Chapter 1

Mobile Security and Privacy

M.H. Au*; K.-K.R. Choo†^{,‡    *} The Hong Kong Polytechnic University, Kowloon, Hong Kong
† University of Texas at San Antonio, San Antonio, TX, United States
‡ University of South Australia, Adelaide, SA, Australia

Abstract

The number of Internet-connected mobile devices reportedly surpassed the human population in Oct. 2014, proving that such devices are an indispensable part of our daily lives. One might also argue that in the world of business, every business is potentially a “mobile” business. This is not surprising, as the increasing capabilities of mobile devices have paved the way for many new and exciting applications (e.g., mobile commerce and payment). However, due to their popularity and the amount of data that they can store and make accessible, these devices are increasingly being targeted by cybercriminals.

This chapter presents background information on the capabilities of mobile devices, the role of mobile devices within an enterprise, mobile operating systems, and finally, mobile security and privacy threats.

Keywords

Mobile device capabilities; Mobile operating systems; Mobile security and privacy; Mobile threats

1 Introduction

Security and privacy are highly dynamic and fast-paced research areas due to rapid technological advancements. Mobile security and privacy are no exception. For example, 10 or 15 years ago, research in mobile security was mainly concerned about securing the Global System for Mobile Communications (GSM) network and communications (Jøsang and Sanderud, 2003). Since mobile phones become user programmable (i.e., the device supports third-party software), the scope for security and privacy research extends to studying the security of such third-party software and associated privacy risks (La Polla et al., 2013) (e.g., whether third-party software will result in the leakage of user data).

It is also in the user's interest to ensure both confidentiality and integrity of the data that is stored on and made accessible via these devices. This is the focus of this book.

Specifically, in this book, we will be presenting the state-of-the-art advances in mobile device security and privacy. Such devices (e.g., Android, iOS, BlackBerry, and Windows devices) are, in fact, “minicomputers,” with processing, communication, and storage capabilities. In addition, these devices often include additional sensing capabilities from the built-in camera, GPS, barometer, accelerometer, and gyro sensors. It should be noted that the modern-day mobile devices are generally more powerful than the IBM Deep Blue supercomputer of 1997 (Nick, 2014).

According to research detailed in the report entitled “State of Mobile Commerce,” 34% of electronic commerce transactions are conducted over mobile devices globally (Wolf, 2015). In some parts of the world, such as technologically advanced countries like Japan and South Korea, more than half of e-commerce transactions are conducted over mobile devices (Wolf, 2015).

A prominent example of the shift in conventional business processes to mobile is mobile payments. This is evidenced by the significant worldwide trend of using platforms such as Apple Pay, Google Wallet, Samsung Pay, and WeChat Pay. According to Statista (2016), the annual transaction volume for mobile payments is reportedly $450 billion in 2015 and is forecasted to double in 3 years.

Another emerging mobile application is mobile health, which is the practice of integrating mobile technologies in supporting medical and health care services (Istepanian et al., 2006; Kay et al., 2011). With the anticipated benefits of increased access to point-of-care tools amongst others, mobile devices are becoming commonplace in medical and health care settings. It has also been suggested that mobile health supports better clinical decision making and improved patient outcomes (Divall et al., 2013).

Finally, we would also like to highlight the risks associated with the use of mobile devices in the workplace, a practice known as bring your own device or BYOD.

2 Threats to Mobile Security

Mobile threats can be broadly categorized into application-, web-, network-, and physical-level threats, as discussed in the following section.

2.1 Application-Level Threats

Application-level threats appear to be the most widely discussed threats in the literature (Faruki et al., 2015). As mobile devices can execute downloadable applications (apps), it is clear that apps can be a target vector to breach the security of the device and the system it connects to (e.g., a corporate network). The threats can be due to malicious applications (malware), particularly those downloaded from a third-party app store, as well as vulnerable apps.

Malware can, for instance, inject code into the mobile device in order to send unsolicited messages; allow an adversary the ability to remotely control the device; or exfiltrate user data, such as contact lists, email, and photos, without the user's knowledge or permission. For example, in a recent work, mobile security researchers demonstrated that it is possible to exfiltrate data from Android devices using inaudible sound waves (Do et al., 2015). As D'Orazio and Choo (2015, 2016) aptly explained, in the rush to reduce the time-to-market, applications are usually designed with functionality rather than security in mind. Hence it is not surprising that there are a large number of applications that contain security loopholes that can be exploited by an attacker. In another recent work, Chen et al. (2016) discussed how a botnet master issues commands, via multiple message push services, to remotely control mobile devices infected by malware. While vulnerable apps may not be developed with a malicious intent, they can result in significant security and privacy risks to the users. For example, D'Orazio and Choo (2015) revealed previous vulnerabilities in a widely used Australian government health care app that consequently exposed the users' sensitive personal data stored on the device. Other examples include the work of Zhao et al. (2016) and Farnden et al. (2015). Zhao et al. (2016) demonstrated how the geographic coordinates of a location-based social network app user can be obtained via probing attack, which resulted in location privacy leakage. Farnden et al. (2015) demonstrated that using forensic techniques, a wide range of data can be recovered from the devices of nine popular proximity-based dating app users, including the details of users who had been discovered nearby.

2.2 Web-Level Threats

While these threats are not specific to mobile devices (see Prokhorenko et al., 2013, 2016a,b for a review of web applications vulnerability and protection techniques), the security and privacy risks to mobile devices due to web-level threats are real. One key web-level threat is phishing, which uses email or other social media apps to send an unwitting user links to a phishing website designed to trick users into providing sensitive information such as user credentials. When combined with social engineering, phishing is one of the top seven security threats identified by Kaspersky Lab for the 2015–16.

