to use, through the development of operating systems, software layers, and downloadable apps.

Challenges of smartphone mobile security

Threats

A smartphone user is exposed to various threats when they use their phone. In just the last two-quarters of 2012, the number of unique mobile threats grew by 261%, according to ABI Research.[1] These threats can disrupt the operation of the smartphone, and transmit or modify user data. So applications must guarantee privacy and integrity of the information they handle. In addition, since some apps could themselves be malware, their functionality and activities should be limited (for example, restricting the apps from accessing location information via GPS, blocking access to the user's address book, preventing the transmission of data on the network, sending SMS messages that are billed to the user, etc.).

There are three prime targets for attackers:[2]

  • Data: smartphones are devices for data management, and may contain sensitive data like credit card numbers, authentication information, private information, activity logs (calendar, call logs);
  • Identity: smartphones are highly customizable, so the device or its contents can easily be associated with a specific person. For example, every mobile device can transmit information related to the owner of the mobile phone contract,[citation needed] and an attacker may want to steal the identity of the owner of a smartphone to commit other offenses;
  • Availability: attacking a smartphone can limit access to it and deprive the owner of its use.

There are a number of threats to mobile devices, including annoyance, stealing money, invading privacy, propagation, and malicious tools.[3]

  • Botnets: attackers infect multiple machines with malware that victims generally acquire via e-mail attachments or from compromised applications or websites. The malware then gives hackers remote control of "zombie" devices, which can then be instructed to perform harmful acts.[3]
  • Malicious applications: hackers upload malicious programs or games to third-party smartphone application marketplaces. The programs steal personal information and open backdoor communication channels to install additional applications and cause other problems.[3]
  • Malicious links on social networks: an effective way to spread malware where hackers can place Trojans, spyware, and backdoors.[3]
  • Spyware: hackers use this to hijack phones, allowing them to hear calls, see text messages and e-mails as well as track someone's location through GPS updates.[3]

The source of these attacks are the same actors found in the non-mobile computing space:[2]

  • Professionals, whether commercial or military, who focus on the three targets mentioned above. They steal sensitive data from the general public, as well as undertake industrial espionage. They will also use the identity of those attacked to achieve other attacks;
  • Thieves who want to gain income through data or identities they have stolen. The thieves will attack many people to increase their potential income;
  • Black hat hackers who specifically attack availability.[4] Their goal is to develop viruses, and cause damage to the device.[5] In some cases, hackers have an interest in stealing data on devices.
  • Grey hat hackers who reveal vulnerabilities.[6] Their goal is to expose vulnerabilities of the device.[7] Grey hat hackers do not intend on damaging the device or stealing data.[8]

Consequences

When a smartphone is infected by an attacker, the attacker can attempt several things:

  • The attacker can manipulate the smartphone as a zombie machine, that is to say, a machine with which the attacker can communicate and send commands which will be used to send unsolicited messages (spam) via sms or email;[9]
  • The attacker can easily force the smartphone to make phone calls. For example, one can use the API (library that contains the basic functions not present in the smartphone) PhoneMakeCall by Microsoft, which collects telephone numbers from any source such as yellow pages, and then call them.[9] But the attacker can also use this method to call paid services, resulting in a charge to the owner of the smartphone. It is also very dangerous because the smartphone could call emergency services and thus disrupt those services;[9]
  • A compromised smartphone can record conversations between the user and others and send them to a third party.[9] This can cause user privacy and industrial security problems;
  • An attacker can also steal a user's identity, usurp their identity (with a copy of the user's sim card or even the telephone itself), and thus impersonate the owner. This raises security concerns in countries where smartphones can be used to place orders, view bank accounts or are used as an identity card;[9]
  • The attacker can reduce the utility of the smartphone, by discharging the battery.[10] For example, they can launch an application that will run continuously on the smartphone processor, requiring a lot of energy and draining the battery. One factor that distinguishes mobile computing from traditional desktop PCs is their limited performance. Frank Stajano and Ross Anderson first described this form of attack, calling it an attack of "battery exhaustion" or "sleep deprivation torture";[11]
  • The attacker can prevent the operation and/or be starting of the smartphone by making it unusable.[12] This attack can either delete the boot scripts, resulting in a phone without a functioning OS, or modify certain files to make it unusable (e.g. a script that launches at startup that forces the smartphone to restart) or even embed a startup application that would empty the battery;[11]
  • The attacker can remove the personal (photos, music, videos, etc.) or professional data (contacts, calendars, notes) of the user.[12]