August 13, 2010



The proportion of mobile devices providing open platform functionality is
expected to increase in future. The openness of these platforms offers
significant opportunities to all parts of the mobile ecosystem, enabling
flexible program and service delivery options that may be installed, removed or
refreshed multiple times in line with user needs. However, with openness comes
the responsibility to prevent applications of unknown and untrusted origin from
gaining unrestricted access to device resources and APIs. Without a suitable
security architecture and network precautions, such access can lead to a major
security breach, with damage to the user's device, the network, or both.

Interestingly, with the market share of mobile user equipment running open
operating systems steadily climbing, expectations are high. Openness here
offers clear benefits to customers, device manufacturers, software developers
and operators, as it acts as a catalyst for the development of rich and
compelling applications. However, it also brings challenges and risks, and
ultimately gives rise to malicious applications that are likely to grow in both
number and complexity. Mobile application security is therefore a key issue for
the mobile industry.

Mobile application security is provided in some form on most open mobile device
OSes, and industry groups including the GSM Association and the Open Mobile
Terminal Platform (OMTP) have also published recommendations for it. There are
over 4 billion devices in use worldwide. Moreover, the mobile phone has become a
proximity device for the user: something that is always on hand and convenient
to use. This convenience has produced an explosion of mobile applications such
as mobile banking, gaming, and so on. All these applications require security,
and as a result mobile application security is gaining in importance.

Best practices in mobile security
The processes followed when designing security applications for mobiles depend
on the organization concerned. Some use symmetric encryption such as AES and
3DES, which are essentially the same standards used for hardware-based
authentication devices. Best practices that can be followed when designing
mobile security applications include: leveraging SSL; following secure
programming practices; validating inputs; leveraging the permissions model of
the operating system; using the least-privilege model for system access;
cryptographically signing the application's code; using secure mobile URLs; and
encouraging a safe browsing environment.

Learnings from mobile security providers

McAfee: It is very important to abide by certain
norms while designing applications. But it depends on an organization, as to
what development processes they are following to secure an application from
hackers. And from the design perspective, it is very important to make users
understand that installing unwanted and unauthorized applications is a
complete no.

Vinoo Thomas, Technical Product Manager.

Vasco: One of the major challenges in securing
apps is that there are a vast number of application stores that use
different application standards, resulting in a variety of platforms. The
industry today has not yet been capable of developing a standard for mobile
applications.

Jan Valcke, COO and President.

Tech Mahindra: Mobile applications generally
communicate with servers through SMSes, GPRS requests, etc. To perform
mobile application security testing the essential elements are Mobile
Information Device Profile (MIDP) and Money Manager Application.

Suhas Desai, Security Consultant.

Aquilonis: The biggest security concern is securing
data. Architects should ensure that nobody infects their apps and that they
are encrypted properly. One needs to make applications least vulnerable so
that hackers are unable to hack them.

Rahuldev Rajguru, Co-founder and CEO.


Key challenges to security
A key challenge faced by mobile application architects is to proactively
protect mobile users from fraud and malicious applications. Another huge task is
to ensure the quality and accountability of mobile applications. Maintaining
trust in mobile platforms (and avoiding the problems already seen in the
Internet world), and securing the existing and future businesses of various
enterprises, is another large job. Operators, too, must be protected from the
various costs that malicious applications generate. Beyond all these,
facilitating certification processes that reduce barriers for developers while
ensuring consistency across different OS platforms and operators will perhaps
always be one of the major challenges.

It has been noted that security threats are platform dependent. As some
platforms are more vulnerable than others, it is advisable that all
applications on mobile devices are certified or signed to avoid decompilation.
Hence it is extremely important to understand the robust architecture of mobile
devices and their security platforms.

Some of the major threats faced include:

  1. Communication Services: Malicious users may misuse/manipulate/redirect
    communication services like prepaid/postpaid charging which will directly
    cause financial loss.
  2. Eavesdropping: They may use eavesdropping techniques to intercept mobile
    communication services with electronic devices.
  3. Data Privacy Loss: They may exploit weakly encrypted data in mobile
    applications and communication services to steal data.
  4. Authentication: They may gain unauthorized access to mobile
    phone/applications/services due to weak authentication implementation.

Mobile security pillars
A single application can be compromised without compromising other applications
or the system itself; symmetric encryption is extremely useful here, since it
does not rely on a single point of entry. It should also be kept in mind that
federation is practical, but it has its limitations when it comes to security.
The pillars for mobile application security are:

  1. App Store Security Assessment
  2. Mobile Device Application Security Assessment
  3. Server Component Security Assessment
  4. SIM Card Application Security Assessment.

These points should always be kept in mind while architecting applications, as
these are the places where data compromise happens when security is breached.

Mobile applications generally communicate with servers through SMS, GPRS, etc.
Hence, to perform mobile application security testing, the essential elements
are MIDP and the Money Manager application.

It has been observed that SIM cards with DSTK and USSD play a major role in
communication services, because they generally allow the integrator to have a
secure communications channel.

Creating the test environment
Mobile application security testing can be broadly categorized under two
sections: mobile application security testing, and mobile SIM card application
security testing. Mobile applications generally communicate with servers through
SMS and GPRS. Hence, to perform mobile application security testing, the
essential elements are the Mobile Information Device Profile (MIDP) and the
Money Manager application. MIDP is a set of Java APIs with a generic J2ME
emulator, while the latter is a sample money manager application written in
J2ME that can be installed on the MIDP emulator. A limitation of MIDP is that it
does not support SMS communication to the server, so SMS traffic interception is
simply not possible in this environment.

Possible security tests that can be conducted are authentication tests, input
validation tests, session management tests, encryption tests and finally SQL
injection tests. It is also essential to create an environment in which to
conduct these tests. For mobile SIM card application tests, the essentials are
a SIM card reader/writer and SIM card communication software.
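As an added example (not code from the article, nor from any vendor quoted in it), the following Python models the server component behind a money-manager style mobile application and runs the test categories just listed, authentication, input validation, session management and SQL injection, against it. It also shows two of the best practices from the earlier section, input validation and least-privilege access to data, in working form. The user table, the static salt, the session lifetime, the request shape and the test payload are all constructed assumptions; no real service or protocol is modelled.

```python
"""Added example: a self-contained model of a money-manager style app's server
component plus a harness for the security tests named in the article.
All data, names and values are constructed for illustration."""
import hashlib
import hmac
import re
import secrets
import sqlite3

# Assumption: one static salt keeps the example short; real systems use a salt per user.
SALT = b"constructed-static-salt"
SESSION_TTL = 300                       # seconds a session token stays valid (assumed value)
USERNAME_RE = re.compile(r"[a-z0-9_]{3,16}")


def hash_pw(pw):
    """Slow, salted password hash so stored credentials are never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 10_000).hex()


def make_db():
    """Constructed in-memory user table with two sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, balance INTEGER)")
    db.execute("INSERT INTO users VALUES ('alice', ?, 500)", (hash_pw("correct-horse"),))
    db.execute("INSERT INTO users VALUES ('bob', ?, 20)", (hash_pw("hunter2"),))
    return db


def login_vulnerable(db, name, pw):
    """'Before' form: no input validation and a query built by string concatenation."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND pw_hash = '" + hash_pw(pw) + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(db, name, pw):
    """Hardened form: validate the input shape, use a parameterised query and a
    constant-time comparison. The hash is computed unconditionally so that an
    unknown user costs the same time as a wrong password."""
    if not USERNAME_RE.fullmatch(name):
        return None
    candidate = hash_pw(pw)
    row = db.execute("SELECT name, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None or not hmac.compare_digest(row[1], candidate):
        return None
    return row[0]


class SessionStore:
    """Server-side session table keyed by an unguessable random token."""

    def __init__(self):
        self._sessions = {}

    def issue(self, user, now):
        token = secrets.token_hex(16)           # 128 bits of randomness
        self._sessions[token] = (user, now + SESSION_TTL)
        return token

    def user_for(self, token, now):
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expires = entry
        if now >= expires:                      # expired tokens are dropped, not honoured
            del self._sessions[token]
            return None
        return user


def get_balance(db, sessions, token, now):
    """Least privilege: only a live session may read a balance, and only its own."""
    user = sessions.user_for(token, now)
    if user is None:
        return None
    return db.execute("SELECT balance FROM users WHERE name = ?", (user,)).fetchone()[0]


def run_security_tests():
    """Harness covering authentication, input validation, session management and
    SQL injection. Every entry is expected to be True."""
    db, sessions, results = make_db(), SessionStore(), {}
    results["auth_valid"] = login_hardened(db, "alice", "correct-horse") == "alice"
    results["auth_wrong_pw"] = login_hardened(db, "alice", "wrong") is None
    results["auth_unknown_user"] = login_hardened(db, "carol", "wrong") is None
    payload = "alice' --"                       # constructed test input: comments out the password clause
    results["sqli_bypasses_vulnerable"] = login_vulnerable(db, payload, "anything") == "alice"
    results["sqli_rejected_by_hardened"] = login_hardened(db, payload, "anything") is None
    results["input_validation"] = login_hardened(db, "a" * 200, "x") is None
    token = sessions.issue("alice", now=0)
    results["session_valid"] = get_balance(db, sessions, token, now=10) == 500
    results["session_expired"] = get_balance(db, sessions, token, now=SESSION_TTL + 1) is None
    results["session_forged"] = get_balance(db, sessions, "0" * 32, now=10) is None
    return results


if __name__ == "__main__":
    for check, ok in run_security_tests().items():
        print(f"{check:28s} {'PASS' if ok else 'FAIL'}")
```

The harness keeps the vulnerable and hardened login side by side so the same injection payload can be shown succeeding against one and being rejected by the other; in a real test environment the server under test would replace `make_db` and the two `login_*` functions, while the checks themselves stay the same.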