2.3 Network Level Threats

One of the distinct features of mobile devices is the ability to connect. Typical connection supported by currently mobile devices include cellular/mobile networks, local wireless networks, and near field-communication (NFC). Security of the connection at the network level is another active research area at the time of this writing.

2.4 Physical-Level Threats

Finally, physical security of mobile devices is equally important, if not more so. Since mobile devices are typically small and portable, these devices can be easily stolen or misplaced. A lost or stolen device could be used to gain access to user data stored on the device or as an entry point into the user's corporate network (Imgraben et al., 2014; Choo et al., 2015).

3 Organization of the Book

The rest of this book is organized as follows.

The use cases of mobile devices within an organization's context and their security implications from a practitioner's perspective are presented in Chapters 2 through 5.

Chapters 6 and 7 explain how malware and vulnerabilities can be identified using state-of-the-art techniques.

Chapter 8 examines the effectiveness of existing antimalware Android apps.

Chapter 9 focuses on mobile forensics.

Chapter 10 presents a security framework on Internet of Things (IoT) security protocols.

Chapter 11 introduces the common security models for generic privacy requirements.

Finally, preliminary experimental results on the implementation of cryptographic algorithms on mobile devices are presented in Chapter 12.

References

Chen W., Luo X., Yin C., Xiao B., Au M.H., Tang Y. MUSE: towards robust and stealthy mobile botnets via multiple message push services. In: Information Security and Privacy. 20–39. Lecture Notes in Computer Science. 2016;9722.

Choo K.K.R., Heravi A., Mani D., Mubarak S. Employees' intended information security behaviour in real estate organisations: a protection motivation perspective. In: Proceedings of 21st Americas Conference on Information Systems, AMCIS 2015; Association for Information Systems; 2015. http://aisel.aisnet.org/amcis2015/ISSecurity/GeneralPresentations/29/.

Divall P., Camosso-Stefinovic J., Baker R. The use of personal digital assistants in clinical decision making by health care professionals: a systematic review. Health Informatics J. 2013;19(1):16–28.

Do Q., Martini B., Choo K.K.R. Exfiltrating data from Android devices. J. Comput. Secur. 2015;48:74–91.

D'Orazio C., Choo K.K.R. A generic process to identify vulnerabilities and design weaknesses in iOS healthcare apps. In: System Sciences (HICSS), 2015 48th Hawaii International Conference on; IEEE; 2015:5175–5184.

D'Orazio C., Choo K.K.R. An adversary model to evaluate DRM protection of video contents on iOS devices. J. Comput. Secur. 2016;56:94–110.

Farnden J., Martini B., Choo K.K.R. Privacy risks in mobile dating apps. In: Proceedings of 21st Americas Conference on Information Systems, AMCIS; Association for Information Systems; 2015. http://aisel.aisnet.org/amcis2015/ISSecurity/GeneralPresentations/13.

Faruki P., Bharmal A., Laxmi V., Ganmoor V., Gaur M.S., Conti M., Rajarajan M. Android security: a survey of issues, malware penetration, and defenses. IEEE Commun. Surv. Tutorials. 2015;17(2):998–1022.

Imgraben J., Engelbrecht A., Choo K.K.R. Always connected, but are smart mobile users getting more security savvy? A survey of smart mobile device users. Behav. Inform. Technol. 2014;33(12):1347–1360.

Istepanian R., Laxminarayan S., Pattichis C.S., eds. M-Health: Emerging Mobile Health Systems. New York: Springer-Verlag; 2006.

Jøsang A., Sanderud G. Security in mobile communications: challenges and opportunities. In: Proceedings of the Australasian Information Security Workshop Conference on ACSW Frontiers 2003; Australian Computer Society, Inc; 43–48. 2003;vol. 21.

Kay M., Santos J., Takane M. mHealth: New Horizons for Health Through Mobile Technologies. World Health Organization; 2011 pp. 66–71.

La Polla M., Martinelli F., Sgandurra D. A survey on security for mobile devices. IEEE Commun. Surv. Tutorials. 2013;15(1):446–471.

Nick T. A modern smartphone or a vintage supercomputer: which is more powerful? Phonearena News http://www.phonearena.com/news/A-modern-smartphone-or-a-vintage-supercomputer-which-is-more-powerful_id57149&gt. 2014 (accessed 08.06.16).

Prokhorenko V., Choo K.K.R., Ashman H. Intent-based extensible real-time PHP supervision framework. IEEE Trans. Inf. Forensics Secur. 2013;doi:10.1109/TIFS.2016.2569063.

Prokhorenko V., Choo K.K.R., Ashman H. Web application protection techniques: a taxonomy. J. Netw. Comput. Appl. 2016a;60:95–112.

Prokhorenko V., Choo K.K.R., Ashman H. Context-oriented web application protection model. Appl. Math. Comput. 2016b;285:59–78.

Statista. Total revenue of global mobile payment market from 2015 to 2019 (in billion U.S. dollars). http://www.statista.com/statistics/226530/mobile-payment-transaction-volume-forecast/&gt. 2016 (accessed 08.06.16).

Wolf J. State of Mobile Commerce Report 2015. Criteo; 2015.

Zhao S., Ma M., Bai B., Luo X., Zou W., Qiu X., Au M.H. I know where you are! Exploiting mobile social apps for large-scale location privacy probing. In: Information Security and Privacy. New York: Springer International; 2016.